From: ebiederm@xmission.com (Eric W. Biederman)
To: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>
Subject: Re: [PATCH] mnt: Fix a memory stomp in umount
Date: Thu, 18 Dec 2014 15:18:49 -0600 [thread overview]
Message-ID: <87d27ghd1i.fsf@x220.int.ebiederm.org> (raw)
In-Reply-To: <20141218210553.GQ22149@ZenIV.linux.org.uk> (Al Viro's message of "Thu, 18 Dec 2014 21:05:54 +0000")
Al Viro <viro@ZenIV.linux.org.uk> writes:
> On Thu, Dec 18, 2014 at 01:24:26PM -0600, Eric W. Biederman wrote:
>> Linus Torvalds <torvalds@linux-foundation.org> writes:
>>
>> > On Thu, Dec 18, 2014 at 9:07 AM, Linus Torvalds
>> > <torvalds@linux-foundation.org> wrote:
>> >> Why is this piece of code using its own made up and buggy list handling in
>> >> the first place? We have list functions for these things, exactly so that
>> >> people shouldn't write buggy stuff by hand.
>> >
>> > Oh. Ok, I see what's going on. We have "list_splice()", but we don't
>> > have the equivalent "hlist_splice()". So it's doing that by hand, and
>> > did it badly.
>> >
>> > Al, this is your bug. I guess I can take the "manual hlist_splice" fix
>> > from Eric, but I'm not really happy with it. There's a few other
>> > places in that same commit where the list splice operation has been
>> > open-coded.
>> >
>> > Mind taking a look?
>>
>> It looks like we can pretty easily use mnt_list instead of mnt_hash,
>> see below (note: the code is only compile tested).
>>
>> While converting this to ordinary list helpers I found something
>> strange.
>>
>> In __propagate_umount we currently add the child to be unmounted in a
>> different location in the list then we did before the conversion of
>> mnt_hash to a hlist for rcu's accesses benefit.
>>
>> Now maybe propagate_next handles this (I still need to read and
>> understand that code) if not it looks like I may have found another bug,
>> as it looks like today we can add a node to our list without propogating
>> the unmount from the node.
>
> Er... Why would we want to reprocess it? The loop goes through all nodes
> getting events from ours; everything that gets events from _them_ included
> at the same time they are.
We might have wanted to because before your change to an hlist that is
what the code did.
Having read through the code of propagate_next it does look like it
iterates through the entire propagation hierarchy so there shouldn't be
a need to visit mounts that we have placed on the propagation list.
Any thoughts on using mnt_list instead of mnt_hash to allow the use of
list_splice and list_move?
Eric
next prev parent reply other threads:[~2014-12-18 21:21 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-12-18 16:57 [PATCH] mnt: Fix a memory stomp in umount Eric W. Biederman
[not found] ` <CA+55aFz6grtss0SXqOizXMOOF4sxT3FC4GC4NCiMF2Huy1vE4A@mail.gmail.com>
2014-12-18 18:41 ` Linus Torvalds
2014-12-18 19:24 ` Eric W. Biederman
2014-12-18 19:34 ` Linus Torvalds
2014-12-18 21:05 ` Al Viro
2014-12-18 21:18 ` Eric W. Biederman [this message]
2014-12-19 0:02 ` Al Viro
2014-12-19 0:03 ` Al Viro
2015-01-02 21:06 ` Eric W. Biederman
2015-01-02 21:13 ` Al Viro
2015-01-02 21:56 ` Eric W. Biederman
2014-12-18 20:01 ` Al Viro
2014-12-18 20:15 ` Al Viro
2014-12-18 20:40 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87d27ghd1i.fsf@x220.int.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=viro@ZenIV.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox