* [PATCH 0/2] fanotify: Fix double free on group shutdown
@ 2014-08-06 13:24 Jan Kara
2014-08-06 13:24 ` [PATCH 1/2] fsnotify: Rename event handling functions Jan Kara
2014-08-06 13:24 ` [PATCH 2/2] fanotify: Fix double free of pending permission events Jan Kara
0 siblings, 2 replies; 3+ messages in thread
From: Jan Kara @ 2014-08-06 13:24 UTC (permalink / raw)
To: Andrew Morton; +Cc: linux-fsdevel, Eric Paris
Hello,
these two patches fix double free (and oops) when fanotify group is
shutdown while it has pending permission events in the notification
queue. The first patch is just some renaming because I had real trouble
finding a sensible name for the new fsnotify function I needed in the
original naming scheme. Andrew, can you please merge the series?
Thanks!
Honza
^ permalink raw reply [flat|nested] 3+ messages in thread
* [PATCH 1/2] fsnotify: Rename event handling functions
2014-08-06 13:24 [PATCH 0/2] fanotify: Fix double free on group shutdown Jan Kara
@ 2014-08-06 13:24 ` Jan Kara
2014-08-06 13:24 ` [PATCH 2/2] fanotify: Fix double free of pending permission events Jan Kara
1 sibling, 0 replies; 3+ messages in thread
From: Jan Kara @ 2014-08-06 13:24 UTC (permalink / raw)
To: Andrew Morton; +Cc: linux-fsdevel, Eric Paris, Jan Kara
Rename fsnotify_add_notify_event() to fsnotify_add_event() since the
"notify" part is duplicit. Rename fsnotify_remove_notify_event() and
fsnotify_peek_notify_event() to fsnotify_remove_first_event() and
fsnotify_peek_first_event() respectively since "notify" part is duplicit
and they really look at the first event in the queue.
Signed-off-by: Jan Kara <jack@suse.cz>
---
fs/notify/fanotify/fanotify.c | 2 +-
fs/notify/fanotify/fanotify_user.c | 2 +-
fs/notify/inotify/inotify_fsnotify.c | 2 +-
fs/notify/inotify/inotify_user.c | 4 ++--
fs/notify/notification.c | 18 +++++++++---------
include/linux/fsnotify_backend.h | 12 ++++++------
6 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c
index ee9cb3795c2b..fdeb36b70c65 100644
--- a/fs/notify/fanotify/fanotify.c
+++ b/fs/notify/fanotify/fanotify.c
@@ -210,7 +210,7 @@ static int fanotify_handle_event(struct fsnotify_group *group,
return -ENOMEM;
fsn_event = &event->fse;
- ret = fsnotify_add_notify_event(group, fsn_event, fanotify_merge);
+ ret = fsnotify_add_event(group, fsn_event, fanotify_merge);
if (ret) {
/* Permission events shouldn't be merged */
BUG_ON(ret == 1 && mask & FAN_ALL_PERM_EVENTS);
diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
index 3fdc8a3e1134..fbf2210823ab 100644
--- a/fs/notify/fanotify/fanotify_user.c
+++ b/fs/notify/fanotify/fanotify_user.c
@@ -66,7 +66,7 @@ static struct fsnotify_event *get_one_event(struct fsnotify_group *group,
/* held the notification_mutex the whole time, so this is the
* same event we peeked above */
- return fsnotify_remove_notify_event(group);
+ return fsnotify_remove_first_event(group);
}
static int create_fd(struct fsnotify_group *group,
diff --git a/fs/notify/inotify/inotify_fsnotify.c b/fs/notify/inotify/inotify_fsnotify.c
index 43ab1e1a07a2..0f88bc0b4e6c 100644
--- a/fs/notify/inotify/inotify_fsnotify.c
+++ b/fs/notify/inotify/inotify_fsnotify.c
@@ -108,7 +108,7 @@ int inotify_handle_event(struct fsnotify_group *group,
if (len)
strcpy(event->name, file_name);
- ret = fsnotify_add_notify_event(group, fsn_event, inotify_merge);
+ ret = fsnotify_add_event(group, fsn_event, inotify_merge);
if (ret) {
/* Our event wasn't used in the end. Free it. */
fsnotify_destroy_event(group, fsn_event);
diff --git a/fs/notify/inotify/inotify_user.c b/fs/notify/inotify/inotify_user.c
index cc423a30a0c8..daf76652fe58 100644
--- a/fs/notify/inotify/inotify_user.c
+++ b/fs/notify/inotify/inotify_user.c
@@ -149,7 +149,7 @@ static struct fsnotify_event *get_one_event(struct fsnotify_group *group,
if (fsnotify_notify_queue_is_empty(group))
return NULL;
- event = fsnotify_peek_notify_event(group);
+ event = fsnotify_peek_first_event(group);
pr_debug("%s: group=%p event=%p\n", __func__, group, event);
@@ -159,7 +159,7 @@ static struct fsnotify_event *get_one_event(struct fsnotify_group *group,
/* held the notification_mutex the whole time, so this is the
* same event we peeked above */
- fsnotify_remove_notify_event(group);
+ fsnotify_remove_first_event(group);
return event;
}
diff --git a/fs/notify/notification.c b/fs/notify/notification.c
index 1e58402171a5..f90f5eecaec9 100644
--- a/fs/notify/notification.c
+++ b/fs/notify/notification.c
@@ -83,10 +83,10 @@ void fsnotify_destroy_event(struct fsnotify_group *group,
* added to the queue, 1 if the event was merged with some other queued event,
* 2 if the queue of events has overflown.
