From: libaokun@huaweicloud.com
To: netfs@lists.linux.dev
Cc: dhowells@redhat.com, jlayton@kernel.org, zhujia.zj@bytedance.com, jefflexu@linux.alibaba.com, linux-erofs@lists.ozlabs.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, libaokun@huaweicloud.com, Zizhi Wo, Baokun Li
Subject: [PATCH 10/12] cachefiles: Set object to close if ondemand_id < 0 in copen
Date: Wed, 24 Apr 2024 11:39:14 +0800
Message-Id: <20240424033916.2748488-11-libaokun@huaweicloud.com>
In-Reply-To: <20240424033916.2748488-1-libaokun@huaweicloud.com>

From: Zizhi Wo

If copen is maliciously called in the user mode, it may delete the request corresponding to the random id. And the request may not have been read yet.

Note that when the object is set to reopen, the open request will be done with the still reopen state in the above case. As a result, the request corresponding to this object is always skipped in the select_req function, so the read request is never completed and blocks other processes.

Fix this issue by simply setting the object to close if its id < 0 in copen.

Signed-off-by: Zizhi Wo
Signed-off-by: Baokun Li
--- fs/cachefiles/ondemand.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/fs/cachefiles/ondemand.c b/fs/cachefiles/ondemand.c index 7c2d43104120..673e7ad52041 100644 --- a/fs/cachefiles/ondemand.c +++ b/fs/cachefiles/ondemand.c @@ -182,6 +182,7 @@ int cachefiles_ondemand_copen(struct cachefiles_cache *cache, char *args) xas_store(&xas, NULL); xa_unlock(&cache->reqs); + info = req->object->ondemand; /* fail OPEN request if copen format is invalid */ ret = kstrtol(psize, 0, &size); if (ret) { @@ -201,7 +202,6 @@ int cachefiles_ondemand_copen(struct cachefiles_cache *cache, char *args) goto out; } - info = req->object->ondemand; spin_lock(&info->lock); /* The anonymous fd was closed before copen ? */ if (info->ondemand_id == CACHEFILES_ONDEMAND_ID_CLOSED) { @@ -222,6 +222,11 @@ int cachefiles_ondemand_copen(struct cachefiles_cache *cache, char *args) wake_up_all(&cache->daemon_pollwq); out: + spin_lock(&info->lock); + /* Need to set object close to avoid reopen status continuing */ + if (info->ondemand_id == CACHEFILES_ONDEMAND_ID_CLOSED) + cachefiles_ondemand_set_object_close(req->object); + spin_unlock(&info->lock); complete(&req->done); return ret; } -- 2.39.2
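
Review bot: In the hunk at -182,6, the moved `info = req->object->ondemand;` must now execute before every `goto out`, because the code added under `out:` dereferences both `info` and `req->object` unconditionally. The visible context only shows the assignment placed after `xa_unlock(&cache->reqs)`; please confirm that no path can reach `out:` ahead of it, and say in the changelog that the assignment was hoisted for the benefit of the error paths, since the commit message does not mention the move made here and in the -201,7 hunk.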
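
Review bot: In the hunk at -222,6, the check added under `out:` is `info->ondemand_id == CACHEFILES_ONDEMAND_ID_CLOSED`, while the subject and changelog describe the condition as "ondemand_id < 0". Make the code and the description agree, and state which id values the check is meant to cover. The block also runs on the success path that falls through from `wake_up_all(&cache->daemon_pollwq)`, so `info->lock` is taken again on every copen; either restrict it to the error paths or extend the comment to explain why running it after a successful copen is intended.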