| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 10 Jun 2011 20:20:55 +0900
From: OGAWA Hirofumi <hirofumi@...l.parknet.co.jp>
To: John McCutchan <john@...nmccutchan.com>,
Robert Love <rlove@...ve.org>, Eric Paris <eparis@...hat.com>
Cc: linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org
Subject: Race inotify_rm_watch vs umount
Hi,
I'm looking the race inotify_rm_watch() vs umount(). This race become the
cause of Oops. You can see the oops at
https://bugzilla.kernel.org/show_bug.cgi?id=22602
So, what race?
umount inotify_rm_watch
... fsnotify_destroy_mark()
fsnotify_destroy_inode_mark()
/* removed from i_fsnotify_marks */
generic_shutdown_super()
fsnotify_unmount_inodes()
put_super()
iput()
iput_final()
/* this is after put_super() */
Like above, inotify doesn't guarantee to call final iput() before
put_super(). With this violation, FS driver can oops.
Well, so, what are requested for inotify? We can't simply take
sb->s_umount in inotify_rm_watch()?
Any ideas?
Thanks.
--
OGAWA Hirofumi <hirofumi@...l.parknet.co.jp>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists