Re: [PATCH] xfs: preserve i_mode if __xfs_set_acl() fails

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Dave, thanks for the review!

On Tue, Aug 15, 2017 at 12:00:18PM +1000, Dave Chinner wrote:
> On Mon, Aug 14, 2017 at 05:18:10AM -0300, Ernesto A. Fernández wrote:
> > diff --git a/fs/xfs/libxfs/xfs_attr.c b/fs/xfs/libxfs/xfs_attr.c
> > index de7b9bd..c3193e1 100644
> > --- a/fs/xfs/libxfs/xfs_attr.c
> > +++ b/fs/xfs/libxfs/xfs_attr.c
> > @@ -395,6 +395,7 @@ xfs_attr_remove(
> >  	struct xfs_defer_ops	dfops;
> >  	xfs_fsblock_t		firstblock;
> >  	int			error;
> > +	int			noattr = 0;
> 
> bool.
> 
> And make it "bool has_attr = true" to avoid the nasty double
> negative of "!noattr" later on.

I called it noattr because the error was -ENOATTR, but you are right,
has_attr is better. I assume you would prefer mode_changed to be a bool
as well?

> 
> >  
> >  	XFS_STATS_INC(mp, xs_attr_remove);
> >  
> > @@ -438,7 +439,12 @@ xfs_attr_remove(
> >  	xfs_trans_ijoin(args.trans, dp, 0);
> >  
> >  	if (!xfs_inode_hasattr(dp)) {
> > -		error = -ENOATTR;
> > +		/*
> > +		 * Commit even if there is no attr to remove, because when
> > +		 * setting ACLs the caller may be changing the mode in the
> > +		 * same transaction.
> > +		 */
> > +		noattr = 1;
> >  	} else if (dp->i_d.di_aformat == XFS_DINODE_FMT_LOCAL) {
> >  		ASSERT(dp->i_afp->if_flags & XFS_IFINLINE);
> >  		error = xfs_attr_shortform_remove(&args);
> > @@ -458,7 +464,7 @@ xfs_attr_remove(
> >  	if (mp->m_flags & XFS_MOUNT_WSYNC)
> >  		xfs_trans_set_sync(args.trans);
> >  
> > -	if ((flags & ATTR_KERNOTIME) == 0)
> > +	if ((flags & ATTR_KERNOTIME) == 0 && !noattr)
> >  		xfs_trans_ichgtime(args.trans, dp, XFS_ICHGTIME_CHG);
> 
> Why?

Because we don't want the ctime to change when you try to delete an
attribute that didn't exist in the first place. At least that's how
it went before, so I tried to keep it the same.

