[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20200119011233.GU8904@ZenIV.linux.org.uk>
Date: Sun, 19 Jan 2020 01:12:33 +0000
From: Al Viro <viro@...iv.linux.org.uk>
To: Aleksa Sarai <cyphar@...har.com>
Cc: Jeff Layton <jlayton@...nel.org>,
"J. Bruce Fields" <bfields@...ldses.org>,
Shuah Khan <shuah@...nel.org>,
Florian Weimer <fweimer@...hat.com>,
David Laight <david.laight@...lab.com>,
Christian Brauner <christian.brauner@...ntu.com>,
quae@...rnimator.com, dev@...ncontainers.org,
containers@...ts.linux-foundation.org, libc-alpha@...rceware.org,
linux-api@...r.kernel.org, linux-fsdevel@...r.kernel.org,
linux-kernel@...r.kernel.org, linux-kselftest@...r.kernel.org
Subject: Re: [PATCH v3 0/2] openat2: minor uapi cleanups
On Sun, Jan 19, 2020 at 10:03:13AM +1100, Aleksa Sarai wrote:
> > possibly trigger? The only things that ever clean ->root.mnt are
>
> You're quite right -- the codepath I was worried about was pick_link()
> failing (which *does* clear nd->path.mnt, and I must've misread it at
> the time as nd->root.mnt).
pick_link() (allocation failure of external stack in RCU case, followed
by failure to legitimize the link) is, unfortunately, subtle and nasty.
We *must* path_put() the link; if we'd managed to legitimize the mount
and failed on dentry, the mount needs to be dropped. No way around it.
And while everything else there can be left for soon-to-be-reached
terminate_walk(), this cannot. We have no good way to pass what
we need to drop to the place where that eventual terminate_walk()
drops rcu_read_lock(). So we end up having to do what terminate_walk()
would've done and do it right there, so we could do that path_put(link)
before we bugger off.
I'm not happy about that, but I don't see cleaner solutions, more's the
pity. However, it doesn't mess with ->root - nor should it, since
we don't have LOOKUP_ROOT_GRABBED (not in RCU mode), so it can and
should be left alone.
> We can drop this check, though now complete_walk()'s main defence
> against a NULL nd->root.mnt is that path_is_under() will fail and
> trigger -EXDEV (or set_root() will fail at some point in the future).
> However, as you pointed out, a NULL nd->root.mnt won't happen with
> things as they stand today -- I might be a little too paranoid. :P
The only reason why complete_walk() zeroes nd->root in some cases is
microoptimization - we *know* we won't be using it later, so we don't
care whether it's stale or not and can spare unlazy_walk() a bit of
work. All there is to that one.
I don't see any reason for adding code that would clear nd->root in later
work; if such thing does get added (again, I don't see what purpose
could that possibly serve), we'll need to watch out for a lot of things.
Starting with LOOKUP_ROOT case... It's not something likely to slip
in unnoticed.
Powered by blists - more mailing lists