projects / deliverable / linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
A potential bug in inotify_user.c
[deliverable/linux.git] / fs / inotify_user.c
1 /*
2 * fs/inotify_user.c - inotify support for userspace
3 *
4 * Authors:
5 * John McCutchan <ttb@tentacle.dhs.org>
6 * Robert Love <rml@novell.com>
7 *
8 * Copyright (C) 2005 John McCutchan
9 * Copyright 2006 Hewlett-Packard Development Company, L.P.
10 *
11 * This program is free software; you can redistribute it and/or modify it
12 * under the terms of the GNU General Public License as published by the
13 * Free Software Foundation; either version 2, or (at your option) any
14 * later version.
15 *
16 * This program is distributed in the hope that it will be useful, but
17 * WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
19 * General Public License for more details.
20 */
21
22 #include <linux/kernel.h>
23 #include <linux/sched.h>
24 #include <linux/slab.h>
25 #include <linux/fs.h>
26 #include <linux/file.h>
27 #include <linux/mount.h>
28 #include <linux/namei.h>
29 #include <linux/poll.h>
30 #include <linux/init.h>
31 #include <linux/list.h>
32 #include <linux/inotify.h>
33 #include <linux/syscalls.h>
34 #include <linux/magic.h>
35
36 #include <asm/ioctls.h>
37
38 static struct kmem_cache *watch_cachep __read_mostly;
39 static struct kmem_cache *event_cachep __read_mostly;
40
41 static struct vfsmount *inotify_mnt __read_mostly;
42
43 /* these are configurable via /proc/sys/fs/inotify/ */
44 int inotify_max_user_instances __read_mostly;
45 int inotify_max_user_watches __read_mostly;
46 int inotify_max_queued_events __read_mostly;
47
48 /*
49 * Lock ordering:
50 *
51 * inotify_dev->up_mutex (ensures we don't re-add the same watch)
52 * inode->inotify_mutex (protects inode's watch list)
53 * inotify_handle->mutex (protects inotify_handle's watch list)
54 * inotify_dev->ev_mutex (protects device's event queue)
55 */
56
57 /*
58 * Lifetimes of the main data structures:
59 *
60 * inotify_device: Lifetime is managed by reference count, from
61 * sys_inotify_init() until release. Additional references can bump the count
62 * via get_inotify_dev() and drop the count via put_inotify_dev().
63 *
64 * inotify_user_watch: Lifetime is from create_watch() to the receipt of an
65 * IN_IGNORED event from inotify, or when using IN_ONESHOT, to receipt of the
66 * first event, or to inotify_destroy().
67 */
68
69 /*
70 * struct inotify_device - represents an inotify instance
71 *
72 * This structure is protected by the mutex 'mutex'.
73 */
74 struct inotify_device {
75 wait_queue_head_t wq; /* wait queue for i/o */
76 struct mutex ev_mutex; /* protects event queue */
77 struct mutex up_mutex; /* synchronizes watch updates */
78 struct list_head events; /* list of queued events */
79 atomic_t count; /* reference count */
80 struct user_struct *user; /* user who opened this dev */
81 struct inotify_handle *ih; /* inotify handle */
82 unsigned int queue_size; /* size of the queue (bytes) */
83 unsigned int event_count; /* number of pending events */
84 unsigned int max_events; /* maximum number of events */
85 };
86
87 /*
88 * struct inotify_kernel_event - An inotify event, originating from a watch and
89 * queued for user-space. A list of these is attached to each instance of the
90 * device. In read(), this list is walked and all events that can fit in the
91 * buffer are returned.
92 *
93 * Protected by dev->ev_mutex of the device in which we are queued.
94 */
95 struct inotify_kernel_event {
96 struct inotify_event event; /* the user-space event */
97 struct list_head list; /* entry in inotify_device's list */
98 char *name; /* filename, if any */
99 };
100
101 /*
102 * struct inotify_user_watch - our version of an inotify_watch, we add
103 * a reference to the associated inotify_device.