> 
> >  
> >  	/*
> > @@ -468,6 +474,9 @@ xfs_attr_remove(
> >  	error = xfs_trans_commit(args.trans);
> >  	xfs_iunlock(dp, XFS_ILOCK_EXCL);
> >  
> > +	if (!error && noattr)
> > +		error = -ENOATTR;
> > +
> >  	return error;
> >  
> >  out:
> > diff --git a/fs/xfs/xfs_acl.c b/fs/xfs/xfs_acl.c
> > index 7034e17..1fe4363 100644
> > --- a/fs/xfs/xfs_acl.c
> > +++ b/fs/xfs/xfs_acl.c
> > @@ -226,28 +226,13 @@ __xfs_set_acl(struct inode *inode, struct posix_acl *acl, int type)
> >  	return error;
> >  }
> >  
> > -static int
> > -xfs_set_mode(struct inode *inode, umode_t mode)
> > -{
> > -	int error = 0;
> > -
> > -	if (mode != inode->i_mode) {
> > -		struct iattr iattr;
> > -
> > -		iattr.ia_valid = ATTR_MODE | ATTR_CTIME;
> > -		iattr.ia_mode = mode;
> > -		iattr.ia_ctime = current_time(inode);
> > -
> > -		error = xfs_setattr_nonsize(XFS_I(inode), &iattr, XFS_ATTR_NOACL);
> > -	}
> > -
> > -	return error;
> > -}
> 
> Ok, so that does an atomic, transactional change to the inode
> mode....
> 
> >  int
> >  xfs_set_acl(struct inode *inode, struct posix_acl *acl, int type)
> >  {
> >  	int error = 0;
> > +	int mode_changed = 0;
> > +	umode_t old_mode = inode->i_mode;
> > +	struct timespec old_ctime = inode->i_ctime;
> >  
> >  	if (!acl)
> >  		goto set_acl;
> > @@ -257,16 +242,20 @@ xfs_set_acl(struct inode *inode, struct posix_acl *acl, int type)
> >  		return error;
> >  
> >  	if (type == ACL_TYPE_ACCESS) {
> > -		umode_t mode;
> > -
> > -		error = posix_acl_update_mode(inode, &mode, &acl);
> > -		if (error)
> > -			return error;
> > -		error = xfs_set_mode(inode, mode);
> > +		error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
> >  		if (error)
> >  			return error;
> > +		inode->i_ctime = current_time(inode);
> > +		XFS_STATS_INC(XFS_I(inode)->i_mount, xs_ig_attrchg);
> > +		mode_changed = 1;
> >  	}
> 
> And this doesn't.
> 
> So this breaks all our rules for inode metadata updates, both for
> runtime access serialisation and for crash consistency.
> 

I'm only making changes to the vfs inode, and xfs_set_acl() should always
be called with i_rwsem held for writing. I think that should be enough to
serialize access to the vfs inode fields.

I'm sorry, I'm not sure I follow the crash consistency part. This is not
writing anything to disk. My expectation was that the changes I made to
the vfs inode would be attached to the transaction later, when calling
xfs_trans_log_inode() in xfs_attr_set() or xfs_attr_remove(). Would that
not work as intended? I was mostly imitating how btrfs sets an ACL, so I
could be misunderstanding how xfs does journaling.

> >   set_acl:
> > -	return __xfs_set_acl(inode, acl, type);
> > +	error = __xfs_set_acl(inode, acl, type);
> > +	if (error && mode_changed) {
> > +		inode->i_mode = old_mode;
> > +		inode->i_ctime = old_ctime;
> > +		XFS_STATS_DEC(XFS_I(inode)->i_mount, xs_ig_attrchg);
> > +	}
> 
> Same here.

i_rwsem would still be held here. My reasoning is that, since there was
an error, no changes were actually committed; so there would be no need
to commit the restoration either, just restore the old in-memory vfs inode
fields. Once again, this is inspired by btrfs, so I suppose it may fail
here in some way I can't see.

(I should probably clarify I did run tests before submitting)

> IOWs, you can't just remove a transactional modification of inode
> state and replace it with in-memory VFS inode level changes. You
> need to do the changes in transaction context and with the correct
> locks held.
>
> IOWs, if you need to undo the mode changes xfs_set_mode() did, you
> need to call xfs_set_mode() again. And because modifications have

But that could fail as well, and how would we handle that? If this bug
is to be fixed the whole thing needs to be a single transaction. That's
why I removed the xfs_set_mode() function in the first place.

> been made, the new ctime should remain in place, too.
>
> Of course, this still isn't atomic from a runtime access POV, but
> that's substantially harder to provide than just undoing the mode
> change on ACL attribute save error.
>
> Cheers,
> 
> Dave.
> -- 
> Dave Chinner
> david@xxxxxxxxxxxxx

Thanks,
Ernest
--
To unsubscribe from this list: send the line "unsubscribe linux-xfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [XFS Filesystem Development (older mail)]     [Linux Filesystem Development]     [Linux Audio Users]     [Yosemite Trails]     [Linux Kernel]     [Linux RAID]     [Linux SCSI]


  Powered by Linux