License cleanup: add SPDX GPL-2.0 license identifier to files with no license
Many source files in the tree are missing licensing information, which
makes it harder for compliance tools to determine the correct license.
By default all files without license information are under the default
license of the kernel, which is GPL version 2.
Update the files which contain no license information with the 'GPL-2.0'
SPDX license identifier. The SPDX identifier is a legally binding
shorthand, which can be used instead of the full boiler plate text.
This patch is based on work done by Thomas Gleixner and Kate Stewart and
Philippe Ombredanne.
How this work was done:
Patches were generated and checked against linux-4.14-rc6 for a subset of
the use cases:
- file had no licensing information it it.
- file was a */uapi/* one with no licensing information in it,
- file was a */uapi/* one with existing licensing information,
Further patches will be generated in subsequent months to fix up cases
where non-standard license headers were used, and references to license
had to be inferred by heuristics based on keywords.
The analysis to determine which SPDX License Identifier to be applied to
a file was done in a spreadsheet of side by side results from of the
output of two independent scanners (ScanCode & Windriver) producing SPDX
tag:value files created by Philippe Ombredanne. Philippe prepared the
base worksheet, and did an initial spot review of a few 1000 files.
The 4.13 kernel was the starting point of the analysis with 60,537 files
assessed. Kate Stewart did a file by file comparison of the scanner
results in the spreadsheet to determine which SPDX license identifier(s)
to be applied to the file. She confirmed any determination that was not
immediately clear with lawyers working with the Linux Foundation.
Criteria used to select files for SPDX license identifier tagging was:
- Files considered eligible had to be source code files.
- Make and config files were included as candidates if they contained >5
lines of source
- File already had some variant of a license header in it (even if <5
lines).
All documentation files were explicitly excluded.
The following heuristics were used to determine which SPDX license
identifiers to apply.
- when both scanners couldn't find any license traces, file was
considered to have no license information in it, and the top level
COPYING file license applied.
For non */uapi/* files that summary was:
SPDX license identifier # files
---------------------------------------------------|-------
GPL-2.0 11139
and resulted in the first patch in this series.
If that file was a */uapi/* path one, it was "GPL-2.0 WITH
Linux-syscall-note" otherwise it was "GPL-2.0". Results of that was:
SPDX license identifier # files
---------------------------------------------------|-------
GPL-2.0 WITH Linux-syscall-note 930
and resulted in the second patch in this series.
- if a file had some form of licensing information in it, and was one
of the */uapi/* ones, it was denoted with the Linux-syscall-note if
any GPL family license was found in the file or had no licensing in
it (per prior point). Results summary:
SPDX license identifier # files
---------------------------------------------------|------
GPL-2.0 WITH Linux-syscall-note 270
GPL-2.0+ WITH Linux-syscall-note 169
((GPL-2.0 WITH Linux-syscall-note) OR BSD-2-Clause) 21
((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause) 17
LGPL-2.1+ WITH Linux-syscall-note 15
GPL-1.0+ WITH Linux-syscall-note 14
((GPL-2.0+ WITH Linux-syscall-note) OR BSD-3-Clause) 5
LGPL-2.0+ WITH Linux-syscall-note 4
LGPL-2.1 WITH Linux-syscall-note 3
((GPL-2.0 WITH Linux-syscall-note) OR MIT) 3
((GPL-2.0 WITH Linux-syscall-note) AND MIT) 1
and that resulted in the third patch in this series.
- when the two scanners agreed on the detected license(s), that became
the concluded license(s).
- when there was disagreement between the two scanners (one detected a
license but the other didn't, or they both detected different
licenses) a manual inspection of the file occurred.
- In most cases a manual inspection of the information in the file
resulted in a clear resolution of the license that should apply (and
which scanner probably needed to revisit its heuristics).
- When it was not immediately clear, the license identifier was
confirmed with lawyers working with the Linux Foundation.
- If there was any question as to the appropriate license identifier,
the file was flagged for further research and to be revisited later
in time.
In total, over 70 hours of logged manual review was done on the
spreadsheet to determine the SPDX license identifiers to apply to the
source files by Kate, Philippe, Thomas and, in some cases, confirmation
by lawyers working with the Linux Foundation.
Kate also obtained a third independent scan of the 4.13 code base from
FOSSology, and compared selected files where the other two scanners
disagreed against that SPDX file, to see if there was new insights. The
Windriver scanner is based on an older version of FOSSology in part, so
they are related.
Thomas did random spot checks in about 500 files from the spreadsheets
for the uapi headers and agreed with SPDX license identifier in the
files he inspected. For the non-uapi files Thomas did random spot checks
in about 15000 files.
In initial set of patches against 4.14-rc6, 3 files were found to have
copy/paste license identifier errors, and have been fixed to reflect the
correct identifier.
Additionally Philippe spent 10 hours this week doing a detailed manual
inspection and review of the 12,461 patched files from the initial patch
version early this week with:
- a full scancode scan run, collecting the matched texts, detected
license ids and scores
- reviewing anything where there was a license detected (about 500+
files) to ensure that the applied SPDX license was correct
- reviewing anything where there was no detection but the patch license
was not GPL-2.0 WITH Linux-syscall-note to ensure that the applied
SPDX license was correct
This produced a worksheet with 20 files needing minor correction. This
worksheet was then exported into 3 different .csv files for the
different types of files to be modified.
These .csv files were then reviewed by Greg. Thomas wrote a script to
parse the csv files and add the proper SPDX tag to the file, in the
format that the file expected. This script was further refined by Greg
based on the output to detect more types of files automatically and to
distinguish between header and source .c files (which need different
comment types.) Finally Greg ran the script using the .csv files to
generate the patches.
Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org>
Reviewed-by: Philippe Ombredanne <pombredanne@nexb.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-11-01 17:07:57 +03:00
|
|
|
// SPDX-License-Identifier: GPL-2.0
|
2005-04-17 02:20:36 +04:00
|
|
|
/*
|
|
|
|
* linux/fs/fcntl.c
|
|
|
|
*
|
|
|
|
* Copyright (C) 1991, 1992 Linus Torvalds
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <linux/syscalls.h>
|
|
|
|
#include <linux/init.h>
|
|
|
|
#include <linux/mm.h>
|
2017-02-08 20:51:36 +03:00
|
|
|
#include <linux/sched/task.h>
|
2005-04-17 02:20:36 +04:00
|
|
|
#include <linux/fs.h>
|
|
|
|
#include <linux/file.h>
|
2008-04-24 15:44:08 +04:00
|
|
|
#include <linux/fdtable.h>
|
2006-01-11 23:17:46 +03:00
|
|
|
#include <linux/capability.h>
|
2005-04-17 02:20:36 +04:00
|
|
|
#include <linux/dnotify.h>
|
|
|
|
#include <linux/slab.h>
|
|
|
|
#include <linux/module.h>
|
2010-05-20 12:43:18 +04:00
|
|
|
#include <linux/pipe_fs_i.h>
|
2005-04-17 02:20:36 +04:00
|
|
|
#include <linux/security.h>
|
|
|
|
#include <linux/ptrace.h>
|
2005-05-01 19:59:14 +04:00
|
|
|
#include <linux/signal.h>
|
2005-09-10 00:04:13 +04:00
|
|
|
#include <linux/rcupdate.h>
|
2007-10-19 10:40:14 +04:00
|
|
|
#include <linux/pid_namespace.h>
|
2012-07-31 01:43:00 +04:00
|
|
|
#include <linux/user_namespace.h>
|
2018-06-08 03:06:01 +03:00
|
|
|
#include <linux/memfd.h>
|
2017-04-09 01:10:56 +03:00
|
|
|
#include <linux/compat.h>
|
2021-01-21 16:19:38 +03:00
|
|
|
#include <linux/mount.h>
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2018-02-01 20:14:57 +03:00
|
|
|
#include <linux/poll.h>
|
2005-04-17 02:20:36 +04:00
|
|
|
#include <asm/siginfo.h>
|
2016-12-24 22:46:01 +03:00
|
|
|
#include <linux/uaccess.h>
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2009-02-02 00:26:59 +03:00
|
|
|
#define SETFL_MASK (O_APPEND | O_NONBLOCK | O_NDELAY | O_DIRECT | O_NOATIME)
|
2005-04-17 02:20:36 +04:00
|
|
|
|
|
|
|
static int setfl(int fd, struct file * filp, unsigned long arg)
|
|
|
|
{
|
2013-01-24 02:07:38 +04:00
|
|
|
struct inode * inode = file_inode(filp);
|
2005-04-17 02:20:36 +04:00
|
|
|
int error = 0;
|
|
|
|
|
2006-02-03 14:04:30 +03:00
|
|
|
/*
|
|
|
|
* O_APPEND cannot be cleared if the file is marked as append-only
|
|
|
|
* and the file is open for write.
|
|
|
|
*/
|
|
|
|
if (((arg ^ filp->f_flags) & O_APPEND) && IS_APPEND(inode))
|
2005-04-17 02:20:36 +04:00
|
|
|
return -EPERM;
|
|
|
|
|
|
|
|
/* O_NOATIME can only be set by the owner or superuser */
|
|
|
|
if ((arg & O_NOATIME) && !(filp->f_flags & O_NOATIME))
|
2021-01-21 16:19:38 +03:00
|
|
|
if (!inode_owner_or_capable(file_mnt_user_ns(filp), inode))
|
2005-04-17 02:20:36 +04:00
|
|
|
return -EPERM;
|
|
|
|
|
|
|
|
/* required for strict SunOS emulation */
|
|
|
|
if (O_NONBLOCK != O_NDELAY)
|
|
|
|
if (arg & O_NDELAY)
|
|
|
|
arg |= O_NONBLOCK;
|
|
|
|
|
2015-12-15 18:41:31 +03:00
|
|
|
/* Pipe packetized mode is controlled by O_DIRECT flag */
|
2016-12-05 02:24:56 +03:00
|
|
|
if (!S_ISFIFO(inode->i_mode) && (arg & O_DIRECT)) {
|
2005-04-17 02:20:36 +04:00
|
|
|
if (!filp->f_mapping || !filp->f_mapping->a_ops ||
|
|
|
|
!filp->f_mapping->a_ops->direct_IO)
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
|
2013-09-23 00:27:52 +04:00
|
|
|
if (filp->f_op->check_flags)
|
2005-04-17 02:20:36 +04:00
|
|
|
error = filp->f_op->check_flags(arg);
|
|
|
|
if (error)
|
|
|
|
return error;
|
|
|
|
|
2008-12-06 02:12:48 +03:00
|
|
|
/*
|
2009-02-02 00:26:59 +03:00
|
|
|
* ->fasync() is responsible for setting the FASYNC bit.
|
2008-12-06 02:12:48 +03:00
|
|
|
*/
|
2013-09-23 00:27:52 +04:00
|
|
|
if (((arg ^ filp->f_flags) & FASYNC) && filp->f_op->fasync) {
|
2009-02-02 00:26:59 +03:00
|
|
|
error = filp->f_op->fasync(fd, filp, (arg & FASYNC) != 0);
|
|
|
|
if (error < 0)
|
|
|
|
goto out;
|
2009-02-02 00:52:56 +03:00
|
|
|
if (error > 0)
|
|
|
|
error = 0;
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
2009-02-07 01:25:24 +03:00
|
|
|
spin_lock(&filp->f_lock);
|
2005-04-17 02:20:36 +04:00
|
|
|
filp->f_flags = (arg & SETFL_MASK) | (filp->f_flags & ~SETFL_MASK);
|
2009-02-07 01:25:24 +03:00
|
|
|
spin_unlock(&filp->f_lock);
|
2009-02-02 00:26:59 +03:00
|
|
|
|
2005-04-17 02:20:36 +04:00
|
|
|
out:
|
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
2006-10-02 13:17:15 +04:00
|
|
|
static void f_modown(struct file *filp, struct pid *pid, enum pid_type type,
|
2009-06-17 00:07:46 +04:00
|
|
|
int force)
|
2005-04-17 02:20:36 +04:00
|
|
|
{
|
2010-02-07 21:11:23 +03:00
|
|
|
write_lock_irq(&filp->f_owner.lock);
|
2005-04-17 02:20:36 +04:00
|
|
|
if (force || !filp->f_owner.pid) {
|
2006-10-02 13:17:15 +04:00
|
|
|
put_pid(filp->f_owner.pid);
|
|
|
|
filp->f_owner.pid = get_pid(pid);
|
|
|
|
filp->f_owner.pid_type = type;
|
2009-06-17 00:07:46 +04:00
|
|
|
|
|
|
|
if (pid) {
|
|
|
|
const struct cred *cred = current_cred();
|
|
|
|
filp->f_owner.uid = cred->uid;
|
|
|
|
filp->f_owner.euid = cred->euid;
|
|
|
|
}
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
2010-02-07 21:11:23 +03:00
|
|
|
write_unlock_irq(&filp->f_owner.lock);
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
|
2014-08-22 19:27:32 +04:00
|
|
|
void __f_setown(struct file *filp, struct pid *pid, enum pid_type type,
|
2006-10-02 13:17:15 +04:00
|
|
|
int force)
|
2005-04-17 02:20:36 +04:00
|
|
|
{
|
2014-08-22 19:27:32 +04:00
|
|
|
security_file_set_fowner(filp);
|
2009-06-17 00:07:46 +04:00
|
|
|
f_modown(filp, pid, type, force);
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
2006-10-02 13:17:15 +04:00
|
|
|
EXPORT_SYMBOL(__f_setown);
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2017-06-13 14:35:50 +03:00
|
|
|
int f_setown(struct file *filp, unsigned long arg, int force)
|
2006-10-02 13:17:15 +04:00
|
|
|
{
|
|
|
|
enum pid_type type;
|
2017-06-14 16:11:54 +03:00
|
|
|
struct pid *pid = NULL;
|
|
|
|
int who = arg, ret = 0;
|
|
|
|
|
2017-07-17 06:05:57 +03:00
|
|
|
type = PIDTYPE_TGID;
|
2006-10-02 13:17:15 +04:00
|
|
|
if (who < 0) {
|
2017-06-13 14:35:51 +03:00
|
|
|
/* avoid overflow below */
|
|
|
|
if (who == INT_MIN)
|
|
|
|
return -EINVAL;
|
|
|
|
|
2006-10-02 13:17:15 +04:00
|
|
|
type = PIDTYPE_PGID;
|
|
|
|
who = -who;
|
|
|
|
}
|
2017-06-14 16:11:54 +03:00
|
|
|
|
2006-10-02 13:17:15 +04:00
|
|
|
rcu_read_lock();
|
2017-06-14 16:11:54 +03:00
|
|
|
if (who) {
|
|
|
|
pid = find_vpid(who);
|
|
|
|
if (!pid)
|
|
|
|
ret = -ESRCH;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!ret)
|
|
|
|
__f_setown(filp, pid, type, force);
|
2006-10-02 13:17:15 +04:00
|
|
|
rcu_read_unlock();
|
2017-06-13 14:35:50 +03:00
|
|
|
|
2017-06-14 16:11:54 +03:00
|
|
|
return ret;
|
2006-10-02 13:17:15 +04:00
|
|
|
}
|
2005-04-17 02:20:36 +04:00
|
|
|
EXPORT_SYMBOL(f_setown);
|
|
|
|
|
|
|
|
void f_delown(struct file *filp)
|
|
|
|
{
|
2017-07-17 06:05:57 +03:00
|
|
|
f_modown(filp, NULL, PIDTYPE_TGID, 1);
|
2006-10-02 13:17:15 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
pid_t f_getown(struct file *filp)
|
|
|
|
{
|
2021-02-03 15:41:56 +03:00
|
|
|
pid_t pid = 0;
|
fcntl: fix potential deadlocks for &fown_struct.lock
Syzbot reports a potential deadlock in do_fcntl:
========================================================
WARNING: possible irq lock inversion dependency detected
5.12.0-syzkaller #0 Not tainted
--------------------------------------------------------
syz-executor132/8391 just changed the state of lock:
ffff888015967bf8 (&f->f_owner.lock){.+..}-{2:2}, at: f_getown_ex fs/fcntl.c:211 [inline]
ffff888015967bf8 (&f->f_owner.lock){.+..}-{2:2}, at: do_fcntl+0x8b4/0x1200 fs/fcntl.c:395
but this lock was taken by another, HARDIRQ-safe lock in the past:
(&dev->event_lock){-...}-{2:2}
and interrupts could create inverse lock ordering between them.
other info that might help us debug this:
Chain exists of:
&dev->event_lock --> &new->fa_lock --> &f->f_owner.lock
Possible interrupt unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&f->f_owner.lock);
local_irq_disable();
lock(&dev->event_lock);
lock(&new->fa_lock);
<Interrupt>
lock(&dev->event_lock);
*** DEADLOCK ***
This happens because there is a lock hierarchy of
&dev->event_lock --> &new->fa_lock --> &f->f_owner.lock
from the following call chain:
input_inject_event():
spin_lock_irqsave(&dev->event_lock,...);
input_handle_event():
input_pass_values():
input_to_handler():
evdev_events():
evdev_pass_values():
spin_lock(&client->buffer_lock);
__pass_event():
kill_fasync():
kill_fasync_rcu():
read_lock(&fa->fa_lock);
send_sigio():
read_lock_irqsave(&fown->lock,...);
However, since &dev->event_lock is HARDIRQ-safe, interrupts have to be
disabled while grabbing &f->f_owner.lock, otherwise we invert the lock
hierarchy.
Hence, we replace calls to read_lock/read_unlock on &f->f_owner.lock,
with read_lock_irq/read_unlock_irq.