104 */
105 struct inotify_user_watch {
106 struct inotify_device *dev; /* associated device */
107 struct inotify_watch wdata; /* inotify watch data */
108 };
109
110 #ifdef CONFIG_SYSCTL
111
112 #include <linux/sysctl.h>
113
114 static int zero;
115
116 ctl_table inotify_table[] = {
117 {
118 .ctl_name = INOTIFY_MAX_USER_INSTANCES,
119 .procname = "max_user_instances",
120 .data = &inotify_max_user_instances,
121 .maxlen = sizeof(int),
122 .mode = 0644,
123 .proc_handler = &proc_dointvec_minmax,
124 .strategy = &sysctl_intvec,
125 .extra1 = &zero,
126 },
127 {
128 .ctl_name = INOTIFY_MAX_USER_WATCHES,
129 .procname = "max_user_watches",
130 .data = &inotify_max_user_watches,
131 .maxlen = sizeof(int),
132 .mode = 0644,
133 .proc_handler = &proc_dointvec_minmax,
134 .strategy = &sysctl_intvec,
135 .extra1 = &zero,
136 },
137 {
138 .ctl_name = INOTIFY_MAX_QUEUED_EVENTS,
139 .procname = "max_queued_events",
140 .data = &inotify_max_queued_events,
141 .maxlen = sizeof(int),
142 .mode = 0644,
143 .proc_handler = &proc_dointvec_minmax,
144 .strategy = &sysctl_intvec,
145 .extra1 = &zero
146 },
147 { .ctl_name = 0 }
148 };
149 #endif /* CONFIG_SYSCTL */
150
151 static inline void get_inotify_dev(struct inotify_device *dev)
152 {
153 atomic_inc(&dev->count);
154 }
155
156 static inline void put_inotify_dev(struct inotify_device *dev)
157 {
158 if (atomic_dec_and_test(&dev->count)) {
159 atomic_dec(&dev->user->inotify_devs);
160 free_uid(dev->user);
161 kfree(dev);
162 }
163 }
164
165 /*
166 * free_inotify_user_watch - cleans up the watch and its references
167 */
168 static void free_inotify_user_watch(struct inotify_watch *w)
169 {
170 struct inotify_user_watch *watch;
171 struct inotify_device *dev;
172
173 watch = container_of(w, struct inotify_user_watch, wdata);
174 dev = watch->dev;
175
176 atomic_dec(&dev->user->inotify_watches);
177 put_inotify_dev(dev);
178 kmem_cache_free(watch_cachep, watch);
179 }
180
181 /*
182 * kernel_event - create a new kernel event with the given parameters
183 *
184 * This function can sleep.
185 */
186 static struct inotify_kernel_event * kernel_event(s32 wd, u32 mask, u32 cookie,
187 const char *name)
188 {
189 struct inotify_kernel_event *kevent;
190
191 kevent = kmem_cache_alloc(event_cachep, GFP_NOFS);
192 if (unlikely(!kevent))
193 return NULL;
194
195 /* we hand this out to user-space, so zero it just in case */
196 memset(&kevent->event, 0, sizeof(struct inotify_event));
197
198 kevent->event.wd = wd;
199 kevent->event.mask = mask;
200 kevent->event.cookie = cookie;
201
202 INIT_LIST_HEAD(&kevent->list);
203
204 if (name) {
205 size_t len, rem, event_size = sizeof(struct inotify_event);
206
207 /*
208 * We need to pad the filename so as to properly align an
209 * array of inotify_event structures. Because the structure is
210 * small and the common case is a small filename, we just round
211 * up to the next multiple of the structure's sizeof. This is
212 * simple and safe for all architectures.
213 */
214 len = strlen(name) + 1;
215 rem = event_size - len;
216 if (len > event_size) {
217 rem = event_size - (len % event_size);
218 if (len % event_size == 0)
219 rem = 0;
220 }
221
222 kevent->name = kmalloc(len + rem, GFP_KERNEL);
223 if (unlikely(!kevent->name)) {
224 kmem_cache_free(event_cachep, kevent);
225 return NULL;
226 }
227 memcpy(kevent->name, name, len);
228 if (rem)
229 memset(kevent->name + len, 0, rem);
230 kevent->event.len = len + rem;
231 } else {
232 kevent->event.len = 0;
233 kevent->name = NULL;
234 }
235
236 return kevent;
237 }
238
239 /*
240 * inotify_dev_get_event - return the next event in the given dev's queue
241 *
242 * Caller must hold dev->ev_mutex.
