From: Al Viro <viro@zeniv.linux.org.uk>
To: linux-fsdevel@vger.kernel.org
Cc: torvalds@linux-foundation.org, brauner@kernel.org, jack@suse.cz,
raven@themaw.net, miklos@szeredi.hu, neil@brown.name,
a.hindborg@kernel.org, linux-mm@kvack.org,
linux-efi@vger.kernel.org, ocfs2-devel@lists.linux.dev,
kees@kernel.org, rostedt@goodmis.org, gregkh@linuxfoundation.org,
linux-usb@vger.kernel.org, paul@paul-moore.com,
casey@schaufler-ca.com, linuxppc-dev@lists.ozlabs.org,
john.johansen@canonical.com, selinux@vger.kernel.org,
borntraeger@linux.ibm.com, bpf@vger.kernel.org
Subject: [PATCH v3 50/50] d_make_discardable(): warn if given a non-persistent dentry
Date: Tue, 11 Nov 2025 06:55:19 +0000 [thread overview]
Message-ID: <20251111065520.2847791-51-viro@zeniv.linux.org.uk> (raw)
In-Reply-To: <20251111065520.2847791-1-viro@zeniv.linux.org.uk>
At this point there are very few call chains that might lead to
d_make_discardable() on a dentry that hadn't been made persistent:
calls of simple_unlink() and simple_rmdir() in configfs and
apparmorfs.
Both filesystems do pin (part of) their contents in dcache, but
they are currently playing very unusual games with that. Converting
them to more usual patterns might be possible, but it's definitely
going to be a long series of changes in both cases.
For now the easiest solution is to have both stop using simple_unlink()
and simple_rmdir() - that allows to make d_make_discardable() warn
when given a non-persistent dentry.
Rather than giving them full-blown private copies (with calls of
d_make_discardable() replaced with dput()), let's pull the parts of
simple_unlink() and simple_rmdir() that deal with timestamps and link
counts into separate helpers (__simple_unlink() and __simple_rmdir()
resp.) and have those used by configfs and apparmorfs.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
fs/configfs/dir.c | 10 ++++++++--
fs/configfs/inode.c | 3 ++-
fs/dcache.c | 9 +--------
fs/libfs.c | 21 +++++++++++++++++----
include/linux/fs.h | 2 ++
security/apparmor/apparmorfs.c | 13 +++++++++----
6 files changed, 39 insertions(+), 19 deletions(-)
diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c
index 81f4f06bc87e..e8f2f44012e9 100644
--- a/fs/configfs/dir.c
+++ b/fs/configfs/dir.c
@@ -400,8 +400,14 @@ static void remove_dir(struct dentry * d)
configfs_remove_dirent(d);
- if (d_really_is_positive(d))
- simple_rmdir(d_inode(parent),d);
+ if (d_really_is_positive(d)) {
+ if (likely(simple_empty(d))) {
+ __simple_rmdir(d_inode(parent),d);
+ dput(d);
+ } else {
+ pr_warn("remove_dir (%pd): attributes remain", d);
+ }
+ }
pr_debug(" o %pd removing done (%d)\n", d, d_count(d));
diff --git a/fs/configfs/inode.c b/fs/configfs/inode.c
index 1d2e3a5738d1..bcda3372e141 100644
--- a/fs/configfs/inode.c
+++ b/fs/configfs/inode.c
@@ -211,7 +211,8 @@ void configfs_drop_dentry(struct configfs_dirent * sd, struct dentry * parent)
dget_dlock(dentry);
__d_drop(dentry);
spin_unlock(&dentry->d_lock);
- simple_unlink(d_inode(parent), dentry);
+ __simple_unlink(d_inode(parent), dentry);
+ dput(dentry);
} else
spin_unlock(&dentry->d_lock);
}
diff --git a/fs/dcache.c b/fs/dcache.c
index 5ee2e78a91b3..824d620bb563 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -931,14 +931,7 @@ EXPORT_SYMBOL(dput);
void d_make_discardable(struct dentry *dentry)
{
spin_lock(&dentry->d_lock);
- /*
- * By the end of the series we'll add
- * WARN_ON(!(dentry->d_flags & DCACHE_PERSISTENT);
- * here, but while object removal is done by a few common helpers,
- * object creation tends to be open-coded (if nothing else, new inode
- * needs to be set up), so adding a warning from the very beginning
- * would make for much messier patch series.