Reported-and-tested-by: syzbot+e6d5398a02c516ce5e70@syzkaller.appspotmail.com
Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
Signed-off-by: Jeff Layton <jlayton@kernel.org>
2021-07-02 12:18:30 +03:00
|
|
|
|
|
|
|
read_lock_irq(&filp->f_owner.lock);
|
2021-02-03 15:41:56 +03:00
|
|
|
rcu_read_lock();
|
|
|
|
if (pid_task(filp->f_owner.pid, filp->f_owner.pid_type)) {
|
|
|
|
pid = pid_vnr(filp->f_owner.pid);
|
|
|
|
if (filp->f_owner.pid_type == PIDTYPE_PGID)
|
|
|
|
pid = -pid;
|
|
|
|
}
|
|
|
|
rcu_read_unlock();
|
fcntl: fix potential deadlocks for &fown_struct.lock
Syzbot reports a potential deadlock in do_fcntl:
========================================================
WARNING: possible irq lock inversion dependency detected
5.12.0-syzkaller #0 Not tainted
--------------------------------------------------------
syz-executor132/8391 just changed the state of lock:
ffff888015967bf8 (&f->f_owner.lock){.+..}-{2:2}, at: f_getown_ex fs/fcntl.c:211 [inline]
ffff888015967bf8 (&f->f_owner.lock){.+..}-{2:2}, at: do_fcntl+0x8b4/0x1200 fs/fcntl.c:395
but this lock was taken by another, HARDIRQ-safe lock in the past:
(&dev->event_lock){-...}-{2:2}
and interrupts could create inverse lock ordering between them.
other info that might help us debug this:
Chain exists of:
&dev->event_lock --> &new->fa_lock --> &f->f_owner.lock
Possible interrupt unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&f->f_owner.lock);
local_irq_disable();
lock(&dev->event_lock);
lock(&new->fa_lock);
<Interrupt>
lock(&dev->event_lock);
*** DEADLOCK ***
This happens because there is a lock hierarchy of
&dev->event_lock --> &new->fa_lock --> &f->f_owner.lock
from the following call chain:
input_inject_event():
spin_lock_irqsave(&dev->event_lock,...);
input_handle_event():
input_pass_values():
input_to_handler():
evdev_events():
evdev_pass_values():
spin_lock(&client->buffer_lock);
__pass_event():
kill_fasync():
kill_fasync_rcu():
read_lock(&fa->fa_lock);
send_sigio():
read_lock_irqsave(&fown->lock,...);
However, since &dev->event_lock is HARDIRQ-safe, interrupts have to be
disabled while grabbing &f->f_owner.lock, otherwise we invert the lock
hierarchy.
Hence, we replace calls to read_lock/read_unlock on &f->f_owner.lock,
with read_lock_irq/read_unlock_irq.
Reported-and-tested-by: syzbot+e6d5398a02c516ce5e70@syzkaller.appspotmail.com
Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
Signed-off-by: Jeff Layton <jlayton@kernel.org>
2021-07-02 12:18:30 +03:00
|
|
|
read_unlock_irq(&filp->f_owner.lock);
|
2006-10-02 13:17:15 +04:00
|
|
|
return pid;
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
|
2009-09-24 02:57:03 +04:00
|
|
|
static int f_setown_ex(struct file *filp, unsigned long arg)
|
|
|
|
{
|
2012-09-27 05:43:05 +04:00
|
|
|
struct f_owner_ex __user *owner_p = (void __user *)arg;
|
2009-09-24 02:57:03 +04:00
|
|
|
struct f_owner_ex owner;
|
|
|
|
struct pid *pid;
|
|
|
|
int type;
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
ret = copy_from_user(&owner, owner_p, sizeof(owner));
|
|
|
|
if (ret)
|
2010-06-03 14:35:42 +04:00
|
|
|
return -EFAULT;
|
2009-09-24 02:57:03 +04:00
|
|
|
|
|
|
|
switch (owner.type) {
|
|
|
|
case F_OWNER_TID:
|
2017-07-17 06:05:57 +03:00
|
|
|
type = PIDTYPE_PID;
|
2009-09-24 02:57:03 +04:00
|
|
|
break;
|
|
|
|
|
|
|
|
case F_OWNER_PID:
|
2017-07-17 06:05:57 +03:00
|
|
|
type = PIDTYPE_TGID;
|
2009-09-24 02:57:03 +04:00
|
|
|
break;
|
|
|
|
|
2009-11-18 01:06:24 +03:00
|
|
|
case F_OWNER_PGRP:
|
2009-09-24 02:57:03 +04:00
|
|
|
type = PIDTYPE_PGID;
|
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
|
|
|
|
rcu_read_lock();
|
|
|
|
pid = find_vpid(owner.pid);
|
|
|
|
if (owner.pid && !pid)
|
|
|
|
ret = -ESRCH;
|
|
|
|
else
|
2014-08-22 19:27:32 +04:00
|
|
|
__f_setown(filp, pid, type, 1);
|
2009-09-24 02:57:03 +04:00
|
|
|
rcu_read_unlock();
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int f_getown_ex(struct file *filp, unsigned long arg)
|
|
|
|
{
|
2012-09-27 05:43:05 +04:00
|
|
|
struct f_owner_ex __user *owner_p = (void __user *)arg;
|
2021-02-03 15:41:56 +03:00
|
|
|
struct f_owner_ex owner = {};
|
2009-09-24 02:57:03 +04:00
|
|
|
int ret = 0;
|
|
|
|
|
fcntl: fix potential deadlocks for &fown_struct.lock
Syzbot reports a potential deadlock in do_fcntl:
========================================================
WARNING: possible irq lock inversion dependency detected
5.12.0-syzkaller #0 Not tainted
--------------------------------------------------------
syz-executor132/8391 just changed the state of lock:
ffff888015967bf8 (&f->f_owner.lock){.+..}-{2:2}, at: f_getown_ex fs/fcntl.c:211 [inline]
ffff888015967bf8 (&f->f_owner.lock){.+..}-{2:2}, at: do_fcntl+0x8b4/0x1200 fs/fcntl.c:395
but this lock was taken by another, HARDIRQ-safe lock in the past:
(&dev->event_lock){-...}-{2:2}
and interrupts could create inverse lock ordering between them.
other info that might help us debug this:
Chain exists of:
&dev->event_lock --> &new->fa_lock --> &f->f_owner.lock
Possible interrupt unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&f->f_owner.lock);
local_irq_disable();
lock(&dev->event_lock);
lock(&new->fa_lock);
<Interrupt>
lock(&dev->event_lock);
*** DEADLOCK ***
This happens because there is a lock hierarchy of
&dev->event_lock --> &new->fa_lock --> &f->f_owner.lock
from the following call chain:
input_inject_event():
spin_lock_irqsave(&dev->event_lock,...);
input_handle_event():
input_pass_values():
input_to_handler():
evdev_events():
evdev_pass_values():
spin_lock(&client->buffer_lock);
__pass_event():
kill_fasync():
kill_fasync_rcu():
read_lock(&fa->fa_lock);
send_sigio():
read_lock_irqsave(&fown->lock,...);
However, since &dev->event_lock is HARDIRQ-safe, interrupts have to be
disabled while grabbing &f->f_owner.lock, otherwise we invert the lock
hierarchy.
Hence, we replace calls to read_lock/read_unlock on &f->f_owner.lock,
with read_lock_irq/read_unlock_irq.
Reported-and-tested-by: syzbot+e6d5398a02c516ce5e70@syzkaller.appspotmail.com
Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
Signed-off-by: Jeff Layton <jlayton@kernel.org>
2021-07-02 12:18:30 +03:00
|
|
|
read_lock_irq(&filp->f_owner.lock);
|
2021-02-03 15:41:56 +03:00
|
|
|
rcu_read_lock();
|
|
|
|
if (pid_task(filp->f_owner.pid, filp->f_owner.pid_type))
|
|
|
|
owner.pid = pid_vnr(filp->f_owner.pid);
|
|
|
|
rcu_read_unlock();
|
2009-09-24 02:57:03 +04:00
|
|
|
switch (filp->f_owner.pid_type) {
|
2017-07-17 06:05:57 +03:00
|
|
|
case PIDTYPE_PID:
|
2009-09-24 02:57:03 +04:00
|
|
|
owner.type = F_OWNER_TID;
|
|
|
|
break;
|
|
|
|
|
2017-07-17 06:05:57 +03:00
|
|
|
case PIDTYPE_TGID:
|
2009-09-24 02:57:03 +04:00
|
|
|
owner.type = F_OWNER_PID;
|
|
|
|
break;
|
|
|
|
|
|
|
|
case PIDTYPE_PGID:
|
2009-11-18 01:06:24 +03:00
|
|
|
owner.type = F_OWNER_PGRP;
|
2009-09-24 02:57:03 +04:00
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
|
|
|
WARN_ON(1);
|
|
|
|
ret = -EINVAL;
|
|
|
|
break;
|
|
|
|
}
|
fcntl: fix potential deadlocks for &fown_struct.lock
Syzbot reports a potential deadlock in do_fcntl:
========================================================
WARNING: possible irq lock inversion dependency detected
5.12.0-syzkaller #0 Not tainted
--------------------------------------------------------
syz-executor132/8391 just changed the state of lock:
ffff888015967bf8 (&f->f_owner.lock){.+..}-{2:2}, at: f_getown_ex fs/fcntl.c:211 [inline]
ffff888015967bf8 (&f->f_owner.lock){.+..}-{2:2}, at: do_fcntl+0x8b4/0x1200 fs/fcntl.c:395
but this lock was taken by another, HARDIRQ-safe lock in the past:
(&dev->event_lock){-...}-{2:2}
and interrupts could create inverse lock ordering between them.
other info that might help us debug this:
Chain exists of:
&dev->event_lock --> &new->fa_lock --> &f->f_owner.lock
Possible interrupt unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&f->f_owner.lock);
local_irq_disable();
lock(&dev->event_lock);
lock(&new->fa_lock);
<Interrupt>
lock(&dev->event_lock);
*** DEADLOCK ***
This happens because there is a lock hierarchy of
&dev->event_lock --> &new->fa_lock --> &f->f_owner.lock
from the following call chain:
input_inject_event():
spin_lock_irqsave(&dev->event_lock,...);
input_handle_event():
input_pass_values():
input_to_handler():
evdev_events():
evdev_pass_values():
spin_lock(&client->buffer_lock);
__pass_event():
kill_fasync():
kill_fasync_rcu():
read_lock(&fa->fa_lock);
send_sigio():
read_lock_irqsave(&fown->lock,...);
However, since &dev->event_lock is HARDIRQ-safe, interrupts have to be
disabled while grabbing &f->f_owner.lock, otherwise we invert the lock
hierarchy.
Hence, we replace calls to read_lock/read_unlock on &f->f_owner.lock,
with read_lock_irq/read_unlock_irq.
Reported-and-tested-by: syzbot+e6d5398a02c516ce5e70@syzkaller.appspotmail.com
Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
Signed-off-by: Jeff Layton <jlayton@kernel.org>
2021-07-02 12:18:30 +03:00
|
|
|
read_unlock_irq(&filp->f_owner.lock);
|
2009-09-24 02:57:03 +04:00
|
|
|
|
2010-06-03 14:35:42 +04:00
|
|
|
if (!ret) {
|
2009-09-24 02:57:03 +04:00
|
|
|
ret = copy_to_user(owner_p, &owner, sizeof(owner));
|
2010-06-03 14:35:42 +04:00
|
|
|
if (ret)
|
|
|
|
ret = -EFAULT;
|
|
|
|
}
|
2009-09-24 02:57:03 +04:00
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2012-07-31 01:43:00 +04:00
|
|
|
#ifdef CONFIG_CHECKPOINT_RESTORE
|
|
|
|
static int f_getowner_uids(struct file *filp, unsigned long arg)
|
|
|
|
{
|
|
|
|
struct user_namespace *user_ns = current_user_ns();
|
2012-09-27 05:43:05 +04:00
|
|
|
uid_t __user *dst = (void __user *)arg;
|
2012-07-31 01:43:00 +04:00
|
|
|
uid_t src[2];
|
|
|
|
int err;
|
|
|
|
|
fcntl: fix potential deadlocks for &fown_struct.lock
Syzbot reports a potential deadlock in do_fcntl:
========================================================
WARNING: possible irq lock inversion dependency detected
5.12.0-syzkaller #0 Not tainted
--------------------------------------------------------
syz-executor132/8391 just changed the state of lock:
ffff888015967bf8 (&f->f_owner.lock){.+..}-{2:2}, at: f_getown_ex fs/fcntl.c:211 [inline]
ffff888015967bf8 (&f->f_owner.lock){.+..}-{2:2}, at: do_fcntl+0x8b4/0x1200 fs/fcntl.c:395
but this lock was taken by another, HARDIRQ-safe lock in the past:
(&dev->event_lock){-...}-{2:2}
and interrupts could create inverse lock ordering between them.
other info that might help us debug this:
Chain exists of:
&dev->event_lock --> &new->fa_lock --> &f->f_owner.lock
Possible interrupt unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&f->f_owner.lock);
local_irq_disable();
lock(&dev->event_lock);
lock(&new->fa_lock);
<Interrupt>
lock(&dev->event_lock);
*** DEADLOCK ***
This happens because there is a lock hierarchy of
&dev->event_lock --> &new->fa_lock --> &f->f_owner.lock
from the following call chain:
input_inject_event():
spin_lock_irqsave(&dev->event_lock,...);
input_handle_event():
input_pass_values():
input_to_handler():
evdev_events():
evdev_pass_values():
spin_lock(&client->buffer_lock);
__pass_event():
kill_fasync():
kill_fasync_rcu():
read_lock(&fa->fa_lock);
send_sigio():
read_lock_irqsave(&fown->lock,...);
However, since &dev->event_lock is HARDIRQ-safe, interrupts have to be
disabled while grabbing &f->f_owner.lock, otherwise we invert the lock
hierarchy.
Hence, we replace calls to read_lock/read_unlock on &f->f_owner.lock,
with read_lock_irq/read_unlock_irq.
Reported-and-tested-by: syzbot+e6d5398a02c516ce5e70@syzkaller.appspotmail.com
Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
Signed-off-by: Jeff Layton <jlayton@kernel.org>
2021-07-02 12:18:30 +03:00
|
|
|
read_lock_irq(&filp->f_owner.lock);
|
2012-07-31 01:43:00 +04:00
|
|
|
src[0] = from_kuid(user_ns, filp->f_owner.uid);
|
|
|
|
src[1] = from_kuid(user_ns, filp->f_owner.euid);
|
fcntl: fix potential deadlocks for &fown_struct.lock
Syzbot reports a potential deadlock in do_fcntl:
========================================================
WARNING: possible irq lock inversion dependency detected
5.12.0-syzkaller #0 Not tainted
--------------------------------------------------------
syz-executor132/8391 just changed the state of lock:
ffff888015967bf8 (&f->f_owner.lock){.+..}-{2:2}, at: f_getown_ex fs/fcntl.c:211 [inline]
ffff888015967bf8 (&f->f_owner.lock){.+..}-{2:2}, at: do_fcntl+0x8b4/0x1200 fs/fcntl.c:395
but this lock was taken by another, HARDIRQ-safe lock in the past:
(&dev->event_lock){-...}-{2:2}
and interrupts could create inverse lock ordering between them.
other info that might help us debug this:
Chain exists of:
&dev->event_lock --> &new->fa_lock --> &f->f_owner.lock
Possible interrupt unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&f->f_owner.lock);
local_irq_disable();
lock(&dev->event_lock);
lock(&new->fa_lock);
<Interrupt>
lock(&dev->event_lock);
*** DEADLOCK ***
This happens because there is a lock hierarchy of
&dev->event_lock --> &new->fa_lock --> &f->f_owner.lock
from the following call chain:
input_inject_event():
spin_lock_irqsave(&dev->event_lock,...);
input_handle_event():
input_pass_values():
input_to_handler():
evdev_events():
evdev_pass_values():
spin_lock(&client->buffer_lock);
__pass_event():
kill_fasync():
kill_fasync_rcu():
read_lock(&fa->fa_lock);
send_sigio():
read_lock_irqsave(&fown->lock,...);
However, since &dev->event_lock is HARDIRQ-safe, interrupts have to be
disabled while grabbing &f->f_owner.lock, otherwise we invert the lock
hierarchy.
Hence, we replace calls to read_lock/read_unlock on &f->f_owner.lock,
with read_lock_irq/read_unlock_irq.
Reported-and-tested-by: syzbot+e6d5398a02c516ce5e70@syzkaller.appspotmail.com
Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
Signed-off-by: Jeff Layton <jlayton@kernel.org>
2021-07-02 12:18:30 +03:00
|
|
|
read_unlock_irq(&filp->f_owner.lock);
|
2012-07-31 01:43:00 +04:00
|
|
|
|
|
|
|
err = put_user(src[0], &dst[0]);
|
|
|
|
err |= put_user(src[1], &dst[1]);
|
|
|
|
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
#else
|
|
|
|
static int f_getowner_uids(struct file *filp, unsigned long arg)
|
|
|
|
{
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
fs: add fcntl() interface for setting/getting write life time hints
Define a set of write life time hints:
RWH_WRITE_LIFE_NOT_SET No hint information set
RWH_WRITE_LIFE_NONE No hints about write life time
RWH_WRITE_LIFE_SHORT Data written has a short life time
RWH_WRITE_LIFE_MEDIUM Data written has a medium life time
RWH_WRITE_LIFE_LONG Data written has a long life time
RWH_WRITE_LIFE_EXTREME Data written has an extremely long life time
The intent is for these values to be relative to each other, no
absolute meaning should be attached to these flag names.
Add an fcntl interface for querying these flags, and also for
setting them as well:
F_GET_RW_HINT Returns the read/write hint set on the
underlying inode.
F_SET_RW_HINT Set one of the above write hints on the
underlying inode.
F_GET_FILE_RW_HINT Returns the read/write hint set on the
file descriptor.
F_SET_FILE_RW_HINT Set one of the above write hints on the
file descriptor.
The user passes in a 64-bit pointer to get/set these values, and
the interface returns 0/-1 on success/error.
Sample program testing/implementing basic setting/getting of write
hints is below.
Add support for storing the write life time hint in the inode flags
and in struct file as well, and pass them to the kiocb flags. If
both a file and its corresponding inode has a write hint, then we
use the one in the file, if available. The file hint can be used
for sync/direct IO, for buffered writeback only the inode hint
is available.
This is in preparation for utilizing these hints in the block layer,
to guide on-media data placement.
