2006-06-02 04:10:59 +08:00
|
|
|
/*
|
|
|
|
* fs/inotify_user.c - inotify support for userspace
|
|
|
|
*
|
|
|
|
* Authors:
|
|
|
|
* John McCutchan <ttb@tentacle.dhs.org>
|
|
|
|
* Robert Love <rml@novell.com>
|
|
|
|
*
|
|
|
|
* Copyright (C) 2005 John McCutchan
|
|
|
|
* Copyright 2006 Hewlett-Packard Development Company, L.P.
|
|
|
|
*
|
2009-05-22 05:02:01 +08:00
|
|
|
* Copyright (C) 2009 Eric Paris <Red Hat Inc>
|
|
|
|
* inotify was largely rewriten to make use of the fsnotify infrastructure
|
|
|
|
*
|
2006-06-02 04:10:59 +08:00
|
|
|
* This program is free software; you can redistribute it and/or modify it
|
|
|
|
* under the terms of the GNU General Public License as published by the
|
|
|
|
* Free Software Foundation; either version 2, or (at your option) any
|
|
|
|
* later version.
|
|
|
|
*
|
|
|
|
* This program is distributed in the hope that it will be useful, but
|
|
|
|
* WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
* General Public License for more details.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <linux/file.h>
|
2009-05-22 05:02:01 +08:00
|
|
|
#include <linux/fs.h> /* struct inode */
|
|
|
|
#include <linux/fsnotify_backend.h>
|
|
|
|
#include <linux/idr.h>
|
|
|
|
#include <linux/init.h> /* module_init */
|
2006-06-02 04:10:59 +08:00
|
|
|
#include <linux/inotify.h>
|
2009-05-22 05:02:01 +08:00
|
|
|
#include <linux/kernel.h> /* roundup() */
|
|
|
|
#include <linux/namei.h> /* LOOKUP_FOLLOW */
|
|
|
|
#include <linux/sched.h> /* struct user */
|
|
|
|
#include <linux/slab.h> /* struct kmem_cache */
|
2006-06-02 04:10:59 +08:00
|
|
|
#include <linux/syscalls.h>
|
2009-05-22 05:02:01 +08:00
|
|
|
#include <linux/types.h>
|
2010-02-11 15:24:46 +08:00
|
|
|
#include <linux/anon_inodes.h>
|
2009-05-22 05:02:01 +08:00
|
|
|
#include <linux/uaccess.h>
|
|
|
|
#include <linux/poll.h>
|
|
|
|
#include <linux/wait.h>
|
2006-06-02 04:10:59 +08:00
|
|
|
|
2009-05-22 05:02:01 +08:00
|
|
|
#include "inotify.h"
|
2006-06-02 04:10:59 +08:00
|
|
|
|
2009-05-22 05:02:01 +08:00
|
|
|
#include <asm/ioctls.h>
|
2006-06-02 04:10:59 +08:00
|
|
|
|
|
|
|
/* these are configurable via /proc/sys/fs/inotify/ */
|
2008-02-15 11:31:21 +08:00
|
|
|
static int inotify_max_user_instances __read_mostly;
|
|
|
|
static int inotify_max_queued_events __read_mostly;
|
2009-05-22 05:02:01 +08:00
|
|
|
int inotify_max_user_watches __read_mostly;
|
2006-06-02 04:10:59 +08:00
|
|
|
|
2009-05-22 05:02:01 +08:00
|
|
|
static struct kmem_cache *inotify_inode_mark_cachep __read_mostly;
|
|
|
|
struct kmem_cache *event_priv_cachep __read_mostly;
|
2006-06-02 04:10:59 +08:00
|
|
|
|
|
|
|
/*
|
2009-05-22 05:02:01 +08:00
|
|
|
* When inotify registers a new group it increments this and uses that
|
|
|
|
* value as an offset to set the fsnotify group "name" and priority.
|
2006-06-02 04:10:59 +08:00
|
|
|
*/
|
2009-05-22 05:02:01 +08:00
|
|
|
static atomic_t inotify_grp_num;
|
2006-06-02 04:10:59 +08:00
|
|
|
|
|
|
|
#ifdef CONFIG_SYSCTL
|
|
|
|
|
|
|
|
#include <linux/sysctl.h>
|
|
|
|
|
|
|
|
static int zero;
|
|
|
|
|
|
|
|
ctl_table inotify_table[] = {
|
|
|
|
{
|
|
|
|
.procname = "max_user_instances",
|
|
|
|
.data = &inotify_max_user_instances,
|
|
|
|
.maxlen = sizeof(int),
|
|
|
|
.mode = 0644,
|
2009-11-16 19:11:48 +08:00
|
|
|
.proc_handler = proc_dointvec_minmax,
|
2006-06-02 04:10:59 +08:00
|
|
|
.extra1 = &zero,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
.procname = "max_user_watches",
|
|
|
|
.data = &inotify_max_user_watches,
|
|
|
|
.maxlen = sizeof(int),
|
|
|
|
.mode = 0644,
|
2009-11-16 19:11:48 +08:00
|
|
|
.proc_handler = proc_dointvec_minmax,
|
2006-06-02 04:10:59 +08:00
|
|
|
.extra1 = &zero,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
.procname = "max_queued_events",
|
|
|
|
.data = &inotify_max_queued_events,
|
|
|
|
.maxlen = sizeof(int),
|
|
|
|
.mode = 0644,
|
2009-11-16 19:11:48 +08:00
|
|
|
.proc_handler = proc_dointvec_minmax,
|
2006-06-02 04:10:59 +08:00
|
|
|
.extra1 = &zero
|
|
|
|
},
|
2009-11-06 06:25:10 +08:00
|
|
|
{ }
|
2006-06-02 04:10:59 +08:00
|
|
|
};
|
|
|
|
#endif /* CONFIG_SYSCTL */
|
|
|
|
|
2009-05-22 05:02:01 +08:00
|
|
|
static inline __u32 inotify_arg_to_mask(u32 arg)
|
2008-02-06 17:36:09 +08:00
|
|
|
{
|
2009-05-22 05:02:01 +08:00
|
|
|
__u32 mask;
|
2008-02-06 17:36:09 +08:00
|
|
|
|
2009-05-22 05:02:01 +08:00
|
|
|
/* everything should accept their own ignored and cares about children */
|
|
|
|
mask = (FS_IN_IGNORED | FS_EVENT_ON_CHILD);
|
2006-06-02 04:10:59 +08:00
|
|
|
|
2009-05-22 05:02:01 +08:00
|
|
|
/* mask off the flags used to open the fd */
|
|
|
|
mask |= (arg & (IN_ALL_EVENTS | IN_ONESHOT));
|
2006-06-02 04:10:59 +08:00
|
|
|
|
2009-05-22 05:02:01 +08:00
|
|
|
return mask;
|
2006-06-02 04:10:59 +08:00
|
|
|
}
|
|
|
|
|
2009-05-22 05:02:01 +08:00
|
|
|
static inline u32 inotify_mask_to_arg(__u32 mask)
|
2006-06-02 04:10:59 +08:00
|
|
|
{
|
2009-05-22 05:02:01 +08:00
|
|
|
return mask & (IN_ALL_EVENTS | IN_ISDIR | IN_UNMOUNT | IN_IGNORED |
|
|
|
|
IN_Q_OVERFLOW);
|
2006-06-02 04:10:59 +08:00
|
|
|
}
|
|
|
|
|
2009-05-22 05:02:01 +08:00
|
|
|
/* intofiy userspace file descriptor functions */
|
2006-06-02 04:10:59 +08:00
|
|
|
static unsigned int inotify_poll(struct file *file, poll_table *wait)
|
|
|
|
{
|
2009-05-22 05:02:01 +08:00
|
|
|
struct fsnotify_group *group = file->private_data;
|
2006-06-02 04:10:59 +08:00
|
|
|
int ret = 0;
|
|
|
|
|
2009-05-22 05:02:01 +08:00
|
|
|
poll_wait(file, &group->notification_waitq, wait);
|
|
|
|
mutex_lock(&group->notification_mutex);
|
|
|
|
if (!fsnotify_notify_queue_is_empty(group))
|
2006-06-02 04:10:59 +08:00
|
|
|
ret = POLLIN | POLLRDNORM;
|
2009-05-22 05:02:01 +08:00
|
|
|
mutex_unlock(&group->notification_mutex);
|
2006-06-02 04:10:59 +08:00
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
inotify: clean up inotify_read and fix locking problems
If userspace supplies an invalid pointer to a read() of an inotify
instance, the inotify device's event list mutex is unlocked twice.
This causes an unbalance which effectively leaves the data structure
unprotected, and we can trigger oopses by accessing the inotify
instance from different tasks concurrently.
The best fix (contributed largely by Linus) is a total rewrite
of the function in question:
On Thu, Jan 22, 2009 at 7:05 AM, Linus Torvalds wrote:
> The thing to notice is that:
>
> - locking is done in just one place, and there is no question about it
> not having an unlock.
>
> - that whole double-while(1)-loop thing is gone.
>
> - use multiple functions to make nesting and error handling sane
>
> - do error testing after doing the things you always need to do, ie do
> this:
>
> mutex_lock(..)
> ret = function_call();
> mutex_unlock(..)
>
> .. test ret here ..
>
> instead of doing conditional exits with unlocking or freeing.
>
> So if the code is written in this way, it may still be buggy, but at least
> it's not buggy because of subtle "forgot to unlock" or "forgot to free"
> issues.
>
> This _always_ unlocks if it locked, and it always frees if it got a
> non-error kevent.
Cc: John McCutchan <ttb@tentacle.dhs.org>
Cc: Robert Love <rlove@google.com>
Cc: <stable@kernel.org>
Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-01-22 22:29:45 +08:00
|
|
|
/*
|
|
|
|
* Get an inotify_kernel_event if one exists and is small
|
|
|
|
* enough to fit in "count". Return an error pointer if
|
|
|
|
* not large enough.
|
|
|
|
*
|
2009-05-22 05:02:01 +08:00
|
|
|
* Called with the group->notification_mutex held.
|
inotify: clean up inotify_read and fix locking problems
If userspace supplies an invalid pointer to a read() of an inotify
instance, the inotify device's event list mutex is unlocked twice.
