From: Al Viro <viro@zeniv.linux.org.uk>
To: linux-fsdevel@vger.kernel.org
Cc: Christian Brauner <brauner@kernel.org>,
Christoph Hellwig <hch@lst.de>,
Linus Torvalds <torvalds@linux-foundation.org>,
Namjae Jeon <linkinjeon@kernel.org>,
David Sterba <dsterba@suse.com>,
David Howells <dhowells@redhat.com>,
Miklos Szeredi <miklos@szeredi.hu>,
Amir Goldstein <amir73il@gmail.com>,
Trond Myklebust <trond.myklebust@hammerspace.com>,
Bob Peterson <rpeterso@redhat.com>,
Steve French <sfrench@samba.org>,
Luis Chamberlain <mcgrof@kernel.org>
Subject: [PATCH 15/15] overlayfs: make use of ->layers safe in rcu pathwalk
Date: Mon, 2 Oct 2023 03:37:11 +0100 [thread overview]
Message-ID: <20231002023711.GP3389589@ZenIV> (raw)
In-Reply-To: <20231002023643.GO3389589@ZenIV>
ovl_permission() accesses ->layers[...].mnt; we can't have ->layers
freed without an RCU delay on fs shutdown. Fortunately, kern_unmount_array()
used to drop those mounts does include an RCU delay, so freeing is
delayed; unfortunately, the array passed to kern_unmount_array() is
formed by mangling ->layers contents and that happens without any
delays.
Use a separate array instead; local if we have a few layers,
kmalloc'ed if there's a lot of them. If allocation fails,
fall back to kern_unmount() for individual mounts; it's
not a fast path by any stretch of imagination.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
fs/overlayfs/ovl_entry.h | 1 -
fs/overlayfs/params.c | 26 ++++++++++++++++++++------
2 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/fs/overlayfs/ovl_entry.h b/fs/overlayfs/ovl_entry.h
index e9539f98e86a..618b63bb7987 100644
--- a/fs/overlayfs/ovl_entry.h
+++ b/fs/overlayfs/ovl_entry.h
@@ -30,7 +30,6 @@ struct ovl_sb {
};
struct ovl_layer {
- /* ovl_free_fs() relies on @mnt being the first member! */
struct vfsmount *mnt;
/* Trap in ovl inode cache */
struct inode *trap;
diff --git a/fs/overlayfs/params.c b/fs/overlayfs/params.c
index b9355bb6d75a..ab594fd407b4 100644
--- a/fs/overlayfs/params.c
+++ b/fs/overlayfs/params.c
@@ -738,8 +738,15 @@ int ovl_init_fs_context(struct fs_context *fc)
void ovl_free_fs(struct ovl_fs *ofs)
{
struct vfsmount **mounts;
+ struct vfsmount *m[16];
+ unsigned n = ofs->numlayer;
unsigned i;
+ if (n > 16)
+ mounts = kmalloc_array(n, sizeof(struct mount *), GFP_KERNEL);
+ else
+ mounts = m;
+
iput(ofs->workbasedir_trap);
iput(ofs->indexdir_trap);
iput(ofs->workdir_trap);
@@ -752,14 +759,21 @@ void ovl_free_fs(struct ovl_fs *ofs)
if (ofs->upperdir_locked)
ovl_inuse_unlock(ovl_upper_mnt(ofs)->mnt_root);
- /* Hack! Reuse ofs->layers as a vfsmount array before freeing it */
- mounts = (struct vfsmount **) ofs->layers;
- for (i = 0; i < ofs->numlayer; i++) {
+ for (i = 0; i < n; i++) {
iput(ofs->layers[i].trap);
- mounts[i] = ofs->layers[i].mnt;
- kfree(ofs->layers[i].name);
+ if (unlikely(!mounts))
+ kern_unmount(ofs->layers[i].mnt);
+ else
+ mounts[i] = ofs->layers[i].mnt;
}
- kern_unmount_array(mounts, ofs->numlayer);
+ if (mounts) {
+ kern_unmount_array(mounts, n);
+ if (mounts != m)
+ kfree(mounts);
+ }
+ // by this point we had an RCU delay from kern_unmount{_array,}()
