From: Al Viro <viro@ZenIV.linux.org.uk>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Djalal Harouni <tixxdz@opendz.org>,
Hugh Dickins <hughd@google.com>,
Minchan Kim <minchan.kim@gmail.com>,
KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>,
Wu Fengguang <fengguang.wu@intel.com>,
linux-mm@kvack.org, linux-kernel@vger.kernel.org,
"J. Bruce Fields" <bfields@fieldses.org>,
Neil Brown <neilb@suse.de>,
Mikulas Patocka <mikulas@artax.karlin.mff.cuni.cz>,
Christoph Hellwig <hch@infradead.org>
Subject: Re: [PATCH] mm: add missing mutex lock arround notify_change
Date: Sat, 17 Dec 2011 21:41:37 +0000 [thread overview]
Message-ID: <20111217214137.GY2203@ZenIV.linux.org.uk> (raw)
In-Reply-To: <20111216125556.db2bf308.akpm@linux-foundation.org>
On Fri, Dec 16, 2011 at 12:55:56PM -0800, Andrew Morton wrote:
> > static int __remove_suid(struct dentry *dentry, int kill)
> > {
> > + int ret;
> > struct iattr newattrs;
> >
> > newattrs.ia_valid = ATTR_FORCE | kill;
> > - return notify_change(dentry, &newattrs);
> > +
> > + mutex_lock(&dentry->d_inode->i_mutex);
> > + ret = notify_change(dentry, &newattrs);
> > + mutex_unlock(&dentry->d_inode->i_mutex);
> > +
> > + return ret;
> > }
Consider this:
generic_file_aio_write():
mutex_lock(&inode->i_mutex);
...
ret = __generic_file_aio_write(iocb, iov, nr_segs, &iocb->ki_pos);
and from there we have
err = file_remove_suid(file);
which calls __remove_suid()
Deadlock. OK, let's look at the callers:
__remove_suid() <- file_remove_suid()
file_remove_suid() <-
xip_file_write() ! we grab i_mutex there
__generic_file_aio_write() <-
generic_file_aio_write() ! we grab i_mutex there
pohmelfs_write() ! we grab i_mutex there
blkdev_aio_write()
generic_file_splice_write() ! we grab i_mutex there
xfs_file_aio_write_checks()
ntfs_file_aio_write_nolock() <-
ntfs_file_aio_write() ! we grab i_mutex there
fuse_file_aio_write() ! we grab i_mutex there
btrfs_file_aio_write() ! we grab i_mutex there
ext4_ioctl(), EXT4_IOC_MOVE_EXT case
We have a shitload of deadlocks on very common paths with that patch. What
of the paths that do lead to file_remove_suid() without i_mutex?
* xfs_file_aio_write_checks(): we drop i_mutex (via xfs_rw_iunlock())
just before calling file_remove_suid(). Racy, the fix is obvious - move
file_remove_suid() call before unlocking.
* ext4_ioctl(): doesn't bother with i_mutex at all, very likely to be
racy. BTW, that file_remove_suid() belongs *before* mnt_drop_write(), for
obvious reasons.
* blkdev_aio_write(): file_remove_suid() will be called, but it won't
reach __remove_suid() - should_remove_suid() returns 0 unless we are dealing
with regular file. And for blkdev_aio_write() that file will be a block
device.
IOW, this patch is bogus and would have deadlocked the box as soon as one
would try to do write(2) on suid file. Testing Is A Good Thing(tm).
xfs and ext4_ioctl() need to be fixed; XFS fix follows, ext4 I'd rather left
to ext4 folks - I don't know how wide an area needs i_mutex there
xfs: call file_remove_suid() before dropping i_mutex
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
diff --git a/fs/xfs/xfs_file.c b/fs/xfs/xfs_file.c
index 753ed9b..33705b1 100644
--- a/fs/xfs/xfs_file.c
+++ b/fs/xfs/xfs_file.c
@@ -750,17 +750,16 @@ restart:
*new_sizep = new_size;
}
- xfs_rw_iunlock(ip, XFS_ILOCK_EXCL);
- if (error)
- return error;
-
/*
* If we're writing the file then make sure to clear the setuid and
* setgid bits if the process is not being run by root. This keeps
* people from modifying setuid and setgid binaries.
*/
- return file_remove_suid(file);
+ if (!error)
+ error = file_remove_suid(file);
+ xfs_rw_iunlock(ip, XFS_ILOCK_EXCL);
+ return error;
}
/*
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Fight unfair telecom internet charges in Canada: sign http://stopthemeter.ca/
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
WARNING: multiple messages have this Message-ID (diff)
From: Al Viro <viro@ZenIV.linux.org.uk>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Djalal Harouni <tixxdz@opendz.org>,
Hugh Dickins <hughd@google.com>,
Minchan Kim <minchan.kim@gmail.com>,
KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>,
Wu Fengguang <fengguang.wu@intel.com>,
linux-mm@kvack.org, linux-kernel@vger.kernel.org,
"J. Bruce Fields" <bfields@fieldses.org>,
Neil Brown <neilb@suse.de>,
Mikulas Patocka <mikulas@artax.karlin.mff.cuni.cz>,
Christoph Hellwig <hch@infradead.org>
Subject: Re: [PATCH] mm: add missing mutex lock arround notify_change
Date: Sat, 17 Dec 2011 21:41:37 +0000 [thread overview]
Message-ID: <20111217214137.GY2203@ZenIV.linux.org.uk> (raw)
In-Reply-To: <20111216125556.db2bf308.akpm@linux-foundation.org>
On Fri, Dec 16, 2011 at 12:55:56PM -0800, Andrew Morton wrote:
> > static int __remove_suid(struct dentry *dentry, int kill)
> > {
> > + int ret;
> > struct iattr newattrs;
> >
> > newattrs.ia_valid = ATTR_FORCE | kill;
> > - return notify_change(dentry, &newattrs);
> > +
> > + mutex_lock(&dentry->d_inode->i_mutex);
> > + ret = notify_change(dentry, &newattrs);
> > + mutex_unlock(&dentry->d_inode->i_mutex);
> > +
> > + return ret;
> > }
Consider this:
generic_file_aio_write():
mutex_lock(&inode->i_mutex);
...
