lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20150507133935.2d2e3181@gandalf.local.home>
Date:	Thu, 7 May 2015 13:39:35 -0400
From:	Steven Rostedt <rostedt@...dmis.org>
To:	Al Viro <viro@...IV.linux.org.uk>
Cc:	David Howells <dhowells@...hat.com>,
	LKML <linux-kernel@...r.kernel.org>,
	linux-fsdevel@...r.kernel.org
Subject: Re: [PATCH] VFS: Add back check for !inode in walk_component()

On Thu, 7 May 2015 18:28:34 +0100
Al Viro <viro@...IV.linux.org.uk> wrote:

> On Thu, May 07, 2015 at 12:52:41PM -0400, Steven Rostedt wrote:
> > 
> > Commit 698934df8b45 "VFS: Combine inode checks with d_is_negative() and
> > d_is_positive() in pathwalk" removed a check for inode being NULL in
> > walk_component() where the type is tested. Stressing my tracefs create
> > and remove instances while reading the files now triggers this:
> 
> So you get NULL ->d_inode with stale flags?  The thing is, ->d_inode
> becoming NULL should happen via d_delete(), which goes throug this:

But it's not the delete, it's the creation of a new d_entry. Pehaps it
gets linked premature? The tracing I had happened in
tracefs_create_file().


>         unsigned flags = READ_ONCE(dentry->d_flags);
> 
>         flags &= ~(DCACHE_ENTRY_TYPE | DCACHE_FALLTHRU);
>         WRITE_ONCE(dentry->d_flags, flags);
>         smp_wmb();
>         dentry->d_inode = NULL;
> 
> and after that assignment to ->d_flags you'll see d_is_negative() being
> true.  OTOH, we have
>                 *inode = dentry->d_inode;
>                 if (read_seqcount_retry(&dentry->d_seq, seq))
> in lookup_fast(), and read_seqcount_retry() is
> {
>         smp_rmb();
>         return __read_seqcount_retry(s, start);
> }
> 
> IOW, we have smp_rmb() between fetching ->d_inode and checking ->d_flags.
> 
> If you can reproduce that at will, could you make it dump nd->flags along with
> dentry involved?

I had them printed in my previous traces. The flags were 0x200088, and
they were 0 just before the call.

 ftrace-test-mki-3201  [000]    85.306761: bprint:               walk_component: inode=(nil) dentry=0xee3c0240 neg:1
 ftrace-test-mki-3201  [000]    85.306761: bprint:               walk_component: inode=(nil) dentry=0xee3c0240 neg:0 flags:200088

That was with this:

        trace_printk("inode=%p dentry=%p neg:%d\n", inode, path->dentry,
                     d_is_negative(path->dentry));
        err = -ENOENT;
        if (d_is_negative(path->dentry))
                goto out_path_put;
        trace_printk("inode=%p dentry=%p neg:%d flags:%lx\n", inode, path->dentry,
                     d_is_negative(path->dentry), (long)path->dentry->d_flags);



-- Steve

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