*/
-int fsnotify_add_notify_event(struct fsnotify_group *group,
- struct fsnotify_event *event,
- int (*merge)(struct list_head *,
- struct fsnotify_event *))
+int fsnotify_add_event(struct fsnotify_group *group,
+ struct fsnotify_event *event,
+ int (*merge)(struct list_head *,
+ struct fsnotify_event *))
{
int ret = 0;
struct list_head *list = &group->notification_list;
@@ -128,7 +128,7 @@ queue:
* Remove and return the first event from the notification list. It is the
* responsibility of the caller to destroy the obtained event
*/
-struct fsnotify_event *fsnotify_remove_notify_event(struct fsnotify_group *group)
+struct fsnotify_event *fsnotify_remove_first_event(struct fsnotify_group *group)
{
struct fsnotify_event *event;
@@ -140,7 +140,7 @@ struct fsnotify_event *fsnotify_remove_notify_event(struct fsnotify_group *group
struct fsnotify_event, list);
/*
* We need to init list head for the case of overflow event so that
- * check in fsnotify_add_notify_events() works
+ * check in fsnotify_add_event() works
*/
list_del_init(&event->list);
group->q_len--;
@@ -149,9 +149,9 @@ struct fsnotify_event *fsnotify_remove_notify_event(struct fsnotify_group *group
}
/*
- * This will not remove the event, that must be done with fsnotify_remove_notify_event()
+ * This will not remove the event, that must be done with fsnotify_remove_first_event()
*/
-struct fsnotify_event *fsnotify_peek_notify_event(struct fsnotify_group *group)
+struct fsnotify_event *fsnotify_peek_first_event(struct fsnotify_group *group)
{
BUG_ON(!mutex_is_locked(&group->notification_mutex));
@@ -169,7 +169,7 @@ void fsnotify_flush_notify(struct fsnotify_group *group)
mutex_lock(&group->notification_mutex);
while (!fsnotify_notify_queue_is_empty(group)) {
- event = fsnotify_remove_notify_event(group);
+ event = fsnotify_remove_first_event(group);
fsnotify_destroy_event(group, event);
}
mutex_unlock(&group->notification_mutex);
diff --git a/include/linux/fsnotify_backend.h b/include/linux/fsnotify_backend.h
index fc7718c6bd3e..a6e899943363 100644
--- a/include/linux/fsnotify_backend.h
+++ b/include/linux/fsnotify_backend.h
@@ -322,16 +322,16 @@ extern int fsnotify_fasync(int fd, struct file *file, int on);
extern void fsnotify_destroy_event(struct fsnotify_group *group,
struct fsnotify_event *event);
/* attach the event to the group notification queue */
-extern int fsnotify_add_notify_event(struct fsnotify_group *group,
- struct fsnotify_event *event,
- int (*merge)(struct list_head *,
- struct fsnotify_event *));
+extern int fsnotify_add_event(struct fsnotify_group *group,
+ struct fsnotify_event *event,
+ int (*merge)(struct list_head *,
+ struct fsnotify_event *));
/* true if the group notification queue is empty */
extern bool fsnotify_notify_queue_is_empty(struct fsnotify_group *group);
/* return, but do not dequeue the first event on the notification queue */
-extern struct fsnotify_event *fsnotify_peek_notify_event(struct fsnotify_group *group);
+extern struct fsnotify_event *fsnotify_peek_first_event(struct fsnotify_group *group);
/* return AND dequeue the first event on the notification queue */
-extern struct fsnotify_event *fsnotify_remove_notify_event(struct fsnotify_group *group);
+extern struct fsnotify_event *fsnotify_remove_first_event(struct fsnotify_group *group);
/* functions used to manipulate the marks attached to inodes */
--
1.8.1.4
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH 2/2] fanotify: Fix double free of pending permission events
2014-08-06 13:24 [PATCH 0/2] fanotify: Fix double free on group shutdown Jan Kara
2014-08-06 13:24 ` [PATCH 1/2] fsnotify: Rename event handling functions Jan Kara
@ 2014-08-06 13:24 ` Jan Kara
1 sibling, 0 replies; 3+ messages in thread
From: Jan Kara @ 2014-08-06 13:24 UTC (permalink / raw)
To: Andrew Morton; +Cc: linux-fsdevel, Eric Paris, Jan Kara, stable
Commit 85816794240b (fanotify: Fix use after free for permission events)
introduced a double free issue for permission events which are pending
in group's notification queue while group is being destroyed. These
events are freed from fanotify_handle_event() but they are not removed
from groups notification queue and thus they get freed again from
fsnotify_flush_notify().
