[PATCH][BUGFIX] configfs: Fix symlink() to a removing item

From: Louis Rilling
Date: Mon Jun 16 2008 - 14:09:23 EST

Hi, the following patch fixes the symlink bug I mentioned a few days ago.
Thanks for your comments.

Louis

--
Dr Louis Rilling Kerlabs
Skype: louis.rilling Batiment Germanium
Phone: (+33|0) 6 80 89 08 23 80 avenue des Buttes de Coesmes
http://www.kerlabs.com/ 35700 Rennes
configfs: Fix symlink() to a removing item

[Applies on top of rename() vs rmdir() deadlock fix patchset]

The rule for configfs symlinks is that symlinks always point to valid
config_items, and prevent the target from being removed. However,
configfs_symlink() only checks that it can grab a reference on the target item,
without ensuring that it remains alive until the symlink is correctly attached.

This patch makes configfs_symlink() fail whenever the target is being removed,
using the CONFIGFS_USET_DROPPING flag set by configfs_detach_prep() and
protected by configfs_dirent_lock.

This patch introduces a similar (weird?) behavior as with mkdir failures making
rmdir fail: if symlink() races with rmdir() of the parent directory (or its
youngest user-created ancestor if parent is a default group) or rmdir() of the
target directory, and then fails in configfs_create(), this can make the racing
rmdir() fail despite the concerned directory having no user-created entry (resp.
no symlink pointing to it or one of its default groups) in the end.
If this behavior is found unacceptable, I'll submit a fix in the same spirit as
the racing mkdir() fix.

Signed-off-by: Louis Rilling <Louis.Rilling@xxxxxxxxxxx>
---
fs/configfs/dir.c | 14 +++++++-------
fs/configfs/symlink.c | 6 ++++++
2 files changed, 13 insertions(+), 7 deletions(-)

Index: b/fs/configfs/dir.c
===================================================================
--- a/fs/configfs/dir.c 2008-06-16 19:35:57.000000000 +0200
+++ b/fs/configfs/dir.c 2008-06-16 19:38:47.000000000 +0200
@@ -370,6 +370,9 @@ static int configfs_detach_prep(struct d
struct configfs_dirent *sd;
int ret;

+ /* Mark that we're trying to drop the group */
+ parent_sd->s_type |= CONFIGFS_USET_DROPPING;
+
ret = -EBUSY;
if (!list_empty(&parent_sd->s_links))
goto out;
@@ -385,8 +388,6 @@ static int configfs_detach_prep(struct d
*wait_mutex = &sd->s_dentry->d_inode->i_mutex;
return -EAGAIN;
}
- /* Mark that we're trying to drop the group */
- sd->s_type |= CONFIGFS_USET_DROPPING;

/*
* Yup, recursive. If there's a problem, blame
@@ -414,12 +415,11 @@ static void configfs_detach_rollback(str
struct configfs_dirent *parent_sd = dentry->d_fsdata;
struct configfs_dirent *sd;

- list_for_each_entry(sd, &parent_sd->s_children, s_sibling) {
- if (sd->s_type & CONFIGFS_USET_DEFAULT) {
+ parent_sd->s_type &= ~CONFIGFS_USET_DROPPING;
+
+ list_for_each_entry(sd, &parent_sd->s_children, s_sibling)
+ if (sd->s_type & CONFIGFS_USET_DEFAULT)
configfs_detach_rollback(sd->s_dentry);
- sd->s_type &= ~CONFIGFS_USET_DROPPING;
- }
- }
}

static void detach_attrs(struct config_item * item)
Index: b/fs/configfs/symlink.c
===================================================================
--- a/fs/configfs/symlink.c 2008-06-16 19:43:34.000000000 +0200
+++ b/fs/configfs/symlink.c 2008-06-16 19:47:06.000000000 +0200
@@ -78,6 +78,12 @@ static int create_link(struct config_ite
if (sl) {
sl->sl_target = config_item_get(item);
spin_lock(&configfs_dirent_lock);
+ if (target_sd->s_type & CONFIGFS_USET_DROPPING) {
+ spin_unlock(&configfs_dirent_lock);
+ config_item_put(item);
+ kfree(sl);
+ return -EPERM;
+ }
list_add(&sl->sl_list, &target_sd->s_links);
spin_unlock(&configfs_dirent_lock);
ret = configfs_create_link(sl, parent_item->ci_dentry,

Attachment: signature.asc
Description: Digital signature