243 */
244 static inline struct inotify_kernel_event *
245 inotify_dev_get_event(struct inotify_device *dev)
246 {
247 return list_entry(dev->events.next, struct inotify_kernel_event, list);
248 }
249
250 /*
251 * inotify_dev_get_last_event - return the last event in the given dev's queue
252 *
253 * Caller must hold dev->ev_mutex.
254 */
255 static inline struct inotify_kernel_event *
256 inotify_dev_get_last_event(struct inotify_device *dev)
257 {
258 if (list_empty(&dev->events))
259 return NULL;
260 return list_entry(dev->events.prev, struct inotify_kernel_event, list);
261 }
262
263 /*
264 * inotify_dev_queue_event - event handler registered with core inotify, adds
265 * a new event to the given device
266 *
267 * Can sleep (calls kernel_event()).
268 */
269 static void inotify_dev_queue_event(struct inotify_watch *w, u32 wd, u32 mask,
270 u32 cookie, const char *name,
271 struct inode *ignored)
272 {
273 struct inotify_user_watch *watch;
274 struct inotify_device *dev;
275 struct inotify_kernel_event *kevent, *last;
276
277 watch = container_of(w, struct inotify_user_watch, wdata);
278 dev = watch->dev;
279
280 mutex_lock(&dev->ev_mutex);
281
282 /* we can safely put the watch as we don't reference it while
283 * generating the event
284 */
285 if (mask & IN_IGNORED || mask & IN_ONESHOT)
286 put_inotify_watch(w); /* final put */
287
288 /* coalescing: drop this event if it is a dupe of the previous */
289 last = inotify_dev_get_last_event(dev);
290 if (last && last->event.mask == mask && last->event.wd == wd &&
291 last->event.cookie == cookie) {
292 const char *lastname = last->name;
293
294 if (!name && !lastname)
295 goto out;
296 if (name && lastname && !strcmp(lastname, name))
297 goto out;
298 }
299
300 /* the queue overflowed and we already sent the Q_OVERFLOW event */
301 if (unlikely(dev->event_count > dev->max_events))
302 goto out;
303
304 /* if the queue overflows, we need to notify user space */
305 if (unlikely(dev->event_count == dev->max_events))
306 kevent = kernel_event(-1, IN_Q_OVERFLOW, cookie, NULL);
307 else
308 kevent = kernel_event(wd, mask, cookie, name);
309
310 if (unlikely(!kevent))
311 goto out;
312
313 /* queue the event and wake up anyone waiting */
314 dev->event_count++;
315 dev->queue_size += sizeof(struct inotify_event) + kevent->event.len;
316 list_add_tail(&kevent->list, &dev->events);
317 wake_up_interruptible(&dev->wq);
318
319 out:
320 mutex_unlock(&dev->ev_mutex);
321 }
322
323 /*
324 * remove_kevent - cleans up and ultimately frees the given kevent
325 *
326 * Caller must hold dev->ev_mutex.
327 */
328 static void remove_kevent(struct inotify_device *dev,
329 struct inotify_kernel_event *kevent)
330 {
331 list_del(&kevent->list);
332
333 dev->event_count--;
334 dev->queue_size -= sizeof(struct inotify_event) + kevent->event.len;
335
336 kfree(kevent->name);
337 kmem_cache_free(event_cachep, kevent);
338 }
339
340 /*
341 * inotify_dev_event_dequeue - destroy an event on the given device
342 *
343 * Caller must hold dev->ev_mutex.
