Date: Tue, 26 Aug 2014 08:17:22 +0000 (UTC) From: Mateusz Guzik <mjg@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r270648 - in head/sys: kern sys Message-ID: <201408260817.s7Q8HMMT044455@svn.freebsd.org>
Author: mjg Date: Tue Aug 26 08:17:22 2014 New Revision: 270648 URL: http://svnweb.freebsd.org/changeset/base/270648 Log: Fix up races with f_seqcount handling. It was possible that the kernel would overwrite user-supplied hint. Abuse vnode lock for this purpose. In collaboration with: kib MFC after: 1 week Modified: head/sys/kern/kern_descrip.c head/sys/kern/vfs_vnops.c head/sys/sys/file.h
Modified: head/sys/kern/kern_descrip.c
==============================================================================
--- head/sys/kern/kern_descrip.c Tue Aug 26 08:13:30 2014 (r270647)
+++ head/sys/kern/kern_descrip.c Tue Aug 26 08:17:22 2014 (r270648)
@@ -476,7 +476,6 @@ kern_fcntl(struct thread *td, int fd, in
 struct vnode *vp;
 cap_rights_t rights;
 int error, flg, tmp;
- u_int old, new;
 uint64_t bsize;
 off_t foffset;
@@ -760,26 +759,24 @@ kern_fcntl(struct thread *td, int fd, in
 error = EBADF;
 break;
 }
+ vp = fp->f_vnode;
+ /*
+ * Exclusive lock synchronizes against f_seqcount reads and
+ * writes in sequential_heuristic().
+ */
+ error = vn_lock(vp, LK_EXCLUSIVE);
+ if (error != 0) {
+ fdrop(fp, td);
+ break;
+ }
 if (arg >= 0) {
- vp = fp->f_vnode;
- error = vn_lock(vp, LK_SHARED);
- if (error != 0) {
- fdrop(fp, td);
- break;
- }
 bsize = fp->f_vnode->v_mount->mnt_stat.f_iosize;
- VOP_UNLOCK(vp, 0);
 fp->f_seqcount = (arg + bsize - 1) / bsize;
- do {
- new = old = fp->f_flag;
- new |= FRDAHEAD;
- } while (!atomic_cmpset_rel_int(&fp->f_flag, old, new));
+ atomic_set_int(&fp->f_flag, FRDAHEAD);
 } else {
- do {
- new = old = fp->f_flag;
- new &= ~FRDAHEAD;
- } while (!atomic_cmpset_rel_int(&fp->f_flag, old, new));
+ atomic_clear_int(&fp->f_flag, FRDAHEAD);
 }
+ VOP_UNLOCK(vp, 0);
 fdrop(fp, td);
 break;
Modified: head/sys/kern/vfs_vnops.c
==============================================================================
--- head/sys/kern/vfs_vnops.c Tue Aug 26 08:13:30 2014 (r270647)
+++ head/sys/kern/vfs_vnops.c Tue Aug 26 08:17:22 2014 (r270648)
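Review bot: The hint stored by `fp->f_seqcount = (arg + bsize - 1) / bsize;` in the `arg >= 0` branch of the second kern_descrip.c hunk is still unbounded. The expression is evaluated with the 64-bit `bsize` and then narrowed to the `int` field, and `sequential_heuristic()` returns `fp->f_seqcount << IO_SEQSHIFT`, so a large caller-supplied value can be truncated on the store or overflow the signed shift. The exclusive vnode lock is already held at this point, which makes it a natural place to clamp, for example `fp->f_seqcount = MIN(IO_SEQMAX, (arg + bsize - 1) / bsize);`, assuming IO_SEQMAX is the intended ceiling for the hint. The declared type and range of `arg` are not visible here, and kern_fcntl's body begins and ends outside the hunk.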
@@ -438,7 +438,8 @@ static int
 sequential_heuristic(struct uio *uio, struct file *fp)
 {
- if (atomic_load_acq_int(&(fp->f_flag)) & FRDAHEAD)
+ ASSERT_VOP_LOCKED(fp->f_vnode, __func__);
+ if (fp->f_flag & FRDAHEAD)
 return (fp->f_seqcount << IO_SEQSHIFT);
 /*
Modified: head/sys/sys/file.h
==============================================================================
--- head/sys/sys/file.h Tue Aug 26 08:13:30 2014 (r270647)
+++ head/sys/sys/file.h Tue Aug 26 08:17:22 2014 (r270648)
@@ -143,6 +143,7 @@ struct fileops {
 *
 * Below is the list of locks that protects members in struct file.
 *
+ * (a) f_vnode lock required (shared allows both reads and writes)
 * (f) protected with mtx_lock(mtx_pool_find(fp))
 * (d) cdevpriv_mtx
 * none not locked
@@ -168,7 +169,7 @@ struct file {
 /*
 * DTYPE_VNODE specific fields.
 */
- int f_seqcount; /* Count of sequential accesses. */
+ int f_seqcount; /* (a) Count of sequential accesses. */
 off_t f_nextoff; /* next expected read/write offset. */
 union {
 struct cdev_privdata *fvn_cdevpriv;
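Review bot: The plain read `fp->f_flag & FRDAHEAD` in sequential_heuristic() is only safe if every caller already holds the vnode lock, and the hunk states that contract solely through `ASSERT_VOP_LOCKED(fp->f_vnode, __func__);`. As far as I know that assertion is compiled in only for kernels built with DEBUG_VFS_LOCKS, so a production kernel would not notice an unlocked caller. A comment above the function would keep the requirement visible, e.g. `/* The caller must hold the vnode lock; the read-ahead fcntl in kern_fcntl() takes it exclusively to update f_seqcount and FRDAHEAD. */`. The callers are outside this hunk, so each of them should be confirmed to lock the vnode before calling; the function body also continues past the hunk.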
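Review bot: The new legend entry in file.h, `(a) f_vnode lock required (shared allows both reads and writes)`, does not say why a shared lock is enough for writers or which path takes the lock exclusively, so the `(a)` tag on `f_seqcount` is easy to misread as ordinary reader/writer locking. Wording such as `(a) f_vnode lock required (shared allows both reads and writes; the read-ahead fcntl takes it exclusively to set the hint)` would record the rule the kern_descrip.c change relies on. `f_nextoff` on the following line carries no annotation; if it is updated together with f_seqcount, which these hunks do not show, it probably wants the same tag.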