On Fri 29-06-18 15:05:07, Amir Goldstein wrote: > On Thu, Jun 28, 2018 at 7:40 PM, Jan Kara <jack@xxxxxxx> wrote: > > Audit tree code is replacing marks attached to inodes in non-atomic way. > > Thus fsnotify_find_mark() in tag_chunk() may find a mark that belongs to > > a chunk that is no longer valid one and will soon be destroyed. Tags > > added to such chunk will be simply lost. > > > > Fix the problem by making sure old mark is marked as going away (through > > fsnotify_detach_mark()) before dropping mark_mutex and thus in an atomic > > way wrt tag_chunk(). Note that this does not fix the problem completely > > as if tag_chunk() finds a mark that is going away, it fails with > > -ENOENT. But at least the failure is not silent and currently there's no > > way to search for another fsnotify mark attached to the inode. We'll fix > > this problem in later patch. > > > > Signed-off-by: Jan Kara <jack@xxxxxxx> > > --- > > This one too looks sane. > Without knowing anything about audit_watch, there seems to be > an fsnotify_destroy_mark() after unlock of audit_filter_mutex, so it > may require a similar fix. Where? I don't see any call to fsnotify_destroy_mark() left after this patch... Honza -- Jan Kara <jack@xxxxxxxx> SUSE Labs, CR
