[PATCH] Fix file lookup without ref

There are places in the kernel where we look up files in fd tables and access the file structure without holding refereces to the file. So, we need special care to avoid the race between looking up files in the fd table and tearing down of the file in another CPU. Otherwise, one might see a NULL f_dentry or such torn down version of the file. This patch fixes those special places where such a race may happen. Signed-off-by: Dipankar Sarma <dipankar@in.ibm.com> Acked-by: "Paul E. McKenney" <paulmck@us.ibm.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
author: Dipankar Sarma <dipankar@in.ibm.com> 2006-04-19 01:21:46 -0400
committer: Linus Torvalds <torvalds@g5.osdl.org> 2006-04-19 12:13:51 -0400
commit: ca99c1da080345e227cfb083c330a184d42e27f3 (patch)
tree: e417b4c456ae31dc1dde8027b6be44a1a9f19395 /fs/proc
parent: fb30d64568fd8f6a21afef987f11852a109723da (diff)
1 files changed, 15 insertions, 6 deletions
diff --git a/fs/proc/base.c b/fs/proc/base.c
index a3a3eecef689..6cc77dc3f3ff 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -297,16 +297,20 @@ static int proc_fd_link(struct inode *inode, struct dentry **dentry, struct vfsm
        files = get_files_struct(task);
        if (files) {
-                rcu_read_lock();
+                /*
+                 * We are not taking a ref to the file structure, so we must
+                 * hold ->file_lock.
+                 */
+                spin_lock(&files->file_lock);
                file = fcheck_files(files, fd);
                if (file) {
                        *mnt = mntget(file->f_vfsmnt);
                        *dentry = dget(file->f_dentry);
-                        rcu_read_unlock();
+                        spin_unlock(&files->file_lock);
                        put_files_struct(files);
                        return 0;
                }
-                rcu_read_unlock();
+                spin_unlock(&files->file_lock);
                put_files_struct(files);
        }
        return -ENOENT;
@@ -1523,7 +1527,12 @@ static struct dentry *proc_lookupfd(struct inode * dir, struct dentry * dentry,
        if (!files)
                goto out_unlock;
        inode->i_mode = S_IFLNK;
-        rcu_read_lock();
+        /*
+         * We are not taking a ref to the file structure, so we must
+         * hold ->file_lock.
+         */
+        spin_lock(&files->file_lock);
        file = fcheck_files(files, fd);
        if (!file)
                goto out_unlock2;
@@ -1531,7 +1540,7 @@ static struct dentry *proc_lookupfd(struct inode * dir, struct dentry * dentry,
                inode->i_mode |= S_IRUSR | S_IXUSR;
        if (file->f_mode & 2)
                inode->i_mode |= S_IWUSR | S_IXUSR;
-        rcu_read_unlock();
+        spin_unlock(&files->file_lock);
        put_files_struct(files);
        inode->i_op = &proc_pid_link_inode_operations;
        inode->i_size = 64;
@@ -1541,7 +1550,7 @@ static struct dentry *proc_lookupfd(struct inode * dir, struct dentry * dentry,
        return NULL;
 out_unlock2:
-        rcu_read_unlock();
+        spin_unlock(&files->file_lock);
        put_files_struct(files);
 out_unlock:
        iput(inode);
author	Dipankar Sarma <dipankar@in.ibm.com>	2006-04-19 01:21:46 -0400
committer	Linus Torvalds <torvalds@g5.osdl.org>	2006-04-19 12:13:51 -0400
commit	ca99c1da080345e227cfb083c330a184d42e27f3 (patch)
tree	e417b4c456ae31dc1dde8027b6be44a1a9f19395 /fs/proc
parent	fb30d64568fd8f6a21afef987f11852a109723da (diff)

diff --git a/fs/proc/base.c b/fs/proc/base.c index a3a3eecef689..6cc77dc3f3ff 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c
@@ -297,16 +297,20 @@ static int proc_fd_link(struct inode inode, struct dentry *dentry, struct vfsm
297		297
298	files = get_files_struct(task);	298	files = get_files_struct(task);
299	if (files) {	299	if (files) {
300	rcu_read_lock();	300	/*
		301	* We are not taking a ref to the file structure, so we must
		302	* hold ->file_lock.
		303	*/
		304	spin_lock(&files->file_lock);
301	file = fcheck_files(files, fd);	305	file = fcheck_files(files, fd);
302	if (file) {	306	if (file) {
303	*mnt = mntget(file->f_vfsmnt);	307	*mnt = mntget(file->f_vfsmnt);
304	*dentry = dget(file->f_dentry);	308	*dentry = dget(file->f_dentry);
305	rcu_read_unlock();	309	spin_unlock(&files->file_lock);
306	put_files_struct(files);	310	put_files_struct(files);
307	return 0;	311	return 0;
308	}	312	}
309	rcu_read_unlock();	313	spin_unlock(&files->file_lock);
310	put_files_struct(files);	314	put_files_struct(files);
311	}	315	}
312	return -ENOENT;	316	return -ENOENT;
@@ -1523,7 +1527,12 @@ static struct dentry proc_lookupfd(struct inode dir, struct dentry * dentry,
1523	if (!files)	1527	if (!files)
1524	goto out_unlock;	1528	goto out_unlock;
1525	inode->i_mode = S_IFLNK;	1529	inode->i_mode = S_IFLNK;
1526	rcu_read_lock();	1530
		1531	/*
		1532	* We are not taking a ref to the file structure, so we must
		1533	* hold ->file_lock.
		1534	*/
		1535	spin_lock(&files->file_lock);
1527	file = fcheck_files(files, fd);	1536	file = fcheck_files(files, fd);
1528	if (!file)	1537	if (!file)
1529	goto out_unlock2;	1538	goto out_unlock2;
@@ -1531,7 +1540,7 @@ static struct dentry proc_lookupfd(struct inode dir, struct dentry * dentry,
1531	inode->i_mode \|= S_IRUSR \| S_IXUSR;	1540	inode->i_mode \|= S_IRUSR \| S_IXUSR;
1532	if (file->f_mode & 2)	1541	if (file->f_mode & 2)
1533	inode->i_mode \|= S_IWUSR \| S_IXUSR;	1542	inode->i_mode \|= S_IWUSR \| S_IXUSR;
1534	rcu_read_unlock();	1543	spin_unlock(&files->file_lock);
1535	put_files_struct(files);	1544	put_files_struct(files);
1536	inode->i_op = &proc_pid_link_inode_operations;	1545	inode->i_op = &proc_pid_link_inode_operations;
1537	inode->i_size = 64;	1546	inode->i_size = 64;
@@ -1541,7 +1550,7 @@ static struct dentry proc_lookupfd(struct inode dir, struct dentry * dentry,
1541	return NULL;	1550	return NULL;
1542		1551
1543	out_unlock2:	1552	out_unlock2:
1544	rcu_read_unlock();	1553	spin_unlock(&files->file_lock);
1545	put_files_struct(files);	1554	put_files_struct(files);
1546	out_unlock:	1555	out_unlock:
1547	iput(inode);	1556	iput(inode);