If a 9p client asks to creat() a new file, and the server does so but unexpectedly claims in answer to the ensuing Tgetattr that the new file is a FIFO, then the client's file->f_op is &pipefifo_fops, but file->private_data points to a p9_fid, not a pipe_inode_info. This causes trouble whenever a pipe_*() operation dereferences file->private_data as a pipe_inode_info. Ordinarily, do_dentry_open() both sets file->f_op and calls file->f_op->open(), which sets file->private_data consistently with file->f_op. But v9fs_vfs_atomic_open_dotl() calls finish_open() with the open argument set to generic_file_open, which causes do_dentry_open() to *not* call file->f_op->open(). And v9fs_vfs_atomic_open_dotl() then sets file->private_data to a p9_fid. A summary:

v9fs_vfs_atomic_open_dotl()
  v9fs_get_new_inode_from_fid()
    v9fs_inode_from_fid_dotl()
      v9fs_qid_iget_dotl()
        v9fs_init_inode()
          case S_IFIFO:
            init_special_inode()
              } else if (S_ISFIFO(mode))
                inode->i_fop = &pipefifo_fops;
  finish_open(..., open=generic_file_open)
    do_dentry_open(..., open=generic_file_open)
      f->f_op = fops_get(inode->i_fop)
      if (!open)
        open = f->f_op->open;
      if (open) {
        error = open(inode, f);   // calls generic_file_open, not pipe_open
  file->private_data = ofid

I've attached a demo, which first gets a mutex error because pipe_write() expects file->private_data to start with a mutex, and then a page fault.

