From: Al Viro <viro@zeniv.linux.org.uk>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: "zhengbin (A)" <zhengbin13@huawei.com>, Jan Kara <jack@suse.cz>,
Andrew Morton <akpm@linux-foundation.org>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
"zhangyi (F)" <yi.zhang@huawei.com>,
renxudong1@huawei.com, Hou Tao <houtao1@huawei.com>
Subject: Re: [PATCH] Re: Possible FS race condition between iterate_dir and d_alloc_parallel
Date: Sun, 22 Sep 2019 22:29:34 +0100 [thread overview]
Message-ID: <20190922212934.GC29065@ZenIV.linux.org.uk> (raw)
In-Reply-To: <CAHk-=whpKgNTxjrenAed2sNkegrpCCPkV77_pWKbqo+c7apCOw@mail.gmail.com>
On Sat, Sep 14, 2019 at 09:49:21AM -0700, Linus Torvalds wrote:
> On Sat, Sep 14, 2019 at 9:16 AM Al Viro <viro@zeniv.linux.org.uk> wrote:
> >
> > OK, folks, could you try the following? It survives the local beating
> > so far.
>
> This looks like the right solution to me. Keep the locking simple,
> take the dentry refcount as long as we keep a ref to it in "*res".
*grumble*
Example of subtleties in the whole mess: this is safe for mainline
now, but only due to "devpts_pty_kill(): don't bother with d_delete()"
already merged. Without that, we are risking the following fun:
scan_positive() on devpts: finds a dentry, sees it positive, decides
to grab the sucker. Refcount is currently 1 (will become 2 after
we grab the reference).
devpts_pty_kill(): d_delete(dentry); on that sucker. Refcount is
currently (still) 1, so we simply make it negative.
scan_positive(): grabs an extra reference to now negative dentry.
devpts_pty_kill(): dput() drops refcount to 1 (what if it got there
before scan_positive() grabbed a reference? Nothing, really, since
scan_positive() is holding parent's ->d_lock; dput() wouldn't
have progressed through dentry_kill() until it managed to get
that, and it would've rechecked the refcount. So that's not
a problem)
scan_positive(): returns a reference to negative dentry to
dcache_readdir(). Which proceeds to oops on
if (!dir_emit(ctx, next->d_name.name, next->d_name.len,
d_inode(next)->i_ino, dt_type(d_inode(next))))
since d_inode(next) is NULL.
With the aforementioned commit it *is* safe, since the dentry remains
positive (and unhashed), so we simply act as if dcache_readdir() has
won the race and emitted a record for the sucker killed by devpts_pty_kill().
IOW, backports will either need to bring that commit in as well, or
they'll need to play silly buggers along the lines of
if (simple_positive(d) && !--count) {
spin_lock(&d->d_lock);
if (likely(simple_positive(d)))
found = dget_dlock(d);
spin_unlock(&d->d_lock);
if (found)
break;
count = 1; // it's gone, keep scanning
}
Probably the latter, since it's less dependent on some other place
doing what devpts used to do...
next prev parent reply other threads:[~2019-09-22 22:30 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-03 14:44 Possible FS race condition between iterate_dir and d_alloc_parallel zhengbin (A)
2019-09-03 15:40 ` Al Viro
2019-09-03 15:41 ` Al Viro
2019-09-04 6:15 ` zhengbin (A)
2019-09-05 17:47 ` Al Viro
2019-09-06 0:55 ` Jun Li
2019-09-06 2:00 ` Al Viro
2019-09-06 2:32 ` zhengbin (A)
2019-09-09 14:10 ` zhengbin (A)
2019-09-09 14:59 ` Al Viro
2019-09-09 15:10 ` zhengbin (A)
[not found] ` <7e32cda5-dc89-719d-9651-cf2bd06ae728@huawei.com>
2019-09-10 21:53 ` Al Viro
2019-09-10 22:17 ` Al Viro
2019-09-14 16:16 ` [PATCH] " Al Viro
2019-09-14 16:49 ` Linus Torvalds
2019-09-14 17:01 ` Al Viro
2019-09-14 17:15 ` Linus Torvalds
2019-09-14 20:04 ` Al Viro
2019-09-14 22:57 ` Linus Torvalds
2019-09-15 0:50 ` Al Viro
2019-09-15 1:41 ` Linus Torvalds
2019-09-15 16:02 ` Al Viro
2019-09-15 17:58 ` Linus Torvalds
2019-09-21 14:07 ` Al Viro
2019-09-21 16:21 ` Linus Torvalds
2019-09-21 17:18 ` Al Viro
2019-09-21 17:38 ` Linus Torvalds
2019-09-24 2:52 ` Al Viro
2019-09-24 13:30 ` Josef Bacik
2019-09-24 14:51 ` Al Viro
2019-09-24 15:01 ` Josef Bacik
2019-09-24 15:11 ` Al Viro
2019-09-24 15:26 ` Josef Bacik
2019-09-24 16:33 ` Al Viro
[not found] ` <CAHk-=wiJ1eY7y6r_cFNRPCqD+BJZS7eJeQFO6OrXxRFjDAipsQ@mail.gmail.com>
2019-09-29 5:29 ` Al Viro
2019-09-25 11:59 ` Amir Goldstein
2019-09-25 12:22 ` Al Viro
2019-09-25 12:34 ` Amir Goldstein
2019-09-22 21:29 ` Al Viro [this message]
2019-09-23 3:32 ` zhengbin (A)
2019-09-23 5:08 ` Al Viro
2019-09-16 2:04 ` 266a9a8b41: WARNING:possible_recursive_locking_detected kernel test robot
2019-09-16 2:58 ` Al Viro
2019-09-16 2:58 ` Al Viro
2019-09-16 3:03 ` Al Viro
2019-09-16 3:03 ` Al Viro
2019-09-16 3:44 ` Linus Torvalds
2019-09-16 3:44 ` Linus Torvalds
2019-09-16 17:16 ` Al Viro
2019-09-16 17:16 ` Al Viro
2019-09-16 17:29 ` Al Viro
2019-09-16 17:29 ` Al Viro
2019-09-17 8:59 ` Rong Chen
2019-09-17 7:03 ` zhengbin
2019-09-17 12:01 ` Al Viro
2019-09-17 12:01 ` Al Viro
2019-09-19 3:36 ` zhengbin
2019-09-19 3:36 ` zhengbin (A)
2019-09-19 3:55 ` Al Viro
2019-09-19 3:55 ` Al Viro
2019-09-19 4:16 ` zhengbin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190922212934.GC29065@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=akpm@linux-foundation.org \
--cc=houtao1@huawei.com \
--cc=jack@suse.cz \
--cc=linux-fsdevel@vger.kernel.org \
--cc=renxudong1@huawei.com \
--cc=torvalds@linux-foundation.org \
--cc=yi.zhang@huawei.com \
--cc=zhengbin13@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.