mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
5716863e0f
fsnotify_unmount_inodes() plays complex tricks to pin next inode in the sb->s_inodes list when iterating over all inodes. Furthermore the code has a bug that if the current inode is the last on i_sb_list that does not have e.g. I_FREEING set, then we leave next_i pointing to inode which may get removed from the i_sb_list once we drop s_inode_list_lock thus resulting in use-after-free issues (usually manifesting as infinite looping in fsnotify_unmount_inodes()). Fix the problem by keeping current inode pinned somewhat longer. Then we can make the code much simpler and standard. CC: stable@vger.kernel.org Signed-off-by: Jan Kara <jack@suse.cz>
/*
 * Copyright (C) 2008 Red Hat, Inc., Eric Paris <eparis@redhat.com>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2, or (at your option)
 * any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; see the file COPYING. If not, write to
 * the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
 */

#include <linux/fs.h>
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/mutex.h>
#include <linux/spinlock.h>
#include <linux/atomic.h>
#include <linux/fsnotify_backend.h>
#include "fsnotify.h"
#include "../internal.h"
/*
 * Recompute inode->i_fsnotify_mask, i.e. the mask of all FS_* event types
 * that any notifier is interested in hearing for this inode.
 *
 * The mask is rebuilt from inode->i_fsnotify_marks and stored while
 * inode->i_lock is held. The child dentry flags are refreshed afterwards,
 * once the lock has been released.
 */
void fsnotify_recalc_inode_mask(struct inode *inode)
{
	/* Read the mark list and publish the new mask under one lock hold. */
	spin_lock(&inode->i_lock);
	inode->i_fsnotify_mask = fsnotify_recalc_mask(&inode->i_fsnotify_marks);
	spin_unlock(&inode->i_lock);

	/* Called with i_lock dropped, as in the original ordering. */
	__fsnotify_update_child_dentry_flags(inode);
}
/*
 * Detach an inode mark from the inode it is attached to.
 *
 * Locking: the caller must already hold mark->group->mark_mutex and
 * mark->lock; both are checked on entry. inode->i_lock is taken here for
 * the list removal and the mask update.
 */
void fsnotify_destroy_inode_mark(struct fsnotify_mark *mark)
{
	struct inode *host = mark->inode;

	BUG_ON(!mutex_is_locked(&mark->group->mark_mutex));
	assert_spin_locked(&mark->lock);

	spin_lock(&host->i_lock);

	/* Unlink the mark from the inode's list and clear its back-pointer. */
	hlist_del_init_rcu(&mark->obj_list);
	mark->inode = NULL;

	/*
	 * The mark is now off host->i_fsnotify_marks and i_lock is still
	 * held, so recompute host->i_fsnotify_mask from the marks that
	 * remain before anyone else can observe the list.
	 */
	host->i_fsnotify_mask = fsnotify_recalc_mask(&host->i_fsnotify_marks);
	spin_unlock(&host->i_lock);
}
/*
 * Clear all of the inode marks associated with the given group.
 *
 * Thin wrapper: it selects inode marks with FSNOTIFY_MARK_FLAG_INODE and
 * leaves the work to fsnotify_clear_marks_by_group_flags().
 */
void fsnotify_clear_inode_marks_by_group(struct fsnotify_group *group)
{
	const unsigned int which = FSNOTIFY_MARK_FLAG_INODE;

	fsnotify_clear_marks_by_group_flags(group, which);
}
/*
 * Given a group and an inode, look up the mark for that combination.
 *
 * Returns the mark with a reference taken if one is found, else NULL.
 * NOTE(review): the reference is not taken in this function, so it is
 * presumably acquired inside fsnotify_find_mark(). Confirm against that
 * helper. The caller owns the returned reference and has to drop it.
 *
 * The lookup walks inode->i_fsnotify_marks with inode->i_lock held.
 */
struct fsnotify_mark *fsnotify_find_inode_mark(struct fsnotify_group *group,
					       struct inode *inode)
{
	struct fsnotify_mark *found;

	spin_lock(&inode->i_lock);
	found = fsnotify_find_mark(&inode->i_fsnotify_marks, group);
	spin_unlock(&inode->i_lock);

	return found;
}
/*
 * When a non-zero mask is set on an inode mark, pin the inode in memory.
 *
 * The caller must hold mark->lock. FSNOTIFY_MARK_FLAG_OBJECT_PINNED records
 * that the inode reference has been taken, so the inode is grabbed at most
 * once per mark however often the mask is set.
 * NOTE(review): the matching release of this reference is not in this
 * file. Check that the teardown path drops it exactly once.
 */
void fsnotify_set_inode_mark_mask_locked(struct fsnotify_mark *mark,
					 __u32 mask)
{
	struct inode *pinned;

	assert_spin_locked(&mark->lock);

	/* Nothing to pin for an empty mask or a mark with no inode. */
	if (!mask || !mark->inode)
		return;