/*
* writehint.c: get or set an inode write hint
*/
#include <stdio.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
#include <stdbool.h>
#include <inttypes.h>
#ifndef F_GET_RW_HINT
#define F_LINUX_SPECIFIC_BASE 1024
#define F_GET_RW_HINT (F_LINUX_SPECIFIC_BASE + 11)
#define F_SET_RW_HINT (F_LINUX_SPECIFIC_BASE + 12)
#endif
static char *str[] = { "RWF_WRITE_LIFE_NOT_SET", "RWH_WRITE_LIFE_NONE",
"RWH_WRITE_LIFE_SHORT", "RWH_WRITE_LIFE_MEDIUM",
"RWH_WRITE_LIFE_LONG", "RWH_WRITE_LIFE_EXTREME" };
int main(int argc, char *argv[])
{
uint64_t hint;
int fd, ret;
if (argc < 2) {
fprintf(stderr, "%s: file <hint>\n", argv[0]);
return 1;
}
fd = open(argv[1], O_RDONLY);
if (fd < 0) {
perror("open");
return 2;
}
if (argc > 2) {
hint = atoi(argv[2]);
ret = fcntl(fd, F_SET_RW_HINT, &hint);
if (ret < 0) {
perror("fcntl: F_SET_RW_HINT");
return 4;
}
}
ret = fcntl(fd, F_GET_RW_HINT, &hint);
if (ret < 0) {
perror("fcntl: F_GET_RW_HINT");
return 3;
}
printf("%s: hint %s\n", argv[1], str[hint]);
close(fd);
return 0;
}
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2017-06-27 20:47:04 +03:00
|
|
|
static bool rw_hint_valid(enum rw_hint hint)
|
|
|
|
{
|
|
|
|
switch (hint) {
|
2019-09-20 18:58:21 +03:00
|
|
|
case RWH_WRITE_LIFE_NOT_SET:
|
fs: add fcntl() interface for setting/getting write life time hints
Define a set of write life time hints:
RWH_WRITE_LIFE_NOT_SET No hint information set
RWH_WRITE_LIFE_NONE No hints about write life time
RWH_WRITE_LIFE_SHORT Data written has a short life time
RWH_WRITE_LIFE_MEDIUM Data written has a medium life time
RWH_WRITE_LIFE_LONG Data written has a long life time
RWH_WRITE_LIFE_EXTREME Data written has an extremely long life time
The intent is for these values to be relative to each other, no
absolute meaning should be attached to these flag names.
Add an fcntl interface for querying these flags, and also for
setting them as well:
F_GET_RW_HINT Returns the read/write hint set on the
underlying inode.
F_SET_RW_HINT Set one of the above write hints on the
underlying inode.
F_GET_FILE_RW_HINT Returns the read/write hint set on the
file descriptor.
F_SET_FILE_RW_HINT Set one of the above write hints on the
file descriptor.
The user passes in a 64-bit pointer to get/set these values, and
the interface returns 0/-1 on success/error.
Sample program testing/implementing basic setting/getting of write
hints is below.
Add support for storing the write life time hint in the inode flags
and in struct file as well, and pass them to the kiocb flags. If
both a file and its corresponding inode has a write hint, then we
use the one in the file, if available. The file hint can be used
for sync/direct IO, for buffered writeback only the inode hint
is available.
This is in preparation for utilizing these hints in the block layer,
to guide on-media data placement.
/*
* writehint.c: get or set an inode write hint
*/
#include <stdio.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
#include <stdbool.h>
#include <inttypes.h>
#ifndef F_GET_RW_HINT
#define F_LINUX_SPECIFIC_BASE 1024
#define F_GET_RW_HINT (F_LINUX_SPECIFIC_BASE + 11)
#define F_SET_RW_HINT (F_LINUX_SPECIFIC_BASE + 12)
#endif
static char *str[] = { "RWF_WRITE_LIFE_NOT_SET", "RWH_WRITE_LIFE_NONE",
"RWH_WRITE_LIFE_SHORT", "RWH_WRITE_LIFE_MEDIUM",
"RWH_WRITE_LIFE_LONG", "RWH_WRITE_LIFE_EXTREME" };
int main(int argc, char *argv[])
{
uint64_t hint;
int fd, ret;
if (argc < 2) {
fprintf(stderr, "%s: file <hint>\n", argv[0]);
return 1;
}
fd = open(argv[1], O_RDONLY);
if (fd < 0) {
perror("open");
return 2;
}
if (argc > 2) {
hint = atoi(argv[2]);
ret = fcntl(fd, F_SET_RW_HINT, &hint);
if (ret < 0) {
perror("fcntl: F_SET_RW_HINT");
return 4;
}
}
ret = fcntl(fd, F_GET_RW_HINT, &hint);
if (ret < 0) {
perror("fcntl: F_GET_RW_HINT");
return 3;
}
printf("%s: hint %s\n", argv[1], str[hint]);
close(fd);
return 0;
}
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2017-06-27 20:47:04 +03:00
|
|
|
case RWH_WRITE_LIFE_NONE:
|
|
|
|
case RWH_WRITE_LIFE_SHORT:
|
|
|
|
case RWH_WRITE_LIFE_MEDIUM:
|
|
|
|
case RWH_WRITE_LIFE_LONG:
|
|
|
|
case RWH_WRITE_LIFE_EXTREME:
|
|
|
|
return true;
|
|
|
|
default:
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static long fcntl_rw_hint(struct file *file, unsigned int cmd,
|
|
|
|
unsigned long arg)
|
|
|
|
{
|
|
|
|
struct inode *inode = file_inode(file);
|
2019-10-15 13:50:49 +03:00
|
|
|
u64 __user *argp = (u64 __user *)arg;
|
fs: add fcntl() interface for setting/getting write life time hints
Define a set of write life time hints:
RWH_WRITE_LIFE_NOT_SET No hint information set
RWH_WRITE_LIFE_NONE No hints about write life time
RWH_WRITE_LIFE_SHORT Data written has a short life time
RWH_WRITE_LIFE_MEDIUM Data written has a medium life time
RWH_WRITE_LIFE_LONG Data written has a long life time
RWH_WRITE_LIFE_EXTREME Data written has an extremely long life time
The intent is for these values to be relative to each other, no
absolute meaning should be attached to these flag names.
Add an fcntl interface for querying these flags, and also for
setting them as well:
F_GET_RW_HINT Returns the read/write hint set on the
underlying inode.
F_SET_RW_HINT Set one of the above write hints on the
underlying inode.
F_GET_FILE_RW_HINT Returns the read/write hint set on the
file descriptor.
F_SET_FILE_RW_HINT Set one of the above write hints on the
file descriptor.
The user passes in a 64-bit pointer to get/set these values, and
the interface returns 0/-1 on success/error.
Sample program testing/implementing basic setting/getting of write
hints is below.
Add support for storing the write life time hint in the inode flags
and in struct file as well, and pass them to the kiocb flags. If
both a file and its corresponding inode has a write hint, then we
use the one in the file, if available. The file hint can be used
for sync/direct IO, for buffered writeback only the inode hint
is available.
This is in preparation for utilizing these hints in the block layer,
to guide on-media data placement.
/*
* writehint.c: get or set an inode write hint
*/
#include <stdio.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
#include <stdbool.h>
#include <inttypes.h>
#ifndef F_GET_RW_HINT
#define F_LINUX_SPECIFIC_BASE 1024
#define F_GET_RW_HINT (F_LINUX_SPECIFIC_BASE + 11)
#define F_SET_RW_HINT (F_LINUX_SPECIFIC_BASE + 12)
#endif
static char *str[] = { "RWF_WRITE_LIFE_NOT_SET", "RWH_WRITE_LIFE_NONE",
"RWH_WRITE_LIFE_SHORT", "RWH_WRITE_LIFE_MEDIUM",
"RWH_WRITE_LIFE_LONG", "RWH_WRITE_LIFE_EXTREME" };
int main(int argc, char *argv[])
{
uint64_t hint;
int fd, ret;
if (argc < 2) {
fprintf(stderr, "%s: file <hint>\n", argv[0]);
return 1;
}
fd = open(argv[1], O_RDONLY);
if (fd < 0) {
perror("open");
return 2;
}
if (argc > 2) {
hint = atoi(argv[2]);
ret = fcntl(fd, F_SET_RW_HINT, &hint);
if (ret < 0) {
perror("fcntl: F_SET_RW_HINT");
return 4;
}
}
ret = fcntl(fd, F_GET_RW_HINT, &hint);
if (ret < 0) {
perror("fcntl: F_GET_RW_HINT");
return 3;
}
printf("%s: hint %s\n", argv[1], str[hint]);
close(fd);
return 0;
}
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2017-06-27 20:47:04 +03:00
|
|
|
enum rw_hint hint;
|
2017-06-28 17:09:45 +03:00
|
|
|
u64 h;
|
fs: add fcntl() interface for setting/getting write life time hints
Define a set of write life time hints:
RWH_WRITE_LIFE_NOT_SET No hint information set
RWH_WRITE_LIFE_NONE No hints about write life time
RWH_WRITE_LIFE_SHORT Data written has a short life time
RWH_WRITE_LIFE_MEDIUM Data written has a medium life time
RWH_WRITE_LIFE_LONG Data written has a long life time
RWH_WRITE_LIFE_EXTREME Data written has an extremely long life time
The intent is for these values to be relative to each other, no
absolute meaning should be attached to these flag names.
Add an fcntl interface for querying these flags, and also for
setting them as well:
F_GET_RW_HINT Returns the read/write hint set on the
underlying inode.
F_SET_RW_HINT Set one of the above write hints on the
underlying inode.
F_GET_FILE_RW_HINT Returns the read/write hint set on the
file descriptor.
F_SET_FILE_RW_HINT Set one of the above write hints on the
file descriptor.
The user passes in a 64-bit pointer to get/set these values, and
the interface returns 0/-1 on success/error.
Sample program testing/implementing basic setting/getting of write
hints is below.
Add support for storing the write life time hint in the inode flags
and in struct file as well, and pass them to the kiocb flags. If
both a file and its corresponding inode has a write hint, then we
use the one in the file, if available. The file hint can be used
for sync/direct IO, for buffered writeback only the inode hint
is available.
This is in preparation for utilizing these hints in the block layer,
to guide on-media data placement.
/*
* writehint.c: get or set an inode write hint
*/
#include <stdio.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
#include <stdbool.h>
#include <inttypes.h>
#ifndef F_GET_RW_HINT
#define F_LINUX_SPECIFIC_BASE 1024
#define F_GET_RW_HINT (F_LINUX_SPECIFIC_BASE + 11)
#define F_SET_RW_HINT (F_LINUX_SPECIFIC_BASE + 12)
#endif
static char *str[] = { "RWF_WRITE_LIFE_NOT_SET", "RWH_WRITE_LIFE_NONE",
"RWH_WRITE_LIFE_SHORT", "RWH_WRITE_LIFE_MEDIUM",
"RWH_WRITE_LIFE_LONG", "RWH_WRITE_LIFE_EXTREME" };
int main(int argc, char *argv[])
{
uint64_t hint;
int fd, ret;
if (argc < 2) {
fprintf(stderr, "%s: file <hint>\n", argv[0]);
return 1;
}
fd = open(argv[1], O_RDONLY);
if (fd < 0) {
perror("open");
return 2;
}
if (argc > 2) {
hint = atoi(argv[2]);
ret = fcntl(fd, F_SET_RW_HINT, &hint);
if (ret < 0) {
perror("fcntl: F_SET_RW_HINT");
return 4;
}
}
ret = fcntl(fd, F_GET_RW_HINT, &hint);
if (ret < 0) {
perror("fcntl: F_GET_RW_HINT");
return 3;
}
printf("%s: hint %s\n", argv[1], str[hint]);
close(fd);
return 0;
}
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2017-06-27 20:47:04 +03:00
|
|
|
|
|
|
|
switch (cmd) {
|
|
|
|
case F_GET_RW_HINT:
|
2017-06-28 17:09:45 +03:00
|
|
|
h = inode->i_write_hint;
|
|
|
|
if (copy_to_user(argp, &h, sizeof(*argp)))
|
fs: add fcntl() interface for setting/getting write life time hints
Define a set of write life time hints:
RWH_WRITE_LIFE_NOT_SET No hint information set
RWH_WRITE_LIFE_NONE No hints about write life time
RWH_WRITE_LIFE_SHORT Data written has a short life time
RWH_WRITE_LIFE_MEDIUM Data written has a medium life time
RWH_WRITE_LIFE_LONG Data written has a long life time
RWH_WRITE_LIFE_EXTREME Data written has an extremely long life time
The intent is for these values to be relative to each other, no
absolute meaning should be attached to these flag names.
Add an fcntl interface for querying these flags, and also for
setting them as well:
F_GET_RW_HINT Returns the read/write hint set on the
underlying inode.
F_SET_RW_HINT Set one of the above write hints on the
underlying inode.
F_GET_FILE_RW_HINT Returns the read/write hint set on the
file descriptor.
F_SET_FILE_RW_HINT Set one of the above write hints on the
file descriptor.
The user passes in a 64-bit pointer to get/set these values, and
the interface returns 0/-1 on success/error.
Sample program testing/implementing basic setting/getting of write
hints is below.
Add support for storing the write life time hint in the inode flags
and in struct file as well, and pass them to the kiocb flags. If
both a file and its corresponding inode has a write hint, then we
use the one in the file, if available. The file hint can be used
for sync/direct IO, for buffered writeback only the inode hint
is available.
This is in preparation for utilizing these hints in the block layer,
to guide on-media data placement.
/*
* writehint.c: get or set an inode write hint
*/
#include <stdio.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
#include <stdbool.h>
#include <inttypes.h>
#ifndef F_GET_RW_HINT
#define F_LINUX_SPECIFIC_BASE 1024
#define F_GET_RW_HINT (F_LINUX_SPECIFIC_BASE + 11)
#define F_SET_RW_HINT (F_LINUX_SPECIFIC_BASE + 12)
#endif
static char *str[] = { "RWF_WRITE_LIFE_NOT_SET", "RWH_WRITE_LIFE_NONE",
"RWH_WRITE_LIFE_SHORT", "RWH_WRITE_LIFE_MEDIUM",
"RWH_WRITE_LIFE_LONG", "RWH_WRITE_LIFE_EXTREME" };
int main(int argc, char *argv[])
{
uint64_t hint;
int fd, ret;
if (argc < 2) {
fprintf(stderr, "%s: file <hint>\n", argv[0]);
return 1;
}
fd = open(argv[1], O_RDONLY);
if (fd < 0) {
perror("open");
return 2;
}
if (argc > 2) {
hint = atoi(argv[2]);
ret = fcntl(fd, F_SET_RW_HINT, &hint);
if (ret < 0) {
perror("fcntl: F_SET_RW_HINT");
return 4;
}
}
ret = fcntl(fd, F_GET_RW_HINT, &hint);
if (ret < 0) {
perror("fcntl: F_GET_RW_HINT");
return 3;
}
printf("%s: hint %s\n", argv[1], str[hint]);
close(fd);
return 0;
}
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2017-06-27 20:47:04 +03:00
|
|
|
return -EFAULT;
|
|
|
|
return 0;
|
|
|
|
case F_SET_RW_HINT:
|
2017-06-28 17:09:45 +03:00
|
|
|
if (copy_from_user(&h, argp, sizeof(h)))
|
fs: add fcntl() interface for setting/getting write life time hints
Define a set of write life time hints:
RWH_WRITE_LIFE_NOT_SET No hint information set
RWH_WRITE_LIFE_NONE No hints about write life time
RWH_WRITE_LIFE_SHORT Data written has a short life time
RWH_WRITE_LIFE_MEDIUM Data written has a medium life time
RWH_WRITE_LIFE_LONG Data written has a long life time
RWH_WRITE_LIFE_EXTREME Data written has an extremely long life time
The intent is for these values to be relative to each other, no
absolute meaning should be attached to these flag names.
Add an fcntl interface for querying these flags, and also for
setting them as well:
F_GET_RW_HINT Returns the read/write hint set on the
underlying inode.
F_SET_RW_HINT Set one of the above write hints on the
underlying inode.
F_GET_FILE_RW_HINT Returns the read/write hint set on the
file descriptor.
F_SET_FILE_RW_HINT Set one of the above write hints on the
file descriptor.
The user passes in a 64-bit pointer to get/set these values, and
the interface returns 0/-1 on success/error.
Sample program testing/implementing basic setting/getting of write
hints is below.
Add support for storing the write life time hint in the inode flags
and in struct file as well, and pass them to the kiocb flags. If
both a file and its corresponding inode has a write hint, then we
use the one in the file, if available. The file hint can be used
for sync/direct IO, for buffered writeback only the inode hint
is available.
This is in preparation for utilizing these hints in the block layer,
to guide on-media data placement.
/*
* writehint.c: get or set an inode write hint
*/
#include <stdio.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
#include <stdbool.h>
#include <inttypes.h>
#ifndef F_GET_RW_HINT
#define F_LINUX_SPECIFIC_BASE 1024
#define F_GET_RW_HINT (F_LINUX_SPECIFIC_BASE + 11)
#define F_SET_RW_HINT (F_LINUX_SPECIFIC_BASE + 12)
#endif
static char *str[] = { "RWF_WRITE_LIFE_NOT_SET", "RWH_WRITE_LIFE_NONE",
"RWH_WRITE_LIFE_SHORT", "RWH_WRITE_LIFE_MEDIUM",
"RWH_WRITE_LIFE_LONG", "RWH_WRITE_LIFE_EXTREME" };
int main(int argc, char *argv[])
{
uint64_t hint;
int fd, ret;
if (argc < 2) {
fprintf(stderr, "%s: file <hint>\n", argv[0]);
return 1;
}
fd = open(argv[1], O_RDONLY);
if (fd < 0) {
perror("open");
return 2;
}
if (argc > 2) {
hint = atoi(argv[2]);
ret = fcntl(fd, F_SET_RW_HINT, &hint);
if (ret < 0) {
perror("fcntl: F_SET_RW_HINT");
return 4;
}
}
ret = fcntl(fd, F_GET_RW_HINT, &hint);
if (ret < 0) {
perror("fcntl: F_GET_RW_HINT");
return 3;
}
printf("%s: hint %s\n", argv[1], str[hint]);
close(fd);
return 0;
}
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2017-06-27 20:47:04 +03:00
|
|
|
return -EFAULT;
|
2017-06-28 17:09:45 +03:00
|
|
|
hint = (enum rw_hint) h;
|
fs: add fcntl() interface for setting/getting write life time hints
Define a set of write life time hints:
RWH_WRITE_LIFE_NOT_SET No hint information set
RWH_WRITE_LIFE_NONE No hints about write life time
RWH_WRITE_LIFE_SHORT Data written has a short life time
RWH_WRITE_LIFE_MEDIUM Data written has a medium life time
RWH_WRITE_LIFE_LONG Data written has a long life time
RWH_WRITE_LIFE_EXTREME Data written has an extremely long life time
The intent is for these values to be relative to each other, no
absolute meaning should be attached to these flag names.
Add an fcntl interface for querying these flags, and also for
setting them as well:
F_GET_RW_HINT Returns the read/write hint set on the
underlying inode.
F_SET_RW_HINT Set one of the above write hints on the
underlying inode.
F_GET_FILE_RW_HINT Returns the read/write hint set on the
file descriptor.
F_SET_FILE_RW_HINT Set one of the above write hints on the
file descriptor.
The user passes in a 64-bit pointer to get/set these values, and
the interface returns 0/-1 on success/error.
Sample program testing/implementing basic setting/getting of write
hints is below.
