diff options
| author | Jan Kara <jack@suse.cz> | 2014-02-21 13:14:11 -0500 |
|---|---|---|
| committer | Jan Kara <jack@suse.cz> | 2014-02-25 05:18:06 -0500 |
| commit | ff57cd5863cf3014c1c5ed62ce2715294f065b17 (patch) | |
| tree | c9bc7bd04326afc92d85a476d28453218c40e14e /fs/notify | |
| parent | 482ef06c5e946aae360f247dc69471ec031e09d2 (diff) | |
fsnotify: Allocate overflow events with proper type
Commit 7053aee26a35 "fsnotify: do not share events between notification
groups" used overflow event statically allocated in a group with the
size of the generic notification event. This causes problems because
some code looks at type specific parts of event structure and gets
confused by a random data it sees there and causes crashes.
Fix the problem by allocating overflow event with type corresponding to
the group type so code cannot get confused.
Signed-off-by: Jan Kara <jack@suse.cz>
Diffstat (limited to 'fs/notify')
| -rw-r--r-- | fs/notify/fanotify/fanotify_user.c | 13 | ||||
| -rw-r--r-- | fs/notify/group.c | 8 | ||||
| -rw-r--r-- | fs/notify/inotify/inotify_user.c | 12 | ||||
| -rw-r--r-- | fs/notify/notification.c | 4 |
4 files changed, 34 insertions, 3 deletions
diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c index b6175fa11bf8..287a22c04149 100644 --- a/fs/notify/fanotify/fanotify_user.c +++ b/fs/notify/fanotify/fanotify_user.c | |||
| @@ -698,6 +698,7 @@ SYSCALL_DEFINE2(fanotify_init, unsigned int, flags, unsigned int, event_f_flags) | |||
| 698 | struct fsnotify_group *group; | 698 | struct fsnotify_group *group; |
| 699 | int f_flags, fd; | 699 | int f_flags, fd; |
| 700 | struct user_struct *user; | 700 | struct user_struct *user; |
| 701 | struct fanotify_event_info *oevent; | ||
| 701 | 702 | ||
| 702 | pr_debug("%s: flags=%d event_f_flags=%d\n", | 703 | pr_debug("%s: flags=%d event_f_flags=%d\n", |
| 703 | __func__, flags, event_f_flags); | 704 | __func__, flags, event_f_flags); |
| @@ -730,8 +731,20 @@ SYSCALL_DEFINE2(fanotify_init, unsigned int, flags, unsigned int, event_f_flags) | |||
| 730 | group->fanotify_data.user = user; | 731 | group->fanotify_data.user = user; |
| 731 | atomic_inc(&user->fanotify_listeners); | 732 | atomic_inc(&user->fanotify_listeners); |
| 732 | 733 | ||
| 734 | oevent = kmem_cache_alloc(fanotify_event_cachep, GFP_KERNEL); | ||
| 735 | if (unlikely(!oevent)) { | ||
| 736 | fd = -ENOMEM; | ||
| 737 | goto out_destroy_group; | ||
| 738 | } | ||
| 739 | group->overflow_event = &oevent->fse; | ||
| 740 | fsnotify_init_event(group->overflow_event, NULL, FS_Q_OVERFLOW); | ||
| 741 | oevent->tgid = get_pid(task_tgid(current)); | ||
| 742 | oevent->path.mnt = NULL; | ||
| 743 | oevent->path.dentry = NULL; | ||
| 744 | |||
| 733 | group->fanotify_data.f_flags = event_f_flags; | 745 | group->fanotify_data.f_flags = event_f_flags; |
| 734 | #ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS | 746 | #ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS |
| 747 | oevent->response = 0; | ||
| 735 | mutex_init(&group->fanotify_data.access_mutex); | 748 | mutex_init(&group->fanotify_data.access_mutex); |
| 736 | init_waitqueue_head(&group->fanotify_data.access_waitq); | 749 | init_waitqueue_head(&group->fanotify_data.access_waitq); |
| 737 | INIT_LIST_HEAD(&group->fanotify_data.access_list); | 750 | INIT_LIST_HEAD(&group->fanotify_data.access_list); |
diff --git a/fs/notify/group.c b/fs/notify/group.c index ee674fe2cec7..ad1995980456 100644 --- a/fs/notify/group.c +++ b/fs/notify/group.c | |||
| @@ -55,6 +55,13 @@ void fsnotify_destroy_group(struct fsnotify_group *group) | |||
