Linux-mtd Archive on lore.kernel.org
 help / color / Atom feed
From: Hou Tao <houtao1@huawei.com>
To: Richard Weinberger <richard@nod.at>, <linux-mtd@lists.infradead.org>
Cc: houtao1@huawei.com
Subject: [PATCH 3/3] ubifs: ensure only one in-memory xattr inode is created
Date: Tue, 30 Jun 2020 21:04:38 +0800
Message-ID: <20200630130438.141649-4-houtao1@huawei.com> (raw)
In-Reply-To: <20200630130438.141649-1-houtao1@huawei.com>

ubifs may create two in-memory inodes for one xattr if
there are concurrent ubifs_xattr_get() and ubifs_xattr_set(),
as show in the following case:

ubifs_xattr_get()              ubifs_xattr_set()
                                 // the first created inode A
                                 // fill inode A
                                 ubifs_new_inode()
                                 ubifs_jnl_update()
                                   // mapping xattr name to inum
                                   ubifs_tnc_add_nm()
                                   // add xattr inode node
                                   ubifs_tnc_add()

  // find inum through xattr name
  ubifs_tnc_lookup_nm()
  iget_xattr()
    ubifs_iget()
      // not found in hash table
      // so create a new inode B
      // and keep it in hash table
      iget_locked()
      // find xattr inode node
      // fill inode B
      ubifs_tnc_lookup
      unlock_new_inode
                                 // inode A is also inserted into
                                 // hash table

If we update the xattr value afterwards, only the values in inode A will
be updated. So when we ty to remove the xattr name, and in the same
time get the xattr name, ubifs_xattr_get() may return the stale value
in inode B, as show in the following case:

ubifs_xattr_get()              ubifs_xattr_remove()

// get xattr inum
ubifs_tnc_lookup_nm()
				// return inode A
				iget_xattr()
				clear_nlink()
				remove_xattr()
				iput()
				  evict()
				    ubifs_evict_inode()
				    remove_inode_hash()
// return inode B
// return a stale xattr value
iget_xattr()

Fix it by moving insert_inode_hash() before ubifs_jnl_update(),
but after the initialization of inode is completed, so only
one inode is created for xattr value.

Signed-off-by: Hou Tao <houtao1@huawei.com>
---
 fs/ubifs/xattr.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/fs/ubifs/xattr.c b/fs/ubifs/xattr.c
index 82be2c2d2db5..10fcb454bb01 100644
--- a/fs/ubifs/xattr.c
+++ b/fs/ubifs/xattr.c
@@ -133,6 +133,15 @@ static int create_xattr(struct ubifs_info *c, struct inode *host,
 	inode->i_size = ui->ui_size = size;
 	ui->data_len = size;
 
+	/*
+	 * Ensure iget_xattr() in ubifs_xattr_get() will find the inode
+	 * instead of creating a new one.
+	 * The initialization of xattr inode is completed here, so using
+	 * insert_inode_hash() instead of insert_inode_locked(). The
+	 * latter can lead to iget_xattr() return -ESTALE.
+	 */
+	insert_inode_hash(inode);
+
 	mutex_lock(&host_ui->ui_mutex);
 	host->i_ctime = current_time(host);
 	host_ui->xattr_cnt += 1;
@@ -156,7 +165,6 @@ static int create_xattr(struct ubifs_info *c, struct inode *host,
 	mutex_unlock(&host_ui->ui_mutex);
 
 	ubifs_release_budget(c, &req);
-	insert_inode_hash(inode);
 	iput(inode);
 	return 0;
 
-- 
2.25.0.4.g0ad7144999


______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/

  parent reply index

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-06-30 13:04 [PATCH 0/3] fixes for ubifs xattr operations Hou Tao
2020-06-30 13:04 ` [PATCH 1/3] ubifs: check the remaining name buffer during xattr list Hou Tao
2020-06-30 13:04 ` [PATCH 2/3] ubifs: protect assertion of xattr value size by ui_mutex during xattr get Hou Tao
2020-06-30 13:04 ` Hou Tao [this message]
2020-06-30 13:15 ` [PATCH 0/3] fixes for ubifs xattr operations Richard Weinberger
2020-07-01  1:11   ` Hou Tao

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200630130438.141649-4-houtao1@huawei.com \
    --to=houtao1@huawei.com \
    --cc=linux-mtd@lists.infradead.org \
    --cc=richard@nod.at \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-mtd Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-mtd/0 linux-mtd/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-mtd linux-mtd/ https://lore.kernel.org/linux-mtd \
		linux-mtd@lists.infradead.org
	public-inbox-index linux-mtd

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.infradead.lists.linux-mtd


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git