+ for (i = 0; i < n; i++)
+ kfree(ofs->layers[i].name);
kfree(ofs->layers);
for (i = 0; i < ofs->numfs; i++)
free_anon_bdev(ofs->fs[i].pseudo_dev);
--
2.39.2
next prev parent reply other threads:[~2023-10-02 2:37 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-02 2:28 [RFC][PATCHES] fixes in methods exposed to rcu pathwalk Al Viro
2023-10-02 2:28 ` Al Viro
2023-10-02 2:29 ` [PATCH 01/15] rcu pathwalk: prevent bogus hard errors from may_lookup() Al Viro
2023-10-02 2:30 ` [PATCH 02/15] exfat: move freeing sbi, upcase table and dropping nls into rcu-delayed helper Al Viro
2023-10-02 16:10 ` Linus Torvalds
2023-10-02 18:04 ` Al Viro
2023-10-02 2:30 ` [PATCH 03/15] affs: free affs_sb_info with kfree_rcu() Al Viro
2023-10-02 2:31 ` [PATCH 04/15] hfsplus: switch to rcu-delayed unloading of nls and freeing ->s_fs_info Al Viro
2023-10-02 6:49 ` Christoph Hellwig
2023-10-02 7:14 ` Al Viro
2023-10-02 7:21 ` Al Viro
2023-10-02 18:09 ` Al Viro
2023-10-04 19:04 ` Linus Torvalds
2023-10-04 19:06 ` Linus Torvalds
2023-10-02 2:31 ` [PATCH 05/15] cifs_get_link(): bail out in unsafe case Al Viro
2023-10-02 2:32 ` [PATCH 06/15] procfs: move dropping pde and pid from ->evict_inode() to ->free_inode() Al Viro
2023-10-02 2:33 ` [PATCH 07/15] procfs: make freeing proc_fs_info rcu-delayed Al Viro
2023-10-02 2:33 ` [PATCH 08/15] gfs2: fix an oops in gfs2_permission() Al Viro
2023-10-02 11:46 ` Bob Peterson
2023-10-02 12:59 ` Al Viro
2023-10-02 14:16 ` Al Viro
2023-10-03 14:46 ` Andreas Grünbacher
2023-10-02 2:34 ` [PATCH 09/15] nfs: make nfs_set_verifier() safe for use in RCU pathwalk Al Viro
2023-10-02 2:34 ` [PATCH 10/15] nfs: fix UAF on pathwalk running into umount Al Viro
2023-10-02 2:35 ` [PATCH 11/15] fuse: fix UAF in rcu pathwalks Al Viro
2023-10-02 2:35 ` [PATCH 12/15] afs: fix __afs_break_callback() / afs_drop_open_mmap() race Al Viro
2023-10-02 2:36 ` [PATCH 13/15] overlayfs: move freeing ovl_entry past rcu delay Al Viro
2023-10-02 2:36 ` [PATCH 14/15] ovl_dentry_revalidate_common(): fetch inode once Al Viro
2023-10-02 2:37 ` Al Viro [this message]
2023-10-02 6:40 ` [PATCH 15/15] overlayfs: make use of ->layers safe in rcu pathwalk Amir Goldstein
2023-10-02 7:23 ` Al Viro
2023-10-02 8:53 ` Amir Goldstein
2023-10-03 20:47 ` Al Viro
2023-10-02 5:47 ` [PATCH 14/15] ovl_dentry_revalidate_common(): fetch inode once Amir Goldstein
2023-10-02 5:56 ` Amir Goldstein
2023-10-02 14:47 ` Amir Goldstein
2023-10-02 5:51 ` [PATCH 13/15] overlayfs: move freeing ovl_entry past rcu delay Amir Goldstein
2023-10-02 2:52 ` [RFC][PATCHES] fixes in methods exposed to rcu pathwalk Al Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231002023711.GP3389589@ZenIV \
--to=viro@zeniv.linux.org.uk \
--cc=amir73il@gmail.com \
--cc=brauner@kernel.org \
--cc=dhowells@redhat.com \
--cc=dsterba@suse.com \
--cc=hch@lst.de \
--cc=linkinjeon@kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=mcgrof@kernel.org \
--cc=miklos@szeredi.hu \
--cc=rpeterso@redhat.com \
--cc=sfrench@samba.org \
--cc=torvalds@linux-foundation.org \
--cc=trond.myklebust@hammerspace.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.