Commit fa218ab9 authored by Lino Sanfilippo's avatar Lino Sanfilippo Committed by Eric Paris

fanotify: correct broken ref counting in case adding a mark failed

If adding a mount or inode mark failed fanotify_free_mark() is called explicitly.
But at this time the mark has already been put into the destroy list of the
fsnotify_mark kernel thread. If the thread is too slow it will try to decrease
the reference of a mark, that has already been freed by fanotify_free_mark().
(If it's fast enough it will only decrease the mark's ref counter from 2 to 1 - note
that the counter has been increased to 2 in add_mark() - which has practically no
effect.)

This patch fixes the ref counting by not calling free_mark() explicitly, but by
decreasing the ref counter and relying on the fsnotify_mark thread to clean up in
case adding the mark has failed.
Signed-off-by: default avatarLino Sanfilippo <LinoSanfilippo@gmx.de>
Signed-off-by: default avatarEric Paris <eparis@redhat.com>
parent b1085ba8
...@@ -594,11 +594,10 @@ static int fanotify_add_vfsmount_mark(struct fsnotify_group *group, ...@@ -594,11 +594,10 @@ static int fanotify_add_vfsmount_mark(struct fsnotify_group *group,
{ {
struct fsnotify_mark *fsn_mark; struct fsnotify_mark *fsn_mark;
__u32 added; __u32 added;
int ret = 0;
fsn_mark = fsnotify_find_vfsmount_mark(group, mnt); fsn_mark = fsnotify_find_vfsmount_mark(group, mnt);
if (!fsn_mark) { if (!fsn_mark) {
int ret;
if (atomic_read(&group->num_marks) > group->fanotify_data.max_marks) if (atomic_read(&group->num_marks) > group->fanotify_data.max_marks)
return -ENOSPC; return -ENOSPC;
...@@ -608,17 +607,16 @@ static int fanotify_add_vfsmount_mark(struct fsnotify_group *group, ...@@ -608,17 +607,16 @@ static int fanotify_add_vfsmount_mark(struct fsnotify_group *group,
fsnotify_init_mark(fsn_mark, fanotify_free_mark); fsnotify_init_mark(fsn_mark, fanotify_free_mark);
ret = fsnotify_add_mark(fsn_mark, group, NULL, mnt, 0); ret = fsnotify_add_mark(fsn_mark, group, NULL, mnt, 0);
if (ret) { if (ret)
fanotify_free_mark(fsn_mark); goto err;
return ret;
}
} }
added = fanotify_mark_add_to_mask(fsn_mark, mask, flags); added = fanotify_mark_add_to_mask(fsn_mark, mask, flags);
fsnotify_put_mark(fsn_mark);
if (added & ~mnt->mnt_fsnotify_mask) if (added & ~mnt->mnt_fsnotify_mask)
fsnotify_recalc_vfsmount_mask(mnt); fsnotify_recalc_vfsmount_mask(mnt);
err:
return 0; fsnotify_put_mark(fsn_mark);
return ret;
} }
static int fanotify_add_inode_mark(struct fsnotify_group *group, static int fanotify_add_inode_mark(struct fsnotify_group *group,
...@@ -627,6 +625,7 @@ static int fanotify_add_inode_mark(struct fsnotify_group *group, ...@@ -627,6 +625,7 @@ static int fanotify_add_inode_mark(struct fsnotify_group *group,
{ {
struct fsnotify_mark *fsn_mark; struct fsnotify_mark *fsn_mark;
__u32 added; __u32 added;
int ret = 0;
pr_debug("%s: group=%p inode=%p\n", __func__, group, inode); pr_debug("%s: group=%p inode=%p\n", __func__, group, inode);
...@@ -642,8 +641,6 @@ static int fanotify_add_inode_mark(struct fsnotify_group *group, ...@@ -642,8 +641,6 @@ static int fanotify_add_inode_mark(struct fsnotify_group *group,
fsn_mark = fsnotify_find_inode_mark(group, inode); fsn_mark = fsnotify_find_inode_mark(group, inode);
if (!fsn_mark) { if (!fsn_mark) {
int ret;
if (atomic_read(&group->num_marks) > group->fanotify_data.max_marks) if (atomic_read(&group->num_marks) > group->fanotify_data.max_marks)
return -ENOSPC; return -ENOSPC;
...@@ -653,16 +650,16 @@ static int fanotify_add_inode_mark(struct fsnotify_group *group, ...@@ -653,16 +650,16 @@ static int fanotify_add_inode_mark(struct fsnotify_group *group,
fsnotify_init_mark(fsn_mark, fanotify_free_mark); fsnotify_init_mark(fsn_mark, fanotify_free_mark);
ret = fsnotify_add_mark(fsn_mark, group, inode, NULL, 0); ret = fsnotify_add_mark(fsn_mark, group, inode, NULL, 0);
if (ret) { if (ret)
fanotify_free_mark(fsn_mark); goto err;
return ret;
}
} }
added = fanotify_mark_add_to_mask(fsn_mark, mask, flags); added = fanotify_mark_add_to_mask(fsn_mark, mask, flags);
fsnotify_put_mark(fsn_mark);
if (added & ~inode->i_fsnotify_mask) if (added & ~inode->i_fsnotify_mask)
fsnotify_recalc_inode_mask(inode); fsnotify_recalc_inode_mask(inode);
return 0; err:
fsnotify_put_mark(fsn_mark);
return ret;
} }
/* fanotify syscalls */ /* fanotify syscalls */
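Review bot: The failure path in both fanotify_add_vfsmount_mark and fanotify_add_inode_mark now does a single `fsnotify_put_mark(fsn_mark)` at `err:` instead of freeing the mark, but nothing in the code records why one put is sufficient, so the explicit free (and the use-after-free race it caused) is easy to reintroduce later. Per the commit message, a failed fsnotify_add_mark() has already queued the mark on the destroy list and the fsnotify_mark thread drops the remaining reference; state that on the `goto err` lines, e.g. `/* add failed: mark is already on the destroy list, only drop our own reference */`. The `err:` label is also the normal exit (the success path falls through to the same put and `return ret`), so `out:` would describe it more accurately. Both functions' signatures sit above the first hunk and their bodies are split across the hunks shown.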
......