Add support for storing the write life time hint in the inode flags
and in struct file as well, and pass them to the kiocb flags. If
both a file and its corresponding inode has a write hint, then we
use the one in the file, if available. The file hint can be used
for sync/direct IO, for buffered writeback only the inode hint
is available.
This is in preparation for utilizing these hints in the block layer,
to guide on-media data placement.
/*
* writehint.c: get or set an inode write hint
*/
#include <stdio.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
#include <stdbool.h>
#include <inttypes.h>
#ifndef F_GET_RW_HINT
#define F_LINUX_SPECIFIC_BASE 1024
#define F_GET_RW_HINT (F_LINUX_SPECIFIC_BASE + 11)
#define F_SET_RW_HINT (F_LINUX_SPECIFIC_BASE + 12)
#endif
static char *str[] = { "RWF_WRITE_LIFE_NOT_SET", "RWH_WRITE_LIFE_NONE",
"RWH_WRITE_LIFE_SHORT", "RWH_WRITE_LIFE_MEDIUM",
"RWH_WRITE_LIFE_LONG", "RWH_WRITE_LIFE_EXTREME" };
int main(int argc, char *argv[])
{
uint64_t hint;
int fd, ret;
if (argc < 2) {
fprintf(stderr, "%s: file <hint>\n", argv[0]);
return 1;
}
fd = open(argv[1], O_RDONLY);
if (fd < 0) {
perror("open");
return 2;
}
if (argc > 2) {
hint = atoi(argv[2]);
ret = fcntl(fd, F_SET_RW_HINT, &hint);
if (ret < 0) {
perror("fcntl: F_SET_RW_HINT");
return 4;
}
}
ret = fcntl(fd, F_GET_RW_HINT, &hint);
if (ret < 0) {
perror("fcntl: F_GET_RW_HINT");
return 3;
}
printf("%s: hint %s\n", argv[1], str[hint]);
close(fd);
return 0;
}
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2017-06-27 20:47:04 +03:00
|
|
|
if (!rw_hint_valid(hint))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
inode_lock(inode);
|
|
|
|
inode->i_write_hint = hint;
|
|
|
|
inode_unlock(inode);
|
|
|
|
return 0;
|
|
|
|
default:
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2005-04-17 02:20:36 +04:00
|
|
|
static long do_fcntl(int fd, unsigned int cmd, unsigned long arg,
|
|
|
|
struct file *filp)
|
|
|
|
{
|
2017-05-27 13:07:19 +03:00
|
|
|
void __user *argp = (void __user *)arg;
|
|
|
|
struct flock flock;
|
2005-04-17 02:20:36 +04:00
|
|
|
long err = -EINVAL;
|
|
|
|
|
|
|
|
switch (cmd) {
|
|
|
|
case F_DUPFD:
|
2012-08-21 19:48:11 +04:00
|
|
|
err = f_dupfd(arg, filp, 0);
|
|
|
|
break;
|
F_DUPFD_CLOEXEC implementation
One more small change to extend the availability of creation of file
descriptors with FD_CLOEXEC set. Adding a new command to fcntl() requires
no new system call and the overall impact on code size if minimal.
If this patch gets accepted we will also add this change to the next
revision of the POSIX spec.
To test the patch, use the following little program. Adjust the value of
F_DUPFD_CLOEXEC appropriately.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#ifndef F_DUPFD_CLOEXEC
# define F_DUPFD_CLOEXEC 12
#endif
int
main (int argc, char *argv[])
{
if (argc > 1)
{
if (fcntl (3, F_GETFD) == 0)
{
puts ("descriptor not closed");
exit (1);
}
if (errno != EBADF)
{
puts ("error not EBADF");
exit (1);
}
exit (0);
}
int fd = fcntl (STDOUT_FILENO, F_DUPFD_CLOEXEC, 0);
if (fd == -1 && errno == EINVAL)
{
puts ("F_DUPFD_CLOEXEC not supported");
return 0;
}
if (fd != 3)
{
puts ("program called with descriptors other than 0,1,2");
return 1;
}
execl ("/proc/self/exe", "/proc/self/exe", "1", NULL);
puts ("execl failed");
return 1;
}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Ulrich Drepper <drepper@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Christoph Hellwig <hch@lst.de>
Cc: <linux-arch@vger.kernel.org>
Cc: Kyle McMartin <kyle@mcmartin.ca>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-10-17 10:30:26 +04:00
|
|
|
case F_DUPFD_CLOEXEC:
|
2012-10-09 02:21:58 +04:00
|
|
|
err = f_dupfd(arg, filp, O_CLOEXEC);
|
2005-04-17 02:20:36 +04:00
|
|
|
break;
|
|
|
|
case F_GETFD:
|
|
|
|
err = get_close_on_exec(fd) ? FD_CLOEXEC : 0;
|
|
|
|
break;
|
|
|
|
case F_SETFD:
|
|
|
|
err = 0;
|
|
|
|
set_close_on_exec(fd, arg & FD_CLOEXEC);
|
|
|
|
break;
|
|
|
|
case F_GETFL:
|
|
|
|
err = filp->f_flags;
|
|
|
|
break;
|
|
|
|
case F_SETFL:
|
|
|
|
err = setfl(fd, filp, arg);
|
|
|
|
break;
|
2014-02-03 21:13:10 +04:00
|
|
|
#if BITS_PER_LONG != 32
|
|
|
|
/* 32-bit arches must use fcntl64() */
|
2014-04-22 16:23:58 +04:00
|
|
|
case F_OFD_GETLK:
|
2014-02-03 21:13:10 +04:00
|
|
|
#endif
|
2005-04-17 02:20:36 +04:00
|
|
|
case F_GETLK:
|
2017-05-27 13:07:19 +03:00
|
|
|
if (copy_from_user(&flock, argp, sizeof(flock)))
|
|
|
|
return -EFAULT;
|
|
|
|
err = fcntl_getlk(filp, cmd, &flock);
|
|
|
|
if (!err && copy_to_user(argp, &flock, sizeof(flock)))
|
|
|
|
return -EFAULT;
|
2005-04-17 02:20:36 +04:00
|
|
|
break;
|
2014-02-03 21:13:10 +04:00
|
|
|
#if BITS_PER_LONG != 32
|
|
|
|
/* 32-bit arches must use fcntl64() */
|
2014-04-22 16:23:58 +04:00
|
|
|
case F_OFD_SETLK:
|
|
|
|
case F_OFD_SETLKW:
|
2020-08-24 01:36:59 +03:00
|
|
|
fallthrough;
|
2021-07-12 19:09:13 +03:00
|
|
|
#endif
|
2005-04-17 02:20:36 +04:00
|
|
|
case F_SETLK:
|
|
|
|
case F_SETLKW:
|
2017-05-27 13:07:19 +03:00
|
|
|
if (copy_from_user(&flock, argp, sizeof(flock)))
|
|
|
|
return -EFAULT;
|
|
|
|
err = fcntl_setlk(fd, filp, cmd, &flock);
|
2005-04-17 02:20:36 +04:00
|
|
|
break;
|
|
|
|
case F_GETOWN:
|
|
|
|
/*
|
|
|
|
* XXX If f_owner is a process group, the
|
|
|
|
* negative return value will get converted
|
|
|
|
* into an error. Oops. If we keep the
|
|
|
|
* current syscall conventions, the only way
|
|
|
|
* to fix this will be in libc.
|
|
|
|
*/
|
2006-10-02 13:17:15 +04:00
|
|
|
err = f_getown(filp);
|
2005-04-17 02:20:36 +04:00
|
|
|
force_successful_syscall_return();
|
|
|
|
break;
|
|
|
|
case F_SETOWN:
|
2017-06-13 14:35:50 +03:00
|
|
|
err = f_setown(filp, arg, 1);
|
2005-04-17 02:20:36 +04:00
|
|
|
break;
|
2009-09-24 02:57:03 +04:00
|
|
|
case F_GETOWN_EX:
|
|
|
|
err = f_getown_ex(filp, arg);
|
|
|
|
break;
|
|
|
|
case F_SETOWN_EX:
|
|
|
|
err = f_setown_ex(filp, arg);
|
|
|
|
break;
|
2012-07-31 01:43:00 +04:00
|
|
|
case F_GETOWNER_UIDS:
|
|
|
|
err = f_getowner_uids(filp, arg);
|
|
|
|
break;
|
2005-04-17 02:20:36 +04:00
|
|
|
case F_GETSIG:
|
|
|
|
err = filp->f_owner.signum;
|
|
|
|
break;
|
|
|
|
case F_SETSIG:
|
|
|
|
/* arg == 0 restores default behaviour. */
|
2005-05-01 19:59:14 +04:00
|
|
|
if (!valid_signal(arg)) {
|
2005-04-17 02:20:36 +04:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
err = 0;
|
|
|
|
filp->f_owner.signum = arg;
|
|
|
|
break;
|
|
|
|
case F_GETLEASE:
|
|
|
|
err = fcntl_getlease(filp);
|
|
|
|
break;
|
|
|
|
case F_SETLEASE:
|
|
|
|
err = fcntl_setlease(fd, filp, arg);
|
|
|
|
break;
|
|
|
|
case F_NOTIFY:
|
|
|
|
err = fcntl_dirnotify(fd, filp, arg);
|
|
|
|
break;
|
2010-05-20 12:43:18 +04:00
|
|
|
case F_SETPIPE_SZ:
|
|
|
|
case F_GETPIPE_SZ:
|
|
|
|
err = pipe_fcntl(filp, cmd, arg);
|
|
|
|
break;
|
shm: add sealing API
If two processes share a common memory region, they usually want some
guarantees to allow safe access. This often includes:
- one side cannot overwrite data while the other reads it
- one side cannot shrink the buffer while the other accesses it
- one side cannot grow the buffer beyond previously set boundaries
If there is a trust-relationship between both parties, there is no need
for policy enforcement. However, if there's no trust relationship (eg.,
for general-purpose IPC) sharing memory-regions is highly fragile and
often not possible without local copies. Look at the following two
use-cases:
1) A graphics client wants to share its rendering-buffer with a
graphics-server. The memory-region is allocated by the client for
read/write access and a second FD is passed to the server. While
scanning out from the memory region, the server has no guarantee that
the client doesn't shrink the buffer at any time, requiring rather
cumbersome SIGBUS handling.
2) A process wants to perform an RPC on another process. To avoid huge
bandwidth consumption, zero-copy is preferred. After a message is
assembled in-memory and a FD is passed to the remote side, both sides
want to be sure that neither modifies this shared copy, anymore. The
source may have put sensible data into the message without a separate
copy and the target may want to parse the message inline, to avoid a
local copy.
While SIGBUS handling, POSIX mandatory locking and MAP_DENYWRITE provide
ways to achieve most of this, the first one is unproportionally ugly to
use in libraries and the latter two are broken/racy or even disabled due
to denial of service attacks.
This patch introduces the concept of SEALING. If you seal a file, a
specific set of operations is blocked on that file forever. Unlike locks,
seals can only be set, never removed. Hence, once you verified a specific
set of seals is set, you're guaranteed that no-one can perform the blocked
operations on this file, anymore.
An initial set of SEALS is introduced by this patch:
- SHRINK: If SEAL_SHRINK is set, the file in question cannot be reduced
in size. This affects ftruncate() and open(O_TRUNC).
- GROW: If SEAL_GROW is set, the file in question cannot be increased
in size. This affects ftruncate(), fallocate() and write().
- WRITE: If SEAL_WRITE is set, no write operations (besides resizing)
are possible. This affects fallocate(PUNCH_HOLE), mmap() and
write().
- SEAL: If SEAL_SEAL is set, no further seals can be added to a file.
This basically prevents the F_ADD_SEAL operation on a file and
can be set to prevent others from adding further seals that you
don't want.
The described use-cases can easily use these seals to provide safe use
without any trust-relationship:
1) The graphics server can verify that a passed file-descriptor has
SEAL_SHRINK set. This allows safe scanout, while the client is
allowed to increase buffer size for window-resizing on-the-fly.
Concurrent writes are explicitly allowed.
2) For general-purpose IPC, both processes can verify that SEAL_SHRINK,
SEAL_GROW and SEAL_WRITE are set. This guarantees that neither
process can modify the data while the other side parses it.
Furthermore, it guarantees that even with writable FDs passed to the
peer, it cannot increase the size to hit memory-limits of the source
process (in case the file-storage is accounted to the source).
The new API is an extension to fcntl(), adding two new commands:
F_GET_SEALS: Return a bitset describing the seals on the file. This
can be called on any FD if the underlying file supports
sealing.
F_ADD_SEALS: Change the seals of a given file. This requires WRITE
access to the file and F_SEAL_SEAL may not already be set.
Furthermore, the underlying file must support sealing and
there may not be any existing shared mapping of that file.
Otherwise, EBADF/EPERM is returned.
The given seals are _added_ to the existing set of seals
on the file. You cannot remove seals again.
The fcntl() handler is currently specific to shmem and disabled on all
files. A file needs to explicitly support sealing for this interface to
work. A separate syscall is added in a follow-up, which creates files that
support sealing. There is no intention to support this on other
file-systems. Semantics are unclear for non-volatile files and we lack any
use-case right now. Therefore, the implementation is specific to shmem.
Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Acked-by: Hugh Dickins <hughd@google.com>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Ryan Lortie <desrt@desrt.ca>
Cc: Lennart Poettering <lennart@poettering.net>
Cc: Daniel Mack <zonque@gmail.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-08-09 01:25:27 +04:00
|
|
|
case F_ADD_SEALS:
|
|
|
|
case F_GET_SEALS:
|
2018-02-01 03:19:18 +03:00
|
|
|
err = memfd_fcntl(filp, cmd, arg);
|
shm: add sealing API
If two processes share a common memory region, they usually want some
guarantees to allow safe access. This often includes:
- one side cannot overwrite data while the other reads it
- one side cannot shrink the buffer while the other accesses it
- one side cannot grow the buffer beyond previously set boundaries
If there is a trust-relationship between both parties, there is no need
for policy enforcement. However, if there's no trust relationship (eg.,
for general-purpose IPC) sharing memory-regions is highly fragile and
often not possible without local copies. Look at the following two
use-cases:
1) A graphics client wants to share its rendering-buffer with a
graphics-server. The memory-region is allocated by the client for
read/write access and a second FD is passed to the server. While
scanning out from the memory region, the server has no guarantee that
the client doesn't shrink the buffer at any time, requiring rather
cumbersome SIGBUS handling.
2) A process wants to perform an RPC on another process. To avoid huge
bandwidth consumption, zero-copy is preferred. After a message is
assembled in-memory and a FD is passed to the remote side, both sides
want to be sure that neither modifies this shared copy, anymore. The
source may have put sensible data into the message without a separate
copy and the target may want to parse the message inline, to avoid a
local copy.
While SIGBUS handling, POSIX mandatory locking and MAP_DENYWRITE provide
ways to achieve most of this, the first one is unproportionally ugly to
use in libraries and the latter two are broken/racy or even disabled due
to denial of service attacks.
This patch introduces the concept of SEALING. If you seal a file, a
specific set of operations is blocked on that file forever. Unlike locks,
seals can only be set, never removed. Hence, once you verified a specific
set of seals is set, you're guaranteed that no-one can perform the blocked
operations on this file, anymore.
An initial set of SEALS is introduced by this patch:
- SHRINK: If SEAL_SHRINK is set, the file in question cannot be reduced
in size. This affects ftruncate() and open(O_TRUNC).
- GROW: If SEAL_GROW is set, the file in question cannot be increased
in size. This affects ftruncate(), fallocate() and write().
- WRITE: If SEAL_WRITE is set, no write operations (besides resizing)
are possible. This affects fallocate(PUNCH_HOLE), mmap() and
write().
- SEAL: If SEAL_SEAL is set, no further seals can be added to a file.
This basically prevents the F_ADD_SEAL operation on a file and
can be set to prevent others from adding further seals that you
don't want.
The described use-cases can easily use these seals to provide safe use
without any trust-relationship:
1) The graphics server can verify that a passed file-descriptor has
SEAL_SHRINK set. This allows safe scanout, while the client is
allowed to increase buffer size for window-resizing on-the-fly.
Concurrent writes are explicitly allowed.
2) For general-purpose IPC, both processes can verify that SEAL_SHRINK,
SEAL_GROW and SEAL_WRITE are set. This guarantees that neither
process can modify the data while the other side parses it.
Furthermore, it guarantees that even with writable FDs passed to the
peer, it cannot increase the size to hit memory-limits of the source
process (in case the file-storage is accounted to the source).
The new API is an extension to fcntl(), adding two new commands:
F_GET_SEALS: Return a bitset describing the seals on the file. This
can be called on any FD if the underlying file supports
sealing.
F_ADD_SEALS: Change the seals of a given file. This requires WRITE
access to the file and F_SEAL_SEAL may not already be set.
Furthermore, the underlying file must support sealing and
there may not be any existing shared mapping of that file.
Otherwise, EBADF/EPERM is returned.
The given seals are _added_ to the existing set of seals
on the file. You cannot remove seals again.
The fcntl() handler is currently specific to shmem and disabled on all
files. A file needs to explicitly support sealing for this interface to
work. A separate syscall is added in a follow-up, which creates files that
support sealing. There is no intention to support this on other
file-systems. Semantics are unclear for non-volatile files and we lack any
use-case right now. Therefore, the implementation is specific to shmem.
Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Acked-by: Hugh Dickins <hughd@google.com>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Ryan Lortie <desrt@desrt.ca>
Cc: Lennart Poettering <lennart@poettering.net>
Cc: Daniel Mack <zonque@gmail.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-08-09 01:25:27 +04:00
|
|
|
break;
|
fs: add fcntl() interface for setting/getting write life time hints
Define a set of write life time hints:
RWH_WRITE_LIFE_NOT_SET No hint information set
RWH_WRITE_LIFE_NONE No hints about write life time
RWH_WRITE_LIFE_SHORT Data written has a short life time
RWH_WRITE_LIFE_MEDIUM Data written has a medium life time
RWH_WRITE_LIFE_LONG Data written has a long life time
RWH_WRITE_LIFE_EXTREME Data written has an extremely long life time
The intent is for these values to be relative to each other, no
absolute meaning should be attached to these flag names.
Add an fcntl interface for querying these flags, and also for
setting them as well:
F_GET_RW_HINT Returns the read/write hint set on the
underlying inode.
F_SET_RW_HINT Set one of the above write hints on the
underlying inode.
F_GET_FILE_RW_HINT Returns the read/write hint set on the
file descriptor.
F_SET_FILE_RW_HINT Set one of the above write hints on the
file descriptor.
