On Fri, 31 Aug 2001, Alexander Viro wrote:
> > In 2.4.9, I have encountered a strange condition while playing with file
> > structs chained on a superblock list (sb->s_files) : some of them can have
> > a NULL f_dentry pointer. The only case I found which can cause this is
> > when fput is called and f_count drops to zero. Is that the only case ?
>
> Yes, it is, and yes, it's legitimate - code that scans that list should
> (and in-tree one does) deal with such case.
AFAICT fput (and also dentry_open, BTW) nullifies f_dentry without any
lock held, so code that scans the list (such as fs_may_remount_ro, I
haven't looked for other instances) can never assume that a file struct
found in the list has or even will keep what looks like a valid f_dentry.
> fs_may_remount_ro() is, indeed, racy and had been since very long.
Sure, let's consider code in fs_may_remount_ro :
file_list_lock();
/* loop over files in sb->s_files */
if (!file->f_dentry)
continue;
/* now a concurrent fput may set f_dentry to NULL */
inode = file->f_dentry->d_inode; /* oops */
Maybe the file struct should be removed from the list /before/ f_dentry is
assigned NULL ?
> However, the main problem is not in opening something after the
> check - the check itself is not exact enough.
I agree fs_may_remount_ro can report wrong results (ie. "you may remount
ro" while you really can't) because of how it is used, but as stated
above, I think it also has a small but real potential for directly
crashing the system, and should be fixed.
-- Jean-Marc Saffroy - Research Engineer - Silicomp Research Institute mailto:saffroy@ri.silicomp.fr- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Fri Sep 07 2001 - 21:00:22 EST