	/* The reference was already taken on an earlier call. */
	if (mark->flags & FSNOTIFY_MARK_FLAG_OBJECT_PINNED)
		return;

	mark->flags |= FSNOTIFY_MARK_FLAG_OBJECT_PINNED;
	pinned = igrab(mark->inode);

	/*
	 * We should not be able to get here unless the inode was already
	 * safely held in memory, so igrab() is expected to succeed. Treat a
	 * failure as a fatal bug rather than carry on with the flag set and
	 * no reference held.
	 */
	BUG_ON(!pinned);
}
/*
 * Attach an initialized mark to a given inode.
 *
 * These marks may be used by the fsnotify backend to determine which event
 * types should be delivered to which group and for which inodes. The marks
 * are ordered according to priority, highest number first, and then by the
 * group's location in memory.
 *
 * Locking: the caller must hold group->mark_mutex and mark->lock; both are
 * checked below. inode->i_lock is taken here around the list insertion and
 * the mask update.
 *
 * Returns whatever fsnotify_add_mark_list() returns.
 * NOTE(review): mark->inode stays set and the mask is recomputed even when
 * the insertion reports an error. Callers are presumably expected to undo
 * the mark in that case; confirm against the caller.
 */
int fsnotify_add_inode_mark(struct fsnotify_mark *mark,
			    struct fsnotify_group *group, struct inode *inode,
			    int allow_dups)
{
	int err;

	mark->flags |= FSNOTIFY_MARK_FLAG_INODE;

	BUG_ON(!mutex_is_locked(&group->mark_mutex));
	assert_spin_locked(&mark->lock);

	spin_lock(&inode->i_lock);

	/* Set the back-pointer before the mark becomes reachable on the list. */
	mark->inode = inode;
	err = fsnotify_add_mark_list(&inode->i_fsnotify_marks, mark, allow_dups);

	/* Refresh the inode's event mask while i_lock is still held. */
	inode->i_fsnotify_mask = fsnotify_recalc_mask(&inode->i_fsnotify_marks);

	spin_unlock(&inode->i_lock);

	return err;
}
/**
 * fsnotify_unmount_inodes - an sb is unmounting. handle any watched inodes.
 * @sb: superblock being unmounted.
 *
 * Called during unmount with no locks held, so needs to be safe against
 * concurrent modifiers. sb->s_inode_list_lock is dropped temporarily for
 * every inode that is processed, and this function CAN block.
 *
 * Reference handling: each processed inode is pinned with __iget() before
 * the list lock is dropped, and that reference is kept until the following
 * iteration has re-taken the list lock, moved on to its own inode and
 * dropped the lock again (or until the walk is over). While the lock is
 * dropped, the inode used as the list cursor is therefore always pinned.
 * Releasing it earlier would allow the cursor to be removed from
 * sb->s_inodes during the unlocked window and leave the walk with a stale
 * pointer, i.e. a use-after-free.
 */
void fsnotify_unmount_inodes(struct super_block *sb)
{
	struct inode *inode, *deferred = NULL;

	spin_lock(&sb->s_inode_list_lock);
	list_for_each_entry(inode, &sb->s_inodes, i_sb_list) {
		spin_lock(&inode->i_lock);

		/*
		 * Two kinds of inode are skipped, checked in this order:
		 *
		 * - I_FREEING, I_WILL_FREE or I_NEW: we cannot __iget() an
		 *   inode in one of these states, which is fine because by
		 *   that point it cannot have any associated watches.
		 *
		 * - i_count of zero: the inode cannot have any watches, and
		 *   doing an __iget/iput with MS_ACTIVE clear would actually
		 *   evict all inodes with zero i_count from icache, which is
		 *   unnecessarily violent and may in fact be illegal to do.
		 */
		if ((inode->i_state & (I_FREEING|I_WILL_FREE|I_NEW)) ||
		    atomic_read(&inode->i_count) == 0) {
			spin_unlock(&inode->i_lock);
			continue;
		}

		/* Pin the inode before either lock is released. */
		__iget(inode);
		spin_unlock(&inode->i_lock);
		spin_unlock(&sb->s_inode_list_lock);

		/*
		 * Only now release the inode kept from the previous pass:
		 * the current one is pinned, and iput() is called with no
		 * spinlock held.
		 */
		if (deferred)
			iput(deferred);

		/* for each watch, send FS_UNMOUNT and then remove it */
		fsnotify(inode, FS_UNMOUNT, inode, FSNOTIFY_EVENT_INODE, NULL, 0);

		fsnotify_inode_delete(inode);

		/*
		 * Keep our reference for now. The loop reads the next list
		 * entry from this inode after the list lock is re-taken, so
		 * it has to stay on the list until then.
		 */
		deferred = inode;

		spin_lock(&sb->s_inode_list_lock);
	}
	spin_unlock(&sb->s_inode_list_lock);

	/* Drop the reference still held on the last processed inode. */
	if (deferred)
		iput(deferred);
}