This causes an unbalance which effectively leaves the data structure
unprotected, and we can trigger oopses by accessing the inotify
instance from different tasks concurrently.
The best fix (contributed largely by Linus) is a total rewrite
of the function in question:
On Thu, Jan 22, 2009 at 7:05 AM, Linus Torvalds wrote:
> The thing to notice is that:
>
> - locking is done in just one place, and there is no question about it
> not having an unlock.
>
> - that whole double-while(1)-loop thing is gone.
>
> - use multiple functions to make nesting and error handling sane
>
> - do error testing after doing the things you always need to do, ie do
> this:
>
> mutex_lock(..)
> ret = function_call();
> mutex_unlock(..)
>
> .. test ret here ..
>
> instead of doing conditional exits with unlocking or freeing.
>
> So if the code is written in this way, it may still be buggy, but at least
> it's not buggy because of subtle "forgot to unlock" or "forgot to free"
> issues.
>
> This _always_ unlocks if it locked, and it always frees if it got a
> non-error kevent.
Cc: John McCutchan <ttb@tentacle.dhs.org>
Cc: Robert Love <rlove@google.com>
Cc: <stable@kernel.org>
Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-01-22 22:29:45 +08:00
|
|
|
*/
|
2009-05-22 05:02:01 +08:00
|
|
|
static struct fsnotify_event *get_one_event(struct fsnotify_group *group,
|
|
|
|
size_t count)
|
inotify: clean up inotify_read and fix locking problems
If userspace supplies an invalid pointer to a read() of an inotify
instance, the inotify device's event list mutex is unlocked twice.
This causes an unbalance which effectively leaves the data structure
unprotected, and we can trigger oopses by accessing the inotify
instance from different tasks concurrently.
The best fix (contributed largely by Linus) is a total rewrite
of the function in question:
On Thu, Jan 22, 2009 at 7:05 AM, Linus Torvalds wrote:
> The thing to notice is that:
>
> - locking is done in just one place, and there is no question about it
> not having an unlock.
>
> - that whole double-while(1)-loop thing is gone.
>
> - use multiple functions to make nesting and error handling sane
>
> - do error testing after doing the things you always need to do, ie do
> this:
>
> mutex_lock(..)
> ret = function_call();
> mutex_unlock(..)
>
> .. test ret here ..
>
> instead of doing conditional exits with unlocking or freeing.
>
> So if the code is written in this way, it may still be buggy, but at least
> it's not buggy because of subtle "forgot to unlock" or "forgot to free"
> issues.
>
> This _always_ unlocks if it locked, and it always frees if it got a
> non-error kevent.
Cc: John McCutchan <ttb@tentacle.dhs.org>
Cc: Robert Love <rlove@google.com>
Cc: <stable@kernel.org>
Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-01-22 22:29:45 +08:00
|
|
|
{
|
|
|
|
size_t event_size = sizeof(struct inotify_event);
|
2009-05-22 05:02:01 +08:00
|
|
|
struct fsnotify_event *event;
|
inotify: clean up inotify_read and fix locking problems
If userspace supplies an invalid pointer to a read() of an inotify
instance, the inotify device's event list mutex is unlocked twice.
This causes an unbalance which effectively leaves the data structure
unprotected, and we can trigger oopses by accessing the inotify
instance from different tasks concurrently.
The best fix (contributed largely by Linus) is a total rewrite
of the function in question:
On Thu, Jan 22, 2009 at 7:05 AM, Linus Torvalds wrote:
> The thing to notice is that:
>
> - locking is done in just one place, and there is no question about it
> not having an unlock.
>
> - that whole double-while(1)-loop thing is gone.
>
> - use multiple functions to make nesting and error handling sane
>
> - do error testing after doing the things you always need to do, ie do
> this:
>
> mutex_lock(..)
> ret = function_call();
> mutex_unlock(..)
>
> .. test ret here ..
>
> instead of doing conditional exits with unlocking or freeing.
>
> So if the code is written in this way, it may still be buggy, but at least
> it's not buggy because of subtle "forgot to unlock" or "forgot to free"
> issues.
>
> This _always_ unlocks if it locked, and it always frees if it got a
> non-error kevent.
Cc: John McCutchan <ttb@tentacle.dhs.org>
Cc: Robert Love <rlove@google.com>
Cc: <stable@kernel.org>
Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-01-22 22:29:45 +08:00
|
|
|
|
2009-05-22 05:02:01 +08:00
|
|
|
if (fsnotify_notify_queue_is_empty(group))
|
inotify: clean up inotify_read and fix locking problems
If userspace supplies an invalid pointer to a read() of an inotify
instance, the inotify device's event list mutex is unlocked twice.
This causes an unbalance which effectively leaves the data structure
unprotected, and we can trigger oopses by accessing the inotify
instance from different tasks concurrently.
The best fix (contributed largely by Linus) is a total rewrite
of the function in question:
On Thu, Jan 22, 2009 at 7:05 AM, Linus Torvalds wrote:
> The thing to notice is that:
>
> - locking is done in just one place, and there is no question about it
> not having an unlock.
>
> - that whole double-while(1)-loop thing is gone.
>
> - use multiple functions to make nesting and error handling sane
>
> - do error testing after doing the things you always need to do, ie do
> this:
>
> mutex_lock(..)
> ret = function_call();
> mutex_unlock(..)
>
> .. test ret here ..
>
> instead of doing conditional exits with unlocking or freeing.
>
> So if the code is written in this way, it may still be buggy, but at least
> it's not buggy because of subtle "forgot to unlock" or "forgot to free"
> issues.
>
> This _always_ unlocks if it locked, and it always frees if it got a
> non-error kevent.
Cc: John McCutchan <ttb@tentacle.dhs.org>
Cc: Robert Love <rlove@google.com>
Cc: <stable@kernel.org>
Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-01-22 22:29:45 +08:00
|
|
|
return NULL;
|
|
|
|
|
2009-05-22 05:02:01 +08:00
|
|
|
event = fsnotify_peek_notify_event(group);
|
|
|
|
|
2009-08-28 23:57:55 +08:00
|
|
|
if (event->name_len)
|
|
|
|
event_size += roundup(event->name_len + 1, event_size);
|
inotify: clean up inotify_read and fix locking problems
If userspace supplies an invalid pointer to a read() of an inotify
instance, the inotify device's event list mutex is unlocked twice.
This causes an unbalance which effectively leaves the data structure
unprotected, and we can trigger oopses by accessing the inotify
instance from different tasks concurrently.
The best fix (contributed largely by Linus) is a total rewrite
of the function in question:
On Thu, Jan 22, 2009 at 7:05 AM, Linus Torvalds wrote:
> The thing to notice is that:
>
> - locking is done in just one place, and there is no question about it
> not having an unlock.
>
> - that whole double-while(1)-loop thing is gone.
>
> - use multiple functions to make nesting and error handling sane
>
> - do error testing after doing the things you always need to do, ie do
> this:
>
> mutex_lock(..)
> ret = function_call();
> mutex_unlock(..)
>
> .. test ret here ..
>
> instead of doing conditional exits with unlocking or freeing.
>
> So if the code is written in this way, it may still be buggy, but at least
> it's not buggy because of subtle "forgot to unlock" or "forgot to free"
> issues.
>
> This _always_ unlocks if it locked, and it always frees if it got a
> non-error kevent.
Cc: John McCutchan <ttb@tentacle.dhs.org>
Cc: Robert Love <rlove@google.com>
Cc: <stable@kernel.org>
Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-01-22 22:29:45 +08:00
|
|
|
|
|
|
|
if (event_size > count)
|
|
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
|
2009-05-22 05:02:01 +08:00
|
|
|
/* held the notification_mutex the whole time, so this is the
|
|
|
|
* same event we peeked above */
|
|
|
|
fsnotify_remove_notify_event(group);
|
|
|
|
|
|
|
|
return event;
|
inotify: clean up inotify_read and fix locking problems
If userspace supplies an invalid pointer to a read() of an inotify
instance, the inotify device's event list mutex is unlocked twice.
This causes an unbalance which effectively leaves the data structure
unprotected, and we can trigger oopses by accessing the inotify
instance from different tasks concurrently.
The best fix (contributed largely by Linus) is a total rewrite
of the function in question:
On Thu, Jan 22, 2009 at 7:05 AM, Linus Torvalds wrote:
> The thing to notice is that:
>
> - locking is done in just one place, and there is no question about it
> not having an unlock.
>
> - that whole double-while(1)-loop thing is gone.
>
> - use multiple functions to make nesting and error handling sane
>
> - do error testing after doing the things you always need to do, ie do
> this:
>
> mutex_lock(..)
> ret = function_call();
> mutex_unlock(..)
>
> .. test ret here ..
>
> instead of doing conditional exits with unlocking or freeing.
>
> So if the code is written in this way, it may still be buggy, but at least
> it's not buggy because of subtle "forgot to unlock" or "forgot to free"
> issues.
>
> This _always_ unlocks if it locked, and it always frees if it got a
> non-error kevent.
Cc: John McCutchan <ttb@tentacle.dhs.org>
Cc: Robert Love <rlove@google.com>
Cc: <stable@kernel.org>
Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-01-22 22:29:45 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Copy an event to user space, returning how much we copied.
|
|
|
|
*
|
|
|
|
* We already checked that the event size is smaller than the
|
|
|
|
* buffer we had in "get_one_event()" above.
|
|
|
|
*/
|
2009-05-22 05:02:01 +08:00
|
|
|
static ssize_t copy_event_to_user(struct fsnotify_group *group,
|
|
|
|
struct fsnotify_event *event,
|
inotify: clean up inotify_read and fix locking problems
If userspace supplies an invalid pointer to a read() of an inotify
instance, the inotify device's event list mutex is unlocked twice.