| 55 | /* clear the notification queue of all events */ | 55 | /* clear the notification queue of all events */ |
| 56 | fsnotify_flush_notify(group); | 56 | fsnotify_flush_notify(group); |
| 57 | 57 | ||
| 58 | /* | ||
| 59 | * Destroy overflow event (we cannot use fsnotify_destroy_event() as | ||
| 60 | * that deliberately ignores overflow events. | ||
| 61 | */ | ||
| 62 | if (group->overflow_event) | ||
| 63 | group->ops->free_event(group->overflow_event); | ||
| 64 | |||
| 58 | fsnotify_put_group(group); | 65 | fsnotify_put_group(group); |
| 59 | } | 66 | } |
| 60 | 67 | ||
| @@ -99,7 +106,6 @@ struct fsnotify_group *fsnotify_alloc_group(const struct fsnotify_ops *ops) | |||
| 99 | INIT_LIST_HEAD(&group->marks_list); | 106 | INIT_LIST_HEAD(&group->marks_list); |
| 100 | 107 | ||
| 101 | group->ops = ops; | 108 | group->ops = ops; |
| 102 | fsnotify_init_event(&group->overflow_event, NULL, FS_Q_OVERFLOW); | ||
| 103 | 109 | ||
| 104 | return group; | 110 | return group; |
| 105 | } | 111 | } |
diff --git a/fs/notify/inotify/inotify_user.c b/fs/notify/inotify/inotify_user.c index 6528b5a54ca0..78a2ca3966c3 100644 --- a/fs/notify/inotify/inotify_user.c +++ b/fs/notify/inotify/inotify_user.c | |||
| @@ -633,11 +633,23 @@ static int inotify_update_watch(struct fsnotify_group *group, struct inode *inod | |||
| 633 | static struct fsnotify_group *inotify_new_group(unsigned int max_events) | 633 | static struct fsnotify_group *inotify_new_group(unsigned int max_events) |
| 634 | { | 634 | { |
| 635 | struct fsnotify_group *group; | 635 | struct fsnotify_group *group; |
| 636 | struct inotify_event_info *oevent; | ||
| 636 | 637 | ||
| 637 | group = fsnotify_alloc_group(&inotify_fsnotify_ops); | 638 | group = fsnotify_alloc_group(&inotify_fsnotify_ops); |
| 638 | if (IS_ERR(group)) | 639 | if (IS_ERR(group)) |
| 639 | return group; | 640 | return group; |
| 640 | 641 | ||
| 642 | oevent = kmalloc(sizeof(struct inotify_event_info), GFP_KERNEL); | ||
| 643 | if (unlikely(!oevent)) { | ||
| 644 | fsnotify_destroy_group(group); | ||
| 645 | return ERR_PTR(-ENOMEM); | ||
| 646 | } | ||
| 647 | group->overflow_event = &oevent->fse; | ||
| 648 | fsnotify_init_event(group->overflow_event, NULL, FS_Q_OVERFLOW); | ||
| 649 | oevent->wd = -1; | ||
| 650 | oevent->sync_cookie = 0; | ||
| 651 | oevent->name_len = 0; | ||
| 652 | |||
| 641 | group->max_events = max_events; | 653 | group->max_events = max_events; |
| 642 | 654 | ||
| 643 | spin_lock_init(&group->inotify_data.idr_lock); | 655 | spin_lock_init(&group->inotify_data.idr_lock); |
diff --git a/fs/notify/notification.c b/fs/notify/notification.c index 6a4ba17c0395..1e58402171a5 100644 --- a/fs/notify/notification.c +++ b/fs/notify/notification.c | |||
| @@ -98,11 +98,11 @@ int fsnotify_add_notify_event(struct fsnotify_group *group, | |||
| 98 | if (group->q_len >= group->max_events) { | 98 | if (group->q_len >= group->max_events) { |
| 99 | ret = 2; | 99 | ret = 2; |
| 100 | /* Queue overflow event only if it isn't already queued */ | 100 | /* Queue overflow event only if it isn't already queued */ |
| 101 | if (!list_empty(&group->overflow_event.list)) { | 101 | if (!list_empty(&group->overflow_event->list)) { |
| 102 | mutex_unlock(&group->notification_mutex); | 102 | mutex_unlock(&group->notification_mutex); |
| 103 | return ret; | 103 | return ret; |
| 104 | } | 104 | } |
| 105 | event = &group->overflow_event; | 105 | event = group->overflow_event; |
| 106 | goto queue; | 106 | goto queue; |
| 107 | } | 107 | } |
| 108 | 108 | ||