diff options
| author | Eric Paris <eparis@redhat.com> | 2009-08-16 21:51:44 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2009-08-17 16:37:37 -0400 |
| commit | eef3a116be11d35396efb2a8cc7345fd3221e294 (patch) | |
| tree | 2a5d0b36dd5985f29eac43f51b03e610e40b7c9b /fs | |
| parent | 0f66f96d21b4bbff49baaa337546e687d7c58e87 (diff) | |
notify: unused event private race
inotify decides if private data it passed to get added to an event was
used by checking list_empty(). But it's possible that the event may
have been dequeued and the private event removed so it would look empty.
The fix is to use the return code from fsnotify_add_notify_event rather
than looking at the list.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/notify/inotify/inotify_fsnotify.c | 13 | ||||
| -rw-r--r-- | fs/notify/inotify/inotify_user.c | 7 | ||||
| -rw-r--r-- | fs/notify/notification.c | 7 |
3 files changed, 13 insertions, 14 deletions
diff --git a/fs/notify/inotify/inotify_fsnotify.c b/fs/notify/inotify/inotify_fsnotify.c index 47cd258fd24d..5dcbafe72d71 100644 --- a/fs/notify/inotify/inotify_fsnotify.c +++ b/fs/notify/inotify/inotify_fsnotify.c | |||
| @@ -62,13 +62,14 @@ static int inotify_handle_event(struct fsnotify_group *group, struct fsnotify_ev | |||
| 62 | event_priv->wd = wd; | 62 | event_priv->wd = wd; |
| 63 | 63 | ||
| 64 | ret = fsnotify_add_notify_event(group, event, fsn_event_priv); | 64 | ret = fsnotify_add_notify_event(group, event, fsn_event_priv); |
| 65 | /* EEXIST is not an error */ | 65 | if (ret) { |
| 66 | if (ret == -EEXIST) | ||
| 67 | ret = 0; | ||
| 68 | |||
| 69 | /* did event_priv get attached? */ | ||
| 70 | if (list_empty(&fsn_event_priv->event_list)) | ||
| 71 | inotify_free_event_priv(fsn_event_priv); | 66 | inotify_free_event_priv(fsn_event_priv); |
| 67 | /* EEXIST says we tail matched, EOVERFLOW isn't something | ||
| 68 | * to report up the stack. */ | ||
| 69 | if ((ret == -EEXIST) || | ||
| 70 | (ret == -EOVERFLOW)) | ||
| 71 | ret = 0; | ||
| 72 | } | ||
| 72 | 73 | ||
| 73 | /* | 74 | /* |
| 74 | * If we hold the entry until after the event is on the queue | 75 | * If we hold the entry until after the event is on the queue |
diff --git a/fs/notify/inotify/inotify_user.c b/fs/notify/inotify/inotify_user.c index f30d9bbc2e1b..c172a7a17b17 100644 --- a/fs/notify/inotify/inotify_user.c +++ b/fs/notify/inotify/inotify_user.c | |||
| @@ -386,6 +386,7 @@ void inotify_ignored_and_remove_idr(struct fsnotify_mark_entry *entry, | |||
| 386 | struct fsnotify_event *ignored_event; | 386 | struct fsnotify_event *ignored_event; |
| 387 | struct inotify_event_private_data *event_priv; | 387 | struct inotify_event_private_data *event_priv; |
| 388 | struct fsnotify_event_private_data *fsn_event_priv; | 388 | struct fsnotify_event_private_data *fsn_event_priv; |
| 389 | int ret; | ||
| 389 | 390 | ||
| 390 | ignored_event = fsnotify_create_event(NULL, FS_IN_IGNORED, NULL, | 391 | ignored_event = fsnotify_create_event(NULL, FS_IN_IGNORED, NULL, |
| 391 | FSNOTIFY_EVENT_NONE, NULL, 0, | 392 | FSNOTIFY_EVENT_NONE, NULL, 0, |
| @@ -404,10 +405,8 @@ void inotify_ignored_and_remove_idr(struct fsnotify_mark_entry *entry, | |||
| 404 | fsn_event_priv->group = group; | 405 | fsn_event_priv->group = group; |
| 405 | event_priv->wd = ientry->wd; | 406 | event_priv->wd = ientry->wd; |
| 406 | 407 | ||
| 407 | fsnotify_add_notify_event(group, ignored_event, fsn_event_priv); | 408 | ret = fsnotify_add_notify_event(group, ignored_event, fsn_event_priv); |
| 408 | 409 | if (ret) | |
| 409 | /* did the private data get added? */ | ||
| 410 | if (list_empty(&fsn_event_priv->event_list)) | ||
| 411 | inotify_free_event_priv(fsn_event_priv); | 410 | inotify_free_event_priv(fsn_event_priv); |
| 412 | 411 | ||
| 413 | skip_send_ignore: | 412 | skip_send_ignore: |
diff --git a/fs/notify/notification.c b/fs/notify/notification.c index 521368574e97..74b3cf30bc6b 100644 --- a/fs/notify/notification.c +++ b/fs/notify/notification.c | |||
| @@ -171,9 +171,7 @@ int fsnotify_add_notify_event(struct fsnotify_group *group, struct fsnotify_even | |||
| 171 | struct list_head *list = &group->notification_list; | 171 | struct list_head *list = &group->notification_list; |
| 172 | struct fsnotify_event_holder *last_holder; | 172 | struct fsnotify_event_holder *last_holder; |
| 173 | struct fsnotify_event *last_event; | 173 | struct fsnotify_event *last_event; |
| 174 | 174 | int ret = 0; | |
| 175 | /* easy to tell if priv was attached to the event */ | ||
| 176 | INIT_LIST_HEAD(&priv->event_list); | ||
| 177 | 175 | ||
| 178 | /* | 176 | /* |
| 179 | * There is one fsnotify_event_holder embedded inside each fsnotify_event. | 177 | * There is one fsnotify_event_holder embedded inside each fsnotify_event. |
| @@ -194,6 +192,7 @@ alloc_holder: | |||
| 194 | 192 | ||
| 195 | if (group->q_len >= group->max_events) { | 193 | if (group->q_len >= group->max_events) { |
| 196 | event = &q_overflow_event; | 194 | event = &q_overflow_event; |
| 195 | ret = -EOVERFLOW; | ||
| 197 | /* sorry, no private data on the overflow event */ | 196 | /* sorry, no private data on the overflow event */ |
| 198 | priv = NULL; | 197 | priv = NULL; |
| 199 | } | 198 | } |
| @@ -235,7 +234,7 @@ alloc_holder: | |||
| 235 | mutex_unlock(&group->notification_mutex); | 234 | mutex_unlock(&group->notification_mutex); |
| 236 | 235 | ||
| 237 | wake_up(&group->notification_waitq); | 236 | wake_up(&group->notification_waitq); |
| 238 | return 0; | 237 | return ret; |
| 239 | } | 238 | } |
| 240 | 239 | ||
| 241 | /* | 240 | /* |