From: viro@parcelfarce.linux.theplanet.co.uk
To: Frank Cusack <fcusack@fcusack.com>
Cc: Trond Myklebust <trond.myklebust@fys.uio.no>,
torvalds@transmeta.com, marcelo@conectiva.com.br,
lkml <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] nfs_unlink() race (was: nfs_refresh_inode: inode number mismatch)
Date: Wed, 11 Jun 2003 01:54:25 +0100 [thread overview]
Message-ID: <20030611005425.GA6754@parcelfarce.linux.theplanet.co.uk> (raw)
In-Reply-To: <20030609065141.A9781@google.com>
On Mon, Jun 09, 2003 at 06:51:41AM -0700, Frank Cusack wrote:
> When foo is unlinked, nfs_unlink() does a sillyrename, this puts the
> dentry on nfs_delete_queue, and (in the VFS) unhashes it from the dcache.
> This causes a problem, because dentry->d_parent->d_inode is now guaranteed
> to remain stale. (OK, I'm not really sure about this last part.)
????
What does hashed state have to ->d_parent?
> Then readdir() returns the new .nfs file, this creates a NEW dentry
> (we just moved the first one to nfs_delete_queue and did not create a
> negative dentry) which now has d_count==1 so instead of sillyrename we
> just remove it (but note, we actually have this file open). Then rmdir
> succeeeds.
>
> Now, we have a dentry on nfs_delete_queue which a) has already been
> unlinked and b) whose dentry->d_parent DNE and dentry->d_parent->d_inode
> DNE. Of course this will cause confusion later!
b) is bogus. Unhashing does nothing to ->d_parent.
> Note that if a process does a drive by on the .nfs file (another round
> of unlinked-but-open) before we unlink it, we would sillyrename it again.
> We'd now have two different dentry's on the delete queue for the same
> file. (One of them would just leak, I think--possible local DoS?)
Two different dentries for the same file is obviously not a problem...
> 1) Don't unhash the dentry after silly-renaming. In 2.2, each fs is
> responsible for doing a d_delete(), in 2.4 it happens in the VFS and
> I think it was just an oversight that the 2.4 VFS doesn't consider
> sillyrename (considering the code and comments that are cruft).
>
> This preserves the unlinked-but-open semantic, but breaks rmdir. So
> it's not a clear winner from a semantics POV. dentry->d_count is
> always correct, which sounds like a plus.
>
> The patch to make this work is utterly simple, which is a big plus.
... and AFAICS it opens a huge can of worms with races in NFS unlink/rename.
Sigh... I'll look through that code and try to reconstruct the analysis.
It used to be a very big mess and there was fairly subtle logics around
unhashing/checks for d_count/etc. involved in fixing ;-/ And there was
a lot of changes since then. Oh, well...
next prev parent reply other threads:[~2003-06-11 0:41 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-06-03 23:54 nfs_refresh_inode: inode number mismatch Frank Cusack
2003-06-04 14:19 ` Trond Myklebust
2003-06-04 21:20 ` Frank Cusack
2003-06-04 21:28 ` Trond Myklebust
2003-06-05 9:11 ` Adrian Cox
2003-06-05 9:13 ` Russell King
2003-06-05 13:51 ` Trond Myklebust
2003-06-09 13:51 ` [PATCH] nfs_unlink() race (was: nfs_refresh_inode: inode number mismatch) Frank Cusack
2003-06-09 13:55 ` Frank Cusack
2003-06-09 15:53 ` Linus Torvalds
2003-06-09 16:40 ` Trond Myklebust
2003-06-09 20:46 ` Frank Cusack
2003-06-10 0:01 ` Trond Myklebust
2003-06-11 0:54 ` viro [this message]
2003-06-11 1:28 ` Frank Cusack
2003-06-11 1:47 ` viro
2003-06-11 2:32 ` Frank Cusack
2003-06-11 2:37 ` viro
2003-06-11 1:59 ` Trond Myklebust
2003-06-11 2:27 ` viro
2003-06-11 2:43 ` Frank Cusack
2003-06-11 2:50 ` Frank Cusack
2003-06-11 3:00 ` viro
2003-06-11 7:22 ` [PATCH] NFS sillyrename fixes (was: [PATCH] nfs_unlink() race) Frank Cusack
2003-06-13 0:19 ` [PATCH] NFS sillyrename fixes take 3 Frank Cusack
2003-06-11 3:00 ` [PATCH] nfs_unlink() race (was: nfs_refresh_inode: inode number mismatch) Trond Myklebust
2003-06-11 5:30 ` Linus Torvalds
2003-06-11 6:16 ` Andreas Dilger
2003-06-11 12:33 ` Alan Cox
2003-06-11 15:08 ` Linus Torvalds
2003-06-11 15:51 ` Alan Cox
2003-06-11 16:11 ` Linus Torvalds
2003-06-11 16:21 ` Alan Cox
2003-06-11 16:31 ` Linus Torvalds
2003-06-11 16:34 ` viro
2003-06-11 17:22 ` Alan Cox
2003-06-11 17:37 ` Trond Myklebust
2003-06-11 17:47 ` Trond Myklebust
2003-06-12 21:59 ` Jan Harkes
[not found] ` <16103.29804.198545.680701@charged.uio.no>
2003-06-11 22:24 ` Frank Cusack
2003-06-11 23:16 ` Trond Myklebust
2003-06-11 23:35 ` [PATCH] nfs_unlink() race Frank Cusack
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20030611005425.GA6754@parcelfarce.linux.theplanet.co.uk \
--to=viro@parcelfarce.linux.theplanet.co.uk \
--cc=fcusack@fcusack.com \
--cc=linux-kernel@vger.kernel.org \
--cc=marcelo@conectiva.com.br \
--cc=torvalds@transmeta.com \
--cc=trond.myklebust@fys.uio.no \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox