[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 07 Aug 2023 21:33:28 -0400
From: Gabriel Krisman Bertazi <krisman@...e.de>
To: Eric Biggers <ebiggers@...nel.org>
Cc: viro@...iv.linux.org.uk, brauner@...nel.org, tytso@....edu,
jaegeuk@...nel.org, linux-fsdevel@...r.kernel.org,
linux-ext4@...r.kernel.org, linux-f2fs-devel@...ts.sourceforge.net,
Gabriel Krisman Bertazi <krisman@...labora.com>
Subject: Re: [PATCH v4 3/7] libfs: Validate negative dentries in
case-insensitive directories
Eric Biggers <ebiggers@...nel.org> writes:
> On Thu, Aug 03, 2023 at 01:37:45PM -0400, Gabriel Krisman Bertazi wrote:
>> Eric Biggers <ebiggers@...nel.org> writes:
>>
>> > On Thu, Jul 27, 2023 at 01:28:39PM -0400, Gabriel Krisman Bertazi wrote:
>> >> - In __lookup_slow, either the parent inode is read locked by the
>> >> caller (lookup_slow), or it is called with no flags (lookup_one*).
>> >> The read lock suffices to prevent ->d_name modifications, with the
>> >> exception of one case: __d_unalias, will call __d_move to fix a
>> >> directory accessible from multiple dentries, which effectively swaps
>> >> ->d_name while holding only the shared read lock. This happens
>> >> through this flow:
>> >>
>> >> lookup_slow() //LOOKUP_CREATE
>> >> d_lookup()
>> >> ->d_lookup()
>> >> d_splice_alias()
>> >> __d_unalias()
>> >> __d_move()
>> >>
>> >> Nevertheless, this case is not a problem because negative dentries
>> >> are not allowed to be moved with __d_move.
>> >
>> > Isn't it possible for a negative dentry to become a positive one concurrently?
>>
>> Do you mean d_splice_alias racing with a dentry instantiation and
>> __d_move being called on a negative dentry that is turning positive?
>>
>> It is not possible for __d_move to be called with a negative dentry for
>> d_splice_alias, since the inode->i_lock is locked during __d_find_alias,
>> so it can't race with __d_instantiate or d_add. Then, __d_find_alias
>> can't find negative dentries in the first place, so we either have a
>> positive dentry, in which case __d_move is fine with regard to
>> d_revalidate_name, or we don't have any aliases and don't call
>> __d_move.
>>
>> Can you clarify what problem you see here?
>>
>
> I agree that negative dentries can't be moved --- I pointed this out earlier
> (https://lore.kernel.org/linux-fsdevel/20230720060657.GB2607@sol.localdomain).
> The question is whether if ->d_revalidate sees a negative dentry, when can it
> assume that it remains a negative dentry for the remainder of ->d_revalidate.
> I'm not sure there is a problem, I just don't understand your
> explanation.
I see. Thanks for clarifying, as I had previously misunderstood your
point.
So, first of all, if d_revalidate itself is not a creation, it doesn't
matter, because we won't touch ->d_name. We might invalidate a valid
dentry, but that is ok. The problem would be limited to d_revalidate
being on the creation path, where the parent (read-)lock is held. The
problem would be doing the memcmp(), while the dentry is turned positive
(d_instantiate), while someone else moves the name.
For the dentry to be turned positive during a d_revalidate, it would
then have to race with d_add or with d_instantiate. d_add shouldn't be
possible since we are holding the parent inode lock (at least
read-side), which will serialize file creation.
>From my understanding of the code, d_instantiate also can't race with
d_revalidate for the same reason - is also serialized by the parent
inode lock, which is acquired in filename_create. At least for all paths
in ext4/f2fs. In fact, I'm failing to find a case where the lock is not
taken when instantiating a dentry, but I'm unsure if this is a guarantee
or just an artifact of the code.
It seems to be safe in the current code, but I don't know if it is a
guarantee. Can anyone comment on this?
--
Gabriel Krisman Bertazi
Powered by blists - more mailing lists