From: Al Viro <viro@zeniv.linux.org.uk>
To: "Paul E. McKenney" <paulmck@kernel.org>
Cc: David Howells <dhowells@redhat.com>,
mszeredi@redhat.com, linux-fsdevel@vger.kernel.org
Subject: Re: How to abuse RCU to scan the children of a mount?
Date: Wed, 4 Mar 2020 19:44:51 +0000 [thread overview]
Message-ID: <20200304194451.GS23230@ZenIV.linux.org.uk> (raw)
In-Reply-To: <20200304192816.GI2935@paulmck-ThinkPad-P72>
On Wed, Mar 04, 2020 at 11:28:16AM -0800, Paul E. McKenney wrote:
> Huh. The mount structure isn't suffering from a shortage of list_head
> structures, is it?
>
> So the following can happen, then?
>
> o The __attach_mnt() function adds a struct mount to its parent
> list, but in a non-RCU manner. Unless there is some other
> safeguard, the list_add_tail() in this function needs to be
> list_add_tail_rcu().
>
> o I am assuming that the various non-RCU traversals that I see,
> for example, next_mnt(), are protected by lock_mount_hash().
> Especially skip_mnt_tree(), which uses mnt_mounts.prev. (I didn't
> find any exceptions, but I don't claim an exhaustive search.)
>
> o The umount_tree() function's use of list_del_init() looks like
> it could trap an RCU reader in the newly singular list formed
> by the removal. It appears that there are other functions that
> use list_del_init() on this list, though I cannot claim any sort
> of familiarity with this code.
>
> So, do you need to add a check for child->mnt_child being in this
> self-referential state within fsinfo_generic_mount_children()?
>
> Plus list_del_init() doesn't mark its stores, though
> some would argue that unmarked stores are OK in this situation.
>
> o There might be other operations in need of RCU-ification.
>
> Maybe the list_add_tail() in umount_tree(), but it is not
> immediately clear that this is adding a new element instead of
> re-inserting an element already exposed to readers.
IMO all of that is a good argument *against* trying to pull any kind of RCU
games here. Access to these lists is assumed to be serialized on
mount_lock spinlock component held exclusive and unless there is a very
good reason to go for something trickier, let's not.
Hash chains are supposed to be walked under rcu_read_lock(), requiring
to recheck the mount_lock seqcount *AND* with use of legitimize_mnt()
if you are to try and get a reference out of that. ->mnt_parent chains
also can be walked in the same conditions (subject to the same
requirements). The policy with everything else is
* get mount_lock spinlock exclusive or
* get namespace_sem or
* just fucking don't do it.
next prev parent reply other threads:[~2020-03-04 19:44 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-04 17:45 How to abuse RCU to scan the children of a mount? David Howells
2020-03-04 19:28 ` Paul E. McKenney
2020-03-04 19:44 ` Al Viro [this message]
2020-03-08 14:32 ` Paul E. McKenney
2020-03-05 12:47 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200304194451.GS23230@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=dhowells@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=mszeredi@redhat.com \
--cc=paulmck@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.