Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> writes: > On Thu, 18 Jan 2024 at 07:42, Gabriel Krisman Bertazi <krisman@xxxxxxx> wrote: >> >> But I don't see how this could be a problem. the str pointer itself >> can't change since it's already a copy of the dentry->d_name pointer; if >> the string is external, it is guaranteed to exist until the end of the >> lookup; Finally, If it's inlined, the string can change concurrently >> which, in the worst case scenario, gives us a false result. But then, >> VFS will retry, like we do for the case-insensitive comparison right >> below. >> >> ..Right? :) > > Wrong, for two subtle reasons. > > The issue is not that the string can go away. The issue is that the > string and the length have been loaded independently - and may not > match. > > So when you do that > > if (len == name->len && !memcmp(str, name->name, len)) > > the 'name->len' you test for equality with 'len' may not match the > length of the string allocated in 'name->name', because they are two > different loads of two different values, and we do not hold the lock > that makes them consistent. > > See the big comment (and the READ_ONCE()" in dentry_cmp(), and notice > how dentry_cmp() intentionally doesn't use 'name->len' at all. > I see what you mean. I really appreciate the explanation, by the way. Thanks for that. I'll follow up with a v3. -- Gabriel Krisman Bertazi
