linux-ls1: Fix kernel oops caused by fsnotify race condition

Backport from mainline. Only kernels <4.2 are affected by this. Signed-off-by: Adrian Dudau <adrian.dudau@enea.com> Signed-off-by: Martin Borg <martin.borg@enea.com>
author: Adrian Dudau <adrian.dudau@enea.com> 2016-05-26 10:12:29 +0200
committer: Martin Borg <martin.borg@enea.com> 2016-05-31 14:05:50 +0200
commit: 746363a33825f03166c37deeb185e3b72a4b46f8 (patch)
tree: 944ea86e65d4f128e07001c018ecc84d1f4baf32
parent: 90f55810228403b12bd663318e5dc16cc3089fc3 (diff)
download: meta-enea-bsp-arm-746363a33825f03166c37deeb185e3b72a4b46f8.tar.gz
2 files changed, 81 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-ls1/0001-fsnotify-fix-oops-in-fsnotify_clear_marks_by_group_f.patch b/recipes-kernel/linux/linux-ls1/0001-fsnotify-fix-oops-in-fsnotify_clear_marks_by_group_f.patch
new file mode 100644
index 0000000..250c8db
--- /dev/null
+++ b/recipes-kernel/linux/linux-ls1/0001-fsnotify-fix-oops-in-fsnotify_clear_marks_by_group_f.patch
@@ -0,0 +1,80 @@
+From 8f2f3eb59dff4ec538de55f2e0592fec85966aab Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.com>
+Date: Thu, 6 Aug 2015 15:46:42 -0700
+Subject: [PATCH] fsnotify: fix oops in fsnotify_clear_marks_by_group_flags()
+fsnotify_clear_marks_by_group_flags() can race with
+fsnotify_destroy_marks() so that when fsnotify_destroy_mark_locked()
+drops mark_mutex, a mark from the list iterated by
+fsnotify_clear_marks_by_group_flags() can be freed and thus the next
+entry pointer we have cached may become stale and we dereference free
+memory.
+Fix the problem by first moving marks to free to a special private list
+and then always free the first entry in the special list.  This method
+is safe even when entries from the list can disappear once we drop the
+lock.
+Upstream-Status: Backported
+Signed-off-by: Jan Kara <jack@suse.com>
+Reported-by: Ashish Sangwan <a.sangwan@samsung.com>
+Reviewed-by: Ashish Sangwan <a.sangwan@samsung.com>
+Cc: Lino Sanfilippo <LinoSanfilippo@gmx.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
+---
+ fs/notify/mark.c | 30 +++++++++++++++++++++++++-----
+ 1 file changed, 25 insertions(+), 5 deletions(-)
+diff --git a/fs/notify/mark.c b/fs/notify/mark.c
+index 92e48c7..39ddcaf 100644
+--- a/fs/notify/mark.c
+++ b/fs/notify/mark.c
+@@ -412,16 +412,36 @@ void fsnotify_clear_marks_by_group_flags(struct fsnotify_group *group,
+                                         unsigned int flags)
+ {
+        struct fsnotify_mark *lmark, *mark;
+       LIST_HEAD(to_free);
+ 
+       /*
+        * We have to be really careful here. Anytime we drop mark_mutex, e.g.
+        * fsnotify_clear_marks_by_inode() can come and free marks. Even in our
+        * to_free list so we have to use mark_mutex even when accessing that
+        * list. And freeing mark requires us to drop mark_mutex. So we can
+        * reliably free only the first mark in the list. That's why we first
+        * move marks to free to to_free list in one go and then free marks in
+        * to_free list one by one.
+        */
+        mutex_lock_nested(&group->mark_mutex, SINGLE_DEPTH_NESTING);
+        list_for_each_entry_safe(mark, lmark, &group->marks_list, g_list) {
+-               if (mark->flags & flags) {
+-                       fsnotify_get_mark(mark);
+-                       fsnotify_destroy_mark_locked(mark, group);
+-                       fsnotify_put_mark(mark);
+-               }
+               if (mark->flags & flags)
+                       list_move(&mark->g_list, &to_free);
+        }
+        mutex_unlock(&group->mark_mutex);
+
+       while (1) {
+               mutex_lock_nested(&group->mark_mutex, SINGLE_DEPTH_NESTING);
+               if (list_empty(&to_free)) {
+                       mutex_unlock(&group->mark_mutex);
+                       break;
+               }
+               mark = list_first_entry(&to_free, struct fsnotify_mark, g_list);
+               fsnotify_get_mark(mark);
+               fsnotify_destroy_mark_locked(mark, group);
+               mutex_unlock(&group->mark_mutex);
+               fsnotify_put_mark(mark);
+       }
+ }
+ 
+ /*
+-- 
+1.9.1
diff --git a/recipes-kernel/linux/linux-ls1_3.12.bbappend b/recipes-kernel/linux/linux-ls1_3.12.bbappend
index f34b2d1..338b3bf 100644
--- a/recipes-kernel/linux/linux-ls1_3.12.bbappend
+++ b/recipes-kernel/linux/linux-ls1_3.12.bbappend
@@ -1,6 +1,7 @@
 FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
 SRC_URI += "file://ls1021aiot.dts \
+            file://0001-fsnotify-fix-oops-in-fsnotify_clear_marks_by_group_f.patch \
           "
 # fix err: "linux-ls1-3.12-r0 do_deploy: Taskhash mismatch"
author	Adrian Dudau <adrian.dudau@enea.com>	2016-05-26 10:12:29 +0200
committer	Martin Borg <martin.borg@enea.com>	2016-05-31 14:05:50 +0200
commit	746363a33825f03166c37deeb185e3b72a4b46f8 (patch)
tree	944ea86e65d4f128e07001c018ecc84d1f4baf32
parent	90f55810228403b12bd663318e5dc16cc3089fc3 (diff)
download	meta-enea-bsp-arm-746363a33825f03166c37deeb185e3b72a4b46f8.tar.gz

