Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp852445pxk; Thu, 17 Sep 2020 19:06:11 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxcpmDGvQSwqCdZkB92sHaN9h5WeYY/ZI4ZaNSL7n7Z2cLTw0oJ8sGyEidicRdaruDk/AOo X-Received: by 2002:a17:906:6ce:: with SMTP id v14mr32687298ejb.451.1600394771504; Thu, 17 Sep 2020 19:06:11 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1600394771; cv=none; d=google.com; s=arc-20160816; b=z95fz+aiu/8/vElsSOtcLoh7+un+wzHpdddA3vUvv2QyU6sp704XpaTg2rH2SxdR7t sxSM4THaCIFdcpARh51+5sNAmmf06yom91mhKPjn0wxtDi+wXCtJWXDSKaKzYWRFcZ4A XbwBy7jdNowU81go38LEXjzccxvq1XKp4Tl0UlmWhVJgE0pgWasSn3l0pj/SQH09wfYL UJU2FsSJZaoOrh6Bk6kXmw4QC/f7z2Ke9nb/pC5ApyHPH+B+BMcY0vZAeIyMmXVAoH+g MeEHmHMttnZpP3cUrqtFm19NQjC8z1nISWkFZhhsqqqNuoPfeyZU6e4Zj5rQ2/972PGs QS/Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=3jxAAuLkBtmnX/2WX+5Hmh5/SR21xLSwyOQPVeXp/DE=; b=YzHPvudNh/Z1cSo1njdQL61f/zFRV0+nwrlFyl2DMnkNFtmKp1XoMHOzYeMvplXDiR c5I7NOtozG3UPsq2noCgEUNcI1WCuSLiYYJaBdAzBBpvB+lfN6EjYJ+U1odvVo9cRnLE QHQiYDK8JaRXkAGP2u4G4/zzE2fzMShqlm6VxuTH6Zhki1aVsDICOUgJKLK91EgcHLaY ZMSOZZvpdaY06Lza84+hUXpMrGUHYtbdC59tuXrPe8M/2EHKB/JU+utN0HiPeWAFT086 SkvUUfZJzEYVA/SMMx2ozOw+6nxeSSIDTuoOsW+0L4kPXEEX1RI9KpEWftjD4M7/PdIR kKPQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=xmPxTWLO; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id pg3si1397661ejb.94.2020.09.17.19.05.48; Thu, 17 Sep 2020 19:06:11 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=xmPxTWLO; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726723AbgIRCCS (ORCPT + 99 others); Thu, 17 Sep 2020 22:02:18 -0400 Received: from mail.kernel.org ([198.145.29.99]:47190 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726682AbgIRCCM (ORCPT ); Thu, 17 Sep 2020 22:02:12 -0400 Received: from sasha-vm.mshome.net (c-73-47-72-35.hsd1.nh.comcast.net [73.47.72.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 8E848235F8; Fri, 18 Sep 2020 02:02:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1600394532; bh=K4nUaNmLvBiaHjCXtJrH4Xt4KeHX2wQF+A7iBLMQEo4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=xmPxTWLOzdN/DZOTBh8yGY6PAxc+Out6lzfUKlvEglLnrFGzKqm8T22PaAN4UzOMo tOsWqrbR/9yXRTyX3iHslQHSClBrfE2ts+Dlyg036cDLry0qZi62ZtgMbJTLGFWvdQ 704M5zLTJyyHeL8cEkid+ELUTtjPtRkP7e02yEos= From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Al Viro , Sasha Levin , linux-fsdevel@vger.kernel.org Subject: [PATCH AUTOSEL 5.4 051/330] fix dget_parent() fastpath race Date: Thu, 17 Sep 2020 21:56:31 -0400 Message-Id: <20200918020110.2063155-51-sashal@kernel.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200918020110.2063155-1-sashal@kernel.org> References: <20200918020110.2063155-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Al Viro [ Upstream commit e84009336711d2bba885fc9cea66348ddfce3758 ] We are overoptimistic about taking the fast path there; seeing the same value in ->d_parent after having grabbed a reference to that parent does *not* mean that it has remained our parent all along. That wouldn't be a big deal (in the end it is our parent and we have grabbed the reference we are about to return), but... the situation with barriers is messed up. We might have hit the following sequence: d is a dentry of /tmp/a/b CPU1: CPU2: parent = d->d_parent (i.e. dentry of /tmp/a) rename /tmp/a/b to /tmp/b rmdir /tmp/a, making its dentry negative grab reference to parent, end up with cached parent->d_inode (NULL) mkdir /tmp/a, rename /tmp/b to /tmp/a/b recheck d->d_parent, which is back to original decide that everything's fine and return the reference we'd got. The trouble is, caller (on CPU1) will observe dget_parent() returning an apparently negative dentry. It actually is positive, but CPU1 has stale ->d_inode cached. Use d->d_seq to see if it has been moved instead of rechecking ->d_parent. NOTE: we are *NOT* going to retry on any kind of ->d_seq mismatch; we just go into the slow path in such case. We don't wait for ->d_seq to become even either - again, if we are racing with renames, we can bloody well go to slow path anyway. Signed-off-by: Al Viro Signed-off-by: Sasha Levin --- fs/dcache.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/fs/dcache.c b/fs/dcache.c index e88cf0554e659..b2a7f1765f0b1 100644 --- a/fs/dcache.c +++ b/fs/dcache.c @@ -903,17 +903,19 @@ struct dentry *dget_parent(struct dentry *dentry) { int gotref; struct dentry *ret; + unsigned seq; /* * Do optimistic parent lookup without any * locking. */ rcu_read_lock(); + seq = raw_seqcount_begin(&dentry->d_seq); ret = READ_ONCE(dentry->d_parent); gotref = lockref_get_not_zero(&ret->d_lockref); rcu_read_unlock(); if (likely(gotref)) { - if (likely(ret == READ_ONCE(dentry->d_parent))) + if (!read_seqcount_retry(&dentry->d_seq, seq)) return ret; dput(ret); } -- 2.25.1