Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp8442161ybi; Tue, 9 Jul 2019 16:02:03 -0700 (PDT) X-Google-Smtp-Source: APXvYqxYdbsgUAzTpd6bbPG84cb5jUhST/hFMQArlbE5hWTLCbi60bhayMrq58zbkAN2rJZAINsZ X-Received: by 2002:a63:595e:: with SMTP id j30mr31600386pgm.2.1562713323197; Tue, 09 Jul 2019 16:02:03 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1562713323; cv=none; d=google.com; s=arc-20160816; b=rAfQfEAZzrBO6/kxv+/WdZiBq0U/DM6t6nXvrIF4lCF93o+80GOkgAzi2UzJM8TncP PPJQLvK66J/ZzQQxzyAjLhiGpsC8Kz85uGS2hqOKoZX3j2aZKW5/JKp8e+a/bMGHxgPa R9OkIeYHJ91h71MTizYJ2IyFMLfGgy0mcTvMnHH3Qo2PFTFX6EojgSbV3J+0ZzGWcZU6 Z+inEkKiNkYPIHx92HWUUVUNPHp6PK3AAhP+P86tBuUVNWpTu2lZp/clILlPtEgL+GXD n+DlwaZoj5X7p1j/xoJ7xkUQstuzYp+skwJwhtDiE4T8tK1d7hq9rn4lJj6DGtLN7nXD qKGw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:mail-followup-to :message-id:subject:cc:to:from:date:dkim-signature; bh=xzhjpcmgOGIlO2nQ3UQ1nlCITYAkSA70hIkws61/528=; b=LPXX/Pc6ymu/JtYRxjh57n64yWxr1M+D7yZsrU2bZ73eHBw0nsnQPGtwaxHrsq/v6f cYw5nSuOWWR1o5cTtUb8J513VI1g49nXrRT2eFehnn5u50VuCjVjy4386zRrSKAH37vm gDJZo1MoWuqcjXuH+nfl+dxiGaEDcvAVx5j7W+SDEyLHLN+NbINpJQ0dZvx6gV9WFurp 3gWLNMhFUZComB7e+FoLNVCpbw5iGFvZHYiAcbc7PCiYFyG0NtOo7gZ23HEThxxrGvPc 6VgJg/6vpbfE+OKEF1pck64NObt79omes0841ihrWm1z5TUcmPPoZR8DpQ9PFsZZ8YbW H1/g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=vzXUz2HI; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id az12si247778plb.5.2019.07.09.16.01.47; Tue, 09 Jul 2019 16:02:03 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=vzXUz2HI; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726844AbfGIXAd (ORCPT + 99 others); Tue, 9 Jul 2019 19:00:33 -0400 Received: from mail.kernel.org ([198.145.29.99]:40402 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726284AbfGIXAc (ORCPT ); Tue, 9 Jul 2019 19:00:32 -0400 Received: from sol.localdomain (c-24-5-143-220.hsd1.ca.comcast.net [24.5.143.220]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 1A1F720693; Tue, 9 Jul 2019 23:00:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1562713231; bh=mqZhnQlsfaKKtYTzAc3OH9DchjWPLQmojcR0X/Nieqw=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=vzXUz2HIFKteVEHxqti9rKG3oLGZG2C694w3R4hypaFOd0SA9dbT32K+xTO1i2Dh8 3nluBJ2isuTx2QR8wY5M52xwivDW/IP6fpTNGDAactYWvX4Pd/XRDyt4WT909VmEBB eB+Pw1bv/Q7NxX+QXpDoscKHvxGzJdwHqU2Fkowk= Date: Tue, 9 Jul 2019 16:00:29 -0700 From: Eric Biggers To: Miklos Szeredi Cc: David Howells , Alexander Viro , linux-fsdevel@vger.kernel.org, Mark Rutland , linux-kernel@vger.kernel.org Subject: Re: [PATCH] vfs: fsmount: add missing mntget() Message-ID: <20190709230029.GO641@sol.localdomain> Mail-Followup-To: Miklos Szeredi , David Howells , Alexander Viro , linux-fsdevel@vger.kernel.org, Mark Rutland , linux-kernel@vger.kernel.org References: <20190610183031.GE63833@gmail.com> <20190612184313.143456-1-ebiggers@kernel.org> <20190613084728.GA32129@miu.piliscsaba.redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20190613084728.GA32129@miu.piliscsaba.redhat.com> User-Agent: Mutt/1.12.1 (2019-06-15) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jun 13, 2019 at 10:47:28AM +0200, Miklos Szeredi wrote: > On Wed, Jun 12, 2019 at 11:43:13AM -0700, Eric Biggers wrote: > > From: Eric Biggers > > > > sys_fsmount() needs to take a reference to the new mount when adding it > > to the anonymous mount namespace. Otherwise the filesystem can be > > unmounted while it's still in use, as found by syzkaller. > > So it needs one count for the file (which dentry_open() obtains) and one for the > attachment into the anonymous namespace. The latter one is dropped at cleanup > time, so your patch appears to be correct at getting that ref. > > I wonder why such a blatant use-after-free was missed in normal testing. RCU > delayed freeing, I guess? > > How about this additional sanity checking patch? > > Thanks, > Miklos > > > diff --git a/fs/namespace.c b/fs/namespace.c > index b26778bdc236..c638f220805a 100644 > --- a/fs/namespace.c > +++ b/fs/namespace.c > @@ -153,10 +153,10 @@ static inline void mnt_add_count(struct mount *mnt, int n) > /* > * vfsmount lock must be held for write > */ > -unsigned int mnt_get_count(struct mount *mnt) > +int mnt_get_count(struct mount *mnt) > { > #ifdef CONFIG_SMP > - unsigned int count = 0; > + int count = 0; > int cpu; > > for_each_possible_cpu(cpu) { > @@ -1140,6 +1140,8 @@ static DECLARE_DELAYED_WORK(delayed_mntput_work, delayed_mntput); > > static void mntput_no_expire(struct mount *mnt) > { > + int count; > + > rcu_read_lock(); > if (likely(READ_ONCE(mnt->mnt_ns))) { > /* > @@ -1162,11 +1164,13 @@ static void mntput_no_expire(struct mount *mnt) > */ > smp_mb(); > mnt_add_count(mnt, -1); > - if (mnt_get_count(mnt)) { > + count = mnt_get_count(mnt); > + if (count > 0) { > rcu_read_unlock(); > unlock_mount_hash(); > return; > } > + WARN_ON(count < 0); > if (unlikely(mnt->mnt.mnt_flags & MNT_DOOMED)) { > rcu_read_unlock(); > unlock_mount_hash(); > diff --git a/fs/pnode.h b/fs/pnode.h > index 49a058c73e4c..26f74e092bd9 100644 > --- a/fs/pnode.h > +++ b/fs/pnode.h > @@ -44,7 +44,7 @@ int propagate_mount_busy(struct mount *, int); > void propagate_mount_unlock(struct mount *); > void mnt_release_group_id(struct mount *); > int get_dominating_id(struct mount *mnt, const struct path *root); > -unsigned int mnt_get_count(struct mount *mnt); > +int mnt_get_count(struct mount *mnt); > void mnt_set_mountpoint(struct mount *, struct mountpoint *, > struct mount *); > void mnt_change_mountpoint(struct mount *parent, struct mountpoint *mp, Miklos, are you planning to send this as a formal patch? - Eric