author | Eric Paris <eparis@redhat.com> | 2009-09-11 13:03:19 -0400 |
---|---|---|
committer | Eric Paris <eparis@redhat.com> | 2009-10-18 15:49:38 -0400 |
commit | 9f0d793b52eb2266359661369ef6303838904855 (patch) | |
tree | c884f59a4ad9ce50b033710d47894bc96c214a6c | |
parent | 2fdc246aaf9a7fa088451ad2a72e9119b5f7f029 (diff) |
fsnotify: do not set group for a mark before it is on the i_list
fsnotify_add_mark is supposed to add a mark to the g_list and i_list and to
set the group and inode for the mark. fsnotify_destroy_mark_by_entry uses
the fact that ->group != NULL to know if this group should be destroyed or
if it's already been done.
But fsnotify_add_mark sets the group and inode before it actually adds the
mark to the i_list and g_list. This can result in a race in inotify, it
requires 3 threads.
sys_inotify_add_watch("file") sys_inotify_add_watch("file") sys_inotify_rm_watch([a])
inotify_update_watch()
inotify_new_watch()
inotify_add_to_idr()
^--- returns wd = [a]
inotify_update_watch()
inotify_new_watch()
inotify_add_to_idr()
fsnotify_add_mark()
^--- returns wd = [b]
returns to userspace;
inotify_idr_find([a])
^--- gives us the pointer from task 1
fsnotify_add_mark()
^--- this is going to set the mark->group and mark->inode fields, but will
return -EEXIST because of the race with [b].
fsnotify_destroy_mark()
^--- since ->group != NULL we call back
into inotify_freeing_mark() which calls
inotify_remove_from_idr([a])
since fsnotify_add_mark() failed we call:
inotify_remove_from_idr([a]) <------WHOOPS it's not in the idr, this could
have been any entry added later!
The fix is to make sure we don't set mark->group until we are sure the mark is
on the inode and fsnotify_add_mark will return success.
Signed-off-by: Eric Paris <eparis@redhat.com>
-rw-r--r-- | fs/notify/inode_mark.c | 6 |
1 files changed, 3 insertions, 3 deletions
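--- a/fs/notify/inode_mark.c
+++ b/fs/notify/inode_mark.c
@@ -324,11 +324,11 @@ int fsnotify_add_mark(struct fsnotify_mark_entry *entry,
 spin_lock(&group->mark_lock);
 spin_lock(&inode->i_lock);
 
-entry->group = group;
-entry->inode = inode;
-
 lentry = fsnotify_find_mark_entry(group, inode);
 if (!lentry) {
+entry->group = group;
+entry->inode = inode;
+
 hlist_add_head(&entry->i_list, &inode->i_fsnotify_mark_entries);
 list_add(&entry->g_list, &group->mark_entries);
 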
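Review bot: Nothing in the new `if (!lentry)` branch records why `entry->group` and `entry->inode` must be assigned there and not earlier, so a later cleanup could hoist them back above `fsnotify_find_mark_entry()` and reopen the race described in the commit message. A comment above the two assignments would pin the invariant, for example `/* set only once the mark is certain to be listed: fsnotify_destroy_mark_by_entry() treats ->group != NULL as "still attached" */`. On the path where `lentry` is found, the entry keeps whatever group and inode it had on entry, presumably NULL from initialisation, and callers handling the failure return depend on that; it is worth stating in the function's header comment. The body of fsnotify_add_mark starts and ends outside this hunk.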