- */
+ WARN_ON(!(dentry->d_flags & DCACHE_PERSISTENT));
dentry->d_flags &= ~DCACHE_PERSISTENT;
dentry->d_lockref.count--;
rcu_read_lock();
diff --git a/fs/libfs.c b/fs/libfs.c
index 80f288a771e3..0aa630e7eb00 100644
--- a/fs/libfs.c
+++ b/fs/libfs.c
@@ -790,13 +790,27 @@ int simple_empty(struct dentry *dentry)
}
EXPORT_SYMBOL(simple_empty);
-int simple_unlink(struct inode *dir, struct dentry *dentry)
+void __simple_unlink(struct inode *dir, struct dentry *dentry)
{
struct inode *inode = d_inode(dentry);
inode_set_mtime_to_ts(dir,
inode_set_ctime_to_ts(dir, inode_set_ctime_current(inode)));
drop_nlink(inode);
+}
+EXPORT_SYMBOL(__simple_unlink);
+
+void __simple_rmdir(struct inode *dir, struct dentry *dentry)
+{
+ drop_nlink(d_inode(dentry));
+ __simple_unlink(dir, dentry);
+ drop_nlink(dir);
+}
+EXPORT_SYMBOL(__simple_rmdir);
+
+int simple_unlink(struct inode *dir, struct dentry *dentry)
+{
+ __simple_unlink(dir, dentry);
d_make_discardable(dentry);
return 0;
}
@@ -807,9 +821,8 @@ int simple_rmdir(struct inode *dir, struct dentry *dentry)
if (!simple_empty(dentry))
return -ENOTEMPTY;
- drop_nlink(d_inode(dentry));
- simple_unlink(dir, dentry);
- drop_nlink(dir);
+ __simple_rmdir(dir, dentry);
+ d_make_discardable(dentry);
return 0;
}
EXPORT_SYMBOL(simple_rmdir);
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 95933ceaae51..ef842adbd418 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -3621,6 +3621,8 @@ extern int simple_open(struct inode *inode, struct file *file);
extern int simple_link(struct dentry *, struct inode *, struct dentry *);
extern int simple_unlink(struct inode *, struct dentry *);
extern int simple_rmdir(struct inode *, struct dentry *);
+extern void __simple_unlink(struct inode *, struct dentry *);
+extern void __simple_rmdir(struct inode *, struct dentry *);
void simple_rename_timestamp(struct inode *old_dir, struct dentry *old_dentry,
struct inode *new_dir, struct dentry *new_dentry);
extern int simple_rename_exchange(struct inode *old_dir, struct dentry *old_dentry,
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index 391a586d0557..9b9090d38ea2 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -358,10 +358,15 @@ static void aafs_remove(struct dentry *dentry)
dir = d_inode(dentry->d_parent);
inode_lock(dir);
if (simple_positive(dentry)) {
- if (d_is_dir(dentry))
- simple_rmdir(dir, dentry);
- else
- simple_unlink(dir, dentry);
+ if (d_is_dir(dentry)) {
+ if (!WARN_ON(!simple_empty(dentry))) {
+ __simple_rmdir(dir, dentry);
+ dput(dentry);
+ }
+ } else {
+ __simple_unlink(dir, dentry);
+ dput(dentry);
+ }
d_delete(dentry);
dput(dentry);
}
--
2.47.3
prev parent reply other threads:[~2025-11-11 6:55 UTC|newest]
Thread overview: 77+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-11 6:54 [PATCH v3 00/50] tree-in-dcache stuff Al Viro