diff --git a/recipes-kernel/linux/linux-ls1/0001-fsnotify-fix-oops-in-fsnotify_clear_marks_by_group_f.patch b/recipes-kernel/linux/linux-ls1/0001-fsnotify-fix-oops-in-fsnotify_clear_marks_by_group_f.patch new file mode 100644 index 0000000..250c8db --- /dev/null +++ b/recipes-kernel/linux/linux-ls1/0001-fsnotify-fix-oops-in-fsnotify_clear_marks_by_group_f.patch
@@ -0,0 +1,80 @@
		1	From 8f2f3eb59dff4ec538de55f2e0592fec85966aab Mon Sep 17 00:00:00 2001
		2	From: Jan Kara <jack@suse.com>
		3	Date: Thu, 6 Aug 2015 15:46:42 -0700
		4	Subject: [PATCH] fsnotify: fix oops in fsnotify_clear_marks_by_group_flags()
		5
		6	fsnotify_clear_marks_by_group_flags() can race with
		7	fsnotify_destroy_marks() so that when fsnotify_destroy_mark_locked()
		8	drops mark_mutex, a mark from the list iterated by
		9	fsnotify_clear_marks_by_group_flags() can be freed and thus the next
		10	entry pointer we have cached may become stale and we dereference free
		11	memory.
		12
		13	Fix the problem by first moving marks to free to a special private list
		14	and then always free the first entry in the special list. This method
		15	is safe even when entries from the list can disappear once we drop the
		16	lock.
		17
		18	Upstream-Status: Backported
		19
		20	Signed-off-by: Jan Kara <jack@suse.com>
		21	Reported-by: Ashish Sangwan <a.sangwan@samsung.com>
		22	Reviewed-by: Ashish Sangwan <a.sangwan@samsung.com>
		23	Cc: Lino Sanfilippo <LinoSanfilippo@gmx.de>
		24	Cc: <stable@vger.kernel.org>
		25	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
		26	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
		27	Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
		28	---
		29	fs/notify/mark.c \| 30 +++++++++++++++++++++++++-----
		30	1 file changed, 25 insertions(+), 5 deletions(-)
		31
		32	diff --git a/fs/notify/mark.c b/fs/notify/mark.c
		33	index 92e48c7..39ddcaf 100644
		34	--- a/fs/notify/mark.c
		35	+++ b/fs/notify/mark.c
		36	@@ -412,16 +412,36 @@ void fsnotify_clear_marks_by_group_flags(struct fsnotify_group *group,
		37	unsigned int flags)
		38	{
		39	struct fsnotify_mark lmark, mark;
		40	+ LIST_HEAD(to_free);
		41
		42	+ /*
		43	+ * We have to be really careful here. Anytime we drop mark_mutex, e.g.
		44	+ * fsnotify_clear_marks_by_inode() can come and free marks. Even in our
		45	+ * to_free list so we have to use mark_mutex even when accessing that
		46	+ * list. And freeing mark requires us to drop mark_mutex. So we can
		47	+ * reliably free only the first mark in the list. That's why we first
		48	+ * move marks to free to to_free list in one go and then free marks in
		49	+ * to_free list one by one.
		50	+ */
		51	mutex_lock_nested(&group->mark_mutex, SINGLE_DEPTH_NESTING);
		52	list_for_each_entry_safe(mark, lmark, &group->marks_list, g_list) {
		53	- if (mark->flags & flags) {
		54	- fsnotify_get_mark(mark);
		55	- fsnotify_destroy_mark_locked(mark, group);
		56	- fsnotify_put_mark(mark);
		57	- }
		58	+ if (mark->flags & flags)
		59	+ list_move(&mark->g_list, &to_free);
		60	}
		61	mutex_unlock(&group->mark_mutex);
		62	+
		63	+ while (1) {
		64	+ mutex_lock_nested(&group->mark_mutex, SINGLE_DEPTH_NESTING);
		65	+ if (list_empty(&to_free)) {
		66	+ mutex_unlock(&group->mark_mutex);
		67	+ break;
		68	+ }
		69	+ mark = list_first_entry(&to_free, struct fsnotify_mark, g_list);
		70	+ fsnotify_get_mark(mark);
		71	+ fsnotify_destroy_mark_locked(mark, group);
		72	+ mutex_unlock(&group->mark_mutex);
		73	+ fsnotify_put_mark(mark);
		74	+ }
		75	}
		76
		77	/*
		78	--
		79	1.9.1
		80


diff --git a/recipes-kernel/linux/linux-ls1_3.12.bbappend b/recipes-kernel/linux/linux-ls1_3.12.bbappend index f34b2d1..338b3bf 100644 --- a/recipes-kernel/linux/linux-ls1_3.12.bbappend +++ b/recipes-kernel/linux/linux-ls1_3.12.bbappend
@@ -1,6 +1,7 @@
1	FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"	1	FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
2		2
3	SRC_URI += "file://ls1021aiot.dts \	3	SRC_URI += "file://ls1021aiot.dts \
		4	file://0001-fsnotify-fix-oops-in-fsnotify_clear_marks_by_group_f.patch \
4	"	5	"
5		6
6	# fix err: "linux-ls1-3.12-r0 do_deploy: Taskhash mismatch"	7	# fix err: "linux-ls1-3.12-r0 do_deploy: Taskhash mismatch"