This causes an unbalance which effectively leaves the data structure
unprotected, and we can trigger oopses by accessing the inotify
instance from different tasks concurrently.
The best fix (contributed largely by Linus) is a total rewrite
of the function in question:
On Thu, Jan 22, 2009 at 7:05 AM, Linus Torvalds wrote:
> The thing to notice is that:
>
> - locking is done in just one place, and there is no question about it
> not having an unlock.
>
> - that whole double-while(1)-loop thing is gone.
>
> - use multiple functions to make nesting and error handling sane
>
> - do error testing after doing the things you always need to do, ie do
> this:
>
> mutex_lock(..)
> ret = function_call();
> mutex_unlock(..)
>
> .. test ret here ..
>
> instead of doing conditional exits with unlocking or freeing.
>
> So if the code is written in this way, it may still be buggy, but at least
> it's not buggy because of subtle "forgot to unlock" or "forgot to free"
> issues.
>
> This _always_ unlocks if it locked, and it always frees if it got a
> non-error kevent.
Cc: John McCutchan <ttb@tentacle.dhs.org>
Cc: Robert Love <rlove@google.com>
Cc: <stable@kernel.org>
Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-01-22 22:29:45 +08:00
|
|
|
char __user *buf)
|
|
|
|
{
|
2009-05-22 05:02:01 +08:00
|
|
|
struct inotify_event inotify_event;
|
|
|
|
struct fsnotify_event_private_data *fsn_priv;
|
|
|
|
struct inotify_event_private_data *priv;
|
inotify: clean up inotify_read and fix locking problems
If userspace supplies an invalid pointer to a read() of an inotify
instance, the inotify device's event list mutex is unlocked twice.
This causes an unbalance which effectively leaves the data structure
unprotected, and we can trigger oopses by accessing the inotify
instance from different tasks concurrently.
The best fix (contributed largely by Linus) is a total rewrite
of the function in question:
On Thu, Jan 22, 2009 at 7:05 AM, Linus Torvalds wrote:
> The thing to notice is that:
>
> - locking is done in just one place, and there is no question about it
> not having an unlock.
>
> - that whole double-while(1)-loop thing is gone.
>
> - use multiple functions to make nesting and error handling sane
>
> - do error testing after doing the things you always need to do, ie do
> this:
>
> mutex_lock(..)
> ret = function_call();
> mutex_unlock(..)
>
> .. test ret here ..
>
> instead of doing conditional exits with unlocking or freeing.
>
> So if the code is written in this way, it may still be buggy, but at least
> it's not buggy because of subtle "forgot to unlock" or "forgot to free"
> issues.
>
> This _always_ unlocks if it locked, and it always frees if it got a
> non-error kevent.
Cc: John McCutchan <ttb@tentacle.dhs.org>
Cc: Robert Love <rlove@google.com>
Cc: <stable@kernel.org>
Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-01-22 22:29:45 +08:00
|
|
|
size_t event_size = sizeof(struct inotify_event);
|
2009-08-28 22:00:05 +08:00
|
|
|
size_t name_len = 0;
|
2009-05-22 05:02:01 +08:00
|
|
|
|
|
|
|
/* we get the inotify watch descriptor from the event private data */
|
|
|
|
spin_lock(&event->lock);
|
|
|
|
fsn_priv = fsnotify_remove_priv_from_event(group, event);
|
|
|
|
spin_unlock(&event->lock);
|
|
|
|
|
|
|
|
if (!fsn_priv)
|
|
|
|
inotify_event.wd = -1;
|
|
|
|
else {
|
|
|
|
priv = container_of(fsn_priv, struct inotify_event_private_data,
|
|
|
|
fsnotify_event_priv_data);
|
|
|
|
inotify_event.wd = priv->wd;
|
|
|
|
inotify_free_event_priv(fsn_priv);
|
|
|
|
}
|
|
|
|
|
2009-08-28 22:00:05 +08:00
|
|
|
/*
|
|
|
|
* round up event->name_len so it is a multiple of event_size
|
2009-08-27 18:20:04 +08:00
|
|
|
* plus an extra byte for the terminating '\0'.
|
|
|
|
*/
|
2009-08-28 22:00:05 +08:00
|
|
|
if (event->name_len)
|
|
|
|
name_len = roundup(event->name_len + 1, event_size);
|
2009-05-22 05:02:01 +08:00
|
|
|
inotify_event.len = name_len;
|
|
|
|
|
|
|
|
inotify_event.mask = inotify_mask_to_arg(event->mask);
|
|
|
|
inotify_event.cookie = event->sync_cookie;
|
inotify: clean up inotify_read and fix locking problems
If userspace supplies an invalid pointer to a read() of an inotify
instance, the inotify device's event list mutex is unlocked twice.
This causes an unbalance which effectively leaves the data structure
unprotected, and we can trigger oopses by accessing the inotify
instance from different tasks concurrently.
The best fix (contributed largely by Linus) is a total rewrite
of the function in question:
On Thu, Jan 22, 2009 at 7:05 AM, Linus Torvalds wrote:
> The thing to notice is that:
>
> - locking is done in just one place, and there is no question about it
> not having an unlock.
>
> - that whole double-while(1)-loop thing is gone.
>
> - use multiple functions to make nesting and error handling sane
>
> - do error testing after doing the things you always need to do, ie do
> this:
>
> mutex_lock(..)
> ret = function_call();
> mutex_unlock(..)
>
> .. test ret here ..
>
> instead of doing conditional exits with unlocking or freeing.
>
> So if the code is written in this way, it may still be buggy, but at least
> it's not buggy because of subtle "forgot to unlock" or "forgot to free"
> issues.
>
> This _always_ unlocks if it locked, and it always frees if it got a
> non-error kevent.
Cc: John McCutchan <ttb@tentacle.dhs.org>
Cc: Robert Love <rlove@google.com>
Cc: <stable@kernel.org>
Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-01-22 22:29:45 +08:00
|
|
|
|
2009-05-22 05:02:01 +08:00
|
|
|
/* send the main event */
|
|
|
|
if (copy_to_user(buf, &inotify_event, event_size))
|
inotify: clean up inotify_read and fix locking problems
If userspace supplies an invalid pointer to a read() of an inotify
instance, the inotify device's event list mutex is unlocked twice.
This causes an unbalance which effectively leaves the data structure
unprotected, and we can trigger oopses by accessing the inotify
instance from different tasks concurrently.
The best fix (contributed largely by Linus) is a total rewrite
of the function in question:
On Thu, Jan 22, 2009 at 7:05 AM, Linus Torvalds wrote:
> The thing to notice is that:
>
> - locking is done in just one place, and there is no question about it
> not having an unlock.
>
> - that whole double-while(1)-loop thing is gone.
>
> - use multiple functions to make nesting and error handling sane
>
> - do error testing after doing the things you always need to do, ie do
> this:
>
> mutex_lock(..)
> ret = function_call();
> mutex_unlock(..)
>
> .. test ret here ..
>
> instead of doing conditional exits with unlocking or freeing.
>
> So if the code is written in this way, it may still be buggy, but at least
> it's not buggy because of subtle "forgot to unlock" or "forgot to free"
> issues.
>
> This _always_ unlocks if it locked, and it always frees if it got a
> non-error kevent.
Cc: John McCutchan <ttb@tentacle.dhs.org>
Cc: Robert Love <rlove@google.com>
Cc: <stable@kernel.org>
Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-01-22 22:29:45 +08:00
|
|
|
return -EFAULT;
|
|
|
|
|
2009-05-22 05:02:01 +08:00
|
|
|
buf += event_size;
|
inotify: clean up inotify_read and fix locking problems
If userspace supplies an invalid pointer to a read() of an inotify
instance, the inotify device's event list mutex is unlocked twice.
This causes an unbalance which effectively leaves the data structure
unprotected, and we can trigger oopses by accessing the inotify
instance from different tasks concurrently.
The best fix (contributed largely by Linus) is a total rewrite
of the function in question:
On Thu, Jan 22, 2009 at 7:05 AM, Linus Torvalds wrote:
> The thing to notice is that:
>
> - locking is done in just one place, and there is no question about it
> not having an unlock.
>
> - that whole double-while(1)-loop thing is gone.
>
> - use multiple functions to make nesting and error handling sane
>
> - do error testing after doing the things you always need to do, ie do
> this:
>
> mutex_lock(..)
> ret = function_call();
> mutex_unlock(..)
>
> .. test ret here ..
>
> instead of doing conditional exits with unlocking or freeing.
>
> So if the code is written in this way, it may still be buggy, but at least
> it's not buggy because of subtle "forgot to unlock" or "forgot to free"
> issues.
>
> This _always_ unlocks if it locked, and it always frees if it got a
> non-error kevent.
Cc: John McCutchan <ttb@tentacle.dhs.org>
Cc: Robert Love <rlove@google.com>
Cc: <stable@kernel.org>
Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-01-22 22:29:45 +08:00
|
|
|
|
2009-05-22 05:02:01 +08:00
|
|
|
/*
|
|
|
|
* fsnotify only stores the pathname, so here we have to send the pathname
|
|
|
|
* and then pad that pathname out to a multiple of sizeof(inotify_event)
|
|
|
|
* with zeros. I get my zeros from the nul_inotify_event.
|
|
|
|
*/
|
|
|
|
if (name_len) {
|
|
|
|
unsigned int len_to_zero = name_len - event->name_len;
|
|
|
|
/* copy the path name */
|
|
|
|
if (copy_to_user(buf, event->file_name, event->name_len))
|
inotify: clean up inotify_read and fix locking problems
If userspace supplies an invalid pointer to a read() of an inotify
instance, the inotify device's event list mutex is unlocked twice.
This causes an unbalance which effectively leaves the data structure
unprotected, and we can trigger oopses by accessing the inotify
instance from different tasks concurrently.
The best fix (contributed largely by Linus) is a total rewrite
of the function in question:
On Thu, Jan 22, 2009 at 7:05 AM, Linus Torvalds wrote:
> The thing to notice is that:
>
> - locking is done in just one place, and there is no question about it
> not having an unlock.
