From: Christian Brauner <brauner@kernel.org>
To: Al Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH][RFC] ->mnt_devname is never NULL
Date: Tue, 22 Apr 2025 09:43:35 +0200
Message-ID: <20250422-spaghetti-frohsinn-bc60b1563323@brauner>
In-Reply-To: <20250421170319.GX2023217@ZenIV>

On Mon, Apr 21, 2025 at 06:03:19PM +0100, Al Viro wrote:
> On Mon, Apr 21, 2025 at 05:29:47PM +0100, Al Viro wrote:
>
> > What's to prevent the 'beneath' case from getting mnt mount --move'd
> > away *AND* the ex-parent from getting unmounted while we are blocked
> > in inode_lock? At this point we are not holding any locks whatsoever
> > (and all mount-related locks nest inside inode_lock(), so we couldn't
> > hold them there anyway).
> >
> > Hit that race and watch a very unhappy umount...
>
> While we are at it, in normal case inode_unlock() in unlock_mount()
> is safe since we have dentry (and associated mount) pinned by
> struct path we'd fed to matching lock_mount(). No longer true for
> the 'beneath' case, AFAICS...

I'm not following. Please explain the issue in detail. Both mount and
dentry are pinned via struct path independent of whether it's beneath or
not beneath.

What we pass to unlock_mount() is the mountpoint which pins the relevant
dentry separately. do_lock_mount() keeps @dentry for the mountpoint
pinned until it has taken a separate reference. We only put the
reference to the mountpoint's dentry if we know that the for (;;) will
continue aka not break or when get_mountpoint() has taken its own
reference.

So really, I'm very confused atm.

Also if this were the case all invasive move mount beneath tests I added
should cause endless splats under any sort of KASAN which they are
constantly run under in a tight loop in my local testing and by syzbot.
For the latter I explicitly added support for it in:

https://github.com/google/syzkaller/commit/058b3a5a6a945a55767811552eb7b9f4a20307f8