Re: [PATCH 04/13] fsnotify: add in inode fsnotify markings

[Al Viro]

On Thu, Mar 19, 2009 at 02:05:14PM -0400, Eric Paris wrote:
> This patch creates in inode fsnotify markings.  dnotify will make use of in
> inode markings to mark which inodes it wishes to send events for.  fanotify
> will use this to mark which inodes it does not wish to send events for.

Hrm...  What happens if fsnotify_clear_marks_by_inode() is called, gets
the only mark we had for a group, removes it from all lists, drops all
locks and races with the final fsnotify_put_group()?  Said put_group
sees nothing whatsoever on the per-group mark list (the only mark we
used to have there is already evicted) and the group is cheerfully
freed.  Then fsnotify_destroy_mark_by_entry() calls
	group->ops->freeing_mark(entry, group)
with group already freed...  Gets really interesting in case of inotify -
there ->freeing_mark() leads to blocking allocations and really touches
group in non-trivial ways.

Note that for inotify ->freeing_mark() will happily add notification to
group's queue and that's another race of the same nature - even if
group itself isn't yet freed, that final put_group() might bloody well
get past flushing the queue.

I really don't like the idea of having marks contributing to group refcount -
that would have solved this one, but we'd get potential leaks from hell ;-/
Maybe a separate counter controlling only actual freeing of group?
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/