7c8b3ddfed
.sync and fsync used unnecessarily restrictive locking type
.fsync violated locking order by obtaining a vmnt lock after a filp lock
.fsync contained a TOCTOU bug
.new_node violated locking rules (didn't upgrade lock upon file creation)
.do_pipe used unnecessarily restrictive locking type
.always lock pipes exclusively; even a read operation might need to do a write on a vnode object (update pipe size)
.when opening a file with O_TRUNC, upgrade vnode lock when truncating
.utime used unnecessarily restrictive locking type
.path parsing:
  .always acquire VMNT_WRITE or VMNT_EXCL on vmnt and downgrade to VMNT_READ if that was what was actually requested. This prevents the following deadlock scenario:
     thread A: lock_vmnt(vmp, TLL_READSER); lock_vnode(vp, TLL_READSER); upgrade_vmnt_lock(vmp, TLL_WRITE);
     thread B: lock_vmnt(vmp, TLL_READ); lock_vnode(vp, TLL_READSER);
   thread A will be stuck in upgrade_vmnt_lock and thread B is stuck in lock_vnode. This happens when, for example, thread A tries to create a new node (open.c:new_node) and thread B tries to do eat_path to change dir (stadir.c:do_chdir). When the path is being resolved, a vnode is always locked with VNODE_OPCL (TLL_READSER) and then downgraded to VNODE_READ if read-only is actually requested. Thread A locks the vmnt with VMNT_WRITE (TLL_READSER) which still allows VMNT_READ locks. Thread B can't acquire a lock on the vnode because thread A has it; Thread A can't upgrade its vmnt lock to VMNT_WRITE (TLL_WRITE) because thread B has a VMNT_READ lock on it. By serializing vmnt locks during path parsing, thread B can only acquire a lock on vmp when thread A has completely finished its operation.
/* This file takes care of those system calls that deal with time.
 *
 * The entry points into this file are
 *   do_utime:		perform the UTIME system call
 */
#include "fs.h"
#include <minix/callnr.h>
#include <minix/com.h>
#include "file.h"
#include "fproc.h"
#include "path.h"
#include "param.h"
#include "vnode.h"
#include <minix/vfsif.h>
#include "vmnt.h"
/*===========================================================================*
 *				do_utime				     *
 *===========================================================================*/
int do_utime()
{
/* Handle the utime(name, timep) system call: set the access and modification
 * times of the file named by the caller.
 *
 * The request is read from job_m_in and the caller is identified by fp.
 * Returns err_code when the name cannot be fetched or resolved, EPERM or the
 * result of forbidden() when the caller may not change the times, EROFS when
 * read_only() rejects the vnode, and otherwise the result of req_utime().
 */
  struct lookup resolve;
  struct vmnt *vmp;
  struct vnode *vp;
  char fullpath[PATH_MAX];
  vir_bytes vname;
  size_t vname_length, len;
  time_t actime, modtime, newactime, newmodtime;
  int use_now;		/* non-zero when the caller passed timep == NULL */
  int r;

  /* Take everything we need out of the request message up front. */
  vname = (vir_bytes) job_m_in.utime_file;
  vname_length = (size_t) job_m_in.utime_length;
  actime = job_m_in.utime_actime;
  modtime = job_m_in.utime_modtime;

  /* A zero utime_length marks the 'timep' == NULL case; the real size of the
   * name, strlen(name)+1, is then carried in utime_strlen instead.
   */
  use_now = (vname_length == 0);
  len = use_now ? (size_t) job_m_in.utime_strlen : vname_length;

  /* Ask path resolution for read locks on both the vmnt and the vnode. */
  lookup_init(&resolve, fullpath, PATH_NOFLAGS, &vmp, &vp);
  resolve.l_vmnt_lock = VMNT_READ;
  resolve.l_vnode_lock = VNODE_READ;

  /* Fetch the path name and resolve it to a vnode.
   * NOTE(review): 'len' is supplied by the caller; fetch_name is assumed to
   * bound it against the PATH_MAX-sized 'fullpath' - confirm.
   * NOTE(review): both early returns skip the unlock calls below, so
   * eat_path is assumed to hold no locks when it returns NULL - confirm.
   */
  if (fetch_name(vname, len, fullpath) != OK) return(err_code);
  vp = eat_path(&resolve, fp);
  if (vp == NULL) return(err_code);

  /* Access check, done on the vnode returned by eat_path:
   *  - the file's owner and the super user may always set the times;
   *  - anyone else is refused with EPERM when explicit times were given;
   *  - with timep == NULL the decision is left to forbidden(..., W_BIT),
   *    i.e. write access to the file is what is asked for.
   */
  if (vp->v_uid == fp->fp_effuid || fp->fp_effuid == SU_UID)
	r = OK;
  else if (use_now)
	r = forbidden(fp, vp, W_BIT);
  else
	r = EPERM;

  /* A read-only result overrides whatever was decided above, so not even
   * the super user can touch the times in that case.
   */
  if (read_only(vp) != OK) r = EROFS;

  if (r == OK) {
	/* Pick the times to store: the current time for timep == NULL,
	 * otherwise exactly what the caller supplied.
	 */
	if (use_now) {
		newactime = clock_time();
		newmodtime = newactime;
	} else {
		newactime = actime;
		newmodtime = modtime;
	}

	/* Issue the request for this inode. */
	r = req_utime(vp->v_fs_e, vp->v_inode_nr, newactime, newmodtime);
  }

  /* Release the vnode lock first, then the vmnt lock. */
  unlock_vnode(vp);
  unlock_vmnt(vmp);

  /* Presumably drops the vnode reference obtained through eat_path. */
  put_vnode(vp);
  return(r);
}