lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3ectwcds3gwiicciapcktvrmxhau3t7ans5ipzm5xkhpptc2fc@td2jicn5kd5s>
Date: Mon, 6 Oct 2025 14:15:09 +0200
From: Jan Kara <jack@...e.cz>
To: Mateusz Guzik <mjguzik@...il.com>
Cc: brauner@...nel.org, viro@...iv.linux.org.uk, jack@...e.cz, 
	linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org
Subject: Re: [PATCH] fs: add missing fences to I_NEW handling

On Mon 06-10-25 01:15:26, Mateusz Guzik wrote:
> Suppose there are 2 CPUs racing inode hash lookup func (say ilookup5())
> and unlock_new_inode().
> 
> In principle the latter can clear the I_NEW flag before prior stores
> into the inode were made visible.
> 
> The former can in turn observe I_NEW is cleared and proceed to use the
> inode, while possibly reading from not-yet-published areas.
> 
> Signed-off-by: Mateusz Guzik <mjguzik@...il.com>
> ---
> 
> I don't think this is a serious bug in the sense I doubt anyone ever ran
> into it, but this is an issue on paper.
> 
> I'm doing some changes in the area and I figured I'll get this bit out
> of the way.

Yeah, good spotting.

> --- a/fs/dcache.c
> +++ b/fs/dcache.c
> @@ -1981,6 +1981,10 @@ void d_instantiate_new(struct dentry *entry, struct inode *inode)
>  	spin_lock(&inode->i_lock);
>  	__d_instantiate(entry, inode);
>  	WARN_ON(!(inode->i_state & I_NEW));
> +	/*
> +	 * Pairs with smp_rmb in wait_on_inode().
> +	 */
> +	smp_wmb();
>  	inode->i_state &= ~I_NEW & ~I_CREATING;

Hum, why not smp_store_release() here (and below) and...

>  	/*
>  	 * Pairs with the barrier in prepare_to_wait_event() to make sure
> diff --git a/fs/inode.c b/fs/inode.c
> index ec9339024ac3..842ee973c8b6 100644
> --- a/fs/inode.c
> +++ b/fs/inode.c
> @@ -1181,6 +1181,10 @@ void unlock_new_inode(struct inode *inode)
>  	lockdep_annotate_inode_mutex_key(inode);
>  	spin_lock(&inode->i_lock);
>  	WARN_ON(!(inode->i_state & I_NEW));
> +	/*
> +	 * Pairs with smp_rmb in wait_on_inode().
> +	 */
> +	smp_wmb();
>  	inode->i_state &= ~I_NEW & ~I_CREATING;
>  	/*
>  	 * Pairs with the barrier in prepare_to_wait_event() to make sure
> @@ -1198,6 +1202,10 @@ void discard_new_inode(struct inode *inode)
>  	lockdep_annotate_inode_mutex_key(inode);
>  	spin_lock(&inode->i_lock);
>  	WARN_ON(!(inode->i_state & I_NEW));
> +	/*
> +	 * Pairs with smp_rmb in wait_on_inode().
> +	 */
> +	smp_wmb();
>  	inode->i_state &= ~I_NEW;
>  	/*
>  	 * Pairs with the barrier in prepare_to_wait_event() to make sure
> diff --git a/include/linux/writeback.h b/include/linux/writeback.h
> index 22dd4adc5667..e1e1231a6830 100644
> --- a/include/linux/writeback.h
> +++ b/include/linux/writeback.h
> @@ -194,6 +194,10 @@ static inline void wait_on_inode(struct inode *inode)
>  {
>  	wait_var_event(inode_state_wait_address(inode, __I_NEW),
>  		       !(READ_ONCE(inode->i_state) & I_NEW));
> +	/*
> +	 * Pairs with routines clearing I_NEW.
> +	 */
> +	smp_rmb();

... smp_load_acquire() instead if READ_ONCE? That would seem like a more
"modern" way to fix this?

								Honza
-- 
Jan Kara <jack@...e.com>
SUSE Labs, CR

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