From owner-svn-src-head@FreeBSD.ORG  Tue Aug 26 08:17:23 2014
Return-Path: <owner-svn-src-head@FreeBSD.ORG>
Delivered-To: svn-src-head@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 7A4E1739;
 Tue, 26 Aug 2014 08:17:23 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 5A17E37D2;
 Tue, 26 Aug 2014 08:17:23 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
 by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id s7Q8HNAV044458;
 Tue, 26 Aug 2014 08:17:23 GMT (envelope-from mjg@FreeBSD.org)
Received: (from mjg@localhost)
 by svn.freebsd.org (8.14.9/8.14.9/Submit) id s7Q8HMMT044455;
 Tue, 26 Aug 2014 08:17:22 GMT (envelope-from mjg@FreeBSD.org)
Message-Id: <201408260817.s7Q8HMMT044455@svn.freebsd.org>
X-Authentication-Warning: svn.freebsd.org: mjg set sender to mjg@FreeBSD.org
 using -f
From: Mateusz Guzik <mjg@FreeBSD.org>
Date: Tue, 26 Aug 2014 08:17:22 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Subject: svn commit: r270648 - in head/sys: kern sys
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
 <svn-src-head.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head/>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Aug 2014 08:17:23 -0000

Author: mjg
Date: Tue Aug 26 08:17:22 2014
New Revision: 270648
URL: http://svnweb.freebsd.org/changeset/base/270648

Log:
  Fix up races with f_seqcount handling.
  
  It was possible that the kernel would overwrite user-supplied hint.
  
  Abuse vnode lock for this purpose.
  
  In collaboration with: kib
  MFC after:	1 week

Modified:
  head/sys/kern/kern_descrip.c
  head/sys/kern/vfs_vnops.c
  head/sys/sys/file.h

Modified: head/sys/kern/kern_descrip.c
==============================================================================
--- head/sys/kern/kern_descrip.c	Tue Aug 26 08:13:30 2014	(r270647)
+++ head/sys/kern/kern_descrip.c	Tue Aug 26 08:17:22 2014	(r270648)
@@ -476,7 +476,6 @@ kern_fcntl(struct thread *td, int fd, in
 	struct vnode *vp;
 	cap_rights_t rights;
 	int error, flg, tmp;
-	u_int old, new;
 	uint64_t bsize;
 	off_t foffset;
 
@@ -760,26 +759,24 @@ kern_fcntl(struct thread *td, int fd, in
 			error = EBADF;
 			break;
 		}
+		vp = fp->f_vnode;
+		/*
+		 * Exclusive lock synchronizes against f_seqcount reads and
+		 * writes in sequential_heuristic().
+		 */
+		error = vn_lock(vp, LK_EXCLUSIVE);
+		if (error != 0) {
+			fdrop(fp, td);
+			break;
+		}
 		if (arg >= 0) {
-			vp = fp->f_vnode;
-			error = vn_lock(vp, LK_SHARED);
-			if (error != 0) {
-				fdrop(fp, td);
-				break;
-			}
 			bsize = fp->f_vnode->v_mount->mnt_stat.f_iosize;
-			VOP_UNLOCK(vp, 0);
 			fp->f_seqcount = (arg + bsize - 1) / bsize;
-			do {
-				new = old = fp->f_flag;
-				new |= FRDAHEAD;
-			} while (!atomic_cmpset_rel_int(&fp->f_flag, old, new));
+			atomic_set_int(&fp->f_flag, FRDAHEAD);
 		} else {
-			do {
-				new = old = fp->f_flag;
-				new &= ~FRDAHEAD;
-			} while (!atomic_cmpset_rel_int(&fp->f_flag, old, new));
+			atomic_clear_int(&fp->f_flag, FRDAHEAD);
 		}
+		VOP_UNLOCK(vp, 0);
 		fdrop(fp, td);
 		break;
 

Modified: head/sys/kern/vfs_vnops.c
==============================================================================
--- head/sys/kern/vfs_vnops.c	Tue Aug 26 08:13:30 2014	(r270647)
+++ head/sys/kern/vfs_vnops.c	Tue Aug 26 08:17:22 2014	(r270648)
@@ -438,7 +438,8 @@ static int
 sequential_heuristic(struct uio *uio, struct file *fp)
 {
 
-	if (atomic_load_acq_int(&(fp->f_flag)) & FRDAHEAD)
+	ASSERT_VOP_LOCKED(fp->f_vnode, __func__);
+	if (fp->f_flag & FRDAHEAD)
 		return (fp->f_seqcount << IO_SEQSHIFT);
 
 	/*

Modified: head/sys/sys/file.h
==============================================================================
--- head/sys/sys/file.h	Tue Aug 26 08:13:30 2014	(r270647)
+++ head/sys/sys/file.h	Tue Aug 26 08:17:22 2014	(r270648)
@@ -143,6 +143,7 @@ struct fileops {
  *
  * Below is the list of locks that protects members in struct file.
  *
+ * (a) f_vnode lock required (shared allows both reads and writes)
  * (f) protected with mtx_lock(mtx_pool_find(fp))
  * (d) cdevpriv_mtx
  * none	not locked
@@ -168,7 +169,7 @@ struct file {
 	/*
 	 *  DTYPE_VNODE specific fields.
 	 */
-	int		f_seqcount;	/* Count of sequential accesses. */
+	int		f_seqcount;	/* (a) Count of sequential accesses. */
 	off_t		f_nextoff;	/* next expected read/write offset. */
 	union {
 		struct cdev_privdata *fvn_cdevpriv;