[Dazuko-devel] Bug in mask_proc (repost)

[Lino Sanfilippo]

Hello,

This is a repost of a patch that I posted on 9th July 2009. This time 
the patch is
for the recent dazukofs version (3.1.1).

The problem is that there is a (dazukofs_proc) structure allocated  on 
the stack and
afterwards put in a global list. This will very likely leed to problems 
sooner or later,
since the stack memory may be overwritten the next time the proc 
structure is accessed
in the list.

This patch solves this problem by using a structure that is allocated on 
the heap.

Regards,
Lino Sanfilippo

Geschäftsführender Gesellschafter: Tjark Auerbach
Sitz der Gesellschaft: Tettnang
Handelsregister: Amtsgericht Ulm, HRB 630992
ALLGEMEINE GESCHÄFTSBEDINGUNGEN
Es gelten unsere Allgemeinen Geschäftsbedingungen
(AGB). Sie finden sie in der jeweils gültigen Fassung
im Internet unter http://www.avira.de/agb
***************************************************

diff -rup dazukofs-3.1.1/event.c dazukofs-3.1.1-PATCHED/event.c
--- dazukofs-3.1.1/event.c      2009-07-02 21:15:05.000000000 +0200
+++ dazukofs-3.1.1-PATCHED/event.c      2009-11-19 09:30:14.000000000 +0100
@@ -87,6 +87,7 @@ static struct dazukofs_proc proc_list;
 static struct kmem_cache *dazukofs_group_cachep;
 static struct kmem_cache *dazukofs_event_container_cachep;
 static struct kmem_cache *dazukofs_event_cachep;
+static struct kmem_cache *dazukofs_proc_cachep;
 
 static int last_event_id;
 
@@ -128,6 +129,13 @@ int dazukofs_init_events(void)
        if (!dazukofs_event_cachep)
                goto error_out;
 
+       dazukofs_proc_cachep = 
+               kmem_cache_create("dazukofs_proc_cache",
+                                 sizeof(struct dazukofs_proc), 0,
+                                 SLAB_HWCACHE_ALIGN, NULL);
+       if (!dazukofs_proc_cachep)
+               goto error_out;
+
        return 0;
 
 error_out:
@@ -137,6 +145,9 @@ error_out:
                kmem_cache_destroy(dazukofs_event_container_cachep);
        if (dazukofs_event_cachep)
                kmem_cache_destroy(dazukofs_event_cachep);
+       if (dazukofs_proc_cachep)
+               kmem_cache_destroy(dazukofs_proc_cachep);
+
        return -ENOMEM;
 }
 
@@ -253,6 +264,41 @@ static void __remove_group(struct dazuko
        wake_up_all(&grp->queue);
 }
 
+
+static void cleanup_groups(void)
+{
+       struct list_head *q;
+       struct list_head *pos;
+       struct dazukofs_group *grp;
+
+       list_for_each_safe(pos, q, &group_list.list) {
+               grp = list_entry(pos, struct dazukofs_group, list);
+               list_del(pos);
+
+               __remove_group(grp);
+
+               /* free group name */
+               kfree(grp->name);
+
+               /* free group */
+               kmem_cache_free(dazukofs_group_cachep, grp);
+       }
+}
+
+static void cleanup_ignored_procs(void)
+{      struct list_head *q;
+       struct list_head *pos;
+       struct dazukofs_proc *proc;
+
+       /* free the groups */
+       list_for_each_safe(pos, q, &proc_list.list) {
+               proc = list_entry(pos, struct dazukofs_proc, list);
+               list_del(pos);
+               /* free proc */
+               kmem_cache_free(dazukofs_proc_cachep, proc);
+       }
+}
+
 /**
  * dazukofs_destroy_events - cleanup/shutdown event handling infrastructure
  *
@@ -260,9 +306,6 @@ static void __remove_group(struct dazuko
  */
 void dazukofs_destroy_events(void)
 {
-       struct dazukofs_group *grp;
-       struct list_head *pos;
-       struct list_head *q;
 
        /*
         * We are not using any locks here because we assume
@@ -271,23 +314,16 @@ void dazukofs_destroy_events(void)
         */
 
        /* free the groups */
-       list_for_each_safe(pos, q, &group_list.list) {
-               grp = list_entry(pos, struct dazukofs_group, list);
-               list_del(pos);
-
-               __remove_group(grp);
-
-               /* free group name */
-               kfree(grp->name);
+       cleanup_groups();
 
-               /* free group */
-               kmem_cache_free(dazukofs_group_cachep, grp);
-       }
+       /* free ignored processes */
+       cleanup_ignored_procs();
 
        /* free everything else */
        kmem_cache_destroy(dazukofs_group_cachep);
        kmem_cache_destroy(dazukofs_event_container_cachep);
        kmem_cache_destroy(dazukofs_event_cachep);
+       kmem_cache_destroy(dazukofs_proc_cachep);
 }
 
 /**
@@ -576,6 +612,7 @@ static int check_recursion(void)
                        found = 1;
                        put_pid(proc->proc_id);
                        list_del(pos);
+                       kmem_cache_free(dazukofs_proc_cachep, proc);
                        break;
                }
        }
@@ -951,12 +988,19 @@ static struct dazukofs_event_container *
  * generating recursive file access events. The process is removed from
  * the list with the check_recursion() function.
  */
-static void mask_proc(struct dazukofs_proc *proc)
+static int mask_proc(void)
 {
+       struct dazukofs_proc *proc;
+
+       proc = kmem_cache_zalloc(dazukofs_proc_cachep, GFP_KERNEL);
+       if (!proc)
+               return -ENOMEM;
+
        proc->proc_id = get_pid(task_pid(current));
        mutex_lock(&proc_mutex);
        list_add(&proc->list, &proc_list.list);
        mutex_unlock(&proc_mutex);
+       return 0;
 }
 
 /**
@@ -972,7 +1016,6 @@ static void mask_proc(struct dazukofs_pr
 static int open_file(struct dazukofs_event_container *ec)
 {
        struct dazukofs_event *evt = ec->event;
-       struct dazukofs_proc proc;
        int ret;
 
        /* open the file read-only */
@@ -984,7 +1027,9 @@ static int open_file(struct dazukofs_eve
        }
 
        /* add myself to be ignored on file open (to avoid recursion) */
-       mask_proc(&proc);
+       ret = mask_proc();
+       if (ret) 
+               goto error_out2;
 
        ec->file = dentry_open(dget(evt->dentry), mntget(evt->mnt),
                               O_RDONLY | O_LARGEFILE, current_cred());