# uname -a
Linux xxx 6.13.0-rc3-00017-gf44d154d6e3d #13 SMP Tue Dec 17 07:03:22 EST 2024 x86_64 x86_64 x86_64 GNU/Linux
# cc 9p6c.c
# ./a.out
...
------------[ cut here ]------------ DEBUG_LOCKS_WARN_ON(lock->magic != lock) WARNING: CPU: 3 PID: 1551 at kernel/locking/mutex.c:564 __mutex_lock.constprop.0 +0x6b9/0x990 CPU: 3 UID: 0 PID: 1551 Comm: a.out Not tainted 6.13.0-rc3-00017-gf44d154d6e3d # 13 Hardware name: FreeBSD BHYVE/BHYVE, BIOS 14.0 10/17/2021 RIP: 0010:__mutex_lock.constprop.0+0x6b9/0x990 Code: ff 85 c0 0f 84 cc f9 ff ff 8b 15 c2 5a 5d 01 85 d2 0f 85 be f9 ff ff 48 c7 c6 4d 5e c7 82 48 c7 c7 8e e1 c6 82 e8 e7 7b d6 fe <0f> 0b e9 a4 f9 ff ff 0f 0b e9 d1 fa ff ff 48 8b 03 a8 08 0f 85 fa RSP: 0018:ffffc90001f03d50 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000027 RDX: ffff88842dadc848 RSI: 0000000000000001 RDI: ffff88842dadc840 RBP: ffffc90001f03de0 R08: 00000000ffffefff R09: 0000000000000001 R10: 00000000ffffefff R11: ffffffff8365b2c0 R12: ffff8881021b5a80 R13: ffff888113d33280 R14: ffffc90001f03f10 R15: 0000000000000000 FS: 00007f294d1df740(0000) GS:ffff88842dac0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000560867bb0008 CR3: 0000000109c66004 CR4: 00000000003706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ? __warn+0x7f/0x130 ? __mutex_lock.constprop.0+0x6b9/0x990 ? report_bug+0x16e/0x1a0 ? prb_read_valid+0x16/0x20 ? handle_bug+0x53/0x90 ? exc_invalid_op+0x17/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? __mutex_lock.constprop.0+0x6b9/0x990 ? do_sys_openat2+0x78/0xc0 ? set_track_prepare+0x3b/0x60 ? do_sys_openat2+0x78/0xc0 ? check_bytes_and_report.isra.0+0x48/0x120 pipe_write+0x48/0x660 ? free_to_partial_list+0x116/0x5e0 ? 
do_sys_openat2+0x78/0xc0 vfs_write+0x23d/0x400 ksys_write+0x67/0xe0 do_syscall_64+0x3f/0xd0 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f294d2fe574 Code: c7 00 16 00 00 00 b8 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 80 3d d5 ea 0e 00 00 74 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 55 48 89 e5 48 83 ec 20 48 89 RSP: 002b:00007fffb311e078 EFLAGS: 00000202 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007fffb311ea58 RCX: 00007f294d2fe574 RDX: 0000000000000001 RSI: 0000560867bad0a6 RDI: 0000000000000003 RBP: 00007fffb311e930 R08: 00007f294d3e5b20 R09: 0000000000000410 R10: 0000000000000001 R11: 0000000000000202 R12: 0000000000000001 R13: 0000000000000000 R14: 0000560867baece8 R15: 00007f294d440000 ---[ end trace 0000000000000000 ]--- BUG: unable to handle page fault for address: 000000000002fcc0 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: Oops: 0002 [#1] SMP DEBUG_PAGEALLOC PTI CPU: 3 UID: 0 PID: 1551 Comm: a.out Tainted: G W 6.13.0-rc3-00017-gf44d154d6e3d #13 Tainted: [W]=WARN Hardware name: FreeBSD BHYVE/BHYVE, BIOS 14.0 10/17/2021 RIP: 0010:osq_lock+0x57/0xf0 Code: 00 00 00 00 00 89 42 14 87 07 85 c0 0f 84 98 00 00 00 83 e8 01 48 c7 c1 c0 fc 02 00 48 98 48 03 0c c5 c0 49 cf 82 48 89 4a 08 <48> 89 11 8b 42 10 85 c0 75 76 65 48 8b 3d 17 e6 f2 7e eb 09 f3 90 RSP: 0018:ffffc90001f03d48 EFLAGS: 00010206 RAX: fffffffffffffffe RBX: ffff888107269940 RCX: 000000000002fcc0 RDX: ffff88842daefcc0 RSI: ffff888113d332a0 RDI: ffff888113d332a0 RBP: ffffc90001f03de0 R08: 00000000ffffefff R09: 0000000000000001 R10: 00000000ffffefff R11: ffffffff8365b2c0 R12: ffff88810cc6ba00 R13: ffff888113d33280 R14: ffff888113d332a0 R15: 0000000000000000 FS: 00007f294d1df740(0000) GS:ffff88842dac0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000002fcc0 CR3: 0000000109c66004 CR4: 00000000003706f0 DR0: 0000000000000000 DR1: 
0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ? __die+0x1e/0x60 ? page_fault_oops+0x157/0x450 ? __warn+0xa5/0x130 ? __mutex_lock.constprop.0+0x6b9/0x990 ? nbcon_get_cpu_emergency_nesting+0x5/0x30 ? exc_page_fault+0x66/0x140 ? asm_exc_page_fault+0x26/0x30 ? osq_lock+0x57/0xf0 __mutex_lock.constprop.0+0x2b2/0x990 ? do_sys_openat2+0x78/0xc0 ? set_track_prepare+0x3b/0x60 ? do_sys_openat2+0x78/0xc0 ? check_bytes_and_report.isra.0+0x48/0x120 pipe_write+0x48/0x660 ? free_to_partial_list+0x116/0x5e0 ? do_sys_openat2+0x78/0xc0 vfs_write+0x23d/0x400 ksys_write+0x67/0xe0 do_syscall_64+0x3f/0xd0 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f294d2fe574 ... Kernel panic - not syncing: Fatal exception Kernel Offset: disabled ---[ end Kernel panic - not syncing: Fatal exception ]--- Robert Morris rtm@mit.edu