2025-11-11 6:54 ` [PATCH v3 01/50] fuse_ctl_add_conn(): fix nlink breakage in case of early failure Al Viro
2025-11-11 10:22 ` Miklos Szeredi
2025-11-11 6:54 ` [PATCH v3 02/50] tracefs: fix a leak in eventfs_create_events_dir() Al Viro
2025-11-11 6:54 ` [PATCH v3 03/50] new helper: simple_remove_by_name() Al Viro
2025-11-11 10:29 ` Miklos Szeredi
2025-11-11 6:54 ` [PATCH v3 04/50] new helper: simple_done_creating() Al Viro
2025-11-11 6:54 ` [PATCH v3 05/50] introduce a flag for explicitly marking persistently pinned dentries Al Viro
2025-11-11 6:54 ` [PATCH v3 06/50] primitives for maintaining persisitency Al Viro
2025-11-11 6:54 ` [PATCH v3 07/50] convert simple_{link,unlink,rmdir,rename,fill_super}() to new primitives Al Viro
2025-11-11 6:54 ` [PATCH v3 08/50] convert ramfs and tmpfs Al Viro
2025-11-11 6:54 ` [PATCH v3 09/50] procfs: make /self and /thread_self dentries persistent Al Viro
2025-11-11 6:54 ` [PATCH v3 10/50] configfs, securityfs: kill_litter_super() not needed Al Viro
2025-11-11 6:54 ` [PATCH v3 11/50] convert xenfs Al Viro
2025-11-11 6:54 ` [PATCH v3 12/50] convert smackfs Al Viro
2025-11-11 6:54 ` [PATCH v3 13/50] convert hugetlbfs Al Viro
2025-11-11 6:54 ` [PATCH v3 14/50] convert mqueue Al Viro
2025-11-11 6:54 ` [PATCH v3 15/50] convert bpf Al Viro
2025-11-11 6:54 ` [PATCH v3 16/50] convert dlmfs Al Viro
2025-11-11 6:54 ` [PATCH v3 17/50] convert fuse_ctl Al Viro
2025-11-11 10:28 ` Miklos Szeredi
2025-11-11 6:54 ` [PATCH v3 18/50] convert pstore Al Viro
2025-11-11 6:54 ` [PATCH v3 19/50] convert tracefs Al Viro
2025-11-11 6:54 ` [PATCH v3 20/50] convert debugfs Al Viro
2025-11-11 6:54 ` [PATCH v3 21/50] debugfs: remove duplicate checks in callers of start_creating() Al Viro
2025-11-11 6:54 ` [PATCH v3 22/50] convert efivarfs Al Viro
2025-11-11 6:54 ` [PATCH v3 23/50] convert spufs Al Viro
2025-11-11 6:54 ` [PATCH v3 24/50] convert ibmasmfs Al Viro
2025-11-11 6:54 ` [PATCH v3 25/50] ibmasmfs: get rid of ibmasmfs_dir_ops Al Viro
2025-11-11 6:54 ` [PATCH v3 26/50] convert devpts Al Viro
2025-11-11 6:54 ` [PATCH v3 27/50] binderfs: use simple_start_creating() Al Viro
2025-11-11 6:54 ` [PATCH v3 28/50] binderfs_binder_ctl_create(): kill a bogus check Al Viro
2025-11-11 6:54 ` [PATCH v3 29/50] convert binderfs Al Viro
2025-11-11 6:54 ` [PATCH v3 30/50] autofs_{rmdir,unlink}: dentry->d_fsdata->dentry == dentry there Al Viro
2025-11-11 6:55 ` [PATCH v3 31/50] convert autofs Al Viro
2025-11-11 6:55 ` [PATCH v3 32/50] convert binfmt_misc Al Viro
2025-11-11 6:55 ` [PATCH v3 33/50] selinuxfs: don't stash the dentry of /policy_capabilities Al Viro
2025-11-11 6:55 ` [PATCH v3 34/50] selinuxfs: new helper for attaching files to tree Al Viro
2025-11-11 7:53 ` bot+bpf-ci
2025-11-11 9:49 ` Al Viro
2025-11-12 3:55 ` Chris Mason
2025-11-11 6:55 ` [PATCH v3 35/50] convert selinuxfs Al Viro
