提交 2e197f58 编写于 作者: A Al Viro 提交者: Jeffle Xu

fix dget_parent() fastpath race

fix #27211210

commit e84009336711d2bba885fc9cea66348ddfce3758 upstream.

We are overoptimistic about taking the fast path there; seeing
the same value in ->d_parent after having grabbed a reference
to that parent does *not* mean that it has remained our parent
all along.

That wouldn't be a big deal (in the end it is our parent and
we have grabbed the reference we are about to return), but...
the situation with barriers is messed up.

We might have hit the following sequence:

d is a dentry of /tmp/a/b
CPU1:					CPU2:
parent = d->d_parent (i.e. dentry of /tmp/a)
					rename /tmp/a/b to /tmp/b
					rmdir /tmp/a, making its dentry negative
grab reference to parent,
end up with cached parent->d_inode (NULL)
					mkdir /tmp/a, rename /tmp/b to /tmp/a/b
recheck d->d_parent, which is back to original
decide that everything's fine and return the reference we'd got.

The trouble is, caller (on CPU1) will observe dget_parent()
returning an apparently negative dentry.  It actually is positive,
but CPU1 has stale ->d_inode cached.

Use d->d_seq to see if it has been moved instead of rechecking ->d_parent.
NOTE: we are *NOT* going to retry on any kind of ->d_seq mismatch;
we just go into the slow path in such case.  We don't wait for ->d_seq
to become even either - again, if we are racing with renames, we
can bloody well go to slow path anyway.
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
Signed-off-by: NJeffle Xu <jefflexu@linux.alibaba.com>
Acked-by: NJoseph Qi <joseph.qi@linux.alibaba.com>
上级 ec6880e8
...@@ -864,17 +864,19 @@ struct dentry *dget_parent(struct dentry *dentry) ...@@ -864,17 +864,19 @@ struct dentry *dget_parent(struct dentry *dentry)
{ {
int gotref; int gotref;
struct dentry *ret; struct dentry *ret;
unsigned seq;
/* /*
* Do optimistic parent lookup without any * Do optimistic parent lookup without any
* locking. * locking.
*/ */
rcu_read_lock(); rcu_read_lock();
seq = raw_seqcount_begin(&dentry->d_seq);
ret = READ_ONCE(dentry->d_parent); ret = READ_ONCE(dentry->d_parent);
gotref = lockref_get_not_zero(&ret->d_lockref); gotref = lockref_get_not_zero(&ret->d_lockref);
rcu_read_unlock(); rcu_read_unlock();
if (likely(gotref)) { if (likely(gotref)) {
if (likely(ret == READ_ONCE(dentry->d_parent))) if (!read_seqcount_retry(&dentry->d_seq, seq))
return ret; return ret;
dput(ret); dput(ret);
} }
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册