Commit 1404ff3c, author: Jan Kara, committer: Linus Torvalds

fsnotify: drop notification_mutex before destroying event

fsnotify_flush_notify() and fanotify_release() destroy notification
event while holding notification_mutex.

The destruction of fanotify event includes a path_put() call which may
end up calling into a filesystem to delete an inode if we happen to be
the last holders of dentry reference which happens to be the last holder
of inode reference.

That in turn may violate lock ordering for some filesystems since
notification_mutex is also acquired e.g. during write when generating
fanotify event.

Also this is the only thing that forces notification_mutex to be a
sleeping lock.  So drop notification_mutex before destroying a
notification event.

Link: http://lkml.kernel.org/r/1473797711-14111-4-git-send-email-jack@suse.cz
Signed-off-by: Jan Kara <jack@suse.cz>
Cc: Miklos Szeredi <mszeredi@redhat.com>
Cc: Lino Sanfilippo <LinoSanfilippo@gmx.de>
Cc: Eric Paris <eparis@redhat.com>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Parent 87840a2b
...@@ -390,9 +390,11 @@ static int fanotify_release(struct inode *ignored, struct file *file) ...@@ -390,9 +390,11 @@ static int fanotify_release(struct inode *ignored, struct file *file)
mutex_lock(&group->notification_mutex); mutex_lock(&group->notification_mutex);
while (!fsnotify_notify_queue_is_empty(group)) { while (!fsnotify_notify_queue_is_empty(group)) {
fsn_event = fsnotify_remove_first_event(group); fsn_event = fsnotify_remove_first_event(group);
if (!(fsn_event->mask & FAN_ALL_PERM_EVENTS)) if (!(fsn_event->mask & FAN_ALL_PERM_EVENTS)) {
mutex_unlock(&group->notification_mutex);
fsnotify_destroy_event(group, fsn_event); fsnotify_destroy_event(group, fsn_event);
else mutex_lock(&group->notification_mutex);
} else
FANOTIFY_PE(fsn_event)->response = FAN_ALLOW; FANOTIFY_PE(fsn_event)->response = FAN_ALLOW;
} }
mutex_unlock(&group->notification_mutex); mutex_unlock(&group->notification_mutex);
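Review bot: in fanotify_release() the new if branch is braced while the else branch is left unbraced (`} else` followed by a single statement); kernel coding style wants braces on both branches once one of them needs them, so brace the `FANOTIFY_PE(fsn_event)->response = FAN_ALLOW;` arm as well. A short comment above the added `mutex_unlock(&group->notification_mutex);` saying that destroying the event can call into the filesystem would also keep the unlock/relock pair from being removed later as redundant. The loop itself stays sound as written, because fsnotify_remove_first_event() is called before the lock is dropped and the queue-empty check is re-evaluated after the lock is retaken.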
......
...@@ -178,7 +178,9 @@ void fsnotify_flush_notify(struct fsnotify_group *group) ...@@ -178,7 +178,9 @@ void fsnotify_flush_notify(struct fsnotify_group *group)
mutex_lock(&group->notification_mutex); mutex_lock(&group->notification_mutex);
while (!fsnotify_notify_queue_is_empty(group)) { while (!fsnotify_notify_queue_is_empty(group)) {
event = fsnotify_remove_first_event(group); event = fsnotify_remove_first_event(group);
mutex_unlock(&group->notification_mutex);
fsnotify_destroy_event(group, event); fsnotify_destroy_event(group, event);
mutex_lock(&group->notification_mutex);
} }
mutex_unlock(&group->notification_mutex); mutex_unlock(&group->notification_mutex);
} }
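Review bot: the unlock/relock pair around fsnotify_destroy_event() in fsnotify_flush_notify() carries no comment, so nothing in the function says that notification_mutex must not be held across event destruction. Add a one-line comment at the added `mutex_unlock(&group->notification_mutex);` giving the reason, so the pair is not folded back into the locked region later. Because the mutex is now released on every iteration, other tasks can take it between iterations; the function comment should state what stops new events from being queued while the flush runs, since the loop only ends once the queue is seen empty under the lock.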
......