The user passes in a 64-bit pointer to get/set these values, and
the interface returns 0/-1 on success/error.
Sample program testing/implementing basic setting/getting of write
hints is below.
Add support for storing the write life time hint in the inode flags
and in struct file as well, and pass them to the kiocb flags. If
both a file and its corresponding inode has a write hint, then we
use the one in the file, if available. The file hint can be used
for sync/direct IO, for buffered writeback only the inode hint
is available.
This is in preparation for utilizing these hints in the block layer,
to guide on-media data placement.
/*
* writehint.c: get or set an inode write hint
*/
#include <stdio.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
#include <stdbool.h>
#include <inttypes.h>
#ifndef F_GET_RW_HINT
#define F_LINUX_SPECIFIC_BASE 1024
#define F_GET_RW_HINT (F_LINUX_SPECIFIC_BASE + 11)
#define F_SET_RW_HINT (F_LINUX_SPECIFIC_BASE + 12)
#endif
static char *str[] = { "RWF_WRITE_LIFE_NOT_SET", "RWH_WRITE_LIFE_NONE",
"RWH_WRITE_LIFE_SHORT", "RWH_WRITE_LIFE_MEDIUM",
"RWH_WRITE_LIFE_LONG", "RWH_WRITE_LIFE_EXTREME" };
int main(int argc, char *argv[])
{
uint64_t hint;
int fd, ret;
if (argc < 2) {
fprintf(stderr, "%s: file <hint>\n", argv[0]);
return 1;
}
fd = open(argv[1], O_RDONLY);
if (fd < 0) {
perror("open");
return 2;
}
if (argc > 2) {
hint = atoi(argv[2]);
ret = fcntl(fd, F_SET_RW_HINT, &hint);
if (ret < 0) {
perror("fcntl: F_SET_RW_HINT");
return 4;
}
}
ret = fcntl(fd, F_GET_RW_HINT, &hint);
if (ret < 0) {
perror("fcntl: F_GET_RW_HINT");
return 3;
}
printf("%s: hint %s\n", argv[1], str[hint]);
close(fd);
return 0;
}
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2017-06-27 20:47:04 +03:00
|
|
|
case F_GET_RW_HINT:
|
|
|
|
case F_SET_RW_HINT:
|
|
|
|
err = fcntl_rw_hint(filp, cmd, arg);
|
|
|
|
break;
|
2005-04-17 02:20:36 +04:00
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
New kind of open files - "location only".
New flag for open(2) - O_PATH. Semantics:
* pathname is resolved, but the file itself is _NOT_ opened
as far as filesystem is concerned.
* almost all operations on the resulting descriptors shall
fail with -EBADF. Exceptions are:
1) operations on descriptors themselves (i.e.
close(), dup(), dup2(), dup3(), fcntl(fd, F_DUPFD),
fcntl(fd, F_DUPFD_CLOEXEC, ...), fcntl(fd, F_GETFD),
fcntl(fd, F_SETFD, ...))
2) fcntl(fd, F_GETFL), for a common non-destructive way to
check if descriptor is open
3) "dfd" arguments of ...at(2) syscalls, i.e. the starting
points of pathname resolution
* closing such descriptor does *NOT* affect dnotify or
posix locks.
* permissions are checked as usual along the way to file;
no permission checks are applied to the file itself. Of course,
giving such thing to syscall will result in permission checks (at
the moment it means checking that starting point of ....at() is
a directory and caller has exec permissions on it).
fget() and fget_light() return NULL on such descriptors; use of
fget_raw() and fget_raw_light() is needed to get them. That protects
existing code from dealing with those things.
There are two things still missing (they come in the next commits):
one is handling of symlinks (right now we refuse to open them that
way; see the next commit for semantics related to those) and another
is descriptor passing via SCM_RIGHTS datagrams.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2011-03-13 10:51:11 +03:00
|
|
|
static int check_fcntl_cmd(unsigned cmd)
|
|
|
|
{
|
|
|
|
switch (cmd) {
|
|
|
|
case F_DUPFD:
|
|
|
|
case F_DUPFD_CLOEXEC:
|
|
|
|
case F_GETFD:
|
|
|
|
case F_SETFD:
|
|
|
|
case F_GETFL:
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2009-01-14 16:14:17 +03:00
|
|
|
SYSCALL_DEFINE3(fcntl, unsigned int, fd, unsigned int, cmd, unsigned long, arg)
|
2005-04-17 02:20:36 +04:00
|
|
|
{
|
2012-08-28 20:52:22 +04:00
|
|
|
struct fd f = fdget_raw(fd);
|
2005-04-17 02:20:36 +04:00
|
|
|
long err = -EBADF;
|
|
|
|
|
2012-08-28 20:52:22 +04:00
|
|
|
if (!f.file)
|
2005-04-17 02:20:36 +04:00
|
|
|
goto out;
|
|
|
|
|
2012-08-28 20:52:22 +04:00
|
|
|
if (unlikely(f.file->f_mode & FMODE_PATH)) {
|
2012-04-22 02:42:19 +04:00
|
|
|
if (!check_fcntl_cmd(cmd))
|
|
|
|
goto out1;
|
New kind of open files - "location only".
New flag for open(2) - O_PATH. Semantics:
* pathname is resolved, but the file itself is _NOT_ opened
as far as filesystem is concerned.
* almost all operations on the resulting descriptors shall
fail with -EBADF. Exceptions are:
1) operations on descriptors themselves (i.e.
close(), dup(), dup2(), dup3(), fcntl(fd, F_DUPFD),
fcntl(fd, F_DUPFD_CLOEXEC, ...), fcntl(fd, F_GETFD),
fcntl(fd, F_SETFD, ...))
2) fcntl(fd, F_GETFL), for a common non-destructive way to
check if descriptor is open
3) "dfd" arguments of ...at(2) syscalls, i.e. the starting
points of pathname resolution
* closing such descriptor does *NOT* affect dnotify or
posix locks.
* permissions are checked as usual along the way to file;
no permission checks are applied to the file itself. Of course,
giving such thing to syscall will result in permission checks (at
the moment it means checking that starting point of ....at() is
a directory and caller has exec permissions on it).
fget() and fget_light() return NULL on such descriptors; use of
fget_raw() and fget_raw_light() is needed to get them. That protects
existing code from dealing with those things.
There are two things still missing (they come in the next commits):
one is handling of symlinks (right now we refuse to open them that
way; see the next commit for semantics related to those) and another
is descriptor passing via SCM_RIGHTS datagrams.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2011-03-13 10:51:11 +03:00
|
|
|
}
|
|
|
|
|
2012-08-28 20:52:22 +04:00
|
|
|
err = security_file_fcntl(f.file, cmd, arg);
|
2012-04-22 02:42:19 +04:00
|
|
|
if (!err)
|
2012-08-28 20:52:22 +04:00
|
|
|
err = do_fcntl(fd, cmd, arg, f.file);
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2012-04-22 02:42:19 +04:00
|
|
|
out1:
|
2012-08-28 20:52:22 +04:00
|
|
|
fdput(f);
|
2005-04-17 02:20:36 +04:00
|
|
|
out:
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
#if BITS_PER_LONG == 32
|
2009-01-14 16:14:17 +03:00
|
|
|
SYSCALL_DEFINE3(fcntl64, unsigned int, fd, unsigned int, cmd,
|
|
|
|
unsigned long, arg)
|
2005-04-17 02:20:36 +04:00
|
|
|
{
|
2017-05-27 13:07:19 +03:00
|
|
|
void __user *argp = (void __user *)arg;
|
2012-08-28 20:52:22 +04:00
|
|
|
struct fd f = fdget_raw(fd);
|
2017-05-27 13:07:19 +03:00
|
|
|
struct flock64 flock;
|
2012-04-22 02:42:19 +04:00
|
|
|
long err = -EBADF;
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2012-08-28 20:52:22 +04:00
|
|
|
if (!f.file)
|
2005-04-17 02:20:36 +04:00
|
|
|
goto out;
|
|
|
|
|
2012-08-28 20:52:22 +04:00
|
|
|
if (unlikely(f.file->f_mode & FMODE_PATH)) {
|
2012-04-22 02:42:19 +04:00
|
|
|
if (!check_fcntl_cmd(cmd))
|
|
|
|
goto out1;
|
New kind of open files - "location only".
New flag for open(2) - O_PATH. Semantics:
* pathname is resolved, but the file itself is _NOT_ opened
as far as filesystem is concerned.
* almost all operations on the resulting descriptors shall
fail with -EBADF. Exceptions are:
1) operations on descriptors themselves (i.e.
close(), dup(), dup2(), dup3(), fcntl(fd, F_DUPFD),
fcntl(fd, F_DUPFD_CLOEXEC, ...), fcntl(fd, F_GETFD),
fcntl(fd, F_SETFD, ...))
2) fcntl(fd, F_GETFL), for a common non-destructive way to
check if descriptor is open
3) "dfd" arguments of ...at(2) syscalls, i.e. the starting
points of pathname resolution
* closing such descriptor does *NOT* affect dnotify or
posix locks.
* permissions are checked as usual along the way to file;
no permission checks are applied to the file itself. Of course,
giving such thing to syscall will result in permission checks (at
the moment it means checking that starting point of ....at() is
a directory and caller has exec permissions on it).
fget() and fget_light() return NULL on such descriptors; use of
fget_raw() and fget_raw_light() is needed to get them. That protects
existing code from dealing with those things.
There are two things still missing (they come in the next commits):
one is handling of symlinks (right now we refuse to open them that
way; see the next commit for semantics related to those) and another
is descriptor passing via SCM_RIGHTS datagrams.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2011-03-13 10:51:11 +03:00
|
|
|
}
|
|
|
|
|
2012-08-28 20:52:22 +04:00
|
|
|
err = security_file_fcntl(f.file, cmd, arg);
|
2012-04-22 02:42:19 +04:00
|
|
|
if (err)
|
|
|
|
goto out1;
|
2005-04-17 02:20:36 +04:00
|
|
|
|
|
|
|
switch (cmd) {
|
2014-02-03 21:13:10 +04:00
|
|
|
case F_GETLK64:
|
2014-04-22 16:23:58 +04:00
|
|
|
case F_OFD_GETLK:
|
2017-05-27 13:07:19 +03:00
|
|
|
err = -EFAULT;
|
|
|
|
if (copy_from_user(&flock, argp, sizeof(flock)))
|
|
|
|
break;
|
|
|
|
err = fcntl_getlk64(f.file, cmd, &flock);
|
|
|
|
if (!err && copy_to_user(argp, &flock, sizeof(flock)))
|
|
|
|
err = -EFAULT;
|
2014-02-03 21:13:10 +04:00
|
|
|
break;
|
|
|
|
case F_SETLK64:
|
|
|
|
case F_SETLKW64:
|
2014-04-22 16:23:58 +04:00
|
|
|
case F_OFD_SETLK:
|
|
|
|
case F_OFD_SETLKW:
|
2017-05-27 13:07:19 +03:00
|
|
|
err = -EFAULT;
|
|
|
|
if (copy_from_user(&flock, argp, sizeof(flock)))
|
|
|
|
break;
|
|
|
|
err = fcntl_setlk64(fd, f.file, cmd, &flock);
|
2014-02-03 21:13:10 +04:00
|
|
|
break;
|
|
|
|
default:
|
|
|
|
err = do_fcntl(fd, cmd, arg, f.file);
|
|
|
|
break;
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
2012-04-22 02:42:19 +04:00
|
|
|
out1:
|
2012-08-28 20:52:22 +04:00
|
|
|
fdput(f);
|
2005-04-17 02:20:36 +04:00
|
|
|
out:
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2017-04-09 01:10:56 +03:00
|
|
|
#ifdef CONFIG_COMPAT
|
2017-06-27 06:51:31 +03:00
|
|
|
/* careful - don't use anywhere else */
|
2017-07-07 23:48:18 +03:00
|
|
|
#define copy_flock_fields(dst, src) \
|
|
|
|
(dst)->l_type = (src)->l_type; \
|
|
|
|
(dst)->l_whence = (src)->l_whence; \
|
|
|
|
(dst)->l_start = (src)->l_start; \
|
|
|
|
(dst)->l_len = (src)->l_len; \
|
|
|
|
(dst)->l_pid = (src)->l_pid;
|
|
|
|
|
|
|
|
static int get_compat_flock(struct flock *kfl, const struct compat_flock __user *ufl)
|
2017-04-09 01:10:56 +03:00
|
|
|
{
|
2017-06-27 06:51:31 +03:00
|
|
|
struct compat_flock fl;
|
|
|
|
|
|
|
|
if (copy_from_user(&fl, ufl, sizeof(struct compat_flock)))
|
2017-04-09 01:10:56 +03:00
|
|
|
return -EFAULT;
|
2017-07-07 23:48:18 +03:00
|
|
|
copy_flock_fields(kfl, &fl);
|
2017-04-09 01:10:56 +03:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2017-07-07 23:48:18 +03:00
|
|
|
static int get_compat_flock64(struct flock *kfl, const struct compat_flock64 __user *ufl)
|
2017-04-09 01:10:56 +03:00
|
|
|
{
|
2017-06-27 06:51:31 +03:00
|
|
|
struct compat_flock64 fl;
|
|
|
|
|
|
|
|
if (copy_from_user(&fl, ufl, sizeof(struct compat_flock64)))
|
2017-04-09 01:10:56 +03:00
|
|
|
return -EFAULT;
|
2017-07-07 23:48:18 +03:00
|
|
|
copy_flock_fields(kfl, &fl);
|
2017-04-09 01:10:56 +03:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2017-07-07 23:48:18 +03:00
|
|
|
static int put_compat_flock(const struct flock *kfl, struct compat_flock __user *ufl)
|
2017-04-09 01:10:56 +03:00
|
|
|
{
|
2017-06-27 06:51:31 +03:00
|
|
|
struct compat_flock fl;
|
|
|
|
|
|
|
|
memset(&fl, 0, sizeof(struct compat_flock));
|
2017-07-07 23:48:18 +03:00
|
|
|
copy_flock_fields(&fl, kfl);
|
2017-06-27 06:51:31 +03:00
|
|
|
if (copy_to_user(ufl, &fl, sizeof(struct compat_flock)))
|
2017-04-09 01:10:56 +03:00
|
|
|
return -EFAULT;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2017-07-07 23:48:18 +03:00
|
|
|
static int put_compat_flock64(const struct flock *kfl, struct compat_flock64 __user *ufl)
|
2017-04-09 01:10:56 +03:00
|
|
|
{
|
2017-06-27 06:51:31 +03:00
|
|
|
struct compat_flock64 fl;
|
|
|
|
|
2017-11-14 22:42:57 +03:00
|
|
|
BUILD_BUG_ON(sizeof(kfl->l_start) > sizeof(ufl->l_start));
|
|
|
|
BUILD_BUG_ON(sizeof(kfl->l_len) > sizeof(ufl->l_len));
|
|
|
|
|
2017-06-27 06:51:31 +03:00
|
|
|
memset(&fl, 0, sizeof(struct compat_flock64));
|
2017-07-07 23:48:18 +03:00
|
|
|
copy_flock_fields(&fl, kfl);
|
2017-06-27 06:51:31 +03:00
|
|
|
if (copy_to_user(ufl, &fl, sizeof(struct compat_flock64)))
|
2017-04-09 01:10:56 +03:00
|
|
|
return -EFAULT;
|
|
|
|
return 0;
|
|
|
|
}
|
2017-06-27 06:51:31 +03:00
|
|
|
#undef copy_flock_fields
|
2017-04-09 01:10:56 +03:00
|
|
|
|
|
|
|
static unsigned int
|
|
|
|
convert_fcntl_cmd(unsigned int cmd)
|
|
|
|
{
|
|
|
|
switch (cmd) {
|
|
|
|
case F_GETLK64:
|
|
|
|
return F_GETLK;
|
|
|
|
case F_SETLK64:
|
|
|
|
return F_SETLK;
|
|
|
|
case F_SETLKW64:
|
|
|
|
return F_SETLKW;
|
|
|
|
}
|
|
|
|
|
|
|
|
return cmd;
|
|
|
|
}
|
|
|
|
|
2017-05-27 13:07:20 +03:00
|
|
|
/*
|
|
|
|
* GETLK was successful and we need to return the data, but it needs to fit in
|
|
|
|
* the compat structure.
