• Eric Paris's avatar
    fsnotify: do not set group for a mark before it is on the i_list · 55af1d63
    Eric Paris authored
    commit 9f0d793b upstream.
    
    fsnotify_add_mark is supposed to add a mark to the g_list and i_list and to
    set the group and inode for the mark.  fsnotify_destroy_mark_by_entry uses
    the fact that ->group != NULL to know if this group should be destroyed or
    if it's already been done.
    
    But fsnotify_add_mark sets the group and inode before it actually adds the
    mark to the i_list and g_list.  This can result in a race in inotify, it
    requires 3 threads.
    
    sys_inotify_add_watch("file")	sys_inotify_add_watch("file")	sys_inotify_rm_watch([a])
    inotify_update_watch()
    inotify_new_watch()
    inotify_add_to_idr()
       ^--- returns wd = [a]
    				inotfiy_update_watch()
    				inotify_new_watch()
    				inotify_add_to_idr()
    				fsnotify_add_mark()
    				   ^--- returns wd = [b]
    				returns to userspace;
    								inotify_idr_find([a])
    								   ^--- gives us the pointer from task 1
    fsnotify_add_mark()
       ^--- this is going to set the mark->group and mark->inode fields, but will
    return -EEXIST because of the race with [b].
    								fsnotify_destroy_mark()
    								   ^--- since ->group != NULL we call back
    									into inotify_freeing_mark() which calls
    								inotify_remove_from_idr([a])
    
    since fsnotify_add_mark() failed we call:
    inotify_remove_from_idr([a])     <------WHOOPS it's not in the idr, this could
    					have been any entry added later!
    
    The fix is to make sure we don't set mark->group until we are sure the mark is
    on the inode and fsnotify_add_mark will return success.
    Signed-off-by: default avatarEric Paris <eparis@redhat.com>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
    55af1d63
inode_mark.c 12.7 KB