From: Christian Brauner <brauner@kernel.org>
To: Al Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH][RFC] do_lock_mount() races in 'beneath' case
Date: Tue, 22 Apr 2025 09:47:43 +0200
Message-ID: <20250422-umstehend-freie-c60bc65a946d@brauner>
In-Reply-To: <20250422031448.GY2023217@ZenIV>

On Tue, Apr 22, 2025 at 04:14:48AM +0100, Al Viro wrote:
> On Mon, Apr 21, 2025 at 06:03:19PM +0100, Al Viro wrote:
> > On Mon, Apr 21, 2025 at 05:29:47PM +0100, Al Viro wrote:
> >
> > > What's to prevent the 'beneath' case from getting mnt mount --move'd
> > > away *AND* the ex-parent from getting unmounted while we are blocked
> > > in inode_lock? At this point we are not holding any locks whatsoever
> > > (and all mount-related locks nest inside inode_lock(), so we couldn't
> > > hold them there anyway).
> > >
> > > Hit that race and watch a very unhappy umount...
> >
> > While we are at it, in normal case inode_unlock() in unlock_mount()
> > is safe since we have dentry (and associated mount) pinned by
> > struct path we'd fed to matching lock_mount(). No longer true for
> > the 'beneath' case, AFAICS...
>
> Completely untested patch follows; 'beneath' case in do_lock_mount() is made
> to grab mount reference to match the dentry one (same lifetime; dropped
> simultaneously), unlock_mount() unlocks the inode *before* namespace_unlock(),
> so we don't depend upon the externally held references.

Afaict both issues you mentioned shouldn't exist. So I'd first like to
have details on how they're supposed to happen before fiddling with the
code, please.