From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.2 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id D1805C4360C for ; Tue, 24 Sep 2019 14:51:12 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id A779E21655 for ; Tue, 24 Sep 2019 14:51:12 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726594AbfIXOvL (ORCPT ); Tue, 24 Sep 2019 10:51:11 -0400 Received: from zeniv.linux.org.uk ([195.92.253.2]:50448 "EHLO ZenIV.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725865AbfIXOvL (ORCPT ); Tue, 24 Sep 2019 10:51:11 -0400 Received: from viro by ZenIV.linux.org.uk with local (Exim 4.92.2 #3 (Red Hat Linux)) id 1iCm9g-0002aV-7b; Tue, 24 Sep 2019 14:51:04 +0000 Date: Tue, 24 Sep 2019 15:51:04 +0100 From: Al Viro To: Josef Bacik Cc: Linus Torvalds , "zhengbin (A)" , Jan Kara , Andrew Morton , linux-fsdevel , "zhangyi (F)" , renxudong1@huawei.com, Hou Tao , linux-btrfs@vger.kernel.org, "Yan, Zheng" , linux-cifs@vger.kernel.org, Steve French Subject: Re: [PATCH] Re: Possible FS race condition between iterate_dir and d_alloc_parallel Message-ID: <20190924145104.GE26530@ZenIV.linux.org.uk> References: <20190914200412.GU1131@ZenIV.linux.org.uk> <20190915005046.GV1131@ZenIV.linux.org.uk> <20190915160236.GW1131@ZenIV.linux.org.uk> <20190921140731.GQ1131@ZenIV.linux.org.uk> <20190924025215.GA9941@ZenIV.linux.org.uk> <20190924133025.jeh7ond2svm3lsub@macbook-pro-91.dhcp.thefacebook.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20190924133025.jeh7ond2svm3lsub@macbook-pro-91.dhcp.thefacebook.com> User-Agent: Mutt/1.12.1 (2019-06-15) Sender: linux-cifs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-cifs@vger.kernel.org On Tue, Sep 24, 2019 at 09:30:26AM -0400, Josef Bacik wrote: > > We pass next->d_name.name to dir_emit() (i.e. potentially to > > copy_to_user()). And we have no warranty that it's not a long > > (== separately allocated) name, that will be freed while > > copy_to_user() is in progress. Sure, it'll get an RCU delay > > before freeing, but that doesn't help us at all. > > > > I'm not familiar with those areas in btrfs or cifs; could somebody > > explain what's going on there and can we indeed end up finding aliases > > to those suckers? > > We can't for the btrfs case. This is used for the case where we have a link to > a subvolume but the root has disappeared already, so we add in that dummy inode. > We completely drop the dcache from that root downards when we drop the > subvolume, so we're not going to find aliases underneath those things. Is that > what you're asking? Thanks, Umm... Completely drop, you say? What happens if something had been opened in there at that time? Could you give a bit more background? How much of that subvolume remains and what does btrfs_lookup() have to work with?