2025-11-11 6:55 ` [PATCH v3 36/50] functionfs: switch to simple_remove_by_name() Al Viro
2025-11-11 7:53 ` bot+bpf-ci
2025-11-11 9:22 ` Al Viro
2025-11-11 9:30 ` Christian Brauner
2025-11-11 10:01 ` Al Viro
2025-11-11 14:25 ` Chris Mason
2025-11-12 3:44 ` Chris Mason
2025-11-13 9:26 ` [functionfs] mainline UAF (was Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name()) Al Viro
2025-11-13 21:20 ` Greg Kroah-Hartman
2025-11-14 2:16 ` Chris Mason
2025-11-14 7:58 ` Al Viro
2025-11-14 7:46 ` Al Viro
2025-11-14 11:42 ` Christian Brauner
2025-11-15 13:21 ` Greg Kroah-Hartman
2025-11-16 6:30 ` Al Viro
2025-11-17 22:04 ` Al Viro
2025-11-17 22:04 ` [PATCH 1/4] functionfs: don't abuse ffs_data_closed() on fs shutdown Al Viro
2025-11-17 22:05 ` [PATCH 2/4] functionfs: don't bother with ffs->ref in ffs_data_{opened,closed}() Al Viro
2025-11-17 22:06 ` [PATCH 3/4] functionfs: need to cancel ->reset_work in ->kill_sb() Al Viro
2025-11-17 22:06 ` [PATCH 4/4] functionfs: fix the open/removal races Al Viro
2025-11-18 2:35 ` [functionfs] mainline UAF (was Re: [PATCH v3 36/50] functionfs: switch to simple_remove_by_name()) Greg Kroah-Hartman
2025-11-11 6:55 ` [PATCH v3 37/50] convert functionfs Al Viro
2025-11-11 6:55 ` [PATCH v3 38/50] gadgetfs: switch to simple_remove_by_name() Al Viro
2025-11-11 6:55 ` [PATCH v3 39/50] convert gadgetfs Al Viro
2025-11-11 6:55 ` [PATCH v3 40/50] hypfs: don't pin dentries twice Al Viro
2025-11-11 6:55 ` [PATCH v3 41/50] hypfs: switch hypfs_create_str() to returning int Al Viro
2025-11-11 6:55 ` [PATCH v3 42/50] hypfs: swich hypfs_create_u64() " Al Viro
2025-11-11 6:55 ` [PATCH v3 43/50] convert hypfs Al Viro
2025-11-11 6:55 ` [PATCH v3 44/50] convert rpc_pipefs Al Viro
2025-11-11 6:55 ` [PATCH v3 45/50] convert nfsctl Al Viro
2025-11-11 6:55 ` [PATCH v3 46/50] convert rust_binderfs Al Viro
2025-11-11 6:55 ` [PATCH v3 47/50] get rid of kill_litter_super() Al Viro
2025-11-11 6:55 ` [PATCH v3 48/50] convert securityfs Al Viro
2025-11-11 6:55 ` [PATCH v3 49/50] kill securityfs_recursive_remove() Al Viro
2025-11-11 6:55 ` Al Viro [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251111065520.2847791-51-viro@zeniv.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=a.hindborg@kernel.org \
--cc=borntraeger@linux.ibm.com \
--cc=bpf@vger.kernel.org \
--cc=brauner@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=gregkh@linuxfoundation.org \
--cc=jack@suse.cz \
--cc=john.johansen@canonical.com \
--cc=kees@kernel.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-usb@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=miklos@szeredi.hu \
--cc=neil@brown.name \
--cc=ocfs2-devel@lists.linux.dev \
--cc=paul@paul-moore.com \
--cc=raven@themaw.net \
--cc=rostedt@goodmis.org \
--cc=selinux@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox