Re: [tracepoint] cargo-culting considered harmful...

[Al Viro <viro@ZenIV.linux.org.uk>]

On Wed, Jan 23, 2013 at 03:51:47PM -0800, Andrew Morton wrote:

> > note that
> > 	* file->f_path is already pinned down by open(), path_get() does not
> > provide anything extra.
> > 	* file->f_path.dentry is already pinned by open() *and* path_get()
> > just above that dget().
> > 	* ->d_name.name *IS* *NOT* *PROTECTED* by pinning dentry down,
> > whether it's done once or thrice.
> 
> I guess the first two are obvious (or at least, expected).  But the
> third isn't.

->d_name.name is changed by rename() (as one could expect).  Grabbing
a reference to dentry will not prevent rename() from happening.  ->i_mutex
on parent will, but you either need to play with retries (grab reference
to parent, grab ->i_mutex, check that it's still our parent, if we'd lost
the race and someone had renamed the sucker - unlock ->i_mutex, dput,
repeat) *or* to have our dentry looked up with parent locked, with ->i_mutex
on said parent still held (which happens to cover the majority of valid
uses in fs code - ->lookup(), ->create(), ->unlink(), rename(), etc. are
all called that way, so the name of dentry passed to such methods is stable
for the duration of the method).

->d_lock on dentry is also sufficient, but that obviously means that you
can't block while holding it.

> Where should a kernel developer go to learn these things? 
> include/linux/dcache.h doesn't mention d_name locking rules, nor does
> Documentation/filesystems/vfs.txt.

See directory locking rules in there; the crucial point is that dentry
name is changed by rename() *and* that results of a race can be worse than
just running into a partially rewritten name - long names are allocated
separately and walking through a stale pointer you might end up in freed
memory.

It's a mess, unfortunately, and $BIGNUM other uses of ->i_mutex make it only
nastier.  Once in a while I go hunting for races in that area, usally with
a bunch of fixes coming out of such run ;-/