leandrof/linux
1
0
Fork 0
forked from Minki/linux
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fanotify: correct broken ref counting in case adding a mark failed

Browse Source 
If adding a mount or inode mark failed fanotify_free_mark() is called explicitly.
But at this time the mark has already been put into the destroy list of the
fsnotify_mark kernel thread. If the thread is too slow it will try to decrease
the reference of a mark, that has already been freed by fanotify_free_mark().
(If its fast enough it will only decrease the marks ref counter from 2 to 1 - note
that the counter has been increased to 2 in add_mark() - which has practically no
effect.)

This patch fixes the ref counting by not calling free_mark() explicitly, but
decreasing the ref counter and rely on the fsnotify_mark thread to cleanup in
case adding the mark has failed.

Signed-off-by: Lino Sanfilippo <LinoSanfilippo@gmx.de>
Signed-off-by: Eric Paris <eparis@redhat.com>
This commit is contained in:
Lino Sanfilippo 2010-11-09 18:18:16 +01:00 committed by Eric Paris
parent b1085ba80c
commit fa218ab98c
1 changed files with 14 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
fs/notify/fanotify/fanotify_user.c
View File

@ -594,11 +594,10 @@ static int fanotify_add_vfsmount_mark(struct fsnotify_group *group,
{ {
struct fsnotify_mark *fsn_mark; struct fsnotify_mark *fsn_mark;
__u32 added; __u32 added;
int ret = 0;
fsn_mark = fsnotify_find_vfsmount_mark(group, mnt); fsn_mark = fsnotify_find_vfsmount_mark(group, mnt);
if (!fsn_mark) { if (!fsn_mark) {
int ret;
if (atomic_read(&group->num_marks) > group->fanotify_data.max_marks) if (atomic_read(&group->num_marks) > group->fanotify_data.max_marks)
return -ENOSPC; return -ENOSPC;
@ -608,17 +607,16 @@ static int fanotify_add_vfsmount_mark(struct fsnotify_group *group,
fsnotify_init_mark(fsn_mark, fanotify_free_mark); fsnotify_init_mark(fsn_mark, fanotify_free_mark);
ret = fsnotify_add_mark(fsn_mark, group, NULL, mnt, 0); ret = fsnotify_add_mark(fsn_mark, group, NULL, mnt, 0);
if (ret) { if (ret)
fanotify_free_mark(fsn_mark); goto err;
return ret;
}
} }
added = fanotify_mark_add_to_mask(fsn_mark, mask, flags); added = fanotify_mark_add_to_mask(fsn_mark, mask, flags);
fsnotify_put_mark(fsn_mark);
if (added & ~mnt->mnt_fsnotify_mask) if (added & ~mnt->mnt_fsnotify_mask)
fsnotify_recalc_vfsmount_mask(mnt); fsnotify_recalc_vfsmount_mask(mnt);
err:
return 0; fsnotify_put_mark(fsn_mark);
return ret;
} }
static int fanotify_add_inode_mark(struct fsnotify_group *group, static int fanotify_add_inode_mark(struct fsnotify_group *group,
@ -627,6 +625,7 @@ static int fanotify_add_inode_mark(struct fsnotify_group *group,
{ {
struct fsnotify_mark *fsn_mark; struct fsnotify_mark *fsn_mark;
__u32 added; __u32 added;
int ret = 0;
pr_debug("%s: group=%p inode=%p\n", __func__, group, inode); pr_debug("%s: group=%p inode=%p\n", __func__, group, inode);
@ -642,8 +641,6 @@ static int fanotify_add_inode_mark(struct fsnotify_group *group,
fsn_mark = fsnotify_find_inode_mark(group, inode); fsn_mark = fsnotify_find_inode_mark(group, inode);
if (!fsn_mark) { if (!fsn_mark) {
int ret;
if (atomic_read(&group->num_marks) > group->fanotify_data.max_marks) if (atomic_read(&group->num_marks) > group->fanotify_data.max_marks)
return -ENOSPC; return -ENOSPC;
@ -653,16 +650,16 @@ static int fanotify_add_inode_mark(struct fsnotify_group *group,
fsnotify_init_mark(fsn_mark, fanotify_free_mark); fsnotify_init_mark(fsn_mark, fanotify_free_mark);
ret = fsnotify_add_mark(fsn_mark, group, inode, NULL, 0); ret = fsnotify_add_mark(fsn_mark, group, inode, NULL, 0);
if (ret) { if (ret)
fanotify_free_mark(fsn_mark); goto err;
return ret;
}
} }
added = fanotify_mark_add_to_mask(fsn_mark, mask, flags); added = fanotify_mark_add_to_mask(fsn_mark, mask, flags);
fsnotify_put_mark(fsn_mark);
if (added & ~inode->i_fsnotify_mask) if (added & ~inode->i_fsnotify_mask)
fsnotify_recalc_inode_mask(inode); fsnotify_recalc_inode_mask(inode);
return 0; err:
fsnotify_put_mark(fsn_mark);
return ret;
} }
/* fanotify syscalls */ /* fanotify syscalls */