344 */
345 static void inotify_dev_event_dequeue(struct inotify_device *dev)
346 {
347 if (!list_empty(&dev->events)) {
348 struct inotify_kernel_event *kevent;
349 kevent = inotify_dev_get_event(dev);
350 remove_kevent(dev, kevent);
351 }
352 }
353
354 /*
355 * find_inode - resolve a user-given path to a specific inode and return a nd
356 */
357 static int find_inode(const char __user *dirname, struct nameidata *nd,
358 unsigned flags)
359 {
360 int error;
361
362 error = __user_walk(dirname, flags, nd);
363 if (error)
364 return error;
365 /* you can only watch an inode if you have read permissions on it */
366 error = vfs_permission(nd, MAY_READ);
367 if (error)
368 path_release(nd);
369 return error;
370 }
371
372 /*
373 * create_watch - creates a watch on the given device.
374 *
375 * Callers must hold dev->up_mutex.
376 */
377 static int create_watch(struct inotify_device *dev, struct inode *inode,
378 u32 mask)
379 {
380 struct inotify_user_watch *watch;
381 int ret;
382
383 if (atomic_read(&dev->user->inotify_watches) >=
384 inotify_max_user_watches)
385 return -ENOSPC;
386
387 watch = kmem_cache_alloc(watch_cachep, GFP_KERNEL);
388 if (unlikely(!watch))
389 return -ENOMEM;
390
391 /* save a reference to device and bump the count to make it official */
392 get_inotify_dev(dev);
393 watch->dev = dev;
394
395 atomic_inc(&dev->user->inotify_watches);
396
397 inotify_init_watch(&watch->wdata);
398 ret = inotify_add_watch(dev->ih, &watch->wdata, inode, mask);
399 if (ret < 0)
400 free_inotify_user_watch(&watch->wdata);
401
402 return ret;
403 }
404
405 /* Device Interface */
406
407 static unsigned int inotify_poll(struct file *file, poll_table *wait)
408 {
409 struct inotify_device *dev = file->private_data;
410 int ret = 0;
411
412 poll_wait(file, &dev->wq, wait);
413 mutex_lock(&dev->ev_mutex);
414 if (!list_empty(&dev->events))
415 ret = POLLIN | POLLRDNORM;
416 mutex_unlock(&dev->ev_mutex);
417
418 return ret;
419 }
420
421 static ssize_t inotify_read(struct file *file, char __user *buf,
422 size_t count, loff_t *pos)
423 {
424 size_t event_size = sizeof (struct inotify_event);
425 struct inotify_device *dev;
426 char __user *start;
427 int ret;
428 DEFINE_WAIT(wait);
429
430 start = buf;
431 dev = file->private_data;
432
433 while (1) {
434 int events;
435
436 prepare_to_wait(&dev->wq, &wait, TASK_INTERRUPTIBLE);
437
438 mutex_lock(&dev->ev_mutex);
439 events = !list_empty(&dev->events);
440 mutex_unlock(&dev->ev_mutex);
441 if (events) {
442 ret = 0;
443 break;
444 }
445
446 if (file->f_flags & O_NONBLOCK) {
447 ret = -EAGAIN;
448 break;
449 }
450
451 if (signal_pending(current)) {
452 ret = -EINTR;
453 break;
454 }
455
456 schedule();
457 }
458
459 finish_wait(&dev->wq, &wait);
460 if (ret)
461 return ret;
462
463 mutex_lock(&dev->ev_mutex);
464 while (1) {
465 struct inotify_kernel_event *kevent;
466
467 ret = buf - start;
468 if (list_empty(&dev->events))
469 break;
470
471 kevent = inotify_dev_get_event(dev);
472 if (event_size + kevent->event.len > count) {
473 if (ret == 0 && count > 0) {
474 /*
475 * could not get a single event because we
476 * didn't have enough buffer space.
