[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <8690c10ec37a730659d5481054fc605c9741e2b4.1694541252.git.kjlx@templeofstupid.com>
Date: Tue, 12 Sep 2023 11:34:36 -0700
From: Krister Johansen <kjlx@...pleofstupid.com>
To: Miklos Szeredi <miklos@...redi.hu>, linux-fsdevel@...r.kernel.org
Cc: linux-kernel@...r.kernel.org,
German Maglione <gmaglione@...hat.com>,
Greg Kurz <groug@...d.org>, Max Reitz <mreitz@...hat.com>,
Bernd Schubert <bernd.schubert@...tmail.fm>
Subject: [PATCH v2 2/2] fuse: ensure that submounts lookup their root
Prior to this commit, the submount code assumed that the inode for the
root filesystem could not be evicted. When eviction occurs the server
may forget the inode. This author has observed a submount get an EBADF
from a virtiofsd server that resulted from the sole dentry / inode
pair getting evicted from a mount namespace and superblock where they
were originally referenced. The dentry shrinker triggered a forget
after killing the dentry with the last reference.
As a result, a container that was also using this submount failed to
access its filesystem because it had borrowed the reference instead of
taking its own when setting up its superblock for the submount.
Fix by ensuring that submount superblock configuration looks up the
nodeid for the submount as well.
Cc: stable@...r.kernel.org
Fixes: 1866d779d5d2 ("fuse: Allow fuse_fill_super_common() for submounts")
Signed-off-by: Krister Johansen <kjlx@...pleofstupid.com>
---
fs/fuse/dir.c | 10 +++++-----
fs/fuse/fuse_i.h | 6 ++++++
fs/fuse/inode.c | 43 +++++++++++++++++++++++++++++++++++++------
3 files changed, 48 insertions(+), 11 deletions(-)
diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c
index da5b6079d88c..0002667170a9 100644
--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -183,11 +183,11 @@ static void fuse_lookup_init(struct fuse_conn *fc, struct fuse_args *args,
args->out_args[0].value = outarg;
}
-static int fuse_dentry_revalidate_lookup(struct fuse_mount *fm,
- struct dentry *entry,
- struct inode *inode,
- struct fuse_entry_out *outarg,
- bool *lookedup)
+int fuse_dentry_revalidate_lookup(struct fuse_mount *fm,
+ struct dentry *entry,
+ struct inode *inode,
+ struct fuse_entry_out *outarg,
+ bool *lookedup)
{
struct dentry *parent;
struct fuse_forget_link *forget;
diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h
index bf0b85d0b95c..f8ba293d5d30 100644
--- a/fs/fuse/fuse_i.h
+++ b/fs/fuse/fuse_i.h
@@ -1325,6 +1325,12 @@ void fuse_dax_dontcache(struct inode *inode, unsigned int flags);
bool fuse_dax_check_alignment(struct fuse_conn *fc, unsigned int map_alignment);
void fuse_dax_cancel_work(struct fuse_conn *fc);
+/* dir.c */
+int fuse_dentry_revalidate_lookup(struct fuse_mount *fm, struct dentry *entry,
+ struct inode *inode,
+ struct fuse_entry_out *outarg,
+ bool *lookedup);
+
/* ioctl.c */
long fuse_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
long fuse_file_compat_ioctl(struct file *file, unsigned int cmd,
diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
index d47606206ec3..b3e7b0a397ae 100644
--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -1464,7 +1464,13 @@ static int fuse_fill_super_submount(struct super_block *sb,
struct fuse_mount *fm = get_fuse_mount_super(sb);
struct super_block *parent_sb = parent_fi->inode.i_sb;
struct fuse_attr root_attr;
+ struct fuse_inode *fi;
struct inode *root;
+ struct inode *parent;
+ struct dentry *pdent;
+ struct fuse_entry_out outarg;
+ bool lookedup = false;
+ int ret;
fuse_sb_defaults(sb);
fm->sb = sb;
@@ -1480,14 +1486,39 @@ static int fuse_fill_super_submount(struct super_block *sb,
if (parent_sb->s_subtype && !sb->s_subtype)
return -ENOMEM;
- fuse_fill_attr_from_inode(&root_attr, parent_fi);
- root = fuse_iget(sb, parent_fi->nodeid, 0, &root_attr, 0, 0);
/*
- * This inode is just a duplicate, so it is not looked up and
- * its nlookup should not be incremented. fuse_iget() does
- * that, though, so undo it here.
+ * It is necessary to lookup the parent_if->nodeid in case the dentry
+ * that triggered the automount of the submount is later evicted.
+ * If this dentry is evicted without the lookup count getting increased
+ * on the submount root, then the server can subsequently forget this
+ * nodeid which leads to errors when trying to access the root of the
+ * submount.
*/
- get_fuse_inode(root)->nlookup--;
+ parent = &parent_fi->inode;
+ pdent = d_find_alias(parent);
+ if (!pdent)
+ return -EINVAL;
+
+ ret = fuse_dentry_revalidate_lookup(fm, pdent, parent, &outarg,
+ &lookedup);
+ dput(pdent);
+ /*
+ * The new root owns this nlookup on success, and it is incremented by
+ * fuse_iget(). In the case the lookup succeeded but revalidate fails,
+ * ensure that the lookup count is tracked by the parent.
+ */
+ if (ret <= 0) {
+ if (lookedup) {
+ fi = get_fuse_inode(parent);
+ spin_lock(&fi->lock);
+ fi->nlookup++;
+ spin_unlock(&fi->lock);
+ }
+ return ret ? ret : -EINVAL;
+ }
+
+ fuse_fill_attr_from_inode(&root_attr, parent_fi);
+ root = fuse_iget(sb, parent_fi->nodeid, 0, &root_attr, 0, 0);
sb->s_d_op = &fuse_dentry_operations;
sb->s_root = d_make_root(root);
if (!sb->s_root)
--
2.25.1
Powered by blists - more mailing lists