Re: kernel bugs 2.6.31-rc6
From: Linus Torvalds
Date: Sat Aug 15 2009 - 13:53:14 EST
On Sat, 15 Aug 2009, Linus Torvalds wrote:
>
> For example, fsnotify_remove_priv_from_event() will remove the private
> data event from the list, but what if there are _multiple_ entries with
> the same 'group' entry? If so, it will remove just the first one.
Hmm. Looking closer, that shouldn't much matter. Each time we added an
entry in private_data_list, we would have done a
'fsnotify_get_event(event)' due to adding it to the 'holder->event_list'.
That said, there does seem to be some dubious code there. For example,
in 'inotify_ignored_and_remove_idr()', we do this:
	fsnotify_add_notify_event(group, ignored_event, fsn_event_priv);
	/* did the private data get added? */
	if (list_empty(&fsn_event_priv->event_list))
		inotify_free_event_priv(fsn_event_priv);
and we do it without holding any locks at all. So as far as I can tell,
what could happen is that 'fsnotify_add_notify_event()' actually adds the
private event (fsn_event_priv), but then before we check that the
event_list is empty, another user (on another CPU, or preempted on the
same CPU - Christoph has both PREEMPT and SMP on) comes along, picks up
the private event and frees it (and re-uses it).
That looks like a pretty small window, but preemption could make it much
bigger. Who knows? Maybe there are other things like that.
And maybe I'm just full of sh*t, and the above can't even happen for some
reason I'm missing.
Linus
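As an added example that is not part of Linus's mail, here is a single-threaded C model of the check-after-publish pattern described above: one publisher that inspects the private data after handing it to the queue, beside one that takes an ownership result from the add instead. The list, queue and function names are hypothetical, and a counter stands in for kfree() so the double free shows up as a number rather than as undefined behaviour.

```c
/* Added example, not code from the mail: a single-threaded model of the
 * check-after-publish race described above. Names are hypothetical, not the
 * kernel's; kfree() is replaced by a counter so the double free is observable. */
#include <stdbool.h>
struct list_head { struct list_head *next, *prev; };
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static bool list_empty(const struct list_head *h) { return h->next == h; }
static void list_add_tail(struct list_head *n, struct list_head *h) {
    n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}
static void list_del_init(struct list_head *n) {
    n->prev->next = n->next; n->next->prev = n->prev; list_init(n);
}
struct event_priv { struct list_head event_list; int free_count; }; /* event_list first */
static struct list_head queue;  /* stands in for the event's private_data_list */
static bool queue_full;         /* models "event not queued, so priv not taken" */
static void sim_free(struct event_priv *p) { p->free_count++; }  /* stands in for kfree */
/* Consumer (another CPU, or a preempting reader): dequeue one priv and free it. */
static void consumer_run(void) {
    if (list_empty(&queue)) return;
    struct event_priv *p = (struct event_priv *)queue.next;  /* valid: event_list is first member */
    list_del_init(&p->event_list);
    sim_free(p);
}
/* Racy pattern: publish, then inspect priv afterwards with no lock held. */
static int publish_racy(struct event_priv *p, bool consumer_between) {
    if (!queue_full) list_add_tail(&p->event_list, &queue);
    if (consumer_between) consumer_run();  /* the window described in the mail */
    /* an empty list here cannot distinguish "never added" from "already consumed and freed" */
    if (list_empty(&p->event_list)) sim_free(p);  /* use after free in the racy interleaving */
    return p->free_count;
}
/* Safe pattern: the add reports whether it took ownership, so priv is never inspected afterwards. */
static bool add_event(struct event_priv *p) {  /* true iff the queue took ownership of priv */
    if (queue_full) return false; list_add_tail(&p->event_list, &queue); return true; }
static int publish_safe(struct event_priv *p, bool consumer_between) {
    bool taken = add_event(p);
    if (consumer_between) consumer_run();
    if (!taken) sim_free(p);
    return p->free_count;
}
/* Run one scenario; returns how often priv was freed (1 is correct, 2 is a double free). */
static int run(int (*pub)(struct event_priv *, bool), bool full, bool between) {
    struct event_priv p = { .free_count = 0 }; list_init(&p.event_list);
    list_init(&queue); queue_full = full;
    pub(&p, between);
    consumer_run();  /* drain anything still queued */
    return p.free_count;
}
```

Only the racy publisher with a consumer running in the window frees the private data twice; every other interleaving, and the safe publisher in all of them, frees it exactly once.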