On Thu, Aug 31, 2023 at 12:18:24PM +0200, Mateusz Guzik wrote:
> So I figured an assert should be there on the write lock held, then the
> issue would have been automagically reported.
>
> Turns out notify_change has the following:
> WARN_ON_ONCE(!inode_is_locked(inode));
>
> Which expands to:
> static inline int rwsem_is_locked(struct rw_semaphore *sem)
> {
> return atomic_long_read(&sem->count) != 0;
> }
>
> So it does check the lock, except it passes *any* locked state,
> including just readers.
>
> According to git blame this regressed from commit 5955102c9984
> ("wrappers for ->i_mutex access") by Al -- a bunch of mutex_is_locked
> were replaced with inode_is_locked, which unintentionally provides
> weaker guarantees.
>
> I don't see a rwsem helper for wlock check and I don't think it is all
> that beneficial to add. Instead, how about a bunch of lockdep, like so:
> diff --git a/fs/attr.c b/fs/attr.c
> index a8ae5f6d9b16..f47e718766d1 100644
> --- a/fs/attr.c
> +++ b/fs/attr.c
> @@ -387,7 +387,7 @@ int notify_change(struct mnt_idmap *idmap, struct dentry *dentry,
> struct timespec64 now;
> unsigned int ia_valid = attr->ia_valid;
>
> - WARN_ON_ONCE(!inode_is_locked(inode));
> + lockdep_assert_held_write(&inode->i_rwsem);
>
> error = may_setattr(idmap, inode, ia_valid);
> if (error)
>
> Alternatively hide it behind inode_assert_is_wlocked() or whatever other
> name.
Better to do it like mmap_lock:
static inline void mmap_assert_write_locked(struct mm_struct *mm)
{
lockdep_assert_held_write(&mm->mmap_lock);
VM_BUG_ON_MM(!rwsem_is_locked(&mm->mmap_lock), mm);
}
