[1/7] fuse: Check for fc->connected in fuse_dev_alloc()

Message ID	154754755979.4244.14965151684224631403.stgit@localhost.localdomain (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-fsdevel-owner@kernel.org> Subject: [PATCH 1/7] fuse: Check for fc->connected in fuse_dev_alloc() From: Kirill Tkhai <ktkhai@virtuozzo.com> To: miklos@szeredi.hu, ktkhai@virtuozzo.com, linux-fsdevel@vger.kernel.org Date: Tue, 15 Jan 2019 13:19:19 +0300 Message-ID: <154754755979.4244.14965151684224631403.stgit@localhost.localdomain> In-Reply-To: <154754701031.4244.8089449938935364463.stgit@localhost.localdomain> References: <154754701031.4244.8089449938935364463.stgit@localhost.localdomain> User-Agent: StGit/0.18 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk
Series	fuse: Improve disconnect scheme and avoid taking fpq->lock on hot paths \| expand [0/7] fuse: Improve disconnect scheme and avoid taking fpq->lock on hot paths [1/7] fuse: Check for fc->connected in fuse_dev_alloc() [2/7] fuse: Move flush_bg_queue() up in fuse_abort_conn() [3/7] fuse: Drop and reacquire fc->lock in middle of fuse_abort_conn() [4/7] fuse: Add fud pointer to struct fuse_copy_state [5/7] fuse: Introduce generic fuse_copy_aborted() [6/7] fuse: Kill unused FR_ABORTED, FR_LOCKED and FR_PRIVATE flags [7/7] fuse: Kill fuse_pqueue::io list and avoid taking fpq->lock on hot paths

Kirill Tkhai Jan. 15, 2019, 10:19 a.m. UTC

fuse_dev_alloc() may be called after fc->connected
is dropped (from ioctl), so here we add sanity check
for that case.

Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
---
 fs/fuse/inode.c |    9 +++++++++
 1 file changed, 9 insertions(+)

Miklos Szeredi Jan. 18, 2019, 12:07 p.m. UTC | #1

On Tue, Jan 15, 2019 at 11:19 AM Kirill Tkhai <ktkhai@virtuozzo.com> wrote:
>
> fuse_dev_alloc() may be called after fc->connected
> is dropped (from ioctl), so here we add sanity check
> for that case.

AFAICS this is not fixing a bug; i.e. even if the fuse_dev is added to
the fuse_conn's list after disconnection there would be no leak.

In other words, it's irrelevant whether the connection reset comes
just before the ioctl completes or just after.   Or am I missing
something?

Thanks,
Miklos

>
> Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
> ---
>  fs/fuse/inode.c |    9 +++++++++
>  1 file changed, 9 insertions(+)
>
> diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
> index 336844d0eb3a..0361a3d62356 100644
> --- a/fs/fuse/inode.c
> +++ b/fs/fuse/inode.c
> @@ -1054,10 +1054,19 @@ struct fuse_dev *fuse_dev_alloc(struct fuse_conn *fc)
>         fuse_pqueue_init(&fud->pq);
>
>         spin_lock(&fc->lock);
> +       if (!fc->connected) {
> +               spin_unlock(&fc->lock);
> +               goto out_put;
> +       }
>         list_add_tail(&fud->entry, &fc->devices);
>         spin_unlock(&fc->lock);
>
>         return fud;
> +out_put:
> +       fuse_conn_put(fc);
> +       kfree(pq);
> +       kfree(fud);
> +       return NULL;
>  }
>  EXPORT_SYMBOL_GPL(fuse_dev_alloc);
>
>

Kirill Tkhai Jan. 18, 2019, 12:28 p.m. UTC | #2

On 18.01.2019 15:07, Miklos Szeredi wrote:
> On Tue, Jan 15, 2019 at 11:19 AM Kirill Tkhai <ktkhai@virtuozzo.com> wrote:
>>
>> fuse_dev_alloc() may be called after fc->connected
>> is dropped (from ioctl), so here we add sanity check
>> for that case.
> 
> AFAICS this is not fixing a bug; i.e. even if the fuse_dev is added to
> the fuse_conn's list after disconnection there would be no leak.
> 
> In other words, it's irrelevant whether the connection reset comes
> just before the ioctl completes or just after.   Or am I missing
> something?

Yeah, there won't be a leak. The only problem I see, userspace daemon
may become waiting in fuse_dev_do_read() after abort is finished.
This means fc->count won't be put, and manual killing signal will be
needed.

I.e., umount -f will wait till the daemon is killed manually.
Not so big a problem, but not very pleasant...

Kirill

>>
>> Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
>> ---
>>  fs/fuse/inode.c |    9 +++++++++
>>  1 file changed, 9 insertions(+)
>>
>> diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
>> index 336844d0eb3a..0361a3d62356 100644
>> --- a/fs/fuse/inode.c
>> +++ b/fs/fuse/inode.c
>> @@ -1054,10 +1054,19 @@ struct fuse_dev *fuse_dev_alloc(struct fuse_conn *fc)
>>         fuse_pqueue_init(&fud->pq);
>>
>>         spin_lock(&fc->lock);
>> +       if (!fc->connected) {
>> +               spin_unlock(&fc->lock);
>> +               goto out_put;
>> +       }
>>         list_add_tail(&fud->entry, &fc->devices);
>>         spin_unlock(&fc->lock);
>>
>>         return fud;
>> +out_put:
>> +       fuse_conn_put(fc);
>> +       kfree(pq);
>> +       kfree(fud);
>> +       return NULL;
>>  }
>>  EXPORT_SYMBOL_GPL(fuse_dev_alloc);
>>
>>

