From patchwork Mon Jun 22 10:53:16 2015
From: Ashish Sangwan
To: linux-fsdevel@vger.kernel.org, Jan Kara, Andrew Morton, Eric Paris, Amit Sahrawat, Ashish Sangwan, Namjae Jeon, Pankaj Mishra
Subject: [PATCH] fsnotify: fix a crash due to invalid virtual address
Date: Mon, 22 Jun 2015 16:23:16 +0530
Message-id: <1434970396-19644-1-git-send-email-a.sangwan@samsung.com>
X-Mailer: git-send-email 1.7.9.5
For deleting the fsnotify_mark related to an inode, there are 2 paths in the kernel. When the inotify fd is closed, all the marks belonging to a group are removed one by one in fsnotify_clear_marks_by_group_flags. The other path is when the inode is removed from user space by unlink; fsnotify_destroy_mark is called to delete a single mark. There is a race between these 2 paths which is caused by the temporary release of the mark_mutex inside fsnotify_destroy_mark_locked.

The race happens when the inotify app monitoring the file(s) exits, triggering fsnotify_clear_marks_by_group_flags to delete the marks. This function uses the lmark pointer to move to the next node after a safe removal of the node. In parallel, if there is an rm call for a file such that lmark is pointing to the mark which is removed by this rm call, lmark ends up pointing to freed memory. Now, when we try to move to the next node using lmark, it triggers an invalid virtual address crash.

Although fsnotify_clear_marks_by_group_flags and fsnotify_destroy_mark are synchronized by mark_mutex, both of these functions call fsnotify_destroy_mark_locked, which releases the mark_mutex and acquires it again, creating a subtle race window. There seems to be no reason for releasing mark_mutex, so this patch removes the mutex_unlock call.

Signed-off-by: Ashish Sangwan
Reviewed-by: Amit Sahrawat
---
 fs/notify/mark.c | 4 ----
 1 files changed, 0 insertions(+), 4 deletions(-)
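The interleaving the changelog describes, as an added user-space model that is not part of the patch or of the kernel source: a group's mark list is walked list_for_each_entry_safe-style with the next entry cached in `lmark`, while the per-mark destroy routine drops the group's mutex in the middle, and a second "rm" path removes exactly the cached entry in that window. The list helpers, the `alive` flag standing in for freed memory, the `unlink_victim` hook that injects the concurrent removal, and the function names `clear_marks_by_group`, `destroy_mark_locked`, `concurrent_unlink_path` and `run_scenario` are all simplifications invented for this example; the scenario data (four marks, rm targeting mark 1) is constructed.

```c
#include <stdbool.h>
#include <stdio.h>

struct mark {                       /* stand-in for struct fsnotify_mark */
    int id; bool alive;             /* alive is cleared when the mark is "freed" */
    struct mark *prev, *next;       /* like struct list_head */
};

struct group {                      /* stand-in for struct fsnotify_group */
    struct mark head;               /* list sentinel, like group->marks_list */
    bool mark_mutex_held;           /* models group->mark_mutex */
    int unlink_victim;              /* id the rm path wants gone, -1 = none (constructed hook) */
};

static void list_del(struct mark *m)
{
    m->prev->next = m->next;
    m->next->prev = m->prev;
    m->next = m->prev = m;          /* poison: a freed mark points at itself */
}

/* Path 2 (rm of a watched file): fsnotify_destroy_mark on one mark. It needs
 * mark_mutex, so it only makes progress while the mutex is not held. */
static void concurrent_unlink_path(struct group *g)
{
    if (g->mark_mutex_held || g->unlink_victim < 0)
        return;
    g->mark_mutex_held = true;
    for (struct mark *m = g->head.next; m != &g->head; m = m->next)
        if (m->id == g->unlink_victim) {
            list_del(m);
            m->alive = false;       /* queued on destroy_list and freed */
            break;
        }
    g->unlink_victim = -1;
    g->mark_mutex_held = false;
}

/* fsnotify_destroy_mark_locked, with or without the temporary unlock the
 * patch removes. The unlock is the window in which path 2 can run. */
static void destroy_mark_locked(struct group *g, struct mark *m, bool drop_lock)
{
    list_del(m);
    m->alive = false;
    if (drop_lock) {
        g->mark_mutex_held = false; /* "release lock temporarily" */
        concurrent_unlink_path(g);  /* the interleaving from the changelog */
        g->mark_mutex_held = true;  /* mutex_lock_nested(...) */
    }
}

/* Path 1 (inotify fd closed): fsnotify_clear_marks_by_group_flags, walking the
 * list with the next entry cached in lmark. Returns how many already freed
 * marks the walk dereferenced; in the kernel that is the invalid-address crash. */
static int clear_marks_by_group(struct group *g, bool drop_lock)
{
    struct mark *mark, *lmark;
    int freed_touches = 0;

    g->mark_mutex_held = true;
    for (mark = g->head.next, lmark = mark->next; mark != &g->head;
         mark = lmark, lmark = mark->next) {
        if (!mark->alive) {         /* lmark pointed at freed memory */
            freed_touches++;
            break;
        }
        destroy_mark_locked(g, mark, drop_lock);
    }
    g->mark_mutex_held = false;
    concurrent_unlink_path(g);      /* rm gets the mutex only after the walk */
    return freed_touches;
}

/* Constructed scenario: four marks; rm targets mark 1 while the walk is
 * destroying mark 0. Returns 1 with the temporary unlock, 0 without it. */
int run_scenario(bool drop_lock)
{
    struct mark pool[4];
    struct group g = { .unlink_victim = 1 };

    g.head.next = g.head.prev = &g.head;
    for (int i = 0; i < 4; i++) {   /* list_add_tail for each mark */
        pool[i].id = i; pool[i].alive = true;
        pool[i].prev = g.head.prev; pool[i].next = &g.head;
        g.head.prev->next = &pool[i]; g.head.prev = &pool[i];
    }
    return clear_marks_by_group(&g, drop_lock);
}

int main(void)
{
    printf("temporary unlock: %d freed dereference(s)\n", run_scenario(true));
    printf("mutex held:       %d freed dereference(s)\n", run_scenario(false));
    return 0;
}
```

The model only shows why a cached next pointer is unsafe once anyone else may modify the list: with the unlock in place, `lmark` is read after the rm path has unlinked and freed it; with the mutex held across the whole destroy, the rm path cannot run until the walk is finished and finds nothing left to remove. It says nothing about whether holding the mutex across the rest of the real function is deadlock-free, which is the question the patch still has to answer.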
diff --git a/fs/notify/mark.c b/fs/notify/mark.c index 92e48c7..4ee419f 100755 --- a/fs/notify/mark.c +++ b/fs/notify/mark.c @@ -157,8 +157,6 @@ void fsnotify_destroy_mark_locked(struct fsnotify_mark *mark, if (inode && (mark->flags & FSNOTIFY_MARK_FLAG_OBJECT_PINNED)) iput(inode); - /* release lock temporarily */ - mutex_unlock(&group->mark_mutex); spin_lock(&destroy_lock); list_add(&mark->g_list, &destroy_list); @@ -191,8 +189,6 @@ void fsnotify_destroy_mark_locked(struct fsnotify_mark *mark, */ atomic_dec(&group->num_marks); - - mutex_lock_nested(&group->mark_mutex, SINGLE_DEPTH_NESTING); } void fsnotify_destroy_mark(struct fsnotify_mark *mark,
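Review bot: in the first hunk (@@ -157,8 +157,6 @@), deleting `mutex_unlock(&group->mark_mutex);` after the `iput(inode)` means everything fsnotify_destroy_mark_locked does from here to the relock in the second hunk, starting with the `spin_lock(&destroy_lock); list_add(&mark->g_list, &destroy_list);` shown and continuing through the code outside the hunk's context, now runs with mark_mutex held. The removed `/* release lock temporarily */` comment shows the unlock was deliberate, so the changelog's "there seems to be no reason for releasing mark_mutex" should become an actual argument: name what runs in that window and state that none of it takes mark_mutex (which would now deadlock against the caller) or blocks waiting on something that needs it. Also, `index 92e48c7..4ee419f 100755` shows mark.c is executable in the submitting tree; kernel sources are mode 100644, so check the tree before resending.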
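Review bot: in the second hunk (@@ -191,8 +189,6 @@), the relock being removed is `mutex_lock_nested(&group->mark_mutex, SINGLE_DEPTH_NESTING);`, i.e. the original code annotated this reacquisition with a lockdep subclass, which indicates the author expected mark_mutex to be taken in a nested context here. With the pair gone, the only acquisition left is the caller's, so the changelog should state which subclass the two callers it names (fsnotify_destroy_mark and fsnotify_clear_marks_by_group_flags) use and that a lockdep-enabled run of the inotify-close/unlink scenario that produced the crash stays clean; without that, a reviewer cannot tell whether the nesting annotation was protecting against a real inversion. Dropping the blank line so that `atomic_dec(&group->num_marks);` becomes the last statement before the closing brace is fine.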