fs-verity: use smp_load_acquire() for ->i_verity_info
author Eric Biggers <ebiggers@google.com>
Tue, 21 Jul 2020 22:59:20 +0000 (15:59 -0700)
committer Eric Biggers <ebiggers@google.com>
Tue, 21 Jul 2020 23:02:41 +0000 (16:02 -0700)
commit f3db0bed458314a835ccef5ccb130270c5b2cf04
tree 0a9b6eacb0dea29a4a18bf24ae56e29a67d3de08
parent ba47d845d715a010f7b51f6f89bae32845e6acb7
fs-verity: use smp_load_acquire() for ->i_verity_info

Normally smp_store_release() or cmpxchg_release() is paired with
smp_load_acquire().  Sometimes smp_load_acquire() can be replaced with
the more lightweight READ_ONCE().  However, for this to be safe, all the
published memory must only be accessed in a way that involves the
pointer itself.  This may not be the case if allocating the object also
involves initializing a static or global variable, for example.

fsverity_info::tree_params.hash_alg->tfm is a crypto_ahash object that's
internal to and is allocated by the crypto subsystem.  So by using
READ_ONCE() for ->i_verity_info, we're relying on internal
implementation details of the crypto subsystem.

Remove this fragile assumption by using smp_load_acquire() instead.

Also fix the cmpxchg logic to correctly execute an ACQUIRE barrier when
losing the cmpxchg race, since cmpxchg doesn't guarantee a memory
barrier on failure.

(Note: I haven't seen any real-world problems here.  This change is just
fixing the code to be guaranteed correct and less fragile.)

Fixes: fd2d1acfcadf ("fs-verity: add the hook for file ->open()")
Link: https://lore.kernel.org/r/20200721225920.114347-6-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
fs/verity/open.c
include/linux/fsverity.h
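The publish-once pattern the commit message describes, as an added stand-alone C11 analogue that is not the kernel's code: the RELEASE compare-and-exchange pairs with an ACQUIRE load on the reader side, and because the exchange gives no ordering when it fails (mirroring cmpxchg_release()), the losing path re-reads the winner with an explicit ACQUIRE. The struct and function names are stand-ins for fsverity_info, struct inode, fsverity_get_info() and fsverity_set_info(), not the real ones.

```c
#include <stdatomic.h>
#include <stdlib.h>

/* Stand-ins for fsverity_info and struct inode: one field and one pointer
 * that is published once and then read lock-free. */
struct verity_info { int hash_alg_id; };
struct inode { _Atomic(struct verity_info *) i_verity_info; };

/* Reader side.  This ACQUIRE pairs with the RELEASE in set_verity_info(), so
 * everything written before vi was published (including memory reached only
 * indirectly through vi) is visible to the reader. */
static struct verity_info *get_verity_info(struct inode *inode)
{
	return atomic_load_explicit(&inode->i_verity_info, memory_order_acquire);
}

/* Writer side: publish-once with a RELEASE compare-and-exchange.  The failure
 * order is deliberately relaxed to mirror cmpxchg_release(), which promises
 * no barrier on failure, so the loser re-reads the winner with ACQUIRE. */
static struct verity_info *set_verity_info(struct inode *inode,
					   struct verity_info *vi)
{
	struct verity_info *expected = NULL;
	if (atomic_compare_exchange_strong_explicit(&inode->i_verity_info,
						    &expected, vi,
						    memory_order_release,
						    memory_order_relaxed))
		return vi;			/* Won: vi is published. */
	free(vi);				/* Lost: drop our copy ... */
	return get_verity_info(inode);		/* ... and ACQUIRE the winner. */
}

/* Two initialisations racing on one inode: the second must observe and use
 * the first one's object.  Returns the winner's hash_alg_id (expected 1). */
static int run_publish_once_demo(void)
{
	struct inode inode;
	struct verity_info *a = malloc(sizeof(*a)), *b = malloc(sizeof(*b));
	int id = -1;
	if (!a || !b) { free(a); free(b); return -1; }
	atomic_init(&inode.i_verity_info, NULL);
	a->hash_alg_id = 1;
	b->hash_alg_id = 2;
	if (set_verity_info(&inode, a) == a && set_verity_info(&inode, b) == a)
		id = get_verity_info(&inode)->hash_alg_id;	/* b was freed */
	free(a);
	return id;
}
```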