From: viro@parcelfarce.linux.theplanet.co.uk
To: Frank Cusack <fcusack@fcusack.com>
Cc: Trond Myklebust <trond.myklebust@fys.uio.no>,
torvalds@transmeta.com, marcelo@conectiva.com.br,
lkml <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] nfs_unlink() race (was: nfs_refresh_inode: inode number mismatch)
Date: Wed, 11 Jun 2003 01:54:25 +0100 [thread overview]
Message-ID: <20030611005425.GA6754@parcelfarce.linux.theplanet.co.uk> (raw)
In-Reply-To: <20030609065141.A9781@google.com>
On Mon, Jun 09, 2003 at 06:51:41AM -0700, Frank Cusack wrote:
> When foo is unlinked, nfs_unlink() does a sillyrename, this puts the
> dentry on nfs_delete_queue, and (in the VFS) unhashes it from the dcache.
> This causes a problem, because dentry->d_parent->d_inode is now guaranteed
> to remain stale. (OK, I'm not really sure about this last part.)
????
What does hashed state have to ->d_parent?
> Then readdir() returns the new .nfs file, this creates a NEW dentry
> (we just moved the first one to nfs_delete_queue and did not create a
> negative dentry) which now has d_count==1 so instead of sillyrename we
> just remove it (but note, we actually have this file open). Then rmdir
> succeeeds.
>
> Now, we have a dentry on nfs_delete_queue which a) has already been
> unlinked and b) whose dentry->d_parent DNE and dentry->d_parent->d_inode
> DNE. Of course this will cause confusion later!
b) is bogus. Unhashing does nothing to ->d_parent.
> Note that if a process does a drive by on the .nfs file (another round
> of unlinked-but-open) before we unlink it, we would sillyrename it again.
> We'd now have two different dentry's on the delete queue for the same
> file. (One of them would just leak, I think--possible local DoS?)
Two different dentries for the same file is obviously not a problem...
> 1) Don't unhash the dentry after silly-renaming. In 2.2, each fs is
> responsible for doing a d_delete(), in 2.4 it happens in the VFS and
> I think it was just an oversight that the 2.4 VFS doesn't consider
> sillyrename (considering the code and comments that are cruft).
>
> This preserves the unlinked-but-open semantic, but breaks rmdir. So
> it's not a clear winner from a semantics POV. dentry->d_count is
> always correct, which sounds like a plus.
>
> The patch to make this work is utterly simple, which is a big plus.
... and AFAICS it opens a huge can of worms with races in NFS unlink/rename.
Sigh... I'll look through that code and try to reconstruct the analysis.
It used to be a very big mess and there was fairly subtle logics around
unhashing/checks for d_count/etc. involved in fixing ;-/ And there was
a lot of changes since then. Oh, well...
next prev parent reply other threads:[~2003-06-11 0:41 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-06-03 23:54 nfs_refresh_inode: inode number mismatch Frank Cusack
2003-06-04 14:19 ` Trond Myklebust
2003-06-04 21:20 ` Frank Cusack
2003-06-04 21:28 ` Trond Myklebust
2003-06-05 9:11 ` Adrian Cox
2003-06-05 9:13 ` Russell King
2003-06-05 13:51 ` Trond Myklebust
2003-06-09 13:51 ` [PATCH] nfs_unlink() race (was: nfs_refresh_inode: inode number mismatch) Frank Cusack
2003-06-09 13:55 ` Frank Cusack
2003-06-09 15:53 ` Linus Torvalds
2003-06-09 16:40 ` Trond Myklebust
2003-06-09 20:46 ` Frank Cusack
2003-06-10 0:01 ` Trond Myklebust
2003-06-11 0:54 ` viro [this message]
2003-06-11 1:28 ` Frank Cusack
2003-06-11 1:47 ` viro
2003-06-11 2:32 ` Frank Cusack
2003-06-11 2:37 ` viro
2003-06-11 1:59 ` Trond Myklebust
2003-06-11 2:27 ` viro
2003-06-11 2:43 ` Frank Cusack
2003-06-11 2:50 ` Frank Cusack
2003-06-11 3:00 ` viro
2003-06-11 7:22 ` [PATCH] NFS sillyrename fixes (was: [PATCH] nfs_unlink() race) Frank Cusack
2003-06-13 0:19 ` [PATCH] NFS sillyrename fixes take 3 Frank Cusack
2003-06-11 3:00 ` [PATCH] nfs_unlink() race (was: nfs_refresh_inode: inode number mismatch) Trond Myklebust
2003-06-11 5:30 ` Linus Torvalds
2003-06-11 6:16 ` Andreas Dilger
2003-06-11 12:33 ` Alan Cox
2003-06-11 15:08 ` Linus Torvalds
2003-06-11 15:51 ` Alan Cox
2003-06-11 16:11 ` Linus Torvalds
2003-06-11 16:21 ` Alan Cox
2003-06-11 16:31 ` Linus Torvalds
2003-06-11 16:34 ` viro
2003-06-11 17:22 ` Alan Cox
2003-06-11 17:37 ` Trond Myklebust
2003-06-11 17:47 ` Trond Myklebust
2003-06-12 21:59 ` Jan Harkes
[not found] ` <16103.29804.198545.680701@charged.uio.no>
2003-06-11 22:24 ` Frank Cusack
2003-06-11 23:16 ` Trond Myklebust
2003-06-11 23:35 ` [PATCH] nfs_unlink() race Frank Cusack
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20030611005425.GA6754@parcelfarce.linux.theplanet.co.uk \
--to=viro@parcelfarce.linux.theplanet.co.uk \
--cc=fcusack@fcusack.com \
--cc=linux-kernel@vger.kernel.org \
--cc=marcelo@conectiva.com.br \
--cc=torvalds@transmeta.com \
--cc=trond.myklebust@fys.uio.no \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.