[PATCH] fs, fanotify: dont send notification event for coredump file

* [PATCH] fs, fanotify: dont send notification event for coredump file
@ 2012-03-25  1:28 Lino Sanfilippo
  2012-03-26 17:03 ` Eric Paris
  0 siblings, 1 reply; 3+ messages in thread
From: Lino Sanfilippo @ 2012-03-25  1:28 UTC (permalink / raw)
  To: viro, eparis; +Cc: linux-fsdevel, vasily.novikov

Currently fsnotify events are created for core dump files. This may
lead to problems if a listener has registered with fanotify to watch
permission events for the whole filesystem:
If it is the listener itself that causes the creation of a core dump file
(due to a segfault) a permission event is created but never granted
(the listener is not running any more).
OTOH the listener cant unregister either, since its waiting for its own
ack. Since no file accesses are answered any more, eventually the whole
system freezes.

This patch solves the problem by allowing the core dump file to be
created without sending a notification event. For this reason the
FMODE_NONOTIFY flag is no longer cleared in build_open_flags() but
in the caller. Furthermore it is set for the creation of the core dump
file.
Also callers of filp_open() are now able to specify FMODE_NONOTIFY if
they dont want notification events to be created for an opened file.

Reported-by: Vasily Novikov <vasily.novikov@kaspersky.com>
Signed-off-by: Lino Sanfilippo <LinoSanfilippo@gmx.de>
---
s patch applies against 3.3
The bug has been reported here:
http://marc.info/?l=linux-fsdevel&m=129346873312523&w=2

 fs/exec.c |    5 ++---
 fs/open.c |    9 ++++-----
 2 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/fs/exec.c b/fs/exec.c
index 153dee1..3c65946 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -2197,9 +2197,8 @@ void do_coredump(long signr, int exit_code, struct pt_regs *regs)
 		if (cprm.limit < binfmt->min_coredump)
 			goto fail_unlock;
 
-		cprm.file = filp_open(cn.corename,
-				 O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag,
-				 0600);
+		flag |= O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | FMODE_NONOTIFY;
+		cprm.file = filp_open(cn.corename, flag, 0600);
 		if (IS_ERR(cprm.file))
 			goto fail_unlock;
 
diff --git a/fs/open.c b/fs/open.c
index 77becc0..955fe2f 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -886,9 +886,6 @@ static inline int build_open_flags(int flags, umode_t mode, struct open_flags *o
 		mode = 0;
 	op->mode = mode;
 
-	/* Must never be set by userspace */
-	flags &= ~FMODE_NONOTIFY;
-
 	/*
 	 * O_SYNC is implemented as __O_SYNC|O_DSYNC.  As many places only
 	 * check for O_DSYNC if the need any syncing at all we enforce it's
@@ -947,6 +944,8 @@ static inline int build_open_flags(int flags, umode_t mode, struct open_flags *o
  * This is the helper to open a file from kernelspace if you really
  * have to.  But in generally you should not do this, so please move
  * along, nothing to see here..
+ * NOTE: If flags are given from userspace consider to ensure that
+ * FMODE_NONOTIFY is not set.
  */
 struct file *filp_open(const char *filename, int flags, umode_t mode)
 {
@@ -960,7 +959,7 @@ struct file *file_open_root(struct dentry *dentry, struct vfsmount *mnt,
 			    const char *filename, int flags)
 {
 	struct open_flags op;
-	int lookup = build_open_flags(flags, 0, &op);
+	int lookup = build_open_flags(flags & ~FMODE_NONOTIFY, 0, &op);
 	if (flags & O_CREAT)
 		return ERR_PTR(-EINVAL);
 	if (!filename && (flags & O_DIRECTORY))
@@ -973,7 +972,7 @@ EXPORT_SYMBOL(file_open_root);
 long do_sys_open(int dfd, const char __user *filename, int flags, umode_t mode)
 {
 	struct open_flags op;
-	int lookup = build_open_flags(flags, mode, &op);
+	int lookup = build_open_flags(flags & ~FMODE_NONOTIFY, mode, &op);
 	char *tmp = getname(filename);
 	int fd = PTR_ERR(tmp);
 
-- 
1.7.2.5


^ permalink raw reply related	[flat|nested] 3+ messages in thread