svn commit: r270648 - in head/sys: kern sys
Mateusz Guzik
mjg at FreeBSD.org
Tue Aug 26 08:17:23 UTC 2014
Author: mjg
Date: Tue Aug 26 08:17:22 2014
New Revision: 270648
URL: http://svnweb.freebsd.org/changeset/base/270648
Log:
Fix up races with f_seqcount handling.
It was possible that the kernel would overwrite user-supplied hint.
Abuse vnode lock for this purpose.
In collaboration with: kib
MFC after: 1 week
Modified:
head/sys/kern/kern_descrip.c
head/sys/kern/vfs_vnops.c
head/sys/sys/file.h
Modified: head/sys/kern/kern_descrip.c
==============================================================================
--- head/sys/kern/kern_descrip.c Tue Aug 26 08:13:30 2014 (r270647)
+++ head/sys/kern/kern_descrip.c Tue Aug 26 08:17:22 2014 (r270648)
@@ -476,7 +476,6 @@ kern_fcntl(struct thread *td, int fd, in
struct vnode *vp;
cap_rights_t rights;
int error, flg, tmp;
- u_int old, new;
uint64_t bsize;
off_t foffset;
@@ -760,26 +759,24 @@ kern_fcntl(struct thread *td, int fd, in
error = EBADF;
break;
}
+ vp = fp->f_vnode;
+ /*
+ * Exclusive lock synchronizes against f_seqcount reads and
+ * writes in sequential_heuristic().
+ */
+ error = vn_lock(vp, LK_EXCLUSIVE);
+ if (error != 0) {
+ fdrop(fp, td);
+ break;
+ }
if (arg >= 0) {
- vp = fp->f_vnode;
- error = vn_lock(vp, LK_SHARED);
- if (error != 0) {
- fdrop(fp, td);
- break;
- }
bsize = fp->f_vnode->v_mount->mnt_stat.f_iosize;
- VOP_UNLOCK(vp, 0);
fp->f_seqcount = (arg + bsize - 1) / bsize;
- do {
- new = old = fp->f_flag;
- new |= FRDAHEAD;
- } while (!atomic_cmpset_rel_int(&fp->f_flag, old, new));
+ atomic_set_int(&fp->f_flag, FRDAHEAD);
} else {
- do {
- new = old = fp->f_flag;
- new &= ~FRDAHEAD;
- } while (!atomic_cmpset_rel_int(&fp->f_flag, old, new));
+ atomic_clear_int(&fp->f_flag, FRDAHEAD);
}
+ VOP_UNLOCK(vp, 0);
fdrop(fp, td);
break;
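Review bot: The user-supplied `arg` is still converted into `f_seqcount` with no upper bound in `fp->f_seqcount = (arg + bsize - 1) / bsize;`. sequential_heuristic() returns `fp->f_seqcount << IO_SEQSHIFT` whenever FRDAHEAD is set (see the vfs_vnops.c hunk), so a large hint on a small block size can overflow the signed shift or spill outside the sequential-count bits of the I/O flags. Clamping at the assignment would bound it: `fp->f_seqcount = MIN(IO_SEQMAX, (arg + bsize - 1) / bsize);`. Because `vp` is now assigned unconditionally, `bsize = vp->v_mount->mnt_stat.f_iosize;` would also be more consistent than dereferencing `fp->f_vnode` again. The enclosing fcntl case begins outside this hunk, so any earlier validation of `arg` is not visible here.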
Modified: head/sys/kern/vfs_vnops.c
==============================================================================
--- head/sys/kern/vfs_vnops.c Tue Aug 26 08:13:30 2014 (r270647)
+++ head/sys/kern/vfs_vnops.c Tue Aug 26 08:17:22 2014 (r270648)
@@ -438,7 +438,8 @@ static int
sequential_heuristic(struct uio *uio, struct file *fp)
{
- if (atomic_load_acq_int(&(fp->f_flag)) & FRDAHEAD)
+ ASSERT_VOP_LOCKED(fp->f_vnode, __func__);
+ if (fp->f_flag & FRDAHEAD)
return (fp->f_seqcount << IO_SEQSHIFT);
/*
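Review bot: The plain read `fp->f_flag & FRDAHEAD` is only safe if every caller of sequential_heuristic() already holds the vnode lock, and the one thing that checks this is `ASSERT_VOP_LOCKED`, which as far as I know is compiled in only on kernels built with DEBUG_VFS_LOCKS. The callers are not part of this hunk, so it is worth confirming that each one takes the lock before calling and not after. The requirement should also be stated on the function itself, for example `/* Caller must hold the f_vnode lock (shared is sufficient); fcntl() takes it exclusively to install a hint. */` above the definition. The body of sequential_heuristic() continues past the end of this hunk.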
Modified: head/sys/sys/file.h
==============================================================================
--- head/sys/sys/file.h Tue Aug 26 08:13:30 2014 (r270647)
+++ head/sys/sys/file.h Tue Aug 26 08:17:22 2014 (r270648)
@@ -143,6 +143,7 @@ struct fileops {
*
* Below is the list of locks that protects members in struct file.
*
+ * (a) f_vnode lock required (shared allows both reads and writes)
* (f) protected with mtx_lock(mtx_pool_find(fp))
* (d) cdevpriv_mtx
* none not locked
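Review bot: The new `(a)` key says a shared lock permits writes but does not explain why, which reads like a mistake to anyone used to shared meaning read-only. Judging from the kern_descrip.c hunk, the intent is that heuristic updates may race with each other harmlessly, while the fcntl path takes the lock exclusively so that its hint is not overwritten. I would say that in the key itself, e.g. `(a) f_vnode lock required (shared allows both reads and writes; exclusive is taken only to install a user hint)`. The following hunk annotates `f_seqcount` but leaves `f_nextoff` unmarked; if the heuristic updates both together, it probably deserves the same key. Please confirm.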
@@ -168,7 +169,7 @@ struct file {
/*
* DTYPE_VNODE specific fields.
*/
- int f_seqcount; /* Count of sequential accesses. */
+ int f_seqcount; /* (a) Count of sequential accesses. */
off_t f_nextoff; /* next expected read/write offset. */
union {
struct cdev_privdata *fvn_cdevpriv;