Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp5832784rwd; Wed, 24 May 2023 07:21:42 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ5gjbd8HTjZ+WugLuCE0nrF/Q2oj6qh4Pkt8wTa39W0z7U2peHXtJjtriaZgKl/8D7wVT7y X-Received: by 2002:a17:902:ea06:b0:1a1:bf22:2b6e with SMTP id s6-20020a170902ea0600b001a1bf222b6emr20924959plg.43.1684938102341; Wed, 24 May 2023 07:21:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1684938102; cv=none; d=google.com; s=arc-20160816; b=v41nue1rkFVonBy7p+ctMZ/+TFdys9/r/SYiX8fSt01zGsQluATLAzWQvyUOC+23Gi JQVBV0Ixnzt/Ac9UllKerHyG2Vzz9cxgpc5Ci+iq7RnapJDyShUkQqICo2oqSGuEgLmG Feuao+PhHOEuUqp3xj9ma974wui1iHaOr34j6qEZtay2ERFgdg6ZkrIsGYLWB1KOxj0g VLoPHozW0rD+XQ0SHXEVdVe0w1xTwD/pQ3KgDOB7UzPR4UBS+bLFBgiUxdU2zBqxM5/x Us9aTU60D9+/ujKaBFyFURbd1Vb6lV+j6oXsKON/8Gxie0FrHi+YPe9/txFKDRmTk8oQ LUtg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature:dkim-signature; bh=JNyPM6nfC8sYHSUtNotAm4sGTuLQ7z86zDqULPosa9Y=; b=QQZrGdUwmRWIoincBMaBPP4vN7oyt1Sv7lSWq8aMNb/gygdKFetH2aTJbvG9mN7Fwh wW2TfIMOGeiOEsvgOeNlghcOJzn9fw2LX2SjILth8sMIMraibNU/VuU1I6P0af36lX0x 9IfIs4Cb8YDNvQ+wi3ttJx05m6grq0mTdDPv88VJVrgW7Cgmum8NbiH686nP+pQbYArK kxtDsVsyPxx1DiFHF5QXX2tNaBe60nZvYqnpHEGecxOsyq8f7orzbPR8KhY+1sjlDLik MX+rQa44c3ZKJF6pZ1OfX+E9QUm7ZgI2Hsk66ykeZl3Xf4kQfCojJX7ctM/c8iX3GazN 0Flw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@suse.cz header.s=susede2_rsa header.b=h+rjabaX; dkim=neutral (no key) header.i=@suse.cz header.b=JZOviyry; spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id z7-20020a170903018700b001aaecc8a84dsi8632358plg.645.2023.05.24.07.21.26; Wed, 24 May 2023 07:21:42 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@suse.cz header.s=susede2_rsa header.b=h+rjabaX; dkim=neutral (no key) header.i=@suse.cz header.b=JZOviyry; spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230316AbjEXOS6 (ORCPT + 99 others); Wed, 24 May 2023 10:18:58 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53518 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233176AbjEXOS4 (ORCPT ); Wed, 24 May 2023 10:18:56 -0400 Received: from smtp-out2.suse.de (smtp-out2.suse.de [IPv6:2001:67c:2178:6::1d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9A974199; Wed, 24 May 2023 07:18:54 -0700 (PDT) Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by smtp-out2.suse.de (Postfix) with ESMTPS id 490D01F749; Wed, 24 May 2023 14:18:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_rsa; t=1684937933; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=JNyPM6nfC8sYHSUtNotAm4sGTuLQ7z86zDqULPosa9Y=; b=h+rjabaXza2fSgY0toGdYUuzCYo27SJerx5WZwugB9QIAx8uOvT5O5xEFUmbdS7ij7IjHH gaDWBs1HyqSUeiWqOrzzJZ4IYiNPhszwUp05Pdw9S+mOGu+X3lBXmSvwZ30jdH1ZeAWlQG 6xsh1ZR7aSYe55n8pJ0rMIi6AyBceUg= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_ed25519; t=1684937933; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=JNyPM6nfC8sYHSUtNotAm4sGTuLQ7z86zDqULPosa9Y=; b=JZOviyry1t018EhHLOskPZs9QrfUsRDjDHIDy+9ZVfqg3I2zHvgZ/iJ70qcG7ZTqyphBEO Hgx+OnRlyxgcUhCA== Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id 36DD713425; Wed, 24 May 2023 14:18:53 +0000 (UTC) Received: from dovecot-director2.suse.de ([192.168.254.65]) by imap2.suse-dmz.suse.de with ESMTPSA id QJBjDc0cbmTQIwAAMHmgww (envelope-from ); Wed, 24 May 2023 14:18:53 +0000 Received: by quack3.suse.cz (Postfix, from userid 1000) id 9B696A075C; Wed, 24 May 2023 16:18:52 +0200 (CEST) Date: Wed, 24 May 2023 16:18:52 +0200 From: Jan Kara To: Amir Goldstein Cc: Jan Kara , David Laight , Ted Tso , "linux-ext4@vger.kernel.org" , "Darrick J. Wong" , "stable@vger.kernel.org" Subject: Re: [PATCH] ext4: Fix possible corruption when moving a directory with RENAME_EXCHANGE Message-ID: <20230524141852.gu75mudt4snub4ed@quack3> References: <20230523131408.13470-1-jack@suse.cz> <48d1f20b2fc1418080c96a1736f6249b@AcuMS.aculab.com> <20230524105148.wgjj7ayrbeol6cdx@quack3> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: X-Spam-Status: No, score=-3.7 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_HELO_NONE, SPF_SOFTFAIL,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-ext4@vger.kernel.org On Wed 24-05-23 16:11:13, Amir Goldstein wrote: > On Wed, May 24, 2023 at 2:27 PM Jan Kara wrote: > > > > On Tue 23-05-23 13:50:01, David Laight wrote: > > > From: Jan Kara > > > > Sent: 23 May 2023 14:14 > > > > > > > > Commit 0813299c586b ("ext4: Fix possible corruption when moving a > > > > directory") forgot that handling of RENAME_EXCHANGE renames needs the > > > > protection of inode lock when changing directory parents for moved > > > > directories. Add proper locking for that case as well. > > > > > > > > CC: stable@vger.kernel.org > > > > Fixes: 0813299c586b ("ext4: Fix possible corruption when moving a directory") > > > > Reported-by: "Darrick J. Wong" > > > > Signed-off-by: Jan Kara > > > > --- > > > > fs/ext4/namei.c | 23 +++++++++++++++++++++-- > > > > 1 file changed, 21 insertions(+), 2 deletions(-) > > > > > > > > diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c > > > > index 45b579805c95..b91abea1c781 100644 > > > > --- a/fs/ext4/namei.c > > > > +++ b/fs/ext4/namei.c > > > > @@ -4083,10 +4083,25 @@ static int ext4_cross_rename(struct inode *old_dir, struct dentry *old_dentry, > > > > if (retval) > > > > return retval; > > > > > > > > + /* > > > > + * We need to protect against old.inode and new.inode directory getting > > > > + * converted from inline directory format into a normal one. The lock > > > > + * ordering does not matter here as old and new are guaranteed to be > > > > + * incomparable in the directory hierarchy. > > > > + */ > > > > + if (S_ISDIR(old.inode->i_mode)) > > > > + inode_lock(old.inode); > > > > + if (S_ISDIR(new.inode->i_mode)) > > > > + inode_lock_nested(new.inode, I_MUTEX_NONDIR2); > > > > + > > > > > > What happens if there is another concurrent rename from new.inode > > > to old.inode? > > > That will try to acquire the locks in the other order. > > > > That is not really possible because these two renames cannot happen in > > parallel due to VFS locking - either old & new share parent which is locked > > by VFS (so there cannot be another rename in that directory) or they have > > different parents which are also locked by VFS (so again it is not possible > > to race with another rename in these two dirs). > > Unless D1/A ; D1/B are hardlinks of D2/B ; D2/A respectively > and exchange (D1/A, D1/B) is racing with exchange (D2/B, D2/A) Well, but these are *directories*. So no hardlinks possible ;) I agree with regular files we'd have to be more careful but then VFS would take care of the locking anyway. I'm still convinced VFS should be taking care of locking of directories as well but Al disagreed [1] and wants only filesystems that need this to handle the directory locking. > There is a simple solution of course, same as xfs_lock_two_inodes() > > Another possible deadlock (I think) is if D/A ; D/B are subdirs that > are exchanged and after taking inode_lock of D and A, rename comes > in D/B/foo => D/A/foo and lock_rename() tries to > lock_two_directories(B, A). > > So it seems that both lock_two_directories() and to be helper > lock_two_inodes() need to order the two inodes by address? Right, so this case indeed looks possible and I didn't think about it. Thanks for spotting this! Let me try to persuade Al again to do the necessary locking in VFS as it is getting really hairy and needs VFS changes anyway. Honza [1] https://lore.kernel.org/all/Y8bTk1CsH9AaAnLt@ZenIV -- Jan Kara SUSE Labs, CR