| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <b3bd4181-daf1-457e-807d-b252673d5042@redhat.com>
Date: Mon, 1 Jul 2024 09:08:06 +0800
From: Ian Kent <ikent@...hat.com>
To: Jan Kara <jack@...e.cz>
Cc: Matthew Wilcox <willy@...radead.org>,
Lucas Karpinski <lkarpins@...hat.com>, viro@...iv.linux.org.uk,
brauner@...nel.org, raven@...maw.net, linux-fsdevel@...r.kernel.org,
linux-kernel@...r.kernel.org, Alexander Larsson <alexl@...hat.com>,
Eric Chanudet <echanude@...hat.com>
Subject: Re: [RFC v3 1/1] fs/namespace: remove RCU sync for MNT_DETACH umount
On 28/6/24 19:13, Jan Kara wrote:
> On Fri 28-06-24 10:58:54, Ian Kent wrote:
>> On 27/6/24 19:54, Jan Kara wrote:
>>> On Thu 27-06-24 09:11:14, Ian Kent wrote:
>>>> On 27/6/24 04:47, Matthew Wilcox wrote:
>>>>> On Wed, Jun 26, 2024 at 04:07:49PM -0400, Lucas Karpinski wrote:
>>>>>> +++ b/fs/namespace.c
>>>>>> @@ -78,6 +78,7 @@ static struct kmem_cache *mnt_cache __ro_after_init;
>>>>>> static DECLARE_RWSEM(namespace_sem);
>>>>>> static HLIST_HEAD(unmounted); /* protected by namespace_sem */
>>>>>> static LIST_HEAD(ex_mountpoints); /* protected by namespace_sem */
>>>>>> +static bool lazy_unlock = false; /* protected by namespace_sem */
>>>>> That's a pretty ugly way of doing it. How about this?
>>>> Ha!
>>>>
>>>> That was my original thought but I also didn't much like changing all the
>>>> callers.
>>>>
>>>> I don't really like the proliferation of these small helper functions either
>>>> but if everyone
>>>>
>>>> is happy to do this I think it's a great idea.
>>> So I know you've suggested removing synchronize_rcu_expedited() call in
>>> your comment to v2. But I wonder why is it safe? I *thought*
>>> synchronize_rcu_expedited() is there to synchronize the dropping of the
>>> last mnt reference (and maybe something else) - see the comment at the
>>> beginning of mntput_no_expire() - and this change would break that?
>> Interesting, because of the definition of lazy umount I didn't look closely
>> enough at that.
>>
>> But I wonder, how exactly would that race occur, is holding the rcu read
>> lock sufficient since the rcu'd mount free won't be done until it's
>> released (at least I think that's how rcu works).
> I'm concerned about a race like:
>
> [path lookup] [umount -l]
> ...
> path_put()
> mntput(mnt)
> mntput_no_expire(m)
> rcu_read_lock();
> if (likely(READ_ONCE(mnt->mnt_ns))) {
> do_umount()
> umount_tree()
> ...
> mnt->mnt_ns = NULL;
> ...
> namespace_unlock()
> mntput(&m->mnt)
> mntput_no_expire(mnt)
> smp_mb();
> mnt_add_count(mnt, -1);
> count = mnt_get_count(mnt);
> if (count != 0) {
> ...
> return;
> mnt_add_count(mnt, -1);
> rcu_read_unlock();
> return;
> -> KABOOM, mnt->mnt_count dropped to 0 but nobody cleaned up the mount!
> }
>
> And this scenario is exactly prevented by synchronize_rcu() in
> namespace_unlock().
I just wanted to say that I don't have a reply to this yet, having been
distracted
looking at the concern that Christian raised, in fact this looks like it
will be hard
to grok ...
Ian
Powered by blists - more mailing lists