diff options
| author | Davide Libenzi <davidel@xmailserver.org> | 2005-09-16 22:28:06 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@g5.osdl.org> | 2005-09-17 14:50:02 -0400 |
| commit | 53d2be79d5981b7efc8c5ec1169613bba95bde20 (patch) | |
| tree | 0827b66ad3ffb70f0e7503c3db3b01d6d7a1037b /fs/eventpoll.c | |
| parent | dda8577fb5a00507e5aea737833190a10516b257 (diff) | |
[PATCH] epoll: fix delayed initialization bug
Al found a potential problem in epoll_create(), where the
file->private_data member was set after fd_install(). This is obviously
wrong since another thread might do a close() on that fd# before we set the
file->private_data member. This goes over 2.6.13 and passes a few basic
tests I've done here.
(akpm: snuck in a kzalloc() cleanup too)
Signed-off-by: Davide Libenzi <davidel@xmailserver.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'fs/eventpoll.c')
| -rw-r--r-- | fs/eventpoll.c | 40 |
1 files changed, 20 insertions, 20 deletions
diff --git a/fs/eventpoll.c b/fs/eventpoll.c index 6ab1dd0ca904..403b90a1213d 100644 --- a/fs/eventpoll.c +++ b/fs/eventpoll.c | |||
| @@ -231,8 +231,9 @@ struct ep_pqueue { | |||
| 231 | 231 | ||
| 232 | static void ep_poll_safewake_init(struct poll_safewake *psw); | 232 | static void ep_poll_safewake_init(struct poll_safewake *psw); |
| 233 | static void ep_poll_safewake(struct poll_safewake *psw, wait_queue_head_t *wq); | 233 | static void ep_poll_safewake(struct poll_safewake *psw, wait_queue_head_t *wq); |
| 234 | static int ep_getfd(int *efd, struct inode **einode, struct file **efile); | 234 | static int ep_getfd(int *efd, struct inode **einode, struct file **efile, |
| 235 | static int ep_file_init(struct file *file); | 235 | struct eventpoll *ep); |
| 236 | static int ep_alloc(struct eventpoll **pep); | ||
| 236 | static void ep_free(struct eventpoll *ep); | 237 | static void ep_free(struct eventpoll *ep); |
| 237 | static struct epitem *ep_find(struct eventpoll *ep, struct file *file, int fd); | 238 | static struct epitem *ep_find(struct eventpoll *ep, struct file *file, int fd); |
| 238 | static void ep_use_epitem(struct epitem *epi); | 239 | static void ep_use_epitem(struct epitem *epi); |
| @@ -501,38 +502,37 @@ void eventpoll_release_file(struct file *file) | |||
| 501 | asmlinkage long sys_epoll_create(int size) | 502 | asmlinkage long sys_epoll_create(int size) |
| 502 | { | 503 | { |
| 503 | int error, fd; | 504 | int error, fd; |
| 505 | struct eventpoll *ep; | ||
| 504 | struct inode *inode; | 506 | struct inode *inode; |
| 505 | struct file *file; | 507 | struct file *file; |
| 506 | 508 | ||
| 507 | DNPRINTK(3, (KERN_INFO "[%p] eventpoll: sys_epoll_create(%d)\n", | 509 | DNPRINTK(3, (KERN_INFO "[%p] eventpoll: sys_epoll_create(%d)\n", |
| 508 | current, size)); | 510 | current, size)); |
| 509 | 511 | ||
| 510 | /* Sanity check on the size parameter */ | 512 | /* |
| 513 | * Sanity check on the size parameter, and create the internal data | ||
| 514 | * structure ( "struct eventpoll" ). | ||
| 515 | */ | ||
| 511 | error = -EINVAL; | 516 | error = -EINVAL; |
| 512 | if (size <= 0) | 517 | if (size <= 0 || (error = ep_alloc(&ep)) != 0) |
| 513 | goto eexit_1; | 518 | goto eexit_1; |
| 514 | 519 | ||
| 515 | /* | 520 | /* |
| 516 | * Creates all the items needed to setup an eventpoll file. That is, | 521 | * Creates all the items needed to setup an eventpoll file. That is, |
| 517 | * a file structure, and inode and a free file descriptor. | 522 | * a file structure, and inode and a free file descriptor. |
