• Al Viro's avatar
    rename(): fix the locking of subdirectories · 22e111ed
    Al Viro authored
    	We should never lock two subdirectories without having taken
    ->s_vfs_rename_mutex; inode pointer order or not, the "order" proposed
    in 28eceeda "fs: Lock moved directories" is not transitive, with
    the usual consequences.
    
    	The rationale for locking renamed subdirectory in all cases was
    the possibility of race between rename modifying .. in a subdirectory to
    reflect the new parent and another thread modifying the same subdirectory.
    For a lot of filesystems that's not a problem, but for some it can lead
    to trouble (e.g. the case when short directory contents is kept in the
    inode, but creating a file in it might push it across the size limit
    and copy its contents into separate data block(s)).
    
    	However, we need that only in case when the parent does change -
    otherwise ->rename() doesn't need to do anything with .. entry in the
    first place.  Some instances are lazy and do a tautological update anyway,
    but it's really not hard to avoid.
    
    Amended locking rules for rename():
    	find the parent(s) of source and target
    	if source and target have the same parent
    		lock the common parent
    	else
    		lock ->s_vfs_rename_mutex
    		lock both parents, in ancestor-first order; if neither
    		is an ancestor of another, lock the parent of source
    		first.
    	find the source and target.
    	if source and target have the same parent
    		if operation is an overwriting rename of a subdirectory
    			lock the target subdirectory
    	else
    		if source is a subdirectory
    			lock the source
    		if target is a subdirectory
    			lock the target
    	lock non-directories involved, in inode pointer order if both
    	source and target are such.
    
    That way we are guaranteed that parents are locked (for obvious reasons),
    that any renamed non-directory is locked (nfsd relies upon that),
    that any victim is locked (emptiness check needs that, among other things)
    and subdirectory that changes parent is locked (needed to protect the update
    of .. entries).  We are also guaranteed that any operation locking more
    than one directory either takes ->s_vfs_rename_mutex or locks a parent
    followed by its child.
    
    Cc: stable@vger.kernel.org
    Fixes: 28eceeda "fs: Lock moved directories"
    Reviewed-by: default avatarJan Kara <jack@suse.cz>
    Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
    22e111ed
directory-locking.rst 6.58 KB