From owner-freebsd-fs@freebsd.org Wed Jul 8 22:07:17 2015
From: Mateusz Guzik
To: Konstantin Belousov
Cc: rwatson@FreeBSD.org, freebsd-fs@freebsd.org, Mateusz Guzik
Subject: [PATCH 0/4] namei + audit changes to prepare for getting rid of filedesc lock
Date: Thu, 9 Jul 2015 00:07:07 +0200
Message-Id: <1436393231-5831-1-git-send-email-mjguzik@gmail.com>
X-Mailer: git-send-email 2.4.3
In-Reply-To: <20150707085857.GZ2080@kib.kiev.ua>
References: <20150707085857.GZ2080@kib.kiev.ua>
List-Id: Filesystems

On Tue, Jul 07, 2015 at 11:58:57AM +0300, Konstantin Belousov wrote:
> On Mon, Jul 06, 2015 at 05:07:14AM +0200, Mateusz Guzik wrote:
> > From: Mateusz Guzik
> >
> > namei used to vref fd_cdir, which was immediately vrele'd on entry to
> > the loop.
> Does it make sense to do this, if the other patch, for interlock-less
> vref/vrele on holdcount > 0, is in progress ?
>

Well it is optional, but I would argue it makes the code more readable.
It also simplifies future code which may remove the need to vref root
vnode for lookups.

> >
> > Simplify error handling and remove type checking for ni_startdir vnode.
> > It is only set by nfs which does the check on its own. Assert the
> > correct type instead.
> > ---
> >  sys/kern/vfs_lookup.c | 92 ++++++++++++++++++++++++++++-----------------------
> >  1 file changed, 51 insertions(+), 41 deletions(-)
> >
> > diff --git a/sys/kern/vfs_lookup.c b/sys/kern/vfs_lookup.c
> > index 5dc07dc..c5218ec 100644
> > --- a/sys/kern/vfs_lookup.c
> > +++ b/sys/kern/vfs_lookup.c
> > @@ -109,6 +109,27 @@ namei_cleanup_cnp(struct componentname *cnp) > > #endif > > } > > > > +static int > > +namei_handle_root(struct nameidata *ndp, struct vnode **dpp) > > +{ > > + struct componentname *cnp = &ndp->ni_cnd; > > + > > + if (ndp->ni_strictrelative != 0) { > > +#ifdef KTRACE > > + if (KTRPOINT(curthread, KTR_CAPFAIL)) > > + ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL); > > +#endif > > + return (ENOTCAPABLE); > > + } > > + while (*(cnp->cn_nameptr) == '/') { > > + cnp->cn_nameptr++; > > + ndp->ni_pathlen--; > > + } > > + *dpp = ndp->ni_rootdir; > > + VREF(*dpp); > > + return (0); > > +} > > + > > /* > > * Convert a pathname into a pointer to a locked vnode. > > * 
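Review bot: namei_handle_root() leaves *dpp unassigned on the ENOTCAPABLE return, so every caller has to test the return value before touching the vnode; the new static function has no comment stating that contract, nor which reference keeps ndp->ni_rootdir valid while it is VREF'd here, and since the cover letter itself reports a use-after-free of fd_rdir in this code, a two-line comment above the function (error path leaves *dpp untouched; ni_rootdir is referenced by the caller's filedesc) would make the helper safe to reuse in the second call site the review mentions.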
> > @@ -148,6 +169,8 @@ namei(struct nameidata *ndp) > > ("namei: nameiop contaminated with flags")); > > KASSERT((cnp->cn_flags & OPMASK) == 0, > > ("namei: flags contaminated with nameiops")); > > + if (ndp->ni_startdir != NULL) > > + MPASS(ndp->ni_startdir->v_type == VDIR); > ni_startdir is not locked, am I correct ? If yes, the assert is not safe. > Added a || v_type == BAD check. > > if (!lookup_shared) > > cnp->cn_flags &= ~LOCKSHARED; > > fdp = p->p_fd;
>
> Could this patch be further split ? E.g. could the introduction of the
> namei_handle_root() and its use twice be done in the first patch, while
> the loop logic reorganization come into the follow-up ?
>
> As it is now, the patch is almost impossible to review without rewriting
> the logic independently.

Patch split.

I completely forgot about a pre-existing bug with a use-after-free of
fd_rdir vnode when writing the previous patchset. See the first patch in
this one.

Mateusz Guzik (4):
  vfs: plug a use-after-free of fd_rdir in namei
  vfs: avoid spurious vref/vrele for absolute lookups
  vfs: simplify error handling in namei
  audit: utilize vnode pointer found by namei instead of looking it up again

 sys/kern/vfs_lookup.c               | 127 +++++++++++++++++++++---------------
 sys/security/audit/audit.h          |  14 ++++
 sys/security/audit/audit_arg.c      |  36 ++++++++++
 sys/security/audit/audit_bsm_klib.c |  82 +++++++++++++++--------
 sys/security/audit/audit_private.h  |   2 +
 5 files changed, 181 insertions(+), 80 deletions(-)

-- 
2.4.5
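Review bot: the MPASS added to namei() in the @@ -148,6 +169,8 @@ hunk reads ndp->ni_startdir->v_type without the vnode lock, which the quoted review already questions, and the `|| v_type == BAD` allowance the reply says was added is not in the posted hunk, so as shown the assertion can fire on a vnode that was reclaimed between the nfs caller setting ni_startdir and namei running; the resend should carry that extra case in the hunk itself, plus a one-line comment next to the MPASS naming nfs as the only setter and who holds the reference on ni_startdir, since the commit message removes the old type check on the strength of that claim.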