From: Krister Johansen <kjlx@templeofstupid.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Al Viro <viro@ZenIV.linux.org.uk>, linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH] mnt: Protect the mountpoint hashtable with mount_lock
Date: Thu, 5 Jan 2017 23:00:29 -0800 [thread overview]
Message-ID: <20170106070029.GC2707@templeofstupid.com> (raw)
In-Reply-To: <87shoz32g8.fsf_-_@xmission.com>
On Wed, Jan 04, 2017 at 04:53:59PM +1300, Eric W. Biederman wrote:
>
> Protecting the mountpoint hashtable with namespace_sem was sufficient
> until a call to umount_mnt was added to mntput_no_expire. At which
> point it became possible for multiple calls of put_mountpoint on
> the same hash chain to happen on the same time.
>
> Kristen Johansen <kjlx@templeofstupid.com> reported:
> > This can cause a panic when simultaneous callers of put_mountpoint
> > attempt to free the same mountpoint. This occurs because some callers
> > hold the mount_hash_lock, while others hold the namespace lock. Some
> > even hold both.
> >
> > In this submitter's case, the panic manifested itself as a GP fault in
> > put_mountpoint() when it called hlist_del() and attempted to dereference
> > a m_hash.pprev that had been poisioned by another thread.
>
> Al Viro observed that the simple fix is to switch from using the namespace_sem
> to the mount_lock to protect the mountpoint hash table.
>
> I have taken Al's suggested patch moved put_mountpoint in pivot_root
> (instead of taking mount_lock an additional time), and have replaced
> new_mountpoint with get_mountpoint a function that does the hash table
> lookup and addition under the mount_lock. The introduction of get_mounptoint
> ensures that only the mount_lock is needed to manipulate the mountpoint
> hashtable.
>
> d_set_mounted is modified to only set DCACHE_MOUNTED if it is not
> already set. This allows get_mountpoint to use the setting of
> DCACHE_MOUNTED to ensure adding a struct mountpoint for a dentry
> happens exactly once.
>
> Cc: stable@vger.kernel.org
> Fixes: ce07d891a089 ("mnt: Honor MNT_LOCKED when detaching mounts")
> Reported-by: Krister Johansen <kjlx@templeofstupid.com>
> Suggested-by: Al Viro <viro@ZenIV.linux.org.uk>
> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
> ---
Sorry for the slow reply.
This looks right to me. I just pulled in the patch and went through all
of the code paths in cscope. Everything is now under the mount_lock,
which solves the problem from my perspective. Feel free to put me down
as a reviewed-by if my vote counts.`
There's another issue with MNT_LOCKED and detached mounts that I've been
investigating. I'd be curious to get your opinion before I write any
code. I'll send that out in a separate e-mail, though.
-K
prev parent reply other threads:[~2017-01-06 7:00 UTC|newest]
Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-31 4:10 [PATCH] Fix a race in put_mountpoint Krister Johansen
2016-12-31 6:17 ` Al Viro
2017-01-03 0:51 ` Eric W. Biederman
2017-01-03 1:48 ` Al Viro
2017-01-03 3:17 ` Eric W. Biederman
2017-01-03 4:00 ` Al Viro
2017-01-04 3:52 ` Eric W. Biederman
2017-01-04 3:53 ` [PATCH] mnt: Protect the mountpoint hashtable with mount_lock Eric W. Biederman
2017-01-04 21:04 ` [REVIEW][PATCH] mnt: Tuck mounts under others instead of creating shadow/side mounts Eric W. Biederman
2017-01-07 5:06 ` Al Viro
2017-01-11 0:10 ` Eric W. Biederman
2017-01-11 4:11 ` Al Viro
2017-01-11 16:03 ` Eric W. Biederman
2017-01-11 16:18 ` [REVIEW][PATCH 1/2] mnt: Fix propagate_mount_busy to notice all cases of busy mounts Eric W. Biederman
2017-01-11 16:19 ` [REVIEW][PATCH 2/2] mnt: Tuck mounts under others instead of creating shadow/side mounts Eric W. Biederman
2017-01-12 5:45 ` Al Viro
2017-01-20 7:20 ` Eric W. Biederman
2017-01-20 7:26 ` [PATCH v5] " Eric W. Biederman
2017-01-21 3:58 ` Ram Pai
2017-01-21 4:15 ` Eric W. Biederman
2017-01-23 19:02 ` Ram Pai
2017-01-24 0:16 ` Eric W. Biederman
2017-02-03 10:54 ` Eric W. Biederman
2017-02-03 17:10 ` Ram Pai
2017-02-03 18:26 ` Eric W. Biederman
2017-02-03 20:28 ` Ram Pai
2017-02-03 20:58 ` Eric W. Biederman
2017-02-06 3:25 ` Andrei Vagin
2017-02-06 21:40 ` Ram Pai
2017-02-07 6:35 ` Andrei Vagin
2017-01-12 5:30 ` [REVIEW][PATCH 1/2] mnt: Fix propagate_mount_busy to notice all cases of busy mounts Al Viro
2017-01-20 7:18 ` Eric W. Biederman
2017-01-13 20:32 ` Andrei Vagin
2017-01-18 19:20 ` Andrei Vagin
2017-01-20 23:18 ` Ram Pai
2017-01-23 8:15 ` Eric W. Biederman
2017-01-23 17:04 ` Ram Pai
2017-01-12 5:03 ` [REVIEW][PATCH] mnt: Tuck mounts under others instead of creating shadow/side mounts Al Viro
2017-05-14 2:15 ` Andrei Vagin
2017-05-14 4:05 ` Eric W. Biederman
2017-05-14 9:26 ` Eric W. Biederman
2017-05-15 18:27 ` Andrei Vagin
2017-05-15 19:42 ` Eric W. Biederman
2017-05-15 20:10 ` [REVIEW][PATCH] mnt: In umount propagation reparent in a separate pass Eric W. Biederman
2017-05-15 23:12 ` Andrei Vagin
2017-05-16 5:42 ` [PATCH] test: check a case when a mount is propagated between exiting mounts Andrei Vagin
2017-05-17 5:54 ` [REVIEW][PATCH 1/2] mnt: In propgate_umount handle visiting mounts in any order Eric W. Biederman
2017-05-17 5:55 ` [REVIEW][PATCH 2/2] mnt: Make propagate_umount less slow for overlapping mount propagation trees Eric W. Biederman
2017-05-17 22:48 ` Andrei Vagin
2017-05-17 23:26 ` Eric W. Biederman
2017-05-18 0:51 ` Andrei Vagin
2017-05-24 20:42 ` [REVIEW][PATCH 1/2] mnt: In propgate_umount handle visiting mounts in any order Ram Pai
2017-05-24 21:54 ` Eric W. Biederman
2017-05-24 22:35 ` Ram Pai
2017-05-30 6:07 ` Ram Pai
2017-05-30 15:07 ` Eric W. Biederman
2017-06-07 9:54 ` Ram Pai
2017-06-07 13:09 ` Eric W. Biederman
2017-05-22 8:15 ` [REVIEW][PATCH] mnt: In umount propagation reparent in a separate pass Ram Pai
2017-05-22 18:33 ` Eric W. Biederman
2017-05-22 22:34 ` Ram Pai
2017-05-23 13:58 ` Eric W. Biederman
2017-01-06 7:00 ` Krister Johansen [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170106070029.GC2707@templeofstupid.com \
--to=kjlx@templeofstupid.com \
--cc=ebiederm@xmission.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=viro@ZenIV.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.