Received: by 2002:ab2:7b86:0:b0:1f7:5705:b850 with SMTP id q6csp1149951lqh; Sun, 5 May 2024 19:55:39 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCXaxmBchrpqnMekUAmocaItExurXZ0OxNaQI3yBRsjgiVkk6+vhLoMupDZcHjQf5jkI8MqbNa2rNGqRlRTsLkna2/YS3ZNaD0jQCVxTOQ== X-Google-Smtp-Source: AGHT+IG9ZdafIA6Ha3gqcL/q2M/uRSDnjzdRvHhAxIlRJbW9hdKOp+bcIqOMHXhdRV/mM7T2BnM3 X-Received: by 2002:ac8:5854:0:b0:43a:c494:a048 with SMTP id h20-20020ac85854000000b0043ac494a048mr11843676qth.30.1714964138800; Sun, 05 May 2024 19:55:38 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1714964138; cv=pass; d=google.com; s=arc-20160816; b=jABb9gjii4++n77Q0HHMdCyRjjbXJfRw0xVVD74xoARfh7zZ5b4mArtM6iVtXwbwYe BrOm0wNKkKDVlMrW3vyxL849GtgMpNuVmfAdtSPKEGIm6ob0i1Xq4+0GFEoEeKlszooW ioAHSdzLq+MXb2XFNsFL1FUnLXj2r1RbjtVH62bs7CRwWNtChosJN7s4PZSLsPv3b3tN FTE7hzKKRQKIz6fQAkIdgM7NQ9uVxG1psnapkbhrb1/f70JXia8HstuortCAYEx36HLF bp3NrXpgVghm8vAdHMuc1bCDmFnfXysJUMMdijXI1L23HVJqmXaS0qCHUETVslZ0AHiA veHQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:date:message-id:dkim-signature; bh=CrGqcZcLJICyMvWF8rZt/qyUDBdQ3CBU+SFKDUkHkkY=; fh=iMK7N1JiksCi/0omnYSDfuai+RJNcbpz1q87dv7YUA4=; b=Y8kXcMG8UrGie846HfyS9hE5jJrUipeBIicCGZc1MIGXu5ppR8+yLuISMP6NLYOTcD 7YCBQhBbHghQat413RoN7Qnvyevb4ABobAQw22gNW5QHeWdEGP9pFTcHnh9ygsLOtwEq 5eWkw/Mt2laOBobpx2YaZEiMAGtgJaqNAFjNlXfSKt9LfvTR/Gof6CUfFDVM+qoZ03wG Nyq9v+jwsdaU9TNh8I+Jm3zKVAsXaJY3lfzYmKUkWo81xvV4rgE4CDV/sZ9O4klpGN8l hk2IhECV6OVAAAGSsv2pGnPEV04m78V6hD0nQnQCHDDi0SwdXWk8iA1wQ+X1tkwVryVj ZBNA==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@linux.alibaba.com header.s=default header.b=HROIF9fK; arc=pass (i=1 spf=pass spfdomain=linux.alibaba.com dkim=pass dkdomain=linux.alibaba.com dmarc=pass fromdomain=linux.alibaba.com); spf=pass (google.com: domain of linux-kernel+bounces-169268-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-169268-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.alibaba.com Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223]) by mx.google.com with ESMTPS id cr22-20020a05622a429600b0043b08982564si8628198qtb.643.2024.05.05.19.55.38 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 05 May 2024 19:55:38 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-169268-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223; Authentication-Results: mx.google.com; dkim=pass header.i=@linux.alibaba.com header.s=default header.b=HROIF9fK; arc=pass (i=1 spf=pass spfdomain=linux.alibaba.com dkim=pass dkdomain=linux.alibaba.com dmarc=pass fromdomain=linux.alibaba.com); spf=pass (google.com: domain of linux-kernel+bounces-169268-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-169268-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.alibaba.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 556361C20823 for ; Mon, 6 May 2024 02:55:38 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id A316E4086A; Mon, 6 May 2024 02:55:25 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.alibaba.com header.i=@linux.alibaba.com header.b="HROIF9fK" Received: from out30-112.freemail.mail.aliyun.com (out30-112.freemail.mail.aliyun.com [115.124.30.112]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 426F543156; Mon, 6 May 2024 02:55:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=115.124.30.112 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714964124; cv=none; b=Fm88Ha1jGb6Vcwgs59r7RsH/TZepZdECLFlui5ElPiAlu6IOe6cpiwihWu1EiKdqmLfE6gSOjx17FsRLpnpmdqP9KXruxAegR7eAanxobckUY1k8hQq/kDj26CdEIpqGMSSzWO1xB0AO9Fy+2GBzjV89GS/smCJYHUGw+cZ0lxo= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714964124; c=relaxed/simple; bh=r98WbCzUrGnt3BRZgXs7GZM08gFSR7Lrf/VwzO1OCxY=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=SXq3ZnDAfvtP+hA/9/RpKUxQeCVPzzrwf3PPisyL2f/FN6o/7huyRONTNCb/KZO2mLSrcY145QuYRfltH/vMTf1pBpvN1+ZN0r7KckDJWIyBQ/PQrU1OxK3FMqKR8ENtsDb2YipKUL/RDpUL+87voN4CdXPBsv+d88gmgwjPSEA= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.alibaba.com; spf=pass smtp.mailfrom=linux.alibaba.com; dkim=pass (1024-bit key) header.d=linux.alibaba.com header.i=@linux.alibaba.com header.b=HROIF9fK; arc=none smtp.client-ip=115.124.30.112 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.alibaba.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.alibaba.com DKIM-Signature:v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.alibaba.com; s=default; t=1714964112; h=Message-ID:Date:MIME-Version:Subject:To:From:Content-Type; bh=CrGqcZcLJICyMvWF8rZt/qyUDBdQ3CBU+SFKDUkHkkY=; b=HROIF9fKaNt1HOZeg3e8D45ud7PUEl8MehrMj1X7jb+ERj3OFzJ/ha3gUgprC4tM8fvw7QYRJdJ1Q/sv6z3EZpMPqOdkrPHeL6SPIx23assXkfrzh+fnCR05/mu77pWsLTiww1XUH2hBmPs45zC8w7KytM+HvelPkljrZZtftqs= X-Alimail-AntiSpam:AC=PASS;BC=-1|-1;BR=01201311R331e4;CH=green;DM=||false|;DS=||;FP=0|-1|-1|-1|0|-1|-1|-1;HT=maildocker-contentspam033037067112;MF=jefflexu@linux.alibaba.com;NM=1;PH=DS;RN=9;SR=0;TI=SMTPD_---0W5q-rOV_1714964110; Received: from 30.221.146.217(mailfrom:jefflexu@linux.alibaba.com fp:SMTPD_---0W5q-rOV_1714964110) by smtp.aliyun-inc.com; Mon, 06 May 2024 10:55:11 +0800 Message-ID: <1fef9ab5-ec33-4a14-beb3-ada41a8652b3@linux.alibaba.com> Date: Mon, 6 May 2024 10:55:09 +0800 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH 07/12] cachefiles: add spin_lock for cachefiles_ondemand_info To: libaokun@huaweicloud.com, netfs@lists.linux.dev Cc: dhowells@redhat.com, jlayton@kernel.org, zhujia.zj@bytedance.com, linux-erofs@lists.ozlabs.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Baokun Li References: <20240424033916.2748488-1-libaokun@huaweicloud.com> <20240424033916.2748488-8-libaokun@huaweicloud.com> Content-Language: en-US From: Jingbo Xu In-Reply-To: <20240424033916.2748488-8-libaokun@huaweicloud.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit On 4/24/24 11:39 AM, libaokun@huaweicloud.com wrote: > From: Baokun Li > > The following concurrency may cause a read request to fail to be completed > and result in a hung: > > t1 | t2 > --------------------------------------------------------- > cachefiles_ondemand_copen > req = xa_erase(&cache->reqs, id) > // Anon fd is maliciously closed. > cachefiles_ondemand_fd_release > xa_lock(&cache->reqs) > cachefiles_ondemand_set_object_close(object) > xa_unlock(&cache->reqs) > cachefiles_ondemand_set_object_open > // No one will ever close it again. > cachefiles_ondemand_daemon_read > cachefiles_ondemand_select_req > // Get a read req but its fd is already closed. > // The daemon can't issue a cread ioctl with an closed fd, then hung. > > So add spin_lock for cachefiles_ondemand_info to protect ondemand_id and > state, thus we can avoid