Received: by 2002:a05:6a10:6744:0:0:0:0 with SMTP id w4csp176166pxu;
        Thu, 15 Oct 2020 00:34:42 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJw620eLICipHmu9+FOytCKay+WhCs49BLwN2CeSyxGvVVtwb6mVSO+9JeyI5atfnk/yiL2f
X-Received: by 2002:aa7:d79a:: with SMTP id s26mr2876220edq.251.1602747282078;
        Thu, 15 Oct 2020 00:34:42 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1602747282; cv=none;
        d=google.com; s=arc-20160816;
        b=ua5doa0bAWBGI7V3B/Zl0iqcN9NJ2CRae50L4T5g83aZYtf/NIjc/pfNu6knTmKA7a
         dEbfhknH0CXwY/7r8zt6z05daqrswFquAecsjMhkTmMjJRq82YLaMurElur/UyBfwxxE
         Fg17j7RBW+AtO4+q5//cPkf2isYLDZc/1ueGXfHMs6PHWc4AoSeEt4XrXEy8c4YOSiTF
         +/ZvJD/T4Z2D2cl7K69zdmPyA5lrKK4nDL0mKhbUo7uJLFRkGV5SO0QZ7D21OEjJle2O
         c091AbxB2SxvVR3MCIP36QwB+ZEdMqCIbft0tKGiYs03/I4Pgdqocd8g37O7uwbXGtcP
         yeWw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:dkim-signature;
        bh=F+PgrjkcIkmu+076L7tWgIroll5ax17nHCM3RZy5YJY=;
        b=msAuKgEQ7xImAusgAb+OXblDnhSdSuKPpwIuK14od6ZI+rrCS56R4t4izXlLJZ4SeY
         Dkl2tJtVMtzqcUiOQS46RG51m7QS8J2Y5JHDulapVdOjk2n8t48bgoeJWoEqRrsCeqiv
         r5G6/SDTd9f5CMlBvHpe1aQ+tx82uL60QgDetHUZ8wsb9Wygb3V4z4l5FZSPXgZVGTEJ
         nebysDW5VSQGSySSQ4e2wlX8uFgTnXTjqNOmC/FUflTxOfc+A5EBRSM646zyP7Yr7XO9
         4EQYqVtiiA6M0Cb+tpsqi2hHAD3FT7qFNqeHqbfkDs0UKoQZI9c4NRWMM+IipiJpHgeK
         G9Tg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=WT2Rj2jw;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id z24si1414710edq.365.2020.10.15.00.34.18;
        Thu, 15 Oct 2020 00:34:42 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=WT2Rj2jw;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1732162AbgJOBYo (ORCPT <rfc822;kerneldev.sdk@gmail.com>
        + 99 others); Wed, 14 Oct 2020 21:24:44 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48190 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S2387741AbgJOBYh (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 14 Oct 2020 21:24:37 -0400
Received: from mail-yb1-xb42.google.com (mail-yb1-xb42.google.com [IPv6:2607:f8b0:4864:20::b42])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AAB9AC045700;
        Wed, 14 Oct 2020 18:07:59 -0700 (PDT)
Received: by mail-yb1-xb42.google.com with SMTP id h6so839991ybi.11;
        Wed, 14 Oct 2020 18:07:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=F+PgrjkcIkmu+076L7tWgIroll5ax17nHCM3RZy5YJY=;
        b=WT2Rj2jw0/E5FIZbOZ0S882a+YX0FFzXV11/lzknamJ1ZSbdOQFQLRP8acyzhESnju
         HerOSpCkFQsDI31snh3zgOEMCUddiS4ae2VNDilEqftnwDThN/oD0sfdnkaybjXckrQG
         Hp4T2R4A8dHnk2JNMkle2mLly0Y+yiMxK4tyWci2fOp/TwMl8WN2fLL41CKUTig/UzkY
         7pubICVz3XncFyDl/0CtZfJ5zVy/GJ7uX1ybvxF7wKqad6PavHwzBPo4jg8TtRN1SkoU
         SCMsFjn4oC7Sxrg/PCVqFSDK0u0nlTWx4gUeqUcHCbLA39nwoKlORGvsLzgc0HJQ/qXN
         7jvA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=F+PgrjkcIkmu+076L7tWgIroll5ax17nHCM3RZy5YJY=;
        b=dAjFh4VqZHziNqc2S2pnF2F/HPsOVr02j+MvcF3AcqlB6mJjo24aG7TU96ny80OaAq
         I4zbIN2W/MzJiUTaS7GBowTd5twT/yfK0miQrR+vvQl9M7K8bM2VFUFEm05Egubzr5xD
         KcB+hV36OLKaUz2zxtR6+S4ya2mpvGunVAJveGrINMw75SqXeNqCspdm+LR7/Gq3SVsu
         WrMuCw3IF9a3BhAYcj0gHRq/kc5XGaeKNXjSI5eudb/dYgeJQkSn4nzY4qBuQZ/YeCoK
         R8c25Aq5sCIIsdiMJUuJnW5DSg9EOue7Pi5Lum2Gp/m8MNM6ebmFhhU0TmRS8ARJFweQ
         /djw==
X-Gm-Message-State: AOAM5318jwmj4WOEeKoWA/HAdipskCUdBsoxgoOIMU2utJmBoQ24K3BC
        zMw6Y1ixJEQkaBxDF8k7J8l3A583dhugpq9LuFs=
X-Received: by 2002:a25:2687:: with SMTP id m129mr1993747ybm.425.1602724079004;
 Wed, 14 Oct 2020 18:07:59 -0700 (PDT)
MIME-Version: 1.0
References: <20201014204529.934574-1-andrii@kernel.org> <20201014230812.GK3576660@ZenIV.linux.org.uk>
In-Reply-To: <20201014230812.GK3576660@ZenIV.linux.org.uk>
From:   Andrii Nakryiko <andrii.nakryiko@gmail.com>
Date:   Wed, 14 Oct 2020 18:07:48 -0700
Message-ID: <CAEf4BzZQdkJaaqx7CQ6kjA+_nKuE3N1sBzR933wohmB+a5GvpA@mail.gmail.com>
Subject: Re: [PATCH] fs: fix NULL dereference due to data race in prepend_path()
To:     Al Viro <viro@zeniv.linux.org.uk>
Cc:     Andrii Nakryiko <andrii@kernel.org>, linux-fsdevel@vger.kernel.org,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Kernel Team <kernel-team@fb.com>,
        open list <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Oct 14, 2020 at 4:08 PM Al Viro <viro@zeniv.linux.org.uk> wrote:
>
> On Wed, Oct 14, 2020 at 01:45:28PM -0700, Andrii Nakryiko wrote:
> > Fix data race in prepend_path() with re-reading mnt->mnt_ns twice without
> > holding the lock. is_mounted() does check for NULL, but is_anon_ns(mnt->mnt_ns)
> > might re-read the pointer again which could be NULL already, if in between
> > reads one of kern_unmount()/kern_unmount_array()/umount_tree() sets mnt->mnt_ns
> > to NULL.
>
> Cute...  What config/compiler has resulted in that?  I agree with the analysis, but