>
> - that whole double-while(1)-loop thing is gone.
>
> - use multiple functions to make nesting and error handling sane
>
> - do error testing after doing the things you always need to do, ie do
> this:
>
> mutex_lock(..)
> ret = function_call();
> mutex_unlock(..)
>
> .. test ret here ..
>
> instead of doing conditional exits with unlocking or freeing.
>
> So if the code is written in this way, it may still be buggy, but at least
> it's not buggy because of subtle "forgot to unlock" or "forgot to free"
> issues.
>
> This _always_ unlocks if it locked, and it always frees if it got a
> non-error kevent.
Cc: John McCutchan <ttb@tentacle.dhs.org>
Cc: Robert Love <rlove@google.com>
Cc: <stable@kernel.org>
Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-01-22 22:29:45 +08:00
|
|
|
return -EFAULT;
|
2009-05-22 05:02:01 +08:00
|
|
|
buf += event->name_len;
|
inotify: clean up inotify_read and fix locking problems
If userspace supplies an invalid pointer to a read() of an inotify
instance, the inotify device's event list mutex is unlocked twice.
This causes an unbalance which effectively leaves the data structure
unprotected, and we can trigger oopses by accessing the inotify
instance from different tasks concurrently.
The best fix (contributed largely by Linus) is a total rewrite
of the function in question:
On Thu, Jan 22, 2009 at 7:05 AM, Linus Torvalds wrote:
> The thing to notice is that:
>
> - locking is done in just one place, and there is no question about it
> not having an unlock.
>
> - that whole double-while(1)-loop thing is gone.
>
> - use multiple functions to make nesting and error handling sane
>
> - do error testing after doing the things you always need to do, ie do
> this:
>
> mutex_lock(..)
> ret = function_call();
> mutex_unlock(..)
>
> .. test ret here ..
>
> instead of doing conditional exits with unlocking or freeing.
>
> So if the code is written in this way, it may still be buggy, but at least
> it's not buggy because of subtle "forgot to unlock" or "forgot to free"
> issues.
>
> This _always_ unlocks if it locked, and it always frees if it got a
> non-error kevent.
Cc: John McCutchan <ttb@tentacle.dhs.org>
Cc: Robert Love <rlove@google.com>
Cc: <stable@kernel.org>
Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-01-22 22:29:45 +08:00
|
|
|
|
2009-08-27 18:20:04 +08:00
|
|
|
/* fill userspace with 0's */
|
|
|
|
if (clear_user(buf, len_to_zero))
|
2009-05-22 05:02:01 +08:00
|
|
|
return -EFAULT;
|
|
|
|
buf += len_to_zero;
|
|
|
|
event_size += name_len;
|
inotify: clean up inotify_read and fix locking problems
If userspace supplies an invalid pointer to a read() of an inotify
instance, the inotify device's event list mutex is unlocked twice.
This causes an unbalance which effectively leaves the data structure
unprotected, and we can trigger oopses by accessing the inotify
instance from different tasks concurrently.
The best fix (contributed largely by Linus) is a total rewrite
of the function in question:
On Thu, Jan 22, 2009 at 7:05 AM, Linus Torvalds wrote:
> The thing to notice is that:
>
> - locking is done in just one place, and there is no question about it
> not having an unlock.
>
> - that whole double-while(1)-loop thing is gone.
>
> - use multiple functions to make nesting and error handling sane
>
> - do error testing after doing the things you always need to do, ie do
> this:
>
> mutex_lock(..)
> ret = function_call();
> mutex_unlock(..)
>
> .. test ret here ..
>
> instead of doing conditional exits with unlocking or freeing.
>
> So if the code is written in this way, it may still be buggy, but at least
> it's not buggy because of subtle "forgot to unlock" or "forgot to free"
> issues.
>
> This _always_ unlocks if it locked, and it always frees if it got a
> non-error kevent.
Cc: John McCutchan <ttb@tentacle.dhs.org>
Cc: Robert Love <rlove@google.com>
Cc: <stable@kernel.org>
Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-01-22 22:29:45 +08:00
|
|
|
}
|
2009-05-22 05:02:01 +08:00
|
|
|
|
inotify: clean up inotify_read and fix locking problems
If userspace supplies an invalid pointer to a read() of an inotify
instance, the inotify device's event list mutex is unlocked twice.
This causes an unbalance which effectively leaves the data structure
unprotected, and we can trigger oopses by accessing the inotify
instance from different tasks concurrently.
The best fix (contributed largely by Linus) is a total rewrite
of the function in question:
On Thu, Jan 22, 2009 at 7:05 AM, Linus Torvalds wrote:
> The thing to notice is that:
>
> - locking is done in just one place, and there is no question about it
> not having an unlock.
>
> - that whole double-while(1)-loop thing is gone.
>
> - use multiple functions to make nesting and error handling sane
>
> - do error testing after doing the things you always need to do, ie do
> this:
>
> mutex_lock(..)
> ret = function_call();
> mutex_unlock(..)
>
> .. test ret here ..
>
> instead of doing conditional exits with unlocking or freeing.
>
> So if the code is written in this way, it may still be buggy, but at least
> it's not buggy because of subtle "forgot to unlock" or "forgot to free"
> issues.
>
> This _always_ unlocks if it locked, and it always frees if it got a
> non-error kevent.
Cc: John McCutchan <ttb@tentacle.dhs.org>
Cc: Robert Love <rlove@google.com>
Cc: <stable@kernel.org>
Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-01-22 22:29:45 +08:00
|
|
|
return event_size;
|
|
|
|
}
|
|
|
|
|
2006-06-02 04:10:59 +08:00
|
|
|
static ssize_t inotify_read(struct file *file, char __user *buf,
|
|
|
|
size_t count, loff_t *pos)
|
|
|
|
{
|
2009-05-22 05:02:01 +08:00
|
|
|
struct fsnotify_group *group;
|
|
|
|
struct fsnotify_event *kevent;
|
2006-06-02 04:10:59 +08:00
|
|
|
char __user *start;
|
|
|
|
int ret;
|
|
|
|
DEFINE_WAIT(wait);
|
|
|
|
|
|
|
|
start = buf;
|
2009-05-22 05:02:01 +08:00
|
|
|
group = file->private_data;
|
2006-06-02 04:10:59 +08:00
|
|
|
|
|
|
|
while (1) {
|
2009-05-22 05:02:01 +08:00
|
|
|
prepare_to_wait(&group->notification_waitq, &wait, TASK_INTERRUPTIBLE);
|
2006-06-02 04:10:59 +08:00
|
|
|
|
2009-05-22 05:02:01 +08:00
|
|
|
mutex_lock(&group->notification_mutex);
|
|
|
|
kevent = get_one_event(group, count);
|
|
|
|
mutex_unlock(&group->notification_mutex);
|
2006-06-02 04:10:59 +08:00
|
|
|
|
inotify: clean up inotify_read and fix locking problems
If userspace supplies an invalid pointer to a read() of an inotify
instance, the inotify device's event list mutex is unlocked twice.
This causes an unbalance which effectively leaves the data structure
unprotected, and we can trigger oopses by accessing the inotify
instance from different tasks concurrently.
The best fix (contributed largely by Linus) is a total rewrite
of the function in question:
On Thu, Jan 22, 2009 at 7:05 AM, Linus Torvalds wrote:
> The thing to notice is that:
>
> - locking is done in just one place, and there is no question about it
> not having an unlock.
>
> - that whole double-while(1)-loop thing is gone.
>
> - use multiple functions to make nesting and error handling sane
>
> - do error testing after doing the things you always need to do, ie do
> this:
>
> mutex_lock(..)
> ret = function_call();
> mutex_unlock(..)
>
> .. test ret here ..
>
> instead of doing conditional exits with unlocking or freeing.
>
> So if the code is written in this way, it may still be buggy, but at least
> it's not buggy because of subtle "forgot to unlock" or "forgot to free"
> issues.
>
> This _always_ unlocks if it locked, and it always frees if it got a
> non-error kevent.
Cc: John McCutchan <ttb@tentacle.dhs.org>
Cc: Robert Love <rlove@google.com>
Cc: <stable@kernel.org>
Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-01-22 22:29:45 +08:00
|
|
|
if (kevent) {
|
|
|
|
ret = PTR_ERR(kevent);
|
|
|
|
if (IS_ERR(kevent))
|
|
|
|
break;
|
2009-05-22 05:02:01 +08:00
|
|
|
ret = copy_event_to_user(group, kevent, buf);
|
|
|
|
fsnotify_put_event(kevent);
|
inotify: clean up inotify_read and fix locking problems
If userspace supplies an invalid pointer to a read() of an inotify
instance, the inotify device's event list mutex is unlocked twice.
This causes an unbalance which effectively leaves the data structure
unprotected, and we can trigger oopses by accessing the inotify
instance from different tasks concurrently.
The best fix (contributed largely by Linus) is a total rewrite
of the function in question:
On Thu, Jan 22, 2009 at 7:05 AM, Linus Torvalds wrote:
> The thing to notice is that:
>
> - locking is done in just one place, and there is no question about it
> not having an unlock.
>
> - that whole double-while(1)-loop thing is gone.
>
> - use multiple functions to make nesting and error handling sane
>
> - do error testing after doing the things you always need to do, ie do
> this:
>
> mutex_lock(..)
> ret = function_call();
> mutex_unlock(..)
>
> .. test ret here ..
>
> instead of doing conditional exits with unlocking or freeing.
>
> So if the code is written in this way, it may still be buggy, but at least
> it's not buggy because of subtle "forgot to unlock" or "forgot to free"
> issues.
>
> This _always_ unlocks if it locked, and it always frees if it got a
> non-error kevent.
