lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20251006005642.8194-1-hdanton@sina.com>
Date: Mon,  6 Oct 2025 08:56:41 +0800
From: Hillf Danton <hdanton@...a.com>
To: Mateusz Guzik <mjguzik@...il.com>
Cc: brauner@...nel.org,
	viro@...iv.linux.org.uk,
	jack@...e.cz,
	linux-kernel@...r.kernel.org,
	linux-fsdevel@...r.kernel.org
Subject: Re: [PATCH] fs: add missing fences to I_NEW handling

On Mon,  6 Oct 2025 01:15:26 +0200 Mateusz Guzik wrote:
> Suppose there are 2 CPUs racing inode hash lookup func (say ilookup5())
> and unlock_new_inode().
> 
> In principle the latter can clear the I_NEW flag before prior stores
> into the inode were made visible.
> 
Given difficulty following up here, could you specify why the current
mem barrier [1] in unlock_new_inode() is not enough?

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/fs/inode.c#n1190

> The former can in turn observe I_NEW is cleared and proceed to use the
> inode, while possibly reading from not-yet-published areas.
> 
> Signed-off-by: Mateusz Guzik <mjguzik@...il.com>
> ---
> 
> I don't think this is a serious bug in the sense I doubt anyone ever ran
> into it, but this is an issue on paper.
> 
> I'm doing some changes in the area and I figured I'll get this bit out
> of the way.
> 
>  fs/dcache.c               | 4 ++++
>  fs/inode.c                | 8 ++++++++
>  include/linux/writeback.h | 4 ++++
>  3 files changed, 16 insertions(+)
> 
> diff --git a/fs/dcache.c b/fs/dcache.c
> index a067fa0a965a..806d6a665124 100644
> --- a/fs/dcache.c
> +++ b/fs/dcache.c
> @@ -1981,6 +1981,10 @@ void d_instantiate_new(struct dentry *entry, struct inode *inode)
>  	spin_lock(&inode->i_lock);
>  	__d_instantiate(entry, inode);
>  	WARN_ON(!(inode->i_state & I_NEW));
> +	/*
> +	 * Pairs with smp_rmb in wait_on_inode().
> +	 */
> +	smp_wmb();
>  	inode->i_state &= ~I_NEW & ~I_CREATING;
>  	/*
>  	 * Pairs with the barrier in prepare_to_wait_event() to make sure
> diff --git a/fs/inode.c b/fs/inode.c
> index ec9339024ac3..842ee973c8b6 100644
> --- a/fs/inode.c
> +++ b/fs/inode.c
> @@ -1181,6 +1181,10 @@ void unlock_new_inode(struct inode *inode)
>  	lockdep_annotate_inode_mutex_key(inode);
>  	spin_lock(&inode->i_lock);
>  	WARN_ON(!(inode->i_state & I_NEW));
> +	/*
> +	 * Pairs with smp_rmb in wait_on_inode().
> +	 */
> +	smp_wmb();
>  	inode->i_state &= ~I_NEW & ~I_CREATING;
>  	/*
>  	 * Pairs with the barrier in prepare_to_wait_event() to make sure
> @@ -1198,6 +1202,10 @@ void discard_new_inode(struct inode *inode)
>  	lockdep_annotate_inode_mutex_key(inode);
>  	spin_lock(&inode->i_lock);
>  	WARN_ON(!(inode->i_state & I_NEW));
> +	/*
> +	 * Pairs with smp_rmb in wait_on_inode().
> +	 */
> +	smp_wmb();
>  	inode->i_state &= ~I_NEW;
>  	/*
>  	 * Pairs with the barrier in prepare_to_wait_event() to make sure
> diff --git a/include/linux/writeback.h b/include/linux/writeback.h
> index 22dd4adc5667..e1e1231a6830 100644
> --- a/include/linux/writeback.h
> +++ b/include/linux/writeback.h
> @@ -194,6 +194,10 @@ static inline void wait_on_inode(struct inode *inode)
>  {
>  	wait_var_event(inode_state_wait_address(inode, __I_NEW),
>  		       !(READ_ONCE(inode->i_state) & I_NEW));
> +	/*
> +	 * Pairs with routines clearing I_NEW.
> +	 */
> +	smp_rmb();
>  }

Why is this needed as nobody cares I_NEW after wait?

>  
>  #ifdef CONFIG_CGROUP_WRITEBACK
> -- 
> 2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