From patchwork Mon Jan 30 09:51:29 2012 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [maverick/ti-omap4, CVE, 1/1] inotify: stop kernel memory leak on file creation failure Date: Sun, 29 Jan 2012 23:51:29 -0000 From: Andy Whitcroft X-Patchwork-Id: 138532 Message-Id: <1327917089-29562-2-git-send-email-apw@canonical.com> To: kernel-team@lists.ubuntu.com Cc: Andy Whitcroft From: Eric Paris If inotify_init is unable to allocate a new file for the new inotify group we leak the new group. This patch drops the reference on the group on file allocation failure. Reported-by: Vegard Nossum cc: stable@kernel.org Signed-off-by: Eric Paris (cherry picked from commit a2ae4cc9a16e211c8a128ba10d22a85431f093ab) CVE-2010-4250 BugLink: http://bugs.launchpad.net/bugs/917797 Signed-off-by: Andy Whitcroft Acked-by: Stefan Bader --- fs/notify/inotify/inotify_user.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/fs/notify/inotify/inotify_user.c b/fs/notify/inotify/inotify_user.c index e46ca68..e295eee 100644 --- a/fs/notify/inotify/inotify_user.c +++ b/fs/notify/inotify/inotify_user.c @@ -671,6 +671,7 @@ SYSCALL_DEFINE1(inotify_init1, int, flags) if (ret >= 0) return ret; + fsnotify_put_group(group); atomic_dec(&user->inotify_devs); out_free_uid: free_uid(user);
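Review bot: In the failure path after `if (ret >= 0) return ret;`, the added `fsnotify_put_group(group);` falls straight through to `atomic_dec(&user->inotify_devs);` and then `free_uid(user);` at `out_free_uid:`, so the patch needs to establish who owns the `user` reference and the `inotify_devs` count once the group has been created. If dropping the last group reference already decrements `inotify_devs` or releases `user` as part of the group's teardown, this path would do both a second time, replacing the leak with a counter underflow or a double release of `user`. The hunk does not show the teardown path, so check it against the group's free callback; if the group does own them, return `ret` directly after the put rather than falling through to `out_free_uid`. Separately, the commit message names `inotify_init` while the change is in `SYSCALL_DEFINE1(inotify_init1, int, flags)`; the description should name the function actually touched.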