Cc: John McCutchan <ttb@tentacle.dhs.org>
Cc: Robert Love <rlove@google.com>
Cc: <stable@kernel.org>
Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-01-22 22:29:45 +08:00
|
|
|
if (ret < 0)
|
|
|
|
break;
|
|
|
|
buf += ret;
|
|
|
|
count -= ret;
|
|
|
|
continue;
|
2006-06-02 04:10:59 +08:00
|
|
|
}
|
|
|
|
|
inotify: clean up inotify_read and fix locking problems
If userspace supplies an invalid pointer to a read() of an inotify
instance, the inotify device's event list mutex is unlocked twice.
This causes an unbalance which effectively leaves the data structure
unprotected, and we can trigger oopses by accessing the inotify
instance from different tasks concurrently.
The best fix (contributed largely by Linus) is a total rewrite
of the function in question:
On Thu, Jan 22, 2009 at 7:05 AM, Linus Torvalds wrote:
> The thing to notice is that:
>
> - locking is done in just one place, and there is no question about it
> not having an unlock.
>
> - that whole double-while(1)-loop thing is gone.
>
> - use multiple functions to make nesting and error handling sane
>
> - do error testing after doing the things you always need to do, ie do
> this:
>
> mutex_lock(..)
> ret = function_call();
> mutex_unlock(..)
>
> .. test ret here ..
>
> instead of doing conditional exits with unlocking or freeing.
>
> So if the code is written in this way, it may still be buggy, but at least
> it's not buggy because of subtle "forgot to unlock" or "forgot to free"
> issues.
>
> This _always_ unlocks if it locked, and it always frees if it got a
> non-error kevent.
Cc: John McCutchan <ttb@tentacle.dhs.org>
Cc: Robert Love <rlove@google.com>
Cc: <stable@kernel.org>
Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-01-22 22:29:45 +08:00
|
|
|
ret = -EAGAIN;
|
|
|
|
if (file->f_flags & O_NONBLOCK)
|
2006-06-02 04:10:59 +08:00
|
|
|
break;
|
inotify: clean up inotify_read and fix locking problems
If userspace supplies an invalid pointer to a read() of an inotify
instance, the inotify device's event list mutex is unlocked twice.
This causes an unbalance which effectively leaves the data structure
unprotected, and we can trigger oopses by accessing the inotify
instance from different tasks concurrently.
The best fix (contributed largely by Linus) is a total rewrite
of the function in question:
On Thu, Jan 22, 2009 at 7:05 AM, Linus Torvalds wrote:
> The thing to notice is that:
>
> - locking is done in just one place, and there is no question about it
> not having an unlock.
>
> - that whole double-while(1)-loop thing is gone.
>
> - use multiple functions to make nesting and error handling sane
>
> - do error testing after doing the things you always need to do, ie do
> this:
>
> mutex_lock(..)
> ret = function_call();
> mutex_unlock(..)
>
> .. test ret here ..
>
> instead of doing conditional exits with unlocking or freeing.
>
> So if the code is written in this way, it may still be buggy, but at least
> it's not buggy because of subtle "forgot to unlock" or "forgot to free"
> issues.
>
> This _always_ unlocks if it locked, and it always frees if it got a
> non-error kevent.
Cc: John McCutchan <ttb@tentacle.dhs.org>
Cc: Robert Love <rlove@google.com>
Cc: <stable@kernel.org>
Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-01-22 22:29:45 +08:00
|
|
|
ret = -EINTR;
|
|
|
|
if (signal_pending(current))
|
2006-06-02 04:10:59 +08:00
|
|
|
break;
|
2008-10-03 05:50:12 +08:00
|
|
|
|
inotify: clean up inotify_read and fix locking problems
If userspace supplies an invalid pointer to a read() of an inotify
instance, the inotify device's event list mutex is unlocked twice.
This causes an unbalance which effectively leaves the data structure
unprotected, and we can trigger oopses by accessing the inotify
instance from different tasks concurrently.
The best fix (contributed largely by Linus) is a total rewrite
of the function in question:
On Thu, Jan 22, 2009 at 7:05 AM, Linus Torvalds wrote:
> The thing to notice is that:
>
> - locking is done in just one place, and there is no question about it
> not having an unlock.
>
> - that whole double-while(1)-loop thing is gone.
>
> - use multiple functions to make nesting and error handling sane
>
> - do error testing after doing the things you always need to do, ie do
> this:
>
> mutex_lock(..)
> ret = function_call();
> mutex_unlock(..)
>
> .. test ret here ..
>
> instead of doing conditional exits with unlocking or freeing.
>
> So if the code is written in this way, it may still be buggy, but at least
> it's not buggy because of subtle "forgot to unlock" or "forgot to free"
> issues.
>
> This _always_ unlocks if it locked, and it always frees if it got a
> non-error kevent.
Cc: John McCutchan <ttb@tentacle.dhs.org>
Cc: Robert Love <rlove@google.com>
Cc: <stable@kernel.org>
Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-01-22 22:29:45 +08:00
|
|
|
if (start != buf)
|
2006-06-02 04:10:59 +08:00
|
|
|
break;
|
2008-10-03 05:50:12 +08:00
|
|
|
|
inotify: clean up inotify_read and fix locking problems
If userspace supplies an invalid pointer to a read() of an inotify
instance, the inotify device's event list mutex is unlocked twice.
This causes an unbalance which effectively leaves the data structure
unprotected, and we can trigger oopses by accessing the inotify
instance from different tasks concurrently.
The best fix (contributed largely by Linus) is a total rewrite
of the function in question:
On Thu, Jan 22, 2009 at 7:05 AM, Linus Torvalds wrote:
> The thing to notice is that:
>
> - locking is done in just one place, and there is no question about it
> not having an unlock.
>
> - that whole double-while(1)-loop thing is gone.
>
> - use multiple functions to make nesting and error handling sane
>
> - do error testing after doing the things you always need to do, ie do
> this:
>
> mutex_lock(..)
> ret = function_call();
> mutex_unlock(..)
>
> .. test ret here ..
>
> instead of doing conditional exits with unlocking or freeing.
>
> So if the code is written in this way, it may still be buggy, but at least
> it's not buggy because of subtle "forgot to unlock" or "forgot to free"
> issues.
>
> This _always_ unlocks if it locked, and it always frees if it got a
> non-error kevent.
Cc: John McCutchan <ttb@tentacle.dhs.org>
Cc: Robert Love <rlove@google.com>
Cc: <stable@kernel.org>
Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-01-22 22:29:45 +08:00
|
|
|
schedule();
|
2006-06-02 04:10:59 +08:00
|
|
|
}
|
|
|
|
|
2009-05-22 05:02:01 +08:00
|
|
|
finish_wait(&group->notification_waitq, &wait);
|
inotify: clean up inotify_read and fix locking problems
If userspace supplies an invalid pointer to a read() of an inotify
instance, the inotify device's event list mutex is unlocked twice.
This causes an unbalance which effectively leaves the data structure
unprotected, and we can trigger oopses by accessing the inotify
instance from different tasks concurrently.
The best fix (contributed largely by Linus) is a total rewrite
of the function in question:
On Thu, Jan 22, 2009 at 7:05 AM, Linus Torvalds wrote:
> The thing to notice is that:
>
> - locking is done in just one place, and there is no question about it
> not having an unlock.
>
> - that whole double-while(1)-loop thing is gone.
>
> - use multiple functions to make nesting and error handling sane
>
> - do error testing after doing the things you always need to do, ie do
> this:
>
> mutex_lock(..)
> ret = function_call();
> mutex_unlock(..)
>
> .. test ret here ..
>
> instead of doing conditional exits with unlocking or freeing.
>
> So if the code is written in this way, it may still be buggy, but at least
> it's not buggy because of subtle "forgot to unlock" or "forgot to free"
> issues.
>
> This _always_ unlocks if it locked, and it always frees if it got a
> non-error kevent.
