From: Al Viro <viro@ZenIV.linux.org.uk>
To: "Liu, Chuansheng" <chuansheng.liu@intel.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] Fix the race between the fget() and close()
Date: Sat, 31 Aug 2013 08:35:43 +0100 [thread overview]
Message-ID: <20130831073543.GL13318@ZenIV.linux.org.uk> (raw)
In-Reply-To: <27240C0AC20F114CBF8149A2696CBE4A01AF6D3B@SHSMSX101.ccr.corp.intel.com>
On Sat, Aug 31, 2013 at 07:01:33AM +0000, Liu, Chuansheng wrote:
> My scenario is:
> P1 files_struct refcount is 1, P2's is 1 also.
> P1 get_files_struct(P2)
> P1 install one file into P2's files_struct
> P1 put_files_struct(P2)
>
> Then P1 and P2's files_struct refcount are 1, then when P1 is doing ioctl() and P2 is exiting
> with put_files_struct(P2), the race will occur, my understanding is wrong?
First of all, this wouldn't have been a problem (so you get a new reference
to file inserted in P2's files_struct; file refcount had been bumped, so
destruction of P2's files_struct will undo that increment of file refcount
and we are still fine). _Removal_ in a similar scenario would have been
a problem, with P2 doing fdget() while its table isn't shared, then P1
removing a reference from it and dropping a file - the last one, at that,
since fdget() assumed that the reference would've stayed in P2's descriptor
table. HOWEVER, P1 does not do get_files_struct(P2) at all - it's only
done by P2 in binder_mmap().
Again, the invariant to look for is this:
* if current->files had not been shared at fdget() time, it won't
be shared at matching fdput() and no entries will have been removed in
between.
task_fd_install()/task_close_fd() are done on proc->files, which contributes
to descriptor table refcount. All other modifications are done to
current->files, which also contributes to refcount. If at fdget() time
current->files had refcount 1, we had no other processes with task->files
pointing to this descriptor table *and* no binder_proc had their ->files
pointint to it. No new ones may appear, since new process could get
such a reference only from do_fork() called by us and new binder_proc could
get such a reference only from binder_mmap() called by us. Neither is
called between fdget() and fdput(). So in that case the only reference
to this descriptor table will remain current->files and all removals
would have to be done by ourselves (and not via task_close_fd(), at that).
And AFAICS, binder_lock() prevents proc->files being dropped under
task_close_fd() and task_fd_install(). Hell knows...
How reproducible it is? Do you have any more instances, or had that
been a one-off panic?
next prev parent reply other threads:[~2013-08-31 7:35 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-08-26 16:12 [PATCH] Fix the race between the fget() and close() Chuansheng Liu
2013-08-26 11:29 ` Al Viro
2013-08-26 23:56 ` Liu, Chuansheng
2013-08-27 0:42 ` Al Viro
2013-08-27 0:48 ` Al Viro
2013-08-31 5:53 ` Liu, Chuansheng
2013-08-31 6:48 ` Al Viro
2013-08-31 7:01 ` Liu, Chuansheng
2013-08-31 7:35 ` Al Viro [this message]
2013-08-31 7:44 ` Liu, Chuansheng
2013-08-27 0:53 ` Liu, Chuansheng
2013-08-26 15:14 ` Eric Dumazet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130831073543.GL13318@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=chuansheng.liu@intel.com \
--cc=eric.dumazet@gmail.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.