|
|
|
|
* l_start shouldn't be too big, unless the original start + end is greater than
|
|
|
|
* COMPAT_OFF_T_MAX, in which case the app was asking for trouble, so we return
|
|
|
|
* -EOVERFLOW in that case. l_len could be too big, in which case we just
|
|
|
|
* truncate it, and only allow the app to see that part of the conflicting lock
|
|
|
|
* that might make sense to it anyway
|
|
|
|
*/
|
|
|
|
static int fixup_compat_flock(struct flock *flock)
|
|
|
|
{
|
|
|
|
if (flock->l_start > COMPAT_OFF_T_MAX)
|
|
|
|
return -EOVERFLOW;
|
|
|
|
if (flock->l_len > COMPAT_OFF_T_MAX)
|
|
|
|
flock->l_len = COMPAT_OFF_T_MAX;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2018-03-20 21:29:53 +03:00
|
|
|
static long do_compat_fcntl64(unsigned int fd, unsigned int cmd,
|
|
|
|
compat_ulong_t arg)
|
2017-04-09 01:10:56 +03:00
|
|
|
{
|
2017-05-27 13:07:20 +03:00
|
|
|
struct fd f = fdget_raw(fd);
|
|
|
|
struct flock flock;
|
|
|
|
long err = -EBADF;
|
|
|
|
|
|
|
|
if (!f.file)
|
|
|
|
return err;
|
|
|
|
|
|
|
|
if (unlikely(f.file->f_mode & FMODE_PATH)) {
|
|
|
|
if (!check_fcntl_cmd(cmd))
|
|
|
|
goto out_put;
|
|
|
|
}
|
|
|
|
|
|
|
|
err = security_file_fcntl(f.file, cmd, arg);
|
|
|
|
if (err)
|
|
|
|
goto out_put;
|
2017-04-09 01:10:56 +03:00
|
|
|
|
|
|
|
switch (cmd) {
|
|
|
|
case F_GETLK:
|
2017-05-27 13:07:20 +03:00
|
|
|
err = get_compat_flock(&flock, compat_ptr(arg));
|
|
|
|
if (err)
|
|
|
|
break;
|
|
|
|
err = fcntl_getlk(f.file, convert_fcntl_cmd(cmd), &flock);
|
|
|
|
if (err)
|
|
|
|
break;
|
|
|
|
err = fixup_compat_flock(&flock);
|
2017-11-14 22:43:56 +03:00
|
|
|
if (!err)
|
|
|
|
err = put_compat_flock(&flock, compat_ptr(arg));
|
2017-05-27 13:07:20 +03:00
|
|
|
break;
|
|
|
|
case F_GETLK64:
|
|
|
|
case F_OFD_GETLK:
|
|
|
|
err = get_compat_flock64(&flock, compat_ptr(arg));
|
|
|
|
if (err)
|
|
|
|
break;
|
|
|
|
err = fcntl_getlk(f.file, convert_fcntl_cmd(cmd), &flock);
|
2017-11-14 22:42:57 +03:00
|
|
|
if (!err)
|
|
|
|
err = put_compat_flock64(&flock, compat_ptr(arg));
|
2017-05-27 13:07:20 +03:00
|
|
|
break;
|
2017-04-09 01:10:56 +03:00
|
|
|
case F_SETLK:
|
|
|
|
case F_SETLKW:
|
2017-05-27 13:07:20 +03:00
|
|
|
err = get_compat_flock(&flock, compat_ptr(arg));
|
|
|
|
if (err)
|
2017-04-09 01:10:56 +03:00
|
|
|
break;
|
2017-05-27 13:07:20 +03:00
|
|
|
err = fcntl_setlk(fd, f.file, convert_fcntl_cmd(cmd), &flock);
|
2017-04-09 01:10:56 +03:00
|
|
|
break;
|
|
|
|
case F_SETLK64:
|
|
|
|
case F_SETLKW64:
|
|
|
|
case F_OFD_SETLK:
|
|
|
|
case F_OFD_SETLKW:
|
2017-05-27 13:07:20 +03:00
|
|
|
err = get_compat_flock64(&flock, compat_ptr(arg));
|
|
|
|
if (err)
|
2017-04-09 01:10:56 +03:00
|
|
|
break;
|
2017-05-27 13:07:20 +03:00
|
|
|
err = fcntl_setlk(fd, f.file, convert_fcntl_cmd(cmd), &flock);
|
2017-04-09 01:10:56 +03:00
|
|
|
break;
|
|
|
|
default:
|
2017-05-27 13:07:20 +03:00
|
|
|
err = do_fcntl(fd, cmd, arg, f.file);
|
2017-04-09 01:10:56 +03:00
|
|
|
break;
|
|
|
|
}
|
2017-05-27 13:07:20 +03:00
|
|
|
out_put:
|
|
|
|
fdput(f);
|
|
|
|
return err;
|
2017-04-09 01:10:56 +03:00
|
|
|
}
|
|
|
|
|
2018-03-20 21:29:53 +03:00
|
|
|
COMPAT_SYSCALL_DEFINE3(fcntl64, unsigned int, fd, unsigned int, cmd,
|
|
|
|
compat_ulong_t, arg)
|
|
|
|
{
|
|
|
|
return do_compat_fcntl64(fd, cmd, arg);
|
|
|
|
}
|
|
|
|
|
2017-04-09 01:10:56 +03:00
|
|
|
COMPAT_SYSCALL_DEFINE3(fcntl, unsigned int, fd, unsigned int, cmd,
|
|
|
|
compat_ulong_t, arg)
|
|
|
|
{
|
|
|
|
switch (cmd) {
|
|
|
|
case F_GETLK64:
|
|
|
|
case F_SETLK64:
|
|
|
|
case F_SETLKW64:
|
|
|
|
case F_OFD_GETLK:
|
|
|
|
case F_OFD_SETLK:
|
|
|
|
case F_OFD_SETLKW:
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
2018-03-20 21:29:53 +03:00
|
|
|
return do_compat_fcntl64(fd, cmd, arg);
|
2017-04-09 01:10:56 +03:00
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2005-04-17 02:20:36 +04:00
|
|
|
/* Table to convert sigio signal codes into poll band bitmaps */
|
|
|
|
|
2017-07-17 05:14:00 +03:00
|
|
|
static const __poll_t band_table[NSIGPOLL] = {
|
2018-02-12 01:34:03 +03:00
|
|
|
EPOLLIN | EPOLLRDNORM, /* POLL_IN */
|
|
|
|
EPOLLOUT | EPOLLWRNORM | EPOLLWRBAND, /* POLL_OUT */
|
|
|
|
EPOLLIN | EPOLLRDNORM | EPOLLMSG, /* POLL_MSG */
|
|
|
|
EPOLLERR, /* POLL_ERR */
|
|
|
|
EPOLLPRI | EPOLLRDBAND, /* POLL_PRI */
|
|
|
|
EPOLLHUP | EPOLLERR /* POLL_HUP */
|
2005-04-17 02:20:36 +04:00
|
|
|
};
|
|
|
|
|
|
|
|
static inline int sigio_perm(struct task_struct *p,
|
|
|
|
struct fown_struct *fown, int sig)
|
|
|
|
{
|
2008-11-14 02:39:19 +03:00
|
|
|
const struct cred *cred;
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
rcu_read_lock();
|
|
|
|
cred = __task_cred(p);
|
2012-03-04 09:17:15 +04:00
|
|
|
ret = ((uid_eq(fown->euid, GLOBAL_ROOT_UID) ||
|
|
|
|
uid_eq(fown->euid, cred->suid) || uid_eq(fown->euid, cred->uid) ||
|
|
|
|
uid_eq(fown->uid, cred->suid) || uid_eq(fown->uid, cred->uid)) &&
|
2008-11-14 02:39:19 +03:00
|
|
|
!security_file_send_sigiotask(p, fown, sig));
|
|
|
|
rcu_read_unlock();
|
|
|
|
return ret;
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
static void send_sigio_to_task(struct task_struct *p,
|
2009-06-17 02:27:10 +04:00
|
|
|
struct fown_struct *fown,
|
2018-07-21 16:17:29 +03:00
|
|
|
int fd, int reason, enum pid_type type)
|
2005-04-17 02:20:36 +04:00
|
|
|
{
|
2009-06-17 02:27:10 +04:00
|
|
|
/*
|
|
|
|
* F_SETSIG can change ->signum lockless in parallel, make
|
|
|
|
* sure we read it once and use the same value throughout.
|
|
|
|
*/
|
locking/atomics: COCCINELLE/treewide: Convert trivial ACCESS_ONCE() patterns to READ_ONCE()/WRITE_ONCE()
Please do not apply this to mainline directly, instead please re-run the
coccinelle script shown below and apply its output.
For several reasons, it is desirable to use {READ,WRITE}_ONCE() in
preference to ACCESS_ONCE(), and new code is expected to use one of the
former. So far, there's been no reason to change most existing uses of
ACCESS_ONCE(), as these aren't harmful, and changing them results in
churn.
However, for some features, the read/write distinction is critical to
correct operation. To distinguish these cases, separate read/write
accessors must be used. This patch migrates (most) remaining
ACCESS_ONCE() instances to {READ,WRITE}_ONCE(), using the following
coccinelle script:
----
// Convert trivial ACCESS_ONCE() uses to equivalent READ_ONCE() and
// WRITE_ONCE()
// $ make coccicheck COCCI=/home/mark/once.cocci SPFLAGS="--include-headers" MODE=patch
virtual patch
@ depends on patch @
expression E1, E2;
@@
- ACCESS_ONCE(E1) = E2
+ WRITE_ONCE(E1, E2)
@ depends on patch @
expression E;
@@
- ACCESS_ONCE(E)
+ READ_ONCE(E)
----
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: davem@davemloft.net
Cc: linux-arch@vger.kernel.org
Cc: mpe@ellerman.id.au
Cc: shuah@kernel.org
Cc: snitzer@redhat.com
Cc: thor.thayer@linux.intel.com
Cc: tj@kernel.org
Cc: viro@zeniv.linux.org.uk
Cc: will.deacon@arm.com
Link: http://lkml.kernel.org/r/1508792849-3115-19-git-send-email-paulmck@linux.vnet.ibm.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2017-10-24 00:07:29 +03:00
|
|
|
int signum = READ_ONCE(fown->signum);
|
2009-06-17 02:27:10 +04:00
|
|
|
|
|
|
|
if (!sigio_perm(p, fown, signum))
|
2005-04-17 02:20:36 +04:00
|
|
|
return;
|
|
|
|
|
2009-06-17 02:27:10 +04:00
|
|
|
switch (signum) {
|
2020-02-20 09:22:43 +03:00
|
|
|
default: {
|
|
|
|
kernel_siginfo_t si;
|
|
|
|
|
2005-04-17 02:20:36 +04:00
|
|
|
/* Queue a rt signal with the appropriate fd as its
|
|
|
|
value. We use SI_SIGIO as the source, not
|
|
|
|
SI_KERNEL, since kernel signals always get
|
|
|
|
delivered even if we can't queue. Failure to
|
|
|
|
queue in this case _should_ be reported; we fall
|
|
|
|
back to SIGIO in that case. --sct */
|
2018-01-06 02:27:42 +03:00
|
|
|
clear_siginfo(&si);
|
2009-06-17 02:27:10 +04:00
|
|
|
si.si_signo = signum;
|
2005-04-17 02:20:36 +04:00
|
|
|
si.si_errno = 0;
|
|
|
|
si.si_code = reason;
|
2017-06-29 17:28:50 +03:00
|
|
|
/*
|
|
|
|
* Posix definies POLL_IN and friends to be signal
|
|
|
|
* specific si_codes for SIG_POLL. Linux extended
|
|
|
|
* these si_codes to other signals in a way that is
|
|
|
|
* ambiguous if other signals also have signal
|
|
|
|
* specific si_codes. In that case use SI_SIGIO instead
|
|
|
|
* to remove the ambiguity.
|
|
|
|
*/
|
2017-09-19 06:51:14 +03:00
|
|
|
if ((signum != SIGPOLL) && sig_specific_sicodes(signum))
|
2017-06-29 17:28:50 +03:00
|
|
|
si.si_code = SI_SIGIO;
|
|
|
|
|
2005-04-17 02:20:36 +04:00
|
|
|
/* Make sure we are called with one of the POLL_*
|
|
|
|
reasons, otherwise we could leak kernel stack into
|
|
|
|
userspace. */
|
2017-06-29 17:28:50 +03:00
|
|
|
BUG_ON((reason < POLL_IN) || ((reason - POLL_IN) >= NSIGPOLL));
|
2005-04-17 02:20:36 +04:00
|
|
|
if (reason - POLL_IN >= NSIGPOLL)
|
|
|
|
si.si_band = ~0L;
|
|
|
|
else
|
2017-11-30 03:00:41 +03:00
|
|
|
si.si_band = mangle_poll(band_table[reason - POLL_IN]);
|
2005-04-17 02:20:36 +04:00
|
|
|
si.si_fd = fd;
|
2018-07-21 18:45:15 +03:00
|
|
|
if (!do_send_sig_info(signum, &si, p, type))
|
2005-04-17 02:20:36 +04:00
|
|
|
break;
|
2020-02-20 09:22:43 +03:00
|
|
|
}
|
2020-08-24 01:36:59 +03:00
|
|
|
fallthrough; /* fall back on the old plain SIGIO signal */
|
2005-04-17 02:20:36 +04:00
|
|
|
case 0:
|
2018-07-21 18:45:15 +03:00
|
|
|
do_send_sig_info(SIGIO, SEND_SIG_PRIV, p, type);
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
void send_sigio(struct fown_struct *fown, int fd, int band)
|
|
|
|
{
|
|
|
|
struct task_struct *p;
|
2006-10-02 13:17:15 +04:00
|
|
|
enum pid_type type;
|
2020-11-05 09:23:51 +03:00
|
|
|
unsigned long flags;
|
2006-10-02 13:17:15 +04:00
|
|
|
struct pid *pid;
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2020-11-05 09:23:51 +03:00
|
|
|
read_lock_irqsave(&fown->lock, flags);
|
2009-09-24 02:57:03 +04:00
|
|
|
|
2006-10-02 13:17:15 +04:00
|
|
|
type = fown->pid_type;
|
2005-04-17 02:20:36 +04:00
|
|
|
pid = fown->pid;
|
|
|
|
if (!pid)
|
|
|
|
goto out_unlock_fown;
|
2017-07-17 06:05:57 +03:00
|
|
|
|
|
|
|
if (type <= PIDTYPE_TGID) {
|
|
|
|
rcu_read_lock();
|
|
|
|
p = pid_task(pid, PIDTYPE_PID);
|
2018-08-16 05:20:46 +03:00
|
|
|
if (p)
|
|
|
|
send_sigio_to_task(p, fown, fd, band, type);
|
2017-07-17 06:05:57 +03:00
|
|
|
rcu_read_unlock();
|
|
|
|
} else {
|
|
|
|
read_lock(&tasklist_lock);
|
|
|
|
do_each_pid_task(pid, type, p) {
|
2018-07-21 16:17:29 +03:00
|
|
|
send_sigio_to_task(p, fown, fd, band, type);
|
2017-07-17 06:05:57 +03:00
|
|
|
} while_each_pid_task(pid, type, p);
|
|
|
|
read_unlock(&tasklist_lock);
|
|
|
|
}
|
2005-04-17 02:20:36 +04:00
|
|
|
out_unlock_fown:
|
2020-11-05 09:23:51 +03:00
|
|
|
read_unlock_irqrestore(&fown->lock, flags);
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
static void send_sigurg_to_task(struct task_struct *p,
|
2018-07-21 16:17:29 +03:00
|
|
|
struct fown_struct *fown, enum pid_type type)
|
2005-04-17 02:20:36 +04:00
|
|
|
{
|
|
|
|
if (sigio_perm(p, fown, SIGURG))
|
2018-07-21 18:45:15 +03:00
|
|
|
do_send_sig_info(SIGURG, SEND_SIG_PRIV, p, type);
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
int send_sigurg(struct fown_struct *fown)
|
|
|
|
{
|
|
|
|
struct task_struct *p;
|
2006-10-02 13:17:15 +04:00
|
|
|
enum pid_type type;
|
|
|
|
struct pid *pid;
|
2020-11-05 09:23:51 +03:00
|
|
|
unsigned long flags;
|
2006-10-02 13:17:15 +04:00
|
|
|
int ret = 0;
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2020-11-05 09:23:51 +03:00
|
|
|
read_lock_irqsave(&fown->lock, flags);
|
2009-09-24 02:57:03 +04:00
|
|
|
|
2006-10-02 13:17:15 +04:00
|
|
|
type = fown->pid_type;
|
2005-04-17 02:20:36 +04:00
|
|
|
pid = fown->pid;
|
|
|
|
if (!pid)
|
|
|
|
goto out_unlock_fown;
|
|
|
|
|
|
|
|
ret = 1;
|
2017-07-17 06:05:57 +03:00
|
|
|
|
|
|
|
if (type <= PIDTYPE_TGID) {
|
|
|
|
rcu_read_lock();
|
|
|
|
p = pid_task(pid, PIDTYPE_PID);
|
2018-08-16 05:20:46 +03:00
|
|
|
if (p)
|
|
|
|
send_sigurg_to_task(p, fown, type);
|
2017-07-17 06:05:57 +03:00
|
|
|
rcu_read_unlock();
|
|
|
|
} else {
|
|
|
|
read_lock(&tasklist_lock);
|
|
|
|
do_each_pid_task(pid, type, p) {
|
2018-07-21 16:17:29 +03:00
|
|
|
send_sigurg_to_task(p, fown, type);
|
2017-07-17 06:05:57 +03:00
|
|
|
} while_each_pid_task(pid, type, p);
|
|
|
|
read_unlock(&tasklist_lock);
|
|
|
|
}
|
2005-04-17 02:20:36 +04:00
|
|
|
out_unlock_fown:
|
2020-11-05 09:23:51 +03:00
|
|
|
read_unlock_irqrestore(&fown->lock, flags);
|
2005-04-17 02:20:36 +04:00
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2010-04-14 13:55:35 +04:00
|
|
|
static DEFINE_SPINLOCK(fasync_lock);
|
2006-12-07 07:33:20 +03:00
|
|
|
static struct kmem_cache *fasync_cache __read_mostly;
|
2005-04-17 02:20:36 +04:00
|
|
|
|
2010-04-14 13:55:35 +04:00
|
|
|
static void fasync_free_rcu(struct rcu_head *head)
|
|
|
|
{
|
|
|
|
kmem_cache_free(fasync_cache,
|
|
|
|
container_of(head, struct fasync_struct, fa_rcu));
|
|
|
|
}
|
|
|
|
|
2005-04-17 02:20:36 +04:00
|
|
|
/*
|
fasync: split 'fasync_helper()' into separate add/remove functions
Yes, the add and remove cases do share the same basic loop and the
locking, but the compiler can inline and then CSE some of the end result
anyway. And splitting it up makes the code way easier to follow,
and makes it clearer exactly what the semantics are.
In particular, we must make sure that the FASYNC flag in file->f_flags
exactly matches the state of "is this file on any fasync list", since
not only is that flag visible to user space (F_GETFL), but we also use
that flag to check whether we need to remove any fasync entries on file
close.
We got that wrong for the case of a mixed use of file locking (which
tries to remove any fasync entries for file leases) and fasync.
Splitting the function up also makes it possible to do some future
optimizations without making the function even messier. In particular,
since the FASYNC flag has to match the state of "is this on a list", we
can do the following future optimizations:
- on remove, we don't even need to get the locks and traverse the list
if FASYNC isn't set, since we can know a priori that there is no
point (this is effectively the same optimization that we already do
in __fput() wrt removing fasync on file close)
- on add, we can use the FASYNC flag to decide whether we are changing
an existing entry or need to allocate a new one.
but this is just the cleanup + fix for the FASYNC flag.
Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
Tested-by: Tavis Ormandy <taviso@google.com>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Matt Mackall <mpm@selenic.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-12-16 19:23:37 +03:00
|
|
|
* Remove a fasync entry. If successfully removed, return
|
|
|
|
* positive and clear the FASYNC flag. If no entry exists,
|
|
|
|
* do nothing and return 0.
|
|
|
|
*
|
|
|
|
* NOTE! It is very important that the FASYNC flag always
|
|
|
|
* match the state "is the filp on a fasync list".
|
|
|
|
*
|
2005-04-17 02:20:36 +04:00
|
|
|
*/
|
2010-10-27 20:38:12 +04:00
|
|
|
int fasync_remove_entry(struct file *filp, struct fasync_struct **fapp)
|
2005-04-17 02:20:36 +04:00
|
|
|
{
|
|
|
|
struct fasync_struct *fa, **fp;
|
|
|
|
int result = 0;
|
|
|
|
|
fasync: split 'fasync_helper()' into separate add/remove functions
Yes, the add and remove cases do share the same basic loop and the
locking, but the compiler can inline and then CSE some of the end result
anyway. And splitting it up makes the code way easier to follow,
and makes it clearer exactly what the semantics are.