ret = __generic_file_aio_write(iocb, iov, nr_segs, &iocb->ki_pos);
and from there we have
err = file_remove_suid(file);
which calls __remove_suid()
Deadlock. OK, let's look at the callers:
__remove_suid() <- file_remove_suid()
file_remove_suid() <-
xip_file_write() ! we grab i_mutex there
__generic_file_aio_write() <-
generic_file_aio_write() ! we grab i_mutex there
pohmelfs_write() ! we grab i_mutex there
blkdev_aio_write()
generic_file_splice_write() ! we grab i_mutex there
xfs_file_aio_write_checks()
ntfs_file_aio_write_nolock() <-
ntfs_file_aio_write() ! we grab i_mutex there
fuse_file_aio_write() ! we grab i_mutex there
btrfs_file_aio_write() ! we grab i_mutex there
ext4_ioctl(), EXT4_IOC_MOVE_EXT case
We have a shitload of deadlocks on very common paths with that patch. What
of the paths that do lead to file_remove_suid() without i_mutex?
* xfs_file_aio_write_checks(): we drop i_mutex (via xfs_rw_iunlock())
just before calling file_remove_suid(). Racy, the fix is obvious - move
file_remove_suid() call before unlocking.
* ext4_ioctl(): doesn't bother with i_mutex at all, very likely to be
racy. BTW, that file_remove_suid() belongs *before* mnt_drop_write(), for
obvious reasons.
* blkdev_aio_write(): file_remove_suid() will be called, but it won't
reach __remove_suid() - should_remove_suid() returns 0 unless we are dealing
with regular file. And for blkdev_aio_write() that file will be a block
device.
IOW, this patch is bogus and would have deadlocked the box as soon as one
would try to do write(2) on suid file. Testing Is A Good Thing(tm).
xfs and ext4_ioctl() need to be fixed; XFS fix follows, ext4 I'd rather left
to ext4 folks - I don't know how wide an area needs i_mutex there
xfs: call file_remove_suid() before dropping i_mutex
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
diff --git a/fs/xfs/xfs_file.c b/fs/xfs/xfs_file.c
index 753ed9b..33705b1 100644
--- a/fs/xfs/xfs_file.c
+++ b/fs/xfs/xfs_file.c
@@ -750,17 +750,16 @@ restart:
*new_sizep = new_size;
}
- xfs_rw_iunlock(ip, XFS_ILOCK_EXCL);
- if (error)
- return error;
-
/*
* If we're writing the file then make sure to clear the setuid and
* setgid bits if the process is not being run by root. This keeps
* people from modifying setuid and setgid binaries.
*/
- return file_remove_suid(file);
+ if (!error)
+ error = file_remove_suid(file);
+ xfs_rw_iunlock(ip, XFS_ILOCK_EXCL);
+ return error;
}
/*
next prev parent reply other threads:[~2011-12-17 21:41 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-12-16 11:25 [PATCH] mm: add missing mutex lock arround notify_change Djalal Harouni
2011-12-16 11:25 ` Djalal Harouni
2011-12-16 20:55 ` Andrew Morton
2011-12-16 20:55 ` Andrew Morton
2011-12-16 21:54 ` Djalal Harouni
2011-12-16 21:54 ` Djalal Harouni
2011-12-17 21:41 ` Al Viro [this message]
2011-12-17 21:41 ` Al Viro
2011-12-17 22:10 ` Al Viro
2011-12-17 22:10 ` Al Viro
2011-12-20 22:09 ` Ted Ts'o
2011-12-20 22:09 ` Ted Ts'o
2011-12-20 22:09 ` Ted Ts'o
2011-12-20 22:45 ` Ted Ts'o
2011-12-20 22:45 ` Ted Ts'o
2011-12-19 1:43 ` Dave Chinner
2011-12-19 1:43 ` Dave Chinner
2011-12-19 2:03 ` Al Viro
2011-12-19 2:03 ` Al Viro
2011-12-19 2:06 ` Al Viro
2011-12-19 2:06 ` Al Viro
2011-12-19 5:07 ` Dave Chinner
2011-12-19 5:07 ` Dave Chinner
2011-12-19 4:22 ` Dave Chinner
2011-12-19 4:22 ` Dave Chinner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20111217214137.GY2203@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=akpm@linux-foundation.org \
--cc=bfields@fieldses.org \
--cc=fengguang.wu@intel.com \
--cc=hch@infradead.org \
--cc=hughd@google.com \
--cc=kamezawa.hiroyu@jp.fujitsu.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mikulas@artax.karlin.mff.cuni.cz \
--cc=minchan.kim@gmail.com \
--cc=neilb@suse.de \
--cc=tixxdz@opendz.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.