| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <5c6f3d62-4cec-2aea-4693-62928611c526@gmail.com>
Date: Sun, 7 Oct 2018 20:20:20 +0100
From: Alan Jenkins <alan.christopher.jenkins@...il.com>
To: David Howells <dhowells@...hat.com>, viro@...iv.linux.org.uk
Cc: torvalds@...ux-foundation.org, ebiederm@...ssion.com,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
mszeredi@...hat.com
Subject: Re: [PATCH 03/34] teach move_mount(2) to work with OPEN_TREE_CLONE
[ver #12]
On 07/10/2018 11:48, Alan Jenkins wrote:
> On 05/10/2018 19:24, Alan Jenkins wrote:
>> On 21/09/2018 17:30, David Howells wrote:
>>> From: Al Viro <viro@...iv.linux.org.uk>
>>>
>>> Allow a detached tree created by open_tree(..., OPEN_TREE_CLONE) to be
>>> attached by move_mount(2).
>>>
>>> If by the time of final fput() of OPEN_TREE_CLONE-opened file its
>>> tree is
>>> not detached anymore, it won't be dissolved. move_mount(2) is adjusted
>>> to handle detached source.
>>>
>>> That gives us equivalents of mount --bind and mount --rbind.
>>>
>>> Signed-off-by: Al Viro <viro@...iv.linux.org.uk>
>>> Signed-off-by: David Howells <dhowells@...hat.com>
>>> ---
>>>
>>> fs/namespace.c | 26 ++++++++++++++++++++------
>>> 1 file changed, 20 insertions(+), 6 deletions(-)
>>> The lockup seems to be a general problem with the cleanup code. Even
>>> if I use this as advertised, i.e. for a simple bind mount.
Ah, I see. The problem is you were expecting me to use the FD from
open_tree() directly. But I did fchdir() into the FD, and then "mount
--move . /mnt" :-).
If I use the FD directly, it avoids the hang. I used two separate C
programs (attached, to avoid my MUA damage)...
> (I was suspicious that being able to pass around detached trees as an
> FD, and re-attach them in any namespace, allows leaking memory by
> creating a namespace loop. I.e. maybe it gives you enough rope to
> skip the test in mnt_ns_loop().
...so here's the memory leak.
# open_tree --help
usage: open_tree 3</source/path FD_NUMBER COMMAND...
# move_mount --help
usage: move_mount 3</from/path 4</to/path
Create a child namespace:
# mount --make-shared /tmp
# cd /tmp
# mkdir private_mnt
# mount -t tmpfs tmp private_mnt
# mount --make-private private_mnt
# touch private_mnt/child_ns
# unshare --mount=private_mnt/child_ns --propagation=shared ls -l /proc/self/ns/mnt
lrwxrwxrwx. 1 root root 0 Oct 7 19:23 /proc/self/ns/mnt -> 'mnt:[4026532334]'
# findmnt | grep /tmp
├─/tmp tmpfs tmpfs rw,nosuid,nodev,seclabel,size=1247640k,nr_inodes=311910
│ └─/tmp/private_mnt tmp tmpfs rw,relatime,seclabel,uid=1000,gid=1000
│ └─/tmp/private_mnt/child_ns nsfs[mnt:[4026532334]] nsfs rw,seclabel
Create a reference cycle:
# ~/test-open_tree 3</tmp/private_mnt 3 \
nsenter --mount=/tmp/private_mnt/child_ns \
sh -c '~/test-move_mount 4</mnt'
Attach 10MB of memory to the cycle:
# grep Shmem: /proc/meminfo
Shmem: 1464 kB
# dd if=/dev/zero of=/tmp/private_mnt/bigfile bs=1M count=10
10+0 records in
10+0 records out
10485760 bytes (10 MB, 10 MiB) copied, 0.00976358 s, 1.1 GB/s
# grep Shmem: /proc/meminfo
Shmem: 11704 kB
Detach the cycle, and leak all the memory:
# umount -l /tmp/private_mnt/
# grep Shmem: /proc/meminfo
Shmem: 11704 kB
View attachment "vfs_samples.diff" of type "text/x-patch" (3585 bytes)
Powered by blists - more mailing lists