In particular, we must make sure that the FASYNC flag in file->f_flags
exactly matches the state of "is this file on any fasync list", since
not only is that flag visible to user space (F_GETFL), but we also use
that flag to check whether we need to remove any fasync entries on file
close.
We got that wrong for the case of a mixed use of file locking (which
tries to remove any fasync entries for file leases) and fasync.
Splitting the function up also makes it possible to do some future
optimizations without making the function even messier. In particular,
since the FASYNC flag has to match the state of "is this on a list", we
can do the following future optimizations:
- on remove, we don't even need to get the locks and traverse the list
if FASYNC isn't set, since we can know a priori that there is no
point (this is effectively the same optimization that we already do
in __fput() wrt removing fasync on file close)
- on add, we can use the FASYNC flag to decide whether we are changing
an existing entry or need to allocate a new one.
but this is just the cleanup + fix for the FASYNC flag.
Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
Tested-by: Tavis Ormandy <taviso@google.com>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Matt Mackall <mpm@selenic.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-12-16 19:23:37 +03:00
|
|
|
spin_lock(&filp->f_lock);
|
2010-04-14 13:55:35 +04:00
|
|
|
spin_lock(&fasync_lock);
|
fasync: split 'fasync_helper()' into separate add/remove functions
Yes, the add and remove cases do share the same basic loop and the
locking, but the compiler can inline and then CSE some of the end result
anyway. And splitting it up makes the code way easier to follow,
and makes it clearer exactly what the semantics are.
In particular, we must make sure that the FASYNC flag in file->f_flags
exactly matches the state of "is this file on any fasync list", since
not only is that flag visible to user space (F_GETFL), but we also use
that flag to check whether we need to remove any fasync entries on file
close.
We got that wrong for the case of a mixed use of file locking (which
tries to remove any fasync entries for file leases) and fasync.
Splitting the function up also makes it possible to do some future
optimizations without making the function even messier. In particular,
since the FASYNC flag has to match the state of "is this on a list", we
can do the following future optimizations:
- on remove, we don't even need to get the locks and traverse the list
if FASYNC isn't set, since we can know a priori that there is no
point (this is effectively the same optimization that we already do
in __fput() wrt removing fasync on file close)
- on add, we can use the FASYNC flag to decide whether we are changing
an existing entry or need to allocate a new one.
but this is just the cleanup + fix for the FASYNC flag.
Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
Tested-by: Tavis Ormandy <taviso@google.com>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Matt Mackall <mpm@selenic.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-12-16 19:23:37 +03:00
|
|
|
for (fp = fapp; (fa = *fp) != NULL; fp = &fa->fa_next) {
|
|
|
|
if (fa->fa_file != filp)
|
|
|
|
continue;
|
2010-04-14 13:55:35 +04:00
|
|
|
|
fasync: Fix deadlock between task-context and interrupt-context kill_fasync()
I observed the following deadlock between them:
[task 1] [task 2] [task 3]
kill_fasync() mm_update_next_owner() copy_process()
spin_lock_irqsave(&fa->fa_lock) read_lock(&tasklist_lock) write_lock_irq(&tasklist_lock)
send_sigio() <IRQ> ...
read_lock(&fown->lock) kill_fasync() ...
read_lock(&tasklist_lock) spin_lock_irqsave(&fa->fa_lock) ...
Task 1 can't acquire read locked tasklist_lock, since there is
already task 3 expressed its wish to take the lock exclusive.
Task 2 holds the read locked lock, but it can't take the spin lock.
Also, there is possible another deadlock (which I haven't observed):
[task 1] [task 2]
f_getown() kill_fasync()
read_lock(&f_own->lock) spin_lock_irqsave(&fa->fa_lock,)
<IRQ> send_sigio() write_lock_irq(&f_own->lock)
kill_fasync() read_lock(&fown->lock)
spin_lock_irqsave(&fa->fa_lock,)
Actually, we do not need exclusive fa->fa_lock in kill_fasync_rcu(),
as it guarantees fa->fa_file->f_owner integrity only. It may seem,
that it used to give a task a small possibility to receive two sequential
signals, if there are two parallel kill_fasync() callers, and task
handles the first signal fastly, but the behaviour won't become
different, since there is exclusive sighand lock in do_send_sig_info().
The patch converts fa_lock into rwlock_t, and this fixes two above
deadlocks, as rwlock is allowed to be taken from interrupt handler
by qrwlock design.
Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
2018-04-05 14:58:06 +03:00
|
|
|
write_lock_irq(&fa->fa_lock);
|
2010-04-14 13:55:35 +04:00
|
|
|
fa->fa_file = NULL;
|
fasync: Fix deadlock between task-context and interrupt-context kill_fasync()
I observed the following deadlock between them:
[task 1] [task 2] [task 3]
kill_fasync() mm_update_next_owner() copy_process()
spin_lock_irqsave(&fa->fa_lock) read_lock(&tasklist_lock) write_lock_irq(&tasklist_lock)
send_sigio() <IRQ> ...
read_lock(&fown->lock) kill_fasync() ...
read_lock(&tasklist_lock) spin_lock_irqsave(&fa->fa_lock) ...
Task 1 can't acquire read locked tasklist_lock, since there is
already task 3 expressed its wish to take the lock exclusive.
Task 2 holds the read locked lock, but it can't take the spin lock.
Also, there is possible another deadlock (which I haven't observed):
[task 1] [task 2]
f_getown() kill_fasync()
read_lock(&f_own->lock) spin_lock_irqsave(&fa->fa_lock,)
<IRQ> send_sigio() write_lock_irq(&f_own->lock)
kill_fasync() read_lock(&fown->lock)
spin_lock_irqsave(&fa->fa_lock,)
Actually, we do not need exclusive fa->fa_lock in kill_fasync_rcu(),
as it guarantees fa->fa_file->f_owner integrity only. It may seem,
that it used to give a task a small possibility to receive two sequential
signals, if there are two parallel kill_fasync() callers, and task
handles the first signal fastly, but the behaviour won't become
different, since there is exclusive sighand lock in do_send_sig_info().
The patch converts fa_lock into rwlock_t, and this fixes two above
deadlocks, as rwlock is allowed to be taken from interrupt handler
by qrwlock design.
Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
2018-04-05 14:58:06 +03:00
|
|
|
write_unlock_irq(&fa->fa_lock);
|
2010-04-14 13:55:35 +04:00
|
|
|
|
fasync: split 'fasync_helper()' into separate add/remove functions
Yes, the add and remove cases do share the same basic loop and the
locking, but the compiler can inline and then CSE some of the end result
anyway. And splitting it up makes the code way easier to follow,
and makes it clearer exactly what the semantics are.
In particular, we must make sure that the FASYNC flag in file->f_flags
exactly matches the state of "is this file on any fasync list", since
not only is that flag visible to user space (F_GETFL), but we also use
that flag to check whether we need to remove any fasync entries on file
close.
We got that wrong for the case of a mixed use of file locking (which
tries to remove any fasync entries for file leases) and fasync.
Splitting the function up also makes it possible to do some future
optimizations without making the function even messier. In particular,
since the FASYNC flag has to match the state of "is this on a list", we
can do the following future optimizations:
- on remove, we don't even need to get the locks and traverse the list
if FASYNC isn't set, since we can know a priori that there is no
point (this is effectively the same optimization that we already do
in __fput() wrt removing fasync on file close)
- on add, we can use the FASYNC flag to decide whether we are changing
an existing entry or need to allocate a new one.
but this is just the cleanup + fix for the FASYNC flag.
Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
Tested-by: Tavis Ormandy <taviso@google.com>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Matt Mackall <mpm@selenic.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-12-16 19:23:37 +03:00
|
|
|
*fp = fa->fa_next;
|
2010-04-14 13:55:35 +04:00
|
|
|
call_rcu(&fa->fa_rcu, fasync_free_rcu);
|
fasync: split 'fasync_helper()' into separate add/remove functions
Yes, the add and remove cases do share the same basic loop and the
locking, but the compiler can inline and then CSE some of the end result
anyway. And splitting it up makes the code way easier to follow,
and makes it clearer exactly what the semantics are.
In particular, we must make sure that the FASYNC flag in file->f_flags
exactly matches the state of "is this file on any fasync list", since
not only is that flag visible to user space (F_GETFL), but we also use
that flag to check whether we need to remove any fasync entries on file
close.
We got that wrong for the case of a mixed use of file locking (which
tries to remove any fasync entries for file leases) and fasync.
Splitting the function up also makes it possible to do some future
optimizations without making the function even messier. In particular,
since the FASYNC flag has to match the state of "is this on a list", we
can do the following future optimizations:
- on remove, we don't even need to get the locks and traverse the list
if FASYNC isn't set, since we can know a priori that there is no
point (this is effectively the same optimization that we already do
in __fput() wrt removing fasync on file close)
- on add, we can use the FASYNC flag to decide whether we are changing
an existing entry or need to allocate a new one.
but this is just the cleanup + fix for the FASYNC flag.
Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
Tested-by: Tavis Ormandy <taviso@google.com>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Matt Mackall <mpm@selenic.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-12-16 19:23:37 +03:00
|
|
|
filp->f_flags &= ~FASYNC;
|
|
|
|
result = 1;
|
|
|
|
break;
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
2010-04-14 13:55:35 +04:00
|
|
|
spin_unlock(&fasync_lock);
|
fasync: split 'fasync_helper()' into separate add/remove functions
Yes, the add and remove cases do share the same basic loop and the
locking, but the compiler can inline and then CSE some of the end result
anyway. And splitting it up makes the code way easier to follow,
and makes it clearer exactly what the semantics are.
In particular, we must make sure that the FASYNC flag in file->f_flags
exactly matches the state of "is this file on any fasync list", since
not only is that flag visible to user space (F_GETFL), but we also use
that flag to check whether we need to remove any fasync entries on file
close.
We got that wrong for the case of a mixed use of file locking (which
tries to remove any fasync entries for file leases) and fasync.
Splitting the function up also makes it possible to do some future
optimizations without making the function even messier. In particular,
since the FASYNC flag has to match the state of "is this on a list", we
can do the following future optimizations:
- on remove, we don't even need to get the locks and traverse the list
if FASYNC isn't set, since we can know a priori that there is no
point (this is effectively the same optimization that we already do
in __fput() wrt removing fasync on file close)
- on add, we can use the FASYNC flag to decide whether we are changing
an existing entry or need to allocate a new one.
but this is just the cleanup + fix for the FASYNC flag.
Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
Tested-by: Tavis Ormandy <taviso@google.com>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Matt Mackall <mpm@selenic.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-12-16 19:23:37 +03:00
|
|
|
spin_unlock(&filp->f_lock);
|
|
|
|
return result;
|
|
|
|
}
|
|
|
|
|
2010-10-27 20:38:12 +04:00
|
|
|
struct fasync_struct *fasync_alloc(void)
|
|
|
|
{
|
|
|
|
return kmem_cache_alloc(fasync_cache, GFP_KERNEL);
|
|
|
|
}
|
|
|
|
|
fasync: split 'fasync_helper()' into separate add/remove functions
Yes, the add and remove cases do share the same basic loop and the
locking, but the compiler can inline and then CSE some of the end result
anyway. And splitting it up makes the code way easier to follow,
and makes it clearer exactly what the semantics are.
In particular, we must make sure that the FASYNC flag in file->f_flags
exactly matches the state of "is this file on any fasync list", since
not only is that flag visible to user space (F_GETFL), but we also use
that flag to check whether we need to remove any fasync entries on file
close.
We got that wrong for the case of a mixed use of file locking (which
tries to remove any fasync entries for file leases) and fasync.
Splitting the function up also makes it possible to do some future
optimizations without making the function even messier. In particular,
since the FASYNC flag has to match the state of "is this on a list", we
can do the following future optimizations:
- on remove, we don't even need to get the locks and traverse the list
if FASYNC isn't set, since we can know a priori that there is no
point (this is effectively the same optimization that we already do
in __fput() wrt removing fasync on file close)
- on add, we can use the FASYNC flag to decide whether we are changing
an existing entry or need to allocate a new one.
but this is just the cleanup + fix for the FASYNC flag.
Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
Tested-by: Tavis Ormandy <taviso@google.com>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Matt Mackall <mpm@selenic.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-12-16 19:23:37 +03:00
|
|
|
/*
|
2010-10-27 20:38:12 +04:00
|
|
|
* NOTE! This can be used only for unused fasync entries:
|
|
|
|
* entries that actually got inserted on the fasync list
|
|
|
|
* need to be released by rcu - see fasync_remove_entry.
|
fasync: split 'fasync_helper()' into separate add/remove functions
Yes, the add and remove cases do share the same basic loop and the
locking, but the compiler can inline and then CSE some of the end result
anyway. And splitting it up makes the code way easier to follow,
and makes it clearer exactly what the semantics are.
In particular, we must make sure that the FASYNC flag in file->f_flags
exactly matches the state of "is this file on any fasync list", since
not only is that flag visible to user space (F_GETFL), but we also use
that flag to check whether we need to remove any fasync entries on file
close.
We got that wrong for the case of a mixed use of file locking (which
tries to remove any fasync entries for file leases) and fasync.
Splitting the function up also makes it possible to do some future
optimizations without making the function even messier. In particular,
since the FASYNC flag has to match the state of "is this on a list", we
can do the following future optimizations:
- on remove, we don't even need to get the locks and traverse the list
if FASYNC isn't set, since we can know a priori that there is no
point (this is effectively the same optimization that we already do
in __fput() wrt removing fasync on file close)
- on add, we can use the FASYNC flag to decide whether we are changing
an existing entry or need to allocate a new one.
but this is just the cleanup + fix for the FASYNC flag.
Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
Tested-by: Tavis Ormandy <taviso@google.com>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Matt Mackall <mpm@selenic.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-12-16 19:23:37 +03:00
|
|
|
*/
|
2010-10-27 20:38:12 +04:00
|
|
|
void fasync_free(struct fasync_struct *new)
|
fasync: split 'fasync_helper()' into separate add/remove functions
Yes, the add and remove cases do share the same basic loop and the
locking, but the compiler can inline and then CSE some of the end result
anyway. And splitting it up makes the code way easier to follow,
and makes it clearer exactly what the semantics are.
In particular, we must make sure that the FASYNC flag in file->f_flags
exactly matches the state of "is this file on any fasync list", since
not only is that flag visible to user space (F_GETFL), but we also use
that flag to check whether we need to remove any fasync entries on file
close.
We got that wrong for the case of a mixed use of file locking (which
tries to remove any fasync entries for file leases) and fasync.
Splitting the function up also makes it possible to do some future
optimizations without making the function even messier. In particular,
since the FASYNC flag has to match the state of "is this on a list", we
can do the following future optimizations:
- on remove, we don't even need to get the locks and traverse the list
if FASYNC isn't set, since we can know a priori that there is no
point (this is effectively the same optimization that we already do
in __fput() wrt removing fasync on file close)
- on add, we can use the FASYNC flag to decide whether we are changing
an existing entry or need to allocate a new one.
but this is just the cleanup + fix for the FASYNC flag.
Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
Tested-by: Tavis Ormandy <taviso@google.com>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Matt Mackall <mpm@selenic.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-12-16 19:23:37 +03:00
|
|
|
{
|
2010-10-27 20:38:12 +04:00
|
|
|
kmem_cache_free(fasync_cache, new);
|
|
|
|
}
|
fasync: split 'fasync_helper()' into separate add/remove functions
Yes, the add and remove cases do share the same basic loop and the
locking, but the compiler can inline and then CSE some of the end result
anyway. And splitting it up makes the code way easier to follow,
and makes it clearer exactly what the semantics are.
In particular, we must make sure that the FASYNC flag in file->f_flags
exactly matches the state of "is this file on any fasync list", since
not only is that flag visible to user space (F_GETFL), but we also use
that flag to check whether we need to remove any fasync entries on file
close.
We got that wrong for the case of a mixed use of file locking (which
tries to remove any fasync entries for file leases) and fasync.
Splitting the function up also makes it possible to do some future
optimizations without making the function even messier. In particular,
since the FASYNC flag has to match the state of "is this on a list", we
can do the following future optimizations:
- on remove, we don't even need to get the locks and traverse the list
if FASYNC isn't set, since we can know a priori that there is no
point (this is effectively the same optimization that we already do
in __fput() wrt removing fasync on file close)
- on add, we can use the FASYNC flag to decide whether we are changing
an existing entry or need to allocate a new one.
but this is just the cleanup + fix for the FASYNC flag.
Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
Tested-by: Tavis Ormandy <taviso@google.com>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Matt Mackall <mpm@selenic.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-12-16 19:23:37 +03:00
|
|
|
|
2010-10-27 20:38:12 +04:00
|
|
|
/*
|
|
|
|
* Insert a new entry into the fasync list. Return the pointer to the
|
|
|
|
* old one if we didn't use the new one.
|
2010-10-28 05:17:02 +04:00
|
|
|
*
|
|
|
|
* NOTE! It is very important that the FASYNC flag always
|
|
|
|
* match the state "is the filp on a fasync list".
|
2010-10-27 20:38:12 +04:00
|
|
|
*/
|
|
|
|
struct fasync_struct *fasync_insert_entry(int fd, struct file *filp, struct fasync_struct **fapp, struct fasync_struct *new)
|
|
|
|
{
|
|
|
|
struct fasync_struct *fa, **fp;
|
2009-03-27 21:24:31 +03:00
|
|
|
|
|
|
|
spin_lock(&filp->f_lock);
|
2010-04-14 13:55:35 +04:00
|
|
|
spin_lock(&fasync_lock);
|
2005-04-17 02:20:36 +04:00
|
|
|
for (fp = fapp; (fa = *fp) != NULL; fp = &fa->fa_next) {
|
fasync: split 'fasync_helper()' into separate add/remove functions
Yes, the add and remove cases do share the same basic loop and the
locking, but the compiler can inline and then CSE some of the end result
anyway. And splitting it up makes the code way easier to follow,
and makes it clearer exactly what the semantics are.
In particular, we must make sure that the FASYNC flag in file->f_flags
exactly matches the state of "is this file on any fasync list", since
not only is that flag visible to user space (F_GETFL), but we also use
that flag to check whether we need to remove any fasync entries on file
close.
We got that wrong for the case of a mixed use of file locking (which
tries to remove any fasync entries for file leases) and fasync.
