lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAOg9mSTGuDXfz3tn2Ug18V2AwyFUWg5hMtx=KuLXfzHeLc-GJg@mail.gmail.com>
Date:   Fri, 14 Apr 2017 14:43:07 -0400
From:   Mike Marshall <hubcap@...ibond.com>
To:     Martin Brandenburg <martin@...ibond.com>
Cc:     Linus Torvalds <torvalds@...ux-foundation.org>,
        Al Viro <viro@...iv.linux.org.uk>,
        linux-fsdevel <linux-fsdevel@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>, stable@...r.kernel.org
Subject: Re: [PATCH] orangefs: free superblock when mount fails

ACK.

I tried to mount orangefs with a nonsense option and got:

[96967.205842] ================================================
[96967.206439] [ BUG: lock held when returning to user space! ]
[96967.207046] 4.10.0-00008-g554ce8b #2 Not tainted
[96967.207531] ------------------------------------------------
[96967.208130] mount/6371 is leaving the kernel with locks still held!
[96967.208797] 1 lock held by mount/6371:
[96967.209211]  #0:  (&type->s_umount_key#52/1){+.+.+.}, at:
[<ffffffffbe2a1782>] sget_userns+0x2d2/0x510

and then I typed sync and it wedged...

After applying Martin's patch, the nonsense mount option merely caused
the mount to fail without sickening the kernel...

-Mike

On Fri, Apr 14, 2017 at 2:22 PM, Martin Brandenburg <martin@...ibond.com> wrote:
> Otherwise lockdep says:
>
> [ 1337.483798] ================================================
> [ 1337.483999] [ BUG: lock held when returning to user space! ]
> [ 1337.484252] 4.11.0-rc6 #19 Not tainted
> [ 1337.484423] ------------------------------------------------
> [ 1337.484626] mount/14766 is leaving the kernel with locks still held!
> [ 1337.484841] 1 lock held by mount/14766:
> [ 1337.485017]  #0:  (&type->s_umount_key#33/1){+.+.+.}, at: [<ffffffff8124171f>] sget_userns+0x2af/0x520
>
> Caught by xfstests generic/413 which tried to mount with the unsupported
> mount option dax.  Then xfstests generic/422 ran sync which deadlocks.
>
> Signed-off-by: Martin Brandenburg <martin@...ibond.com>
> Cc: stable@...r.kernel.org
> ---
>  fs/orangefs/devorangefs-req.c |  9 +++++++--
>  fs/orangefs/orangefs-kernel.h |  1 +
>  fs/orangefs/super.c           | 23 ++++++++++++++++-------
>  3 files changed, 24 insertions(+), 9 deletions(-)
>
> diff --git a/fs/orangefs/devorangefs-req.c b/fs/orangefs/devorangefs-req.c
> index c4ab6fdf17a0..e1534c9bab16 100644
> --- a/fs/orangefs/devorangefs-req.c
> +++ b/fs/orangefs/devorangefs-req.c
> @@ -208,14 +208,19 @@ static ssize_t orangefs_devreq_read(struct file *file,
>                                 continue;
>                         /*
>                          * Skip ops whose filesystem we don't know about unless
> -                        * it is being mounted.
> +                        * it is being mounted or unmounted.  It is possible for
> +                        * a filesystem we don't know about to be unmounted if
> +                        * it fails to mount in the kernel after userspace has
> +                        * been sent the mount request.
>                          */
>                         /* XXX: is there a better way to detect this? */
>                         } else if (ret == -1 &&
>                                    !(op->upcall.type ==
>                                         ORANGEFS_VFS_OP_FS_MOUNT ||
>                                      op->upcall.type ==
> -                                       ORANGEFS_VFS_OP_GETATTR)) {
> +                                       ORANGEFS_VFS_OP_GETATTR ||
> +                                    op->upcall.type ==
> +                                       ORANGEFS_VFS_OP_FS_UMOUNT)) {
>                                 gossip_debug(GOSSIP_DEV_DEBUG,
>                                     "orangefs: skipping op tag %llu %s\n",
>                                     llu(op->tag), get_opname_string(op));
> diff --git a/fs/orangefs/orangefs-kernel.h b/fs/orangefs/orangefs-kernel.h
> index 5e48a0be9761..8afac46fcc87 100644
> --- a/fs/orangefs/orangefs-kernel.h
> +++ b/fs/orangefs/orangefs-kernel.h
> @@ -249,6 +249,7 @@ struct orangefs_sb_info_s {
>         char devname[ORANGEFS_MAX_SERVER_ADDR_LEN];
>         struct super_block *sb;
>         int mount_pending;
> +       int no_list;
>         struct list_head list;
>  };
>
> diff --git a/fs/orangefs/super.c b/fs/orangefs/super.c
> index cd261c8de53a..629d8c917fa6 100644
> --- a/fs/orangefs/super.c
> +++ b/fs/orangefs/super.c
> @@ -493,7 +493,7 @@ struct dentry *orangefs_mount(struct file_system_type *fst,
>
>         if (ret) {
>                 d = ERR_PTR(ret);
> -               goto free_op;
> +               goto free_sb_and_op;
>         }
>
>         /*
> @@ -519,6 +519,9 @@ struct dentry *orangefs_mount(struct file_system_type *fst,
>         spin_unlock(&orangefs_superblocks_lock);
>         op_release(new_op);
>
> +       /* Must be removed from the list now. */
> +       ORANGEFS_SB(sb)->no_list = 0;
> +
>         if (orangefs_userspace_version >= 20906) {
>                 new_op = op_alloc(ORANGEFS_VFS_OP_FEATURES);
>                 if (!new_op)
> @@ -533,6 +536,10 @@ struct dentry *orangefs_mount(struct file_system_type *fst,
>
>         return dget(sb->s_root);
>
> +free_sb_and_op:
> +       /* Will call orangefs_kill_sb with sb not in list. */
> +       ORANGEFS_SB(sb)->no_list = 1;
> +       deactivate_locked_super(sb);
>  free_op:
>         gossip_err("orangefs_mount: mount request failed with %d\n", ret);
>         if (ret == -EINVAL) {
> @@ -558,12 +565,14 @@ void orangefs_kill_sb(struct super_block *sb)
>          */
>          orangefs_unmount_sb(sb);
>
> -       /* remove the sb from our list of orangefs specific sb's */
> -
> -       spin_lock(&orangefs_superblocks_lock);
> -       __list_del_entry(&ORANGEFS_SB(sb)->list);       /* not list_del_init */
> -       ORANGEFS_SB(sb)->list.prev = NULL;
> -       spin_unlock(&orangefs_superblocks_lock);
> +       if (!ORANGEFS_SB(sb)->no_list) {
> +               /* remove the sb from our list of orangefs specific sb's */
> +               spin_lock(&orangefs_superblocks_lock);
> +               /* not list_del_init */
> +               __list_del_entry(&ORANGEFS_SB(sb)->list);
> +               ORANGEFS_SB(sb)->list.prev = NULL;
> +               spin_unlock(&orangefs_superblocks_lock);
> +       }
>
>         /*
>          * make sure that ORANGEFS_DEV_REMOUNT_ALL loop that might've seen us
> --
> 2.11.0
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