Miklos Szeredi Jan. 23, 2019, 9:45 a.m. UTC | #3

On Fri, Jan 18, 2019 at 1:28 PM Kirill Tkhai <ktkhai@virtuozzo.com> wrote:
>
> On 18.01.2019 15:07, Miklos Szeredi wrote:
> > On Tue, Jan 15, 2019 at 11:19 AM Kirill Tkhai <ktkhai@virtuozzo.com> wrote:
> >>
> >> fuse_dev_alloc() may be called after fc->connected
> >> is dropped (from ioctl), so here we add sanity check
> >> for that case.
> >
> > AFAICS this is not fixing a bug; i.e. even if the fuse_dev is added to
> > the fuse_conn's list after disconnection there would be no leak.
> >
> > In other words, it's irrelevant whether the connection reset comes
> > just before the ioctl completes or just after.   Or am I missing
> > something?
>
> Yeah, there won't be a leak. The only problem I see, userspace daemon
> may become waiting in fuse_dev_do_read() after abort is finished.

By that time fiq->connected will be reset, so fuse_dev_do_read() will
return ENODEV/ECONNABORTED.

Am I missing something?

Thanks,
Miklos

Kirill Tkhai Jan. 23, 2019, 9:55 a.m. UTC | #4

On 23.01.2019 12:45, Miklos Szeredi wrote:
> On Fri, Jan 18, 2019 at 1:28 PM Kirill Tkhai <ktkhai@virtuozzo.com> wrote:
>>
>> On 18.01.2019 15:07, Miklos Szeredi wrote:
>>> On Tue, Jan 15, 2019 at 11:19 AM Kirill Tkhai <ktkhai@virtuozzo.com> wrote:
>>>>
>>>> fuse_dev_alloc() may be called after fc->connected
>>>> is dropped (from ioctl), so here we add sanity check
>>>> for that case.
>>>
>>> AFAICS this is not fixing a bug; i.e. even if the fuse_dev is added to
>>> the fuse_conn's list after disconnection there would be no leak.
>>>
>>> In other words, it's irrelevant whether the connection reset comes
>>> just before the ioctl completes or just after.   Or am I missing
>>> something?
>>
>> Yeah, there won't be a leak. The only problem I see, userspace daemon
>> may become waiting in fuse_dev_do_read() after abort is finished.
> 
> By that time fiq->connected will be reset, so fuse_dev_do_read() will
> return ENODEV/ECONNABORTED.
> 
> Am I missing something?

I mean:

[cpu0]                                          [cpu1]
fuse_device_clone()              
  fuse_dev_alloc()                              fuse_abort_conn()
                                                  spin_lock(&fc->lock)
                                                  list_for_each_entry(fud, &fc->devices, entry)
                                                    fpq->connected = 0
                                                  spin_unlock(&fc->lock)
  spin_lock(&fc->lock);
  list_add_tail(&fud->entry, &fc->devices);
  spin_unlock(&fc->lock);
...
fuse_dev_do_read()
  wait_event_interruptible_exclusive_locked() <-- wait forever

If you have manager-thread on cpu1, and it expects all worker-threads (like on cpu0)
will finish after abort, this won't be true.

Kirill

Miklos Szeredi Jan. 23, 2019, 10:24 a.m. UTC | #5

On Wed, Jan 23, 2019 at 10:55 AM Kirill Tkhai <ktkhai@virtuozzo.com> wrote:
>
> On 23.01.2019 12:45, Miklos Szeredi wrote:
> > On Fri, Jan 18, 2019 at 1:28 PM Kirill Tkhai <ktkhai@virtuozzo.com> wrote:
> >>
> >> On 18.01.2019 15:07, Miklos Szeredi wrote:
> >>> On Tue, Jan 15, 2019 at 11:19 AM Kirill Tkhai <ktkhai@virtuozzo.com> wrote:
> >>>>
> >>>> fuse_dev_alloc() may be called after fc->connected
> >>>> is dropped (from ioctl), so here we add sanity check
> >>>> for that case.
> >>>
> >>> AFAICS this is not fixing a bug; i.e. even if the fuse_dev is added to
> >>> the fuse_conn's list after disconnection there would be no leak.
> >>>
> >>> In other words, it's irrelevant whether the connection reset comes
> >>> just before the ioctl completes or just after.   Or am I missing
> >>> something?
> >>
> >> Yeah, there won't be a leak. The only problem I see, userspace daemon
> >> may become waiting in fuse_dev_do_read() after abort is finished.
> >
> > By that time fiq->connected will be reset, so fuse_dev_do_read() will
> > return ENODEV/ECONNABORTED.
> >
> > Am I missing something?
>
> I mean:
>
> [cpu0]                                          [cpu1]
> fuse_device_clone()
>   fuse_dev_alloc()                              fuse_abort_conn()
>                                                   spin_lock(&fc->lock)
>                                                   list_for_each_entry(fud, &fc->devices, entry)
>                                                     fpq->connected = 0
>                                                   spin_unlock(&fc->lock)
>   spin_lock(&fc->lock);
>   list_add_tail(&fud->entry, &fc->devices);

Okay, so there's missing

     fpq->connected = fc->connected;

here.

>   spin_unlock(&fc->lock);
> ...
> fuse_dev_do_read()
>   wait_event_interruptible_exclusive_locked() <-- wait forever

That will exit immediately, because it checks fiq->connected (not
fpq->connected) which is already zero.

Thanks,
Miklos

[1/7] fuse: Check for fc->connected in fuse_dev_alloc()

Commit Message

Comments

Patch