Description of problem:

If userspace supplies an invalid pointer to a read() of an inotify instance, the inotify device's event list mutex is unlocked twice. This causes an unbalance which effectively leaves the data structure unprotected, and we can trigger oopses by accessing the inotify instance from different tasks concurrently.

http://patchwork.kernel.org/patch/4857/
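The double unlock described in the report above, as an added userspace model (not kernel code, and not taken from the report or the upstream patch). The names `chk_mutex`, `model_dev`, `model_copy_to_user`, `model_read` and `EV_SIZE` are hypothetical, and the loop shape (lock dropped around each copy to userspace) is an assumption; `balanced=1` shows one way to keep lock and unlock paired on the error path.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#define EV_SIZE 16  /* constructed fixed record size */
/* Hypothetical checked lock: counts unlocks of a mutex that is not held. */
struct chk_mutex { int held; int bad_unlocks; };
struct model_dev { struct chk_mutex ev_mutex; int pending; };
static const char sample_event[EV_SIZE] = "constructed";
static void chk_lock(struct chk_mutex *m) { m->held = 1; }
static void chk_unlock(struct chk_mutex *m)
{
    if (!m->held) m->bad_unlocks++;  /* the imbalance the report describes */
    m->held = 0;
}
/* Stand-in for copy_to_user(): NULL models the invalid user pointer. */
static int model_copy_to_user(char *dst, const char *src, size_t n)
{
    if (!dst) return 1;
    memcpy(dst, src, n);
    return 0;
}
/* Assumed loop shape: the lock is dropped around each copy to userspace. */
static long model_read(struct model_dev *d, char *buf, size_t len, int balanced)
{
    long ret = 0;
    chk_lock(&d->ev_mutex);
    while (d->pending > 0 && len >= EV_SIZE) {
        chk_unlock(&d->ev_mutex);
        if (model_copy_to_user(buf, sample_event, EV_SIZE)) {
            if (balanced)
                return -EFAULT;  /* lock already dropped: do not touch it */
            ret = -EFAULT;
            break;               /* falls through to a second unlock */
        }
        buf += EV_SIZE; len -= EV_SIZE; ret += EV_SIZE;
        chk_lock(&d->ev_mutex);
        d->pending--;
    }
    chk_unlock(&d->ev_mutex);
    return ret;
}

int main(void)
{
    struct model_dev d = { {0, 0}, 2 };
    long r = model_read(&d, NULL, 64, 0);
    printf("ret=%ld unbalanced unlocks=%d\n", r, d.ev_mutex.bad_unlocks);
    return 0;
}
```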
Created attachment 334277
Upstream patch

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=3632dee2f8b8a9720329f29eeaa4ec4669a3aff8
CVSS2 score of medium, 4.7 (AV:L/AC:M/Au:N/C:N/I:N/A:C)