fanotify: fix races when adding/removing marks

For both adding an event to an existing mark and destroying a mark we
first have to find it via fsnotify_find_[inode|vfsmount]_mark().  But
getting the mark and adding an event (or destroying it) is not done
atomically.  This opens a race where a thread is about to destroy a mark
while another thread still finds the same mark and adds an event to its
mask although it will be destroyed.

Another race exists concerning the excess of a groups number of marks
limit: When a mark is added the number of group marks is checked against
the max number of marks per group and increased afterwards.  Since check
and increment is also not done atomically, this may result in 2 or more
processes passing the check at the same time and increasing the number
of group marks above the allowed limit.

With this patch both races are avoided by doing the concerning
operations with the groups mark mutex locked.

Signed-off-by: Lino Sanfilippo <LinoSanfilippo@gmx.de>
Cc: Eric Paris <eparis@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
index e16076d386c43ccdb55c76637074cc6f11eaa92d..4e1d8ec77b04017aa4ecfcb2ca45bdc9943221a6 100644 (file)
--- a/fs/notify/fanotify/fanotify_user.c
+++ b/fs/notify/fanotify/fanotify_user.c
@@ -524,14 +524,18 @@ static int fanotify_remove_vfsmount_mark(struct fsnotify_group *group,
        __u32 removed;
        int destroy_mark;
 
+       mutex_lock(&group->mark_mutex);
        fsn_mark = fsnotify_find_vfsmount_mark(group, mnt);
-       if (!fsn_mark)
+       if (!fsn_mark) {
+               mutex_unlock(&group->mark_mutex);
                return -ENOENT;
+       }
 
        removed = fanotify_mark_remove_from_mask(fsn_mark, mask, flags,
                                                 &destroy_mark);
        if (destroy_mark)
-               fsnotify_destroy_mark(fsn_mark, group);
+               fsnotify_destroy_mark_locked(fsn_mark, group);
+       mutex_unlock(&group->mark_mutex);
 
        fsnotify_put_mark(fsn_mark);
        if (removed & real_mount(mnt)->mnt_fsnotify_mask)
@@ -548,14 +552,19 @@ static int fanotify_remove_inode_mark(struct fsnotify_group *group,
        __u32 removed;
        int destroy_mark;
 
+       mutex_lock(&group->mark_mutex);
        fsn_mark = fsnotify_find_inode_mark(group, inode);
-       if (!fsn_mark)
+       if (!fsn_mark) {
+               mutex_unlock(&group->mark_mutex);
                return -ENOENT;
+       }
 
        removed = fanotify_mark_remove_from_mask(fsn_mark, mask, flags,
                                                 &destroy_mark);
        if (destroy_mark)
-               fsnotify_destroy_mark(fsn_mark, group);
+               fsnotify_destroy_mark_locked(fsn_mark, group);
+       mutex_unlock(&group->mark_mutex);
+
        /* matches the fsnotify_find_inode_mark() */
        fsnotify_put_mark(fsn_mark);
        if (removed & inode->i_fsnotify_mask)
@@ -599,21 +608,29 @@ static int fanotify_add_vfsmount_mark(struct fsnotify_group *group,
        __u32 added;
        int ret = 0;
 
+       mutex_lock(&group->mark_mutex);
        fsn_mark = fsnotify_find_vfsmount_mark(group, mnt);
        if (!fsn_mark) {
-               if (atomic_read(&group->num_marks) > group->fanotify_data.max_marks)
+               if (atomic_read(&group->num_marks) > group->fanotify_data.max_marks) {
+                       mutex_unlock(&group->mark_mutex);
                        return -ENOSPC;
+               }
 
                fsn_mark = kmem_cache_alloc(fanotify_mark_cache, GFP_KERNEL);
-               if (!fsn_mark)
+               if (!fsn_mark) {
+                       mutex_unlock(&group->mark_mutex);
                        return -ENOMEM;
+               }
 
                fsnotify_init_mark(fsn_mark, fanotify_free_mark);
-               ret = fsnotify_add_mark(fsn_mark, group, NULL, mnt, 0);
-               if (ret)
+               ret = fsnotify_add_mark_locked(fsn_mark, group, NULL, mnt, 0);
+               if (ret) {
+                       mutex_unlock(&group->mark_mutex);
                        goto err;
+               }
        }
        added = fanotify_mark_add_to_mask(fsn_mark, mask, flags);
+       mutex_unlock(&group->mark_mutex);
 
        if (added & ~real_mount(mnt)->mnt_fsnotify_mask)
                fsnotify_recalc_vfsmount_mask(mnt);
@@ -642,21 +659,29 @@ static int fanotify_add_inode_mark(struct fsnotify_group *group,
            (atomic_read(&inode->i_writecount) > 0))
                return 0;
 
+       mutex_lock(&group->mark_mutex);
        fsn_mark = fsnotify_find_inode_mark(group, inode);
        if (!fsn_mark) {
-               if (atomic_read(&group->num_marks) > group->fanotify_data.max_marks)
+               if (atomic_read(&group->num_marks) > group->fanotify_data.max_marks) {
+                       mutex_unlock(&group->mark_mutex);
                        return -ENOSPC;
+               }
 
                fsn_mark = kmem_cache_alloc(fanotify_mark_cache, GFP_KERNEL);
-               if (!fsn_mark)
+               if (!fsn_mark) {
+                       mutex_unlock(&group->mark_mutex);
                        return -ENOMEM;
+               }
 
                fsnotify_init_mark(fsn_mark, fanotify_free_mark);
-               ret = fsnotify_add_mark(fsn_mark, group, inode, NULL, 0);
-               if (ret)
+               ret = fsnotify_add_mark_locked(fsn_mark, group, inode, NULL, 0);
+               if (ret) {
+                       mutex_unlock(&group->mark_mutex);
                        goto err;
+               }
        }
        added = fanotify_mark_add_to_mask(fsn_mark, mask, flags);
+       mutex_unlock(&group->mark_mutex);
 
        if (added & ~inode->i_fsnotify_mask)
                fsnotify_recalc_inode_mask(inode);