From patchwork Wed Oct 25 08:41:34 2017
X-Patchwork-Submitter: Miklos Szeredi
X-Patchwork-Id: 10026045
From: Miklos Szeredi
To: linux-fsdevel@vger.kernel.org
Cc: Jan Kara, Amir Goldstein, Xiong Zhou, linux-kernel@vger.kernel.org
Subject: [PATCH v2 2/7] fsnotify: pin both inode and vfsmount mark
Date: Wed, 25 Oct 2017 10:41:34 +0200
Message-Id: <1508920899-8115-3-git-send-email-mszeredi@redhat.com>
In-Reply-To: <1508920899-8115-1-git-send-email-mszeredi@redhat.com>
References: <1508920899-8115-1-git-send-email-mszeredi@redhat.com>

We may fail to pin one of the marks in fsnotify_prepare_user_wait() when
dropping the srcu read lock, resulting in use after free at the next
iteration. Solution is to store both marks in iter_info instead of just
the one we'll be sending the event for.

Signed-off-by: Miklos Szeredi
Fixes: 9385a84d7e1f ("fsnotify: Pass fsnotify_iter_info into handle_event handler")
Cc: # v4.12
---
 fs/notify/fsnotify.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/fs/notify/fsnotify.c b/fs/notify/fsnotify.c index 0c4583b61717..48ec61f4c4d5 100644 --- a/fs/notify/fsnotify.c +++ b/fs/notify/fsnotify.c
@@ -336,6 +336,9 @@ int fsnotify(struct inode *to_tell, __u32 mask, const void *data, int data_is, vfsmount_group = vfsmount_mark->group; } + iter_info.inode_mark = inode_mark; + iter_info.vfsmount_mark = vfsmount_mark; + if (inode_group && vfsmount_group) { int cmp = fsnotify_compare_groups(inode_group, vfsmount_group); @@ -348,9 +351,6 @@ int fsnotify(struct inode *to_tell, __u32 mask, const void *data, int data_is, } } - iter_info.inode_mark = inode_mark; - iter_info.vfsmount_mark = vfsmount_mark; - ret = send_to_group(to_tell, inode_mark, vfsmount_mark, mask, data, data_is, cookie, file_name, &iter_info);
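Review bot: the two assignments added in the first hunk (@@ -336,6 +336,9 @@), directly above `if (inode_group && vfsmount_group) {`, have no comment explaining that their position before the group comparison is what the fix depends on. Nothing in the code stops a later cleanup from moving them back next to the `send_to_group()` call, which is exactly where the second hunk removes them from. Suggest a one-line comment above `iter_info.inode_mark = inode_mark;` saying that both marks are recorded here, before the comparison, so that fsnotify_prepare_user_wait() can pin both of them.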
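Review bot: in the second hunk (@@ -348,9 +351,6 @@), the trailing `send_to_group(to_tell, inode_mark, vfsmount_mark, ..., &iter_info)` call now passes the marks in two forms that may disagree. Per the commit message, iter_info holds both marks, while the `inode_mark` and `vfsmount_mark` arguments are the ones the event is being sent for. The Fixes: commit is the one that passed iter_info into the handle_event handler, so please confirm that no handler takes the mark to report on from iter_info instead of from its mark arguments. It would also help to say in the commit message that iter_info is now used for pinning only.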