Cc: John McCutchan <ttb@tentacle.dhs.org>
Cc: Robert Love <rlove@google.com>
Cc: <stable@kernel.org>
Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-01-22 22:29:45 +08:00
|
|
|
if (start != buf && ret != -EFAULT)
|
|
|
|
ret = buf - start;
|
2006-06-02 04:10:59 +08:00
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2008-02-06 17:36:19 +08:00
|
|
|
static int inotify_fasync(int fd, struct file *file, int on)
|
|
|
|
{
|
2009-05-22 05:02:01 +08:00
|
|
|
struct fsnotify_group *group = file->private_data;
|
2008-02-06 17:36:19 +08:00
|
|
|
|
2009-05-22 05:02:01 +08:00
|
|
|
return fasync_helper(fd, file, on, &group->inotify_data.fa) >= 0 ? 0 : -EIO;
|
2008-02-06 17:36:19 +08:00
|
|
|
}
|
|
|
|
|
2006-06-02 04:10:59 +08:00
|
|
|
static int inotify_release(struct inode *ignored, struct file *file)
|
|
|
|
{
|
2009-05-22 05:02:01 +08:00
|
|
|
struct fsnotify_group *group = file->private_data;
|
2009-07-02 12:56:38 +08:00
|
|
|
struct user_struct *user = group->inotify_data.user;
|
2006-06-02 04:10:59 +08:00
|
|
|
|
2009-05-22 05:02:01 +08:00
|
|
|
fsnotify_clear_marks_by_group(group);
|
2006-06-02 04:10:59 +08:00
|
|
|
|
2009-05-22 05:02:01 +08:00
|
|
|
/* free this group, matching get was inotify_init->fsnotify_obtain_group */
|
|
|
|
fsnotify_put_group(group);
|
2006-06-02 04:10:59 +08:00
|
|
|
|
2009-07-02 12:56:38 +08:00
|
|
|
atomic_dec(&user->inotify_devs);
|
|
|
|
|
2006-06-02 04:10:59 +08:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static long inotify_ioctl(struct file *file, unsigned int cmd,
|
|
|
|
unsigned long arg)
|
|
|
|
{
|
2009-05-22 05:02:01 +08:00
|
|
|
struct fsnotify_group *group;
|
|
|
|
struct fsnotify_event_holder *holder;
|
|
|
|
struct fsnotify_event *event;
|
2006-06-02 04:10:59 +08:00
|
|
|
void __user *p;
|
|
|
|
int ret = -ENOTTY;
|
2009-05-22 05:02:01 +08:00
|
|
|
size_t send_len = 0;
|
2006-06-02 04:10:59 +08:00
|
|
|
|
2009-05-22 05:02:01 +08:00
|
|
|
group = file->private_data;
|
2006-06-02 04:10:59 +08:00
|
|
|
p = (void __user *) arg;
|
|
|
|
|
|
|
|
switch (cmd) {
|
|
|
|
case FIONREAD:
|
2009-05-22 05:02:01 +08:00
|
|
|
mutex_lock(&group->notification_mutex);
|
|
|
|
list_for_each_entry(holder, &group->notification_list, event_list) {
|
|
|
|
event = holder->event;
|
|
|
|
send_len += sizeof(struct inotify_event);
|
2009-08-28 23:57:55 +08:00
|
|
|
if (event->name_len)
|
|
|
|
send_len += roundup(event->name_len + 1,
|
|
|
|
sizeof(struct inotify_event));
|
2009-05-22 05:02:01 +08:00
|
|
|
}
|
|
|
|
mutex_unlock(&group->notification_mutex);
|
|
|
|
ret = put_user(send_len, (int __user *) p);
|
2006-06-02 04:10:59 +08:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
static const struct file_operations inotify_fops = {
|
2009-05-22 05:02:01 +08:00
|
|
|
.poll = inotify_poll,
|
|
|
|
.read = inotify_read,
|
|
|
|
.fasync = inotify_fasync,
|
|
|
|
.release = inotify_release,
|
|
|
|
.unlocked_ioctl = inotify_ioctl,
|
2006-06-02 04:10:59 +08:00
|
|
|
.compat_ioctl = inotify_ioctl,
|
|
|
|
};
|
|
|
|
|
|
|
|
|
2009-05-22 05:02:01 +08:00
|
|
|
/*
|
|
|
|
* find_inode - resolve a user-given path to a specific inode
|
|
|
|
*/
|
|
|
|
static int inotify_find_inode(const char __user *dirname, struct path *path, unsigned flags)
|
|
|
|
{
|
|
|
|
int error;
|
|
|
|
|
|
|
|
error = user_path_at(AT_FDCWD, dirname, flags, path);
|
|
|
|
if (error)
|
|
|
|
return error;
|
|
|
|
/* you can only watch an inode if you have read permissions on it */
|
|
|
|
error = inode_permission(path->dentry->d_inode, MAY_READ);
|
|
|
|
if (error)
|
|
|
|
path_put(path);
|
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
2009-08-25 04:03:35 +08:00
|
|
|
/*
|
|
|
|
* Remove the mark from the idr (if present) and drop the reference
|
|
|
|
* on the mark because it was in the idr.
|
|
|
|
*/
|
2009-07-07 22:28:24 +08:00
|
|
|
static void inotify_remove_from_idr(struct fsnotify_group *group,
|
|
|
|
struct inotify_inode_mark_entry *ientry)
|
|
|
|
{
|
|
|
|
struct idr *idr;
|
2009-08-25 04:03:35 +08:00
|
|
|
struct fsnotify_mark_entry *entry;
|
|
|
|
struct inotify_inode_mark_entry *found_ientry;
|
|
|
|
int wd;
|
2009-07-07 22:28:24 +08:00
|
|
|
|
|
|
|
spin_lock(&group->inotify_data.idr_lock);
|
|
|
|
idr = &group->inotify_data.idr;
|
2009-08-25 04:03:35 +08:00
|
|
|
wd = ientry->wd;
|
|
|
|
|
|
|
|
if (wd == -1)
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
entry = idr_find(&group->inotify_data.idr, wd);
|
|
|
|
if (unlikely(!entry))
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
found_ientry = container_of(entry, struct inotify_inode_mark_entry, fsn_entry);
|
|
|
|
if (unlikely(found_ientry != ientry)) {
|
|
|
|
/* We found an entry in the idr with the right wd, but it's
|
|
|
|
* not the entry we were told to remove. eparis seriously
|
|
|
|
* fucked up somewhere. */
|
|
|
|
WARN_ON(1);
|
|
|
|
ientry->wd = -1;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* One ref for being in the idr, one ref held by the caller */
|
|
|
|
BUG_ON(atomic_read(&entry->refcnt) < 2);
|
|
|
|
|
|
|
|
idr_remove(idr, wd);
|
2009-07-07 22:28:24 +08:00
|
|
|
ientry->wd = -1;
|
2009-08-25 04:03:35 +08:00
|
|
|
|
|
|
|
/* removed from the idr, drop that ref */
|
|
|
|
fsnotify_put_mark(entry);
|
|
|
|
out:
|
|
|
|
spin_unlock(&group->inotify_data.idr_lock);
|
2009-07-07 22:28:24 +08:00
|
|
|
}
|
2009-08-25 04:03:35 +08:00
|
|
|
|
2009-05-22 05:02:01 +08:00
|
|
|
/*
|
2009-08-25 04:03:35 +08:00
|
|
|
* Send IN_IGNORED for this wd, remove this wd from the idr.
|
2009-05-22 05:02:01 +08:00
|
|
|
*/
|
2009-06-13 04:04:26 +08:00
|
|
|
void inotify_ignored_and_remove_idr(struct fsnotify_mark_entry *entry,
|
|
|
|
struct fsnotify_group *group)
|
2009-05-22 05:02:01 +08:00
|
|
|
{
|
|
|
|
struct inotify_inode_mark_entry *ientry;
|
2009-07-16 03:49:52 +08:00
|
|
|
struct fsnotify_event *ignored_event;
|
2009-05-22 05:02:01 +08:00
|
|
|
struct inotify_event_private_data *event_priv;
|
|
|
|
struct fsnotify_event_private_data *fsn_event_priv;
|
2009-08-17 09:51:44 +08:00
|
|
|
int ret;
|
2009-05-22 05:02:01 +08:00
|
|
|
|
2009-07-16 03:49:52 +08:00
|
|
|
ignored_event = fsnotify_create_event(NULL, FS_IN_IGNORED, NULL,
|
|
|
|
FSNOTIFY_EVENT_NONE, NULL, 0,
|
|
|
|
GFP_NOFS);
|
|
|
|
if (!ignored_event)
|
|
|
|
return;
|
|
|
|
|
2009-05-22 05:02:01 +08:00
|
|
|
ientry = container_of(entry, struct inotify_inode_mark_entry, fsn_entry);
|
|
|
|
|
2009-07-16 03:49:52 +08:00
|
|
|
event_priv = kmem_cache_alloc(event_priv_cachep, GFP_NOFS);
|
2009-05-22 05:02:01 +08:00
|
|
|
if (unlikely(!event_priv))
|
|
|
|
goto skip_send_ignore;
|
|
|
|
|
|
|
|
fsn_event_priv = &event_priv->fsnotify_event_priv_data;
|
|
|
|
|
|
|
|
fsn_event_priv->group = group;
|
|
|
|
event_priv->wd = ientry->wd;
|
|
|
|
|
2009-08-17 09:51:44 +08:00
|
|
|
ret = fsnotify_add_notify_event(group, ignored_event, fsn_event_priv);
|
|
|
|
if (ret)
|
2009-05-22 05:02:01 +08:00
|
|
|
inotify_free_event_priv(fsn_event_priv);
|
|
|
|
|
|
|
|
skip_send_ignore:
|
|
|
|
|
2009-07-16 03:49:52 +08:00
|
|
|
/* matches the reference taken when the event was created */
|
|
|
|
fsnotify_put_event(ignored_event);
|
|
|
|
|
2009-05-22 05:02:01 +08:00
|
|
|
/* remove this entry from the idr */
|
2009-07-07 22:28:24 +08:00
|
|
|
inotify_remove_from_idr(group, ientry);
|
2009-05-22 05:02:01 +08:00
|
|
|
|
2009-07-07 22:28:23 +08:00
|
|
|
atomic_dec(&group->inotify_data.user->inotify_watches);
|
2009-05-22 05:02:01 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
/* ding dong the mark is dead */
|
|
|
|
static void inotify_free_mark(struct fsnotify_mark_entry *entry)
|
|
|
|
{
|
|
|
|
struct inotify_inode_mark_entry *ientry = (struct inotify_inode_mark_entry *)entry;
|
|
|
|
|
|
|
|
kmem_cache_free(inotify_inode_mark_cachep, ientry);
|
|
|
|
}
|
|
|
|
|
2009-08-25 04:03:35 +08:00
|
|
|
static int inotify_update_existing_watch(struct fsnotify_group *group,
|
|
|
|
struct inode *inode,
|
|
|
|
u32 arg)
|
2009-05-22 05:02:01 +08:00
|
|
|
{
|
2009-08-25 04:03:35 +08:00
|
|
|
struct fsnotify_mark_entry *entry;
|
2009-05-22 05:02:01 +08:00
|
|
|
struct inotify_inode_mark_entry *ientry;
|
|
|
|
__u32 old_mask, new_mask;
|
2009-08-25 04:03:35 +08:00
|
|
|
__u32 mask;
|
|
|
|
int add = (arg & IN_MASK_ADD);
|
|
|
|
int ret;
|
2009-05-22 05:02:01 +08:00
|
|
|
|
|
|
|
/* don't allow invalid bits: we don't want flags set */
|
|
|
|
mask = inotify_arg_to_mask(arg);
|
|
|
|
if (unlikely(!mask))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
spin_lock(&inode->i_lock);
|
|
|
|
entry = fsnotify_find_mark_entry(group, inode);
|
|
|
|
spin_unlock(&inode->i_lock);
|
2009-08-25 04:03:35 +08:00
|
|
|
if (!entry)
|
|
|
|
return -ENOENT;
|
2009-07-07 22:28:24 +08:00
|
|
|
|
2009-08-25 04:03:35 +08:00
