fsnotify: drop notification_mutex before destroying event
author Jan Kara <jack@suse.cz>
Fri, 7 Oct 2016 23:56:49 +0000 (16:56 -0700)
committer Linus Torvalds <torvalds@linux-foundation.org>
Sat, 8 Oct 2016 01:46:26 +0000 (18:46 -0700)
fsnotify_flush_notify() and fanotify_release() destroy notification
event while holding notification_mutex.

The destruction of fanotify event includes a path_put() call which may
end up calling into a filesystem to delete an inode if we happen to be
the last holders of dentry reference which happens to be the last holder
of inode reference.

That in turn may violate lock ordering for some filesystems since
notification_mutex is also acquired e.g. during write when generating
fanotify event.

Also this is the only thing that forces notification_mutex to be a
sleeping lock.  So drop notification_mutex before destroying a
notification event.

Link: http://lkml.kernel.org/r/1473797711-14111-4-git-send-email-jack@suse.cz
Signed-off-by: Jan Kara <jack@suse.cz>
Cc: Miklos Szeredi <mszeredi@redhat.com>
Cc: Lino Sanfilippo <LinoSanfilippo@gmx.de>
Cc: Eric Paris <eparis@redhat.com>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
fs/notify/fanotify/fanotify_user.c
fs/notify/notification.c

index a64313868d3a15cefca72b5e228e798d98a43a1e..46d135c4988f3774fbd94ecb32d0056ccdd55cd5 100644 (file)
@@ -390,9 +390,11 @@ static int fanotify_release(struct inode *ignored, struct file *file)
        mutex_lock(&group->notification_mutex);
        while (!fsnotify_notify_queue_is_empty(group)) {
                fsn_event = fsnotify_remove_first_event(group);
-               if (!(fsn_event->mask & FAN_ALL_PERM_EVENTS))
+               if (!(fsn_event->mask & FAN_ALL_PERM_EVENTS)) {
+                       mutex_unlock(&group->notification_mutex);
                        fsnotify_destroy_event(group, fsn_event);
-               else
+                       mutex_lock(&group->notification_mutex);
+               } else
                        FANOTIFY_PE(fsn_event)->response = FAN_ALLOW;
        }
        mutex_unlock(&group->notification_mutex);
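Review bot: the new `} else` leaves the else branch unbraced while the if branch now carries braces; kernel coding style asks for braces on both branches once one of them needs them, so the FANOTIFY_PE(fsn_event)->response = FAN_ALLOW; line should sit inside `} else {` ... `}`. A one-line comment above the added mutex_unlock() would also help, saying that fsnotify_destroy_event() can end up in path_put() and the filesystem, because without it the unlock/relock pair reads as redundant. The while condition is re-evaluated after the relock, so the queue state is always checked with notification_mutex held.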
index e455e83ceeebc9ea5cb0b3166e10bd505cec43f1..7d563dea52a4f696d78e380d698ee2d903a48119 100644 (file)
@@ -178,7 +178,9 @@ void fsnotify_flush_notify(struct fsnotify_group *group)
        mutex_lock(&group->notification_mutex);
        while (!fsnotify_notify_queue_is_empty(group)) {
                event = fsnotify_remove_first_event(group);
+               mutex_unlock(&group->notification_mutex);
                fsnotify_destroy_event(group, event);
+               mutex_lock(&group->notification_mutex);
        }
        mutex_unlock(&group->notification_mutex);
 }
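Review bot: the unlock/relock around fsnotify_destroy_event() means the queue is no longer emptied in one critical section, and nothing in this hunk says what stops new events from being queued for the group while the mutex is dropped. The loop only terminates once fsnotify_notify_queue_is_empty() is observed under the lock, so a short comment above mutex_unlock() should state both why the lock is dropped (destruction may call path_put() and reach the filesystem) and what the caller guarantees about concurrent queueing. The same three-line sequence is added in fanotify_release(); if it is expected to appear again, a small helper would keep the two sites from drifting apart.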