Re: [PATCH linux-2.6 03/04] brsem: fix ro-remount <-> open race condition

03_brsem_fix-remount-open-race.patch

	A file can be opened rw while ro-remounting is in progress
	resulting in open rw file on ro mounted filesystem.  This
	patch kills the race by making permission check and the rest
	of open atomic w.r.t. remounting.  Other file operations also
	have this race condition and should be fixed in similar
	manner.

Signed-off-by: Tejun Heo <[email protected]>

 namei.c |   11 ++++++++++-
 open.c  |   12 ++++++++++--
 2 files changed, 20 insertions(+), 3 deletions(-)

Index: linux-work/fs/namei.c
===================================================================
--- linux-work.orig/fs/namei.c	2005-09-25 15:26:32.000000000 +0900
+++ linux-work/fs/namei.c	2005-09-25 15:42:04.000000000 +0900
@@ -1412,6 +1412,12 @@ int may_open(struct nameidata *nd, int a
  *			  11 - read/write permissions needed
  * which is a lot more logical, and also allows the "no perm" needed
  * for symlinks (where the permissions are checked later).
+ *
+ * nd->mnt->mnt_sb->s_umount brsem is read-locked on successful return
+ * from this function.  This is to make permission checking and the
+ * actual open operation atomic w.r.t. remounting.  The caller must
+ * release s_umount after open is complete.
+ *
  * SMP-safe
  */
 int open_namei(const char * pathname, int flag, int mode, struct nameidata *nd)
@@ -1512,9 +1518,12 @@ do_last:
 	if (path.dentry->d_inode && S_ISDIR(path.dentry->d_inode->i_mode))
 		goto exit;
 ok:
+	brsem_down_read(nd->mnt->mnt_sb->s_umount);
 	error = may_open(nd, acc_mode, flag);
-	if (error)
+	if (error) {
+		brsem_up_read(nd->mnt->mnt_sb->s_umount);
 		goto exit;
+	}
 	return 0;
 
 exit_dput:
Index: linux-work/fs/open.c
===================================================================
--- linux-work.orig/fs/open.c	2005-09-25 15:26:32.000000000 +0900
+++ linux-work/fs/open.c	2005-09-25 15:42:04.000000000 +0900
@@ -828,8 +828,16 @@ struct file *filp_open(const char * file
 		return ERR_PTR(error);
 
 	error = open_namei(filename, namei_flags, mode, &nd);
-	if (!error)
-		return __dentry_open(nd.dentry, nd.mnt, flags, f);
+	if (!error) {
+		f = __dentry_open(nd.dentry, nd.mnt, flags, f);
+		/*
+		 * On successful return from open_namei(), s_umount is
+		 * read-locked, see comment above open_namei() for
+		 * more information.
+		 */
+		brsem_up_read(nd.mnt->mnt_sb->s_umount);
+		return f;
+	}
 
 	put_filp(f);
 	return ERR_PTR(error);

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

---

• References:
  • [PATCH linux-2.6 00/04] brsem: [RFC] big reader semaphore
    • From: Tejun Heo <[email protected]>

• Prev by Date: [PATCH linux-2.6 00/04] brsem: [RFC] big reader semaphore
• Next by Date: Re: [PATCH linux-2.6 02/04] brsem: convert super_block->s_umount to brsem
• Previous by thread: Re: [PATCH linux-2.6 04/04] brsem: convert cpucontrol to brsem
• Next by thread: Re: [PATCH linux-2.6 02/04] brsem: convert super_block->s_umount to brsem
• Index(es):
  • Date
  • Thread

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]