|
|
|
ientry = container_of(entry, struct inotify_inode_mark_entry, fsn_entry);
|
2009-07-07 22:28:23 +08:00
|
|
|
|
2009-05-22 05:02:01 +08:00
|
|
|
spin_lock(&entry->lock);
|
|
|
|
|
|
|
|
old_mask = entry->mask;
|
|
|
|
if (add) {
|
|
|
|
entry->mask |= mask;
|
|
|
|
new_mask = entry->mask;
|
|
|
|
} else {
|
|
|
|
entry->mask = mask;
|
|
|
|
new_mask = entry->mask;
|
|
|
|
}
|
|
|
|
|
|
|
|
spin_unlock(&entry->lock);
|
|
|
|
|
|
|
|
if (old_mask != new_mask) {
|
|
|
|
/* more bits in old than in new? */
|
|
|
|
int dropped = (old_mask & ~new_mask);
|
|
|
|
/* more bits in this entry than the inode's mask? */
|
|
|
|
int do_inode = (new_mask & ~inode->i_fsnotify_mask);
|
|
|
|
/* more bits in this entry than the group? */
|
|
|
|
int do_group = (new_mask & ~group->mask);
|
|
|
|
|
|
|
|
/* update the inode with this new entry */
|
|
|
|
if (dropped || do_inode)
|
|
|
|
fsnotify_recalc_inode_mask(inode);
|
|
|
|
|
|
|
|
/* update the group mask with the new mask */
|
|
|
|
if (dropped || do_group)
|
|
|
|
fsnotify_recalc_group_mask(group);
|
|
|
|
}
|
|
|
|
|
2009-08-25 04:03:35 +08:00
|
|
|
/* return the wd */
|
|
|
|
ret = ientry->wd;
|
|
|
|
|
|
|
|
/* match the get from fsnotify_find_mark_entry() */
|
2009-07-07 22:28:23 +08:00
|
|
|
fsnotify_put_mark(entry);
|
|
|
|
|
2009-08-25 04:03:35 +08:00
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int inotify_new_watch(struct fsnotify_group *group,
|
|
|
|
struct inode *inode,
|
|
|
|
u32 arg)
|
|
|
|
{
|
|
|
|
struct inotify_inode_mark_entry *tmp_ientry;
|
|
|
|
__u32 mask;
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
/* don't allow invalid bits: we don't want flags set */
|
|
|
|
mask = inotify_arg_to_mask(arg);
|
|
|
|
if (unlikely(!mask))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
tmp_ientry = kmem_cache_alloc(inotify_inode_mark_cachep, GFP_KERNEL);
|
|
|
|
if (unlikely(!tmp_ientry))
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
fsnotify_init_mark(&tmp_ientry->fsn_entry, inotify_free_mark);
|
|
|
|
tmp_ientry->fsn_entry.mask = mask;
|
|
|
|
tmp_ientry->wd = -1;
|
|
|
|
|
|
|
|
ret = -ENOSPC;
|
|
|
|
if (atomic_read(&group->inotify_data.user->inotify_watches) >= inotify_max_user_watches)
|
|
|
|
goto out_err;
|
|
|
|
retry:
|
|
|
|
ret = -ENOMEM;
|
|
|
|
if (unlikely(!idr_pre_get(&group->inotify_data.idr, GFP_KERNEL)))
|
|
|
|
goto out_err;
|
|
|
|
|
2010-05-12 05:17:40 +08:00
|
|
|
/* we are putting the mark on the idr, take a reference */
|
|
|
|
fsnotify_get_mark(&tmp_ientry->fsn_entry);
|
|
|
|
|
2009-08-25 04:03:35 +08:00
|
|
|
spin_lock(&group->inotify_data.idr_lock);
|
|
|
|
ret = idr_get_new_above(&group->inotify_data.idr, &tmp_ientry->fsn_entry,
|
inotify: do not reuse watch descriptors
Since commit 7e790dd5fc937bc8d2400c30a05e32a9e9eef276 ("inotify: fix
error paths in inotify_update_watch") inotify changed the manor in which
it gave watch descriptors back to userspace. Previous to this commit
inotify acted like the following:
inotify_add_watch(X, Y, Z) = 1
inotify_rm_watch(X, 1);
inotify_add_watch(X, Y, Z) = 2
but after this patch inotify would return watch descriptors like so:
inotify_add_watch(X, Y, Z) = 1
inotify_rm_watch(X, 1);
inotify_add_watch(X, Y, Z) = 1
which I saw as equivalent to opening an fd where
open(file) = 1;
close(1);
open(file) = 1;
seemed perfectly reasonable. The issue is that quite a bit of userspace
apparently relies on the behavior in which watch descriptors will not be
quickly reused. KDE relies on it, I know some selinux packages rely on
it, and I have heard complaints from other random sources such as debian
bug 558981.
Although the man page implies what we do is ok, we broke userspace so
this patch almost reverts us to the old behavior. It is still slightly
racey and I have patches that would fix that, but they are rather large
and this will fix it for all real world cases. The race is as follows:
- task1 creates a watch and blocks in idr_new_watch() before it updates
the hint.
- task2 creates a watch and updates the hint.
- task1 updates the hint with it's older wd
- task removes the watch created by task2
- task adds a new watch and will reuse the wd originally given to task2
it requires moving some locking around the hint (last_wd) but this should
solve it for the real world and be -stable safe.
As a side effect this patch papers over a bug in the lib/idr code which
is causing a large number WARN's to pop on people's system and many
reports in kerneloops.org. I'm working on the root cause of that idr
bug seperately but this should make inotify immune to that issue.
Signed-off-by: Eric Paris <eparis@redhat.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-01-16 01:12:24 +08:00
|
|
|
group->inotify_data.last_wd+1,
|
2009-08-25 04:03:35 +08:00
|
|
|
&tmp_ientry->wd);
|
|
|
|
spin_unlock(&group->inotify_data.idr_lock);
|
|
|
|
if (ret) {
|
2010-05-12 05:17:40 +08:00
|
|
|
/* we didn't get on the idr, drop the idr reference */
|
|
|
|
fsnotify_put_mark(&tmp_ientry->fsn_entry);
|
|
|
|
|
2009-08-25 04:03:35 +08:00
|
|
|
/* idr was out of memory allocate and try again */
|
|
|
|
if (ret == -EAGAIN)
|
|
|
|
goto retry;
|
|
|
|
goto out_err;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* we are on the idr, now get on the inode */
|
|
|
|
ret = fsnotify_add_mark(&tmp_ientry->fsn_entry, group, inode);
|
|
|
|
if (ret) {
|
|
|
|
/* we failed to get on the inode, get off the idr */
|
|
|
|
inotify_remove_from_idr(group, tmp_ientry);
|
|
|
|
goto out_err;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* update the idr hint, who cares about races, it's just a hint */
|
|
|
|
group->inotify_data.last_wd = tmp_ientry->wd;
|
|
|
|
|
|
|
|
/* increment the number of watches the user has */
|
|
|
|
atomic_inc(&group->inotify_data.user->inotify_watches);
|
|
|
|
|
|
|
|
/* return the watch descriptor for this new entry */
|
|
|
|
ret = tmp_ientry->wd;
|
|
|
|
|
2009-08-29 00:50:47 +08:00
|
|
|
/* if this mark added a new event update the group mask */
|
|
|
|
if (mask & ~group->mask)
|
|
|
|
fsnotify_recalc_group_mask(group);
|
|
|
|
|
2009-05-22 05:02:01 +08:00
|
|
|
out_err:
|
2010-05-12 05:16:23 +08:00
|
|
|
/* match the ref from fsnotify_init_markentry() */
|
|
|
|
fsnotify_put_mark(&tmp_ientry->fsn_entry);
|
2009-08-25 04:03:35 +08:00
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int inotify_update_watch(struct fsnotify_group *group, struct inode *inode, u32 arg)
|
|
|
|
{
|
|
|
|
int ret = 0;
|
|
|
|
|
|
|
|
retry:
|
|
|
|
/* try to update and existing watch with the new arg */
|
|
|
|
ret = inotify_update_existing_watch(group, inode, arg);
|
|
|
|
/* no mark present, try to add a new one */
|
|
|
|
if (ret == -ENOENT)
|
|
|
|
ret = inotify_new_watch(group, inode, arg);
|
|
|
|
/*
|
|
|
|
* inotify_new_watch could race with another thread which did an
|
|
|
|
* inotify_new_watch between the update_existing and the add watch
|
|
|
|
* here, go back and try to update an existing mark again.
|
|
|
|
*/
|
|
|
|
if (ret == -EEXIST)
|
|
|
|
goto retry;
|
2009-07-07 22:28:24 +08:00
|
|
|
|
2009-05-22 05:02:01 +08:00
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
static struct fsnotify_group *inotify_new_group(struct user_struct *user, unsigned int max_events)
|
|
|
|
{
|
|
|
|
struct fsnotify_group *group;
|
|
|
|
unsigned int grp_num;
|
|
|
|
|
|
|
|
/* fsnotify_obtain_group took a reference to group, we put this when we kill the file in the end */
|
|
|
|
grp_num = (INOTIFY_GROUP_NUM - atomic_inc_return(&inotify_grp_num));
|
|
|
|
group = fsnotify_obtain_group(grp_num, 0, &inotify_fsnotify_ops);
|
|
|
|
if (IS_ERR(group))
|
|
|
|
return group;
|
|
|
|
|
|
|
|
group->max_events = max_events;
|
|
|
|
|
|
|
|
spin_lock_init(&group->inotify_data.idr_lock);
|
|
|
|
idr_init(&group->inotify_data.idr);
|
inotify: do not reuse watch descriptors
Since commit 7e790dd5fc937bc8d2400c30a05e32a9e9eef276 ("inotify: fix
error paths in inotify_update_watch") inotify changed the manor in which
it gave watch descriptors back to userspace. Previous to this commit
inotify acted like the following:
inotify_add_watch(X, Y, Z) = 1
inotify_rm_watch(X, 1);
inotify_add_watch(X, Y, Z) = 2
but after this patch inotify would return watch descriptors like so:
inotify_add_watch(X, Y, Z) = 1
inotify_rm_watch(X, 1);
inotify_add_watch(X, Y, Z) = 1
which I saw as equivalent to opening an fd where
open(file) = 1;
close(1);
open(file) = 1;
seemed perfectly reasonable. The issue is that quite a bit of userspace
apparently relies on the behavior in which watch descriptors will not be
quickly reused. KDE relies on it, I know some selinux packages rely on
it, and I have heard complaints from other random sources such as debian
bug 558981.
