On Thu, Jun 28, 2018 at 7:40 PM, Jan Kara <jack@xxxxxxx> wrote: > Audit tree code is replacing marks attached to inodes in non-atomic way. > Thus fsnotify_find_mark() in tag_chunk() may find a mark that belongs to > a chunk that is no longer valid one and will soon be destroyed. Tags > added to such chunk will be simply lost. > > Fix the problem by making sure old mark is marked as going away (through > fsnotify_detach_mark()) before dropping mark_mutex and thus in an atomic > way wrt tag_chunk(). Note that this does not fix the problem completely > as if tag_chunk() finds a mark that is going away, it fails with > -ENOENT. But at least the failure is not silent and currently there's no > way to search for another fsnotify mark attached to the inode. We'll fix > this problem in later patch. > > Signed-off-by: Jan Kara <jack@xxxxxxx> > --- This one too looks sane. Without knowing anything about audit_watch, there seems to be an fsnotify_destroy_mark() after unlock of audit_filter_mutex, so it may require a similar fix. Thanks, Amir.