Splitting the function up also makes it possible to do some future
optimizations without making the function even messier. In particular,
since the FASYNC flag has to match the state of "is this on a list", we
can do the following future optimizations:
- on remove, we don't even need to get the locks and traverse the list
if FASYNC isn't set, since we can know a priori that there is no
point (this is effectively the same optimization that we already do
in __fput() wrt removing fasync on file close)
- on add, we can use the FASYNC flag to decide whether we are changing
an existing entry or need to allocate a new one.
but this is just the cleanup + fix for the FASYNC flag.
Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
Tested-by: Tavis Ormandy <taviso@google.com>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Matt Mackall <mpm@selenic.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-12-16 19:23:37 +03:00
|
|
|
if (fa->fa_file != filp)
|
|
|
|
continue;
|
2010-04-14 13:55:35 +04:00
|
|
|
|
fasync: Fix deadlock between task-context and interrupt-context kill_fasync()
I observed the following deadlock between them:
[task 1] [task 2] [task 3]
kill_fasync() mm_update_next_owner() copy_process()
spin_lock_irqsave(&fa->fa_lock) read_lock(&tasklist_lock) write_lock_irq(&tasklist_lock)
send_sigio() <IRQ> ...
read_lock(&fown->lock) kill_fasync() ...
read_lock(&tasklist_lock) spin_lock_irqsave(&fa->fa_lock) ...
Task 1 can't acquire read locked tasklist_lock, since there is
already task 3 expressed its wish to take the lock exclusive.
Task 2 holds the read locked lock, but it can't take the spin lock.
Also, there is possible another deadlock (which I haven't observed):
[task 1] [task 2]
f_getown() kill_fasync()
read_lock(&f_own->lock) spin_lock_irqsave(&fa->fa_lock,)
<IRQ> send_sigio() write_lock_irq(&f_own->lock)
kill_fasync() read_lock(&fown->lock)
spin_lock_irqsave(&fa->fa_lock,)
Actually, we do not need exclusive fa->fa_lock in kill_fasync_rcu(),
as it guarantees fa->fa_file->f_owner integrity only. It may seem,
that it used to give a task a small possibility to receive two sequential
signals, if there are two parallel kill_fasync() callers, and task
handles the first signal fastly, but the behaviour won't become
different, since there is exclusive sighand lock in do_send_sig_info().
The patch converts fa_lock into rwlock_t, and this fixes two above
deadlocks, as rwlock is allowed to be taken from interrupt handler
by qrwlock design.
Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
2018-04-05 14:58:06 +03:00
|
|
|
write_lock_irq(&fa->fa_lock);
|
fasync: split 'fasync_helper()' into separate add/remove functions
Yes, the add and remove cases do share the same basic loop and the
locking, but the compiler can inline and then CSE some of the end result
anyway. And splitting it up makes the code way easier to follow,
and makes it clearer exactly what the semantics are.
In particular, we must make sure that the FASYNC flag in file->f_flags
exactly matches the state of "is this file on any fasync list", since
not only is that flag visible to user space (F_GETFL), but we also use
that flag to check whether we need to remove any fasync entries on file
close.
We got that wrong for the case of a mixed use of file locking (which
tries to remove any fasync entries for file leases) and fasync.
Splitting the function up also makes it possible to do some future
optimizations without making the function even messier. In particular,
since the FASYNC flag has to match the state of "is this on a list", we
can do the following future optimizations:
- on remove, we don't even need to get the locks and traverse the list
if FASYNC isn't set, since we can know a priori that there is no
point (this is effectively the same optimization that we already do
in __fput() wrt removing fasync on file close)
- on add, we can use the FASYNC flag to decide whether we are changing
an existing entry or need to allocate a new one.
but this is just the cleanup + fix for the FASYNC flag.
Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
Tested-by: Tavis Ormandy <taviso@google.com>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Matt Mackall <mpm@selenic.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-12-16 19:23:37 +03:00
|
|
|
fa->fa_fd = fd;
|
fasync: Fix deadlock between task-context and interrupt-context kill_fasync()
I observed the following deadlock between them:
[task 1] [task 2] [task 3]
kill_fasync() mm_update_next_owner() copy_process()
spin_lock_irqsave(&fa->fa_lock) read_lock(&tasklist_lock) write_lock_irq(&tasklist_lock)
send_sigio() <IRQ> ...
read_lock(&fown->lock) kill_fasync() ...
read_lock(&tasklist_lock) spin_lock_irqsave(&fa->fa_lock) ...
Task 1 can't acquire read locked tasklist_lock, since there is
already task 3 expressed its wish to take the lock exclusive.
Task 2 holds the read locked lock, but it can't take the spin lock.
Also, there is possible another deadlock (which I haven't observed):
[task 1] [task 2]
f_getown() kill_fasync()
read_lock(&f_own->lock) spin_lock_irqsave(&fa->fa_lock,)
<IRQ> send_sigio() write_lock_irq(&f_own->lock)
kill_fasync() read_lock(&fown->lock)
spin_lock_irqsave(&fa->fa_lock,)
Actually, we do not need exclusive fa->fa_lock in kill_fasync_rcu(),
as it guarantees fa->fa_file->f_owner integrity only. It may seem,
that it used to give a task a small possibility to receive two sequential
signals, if there are two parallel kill_fasync() callers, and task
handles the first signal fastly, but the behaviour won't become
different, since there is exclusive sighand lock in do_send_sig_info().
The patch converts fa_lock into rwlock_t, and this fixes two above
deadlocks, as rwlock is allowed to be taken from interrupt handler
by qrwlock design.
Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
2018-04-05 14:58:06 +03:00
|
|
|
write_unlock_irq(&fa->fa_lock);
|
fasync: split 'fasync_helper()' into separate add/remove functions
Yes, the add and remove cases do share the same basic loop and the
locking, but the compiler can inline and then CSE some of the end result
anyway. And splitting it up makes the code way easier to follow,
and makes it clearer exactly what the semantics are.
In particular, we must make sure that the FASYNC flag in file->f_flags
exactly matches the state of "is this file on any fasync list", since
not only is that flag visible to user space (F_GETFL), but we also use
that flag to check whether we need to remove any fasync entries on file
close.
We got that wrong for the case of a mixed use of file locking (which
tries to remove any fasync entries for file leases) and fasync.
Splitting the function up also makes it possible to do some future
optimizations without making the function even messier. In particular,
since the FASYNC flag has to match the state of "is this on a list", we
can do the following future optimizations:
- on remove, we don't even need to get the locks and traverse the list
if FASYNC isn't set, since we can know a priori that there is no
point (this is effectively the same optimization that we already do
in __fput() wrt removing fasync on file close)
- on add, we can use the FASYNC flag to decide whether we are changing
an existing entry or need to allocate a new one.
but this is just the cleanup + fix for the FASYNC flag.
Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
Tested-by: Tavis Ormandy <taviso@google.com>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Matt Mackall <mpm@selenic.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-12-16 19:23:37 +03:00
|
|
|
goto out;
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
|
fasync: Fix deadlock between task-context and interrupt-context kill_fasync()
I observed the following deadlock between them:
[task 1] [task 2] [task 3]
kill_fasync() mm_update_next_owner() copy_process()
spin_lock_irqsave(&fa->fa_lock) read_lock(&tasklist_lock) write_lock_irq(&tasklist_lock)
send_sigio() <IRQ> ...
read_lock(&fown->lock) kill_fasync() ...
read_lock(&tasklist_lock) spin_lock_irqsave(&fa->fa_lock) ...
Task 1 can't acquire read locked tasklist_lock, since there is
already task 3 expressed its wish to take the lock exclusive.
Task 2 holds the read locked lock, but it can't take the spin lock.
Also, there is possible another deadlock (which I haven't observed):
[task 1] [task 2]
f_getown() kill_fasync()
read_lock(&f_own->lock) spin_lock_irqsave(&fa->fa_lock,)
<IRQ> send_sigio() write_lock_irq(&f_own->lock)
kill_fasync() read_lock(&fown->lock)
spin_lock_irqsave(&fa->fa_lock,)
Actually, we do not need exclusive fa->fa_lock in kill_fasync_rcu(),
as it guarantees fa->fa_file->f_owner integrity only. It may seem,
that it used to give a task a small possibility to receive two sequential
signals, if there are two parallel kill_fasync() callers, and task
handles the first signal fastly, but the behaviour won't become
different, since there is exclusive sighand lock in do_send_sig_info().
The patch converts fa_lock into rwlock_t, and this fixes two above
deadlocks, as rwlock is allowed to be taken from interrupt handler
by qrwlock design.
Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
2018-04-05 14:58:06 +03:00
|
|
|
rwlock_init(&new->fa_lock);
|
fasync: split 'fasync_helper()' into separate add/remove functions
Yes, the add and remove cases do share the same basic loop and the
locking, but the compiler can inline and then CSE some of the end result
anyway. And splitting it up makes the code way easier to follow,
and makes it clearer exactly what the semantics are.
In particular, we must make sure that the FASYNC flag in file->f_flags
exactly matches the state of "is this file on any fasync list", since
not only is that flag visible to user space (F_GETFL), but we also use
that flag to check whether we need to remove any fasync entries on file
close.
We got that wrong for the case of a mixed use of file locking (which
tries to remove any fasync entries for file leases) and fasync.
Splitting the function up also makes it possible to do some future
optimizations without making the function even messier. In particular,
since the FASYNC flag has to match the state of "is this on a list", we
can do the following future optimizations:
- on remove, we don't even need to get the locks and traverse the list
if FASYNC isn't set, since we can know a priori that there is no
point (this is effectively the same optimization that we already do
in __fput() wrt removing fasync on file close)
- on add, we can use the FASYNC flag to decide whether we are changing
an existing entry or need to allocate a new one.
but this is just the cleanup + fix for the FASYNC flag.
Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
Tested-by: Tavis Ormandy <taviso@google.com>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Matt Mackall <mpm@selenic.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-12-16 19:23:37 +03:00
|
|
|
new->magic = FASYNC_MAGIC;
|
|
|
|
new->fa_file = filp;
|
|
|
|
new->fa_fd = fd;
|
|
|
|
new->fa_next = *fapp;
|
2010-04-14 13:55:35 +04:00
|
|
|
rcu_assign_pointer(*fapp, new);
|
fasync: split 'fasync_helper()' into separate add/remove functions
Yes, the add and remove cases do share the same basic loop and the
locking, but the compiler can inline and then CSE some of the end result
anyway. And splitting it up makes the code way easier to follow,
and makes it clearer exactly what the semantics are.
In particular, we must make sure that the FASYNC flag in file->f_flags
exactly matches the state of "is this file on any fasync list", since
not only is that flag visible to user space (F_GETFL), but we also use
that flag to check whether we need to remove any fasync entries on file
close.
We got that wrong for the case of a mixed use of file locking (which
tries to remove any fasync entries for file leases) and fasync.
Splitting the function up also makes it possible to do some future
optimizations without making the function even messier. In particular,
since the FASYNC flag has to match the state of "is this on a list", we
can do the following future optimizations:
- on remove, we don't even need to get the locks and traverse the list
if FASYNC isn't set, since we can know a priori that there is no
point (this is effectively the same optimization that we already do
in __fput() wrt removing fasync on file close)
- on add, we can use the FASYNC flag to decide whether we are changing
an existing entry or need to allocate a new one.
but this is just the cleanup + fix for the FASYNC flag.
Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
Tested-by: Tavis Ormandy <taviso@google.com>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Matt Mackall <mpm@selenic.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-12-16 19:23:37 +03:00
|
|
|
filp->f_flags |= FASYNC;
|
|
|
|
|
2005-04-17 02:20:36 +04:00
|
|
|
out:
|
2010-04-14 13:55:35 +04:00
|
|
|
spin_unlock(&fasync_lock);
|
2009-03-27 21:24:31 +03:00
|
|
|
spin_unlock(&filp->f_lock);
|
2010-10-27 20:38:12 +04:00
|
|
|
return fa;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Add a fasync entry. Return negative on error, positive if
|
|
|
|
* added, and zero if did nothing but change an existing one.
|
|
|
|
*/
|
|
|
|
static int fasync_add_entry(int fd, struct file *filp, struct fasync_struct **fapp)
|
|
|
|
{
|
|
|
|
struct fasync_struct *new;
|
|
|
|
|
|
|
|
new = fasync_alloc();
|
|
|
|
if (!new)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* fasync_insert_entry() returns the old (update) entry if
|
|
|
|
* it existed.
|
|
|
|
*
|
|
|
|
* So free the (unused) new entry and return 0 to let the
|
|
|
|
* caller know that we didn't add any new fasync entries.
|
|
|
|
*/
|
|
|
|
if (fasync_insert_entry(fd, filp, fapp, new)) {
|
|
|
|
fasync_free(new);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 1;
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
|
fasync: split 'fasync_helper()' into separate add/remove functions
Yes, the add and remove cases do share the same basic loop and the
locking, but the compiler can inline and then CSE some of the end result
anyway. And splitting it up makes the code way easier to follow,
and makes it clearer exactly what the semantics are.
In particular, we must make sure that the FASYNC flag in file->f_flags
exactly matches the state of "is this file on any fasync list", since
not only is that flag visible to user space (F_GETFL), but we also use
that flag to check whether we need to remove any fasync entries on file
close.
We got that wrong for the case of a mixed use of file locking (which
tries to remove any fasync entries for file leases) and fasync.
Splitting the function up also makes it possible to do some future
optimizations without making the function even messier. In particular,
since the FASYNC flag has to match the state of "is this on a list", we
can do the following future optimizations:
- on remove, we don't even need to get the locks and traverse the list
if FASYNC isn't set, since we can know a priori that there is no
point (this is effectively the same optimization that we already do
in __fput() wrt removing fasync on file close)
- on add, we can use the FASYNC flag to decide whether we are changing
an existing entry or need to allocate a new one.
but this is just the cleanup + fix for the FASYNC flag.
Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
Tested-by: Tavis Ormandy <taviso@google.com>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Matt Mackall <mpm@selenic.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-12-16 19:23:37 +03:00
|
|
|
/*
|
|
|
|
* fasync_helper() is used by almost all character device drivers
|
|
|
|
* to set up the fasync queue, and for regular files by the file
|
|
|
|
* lease code. It returns negative on error, 0 if it did no changes
|
|
|
|
* and positive if it added/deleted the entry.
|
|
|
|
*/
|
|
|
|
int fasync_helper(int fd, struct file * filp, int on, struct fasync_struct **fapp)
|
|
|
|
{
|
|
|
|
if (!on)
|
|
|
|
return fasync_remove_entry(filp, fapp);
|
|
|
|
return fasync_add_entry(fd, filp, fapp);
|
|
|
|
}
|
|
|
|
|
2005-04-17 02:20:36 +04:00
|
|
|
EXPORT_SYMBOL(fasync_helper);
|
|
|
|
|
2010-04-14 13:55:35 +04:00
|
|
|
/*
|
|
|
|
* rcu_read_lock() is held
|
|
|
|
*/
|
|
|
|
static void kill_fasync_rcu(struct fasync_struct *fa, int sig, int band)
|
2005-04-17 02:20:36 +04:00
|
|
|
{
|
|
|
|
while (fa) {
|
2010-04-14 13:55:35 +04:00
|
|
|
struct fown_struct *fown;
|
2021-07-02 12:18:31 +03:00
|
|
|
unsigned long flags;
|
2010-06-30 02:05:42 +04:00
|
|
|
|
2005-04-17 02:20:36 +04:00
|
|
|
if (fa->magic != FASYNC_MAGIC) {
|
|
|
|
printk(KERN_ERR "kill_fasync: bad magic number in "
|
|
|
|
"fasync_struct!\n");
|
|
|
|
return;
|
|
|
|
}
|
2021-07-02 12:18:31 +03:00
|
|
|
read_lock_irqsave(&fa->fa_lock, flags);
|
2010-04-14 13:55:35 +04:00
|
|
|
if (fa->fa_file) {
|
|
|
|
fown = &fa->fa_file->f_owner;
|
|
|
|
/* Don't send SIGURG to processes which have not set a
|
|
|
|
queued signum: SIGURG has its own default signalling
|
|
|
|
mechanism. */
|
|
|
|
if (!(sig == SIGURG && fown->signum == 0))
|
|
|
|
send_sigio(fown, fa->fa_fd, band);
|
|
|
|
}
|
2021-07-02 12:18:31 +03:00
|
|
|
read_unlock_irqrestore(&fa->fa_lock, flags);
|
2010-04-14 13:55:35 +04:00
|
|
|
fa = rcu_dereference(fa->fa_next);
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
void kill_fasync(struct fasync_struct **fp, int sig, int band)
|
|
|
|
{
|
|
|
|
/* First a quick test without locking: usually
|
|
|
|
* the list is empty.
|
|
|
|
*/
|
|
|
|
if (*fp) {
|
2010-04-14 13:55:35 +04:00
|
|
|
rcu_read_lock();
|
|
|
|
kill_fasync_rcu(rcu_dereference(*fp), sig, band);
|
|
|
|
rcu_read_unlock();
|
2005-04-17 02:20:36 +04:00
|
|
|
}
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(kill_fasync);
|
|
|
|
|
2010-08-11 05:01:29 +04:00
|
|
|
static int __init fcntl_init(void)
|
2005-04-17 02:20:36 +04:00
|
|
|
{
|
2010-09-10 03:38:12 +04:00
|
|
|
/*
|
|
|
|
* Please add new bits here to ensure allocation uniqueness.
|
|
|
|
* Exceptions: O_NONBLOCK is a two bit define on parisc; O_NDELAY
|
|
|
|
* is defined as O_NONBLOCK on some platforms and not on others.
|
|
|
|
*/
|
2017-04-27 10:42:24 +03:00
|
|
|
BUILD_BUG_ON(21 - 1 /* for O_RDONLY being 0 */ !=
|
|
|
|
HWEIGHT32(
|
|
|
|
(VALID_OPEN_FLAGS & ~(O_NONBLOCK | O_NDELAY)) |
|
|
|
|
__FMODE_EXEC | __FMODE_NONOTIFY));
|
2010-08-11 05:01:29 +04:00
|
|
|
|
2005-04-17 02:20:36 +04:00
|
|
|
fasync_cache = kmem_cache_create("fasync_cache",
|
2021-09-03 00:55:23 +03:00
|
|
|
sizeof(struct fasync_struct), 0,
|
|
|
|
SLAB_PANIC | SLAB_ACCOUNT, NULL);
|
2005-04-17 02:20:36 +04:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2010-08-11 05:01:29 +04:00
|
|
|
module_init(fcntl_init)
|