Although the man page implies what we do is ok, we broke userspace so
this patch almost reverts us to the old behavior. It is still slightly
racey and I have patches that would fix that, but they are rather large
and this will fix it for all real world cases. The race is as follows:
- task1 creates a watch and blocks in idr_new_watch() before it updates
the hint.
- task2 creates a watch and updates the hint.
- task1 updates the hint with it's older wd
- task removes the watch created by task2
- task adds a new watch and will reuse the wd originally given to task2
it requires moving some locking around the hint (last_wd) but this should
solve it for the real world and be -stable safe.
As a side effect this patch papers over a bug in the lib/idr code which
is causing a large number WARN's to pop on people's system and many
reports in kerneloops.org. I'm working on the root cause of that idr
bug seperately but this should make inotify immune to that issue.
Signed-off-by: Eric Paris <eparis@redhat.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-01-16 01:12:24 +08:00
|
|
|
group->inotify_data.last_wd = 0;
|
2009-05-22 05:02:01 +08:00
|
|
|
group->inotify_data.user = user;
|
|
|
|
group->inotify_data.fa = NULL;
|
|
|
|
|
|
|
|
return group;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/* inotify syscalls */
|
2009-01-14 21:14:30 +08:00
|
|
|
SYSCALL_DEFINE1(inotify_init1, int, flags)
|
2006-06-02 04:10:59 +08:00
|
|
|
{
|
2009-05-22 05:02:01 +08:00
|
|
|
struct fsnotify_group *group;
|
2006-06-02 04:10:59 +08:00
|
|
|
struct user_struct *user;
|
2010-02-11 15:24:46 +08:00
|
|
|
int ret;
|
2006-06-02 04:10:59 +08:00
|
|
|
|
2008-07-24 12:29:42 +08:00
|
|
|
/* Check the IN_* constants for consistency. */
|
|
|
|
BUILD_BUG_ON(IN_CLOEXEC != O_CLOEXEC);
|
|
|
|
BUILD_BUG_ON(IN_NONBLOCK != O_NONBLOCK);
|
|
|
|
|
2008-07-24 12:29:41 +08:00
|
|
|
if (flags & ~(IN_CLOEXEC | IN_NONBLOCK))
|
2008-07-24 12:29:32 +08:00
|
|
|
return -EINVAL;
|
|
|
|
|
2008-11-14 07:39:05 +08:00
|
|
|
user = get_current_user();
|
2006-06-02 04:10:59 +08:00
|
|
|
if (unlikely(atomic_read(&user->inotify_devs) >=
|
|
|
|
inotify_max_user_instances)) {
|
|
|
|
ret = -EMFILE;
|
|
|
|
goto out_free_uid;
|
|
|
|
}
|
|
|
|
|
2009-05-22 05:02:01 +08:00
|
|
|
/* fsnotify_obtain_group took a reference to group, we put this when we kill the file in the end */
|
|
|
|
group = inotify_new_group(user, inotify_max_queued_events);
|
|
|
|
if (IS_ERR(group)) {
|
|
|
|
ret = PTR_ERR(group);
|
2006-06-02 04:10:59 +08:00
|
|
|
goto out_free_uid;
|
|
|
|
}
|
|
|
|
|
2009-08-05 22:35:21 +08:00
|
|
|
atomic_inc(&user->inotify_devs);
|
|
|
|
|
2010-02-11 15:24:46 +08:00
|
|
|
ret = anon_inode_getfd("inotify", &inotify_fops, group,
|
|
|
|
O_RDONLY | flags);
|
|
|
|
if (ret >= 0)
|
|
|
|
return ret;
|
2009-08-05 22:35:21 +08:00
|
|
|
|
|
|
|
atomic_dec(&user->inotify_devs);
|
2006-06-02 04:10:59 +08:00
|
|
|
out_free_uid:
|
|
|
|
free_uid(user);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2009-01-14 21:14:30 +08:00
|
|
|
SYSCALL_DEFINE0(inotify_init)
|
2008-07-24 12:29:32 +08:00
|
|
|
{
|
|
|
|
return sys_inotify_init1(0);
|
|
|
|
}
|
|
|
|
|
2009-01-14 21:14:31 +08:00
|
|
|
SYSCALL_DEFINE3(inotify_add_watch, int, fd, const char __user *, pathname,
|
|
|
|
u32, mask)
|
2006-06-02 04:10:59 +08:00
|
|
|
{
|
2009-05-22 05:02:01 +08:00
|
|
|
struct fsnotify_group *group;
|
2006-06-02 04:10:59 +08:00
|
|
|
struct inode *inode;
|
2008-07-22 21:59:21 +08:00
|
|
|
struct path path;
|
2006-06-02 04:10:59 +08:00
|
|
|
struct file *filp;
|
|
|
|
int ret, fput_needed;
|
|
|
|
unsigned flags = 0;
|
|
|
|
|
|
|
|
filp = fget_light(fd, &fput_needed);
|
|
|
|
if (unlikely(!filp))
|
|
|
|
return -EBADF;
|
|
|
|
|
|
|
|
/* verify that this is indeed an inotify instance */
|
|
|
|
if (unlikely(filp->f_op != &inotify_fops)) {
|
|
|
|
ret = -EINVAL;
|
|
|
|
goto fput_and_out;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!(mask & IN_DONT_FOLLOW))
|
|
|
|
flags |= LOOKUP_FOLLOW;
|
|
|
|
if (mask & IN_ONLYDIR)
|
|
|
|
flags |= LOOKUP_DIRECTORY;
|
|
|
|
|
2009-05-22 05:02:01 +08:00
|
|
|
ret = inotify_find_inode(pathname, &path, flags);
|
|
|
|
if (ret)
|
2006-06-02 04:10:59 +08:00
|
|
|
goto fput_and_out;
|
|
|
|
|
2009-05-22 05:02:01 +08:00
|
|
|
/* inode held in place by reference to path; group by fget on fd */
|
2008-07-22 21:59:21 +08:00
|
|
|
inode = path.dentry->d_inode;
|
2009-05-22 05:02:01 +08:00
|
|
|
group = filp->private_data;
|
2006-06-02 04:10:59 +08:00
|
|
|
|
2009-05-22 05:02:01 +08:00
|
|
|
/* create/update an inode mark */
|
|
|
|
ret = inotify_update_watch(group, inode, mask);
|
2008-07-22 21:59:21 +08:00
|
|
|
path_put(&path);
|
2006-06-02 04:10:59 +08:00
|
|
|
fput_and_out:
|
|
|
|
fput_light(filp, fput_needed);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2009-01-14 21:14:31 +08:00
|
|
|
SYSCALL_DEFINE2(inotify_rm_watch, int, fd, __s32, wd)
|
2006-06-02 04:10:59 +08:00
|
|
|
{
|
2009-05-22 05:02:01 +08:00
|
|
|
struct fsnotify_group *group;
|
|
|
|
struct fsnotify_mark_entry *entry;
|
2006-06-02 04:10:59 +08:00
|
|
|
struct file *filp;
|
2009-05-22 05:02:01 +08:00
|
|
|
int ret = 0, fput_needed;
|
2006-06-02 04:10:59 +08:00
|
|
|
|
|
|
|
filp = fget_light(fd, &fput_needed);
|
|
|
|
if (unlikely(!filp))
|
|
|
|
return -EBADF;
|
|
|
|
|
|
|
|
/* verify that this is indeed an inotify instance */
|
|
|
|
if (unlikely(filp->f_op != &inotify_fops)) {
|
|
|
|
ret = -EINVAL;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
2009-05-22 05:02:01 +08:00
|
|
|
group = filp->private_data;
|
2006-06-02 04:10:59 +08:00
|
|
|
|
2009-05-22 05:02:01 +08:00
|
|
|
spin_lock(&group->inotify_data.idr_lock);
|
|
|
|
entry = idr_find(&group->inotify_data.idr, wd);
|
|
|
|
if (unlikely(!entry)) {
|
|
|
|
spin_unlock(&group->inotify_data.idr_lock);
|
|
|
|
ret = -EINVAL;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
fsnotify_get_mark(entry);
|
|
|
|
spin_unlock(&group->inotify_data.idr_lock);
|
|
|
|
|
2009-06-13 04:04:26 +08:00
|
|
|
fsnotify_destroy_mark_by_entry(entry);
|
2009-05-22 05:02:01 +08:00
|
|
|
fsnotify_put_mark(entry);
|
2006-06-02 04:10:59 +08:00
|
|
|
|
|
|
|
out:
|
|
|
|
fput_light(filp, fput_needed);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* inotify_user_setup - Our initialization function. Note that we cannnot return
|
|
|
|
* error because we have compiled-in VFS hooks. So an (unlikely) failure here
|
|
|
|
* must result in panic().
|
|
|
|
*/
|
|
|
|
static int __init inotify_user_setup(void)
|
|
|
|
{
|
2009-05-22 05:02:01 +08:00
|
|
|
inotify_inode_mark_cachep = KMEM_CACHE(inotify_inode_mark_entry, SLAB_PANIC);
|
|
|
|
event_priv_cachep = KMEM_CACHE(inotify_event_private_data, SLAB_PANIC);
|
|
|
|
|
2006-06-02 04:10:59 +08:00
|
|
|
inotify_max_queued_events = 16384;
|
|
|
|
inotify_max_user_instances = 128;
|
|
|
|
inotify_max_user_watches = 8192;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
module_init(inotify_user_setup);
|