| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 12 Apr 2014 15:15:39 -0700 From: ebiederm@...ssion.com (Eric W. Biederman) To: Al Viro <viro@...IV.linux.org.uk> Cc: Linus Torvalds <torvalds@...ux-foundation.org>, "Serge E. Hallyn" <serge@...lyn.com>, Linux-Fsdevel <linux-fsdevel@...r.kernel.org>, Kernel Mailing List <linux-kernel@...r.kernel.org>, Andy Lutomirski <luto@...capital.net>, Rob Landley <rob@...dley.net>, Miklos Szeredi <miklos@...redi.hu>, Christoph Hellwig <hch@...radead.org>, Karel Zak <kzak@...hat.com>, "J. Bruce Fields" <bfields@...ldses.org>, Fengguang Wu <fengguang.wu@...el.com> Subject: Re: [RFC][PATCH] vfs: In mntput run deactivate_super on a shallow stack. Al Viro <viro@...IV.linux.org.uk> writes: > On Wed, Apr 09, 2014 at 03:58:25PM -0700, Eric W. Biederman wrote: >> >> mntput as part of pathput is called from all over the vfs sometimes as >> in the case of symlink chasing from some rather deep call chains. >> During filesystem unmount with the right set of races those innocuous >> little mntput calls that take very little stack space can become calls >> become mosters calling deactivate_super that can take up 3k or more of >> stack space as syncrhonous filesystem I/O is performed, through >> multiple levels of the I/O stack. >> >> Avoid deactivate_super being called from a deep stack by converting >> mntput to use task_work_add when the mnt_count goes to 0. The >> filesystem is still unmounted synchronously preserving the semantics >> that system calls like umount require. > > Careful. For one thing, you've just introduced a massive leak in knfsd > and any other kernel thread that might do mntput(). task_work_add() > makes no sense there - there is no userland to return to. For another, > in things like cleanup of failing modprobe we might end up delaying fs > shutdown too much. So it's not that simple, unfortunately. Can you explain which scenario you are thinking about with respect to a failed modprobe? I don't see any problems on the mount path, and copy_module_from_fd already uses struct file which does this. So I am curious to know which scenario you were thinking of. Outside of mount (where we demand load the fs module) I can't think of a scenario with modprobe where we would require immediate free semantics. Unmout certainly needs to have the filesystem freed by the time we reach userspace (in the normal case) but other than that I am drawing a blank. > I agree that fs shutdown is better dealt with on mostly empty stack, of > course - moreover, done right that has a potential to make mntput() > safe in atomic contexts (there's also acct_auto_close_mnt() to deal > with; that might take some work to get right, but I think it's not > fatal). I just about have a working version, and acct_auto_close_mnt wasn't particularly difficult. Just one more thing that had to be done. Eric -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists