From: Al Viro
Subject: Re: [PATCH 03/19] fs: release anon dev_t in deactivate_locked_super
Date: Fri, 15 Sep 2023 15:33:43 +0100
Message-ID: <20230915143343.GM800259@ZenIV>
References: <20230913111013.77623-1-hch@lst.de> <20230913111013.77623-4-hch@lst.de> <20230913232712.GC800259@ZenIV> <20230914023705.GH800259@ZenIV> <20230914053843.GI800259@ZenIV> <20230914-munkeln-pelzmantel-3e3a761acb72@brauner> <20230914165805.GJ800259@ZenIV> <20230915-elstern-etatplanung-906c6780af19@brauner> <20230915-zweit-frech-0e06394208a3@brauner> <20230915142814.GL800259@ZenIV>
In-Reply-To: <20230915142814.GL800259@ZenIV>
To: Christian Brauner
Cc: Jan Kara, Christoph Hellwig, Heiko Carstens, Vasily Gorbik, Alexander Gordeev, Fenghua Yu, Reinette Chatre, Miquel Raynal, Richard Weinberger, Vignesh Raghavendra, Dennis Dalessandro, Tejun Heo, Trond Myklebust, Anna Schumaker, Kees Cook, Damien Le Moal, Naohiro Aota, Greg Kroah-Hartman, linux-usb-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org

On Fri, Sep 15, 2023 at 03:28:14PM +0100, Al Viro wrote:
> On Fri, Sep 15, 2023 at 04:12:07PM +0200, Christian Brauner wrote:
> > + static void some_fs_kill_sb(struct super_block *sb)
> > + {
> > + struct some_fs_info *info = sb->s_fs_info;
> > +
> > + kill_*_super(sb);
> > + kfree(info);
> > + }
> > +
> > +It's best practice to never deviate from this pattern.
>
> The last part is flat-out incorrect. If e.g. fatfs or cifs ever switches
> to that pattern, you'll get UAF - they need freeing of ->s_fs_info
> of anything that ever had been mounted done with RCU delay; moreover,
> unload_nls() in fatfs needs to be behind the same.
>
> Lifetime rules for fs-private parts of superblock are really private to
> filesystem; their use by sget/sget_fc callbacks might impose restrictions
> on those, but that again is none of the VFS business.

PS: and no, we don't want to impose such RCU delay on every filesystem
out there; what's more, there's nothing to prohibit e.g. having
->s_fs_info pointing to a refcounted fs-private object (possibly shared
by various superblocks), so freeing might very well be "drop the
reference and destroy if refcount has reached 0".
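Review bot: the closing line of the hunk, "It's best practice to never deviate from this pattern.", claims more than the VFS can require. The kill_*_super(sb); kfree(info); sequence is wrong for filesystems whose ->s_fs_info must be freed with an RCU delay (the reply names fatfs and cifs, and fatfs's unload_nls() has the same constraint) and for filesystems whose ->s_fs_info is a refcounted object possibly shared between superblocks, where the release is a put rather than a kfree(). Suggest keeping the ordering the example shows (generic teardown in kill_*_super() before the private data is released) and replacing the last line with something like "How ->s_fs_info is released is the filesystem's own lifetime rule; if it is RCU-protected or shared, release it accordingly rather than with a bare kfree()." It would also help to say which helpers kill_*_super() stands for (kill_anon_super(), kill_block_super(), and so on) so the reader does not take the glob literally.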
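As an added illustration of the refcounted ->s_fs_info case described in the PS (this is not code from the thread, the patch, or any kernel filesystem): a userspace C model in which two superblocks share one fs-private object, ->kill_sb does the generic teardown first and then drops a reference instead of calling kfree(), and the object is destroyed only when the last reference goes. struct super_block, kill_generic_super(), shared_info and its get/put are stand-ins chosen for this example; a plain int replaces refcount_t, free() replaces kfree(), and the RCU-delayed variant needed by filesystems like fatfs or cifs is not modelled.

```c
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for struct super_block, reduced to what this model needs. */
struct super_block {
	void *s_fs_info;
	int s_generic_torn_down;   /* set by the kill_*_super() stand-in */
};

/* Stand-in for kill_anon_super()/kill_block_super(): generic teardown only. */
static void kill_generic_super(struct super_block *sb)
{
	sb->s_generic_torn_down = 1;
}

/* Refcounted fs-private object that several superblocks may point to from
 * ->s_fs_info. A plain int stands in for refcount_t: this model is
 * single-threaded, so no atomics are needed. */
struct shared_info {
	int refcount;
	int live_marker;           /* 0x5b5b while allocated; read after first kill */
};

static int shared_destroys;    /* how many times the object was really freed */

static struct shared_info *shared_info_new(void)
{
	struct shared_info *si = calloc(1, sizeof(*si));

	if (si) {
		si->refcount = 1;
		si->live_marker = 0x5b5b;
	}
	return si;
}

static struct shared_info *shared_info_get(struct shared_info *si)
{
	si->refcount++;
	return si;
}

/* Drop one reference; destroy only when the last user is gone. */
static void shared_info_put(struct shared_info *si)
{
	if (--si->refcount == 0) {
		free(si);              /* kfree() in the kernel */
		shared_destroys++;
	}
}

/* ->kill_sb for this model: generic teardown first (same order as the
 * documented pattern), then a put on the private object instead of an
 * unconditional kfree(), because another superblock may still be using it. */
static void shared_kill_sb(struct super_block *sb)
{
	struct shared_info *si = sb->s_fs_info;

	kill_generic_super(sb);
	sb->s_fs_info = NULL;
	shared_info_put(si);
}

/* Two superblocks share one shared_info and are killed one after the other.
 * Stores the destruction count seen after each kill; returns 1 if the object
 * survived the first kill (sb2 could still use it) and was destroyed exactly
 * once, on the second. */
int demo_shared_info(int *after_first, int *after_second)
{
	struct super_block sb1 = { 0 }, sb2 = { 0 };
	struct shared_info *si = shared_info_new();

	if (!si)
		return 0;
	shared_destroys = 0;
	sb1.s_fs_info = si;                   /* first mount: initial reference */
	sb2.s_fs_info = shared_info_get(si);  /* second mount: its own reference */

	shared_kill_sb(&sb1);
	*after_first = shared_destroys;
	if (si->live_marker != 0x5b5b || sb2.s_fs_info != si)
		return 0;                     /* must still be valid for sb2 */
	shared_kill_sb(&sb2);
	*after_second = shared_destroys;
	return *after_first == 0 && *after_second == 1;
}

int main(void)
{
	int a = -1, b = -1, ok = demo_shared_info(&a, &b);

	printf("shared ->s_fs_info ok: %d (destroyed after first kill: %d, after second: %d)\n",
	       ok, a, b);
	return ok ? 0 : 1;
}
```

The point of the model is the last put in shared_kill_sb(): with the documented kfree(info) in its place, killing the first superblock would free an object the second one still points to, which is exactly the use-after-free the reply warns about for the non-trivial lifetime cases.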