fs/file.c: __fget() and dup2() atomicity rules

Message ID	1435590630.4110.107.camel@edumazet-glaptop2.roam.corp.google.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-fsdevel-owner@kernel.org> Message-ID: <1435590630.4110.107.camel@edumazet-glaptop2.roam.corp.google.com> Subject: [PATCH] fs/file.c: __fget() and dup2() atomicity rules From: Eric Dumazet <eric.dumazet@gmail.com> To: Al Viro <viro@zeniv.linux.org.uk> Cc: Andrew Morton <akpm@linux-foundation.org>, "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>, Dmitry Vyukov <dvyukov@google.com>, Eric Dumazet <edumazet@google.com>, linux-fsdevel@vger.kernel.org Date: Mon, 29 Jun 2015 17:10:30 +0200 Content-Type: text/plain; charset="UTF-8" Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk

Message ID

1435590630.4110.107.camel@edumazet-glaptop2.roam.corp.google.com (mailing list archive)

State

New, archived

Headers

Message-ID: <1435590630.4110.107.camel@edumazet-glaptop2.roam.corp.google.com>
Subject: [PATCH] fs/file.c: __fget() and dup2() atomicity rules
From: Eric Dumazet <eric.dumazet@gmail.com>
To: Al Viro <viro@zeniv.linux.org.uk>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	Dmitry Vyukov <dvyukov@google.com>, Eric Dumazet <edumazet@google.com>,
	linux-fsdevel@vger.kernel.org
Date: Mon, 29 Jun 2015 17:10:30 +0200
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Sender: linux-fsdevel-owner@vger.kernel.org
Precedence: bulk

Commit Message

Eric Dumazet June 29, 2015, 3:10 p.m. UTC

From: Eric Dumazet <edumazet@google.com>

__fget() makes sure a file refcount is not zero before
taking a reference. It should also fetch again file pointer
in order to respect dup2() atomicity requirements.

It should either read a NULL pointer or a file on which
a refcount can be taken.

Dmitry had following test failing sometimes :

#include <pthread.h>
#include <stdio.h>
#include <unistd.h>
#include <errno.h>
#include <fcntl.h>

int fd;
void *Thread(void *x) {
  char buf;
  int n = read(fd, &buf, 1);
  if (n != 1)
    exit(printf("read failed: n=%d errno=%d\n", n, errno));
  return 0;
}

int main()
{
  fd = open("/dev/urandom", O_RDONLY);
  int fd2 = open("/dev/urandom", O_RDONLY);
  if (fd == -1 || fd2 == -1)
    exit(printf("open failed\n"));
  pthread_t th;
  pthread_create(&th, 0, Thread, 0);
  if (dup2(fd2, fd) == -1)
    exit(printf("dup2 failed\n"));
  pthread_join(th, 0);
  if (close(fd) == -1)
    exit(printf("close failed\n"));
  if (close(fd2) == -1)
    exit(printf("close failed\n"));
  printf("DONE\n");
  return 0;
}


Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
---
 fs/file.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)




--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Al Viro June 29, 2015, 5:46 p.m. UTC | #1

On Mon, Jun 29, 2015 at 05:10:30PM +0200, Eric Dumazet wrote:
> From: Eric Dumazet <edumazet@google.com>
> 
> __fget() makes sure a file refcount is not zero before
> taking a reference. It should also fetch again file pointer
> in order to respect dup2() atomicity requirements.
> 
> It should either read a NULL pointer or a file on which
> a refcount can be taken.

Hmm...   The problem is real, but I wonder if one could trigger a long
spin there...
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Eric Dumazet June 30, 2015, 5:02 a.m. UTC | #2

On Mon, 2015-06-29 at 18:46 +0100, Al Viro wrote:
> On Mon, Jun 29, 2015 at 05:10:30PM +0200, Eric Dumazet wrote:
> > From: Eric Dumazet <edumazet@google.com>
> > 
> > __fget() makes sure a file refcount is not zero before
> > taking a reference. It should also fetch again file pointer
> > in order to respect dup2() atomicity requirements.
> > 
> > It should either read a NULL pointer or a file on which
> > a refcount can be taken.
> 
> Hmm...   The problem is real, but I wonder if one could trigger a long
> spin there...

I do not believe we can spin a long time.

By the time do_dup2() calls filp_close(tofree, files), we already have a
stable fdt->fd[fd], because of spin_unlock(&files->file_lock) was called
before filp_close()

A loop would require threads doing dup2() calls like crazy on same
destination fd.





--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/fs/file.c b/fs/file.c
index 93c5f89c248b..492bd74c4433 100644
--- a/fs/file.c
+++ b/fs/file.c
@@ -635,11 +635,17 @@  static struct file *__fget(unsigned int fd, fmode_t mask)
 	struct file *file;
 
 	rcu_read_lock();
+loop:
 	file = fcheck_files(files, fd);
 	if (file) {
-		/* File object ref couldn't be taken */
-		if ((file->f_mode & mask) || !get_file_rcu(file))
+		/* File object ref couldn't be taken.
+		 * dup2() atomicity guarantee is the reason
+		 * we loop to catch the new file (or NULL pointer)
+		 */
+		if (file->f_mode & mask)
 			file = NULL;
+		else if (!get_file_rcu(file))
+			goto loop;
 	}
 	rcu_read_unlock();

fs/file.c: __fget() and dup2() atomicity rules

Commit Message

Comments

Patch