fanotify: fix fsnotify_prepare_user_wait() failure

If fsnotify_prepare_user_wait() fails, we leave the event on the notification list. Which will result in a warning in fsnotify_destroy_event() and later use-after-free. Instead of adding a new helper to remove the event from the list in this case, I opted to move the prepare/finish up into fanotify_handle_event(). This will allow these to be moved further out into the generic code later, and perhaps let us move to non-sleeping RCU. Reviewed-by: Amir Goldstein <amir73il@gmail.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Fixes: 05f0e38724e8 ("fanotify: Release SRCU lock when waiting for userspace response") Cc: <stable@vger.kernel.org> # v4.12 Signed-off-by: Jan Kara <jack@suse.cz>
author: Miklos Szeredi <mszeredi@redhat.com> 2017-10-30 16:14:56 -0400
committer: Jan Kara <jack@suse.cz> 2017-10-31 12:54:56 -0400
commit: f37650f1c7c71cf5180b43229d13b421d81e7170 (patch)
tree: ff7aab8765170e57aaa8eb117b9c899017b02fe6
parent: 9a31d7ad997f55768c687974ce36b759065b49e5 (diff)
1 files changed, 20 insertions, 13 deletions
diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c
index 2fa99aeaa095..df3f484e458a 100644
--- a/fs/notify/fanotify/fanotify.c
+++ b/fs/notify/fanotify/fanotify.c
@@ -64,19 +64,8 @@ static int fanotify_get_response(struct fsnotify_group *group,
        pr_debug("%s: group=%p event=%p\n", __func__, group, event);
-        /*
-         * fsnotify_prepare_user_wait() fails if we race with mark deletion.
-         * Just let the operation pass in that case.
-         */
-        if (!fsnotify_prepare_user_wait(iter_info)) {
-                event->response = FAN_ALLOW;
-                goto out;
-        }
        wait_event(group->fanotify_data.access_waitq, event->response);
-        fsnotify_finish_user_wait(iter_info);
-out:
        /* userspace responded, convert to something usable */
        switch (event->response) {
        case FAN_ALLOW:
@@ -211,9 +200,21 @@ static int fanotify_handle_event(struct fsnotify_group *group,
        pr_debug("%s: group=%p inode=%p mask=%x\n", __func__, group, inode,
                 mask);
+#ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS
+        if (mask & FAN_ALL_PERM_EVENTS) {
+                /*
+                 * fsnotify_prepare_user_wait() fails if we race with mark
+                 * deletion.  Just let the operation pass in that case.
+                 */
+                if (!fsnotify_prepare_user_wait(iter_info))
+                        return 0;
+        }
+#endif
        event = fanotify_alloc_event(inode, mask, data);
+        ret = -ENOMEM;
        if (unlikely(!event))
-                return -ENOMEM;
+                goto finish;
        fsn_event = &event->fse;
        ret = fsnotify_add_event(group, fsn_event, fanotify_merge);
@@ -223,7 +224,8 @@ static int fanotify_handle_event(struct fsnotify_group *group,
                /* Our event wasn't used in the end. Free it. */
                fsnotify_destroy_event(group, fsn_event);
-                return 0;
+                ret = 0;
+                goto finish;
        }
 #ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS
@@ -232,6 +234,11 @@ static int fanotify_handle_event(struct fsnotify_group *group,
                                            iter_info);
                fsnotify_destroy_event(group, fsn_event);
        }
+finish:
+        if (mask & FAN_ALL_PERM_EVENTS)
+                fsnotify_finish_user_wait(iter_info);
+#else
+finish:
 #endif
        return ret;
 }
author	Miklos Szeredi <mszeredi@redhat.com>	2017-10-30 16:14:56 -0400
committer	Jan Kara <jack@suse.cz>	2017-10-31 12:54:56 -0400
commit	f37650f1c7c71cf5180b43229d13b421d81e7170 (patch)
tree	ff7aab8765170e57aaa8eb117b9c899017b02fe6
parent	9a31d7ad997f55768c687974ce36b759065b49e5 (diff)