From patchwork Thu Apr 19 17:44:33 2018
X-Patchwork-Submitter: Robert Kolchmeyer
X-Patchwork-Id: 10351417
Date: Thu, 19 Apr 2018 10:44:33 -0700
In-Reply-To: <20180419000525.21673-1-rkolchmeyer@google.com>
Message-Id: <20180419174433.53058-1-rkolchmeyer@google.com>
References: <20180419000525.21673-1-rkolchmeyer@google.com>
Subject: [PATCH v2] fsnotify: Fix fsnotify_mark_connector race
From: Robert Kolchmeyer
To: jack@suse.cz, amir73il@gmail.com, mszeredi@redhat.com, linux-fsdevel@vger.kernel.org, rkolchmeyer@google.com
Cc: linux-fsdevel@vger.kernel.org, Robert Kolchmeyer
X-Mailing-List: linux-fsdevel@vger.kernel.org

fsnotify() acquires a reference to a fsnotify_mark_connector through the SRCU-protected pointer to_tell->i_fsnotify_marks. However, it appears that no precautions are taken in fsnotify_put_mark() to ensure that fsnotify() drops its reference to this fsnotify_mark_connector before assigning a value to its 'destroy_next' field. This can result in fsnotify_put_mark() assigning a value to a connector's 'destroy_next' field right before fsnotify() tries to traverse the linked list referenced by the connector's 'list' field. Since these two fields are members of the same union, this behavior results in a kernel panic.

This issue is resolved by moving the connector's 'destroy_next' field into the object pointer union. This should work since the object pointer access is protected by both a spinlock and the value of the 'flags' field, and the 'flags' field is cleared while holding the spinlock in fsnotify_put_mark() before 'destroy_next' is updated. It shouldn't be possible for another thread to accidentally read from the object pointer after the 'destroy_next' field is updated.

The offending behavior here is extremely unlikely; since fsnotify_put_mark() removes references to a connector (specifically, it ensures that the connector is unreachable from the inode it was formerly attached to) before updating its 'destroy_next' field, a sizeable chunk of code in fsnotify_put_mark() has to execute in the short window between when fsnotify() acquires the connector reference and saves the value of its 'list' field. On the HEAD kernel, I've only been able to reproduce this by inserting a udelay(1) in fsnotify().
However, I've been able to reproduce this issue without inserting a udelay(1) anywhere on older unmodified release kernels, so I believe it's worth fixing at HEAD.

Fixes bug 199437: https://bugzilla.kernel.org/show_bug.cgi?id=199437
Fixes: 08991e83b7286635167bab40927665a90fb00d81
Signed-off-by: Robert Kolchmeyer
---
Changelog since v1:
- Solve problem by moving 'destroy_next' field into a different union instead of calling synchronize_srcu().

 include/linux/fsnotify_backend.h | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/include/linux/fsnotify_backend.h b/include/linux/fsnotify_backend.h index 9f1edb92c97e..a3d13d874fd1 100644 --- a/include/linux/fsnotify_backend.h +++ b/include/linux/fsnotify_backend.h @@ -217,12 +217,10 @@ struct fsnotify_mark_connector { union { /* Object pointer [lock] */ struct inode *inode; struct vfsmount *mnt; - }; - union { - struct hlist_head list; /* Used listing heads to free after srcu period expires */ struct fsnotify_mark_connector *destroy_next; }; + struct hlist_head list; }; /*
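Review bot: The comment "/* Used listing heads to free after srcu period expires */" now sits inside the union annotated "/* Object pointer [lock] */", which reads as if conn->lock also protects destroy_next, whereas the commit message says destroy_next is written only after the object has been detached (flags cleared under the lock) and the scheme relies on nobody dereferencing inode/mnt once flags is 0. That invariant is the whole reason the aliasing is safe, so please state it in the header next to destroy_next, e.g. "/* Used listing heads to free after srcu period expires; only valid once flags has been cleared */". It is also worth a short comment on the now stand-alone `list` that it deliberately shares no storage with anything the put path writes, since that is what lets v2 drop the synchronize_srcu() from v1 and a future layout change could silently reintroduce the race. Minor: the Fixes: tag would normally use the 12-character abbreviated hash followed by the commit subject in parentheses, as checkpatch expects.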
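A user-space model of the race described in the commit message, added here as an example and not part of the patch or the kernel sources: it reproduces both connector layouts with stand-in names (conn_old, conn_new, put_last_mark_*, all constructed for illustration) and shows that in the pre-patch layout the store to 'destroy_next' lands on the very bytes a concurrent fsnotify() reader loads as 'list.first', while the post-patch layout leaves 'list' intact.

```c
#include <stddef.h>

struct hlist_node { struct hlist_node *next, **pprev; };
struct hlist_head { struct hlist_node *first; };

/* Layout before the patch: 'list' and 'destroy_next' share a union. */
struct conn_old {
	unsigned int flags;                 /* object type, 0 once detached */
	union { void *inode; void *mnt; };  /* object pointer, valid if flags != 0 */
	union {
		struct hlist_head list;         /* marks attached to the object */
		struct conn_old *destroy_next;  /* queued for freeing after SRCU */
	};
};
/* Layout after the patch: 'destroy_next' joins the object-pointer union
 * (never dereferenced once flags == 0); 'list' stands alone. */
struct conn_new {
	unsigned int flags;
	union { void *inode; void *mnt; struct conn_new *destroy_next; };
	struct hlist_head list;
};

/* Model of fsnotify_put_mark() dropping the last mark: detach the object
 * (flags = 0, pointer cleared), then push the connector on the destroy list. */
static void put_last_mark_old(struct conn_old *c, struct conn_old *dlist)
{
	c->flags = 0; c->inode = NULL; c->destroy_next = dlist;
}
static void put_last_mark_new(struct conn_new *c, struct conn_new *dlist)
{
	c->flags = 0; c->inode = NULL; c->destroy_next = dlist;
}
/* Model of the fsnotify() reader: it already holds the connector (SRCU) and
 * now loads the list head to walk. Returns 1 if that head is no longer the
 * mark node, i.e. the concurrent put clobbered it, or 0 if it is intact. */
int old_layout_list_clobbered(void)
{
	struct hlist_node mark = { NULL, NULL };
	struct conn_old victim = { 0 }, other = { 0 };
	victim.flags = 1; victim.list.first = &mark;
	put_last_mark_old(&victim, &other);
	return victim.list.first != &mark;
}
int new_layout_list_clobbered(void)
{
	struct hlist_node mark = { NULL, NULL };
	struct conn_new victim = { 0 }, other = { 0 };
	victim.flags = 1; victim.list.first = &mark;
	put_last_mark_new(&victim, &other);
	return victim.list.first != &mark;
}
```

In the old layout the reader walks 'other' (a connector) as if it were a mark's hlist_node, which is the corruption behind the panic the commit message describes.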