configfs: Fix race between configfs_readdir() and configfs_d_iput()

configfs_readdir() will use the existing inode numbers of inodes in the dcache, but it makes them up for attribute files that aren't currently instantiated. There is a race where a closing attribute file can be tearing down at the same time as configfs_readdir() is trying to get its inode number. We want to get the inode number of open attribute files, because they should match while instantiated. We can't lock down the transition where dentry->d_inode is set to NULL, so we just check for NULL there. We can, however, ensure that an inode we find isn't iput() in configfs_d_iput() until after we've accessed it. Signed-off-by: Joel Becker <jlbec@evilplan.org>
author: Joel Becker <jlbec@evilplan.org> 2011-05-18 07:08:16 -0400
committer: Joel Becker <jlbec@evilplan.org> 2011-05-18 07:08:16 -0400
commit: 24307aa1e707b31613be92deaba7990e16bc1aec (patch)
tree: 6699c969a7f56c2b7949bf16af54320caee0687e /fs
parent: df7f99670a4c76f269ae57ce91876b309417a316 (diff)
1 files changed, 28 insertions, 5 deletions
diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c
index b11d7342eef2..9a37a9b6de3a 100644
--- a/fs/configfs/dir.c
+++ b/fs/configfs/dir.c
@@ -53,11 +53,14 @@ DEFINE_SPINLOCK(configfs_dirent_lock);
 static void configfs_d_iput(struct dentry * dentry,
                            struct inode * inode)
 {
-        struct configfs_dirent * sd = dentry->d_fsdata;
+        struct configfs_dirent *sd = dentry->d_fsdata;
        if (sd) {
                BUG_ON(sd->s_dentry != dentry);
+                /* Coordinate with configfs_readdir */
+                spin_lock(&configfs_dirent_lock);
                sd->s_dentry = NULL;
+                spin_unlock(&configfs_dirent_lock);
                configfs_put(sd);
        }
        iput(inode);
@@ -1546,7 +1549,7 @@ static int configfs_readdir(struct file * filp, void * dirent, filldir_t filldir
        struct configfs_dirent * parent_sd = dentry->d_fsdata;
        struct configfs_dirent *cursor = filp->private_data;
        struct list_head *p, *q = &cursor->s_sibling;
-        ino_t ino;
+        ino_t ino = 0;
        int i = filp->f_pos;
        switch (i) {
@@ -1574,6 +1577,7 @@ static int configfs_readdir(struct file * filp, void * dirent, filldir_t filldir
                                struct configfs_dirent *next;
                                const char * name;
                                int len;
+                                struct inode *inode = NULL;
                                next = list_entry(p, struct configfs_dirent,
                                                   s_sibling);
@@ -1582,9 +1586,28 @@ static int configfs_readdir(struct file * filp, void * dirent, filldir_t filldir
                                name = configfs_get_name(next);
                                len = strlen(name);
-                                if (next->s_dentry)
-                                        ino = next->s_dentry->d_inode->i_ino;
+                                /*
-                                else
+                                 * We'll have a dentry and an inode for
+                                 * PINNED items and for open attribute
+                                 * files.  We lock here to prevent a race
+                                 * with configfs_d_iput() clearing
+                                 * s_dentry before calling iput().
+                                 *
+                                 * Why do we go to the trouble?  If
+                                 * someone has an attribute file open,
+                                 * the inode number should match until
+                                 * they close it.  Beyond that, we don't
+                                 * care.
