From: Danny Feng <dfeng@redhat.com> Date: Thu, 30 Jul 2009 07:08:57 -0400 Subject: [fs] inotify: fix race Message-id: 20090730110859.17617.91002.sendpatchset@danny O-Subject: [RHEL5.5 PATCH 1/2] inotify: fix race Bugzilla: 499019 RH-Acked-by: Eric Paris <eparis@redhat.com> RH-Acked-by: Josef Bacik <josef@redhat.com> >From cc4f0ccdcd5c3cbf9eab2166248ab0ff752187dd Mon Sep 17 00:00:00 2001 From: Xiaotian Feng <dfeng@redhat.com> Date: Thu, 30 Jul 2009 18:29:20 +0800 Subject: [PATCH 1/2] inotify: fix a race There is a race between setting an inode's children's "parent watched" flag when placing the first watch on a parent, and instantiating new children of that parent: a child could miss having its flags set by set_dentry_child_flags, but then inotify_d_instantiate might still see !inotify_inode_watched. The solution is to set_dentry_child_flags after adding the watch. Locking is taken care of, because both set_dentry_child_flags and inotify_d_instantiate hold dcache_lock and child->d_locks. diff --git a/fs/inotify.c b/fs/inotify.c index 5bc3702..6010796 100644 --- a/fs/inotify.c +++ b/fs/inotify.c @@ -759,7 +759,7 @@ s32 inotify_add_watch(struct inotify_handle *ih, struct inotify_watch *watch, struct inode *inode, u32 mask) { int ret = 0; - + int newly_watched; /* don't allow invalid bits: we don't want flags set */ mask &= IN_ALL_EVENTS | IN_ONESHOT; if (unlikely(!mask)) 
@@ -785,12 +785,18 @@ s32 inotify_add_watch(struct inotify_handle *ih, struct inotify_watch *watch, */ watch->inode = igrab(inode); - if (!inotify_inode_watched(inode)) - set_dentry_child_flags(inode, 1); - /* Add the watch to the handle's and the inode's list */ + newly_watched = !inotify_inode_watched(inode); list_add(&watch->h_list, &ih->watches); list_add(&watch->i_list, &inode->inotify_watches); + /* + * Set child flags _after_ adding the watch, so there is no race + * windows where newly instantiated children could miss their parent's + * watched flag. + */ + if (newly_watched) + set_dentry_child_flags(inode, 1); + out: mutex_unlock(&ih->mutex); mutex_unlock(&inode->inotify_mutex);
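Review bot: in the first hunk the new `int newly_watched;` declaration takes the place of the blank line that separated the declarations from the first statement, so `/* don't allow invalid bits: we don't want flags set */` now follows the declarations directly; keep a blank line after `int newly_watched;` to preserve the usual kernel layout. Leaving the variable uninitialized is acceptable here, since it is only read after the `newly_watched = !inotify_inode_watched(inode);` assignment in the second hunk and nothing after the `out:` label reads it.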
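Review bot: the new block comment in the second hunk reads "so there is no race windows"; it should say "race window". The removed `/* Add the watch to the handle's and the inode's list */` comment still describes the two `list_add()` calls that remain, so keep it above them rather than dropping it, and the new comment would be more useful if it also stated why the reordering is sufficient, namely what the commit message says: both set_dentry_child_flags and inotify_d_instantiate run under dcache_lock and the child's d_lock, so a child instantiated after the watch is on the list cannot miss the flag.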