477 */
478 ret = -EINVAL;
479 }
480 break;
481 }
482
483 if (copy_to_user(buf, &kevent->event, event_size)) {
484 ret = -EFAULT;
485 break;
486 }
487 buf += event_size;
488 count -= event_size;
489
490 if (kevent->name) {
491 if (copy_to_user(buf, kevent->name, kevent->event.len)){
492 ret = -EFAULT;
493 break;
494 }
495 buf += kevent->event.len;
496 count -= kevent->event.len;
497 }
498
499 remove_kevent(dev, kevent);
500 }
501 mutex_unlock(&dev->ev_mutex);
502
503 return ret;
504 }
505
506 static int inotify_release(struct inode *ignored, struct file *file)
507 {
508 struct inotify_device *dev = file->private_data;
509
510 inotify_destroy(dev->ih);
511
512 /* destroy all of the events on this device */
513 mutex_lock(&dev->ev_mutex);
514 while (!list_empty(&dev->events))
515 inotify_dev_event_dequeue(dev);
516 mutex_unlock(&dev->ev_mutex);
517
518 /* free this device: the put matching the get in inotify_init() */
519 put_inotify_dev(dev);
520
521 return 0;
522 }
523
524 static long inotify_ioctl(struct file *file, unsigned int cmd,
525 unsigned long arg)
526 {
527 struct inotify_device *dev;
528 void __user *p;
529 int ret = -ENOTTY;
530
531 dev = file->private_data;
532 p = (void __user *) arg;
533
534 switch (cmd) {
535 case FIONREAD:
536 ret = put_user(dev->queue_size, (int __user *) p);
537 break;
538 }
539
540 return ret;
541 }
542
543 static const struct file_operations inotify_fops = {
544 .poll = inotify_poll,
545 .read = inotify_read,
546 .release = inotify_release,
547 .unlocked_ioctl = inotify_ioctl,
548 .compat_ioctl = inotify_ioctl,
549 };
550
551 static const struct inotify_operations inotify_user_ops = {
552 .handle_event = inotify_dev_queue_event,
553 .destroy_watch = free_inotify_user_watch,
554 };
555
556 asmlinkage long sys_inotify_init(void)
557 {
558 struct inotify_device *dev;
559 struct inotify_handle *ih;
560 struct user_struct *user;
561 struct file *filp;
562 int fd, ret;
563
564 fd = get_unused_fd();
565 if (fd < 0)
566 return fd;
567
568 filp = get_empty_filp();
569 if (!filp) {
570 ret = -ENFILE;
571 goto out_put_fd;
572 }
573
574 user = get_uid(current->user);
575 if (unlikely(atomic_read(&user->inotify_devs) >=
576 inotify_max_user_instances)) {
577 ret = -EMFILE;
578 goto out_free_uid;
579 }
580
581 dev = kmalloc(sizeof(struct inotify_device), GFP_KERNEL);
582 if (unlikely(!dev)) {
583 ret = -ENOMEM;
584 goto out_free_uid;
585 }
586
587 ih = inotify_init(&inotify_user_ops);
588 if (unlikely(IS_ERR(ih))) {
589 ret = PTR_ERR(ih);
590 goto out_free_dev;
591 }
592 dev->ih = ih;
593
594 filp->f_op = &inotify_fops;
595 filp->f_path.mnt = mntget(inotify_mnt);
596 filp->f_path.dentry = dget(inotify_mnt->mnt_root);
597 filp->f_mapping = filp->f_path.dentry->d_inode->i_mapping;
598 filp->f_mode = FMODE_READ;
599 filp->f_flags = O_RDONLY;
600 filp->private_data = dev;
601
602 INIT_LIST_HEAD(&dev->events);
603 init_waitqueue_head(&dev->wq);
604 mutex_init(&dev->ev_mutex);
605 mutex_init(&dev->up_mutex);
606 dev->event_count = 0;
607 dev->queue_size = 0;
608 dev->max_events = inotify_max_queued_events;
609 dev->user = user;
610 atomic_set(&dev->count, 0);
611
612 get_inotify_dev(dev);
613 atomic_inc(&user->inotify_devs);
614 fd_install(fd, filp);
615
616 return fd;
617 out_free_dev:
618 kfree(dev);
619 out_free_uid:
620 free_uid(user);
