fs: Establish locking order for unrelated directories

commit f23ce757185319886ca80c4864ce5f81ac6cc9e9 upstream.

Currently the locking order of inode locks for directories that are not
in ancestor relationship is not defined because all operations that
needed to lock two directories like this were serialized by
sb->s_vfs_rename_mutex. However some filesystems need to lock two
subdirectories for RENAME_EXCHANGE operations and for this we need the
locking order established even for two tree-unrelated directories.
Provide a helper function lock_two_inodes() that establishes lock
ordering for any two inodes and use it in lock_two_directories().

CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
Message-Id: <20230601105830.13168-4-jack@suse.cz>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/fs/inode.c b/fs/inode.c
index 8c4078889754febf4284a3d4bfb63007effa3143..6ae760db13116351c2b06a485a57b0eb8e759967 100644 (file)
--- a/fs/inode.c
+++ b/fs/inode.c
@@ -1103,6 +1103,48 @@ void discard_new_inode(struct inode *inode)
 }
 EXPORT_SYMBOL(discard_new_inode);
 
+/**
+ * lock_two_inodes - lock two inodes (may be regular files but also dirs)
+ *
+ * Lock any non-NULL argument. The caller must make sure that if he is passing
+ * in two directories, one is not ancestor of the other.  Zero, one or two
+ * objects may be locked by this function.
+ *
+ * @inode1: first inode to lock
+ * @inode2: second inode to lock
+ * @subclass1: inode lock subclass for the first lock obtained
+ * @subclass2: inode lock subclass for the second lock obtained
+ */
+void lock_two_inodes(struct inode *inode1, struct inode *inode2,
+                    unsigned subclass1, unsigned subclass2)
+{
+       if (!inode1 || !inode2) {
+               /*
+                * Make sure @subclass1 will be used for the acquired lock.
+                * This is not strictly necessary (no current caller cares) but
+                * let's keep things consistent.
+                */
+               if (!inode1)
+                       swap(inode1, inode2);
+               goto lock;
+       }
+
+       /*
+        * If one object is directory and the other is not, we must make sure
+        * to lock directory first as the other object may be its child.
+        */
+       if (S_ISDIR(inode2->i_mode) == S_ISDIR(inode1->i_mode)) {
+               if (inode1 > inode2)
+                       swap(inode1, inode2);
+       } else if (!S_ISDIR(inode1->i_mode))
+               swap(inode1, inode2);
+lock:
+       if (inode1)
+               inode_lock_nested(inode1, subclass1);
+       if (inode2 && inode2 != inode1)
+               inode_lock_nested(inode2, subclass2);
+}
+
 /**
  * lock_two_nondirectories - take two i_mutexes on non-directory objects
  *

diff --git a/fs/internal.h b/fs/internal.h
index 5545c26d86ae54d5ad5d5bce18dd3c616500e10b..46caa33373a48cf1659b24580d3b33c4c225641c 100644 (file)
--- a/fs/internal.h
+++ b/fs/internal.h
@@ -153,6 +153,8 @@ extern long prune_icache_sb(struct super_block *sb, struct shrink_control *sc);
 int dentry_needs_remove_privs(struct user_namespace *, struct dentry *dentry);
 bool in_group_or_capable(struct user_namespace *mnt_userns,
                         const struct inode *inode, vfsgid_t vfsgid);
+void lock_two_inodes(struct inode *inode1, struct inode *inode2,
+                    unsigned subclass1, unsigned subclass2);
 
 /*
  * fs-writeback.c

diff --git a/fs/namei.c b/fs/namei.c
index 9155ecb547ce62464dd8b304e63ed73b7cf2b73e..734d516b81fda13c450a4bfc3bae3057ce5ce252 100644 (file)
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -3007,8 +3007,8 @@ struct dentry *lock_rename(struct dentry *p1, struct dentry *p2)
                return p;
        }
 
-       inode_lock_nested(p1->d_inode, I_MUTEX_PARENT);
-       inode_lock_nested(p2->d_inode, I_MUTEX_PARENT2);
+       lock_two_inodes(p1->d_inode, p2->d_inode,
+                       I_MUTEX_PARENT, I_MUTEX_PARENT2);
        return NULL;
 }
 EXPORT_SYMBOL(lock_rename);