notify: unused event private race (eef3a116) · Commits · e / devices / android_kernel_fairphone_FP4

fs/notify/inotify/inotify_fsnotify.c

+7 −6

Original line number	Original line	Diff line number	Diff line
	@@ -62,13 +62,14 @@ static int inotify_handle_event(struct fsnotify_group *group, struct fsnotify_ev
	event_priv->wd = wd;		event_priv->wd = wd;

	ret = fsnotify_add_notify_event(group, event, fsn_event_priv);		ret = fsnotify_add_notify_event(group, event, fsn_event_priv);
	/* EEXIST is not an error */		if (ret) {
	if (ret == -EEXIST)
	ret = 0;

	/* did event_priv get attached? */
	if (list_empty(&fsn_event_priv->event_list))
	inotify_free_event_priv(fsn_event_priv);		inotify_free_event_priv(fsn_event_priv);
			/* EEXIST says we tail matched, EOVERFLOW isn't something
			* to report up the stack. */
			if ((ret == -EEXIST) \|\|
			(ret == -EOVERFLOW))
			ret = 0;
			}

	/*		/*
	* If we hold the entry until after the event is on the queue		* If we hold the entry until after the event is on the queue

+3 −4

Original line number	Original line	Diff line number	Diff line
	@@ -386,6 +386,7 @@ void inotify_ignored_and_remove_idr(struct fsnotify_mark_entry *entry,
	struct fsnotify_event *ignored_event;		struct fsnotify_event *ignored_event;
	struct inotify_event_private_data *event_priv;		struct inotify_event_private_data *event_priv;
	struct fsnotify_event_private_data *fsn_event_priv;		struct fsnotify_event_private_data *fsn_event_priv;
			int ret;

	ignored_event = fsnotify_create_event(NULL, FS_IN_IGNORED, NULL,		ignored_event = fsnotify_create_event(NULL, FS_IN_IGNORED, NULL,
	FSNOTIFY_EVENT_NONE, NULL, 0,		FSNOTIFY_EVENT_NONE, NULL, 0,
	@@ -404,10 +405,8 @@ void inotify_ignored_and_remove_idr(struct fsnotify_mark_entry *entry,
	fsn_event_priv->group = group;		fsn_event_priv->group = group;
	event_priv->wd = ientry->wd;		event_priv->wd = ientry->wd;

	fsnotify_add_notify_event(group, ignored_event, fsn_event_priv);		ret = fsnotify_add_notify_event(group, ignored_event, fsn_event_priv);
			if (ret)
	/* did the private data get added? */
	if (list_empty(&fsn_event_priv->event_list))
	inotify_free_event_priv(fsn_event_priv);		inotify_free_event_priv(fsn_event_priv);

	skip_send_ignore:		skip_send_ignore:

+3 −4

Original line number	Original line	Diff line number	Diff line
	@@ -171,9 +171,7 @@ int fsnotify_add_notify_event(struct fsnotify_group *group, struct fsnotify_even
	struct list_head *list = &group->notification_list;		struct list_head *list = &group->notification_list;
	struct fsnotify_event_holder *last_holder;		struct fsnotify_event_holder *last_holder;
	struct fsnotify_event *last_event;		struct fsnotify_event *last_event;
			int ret = 0;
	/* easy to tell if priv was attached to the event */
	INIT_LIST_HEAD(&priv->event_list);

	/*		/*
	* There is one fsnotify_event_holder embedded inside each fsnotify_event.		* There is one fsnotify_event_holder embedded inside each fsnotify_event.
	@@ -194,6 +192,7 @@ int fsnotify_add_notify_event(struct fsnotify_group *group, struct fsnotify_even

	if (group->q_len >= group->max_events) {		if (group->q_len >= group->max_events) {
	event = &q_overflow_event;		event = &q_overflow_event;
			ret = -EOVERFLOW;
	/* sorry, no private data on the overflow event */		/* sorry, no private data on the overflow event */
	priv = NULL;		priv = NULL;
	}		}
	@@ -235,7 +234,7 @@ int fsnotify_add_notify_event(struct fsnotify_group *group, struct fsnotify_even
	mutex_unlock(&group->notification_mutex);		mutex_unlock(&group->notification_mutex);

	wake_up(&group->notification_waitq);		wake_up(&group->notification_waitq);
	return 0;		return ret;
	}		}

	/*		/*