From: Al Viro <viro@ZenIV.linux.org.uk>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: David Herrmann <dh.herrmann@gmail.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
David Howells <dhowells@redhat.com>,
Oleg Nesterov <oleg@redhat.com>, stable <stable@vger.kernel.org>,
Neil Brown <neilb@suse.de>
Subject: Re: [PATCH] fs: fix i_writecount on shmem and friends
Date: Wed, 12 Mar 2014 18:19:25 +0000
Message-ID: <20140312181925.GK18016@ZenIV.linux.org.uk>
In-Reply-To: <CA+55aFwzBoTc+09jZTGjfTQTfkgZwrN5m09snb+F9inLaDn0OA@mail.gmail.com>
On Tue, Mar 11, 2014 at 12:05:09PM -0700, Linus Torvalds wrote:
>
> which returns ETXTBSY (most easily seen by just stracing it).
>
> The patch would also seem to make sense, with the i_readcount_inc()
> being immediately below for the FMODE_READ case.
I think it's trying to fix the problem in the wrong place. The bug is real,
all right, but it's not that alloc_file() for non-regulars doesn't grab
writecount; it's that drop_file_write_access() drops it for those.
What the hell would we want to play with that counter for, anyway? It's not
as if they could be mmapped, so all it does is making pipe(2) and socket(2)
more costly, for no visible reason.
I would prefer to flip

        put_write_access(inode);
        if (special_file(inode->i_mode))
                return;

in drop_file_write_access() instead.
<goes to look at i_writecount users>

Oh, shit...
drivers/md/md.c:

    /* similar to deny_write_access, but accounts for our holding a reference
     * to the file ourselves */
    static int deny_bitmap_write_access(struct file * file)
    {
        struct inode *inode = file->f_mapping->host;

        spin_lock(&inode->i_lock);
        if (atomic_read(&inode->i_writecount) > 1) {
            spin_unlock(&inode->i_lock);
            return -ETXTBSY;
        }
        atomic_set(&inode->i_writecount, -1);
        spin_unlock(&inode->i_lock);
        return 0;
    }
Broken. get_write_access() will happily increment i_writecount e.g. from
1 to 2, without even looking at i_lock. Moreover, it's paired with
    void restore_bitmap_write_access(struct file *file)
    {
        struct inode *inode = file->f_mapping->host;

        spin_lock(&inode->i_lock);
        atomic_set(&inode->i_writecount, 1);
        spin_unlock(&inode->i_lock);
    }
Just what will happen if we do denywrite mmap() of that file in between?
Even worse, the caller takes file straight from fget(), with no sanity
checks whatsoever. Just what will happen if I give it e.g. a directory?
Or a procfs/sysfs/whatnot file, for that matter? Neil? I realize that
it's root-only, but still...
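The check-then-set race Al describes, modelled in user space with C11 atomics. This is an added example, not code from the thread or from the kernel: the inode, md_check/md_commit_* and interleave are simplified hypothetical names, and the compare-and-swap commit is only an illustration of a race-free shape, not the fix the thread settled on.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>

/* Simplified inode: i_writecount > 0 counts writers, < 0 counts deniers, 0 is free. */
struct inode { atomic_int i_writecount; };

/* Kernel-style get_write_access(): increment unless writes are denied.
 * A lock-free CAS loop; it never touches i_lock. */
static int get_write_access(struct inode *inode)
{
    int v = atomic_load(&inode->i_writecount);
    while (v >= 0)
        if (atomic_compare_exchange_weak(&inode->i_writecount, &v, v + 1))
            return 0;
    return -ETXTBSY;
}

/* The md.c logic from the mail, split into check and commit so a concurrent
 * writer can be slotted between them. i_lock is omitted on purpose: it does
 * not help, because get_write_access() above does not take it. */
static int md_check(struct inode *inode)
{
    return atomic_load(&inode->i_writecount) > 1 ? -ETXTBSY : 0;
}
static void md_commit_buggy(struct inode *inode)
{
    atomic_store(&inode->i_writecount, -1);   /* blind atomic_set(-1), as in the mail */
}
/* Illustrative alternative (an assumption, not the adopted fix): flip 1 -> -1
 * only if the count is still exactly 1, so a concurrent increment is noticed. */
static int md_commit_cas(struct inode *inode)
{
    int expected = 1;
    return atomic_compare_exchange_strong(&inode->i_writecount, &expected, -1)
           ? 0 : -ETXTBSY;
}

/* Interleaving: md checks (count 1, its own reference), another task takes
 * write access unlocked (1 -> 2), then md commits. Returns the final count:
 * 2 means the denial was refused, -1 means writes are "denied" while a
 * writer is still live, which is the broken state the mail points at. */
static int interleave(bool use_cas)
{
    struct inode inode = { 1 };
    if (md_check(&inode) != 0 || get_write_access(&inode) != 0)
        return -99;                         /* cannot happen in this schedule */
    if (use_cas) md_commit_cas(&inode); else md_commit_buggy(&inode);
    return atomic_load(&inode.i_writecount);
}
```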