Fix dnotify/close race We have a race between fcntl() and close() that can lead to dnotify_struct inserted into inode's list *after* the last descriptor had been gone from current->files. Since that's the only point where dnotify_struct gets evicted, we are screwed - it will stick around indefinitely. Even after struct file in question is gone and freed. Worse, we can trigger send_sigio() on it at any later point, which allows to send an arbitrary signal to arbitrary process if we manage to apply enough memory pressure to get the page that used to host that struct file and fill it with the right pattern...
*** Bug 216675 has been marked as a duplicate of this bug. ***
released in 2.6.25.1 and 2.6.24.6
hardened-kernel unaffected at present time. Removing alias. PS: Anything using >=genpatches-2.6.25-3 is unaffected and, for 2.6.24, genpatches-2.6.24-8 is the first unaffected release.