Fix the problem by removing permission events from notification queue
before freeing them if we skip processing access response. Also expand
comments in fanotify_release() to explain group shutdown in detail.
Fixes: 85816794240b9659e66e4d9b0df7c6e814e5f603
Reported-and-tested-by: Douglas Leeder <douglas.leeder@sophos.com>
Reported-by: Heinrich Schuchard <xypron.glpk@gmx.de>
CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
---
fs/notify/fanotify/fanotify.c | 9 ++++++++-
fs/notify/fanotify/fanotify_user.c | 12 ++++++++++++
fs/notify/notification.c | 18 +++++++++++++++++-
include/linux/fsnotify_backend.h | 2 ++
4 files changed, 39 insertions(+), 2 deletions(-)
diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c
index fdeb36b70c65..30d3addfad75 100644
--- a/fs/notify/fanotify/fanotify.c
+++ b/fs/notify/fanotify/fanotify.c
@@ -70,8 +70,15 @@ static int fanotify_get_response(struct fsnotify_group *group,
wait_event(group->fanotify_data.access_waitq, event->response ||
atomic_read(&group->fanotify_data.bypass_perm));
- if (!event->response) /* bypass_perm set */
+ if (!event->response) { /* bypass_perm set */
+ /*
+ * Event was canceled because group is being destroyed. Remove
+ * it from group's event list because we are responsible for
+ * freeing the permission event.
+ */
+ fsnotify_remove_event(group, &event->fae.fse);
return 0;
+ }
/* userspace responded, convert to something usable */
switch (event->response) {
diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
index fbf2210823ab..b13992a41bd9 100644
--- a/fs/notify/fanotify/fanotify_user.c
+++ b/fs/notify/fanotify/fanotify_user.c
@@ -359,6 +359,11 @@ static int fanotify_release(struct inode *ignored, struct file *file)
#ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS
struct fanotify_perm_event_info *event, *next;
+ /*
+ * There may be still new events arriving in the notification queue
+ * but since userspace cannot use fanotify fd anymore, no event can
+ * enter or leave access_list by now.
+ */
spin_lock(&group->fanotify_data.access_lock);
atomic_inc(&group->fanotify_data.bypass_perm);
@@ -373,6 +378,13 @@ static int fanotify_release(struct inode *ignored, struct file *file)
}
spin_unlock(&group->fanotify_data.access_lock);
+ /*
+ * Since bypass_perm is set, newly queued events will not wait for
+ * access response. Wake up the already sleeping ones now.
+ * synchronize_srcu() in fsnotify_destroy_group() will wait for all
+ * processes sleeping in fanotify_handle_event() waiting for access
+ * response and thus also for all permission events to be freed.
+ */
wake_up(&group->fanotify_data.access_waitq);
#endif
diff --git a/fs/notify/notification.c b/fs/notify/notification.c
index f90f5eecaec9..b2cd875cb22a 100644
--- a/fs/notify/notification.c
+++ b/fs/notify/notification.c
@@ -73,7 +73,8 @@ void fsnotify_destroy_event(struct fsnotify_group *group,
/* Overflow events are per-group and we don't want to free them */
if (!event || event->mask == FS_Q_OVERFLOW)
return;
-
+ /* If the event is still queued, we have a problem... */
+ WARN_ON(!list_empty(&event->list));
group->ops->free_event(event);
}
@@ -125,6 +126,21 @@ queue:
}
/*
+ * Remove @event from group's notification queue. It is the responsibility of
+ * the caller to destroy the event.
+ */
+void fsnotify_remove_event(struct fsnotify_group *group,
+ struct fsnotify_event *event)
+{
+ mutex_lock(&group->notification_mutex);
+ if (!list_empty(&event->list)) {
+ list_del_init(&event->list);
+ group->q_len--;
+ }
+ mutex_unlock(&group->notification_mutex);
+}
+
+/*
* Remove and return the first event from the notification list. It is the
* responsibility of the caller to destroy the obtained event
*/
diff --git a/include/linux/fsnotify_backend.h b/include/linux/fsnotify_backend.h
index a6e899943363..ca060d7c4fa6 100644
--- a/include/linux/fsnotify_backend.h
+++ b/include/linux/fsnotify_backend.h
@@ -326,6 +326,8 @@ extern int fsnotify_add_event(struct fsnotify_group *group,
struct fsnotify_event *event,
int (*merge)(struct list_head *,
struct fsnotify_event *));
+/* Remove passed event from groups notification queue */
+extern void fsnotify_remove_event(struct fsnotify_group *group, struct fsnotify_event *event);
/* true if the group notification queue is empty */
extern bool fsnotify_notify_queue_is_empty(struct fsnotify_group *group);
/* return, but do not dequeue the first event on the notification queue */
--
1.8.1.4
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2014-08-06 13:24 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-08-06 13:24 [PATCH 0/2] fanotify: Fix double free on group shutdown Jan Kara
2014-08-06 13:24 ` [PATCH 1/2] fsnotify: Rename event handling functions Jan Kara
2014-08-06 13:24 ` [PATCH 2/2] fanotify: Fix double free of pending permission events Jan Kara
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.