On Tue, Feb 11, 2020 at 10:34:40PM -0800, Eric Biggers wrote: > On Mon, Feb 10, 2020 at 11:42:07PM +0000, Al Viro wrote: > > On Mon, Feb 10, 2020 at 03:11:13PM -0800, Daniel Rosenberg wrote: > > > On Fri, Feb 7, 2020 at 6:12 PM Al Viro <viro@xxxxxxxxxxxxxxxxxx> wrote: > > > > > > > > On Fri, Feb 07, 2020 at 05:35:46PM -0800, Daniel Rosenberg wrote: > > > > > > > > > > > > Again, is that safe in case when the contents of the string str points to > > > > keeps changing under you? > > > > > > I'm not sure what you mean. I thought it was safe to use the str and > > > len passed into d_compare. Even if it gets changed under RCU > > > conditions I thought there was some code to ensure that the name/len > > > pair passed in is consistent, and any other inconsistencies would get > > > caught by d_seq later. Are there unsafe code paths that can follow? > > > > If you ever fetch the same byte twice, you might see different values. > > You need a fairly careful use of READ_ONCE() or equivalents to make > > sure that you don't get screwed over by that. > > > > Sure, ->d_seq mismatch will throw the result out, but you need to make > > sure you won't oops/step on uninitialized memory/etc. in process. > > > > It's not impossible to get right, but it's not trivial and you need all > > code working with that much more careful than normal for string handling. > > It looks like this is a real problem, not just a "theoretical" data race. > For example, see: > > utf8ncursor(): > /* The first byte of s may not be an utf8 continuation. */ > if (len > 0 && (*s & 0xC0) == 0x80) > return -1; > > and then utf8byte(): > } else if ((*u8c->s & 0xC0) == 0x80) { > /* This is a continuation of the current character. */ > if (!u8c->p) > u8c->len--; > return (unsigned char)*u8c->s++; > > The first byte of the string is checked in two different functions, so it's very > likely to be loaded twice. In between, it could change from a non-continuation > byte to a continuation byte. That would cause the string length to be > decremented from 0 to UINT_MAX. Then utf8_strncasecmp() would run beyond the > bounds of the string until something happened to mismatch. > > That's just an example that I found right away; there are probably more. > > IMO, this needs to be fixed before anyone can actually use the ext4 and f2fs > casefolding stuff. > > I don't know the best solution. One option is to fix fs/unicode/ to handle > concurrently modified strings. Another could be to see what it would take to > serialize lookups and renames for casefolded directories... > Or (just throwing another idea out there) the dentry's name could be copied to a temporary buffer in ->d_compare(). The simplest version would be: u8 _name[NAME_MAX]; memcpy(_name, name, len); name = _name; Though, 255 bytes is a bit large for a stack buffer (so for long names it may need kmalloc with GFP_ATOMIC), and technically it would need a special version of memcpy() to be guaranteed safe from compiler optimizations (though I expect this would work in practice). Alternatively, take_dentry_name_snapshot() kind of does this already, except that it takes a dentry and not a (name, len) pair. - Eric ______________________________________________________ Linux MTD discussion mailing list http://lists.infradead.org/mailman/listinfo/linux-mtd/