the above problem in cachefiles_ondemand_copen() > by using ondemand_id to determine if fd has been released. > > Signed-off-by: Baokun Li This indeed looks like a reasonable scenario where the kernel side should fix, as a non-malicious daemon could also run into this. How about reusing &cache->reqs spinlock rather than introducing a new spinlock, as &cache->reqs spinlock is already held when setting object to close state in cachefiles_ondemand_fd_release()? > --- > fs/cachefiles/internal.h | 1 + > fs/cachefiles/ondemand.c | 16 +++++++++++++++- > 2 files changed, 16 insertions(+), 1 deletion(-) > > diff --git a/fs/cachefiles/internal.h b/fs/cachefiles/internal.h > index 7745b8abc3aa..45c8bed60538 100644 > --- a/fs/cachefiles/internal.h > +++ b/fs/cachefiles/internal.h > @@ -55,6 +55,7 @@ struct cachefiles_ondemand_info { > int ondemand_id; > enum cachefiles_object_state state; > struct cachefiles_object *object; > + spinlock_t lock; > }; > > /* > diff --git a/fs/cachefiles/ondemand.c b/fs/cachefiles/ondemand.c > index 898fab68332b..b5e6a851ef04 100644 > --- a/fs/cachefiles/ondemand.c > +++ b/fs/cachefiles/ondemand.c > @@ -16,13 +16,16 @@ static int cachefiles_ondemand_fd_release(struct inode *inode, > struct cachefiles_object *object = file->private_data; > struct cachefiles_cache *cache = object->volume->cache; > struct cachefiles_ondemand_info *info = object->ondemand; > - int object_id = info->ondemand_id; > + int object_id; > struct cachefiles_req *req; > XA_STATE(xas, &cache->reqs, 0); > > xa_lock(&cache->reqs); > + spin_lock(&info->lock); > + object_id = info->ondemand_id; > info->ondemand_id = CACHEFILES_ONDEMAND_ID_CLOSED; > cachefiles_ondemand_set_object_close(object); > + spin_unlock(&info->lock); > > /* Only flush CACHEFILES_REQ_NEW marked req to avoid race with daemon_read */ > xas_for_each_marked(&xas, req, ULONG_MAX, CACHEFILES_REQ_NEW) { > @@ -127,6 +130,7 @@ int cachefiles_ondemand_copen(struct cachefiles_cache *cache, char *args) > { > struct cachefiles_req *req; > struct fscache_cookie *cookie; > + struct cachefiles_ondemand_info *info; > char *pid, *psize; > unsigned long id; > long size; > @@ -185,6 +189,14 @@ int cachefiles_ondemand_copen(struct cachefiles_cache *cache, char *args) > goto out; > } > > + info = req->object->ondemand; > + spin_lock(&info->lock); > + /* The anonymous fd was closed before copen ? */ I would like describe more details in the comment, e.g. put the time sequence described in the commit message here. > + if (info->ondemand_id == CACHEFILES_ONDEMAND_ID_CLOSED) { > + spin_unlock(&info->lock); > + req->error = -EBADFD; > + goto out; > + } > cookie = req->object->cookie; > cookie->object_size = size; > if (size) > @@ -194,6 +206,7 @@ int cachefiles_ondemand_copen(struct cachefiles_cache *cache, char *args) > trace_cachefiles_ondemand_copen(req->object, id, size); > > cachefiles_ondemand_set_object_open(req->object); > + spin_unlock(&info->lock); > wake_up_all(&cache->daemon_pollwq); > > out: > @@ -596,6 +609,7 @@ int cachefiles_ondemand_init_obj_info(struct cachefiles_object *object, > return -ENOMEM; > > object->ondemand->object = object; > + spin_lock_init(&object->ondemand->lock); > INIT_WORK(&object->ondemand->ondemand_work, ondemand_object_worker); > return 0; > } -- Thanks, Jingbo