From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve French Subject: cp command, lookup intents and fs/namei.c horrors Date: Thu, 30 Nov 2006 19:57:08 -0600 Message-ID: <456F8BF4.4080701@austin.rr.com> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Return-path: Received: from ms-smtp-03.texas.rr.com ([24.93.47.42]:26776 "EHLO ms-smtp-03.texas.rr.com") by vger.kernel.org with ESMTP id S1758211AbWLAC4I (ORCPT ); Thu, 30 Nov 2006 21:56:08 -0500 Received: from [192.168.0.2] (cpe-66-69-211-197.austin.res.rr.com [66.69.211.197]) by ms-smtp-03.texas.rr.com (8.13.6/8.13.6) with ESMTP id kB12u5fW001316 for ; Thu, 30 Nov 2006 20:56:06 -0600 (CST) To: linux-fsdevel Sender: linux-fsdevel-owner@vger.kernel.org List-Id: linux-fsdevel.vger.kernel.org I have been looking at why the command: cp source target does very strange things when the target file is open and not writable but the attributes (file size) are writable. cp doesn't create a new file, if the target already exists it simply shrinks and opens the targetfile as follows: open("/mnt/ttargetfile, O_WRONLY|O_TRUNC|O_LARGEFILE) The problem with this behavior is that it is possible to change attributes on a file (file size) and not have permission to open the target file for write - if the server is Windows it is even more common because the target file could be opened deny write by another client - even OpenOffice does this (at least for Windows). The result of all this is that open_namei (in fs/namei.c) can "fail" with sideeffects - it first sets the file size to zero (deleting all of the data in the target in the process!), then fails to open the file for writing so returns an error ... Simplest case to reproduce this is: 1) open a file in OpenOffice on Windows (which does an open with "deny write") 2) mount to Windows from Linux 3) try to cp from a local Linux file to the remote file opened by OpenOffice 4) the copy will report failure, but the file will be set to zero size Basically, what is happening in the open call in Linux is that namei.c is doing very strange things (more complicated logic than seemed plausible): lookup target (but don't set the lookup intent to open!) if target exists and O_TRUNC - shrink inode to zero size and (notify attribute change) set the attributes try to open the file for write (which fails when the target file is open with deny modes) Since the lookup in namei.c does not set the lookup intents to LOOKUP_OPEN or LOOKUP_CREATE, a filesystem can't try the open before the truncate. This seems like a bug, and since the truncate (setattr) does not pass the intent either, we can't know to defer the truncate until after the open (or better simply pass the flags to the server so the server can do this as one operation). Ideally a filesystem should be able to hook namei_open since it needs to be more atomic for the case of network and cluster filesystems (it would be much faster too for network/cluster filesystems) Any ideas how to fix this? 1) Allow an fs to hook namei_open? or 2) pass the proper lookup intent on the lookup called from namei_open or 3) pass lookup intents on setattr (so a network fs can tell why the truncate is being done and combine operations) or 4) find some clue to hint the filesystem that it can defer the setattr until later or throw it away or ...