From: Mikulas Patocka <mpatocka@redhat.com>
To: Christian Brauner <brauner@kernel.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>,
Zdenek Kabelac <zkabelac@redhat.com>,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
dm-devel@redhat.com, Jan Kara <jack@suse.cz>,
Christoph Hellwig <hch@lst.de>
Subject: Re: [PATCH] fix writing to the filesystem after unmount
Date: Wed, 6 Sep 2023 17:03:34 +0200 (CEST) [thread overview]
Message-ID: <f5d63867-5b3e-294b-d1f5-a128817cfc7@redhat.com> (raw)
In-Reply-To: <20230906-launenhaft-kinder-118ea59706c8@brauner>
On Wed, 6 Sep 2023, Christian Brauner wrote:
> > What happens:
> > * dmsetup suspend calls freeze_bdev, that goes to freeze_super and it
> > increments sb->s_active
> > * then we unmount the filesystem, we go to cleanup_mnt, cleanup_mnt calls
> > deactivate_super, deactivate_super sees that sb->s_active is 2, so it
> > decreases it to 1 and does nothing - the umount syscall returns
> > successfully
> > * now we have a mounted filesystem despite the fact that umount returned
>
> That can happen for any number of reasons. Other codepaths might very
> well still hold active references to the superblock. The same thing can
> happen when you have your filesystem pinned in another mount namespace.
>
> If you really want to be absolutely sure that the superblock is
> destroyed you must use a mechanism like fanotify which allows you to get
> notified on superblock destruction.
If the administrator runs a script that performs unmount and then back-up
of the underlying block device, it may read corrupted data. I think that
this is a problem.
> > @@ -1251,7 +1251,7 @@ static void cleanup_mnt(struct mount *mn
> > }
> > fsnotify_vfsmount_delete(&mnt->mnt);
> > dput(mnt->mnt.mnt_root);
> > - deactivate_super(mnt->mnt.mnt_sb);
> > + wait_and_deactivate_super(mnt->mnt.mnt_sb);
>
> Your patch means that we hang on any umount when the filesystem is
> frozen.
Currently, if we freeze a filesystem with "fsfreeze" and unmount it, the
mount point is removed, but the filesystem stays active and it is leaked.
You can't unfreeze it with "fsfreeze --unfreeze" because the mount point
is gone. (the only way how to recover it is "echo j>/proc/sysrq-trigger").
> IOW, you'd also hang on any umount of a bind-mount. IOW, every
> single container making use of this filesystems via bind-mounts would
> hang on umount and shutdown.
bind-mount doesn't modify "s->s_writers.frozen", so the patch does nothing
in this case. I tried unmounting bind-mounts and there was no deadlock.
> You'd effectively build a deadlock trap for userspace when the
> filesystem is frozen. And nothing can make progress until that thing is
> thawed. Umount can't block if the block device is frozen.
unmounting a filesystem frozen with "fsfreeze" doesn't work in the current
kernel. We can say that the administrator shouldn't do it. But reading the
block device after umount finishes is something that the administrator may
do.
BTW. what do you think that unmount of a frozen filesystem should properly
do? Fail with -EBUSY? Or, unfreeze the filesystem and unmount it? Or
something else?
> That msleep(1) alone is a pretty nasty hack. We should definitely not
> spin in code like this. That superblock could stay frozen for a long
> time without s_umount held. So this is spinning.
>
> Even if we wanted to do this it would need to use a similar wait
> mechanism for the filesystem to be thawed like we do in
> thaw_super_locked().
Yes, it may be possible to rework it using a wait queue.
Mikulas
next prev parent reply other threads:[~2023-09-06 15:04 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-06 13:26 [PATCH] fix writing to the filesystem after unmount Mikulas Patocka
2023-09-06 14:27 ` Christian Brauner
2023-09-06 15:03 ` Mikulas Patocka [this message]
2023-09-06 15:33 ` Christian Brauner
2023-09-06 15:58 ` Christian Brauner
2023-09-06 16:01 ` Mikulas Patocka
2023-09-06 16:19 ` Christian Brauner
2023-09-06 16:52 ` Mikulas Patocka
2023-09-07 9:44 ` Jan Kara
2023-09-07 10:43 ` Christian Brauner
2023-09-07 12:04 ` Mikulas Patocka
2023-09-08 7:32 ` Jan Kara
2023-09-08 9:29 ` Zdenek Kabelac
2023-09-08 10:20 ` Jan Kara
2023-09-08 12:02 ` Christian Brauner
2023-09-08 16:49 ` John Stoffel
2023-09-09 11:21 ` Christoph Hellwig
[not found] ` <15c62097-d58f-4e66-bdf5-e0edb1306b2f@redhat.com>
2023-09-08 11:32 ` Christian Brauner
2023-09-08 12:07 ` Zdenek Kabelac
2023-09-08 12:34 ` Christian Brauner
2023-09-12 9:10 ` Jan Kara
2023-09-08 12:01 ` Pavel Machek
2023-09-08 11:59 ` Pavel Machek
2023-09-06 17:10 ` Al Viro
2023-09-06 17:08 ` Al Viro
2023-09-06 15:22 ` Darrick J. Wong
2023-09-06 15:38 ` Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f5d63867-5b3e-294b-d1f5-a128817cfc7@redhat.com \
--to=mpatocka@redhat.com \
--cc=brauner@kernel.org \
--cc=dm-devel@redhat.com \
--cc=hch@lst.de \
--cc=jack@suse.cz \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=viro@zeniv.linux.org.uk \
--cc=zkabelac@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).