kernel_optimize_test/fs
Eric Paris 528da3e9e2 inotify: inotify_destroy_mark_entry could get called twice
inotify_destroy_mark_entry could get called twice for the same mark since it
is called directly in inotify_rm_watch and when the mark is being destroyed for
another reason.  As an example assume that the file being watched was just
deleted so inotify_destroy_mark_entry would get called from the path
fsnotify_inoderemove() -> fsnotify_destroy_marks_by_inode() ->
fsnotify_destroy_mark_entry() -> inotify_destroy_mark_entry().  If this
happened at the same time as userspace tried to remove a watch via
inotify_rm_watch we could attempt to remove the mark from the idr twice and
could thus double dec the ref cnt and potentially could be in a use after
free/double free situation.  The fix is to have inotify_rm_watch use the
generic recursive safe fsnotify_destroy_mark_by_entry() so we are sure the
inotify_destroy_mark_entry() function can only be called once.

This patch also renames the function to inotify_ingored_remove_idr() so it is
clear what is actually going on in the function.

Hopefully this fixes:
[   20.342058] idr_remove called for id=20 which is not allocated.
[   20.348000] Pid: 1860, comm: udevd Not tainted 2.6.30-tip #1077
[   20.353933] Call Trace:
[   20.356410]  [<ffffffff811a82b7>] idr_remove+0x115/0x18f
[   20.361737]  [<ffffffff8134259d>] ? _spin_lock+0x6d/0x75
[   20.367061]  [<ffffffff8111640a>] ? inotify_destroy_mark_entry+0xa3/0xcf
[   20.373771]  [<ffffffff8111641e>] inotify_destroy_mark_entry+0xb7/0xcf
[   20.380306]  [<ffffffff81115913>] inotify_freeing_mark+0xe/0x10
[   20.386238]  [<ffffffff8111410d>] fsnotify_destroy_mark_by_entry+0x143/0x170
[   20.393293]  [<ffffffff811163a3>] inotify_destroy_mark_entry+0x3c/0xcf
[   20.399829]  [<ffffffff811164d1>] sys_inotify_rm_watch+0x9b/0xc6
[   20.405850]  [<ffffffff8100bcdb>] system_call_fastpath+0x16/0x1b

Reported-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Eric Paris <eparis@redhat.com>
Tested-by: Peter Zijlstra <peterz@infradead.org>
2009-06-19 12:42:48 -04:00
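The commit message describes two teardown paths (sys_inotify_rm_watch and fsnotify_inoderemove) both reaching the idr removal and reference drop for the same mark. The toy model below is an added example, not kernel code and not part of this commit: it reproduces the double idr_remove and the refcount underflow with a naive destroy routine, then shows the general fix of making the idr removal happen at most once. The names toy_idr, toy_mark, MARK_IN_IDR, buggy_destroy and fixed_destroy are assumptions made for the illustration; the real fix routes inotify_rm_watch through fsnotify_destroy_mark_by_entry rather than using a flag like this one.

```c
#include <stdio.h>
#include <string.h>

/* Constructed toy model of the race in the commit message above.
 * Illustrative only: these types, flags and functions are assumptions
 * made for the example, not the kernel's. */

#define IDR_SLOTS   8
#define MARK_IN_IDR 0x1u   /* assumed flag: mark still owns an idr slot */

struct toy_idr {
    void *slot[IDR_SLOTS];
    int stray_removes;     /* removals of an id that was not allocated */
};

struct toy_mark {
    int wd;                /* watch descriptor == index into the idr */
    int refcnt;
    unsigned flags;
};

typedef void (*destroy_fn)(struct toy_idr *, struct toy_mark *);

/* Allocate a slot; the idr takes its own reference on the mark. */
static int idr_alloc_slot(struct toy_idr *idr, struct toy_mark *m)
{
    for (int i = 0; i < IDR_SLOTS; i++) {
        if (!idr->slot[i]) {
            idr->slot[i] = m;
            m->wd = i;
            m->refcnt++;
            m->flags |= MARK_IN_IDR;
            return i;
        }
    }
    return -1;
}

/* Free a slot. Removing an id twice is counted, mirroring the kernel's
 * "idr_remove called for id=N which is not allocated" warning. */
static void idr_remove_slot(struct toy_idr *idr, int wd)
{
    if (wd < 0 || wd >= IDR_SLOTS || !idr->slot[wd]) {
        idr->stray_removes++;
        return;
    }
    idr->slot[wd] = NULL;
}

/* Buggy: every caller removes the idr entry and drops the idr's
 * reference, so two callers remove twice and put twice. */
static void buggy_destroy(struct toy_idr *idr, struct toy_mark *m)
{
    idr_remove_slot(idr, m->wd);
    m->refcnt--;
}

/* Fixed: the removal is gated so it happens at most once. The flag is
 * cleared before the removal; in the kernel this would sit under the
 * mark's lock so a racing second caller observes the cleared state. */
static void fixed_destroy(struct toy_idr *idr, struct toy_mark *m)
{
    if (!(m->flags & MARK_IN_IDR))
        return;
    m->flags &= ~MARK_IN_IDR;
    idr_remove_slot(idr, m->wd);
    m->refcnt--;
}

/* Scenario: rm_watch and inode removal both tear the mark down, then
 * the creator drops its own reference. */
static void run_scenario(destroy_fn destroy, struct toy_idr *idr,
                         struct toy_mark *m)
{
    memset(idr, 0, sizeof(*idr));
    memset(m, 0, sizeof(*m));
    m->refcnt = 1;              /* creator's reference */
    idr_alloc_slot(idr, m);     /* refcnt is now 2 */
    destroy(idr, m);            /* path 1: sys_inotify_rm_watch */
    destroy(idr, m);            /* path 2: fsnotify_inoderemove */
    m->refcnt--;                /* creator's final put */
}

/* Final reference count: 0 is correct, negative means a double put. */
int final_refcnt(destroy_fn destroy)
{
    struct toy_idr idr; struct toy_mark m;
    run_scenario(destroy, &idr, &m);
    return m.refcnt;
}

/* Number of idr removals on an id that was already freed. */
int stray_removes(destroy_fn destroy)
{
    struct toy_idr idr; struct toy_mark m;
    run_scenario(destroy, &idr, &m);
    return idr.stray_removes;
}

int main(void)
{
    printf("buggy: refcnt %d, stray idr removes %d\n",
           final_refcnt(buggy_destroy), stray_removes(buggy_destroy));
    printf("fixed: refcnt %d, stray idr removes %d\n",
           final_refcnt(fixed_destroy), stray_removes(fixed_destroy));
    return 0;
}
```

With the buggy routine the count ends at -1 and one stray idr removal is recorded, which is the same pair of symptoms the trace above shows (a second idr_remove on an id already freed, then a reference dropped that was never held). The fixed routine leaves the count at exactly 0 with no stray removal. The point to take from the model is that any object reachable from two independent teardown paths needs a single, serialized place that owns the "unlink and put" step.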
9p 9P doesn't need BKL in ->umount_begin() 2009-06-17 00:36:36 -04:00
adfs Cleanup of adfs headers 2009-06-17 00:36:36 -04:00
affs
afs
autofs
autofs4
befs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2009-06-17 08:46:57 -07:00
bfs
btrfs
cachefiles
cifs
coda
configfs
cramfs
debugfs
devpts
dlm
ecryptfs
efs get rid of BKL in fs/efs 2009-06-17 00:36:36 -04:00
exofs
exportfs
ext2 ext2: Do not update mtime of a moved directory 2009-06-18 13:03:44 -07:00
ext3 ext3: make sure inode is deleted from orphan list after truncate 2009-06-18 13:03:45 -07:00
ext4 ext4: avoid unnecessary spinlock in critical POSIX ACL path 2009-06-17 00:36:35 -04:00
fat
freevxfs
fscache
fuse fuse doesn't need BKL in ->umount_begin() 2009-06-17 00:36:36 -04:00
gfs2
hfs
hfsplus
hostfs
hpfs
hppfs
hugetlbfs
isofs isofs: cleanup mount option processing 2009-06-18 13:03:45 -07:00
jbd jbd: clean up journal_try_to_free_buffers() 2009-06-18 13:03:45 -07:00
jbd2 jbd2: clean up jbd2_journal_try_to_free_buffers() 2009-06-17 20:08:51 -04:00
jffs2
jfs
lockd
minix get rid of BKL in fs/minix 2009-06-17 00:36:37 -04:00
ncpfs
nfs
nfs_common
nfsd
nilfs2
nls
notify inotify: inotify_destroy_mark_entry could get called twice 2009-06-19 12:42:48 -04:00
ntfs
ocfs2
omfs
openpromfs
partitions
proc proc: vmcore - use kzalloc in get_new_element() 2009-06-18 13:03:41 -07:00
qnx4
quota
ramfs
reiserfs reiserfs: fix warnings with gcc 4.4 2009-06-18 13:03:46 -07:00
romfs
smbfs
squashfs
sysfs
sysv get rid of BKL in fs/sysv 2009-06-17 00:36:37 -04:00
ubifs Merge branch 'linux-next' of git://git.infradead.org/ubifs-2.6 2009-06-17 09:46:33 -07:00
udf
ufs ufs: sector_t cannot be negative 2009-06-18 13:03:46 -07:00
xfs
aio.c
anon_inodes.c
attr.c
bad_inode.c
binfmt_aout.c
binfmt_elf_fdpic.c elf_core_dump: use rcu_read_lock() to access ->real_parent 2009-06-18 13:03:52 -07:00
binfmt_elf.c elf_core_dump: use rcu_read_lock() to access ->real_parent 2009-06-18 13:03:52 -07:00
binfmt_em86.c
binfmt_flat.c
binfmt_misc.c
binfmt_script.c
binfmt_som.c
bio-integrity.c
bio.c
block_dev.c
buffer.c
char_dev.c
compat_binfmt_elf.c
compat_ioctl.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-misc-2.6 2009-06-17 09:50:44 -07:00
compat.c
dcache.c
dcookies.c
direct-io.c
drop_caches.c
eventfd.c
eventpoll.c epoll: fix nested calls support 2009-06-18 13:03:41 -07:00
exec.c
fcntl.c
fifo.c
file_table.c
file.c
filesystems.c
fs_struct.c
fs-writeback.c
generic_acl.c
inode.c
internal.h
ioctl.c No instance of ->bmap() needs BKL 2009-06-17 00:36:35 -04:00
ioprio.c
Kconfig Hugetlbfs: Enable hugetlbfs for more systems in Kconfig. 2009-06-17 11:06:31 +01:00
Kconfig.binfmt
libfs.c
locks.c
Makefile
mbcache.c
mpage.c
namei.c
namespace.c
nfsctl.c
no-block.c
open.c
pipe.c
pnode.c
pnode.h
posix_acl.c
read_write.c
read_write.h
readdir.c
select.c
seq_file.c seq_file: add function to write binary data 2009-06-18 13:03:57 -07:00
signalfd.c
splice.c
stack.c
stat.c
super.c remove unlock_kernel() left accidentally 2009-06-17 00:36:35 -04:00
sync.c
timerfd.c
utimes.c
xattr_acl.c
xattr.c