| 518 | */ | 523 | */ |
| 519 | error = ep_getfd(&fd, &inode, &file); | 524 | error = ep_getfd(&fd, &inode, &file, ep); |
| 520 | if (error) | ||
| 521 | goto eexit_1; | ||
| 522 | |||
| 523 | /* Setup the file internal data structure ( "struct eventpoll" ) */ | ||
| 524 | error = ep_file_init(file); | ||
| 525 | if (error) | 525 | if (error) |
| 526 | goto eexit_2; | 526 | goto eexit_2; |
| 527 | 527 | ||
| 528 | |||
| 529 | DNPRINTK(3, (KERN_INFO "[%p] eventpoll: sys_epoll_create(%d) = %d\n", | 528 | DNPRINTK(3, (KERN_INFO "[%p] eventpoll: sys_epoll_create(%d) = %d\n", |
| 530 | current, size, fd)); | 529 | current, size, fd)); |
| 531 | 530 | ||
| 532 | return fd; | 531 | return fd; |
| 533 | 532 | ||
| 534 | eexit_2: | 533 | eexit_2: |
| 535 | sys_close(fd); | 534 | ep_free(ep); |
| 535 | kfree(ep); | ||
| 536 | eexit_1: | 536 | eexit_1: |
| 537 | DNPRINTK(3, (KERN_INFO "[%p] eventpoll: sys_epoll_create(%d) = %d\n", | 537 | DNPRINTK(3, (KERN_INFO "[%p] eventpoll: sys_epoll_create(%d) = %d\n", |
| 538 | current, size, error)); | 538 | current, size, error)); |
| @@ -706,7 +706,8 @@ eexit_1: | |||
| 706 | /* | 706 | /* |
| 707 | * Creates the file descriptor to be used by the epoll interface. | 707 | * Creates the file descriptor to be used by the epoll interface. |
| 708 | */ | 708 | */ |
| 709 | static int ep_getfd(int *efd, struct inode **einode, struct file **efile) | 709 | static int ep_getfd(int *efd, struct inode **einode, struct file **efile, |
| 710 | struct eventpoll *ep) | ||
| 710 | { | 711 | { |
| 711 | struct qstr this; | 712 | struct qstr this; |
| 712 | char name[32]; | 713 | char name[32]; |
| @@ -756,7 +757,7 @@ static int ep_getfd(int *efd, struct inode **einode, struct file **efile) | |||
| 756 | file->f_op = &eventpoll_fops; | 757 | file->f_op = &eventpoll_fops; |
| 757 | file->f_mode = FMODE_READ; | 758 | file->f_mode = FMODE_READ; |
| 758 | file->f_version = 0; | 759 | file->f_version = 0; |
| 759 | file->private_data = NULL; | 760 | file->private_data = ep; |
| 760 | 761 | ||
| 761 | /* Install the new setup file into the allocated fd. */ | 762 | /* Install the new setup file into the allocated fd. */ |
| 762 | fd_install(fd, file); | 763 | fd_install(fd, file); |
| @@ -777,14 +778,13 @@ eexit_1: | |||
| 777 | } | 778 | } |
| 778 | 779 | ||
| 779 | 780 | ||
| 780 | static int ep_file_init(struct file *file) | 781 | static int ep_alloc(struct eventpoll **pep) |
| 781 | { | 782 | { |
| 782 | struct eventpoll *ep; | 783 | struct eventpoll *ep = kzalloc(sizeof(*ep), GFP_KERNEL); |
| 783 | 784 | ||
| 784 | if (!(ep = kmalloc(sizeof(struct eventpoll), GFP_KERNEL))) | 785 | if (!ep) |
| 785 | return -ENOMEM; | 786 | return -ENOMEM; |
| 786 | 787 | ||
| 787 | memset(ep, 0, sizeof(*ep)); | ||
| 788 | rwlock_init(&ep->lock); | 788 | rwlock_init(&ep->lock); |
| 789 | init_rwsem(&ep->sem); | 789 | init_rwsem(&ep->sem); |
| 790 | init_waitqueue_head(&ep->wq); | 790 | init_waitqueue_head(&ep->wq); |
| @@ -792,9 +792,9 @@ static int ep_file_init(struct file *file) | |||
| 792 | INIT_LIST_HEAD(&ep->rdllist); | 792 | INIT_LIST_HEAD(&ep->rdllist); |
| 793 | ep->rbr = RB_ROOT; | 793 | ep->rbr = RB_ROOT; |
| 794 | 794 | ||
| 795 | file->private_data = ep; | 795 | *pep = ep; |
| 796 | 796 | ||
| 797 | DNPRINTK(3, (KERN_INFO "[%p] eventpoll: ep_file_init() ep=%p\n", | 797 | DNPRINTK(3, (KERN_INFO "[%p] eventpoll: ep_alloc() ep=%p\n", |
| 798 | current, ep)); | 798 | current, ep)); |
| 799 | return 0; | 799 | return 0; |
| 800 | } | 800 | } |