All of lore.kernel.org
 help / color / mirror / Atom feed
* query re unlink() ... inotify ... open() race
@ 2015-09-12  0:28 Pádraig Brady
  2015-09-12  1:14 ` Al Viro
  0 siblings, 1 reply; 2+ messages in thread
From: Pádraig Brady @ 2015-09-12  0:28 UTC (permalink / raw)
  To: Linux Kernel Mailing List; +Cc: avagin, Ludovic Courtès

Hi,

We're noticing a rare race here with open() in tail(1), where this happens:

  tail --follow=name "file"
    /* "file" is unlinked() by another process */
    read(IN_ATTRIB from inotify); /* for st_nlink-- */
    open("file") /* Done to check if deleted, but this succeeds! */

The open() succeeding is surprising. Is that allowed?
The summary of the sequence in the kernel is:

  vfs_unlink() {
    mutex_lock(&(dentry->d_inode->i_mutex));
    security_inode_unlink(dir, dentry);
    try_break_deleg(target, delegated_inode);
    dir->i_op->unlink(dir, dentry);
    dont_mount(dentry);
    detach_mounts(dentry);
    mutex_unlock(&(dentry->d_inode->i_mutex));

    fsnotify_link_count(target)
    d_delete(dentry);
  }

thanks,
Pádraig.

^ permalink raw reply	[flat|nested] 2+ messages in thread
* Re: query re unlink() ... inotify ... open() race
  2015-09-12  0:28 query re unlink() ... inotify ... open() race Pádraig Brady
@ 2015-09-12  1:14 ` Al Viro
  0 siblings, 0 replies; 2+ messages in thread
From: Al Viro @ 2015-09-12  1:14 UTC (permalink / raw)
  To: Pádraig Brady
  Cc: Linux Kernel Mailing List, avagin, Ludovic Courtès

On Sat, Sep 12, 2015 at 01:28:27AM +0100, Pádraig Brady wrote:

> The open() succeeding is surprising. Is that allowed?
> The summary of the sequence in the kernel is:
> 
>   vfs_unlink() {
>     mutex_lock(&(dentry->d_inode->i_mutex));
>     security_inode_unlink(dir, dentry);
>     try_break_deleg(target, delegated_inode);
>     dir->i_op->unlink(dir, dentry);
>     dont_mount(dentry);
>     detach_mounts(dentry);
>     mutex_unlock(&(dentry->d_inode->i_mutex));
> 
>     fsnotify_link_count(target)
>     d_delete(dentry);
>   }

... and ->unlink() is the one to decrement the link count.  With lookup
via dcache coming at some point after that.  idiotify is a red herring
here - stat(2) will report decremented link count just as well.

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2015-09-12  1:14 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-09-12  0:28 query re unlink() ... inotify ... open() race Pádraig Brady
2015-09-12  1:14 ` Al Viro

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.