621 put_filp(filp);
622 out_put_fd:
623 put_unused_fd(fd);
624 return ret;
625 }
626
627 asmlinkage long sys_inotify_add_watch(int fd, const char __user *path, u32 mask)
628 {
629 struct inode *inode;
630 struct inotify_device *dev;
631 struct nameidata nd;
632 struct file *filp;
633 int ret, fput_needed;
634 unsigned flags = 0;
635
636 filp = fget_light(fd, &fput_needed);
637 if (unlikely(!filp))
638 return -EBADF;
639
640 /* verify that this is indeed an inotify instance */
641 if (unlikely(filp->f_op != &inotify_fops)) {
642 ret = -EINVAL;
643 goto fput_and_out;
644 }
645
646 if (!(mask & IN_DONT_FOLLOW))
647 flags |= LOOKUP_FOLLOW;
648 if (mask & IN_ONLYDIR)
649 flags |= LOOKUP_DIRECTORY;
650
651 ret = find_inode(path, &nd, flags);
652 if (unlikely(ret))
653 goto fput_and_out;
654
655 /* inode held in place by reference to nd; dev by fget on fd */
656 inode = nd.dentry->d_inode;
657 dev = filp->private_data;
658
659 mutex_lock(&dev->up_mutex);
660 ret = inotify_find_update_watch(dev->ih, inode, mask);
661 if (ret == -ENOENT)
662 ret = create_watch(dev, inode, mask);
663 mutex_unlock(&dev->up_mutex);
664
665 path_release(&nd);
666 fput_and_out:
667 fput_light(filp, fput_needed);
668 return ret;
669 }
670
671 asmlinkage long sys_inotify_rm_watch(int fd, u32 wd)
672 {
673 struct file *filp;
674 struct inotify_device *dev;
675 int ret, fput_needed;
676
677 filp = fget_light(fd, &fput_needed);
678 if (unlikely(!filp))
679 return -EBADF;
680
681 /* verify that this is indeed an inotify instance */
682 if (unlikely(filp->f_op != &inotify_fops)) {
683 ret = -EINVAL;
684 goto out;
685 }
686
687 dev = filp->private_data;
688
689 /* we free our watch data when we get IN_IGNORED */
690 ret = inotify_rm_wd(dev->ih, wd);
691
692 out:
693 fput_light(filp, fput_needed);
694 return ret;
695 }
696
697 static int
698 inotify_get_sb(struct file_system_type *fs_type, int flags,
699 const char *dev_name, void *data, struct vfsmount *mnt)
700 {
701 return get_sb_pseudo(fs_type, "inotify", NULL,
702 INOTIFYFS_SUPER_MAGIC, mnt);
703 }
704
705 static struct file_system_type inotify_fs_type = {
706 .name = "inotifyfs",
707 .get_sb = inotify_get_sb,
708 .kill_sb = kill_anon_super,
709 };
710
711 /*
712 * inotify_user_setup - Our initialization function. Note that we cannnot return
713 * error because we have compiled-in VFS hooks. So an (unlikely) failure here
714 * must result in panic().
715 */
716 static int __init inotify_user_setup(void)
717 {
718 int ret;
719
720 ret = register_filesystem(&inotify_fs_type);
721 if (unlikely(ret))
722 panic("inotify: register_filesystem returned %d!\n", ret);
723
724 inotify_mnt = kern_mount(&inotify_fs_type);
725 if (IS_ERR(inotify_mnt))
726 panic("inotify: kern_mount ret %ld!\n", PTR_ERR(inotify_mnt));
727
728 inotify_max_queued_events = 16384;
729 inotify_max_user_instances = 128;
730 inotify_max_user_watches = 8192;
731
732 watch_cachep = kmem_cache_create("inotify_watch_cache",
733 sizeof(struct inotify_user_watch),
734 0, SLAB_PANIC, NULL);
735 event_cachep = kmem_cache_create("inotify_event_cache",
736 sizeof(struct inotify_kernel_event),
737 0, SLAB_PANIC, NULL);
738
739 return 0;
740 }
741
742 module_init(inotify_user_setup);
Linux kernel - Deliverables
This page took 0.045845 seconds and 6 git commands to generate.