From: Al Viro <viro@ZenIV.linux.org.uk>
To: Russ Dill <russ.dill@gmail.com>
Cc: linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: fasync race in fs/fcntl.c
Date: Sat, 2 Mar 2013 17:54:41 +0000 [thread overview]
Message-ID: <20130302175441.GB4503@ZenIV.linux.org.uk> (raw)
In-Reply-To: <CA+Bv8XZM7yO-=vrGZg5LFLik8YkQiMC9ppCgQbyi1yuLiKstJQ@mail.gmail.com>
On Sat, Mar 02, 2013 at 03:00:28AM -0800, Russ Dill wrote:
> CPU0 calls syscall fcntl(fd, F_SETFL, FASYNC)
> fcntl calls fdget_raw, the count on the filp is 1, so it is not
> incremented (no reference taken)
> fcntl calls do_fcntl, which calls setfl which calls filp->op->fasync
> which calls fasync_helper
> fasync_helper calls fasync_add_entry, which calls fasync_insert_entry
> fasync_insert_entry adds a fasync_struct to the list for the current
> filp and assigns the pointer,
> before getting to filp->f_flags |= FASYNC, we go to CPU1
>
> CPU1 calls fput on the same filp, the counter is decremented to 0 and
> that filp is either added to the delayed_fput_list or scheduled for
> ____fput task_work.
Stop here. Just how does CPU1 manage to do that? fdget_raw() will not
increment ->f_count *only* if there's nobody else with reference to its
descriptor table. And if ->f_count is 1, we'd better have no references
outside of that descriptor table.
So where had the reference dropped by process on CPU1 come from?
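A small user-space model of the rule Al is relying on, added here as an example and not code from the kernel or from either poster. It replays the interleaving from the report under three conditions: an unshared descriptor table (no other task exists to call close()), a shared table with fdget_raw()'s actual rule (reference taken when the table is shared), and a deliberately broken variant that always borrows. The structure names, the `always_borrow` knob and `setfl_vs_close()` are the model's own assumptions, not kernel identifiers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NR_FDS 4

struct file {
	int  f_count;   /* references to the struct file */
	bool fasync;    /* stands in for f_flags & FASYNC */
	bool freed;     /* set by the model's __fput() */
};

struct files_struct {
	int          count;       /* tasks sharing this descriptor table */
	struct file *fd[NR_FDS];
};

struct fd {
	struct file *file;
	bool         need_put;    /* did we take a reference? */
};

static void model_fput(struct file *f)
{
	if (--f->f_count == 0)
		f->freed = true;  /* the real kernel defers __fput() here */
}

/* Model of fdget_raw() as described in the thread: take a reference on the
 * file only when the descriptor table is shared. always_borrow=true is a
 * deliberately broken variant (assumption, not kernel behaviour) that never
 * takes one, so the reported interleaving can be tried against both rules. */
static struct fd model_fdget_raw(struct files_struct *files, int fd,
				 bool always_borrow)
{
	struct fd r = { NULL, false };

	if (fd < 0 || fd >= NR_FDS || files->fd[fd] == NULL)
		return r;
	r.file = files->fd[fd];
	if (files->count > 1 && !always_borrow) {
		r.file->f_count++;
		r.need_put = true;
	}
	return r;
}

static void model_fdput(struct fd f)
{
	if (f.need_put)
		model_fput(f.file);
}

/* close(fd) issued by another task that shares the same table. */
static void model_close(struct files_struct *files, int fd)
{
	struct file *f = files->fd[fd];

	files->fd[fd] = NULL;
	model_fput(f);
}

/*
 * Replay the interleaving from the report: CPU0 is inside fcntl(F_SETFL),
 * between fasync_insert_entry() and the f_flags |= FASYNC store, when CPU1
 * drops a reference via close(). Returns true if CPU0 ends up writing to a
 * freed file.
 */
bool setfl_vs_close(int sharers, bool always_borrow)
{
	struct file f = { .f_count = 1, .fasync = false, .freed = false };
	struct files_struct files = { .count = sharers, .fd = { &f } };
	struct fd h;
	bool use_after_free;

	h = model_fdget_raw(&files, 0, always_borrow);

	/* CPU1: only possible if some other task shares the descriptor table;
	 * with sharers == 1 there is nobody to issue the close(). */
	if (sharers > 1)
		model_close(&files, 0);

	/* CPU0 resumes and finishes setfl(). */
	use_after_free = h.file->freed;
	h.file->fasync = true;
	model_fdput(h);
	return use_after_free;
}

int main(void)
{
	printf("unshared table, borrow:      uaf=%d\n", setfl_vs_close(1, false));
	printf("shared table, fdget_raw:     uaf=%d\n", setfl_vs_close(2, false));
	printf("shared table, always borrow: uaf=%d\n", setfl_vs_close(2, true));
	return 0;
}
```

The only run that frees the file under CPU0 is the broken always-borrow variant with a shared table. Under the actual rule a shared table means a reference was taken, so CPU1's close() leaves f_count at 1; with an unshared table there is no CPU1 to take the fd away in the first place, which is the question the reply puts to the report.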
Thread overview: 11+ messages
2013-03-02 11:00 fasync race in fs/fcntl.c Russ Dill
2013-03-02 17:54 ` Al Viro [this message]
2013-03-02 18:42 ` Al Viro
2013-03-02 19:25 ` Al Viro
2013-03-02 19:49 ` Al Viro
2013-03-03 0:09 ` Russ Dill
2013-03-04 6:16 ` Russ Dill
2013-03-04 7:39 ` Greg KH
2013-03-04 8:03 ` [PATCH] Revert "random: Mix cputime from each thread that exits to the pool" Russ Dill
2013-03-04 17:05 ` Theodore Ts'o
2013-03-04 19:33 ` Russ Dill