lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20090323092830.GN28946@ZenIV.linux.org.uk>
Date:	Mon, 23 Mar 2009 09:28:30 +0000
From:	Al Viro <viro@...IV.linux.org.uk>
To:	Eric Paris <eparis@...hat.com>
Cc:	linux-kernel@...r.kernel.org, hch@...radead.org,
	alan@...rguk.ukuu.org.uk, sfr@...b.auug.org.au,
	john@...nmccutchan.com, rlove@...ve.org, akpm@...ux-foundation.org
Subject: Re: [PATCH 04/13] fsnotify: add in inode fsnotify markings

On Thu, Mar 19, 2009 at 02:05:14PM -0400, Eric Paris wrote:
> This patch creates in inode fsnotify markings.  dnotify will make use of in
> inode markings to mark which inodes it wishes to send events for.  fanotify
> will use this to mark which inodes it does not wish to send events for.

Hrm...  What happens if fsnotify_clear_marks_by_inode() is called, gets
the only mark we had for a group, removes it from all lists, drops all
locks and races with the final fsnotify_put_group()?  Said put_group
sees nothing whatsoever on the per-group mark list (the only mark we
used to have there is already evicted) and the group is cheerfully
freed.  Then fsnotify_destroy_mark_by_entry() calls
	group->ops->freeing_mark(entry, group)
with group already freed...  Gets really interesting in case of inotify -
there ->freeing_mark() leads to blocking allocations and really touches
group in non-trivial ways.

Note that for inotify ->freeing_mark() will happily add notification to
group's queue and that's another race of the same nature - even if
group itself isn't yet freed, that final put_group() might bloody well
get past flushing the queue.

I really don't like the idea of having marks contributing to group refcount -
that would have solved this one, but we'd get potential leaks from hell ;-/
Maybe a separate counter controlling only actual freeing of group?
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