mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2025-01-03 19:55:31 +00:00
fs: Lock moved directories
When a directory is moved to a different directory, some filesystems (udf, ext4, ocfs2, f2fs, and likely gfs2, reiserfs, and others) need to update their pointer to the parent and this must not race with other operations on the directory. Lock the directories when they are moved. Although not all filesystems need this locking, we perform it in vfs_rename() because getting the lock ordering right is really difficult and we don't want to expose these locking details to filesystems. CC: stable@vger.kernel.org Signed-off-by: Jan Kara <jack@suse.cz> Message-Id: <20230601105830.13168-5-jack@suse.cz> Signed-off-by: Christian Brauner <brauner@kernel.org>
parent
f23ce75718
commit
28eceeda13
@ -22,12 +22,11 @@ exclusive.
|
|||||||
3) object removal. Locking rules: caller locks parent, finds victim,
|
3) object removal. Locking rules: caller locks parent, finds victim,
|
||||||
locks victim and calls the method. Locks are exclusive.
|
locks victim and calls the method. Locks are exclusive.
|
||||||
|
|
||||||
4) rename() that is _not_ cross-directory. Locking rules: caller locks
|
4) rename() that is _not_ cross-directory. Locking rules: caller locks the
|
||||||
the parent and finds source and target. In case of exchange (with
|
parent and finds source and target. We lock both (provided they exist). If we
|
||||||
RENAME_EXCHANGE in flags argument) lock both. In any case,
|
need to lock two inodes of different type (dir vs non-dir), we lock directory
|
||||||
if the target already exists, lock it. If the source is a non-directory,
|
first. If we need to lock two inodes of the same type, lock them in inode
|
||||||
lock it. If we need to lock both, lock them in inode pointer order.
|
pointer order. Then call the method. All locks are exclusive.
|
||||||
Then call the method. All locks are exclusive.
|
|
||||||
NB: we might get away with locking the source (and target in exchange
|
NB: we might get away with locking the source (and target in exchange
|
||||||
case) shared.
|
case) shared.
|
||||||
|
|
||||||
@ -44,15 +43,17 @@ All locks are exclusive.
|
|||||||
rules:
|
rules:
|
||||||
|
|
||||||
* lock the filesystem
|
* lock the filesystem
|
||||||
* lock parents in "ancestors first" order.
|
* lock parents in "ancestors first" order. If one is not ancestor of
|
||||||
|
the other, lock them in inode pointer order.
|
||||||
* find source and target.
|
* find source and target.
|
||||||
* if old parent is equal to or is a descendent of target
|
* if old parent is equal to or is a descendent of target
|
||||||
fail with -ENOTEMPTY
|
fail with -ENOTEMPTY
|
||||||
* if new parent is equal to or is a descendent of source
|
* if new parent is equal to or is a descendent of source
|
||||||
fail with -ELOOP
|
fail with -ELOOP
|
||||||
* If it's an exchange, lock both the source and the target.
|
* Lock both the source and the target provided they exist. If we
|
||||||
* If the target exists, lock it. If the source is a non-directory,
|
need to lock two inodes of different type (dir vs non-dir), we lock
|
||||||
lock it. If we need to lock both, do so in inode pointer order.
|
the directory first. If we need to lock two inodes of the same type,
|
||||||
|
lock them in inode pointer order.
|
||||||
* call the method.
|
* call the method.
|
||||||
|
|
||||||
All ->i_rwsem are taken exclusive. Again, we might get away with locking
|
All ->i_rwsem are taken exclusive. Again, we might get away with locking
|
||||||
@ -66,8 +67,9 @@ If no directory is its own ancestor, the scheme above is deadlock-free.
|
|||||||
|
|
||||||
Proof:
|
Proof:
|
||||||
|
|
||||||
First of all, at any moment we have a partial ordering of the
|
First of all, at any moment we have a linear ordering of the
|
||||||
objects - A < B iff A is an ancestor of B.
|
objects - A < B iff (A is an ancestor of B) or (B is not an ancestor
|
||||||
|
of A and ptr(A) < ptr(B)).
|
||||||
|
|
||||||
That ordering can change. However, the following is true:
|
That ordering can change. However, the following is true:
|
||||||
|
|
||||||
|
22
fs/namei.c
22
fs/namei.c
@ -4731,7 +4731,7 @@ SYSCALL_DEFINE2(link, const char __user *, oldname, const char __user *, newname
|
|||||||
* sb->s_vfs_rename_mutex. We might be more accurate, but that's another
|
* sb->s_vfs_rename_mutex. We might be more accurate, but that's another
|
||||||
* story.
|
* story.
|
||||||
* c) we have to lock _four_ objects - parents and victim (if it exists),
|
* c) we have to lock _four_ objects - parents and victim (if it exists),
|
||||||
* and source (if it is not a directory).
|
* and source.
|
||||||
* And that - after we got ->i_mutex on parents (until then we don't know
|
* And that - after we got ->i_mutex on parents (until then we don't know
|
||||||
* whether the target exists). Solution: try to be smart with locking
|
* whether the target exists). Solution: try to be smart with locking
|
||||||
* order for inodes. We rely on the fact that tree topology may change
|
* order for inodes. We rely on the fact that tree topology may change
|
||||||
@ -4815,10 +4815,16 @@ int vfs_rename(struct renamedata *rd)
|
|||||||
|
|
||||||
take_dentry_name_snapshot(&old_name, old_dentry);
|
take_dentry_name_snapshot(&old_name, old_dentry);
|
||||||
dget(new_dentry);
|
dget(new_dentry);
|
||||||
if (!is_dir || (flags & RENAME_EXCHANGE))
|
/*
|
||||||
lock_two_nondirectories(source, target);
|
* Lock all moved children. Moved directories may need to change parent
|
||||||
else if (target)
|
* pointer so they need the lock to prevent against concurrent
|
||||||
inode_lock(target);
|
* directory changes moving parent pointer. For regular files we've
|
||||||
|
* historically always done this. The lockdep locking subclasses are
|
||||||
|
* somewhat arbitrary but RENAME_EXCHANGE in particular can swap
|
||||||
|
* regular files and directories so it's difficult to tell which
|
||||||
|
* subclasses to use.
|
||||||
|
*/
|
||||||
|
lock_two_inodes(source, target, I_MUTEX_NORMAL, I_MUTEX_NONDIR2);
|
||||||
|
|
||||||
error = -EPERM;
|
error = -EPERM;
|
||||||
if (IS_SWAPFILE(source) || (target && IS_SWAPFILE(target)))
|
if (IS_SWAPFILE(source) || (target && IS_SWAPFILE(target)))
|
||||||
@ -4866,9 +4872,9 @@ int vfs_rename(struct renamedata *rd)
|
|||||||
d_exchange(old_dentry, new_dentry);
|
d_exchange(old_dentry, new_dentry);
|
||||||
}
|
}
|
||||||
out:
|
out:
|
||||||
if (!is_dir || (flags & RENAME_EXCHANGE))
|
if (source)
|
||||||
unlock_two_nondirectories(source, target);
|
inode_unlock(source);
|
||||||
else if (target)
|
if (target)
|
||||||
inode_unlock(target);
|
inode_unlock(target);
|
||||||
dput(new_dentry);
|
dput(new_dentry);
|
||||||
if (!error) {
|
if (!error) {
|
||||||
|
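Review bot: At the `out:` label in vfs_rename() the unlock path no longer mirrors the lock call: both inodes are taken through `lock_two_inodes(source, target, I_MUTEX_NORMAL, I_MUTEX_NONDIR2)` but released with two independent `inode_unlock()` calls, which is only correct while `source != target`, presumably guaranteed by a check earlier in the function, outside these hunks. The `if (source)` guard also reads as if `source` could be NULL, yet `IS_SWAPFILE(source)` is evaluated unconditionally right after the lock, so the guard appears to be dead. I would drop it and write the invariant down, e.g. `/* source is never NULL and source != target here */` followed by a plain `inode_unlock(source);`. A wrong release on this path would mean a double unlock or a leaked i_rwsem during rename, so the assumption deserves to sit next to the code. vfs_rename() begins and ends outside the visible hunks.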