Re: [PATCH] vhost: Fix `struct file' leakage in `eventfd_link'

[Thomas Monjalon <thomas.monjalon-pdR9zngts4EAvxtiuMwx3w@public.gmane.org>]

Huawei,
This thread is unreadable because your mailer is not quoting.
Please check. Thanks

2015-03-23 15:16, Xie, Huawei:
> On 3/23/2015 10:52 PM, Pavel Boldin wrote:
> 
> 
> On Mon, Mar 23, 2015 at 4:41 PM, Xie, Huawei <huawei.xie-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org<mailto:huawei.xie-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>> wrote:
> On 3/23/2015 10:37 PM, Pavel Boldin wrote:
> 
> 
> On Mon, Mar 23, 2015 at 4:21 PM, Xie, Huawei <huawei.xie-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org<mailto:huawei.xie-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org><mailto:huawei.xie-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org<mailto:huawei.xie-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>>> wrote:
> On 3/23/2015 8:54 PM, Pavel Boldin wrote:
> > Due to increased `struct file's reference counter subsequent call
> > to `filp_close' does not free the `struct file'. Prepend `fput' call
> > to decrease the reference counter.
> >
> > Signed-off-by: Pavel Boldin <pboldin-nYU0QVwCCFFWk0Htik3J/w@public.gmane.org<mailto:pboldin-nYU0QVwCCFFWk0Htik3J/w@public.gmane.org><mailto:pboldin-nYU0QVwCCFFWk0Htik3J/w@public.gmane.org<mailto:pboldin-nYU0QVwCCFFWk0Htik3J/w@public.gmane.org>>>
> > ---
> >  lib/librte_vhost/eventfd_link/eventfd_link.c | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/lib/librte_vhost/eventfd_link/eventfd_link.c b/lib/librte_vhost/eventfd_link/eventfd_link.c
> > index 7755dd6..62c45c8 100644
> > --- a/lib/librte_vhost/eventfd_link/eventfd_link.c
> > +++ b/lib/librte_vhost/eventfd_link/eventfd_link.c
> > @@ -117,6 +117,7 @@ eventfd_link_ioctl(struct file *f, unsigned int ioctl, unsigned long arg)
> >                * Release the existing eventfd in the source process
> >                */
> >               spin_lock(&files->file_lock);
> > +             fput(file);
> Could we just call atomic_long_dec here?
> 
> We can but I don't like breaking encapsulation (which is broken anyway by the code). So, there is a special method and we should use it in my opinion.
> it is increased by atomic_long_inc_not_zero so why don't we use the symmetric function?
> The code with `atomic_long_inc_not_zero' call is a copy-paste of the `fget' function. If we want to make it clear we should make a separate function and name it so: `fget_from_files'.
> 
> I don't understand why there is a (exact?) copy&paste of fget there. :).
> Maybe you could post a patchset, first replace the copy/paste with fget and then this patch. It will looks much clearer.
> Second thing is: another thread of the same processor can call the `sys_close' on the `fd' and this will dereference counter so `fput' will correctly free the `struct file'. Using `atomic_long_dec' will leak a `struct file' and print a KERN_ERR message by `filp_close'.
> 
> So, the common thing is to use appropriate functions and don't reinvent the wheel.
> 
> Pavel
> 
> 
> 
> Pavel
> 
> >               filp_close(file, files);
> >               fdt = files_fdtable(files);
> >               fdt->fd[eventfd_copy.source_fd] = NULL;
>