| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20240628111345.3bbcgie4gar6icyj@quack3>
Date: Fri, 28 Jun 2024 13:13:45 +0200
From: Jan Kara <jack@...e.cz>
To: Ian Kent <ikent@...hat.com>
Cc: Jan Kara <jack@...e.cz>, Matthew Wilcox <willy@...radead.org>,
Lucas Karpinski <lkarpins@...hat.com>, viro@...iv.linux.org.uk,
brauner@...nel.org, raven@...maw.net, linux-fsdevel@...r.kernel.org,
linux-kernel@...r.kernel.org, Alexander Larsson <alexl@...hat.com>,
Eric Chanudet <echanude@...hat.com>
Subject: Re: [RFC v3 1/1] fs/namespace: remove RCU sync for MNT_DETACH umount
On Fri 28-06-24 10:58:54, Ian Kent wrote:
>
> On 27/6/24 19:54, Jan Kara wrote:
> > On Thu 27-06-24 09:11:14, Ian Kent wrote:
> > > On 27/6/24 04:47, Matthew Wilcox wrote:
> > > > On Wed, Jun 26, 2024 at 04:07:49PM -0400, Lucas Karpinski wrote:
> > > > > +++ b/fs/namespace.c
> > > > > @@ -78,6 +78,7 @@ static struct kmem_cache *mnt_cache __ro_after_init;
> > > > > static DECLARE_RWSEM(namespace_sem);
> > > > > static HLIST_HEAD(unmounted); /* protected by namespace_sem */
> > > > > static LIST_HEAD(ex_mountpoints); /* protected by namespace_sem */
> > > > > +static bool lazy_unlock = false; /* protected by namespace_sem */
> > > > That's a pretty ugly way of doing it. How about this?
> > > Ha!
> > >
> > > That was my original thought but I also didn't much like changing all the
> > > callers.
> > >
> > > I don't really like the proliferation of these small helper functions either
> > > but if everyone
> > >
> > > is happy to do this I think it's a great idea.
> > So I know you've suggested removing synchronize_rcu_expedited() call in
> > your comment to v2. But I wonder why is it safe? I *thought*
> > synchronize_rcu_expedited() is there to synchronize the dropping of the
> > last mnt reference (and maybe something else) - see the comment at the
> > beginning of mntput_no_expire() - and this change would break that?
>
> Interesting, because of the definition of lazy umount I didn't look closely
> enough at that.
>
> But I wonder, how exactly would that race occur, is holding the rcu read
> lock sufficient since the rcu'd mount free won't be done until it's
> released (at least I think that's how rcu works).
I'm concerned about a race like:
[path lookup] [umount -l]
...
path_put()
mntput(mnt)
mntput_no_expire(m)
rcu_read_lock();
if (likely(READ_ONCE(mnt->mnt_ns))) {
do_umount()
umount_tree()
...
mnt->mnt_ns = NULL;
...
namespace_unlock()
mntput(&m->mnt)
mntput_no_expire(mnt)
smp_mb();
mnt_add_count(mnt, -1);
count = mnt_get_count(mnt);
if (count != 0) {
...
return;
mnt_add_count(mnt, -1);
rcu_read_unlock();
return;
-> KABOOM, mnt->mnt_count dropped to 0 but nobody cleaned up the mount!
}
And this scenario is exactly prevented by synchronize_rcu() in
namespace_unlock().
Honza
--
Jan Kara <jack@...e.com>
SUSE Labs, CR
Powered by blists - more mailing lists