From: Al Viro <viro@zeniv.linux.org.uk>
To: Amir Goldstein <amir73il@gmail.com>
Cc: Miklos Szeredi <miklos@szeredi.hu>,
Dmitry Vyukov <dvyukov@google.com>,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH v2] acct: fix possible deadlock in acct_pin_kill
Date: Thu, 4 Apr 2019 19:44:48 +0100 [thread overview]
Message-ID: <20190404184448.GC2217@ZenIV.linux.org.uk> (raw)
In-Reply-To: <20190404105255.12189-1-amir73il@gmail.com>
On Thu, Apr 04, 2019 at 01:52:55PM +0300, Amir Goldstein wrote:
> This looks like an old bug, pre-dating the "Fixes" commit, but the
> "Fixes" commit did not handle it properly.
>
> The bug recently surfaced as a lockdep possible deadlock warning
> with commit d1d04ef8572b ("ovl: stack file ops").
>
> When acct_on() replaces one acct file with another, it takes sb_writers
> lock on new file sb and calls acct_pin_kill(old) before releasing the
> sb_writers lock.
>
> If new file is on the same fs as old file, acct_pin_kill(old) fail to
> file_start_write_trylock() and skip writing the old file, because
> sb_writers (of new) is already taken by acct_on().
>
> If new file is not on same fs as old file, this ordering violation
> creates an unneeded dependency between new sb_writers and old sb_writers,
> which may later be reported as possible deadlock.
>
> This could result in an actual deadlock if acct file is replaced from
> an old file in overlayfs over "real fs" to a new file in "real fs".
> acct_on() takes freeze protection on "real fs" and tries to write to
> overlayfs file. overlayfs is not freeze protected so do_acct_process()
> can carry on with __kernel_write() to overlayfs file, which would
> try to take freeze protection on "real fs" and deadlock.
Huh? sb_writers is taken when we *open* the new file. Then we replace
its ->path.mnt with a clone and transfer the write count from the original
to new one. And close the old file while we are at it.
From sb_writers POV mainline has
sb_start_write(new_sb) // in open
sb_start_write(new_sb) // mnt_want_write() on clone
last write to old_sb, then sb_end_write(old_sb) // acct_pin_kill()
sb_end_write(new_sb) // mnt_drop_write(mnt)
and you flip the order of the last two lines.
Could you explain how exactly does your patch help whatever
problem overlayfs has?
next prev parent reply other threads:[~2019-04-04 18:44 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-04 10:52 [PATCH v2] acct: fix possible deadlock in acct_pin_kill Amir Goldstein
2019-04-04 18:44 ` Al Viro [this message]
2019-04-04 18:49 ` Al Viro
2019-04-04 19:05 ` Al Viro
2019-04-04 19:33 ` Amir Goldstein
2019-04-11 19:10 ` Amir Goldstein
2019-04-04 19:19 ` Al Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190404184448.GC2217@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=amir73il@gmail.com \
--cc=dvyukov@google.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.