Don't know for sure, but nothing special or exotic, a typical Facebook
production kernel config and some version of GCC (I didn't check
exactly which one).

Just given enough servers in the fleet, with time and intensive
workloads races like this, however unlikely, do surface up pretty
regularly.

> I really hate the open-coded (and completely unexplained) use of IS_ERR_OR_NULL()
> there.
>
> > -                     if (is_mounted(vfsmnt) && !is_anon_ns(mnt->mnt_ns))
> > +                     mnt_ns = READ_ONCE(mnt->mnt_ns);
> > +                     /* open-coded is_mounted() to use local mnt_ns */
> > +                     if (!IS_ERR_OR_NULL(mnt_ns) && !is_anon_ns(mnt_ns))
> >                               error = 1;      // absolute root
> >                       else
> >                               error = 2;      // detached or not attached yet
>
> Better turn that into an inlined helper in fs/mount.h, next to is_mounted(), IMO,
> and kill that IS_ERR_OR_NULL garbage there.  What that thing does is
>         if (ns == NULL || ns == MNT_NS_INTERNAL)
> and it's *not* on any kind of hot path to warrant that kind of microoptimizations.

Sounds good. I didn't know code well enough to infer NULL ||
MNT_NS_INTERNAL instead of IS_ERR_OR_NULL from is_mounted(), so just
open-coded the latter.

>
> So let's make that
>
> static inline bool is_real_ns(struct mnt_namespace *mnt_ns)
> {
>         return mnt_ns && mnt_ns != MNT_NS_INTERNAL;
> }
>
> turn is_mounted(m) into is_real_ns(m->mnt_ns) and replace that line in your fix
> with
>                         if (is_real_ns(mnt_ns) && !is_anon_ns(mnt_ns))
>
> Objections?

Nope, I'll send a follow-up patch, thanks.