ext4: fix races in ext4_sync_parent()
authorTheodore Ts'o <tytso@mit.edu>
Sat, 30 Jul 2011 16:34:19 +0000 (12:34 -0400)
committerTheodore Ts'o <tytso@mit.edu>
Sat, 30 Jul 2011 16:34:19 +0000 (12:34 -0400)
Fix problems if fsync() races against a rename of a parent directory
as pointed out by Al Viro in his own inimitable way:

>While we are at it, could somebody please explain what the hell is ext4
>doing in
>static int ext4_sync_parent(struct inode *inode)
>{
>        struct writeback_control wbc;
>        struct dentry *dentry = NULL;
>        int ret = 0;
>
>        while (inode && ext4_test_inode_state(inode, EXT4_STATE_NEWENTRY)) {
>                ext4_clear_inode_state(inode, EXT4_STATE_NEWENTRY);
>                dentry = list_entry(inode->i_dentry.next,
>                                    struct dentry, d_alias);
>                if (!dentry || !dentry->d_parent || !dentry->d_parent->d_inode)
>                        break;
>                inode = dentry->d_parent->d_inode;
>                ret = sync_mapping_buffers(inode->i_mapping);
>                ...
>Note that dentry obviously can't be NULL there.  dentry->d_parent is never
>NULL.  And dentry->d_parent would better not be negative, for crying out
>loud!  What's worse, there's no guarantees that dentry->d_parent will
>remain our parent over that sync_mapping_buffers() *and* that inode won't
>just be freed under us (after rename() and memory pressure leading to
>eviction of what used to be our dentry->d_parent)......

Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
fs/ext4/fsync.c

index ce66d2fe826cbdf99389dea50aa3f72240e911d9..f9dbe33cde5e9e1e605268dd3f05b9f31a5de6af 100644 (file)
@@ -129,15 +129,30 @@ static int ext4_sync_parent(struct inode *inode)
 {
        struct writeback_control wbc;
        struct dentry *dentry = NULL;
+       struct inode *next;
        int ret = 0;
 
-       while (inode && ext4_test_inode_state(inode, EXT4_STATE_NEWENTRY)) {
+       if (!ext4_test_inode_state(inode, EXT4_STATE_NEWENTRY))
+               return 0;
+       inode = igrab(inode);
+       while (ext4_test_inode_state(inode, EXT4_STATE_NEWENTRY)) {
                ext4_clear_inode_state(inode, EXT4_STATE_NEWENTRY);
-               dentry = list_entry(inode->i_dentry.next,
-                                   struct dentry, d_alias);
-               if (!dentry || !dentry->d_parent || !dentry->d_parent->d_inode)
+               dentry = NULL;
+               spin_lock(&inode->i_lock);
+               if (!list_empty(&inode->i_dentry)) {
+                       dentry = list_first_entry(&inode->i_dentry,
+                                                 struct dentry, d_alias);
+                       dget(dentry);
+               }
+               spin_unlock(&inode->i_lock);
+               if (!dentry)
+                       break;
+               next = igrab(dentry->d_parent->d_inode);
+               dput(dentry);
+               if (!next)
                        break;
-               inode = dentry->d_parent->d_inode;
+               iput(inode);
+               inode = next;
                ret = sync_mapping_buffers(inode->i_mapping);
                if (ret)
                        break;
@@ -148,6 +163,7 @@ static int ext4_sync_parent(struct inode *inode)
                if (ret)
                        break;
        }
+       iput(inode);
        return ret;
 }