• Dmitri Monakhov's avatar
    inotify: fix IN_ONESHOT unmount event watcher · 6ee5a399
    Dmitri Monakhov authored
    On umount two event will be dispatched to watcher:
    
    1: inotify_dev_queue_event(.., IN_UNMOUNT,..)
    2: remove_watch(watch, dev)
        ->inotify_dev_queue_event(.., IN_IGNORED, ..)
    
    But if watcher has IN_ONESHOT bit set then the watcher will be released
    inside first event.  Which result in accessing invalid object later.  IMHO
    it is not pure regression.  This bug wasn't triggered while initial
    inotify interface testing phase because of another bug in IN_ONESHOT
    handling logic :)
    
      commit ac74c00e
      Author: Ulisses Furquim <ulissesf@gmail.com>
      Date:   Fri Feb 8 04:18:16 2008 -0800
        inotify: fix check for one-shot watches before destroying them
        As the IN_ONESHOT bit is never set when an event is sent we must check it
        in the watch's mask and not in the event's mask.
    
    TESTCASE:
    mkdir mnt
    mount -ttmpfs none mnt
    mkdir mnt/d
    ./inotify mnt/d&
    umount mnt ## << lockup or crash here
    
    TESTSOURCE:
    /* gcc -oinotify inotify.c */
    #include <stdio.h>
    #include <stdlib.h>
    #include <sys/inotify.h>
    
    int main(int argc, char **argv)
    {
            char buf[1024];
            struct inotify_event *ie;
            char *p;
            int i;
            ssize_t l;
    
            p = argv[1];
            i = inotify_init();
            inotify_add_watch(i, p, ~0);
    
            l = read(i, buf, sizeof(buf));
            printf("read %d bytes\n", l);
            ie = (struct inotify_event *) buf;
            printf("event mask: %d\n", ie->mask);
    	return 0;
    }
    Signed-off-by: default avatarDmitri Monakhov <dmonakhov@openvz.org>
    Cc: John McCutchan <ttb@tentacle.dhs.org>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Robert Love <rlove@google.com>
    Cc: Ulisses Furquim <ulissesf@gmail.com>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    6ee5a399
inotify.c 25.1 KB