+                                 */
+                                spin_lock(&configfs_dirent_lock);
+                                dentry = next->s_dentry;
+                                if (dentry)
+                                        inode = dentry->d_inode;
+                                if (inode)
+                                        ino = inode->i_ino;
+                                spin_unlock(&configfs_dirent_lock);
+                                if (!inode)
                                        ino = iunique(configfs_sb, 2);
                                if (filldir(dirent, name, len, filp->f_pos, ino,
author	Joel Becker <jlbec@evilplan.org>	2011-05-18 07:08:16 -0400
committer	Joel Becker <jlbec@evilplan.org>	2011-05-18 07:08:16 -0400
commit	24307aa1e707b31613be92deaba7990e16bc1aec (patch)
tree	6699c969a7f56c2b7949bf16af54320caee0687e /fs
parent	df7f99670a4c76f269ae57ce91876b309417a316 (diff)

diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c index b11d7342eef2..9a37a9b6de3a 100644 --- a/fs/configfs/dir.c +++ b/fs/configfs/dir.c
@@ -53,11 +53,14 @@ DEFINE_SPINLOCK(configfs_dirent_lock);
53	static void configfs_d_iput(struct dentry * dentry,	53	static void configfs_d_iput(struct dentry * dentry,
54	struct inode * inode)	54	struct inode * inode)
55	{	55	{
56	struct configfs_dirent * sd = dentry->d_fsdata;	56	struct configfs_dirent *sd = dentry->d_fsdata;
57		57
58	if (sd) {	58	if (sd) {
59	BUG_ON(sd->s_dentry != dentry);	59	BUG_ON(sd->s_dentry != dentry);
		60	/* Coordinate with configfs_readdir */
		61	spin_lock(&configfs_dirent_lock);
60	sd->s_dentry = NULL;	62	sd->s_dentry = NULL;
		63	spin_unlock(&configfs_dirent_lock);
61	configfs_put(sd);	64	configfs_put(sd);
62	}	65	}
63	iput(inode);	66	iput(inode);
@@ -1546,7 +1549,7 @@ static int configfs_readdir(struct file * filp, void * dirent, filldir_t filldir
1546	struct configfs_dirent * parent_sd = dentry->d_fsdata;	1549	struct configfs_dirent * parent_sd = dentry->d_fsdata;
1547	struct configfs_dirent *cursor = filp->private_data;	1550	struct configfs_dirent *cursor = filp->private_data;
1548	struct list_head p, q = &cursor->s_sibling;	1551	struct list_head p, q = &cursor->s_sibling;
1549	ino_t ino;	1552	ino_t ino = 0;
1550	int i = filp->f_pos;	1553	int i = filp->f_pos;
1551		1554
1552	switch (i) {	1555	switch (i) {
@@ -1574,6 +1577,7 @@ static int configfs_readdir(struct file * filp, void * dirent, filldir_t filldir
1574	struct configfs_dirent *next;	1577	struct configfs_dirent *next;
1575	const char * name;	1578	const char * name;
1576	int len;	1579	int len;
		1580	struct inode *inode = NULL;
1577		1581
1578	next = list_entry(p, struct configfs_dirent,	1582	next = list_entry(p, struct configfs_dirent,
1579	s_sibling);	1583	s_sibling);
@@ -1582,9 +1586,28 @@ static int configfs_readdir(struct file * filp, void * dirent, filldir_t filldir
1582		1586
1583	name = configfs_get_name(next);	1587	name = configfs_get_name(next);
1584	len = strlen(name);	1588	len = strlen(name);
1585	if (next->s_dentry)	1589
1586	ino = next->s_dentry->d_inode->i_ino;	1590	/*
1587	else	1591	* We'll have a dentry and an inode for
		1592	* PINNED items and for open attribute
		1593	* files. We lock here to prevent a race
		1594	* with configfs_d_iput() clearing
		1595	* s_dentry before calling iput().
		1596	*
		1597	* Why do we go to the trouble? If
		1598	* someone has an attribute file open,
		1599	* the inode number should match until
		1600	* they close it. Beyond that, we don't
		1601	* care.
		1602	*/
		1603	spin_lock(&configfs_dirent_lock);
		1604	dentry = next->s_dentry;
		1605	if (dentry)
		1606	inode = dentry->d_inode;
		1607	if (inode)
		1608	ino = inode->i_ino;
		1609	spin_unlock(&configfs_dirent_lock);
		1610	if (!inode)
1588	ino = iunique(configfs_sb, 2);	1611	ino = iunique(configfs_sb, 2);
1589		1612
1590	if (filldir(dirent, name, len, filp->f_pos, ino,	1613	if (filldir(dirent, name, len, filp->f_pos, ino,