fs: consistently deref the files table with rcu_dereference_raw()
[ Upstream commitf381640e1b] ... except when the table is known to be only used by one thread. A file pointer can get installed at any moment despite the ->file_lock being held since the following:8a81252b77("fs/file.c: don't acquire files->file_lock in fd_install()") Accesses subject to such a race can in principle suffer load tearing. While here redo the comment in dup_fd -- it only covered a race against files showing up, still assuming fd_install() takes the lock. Signed-off-by: Mateusz Guzik <mjguzik@gmail.com> Link: https://lore.kernel.org/r/20250313135725.1320914-1-mjguzik@gmail.com Signed-off-by: Christian Brauner <brauner@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> (cherry picked from commit 323960a187a9622d9006484ff6635680d3a0118f)
This commit is contained in:
Mateusz Guzik
Wentao Guan
parent
83017988bd
commit
52538be9b3
26
fs/file.c
26
fs/file.c
|
|
@ -364,17 +364,25 @@ struct files_struct *dup_fd(struct files_struct *oldf, struct fd_range *punch_ho
|
|||
old_fds = old_fdt->fd;
|
||||
new_fds = new_fdt->fd;
|
||||
|
||||
/*
|
||||
* We may be racing against fd allocation from other threads using this
|
||||
* files_struct, despite holding ->file_lock.
|
||||
*
|
||||
* alloc_fd() might have already claimed a slot, while fd_install()
|
||||
* did not populate it yet. Note the latter operates locklessly, so
|
||||
* the file can show up as we are walking the array below.
|
||||
*
|
||||
* At the same time we know no files will disappear as all other
|
||||
* operations take the lock.
|
||||
*
|
||||
* Instead of trying to placate userspace racing with itself, we
|
||||
* ref the file if we see it and mark the fd slot as unused otherwise.
|
||||
*/
|
||||
for (i = open_files; i != 0; i--) {
|
||||
struct file *f = *old_fds++;
|
||||
struct file *f = rcu_dereference_raw(*old_fds++);
|
||||
if (f) {
|
||||
get_file(f);
|
||||
} else {
|
||||
/*
|
||||
* The fd may be claimed in the fd bitmap but not yet
|
||||
* instantiated in the files array if a sibling thread
|
||||
* is partway through open(). So make sure that this
|
||||
* fd is available to the new process.
|
||||
*/
|
||||
__clear_open_fd(open_files - i, new_fdt);
|
||||
}
|
||||
rcu_assign_pointer(*new_fds++, f);
|
||||
|
|
@ -631,7 +639,7 @@ static struct file *pick_file(struct files_struct *files, unsigned fd)
|
|||
return NULL;
|
||||
|
||||
fd = array_index_nospec(fd, fdt->max_fds);
|
||||
file = fdt->fd[fd];
|
||||
file = rcu_dereference_raw(fdt->fd[fd]);
|
||||
if (file) {
|
||||
rcu_assign_pointer(fdt->fd[fd], NULL);
|
||||
__put_unused_fd(files, fd);
|
||||
|
|
@ -1102,7 +1110,7 @@ __releases(&files->file_lock)
|
|||
*/
|
||||
fdt = files_fdtable(files);
|
||||
fd = array_index_nospec(fd, fdt->max_fds);
|
||||
tofree = fdt->fd[fd];
|
||||
tofree = rcu_dereference_raw(fdt->fd[fd]);
|
||||
if (!tofree && fd_is_open(fd, fdt))
|
||||
goto Ebusy;
|
||||
get_file(file);
|
||||
|
|
|
|||
Loading…
Reference in New Issue