public inbox for linux-kernel@vger.kernel.org
From: Marcelo Tosatti <marcelo@kvack.org>
To: Willy Tarreau <w@1wt.eu>
Cc: Grant Coady <gcoady.lk@gmail.com>,
	linux-kernel@vger.kernel.org, Al Viro <viro@ftp.linux.org.uk>
Subject: Re: Linux 2.4.33-rc1
Date: Mon, 19 Jun 2006 19:04:05 -0300
Message-ID: <20060619220405.GA16251@dmt>
In-Reply-To: <20060619080651.GA3273@1wt.eu>


Willy,

On Mon, Jun 19, 2006 at 10:06:51AM +0200, Willy Tarreau wrote:
> Hi Grant,
> 
> OK, it does *really* crash in vfs_unlink(), during the double_up on
> dentry->inode->i_zombie (dentry->inode = NULL).
> 
> I suggest the following fix, I hope that it is correct and is not subject
> to any race condition :
> 
> --- ./fs/namei.c.orig	2006-06-19 09:39:52.000000000 +0200
> +++ ./fs/namei.c	2006-06-19 09:51:09.000000000 +0200
> @@ -1478,12 +1478,14 @@
>  int vfs_unlink(struct inode *dir, struct dentry *dentry)
>  {
>  	int error;
> +	struct inode *inode;
>  
>  	error = may_delete(dir, dentry, 0);
>  	if (error)
>  		return error;
>  
> -	double_down(&dir->i_zombie, &dentry->d_inode->i_zombie);
> +	inode = dentry->d_inode;
> +	double_down(&dir->i_zombie, &inode->i_zombie);
>  	error = -EPERM;
>  	if (dir->i_op && dir->i_op->unlink) {
>  		DQUOT_INIT(dir);
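
Review bot: `inode = dentry->d_inode` just before `double_down()` caches the pointer without taking a reference, so if `dir->i_op->unlink` drops the dentry's inode, nothing in this function keeps the struct alive until the later `double_up()`. Take a reference at the point where the pointer is cached and release it after the up, rather than relying on the dentry to hold one.
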
> @@ -1495,7 +1497,7 @@
>  			unlock_kernel();
>  		}
>  	}
> -	double_up(&dir->i_zombie, &dentry->d_inode->i_zombie);
> +	double_up(&dir->i_zombie, &inode->i_zombie);
>  	if (!error) {
>  		d_delete(dentry);
>  		inode_dir_notify(dir, DN_DELETE);
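
Review bot: the `double_up(&dir->i_zombie, &inode->i_zombie)` line now differs from the `dentry->d_inode` form for a reason that is not visible in the code. A one-line comment stating that `->unlink` may leave `dentry->d_inode` NULL would keep a later cleanup from reverting it.
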
> 
> I think it will *not* oops anymore with this fix, but I'd like someone to
> review it to ensure that it is valid.

Think this is the right thing to do, except that it must be guaranteed
that the inode struct won't be freed in the meantime, need to grab a
reference to it.

Thanks!

-- 

v2.4.33-pre introduced a fix for lack of synchronization between
link/unlink which requires vfs_unlink to grab i_zombie of both the
victim and its parent with double_down().

Problem is that NFS client deletes the victim dentry on ->unlink,
resulting in a NULL dereference when vfs_unlink() tries to up
dentry->d_inode->i_zombie.

Keep a copy of the inode pointer, incrementing its reference counter, to
fix the situation.

diff --git a/fs/namei.c b/fs/namei.c
index 42cce98..69da199 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1478,12 +1478,14 @@ exit:
 int vfs_unlink(struct inode *dir, struct dentry *dentry)
 {
 	int error;
+	struct inode *inode;
 
 	error = may_delete(dir, dentry, 0);
 	if (error)
 		return error;
 
-	double_down(&dir->i_zombie, &dentry->d_inode->i_zombie);
+	inode = dentry->d_inode;
+	double_down(&dir->i_zombie, &inode->i_zombie);
 	error = -EPERM;
 	if (dir->i_op && dir->i_op->unlink) {
 		DQUOT_INIT(dir);
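
Review bot: `inode = dentry->d_inode` is cached here in `vfs_unlink()`, but the reference that keeps it valid is only taken in `sys_unlink()` (last hunk), so any other caller of `vfs_unlink()` still reaches `double_up()` with an unpinned inode. Consider moving the `atomic_inc(&inode->i_count)` / `iput(inode)` pair into `vfs_unlink()` around the down/up so the function is safe on its own.
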
@@ -1495,7 +1497,7 @@ int vfs_unlink(struct inode *dir, struct
 			unlock_kernel();
 		}
 	}
-	double_up(&dir->i_zombie, &dentry->d_inode->i_zombie);
+	double_up(&dir->i_zombie, &inode->i_zombie);
 	if (!error) {
 		d_delete(dentry);
 		inode_dir_notify(dir, DN_DELETE);
@@ -1509,6 +1511,7 @@ asmlinkage long sys_unlink(const char * 
 	char * name;
 	struct dentry *dentry;
 	struct nameidata nd;
+	struct inode *inode = NULL;
 
 	name = getname(pathname);
 	if(IS_ERR(name))
@@ -1527,11 +1530,16 @@ asmlinkage long sys_unlink(const char * 
 		/* Why not before? Because we want correct error value */
 		if (nd.last.name[nd.last.len])
 			goto slashes;
+		inode = dentry->d_inode;
+		if (inode)
+			atomic_inc(&inode->i_count);
 		error = vfs_unlink(nd.dentry->d_inode, dentry);
 	exit2:
 		dput(dentry);
 	}
 	up(&nd.dentry->d_inode->i_sem);
+	if (inode)
+		iput(inode);
 exit1:
 	path_release(&nd);
 exit:
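
Review bot: the `iput(inode)` placed after `up(&nd.dentry->d_inode->i_sem)` can now be the final put when `->unlink` has already dropped the dentry's reference, which moves the inode's teardown to after the parent's `i_sem` is released. If that ordering is intended, say so in a short comment next to the `iput()`. The `if (inode)` guard does cover the `goto slashes` path, where `inode` is still NULL from its initialiser.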

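The lifetime problem the commit message describes, as a toy user-space model added here (not kernel code and not from the thread). All `toy_*` names, `freed_inodes` and `run_case()` are hypothetical; the integer fields only stand in for `i_count` and the `i_zombie` semaphore.

```c
#include <stdlib.h>

/* Toy user-space model (constructed); none of this is kernel code. */
struct toy_inode  { int i_count; int zombie_held; };
struct toy_dentry { struct toy_inode *d_inode; };
int freed_inodes;                   /* inodes released by toy_iput() */

static void toy_iput(struct toy_inode *inode)
{
	if (inode && --inode->i_count == 0) {
		freed_inodes++;
		free(inode);
	}
}

/* Models an ->unlink that detaches and drops the victim's inode itself. */
static void toy_unlink_op(struct toy_dentry *dentry)
{
	struct toy_inode *inode = dentry->d_inode;
	dentry->d_inode = NULL;         /* dentry->d_inode is NULL from here on */
	toy_iput(inode);                /* drops the dentry's reference */
}

/* Returns 1 if the lock is released on a live inode, 0 if the cached
 * pointer is already dangling by then (it is left untouched in that case). */
static int toy_vfs_unlink(struct toy_dentry *dentry, int pin)
{
	struct toy_inode *inode = dentry->d_inode;   /* cached copy */
	int before = freed_inodes, live;
	if (pin) inode->i_count++;      /* stands in for atomic_inc(&inode->i_count) */
	inode->zombie_held = 1;         /* stands in for double_down() */
	toy_unlink_op(dentry);
	live = (freed_inodes == before);
	if (live) inode->zombie_held = 0;   /* stands in for double_up() */
	if (pin) toy_iput(inode);       /* final put: the inode is freed here */
	return live;
}

/* Runs one unlink with or without the extra reference. */
int run_case(int pin)
{
	struct toy_inode *inode = calloc(1, sizeof(*inode));
	struct toy_dentry dentry = { inode };
	if (!inode) return -1;
	inode->i_count = 1;             /* reference owned by the dentry */
	freed_inodes = 0;
	return toy_vfs_unlink(&dentry, pin);
}

int main(void) { return !(run_case(0) == 0 && run_case(1) == 1); }
```

In both cases the inode is freed exactly once; the extra reference only moves the free to after the lock release.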