From: Al Viro <viro@zeniv.linux.org.uk>
To: Christian Brauner <brauner@kernel.org>
Cc: "Thomas Weißschuh" <thomas.weissschuh@linutronix.de>,
"Jan Kara" <jack@suse.cz>, "Sargun Dhillon" <sargun@sargun.me>,
"Kees Cook" <kees@kernel.org>,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH v2] fs: always return zero on success from replace_fd()
Date: Mon, 4 Aug 2025 18:27:41 +0100 [thread overview]
Message-ID: <20250804172741.GZ222315@ZenIV> (raw)
In-Reply-To: <20250804155229.GY222315@ZenIV>
On Mon, Aug 04, 2025 at 04:52:29PM +0100, Al Viro wrote:
> On Mon, Aug 04, 2025 at 02:33:13PM +0200, Christian Brauner wrote:
>
> > + guard(spinlock)(&files->file_lock);
> > err = expand_files(files, fd);
> > if (unlikely(err < 0))
> > - goto out_unlock;
> > - return do_dup2(files, file, fd, flags);
> > + return err;
> > + err = do_dup2(files, file, fd, flags);
> > + if (err < 0)
> > + return err;
> >
> > -out_unlock:
> > - spin_unlock(&files->file_lock);
> > - return err;
> > + return 0;
> > }
>
> NAK. This is broken - do_dup2() drops ->file_lock. And that's why I
> loathe the guard() - it's too easy to get confused *and* assume that
> it will DTRT, no need to check carefully.
Note, BTW, that in actual replacing case do_dup2() has blocking
operations (closing the replaced reference) after dropping ->file_lock,
so making it locking-neutral would not be easy; doable (have it
return the old reference in the replacing case and adjust the callers
accordingly), but it's seriously not pretty (NULL/address of old file/ERR_PTR()
for return value, boilerplate in callers, etc.). Having do_dup2() called
without ->file_lock and taking it inside is not an option - we could pull
expand_files() in there, but lookup of oldfd in actual dup2(2)/dup3(2) has
to be done within the same ->file_lock scope where it is inserted into the
table.
Sure, all things equal it's better to have functions locking-neutral, but
it's not always the best approach. And while __free() allows for "we'd
passed the object to somebody else, it's not ours to consume anymore",
guard() does not.
next prev parent reply other threads:[~2025-08-04 17:27 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-04 8:40 [PATCH v2] fs: always return zero on success from replace_fd() Thomas Weißschuh
2025-08-04 12:33 ` Christian Brauner
2025-08-04 15:52 ` Al Viro
2025-08-04 16:02 ` Thomas Weißschuh
2025-08-05 11:56 ` Christian Brauner
2025-08-04 17:27 ` Al Viro [this message]
2025-08-05 11:55 ` Christian Brauner
2025-08-05 15:34 ` Al Viro
2025-08-05 19:50 ` Al Viro
2025-08-06 1:54 ` Al Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250804172741.GZ222315@ZenIV \
--to=viro@zeniv.linux.org.uk \
--cc=brauner@kernel.org \
--cc=jack@suse.cz \
--cc=kees@kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=sargun@sargun.me \
--cc=stable@vger.kernel.org \
--cc=thomas.weissschuh@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.