Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp3377175pxb; Mon, 17 Jan 2022 19:02:21 -0800 (PST) X-Google-Smtp-Source: ABdhPJzcqDhh/lECC4E40yy/v6paI5JboJXPXR1OQKi9yc0iR0pCsNLUXlNJNgRCfqkDHhe9d710 X-Received: by 2002:a17:902:c10c:b0:14a:922d:39d5 with SMTP id 12-20020a170902c10c00b0014a922d39d5mr16616878pli.66.1642474941372; Mon, 17 Jan 2022 19:02:21 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1642474941; cv=none; d=google.com; s=arc-20160816; b=xeKjdoC3OmGOprGKnirPeOBoN2I1viVKtXPNLwJbajGJlyhDPAso5Yvs9Xe85I0y0V TtoQWYYZjE7hy5OQNFEDuEVNEOobICw2P+kz5tA3Fufiw0yX5e5Tr+m6XWi6jfzGRbSN mZSZFJf82QZNiIaGGlmnjqlhCI/L3yJ4v+xL+xYdbSD4UqI4Gn2XdHqMD8PlF/0lQm7W DWKfWsBjPzTmWwhFFz1vYNfiAxRnKDOXt9MGiIRhyqoLaWuwDsV19kv/2AUHEF4DIhhk dvXnYQt7TBGnBQ7sRazBq74eO1yCJjyKytbKqLPCoQiePrEs6NX97U6tFDTkg9zuBT4M 7Dag== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=5nO+aSuCgLfccHAEP/QXT2JhhL9/1MJXfO32NiTj3ik=; b=G4/6M+DVbvjpu0EVCrZNpqk61KPVSaAJ3zumPnlVVAekWpul49RLJQZ++vOR0iaiNU kjDSg+PFg0Rcoy8EL4oBhPF60Hc6bwd4PpdUwu1jRhKw5JD4IknU3D/57S2yG3OOXsQB 9HhdSVuGLD6i67mdrQCPl6SM/tIECeA/pUCyLTpai8MYJwDwMos+gx5prDobA+wbHg3B x/vrd4A4+WsQPlE6EKL+xMMIWnGHUgXGt9f25Im+PAGmVBQNhDezUIknUqaW5a5UgyST wlm2cgy3sAGWp5N9zPjEYordvu+7Tv6FzlrXUwJJkTiCRtQ1T3J1/n5NQPVRNKaXFxPS UUOA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id n12si16004682pgl.831.2022.01.17.19.02.09; Mon, 17 Jan 2022 19:02:21 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243030AbiAQTs6 (ORCPT + 99 others); Mon, 17 Jan 2022 14:48:58 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55604 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235639AbiAQTs5 (ORCPT ); Mon, 17 Jan 2022 14:48:57 -0500 Received: from zeniv-ca.linux.org.uk (zeniv-ca.linux.org.uk [IPv6:2607:5300:60:148a::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BA6E1C06161C; Mon, 17 Jan 2022 11:48:57 -0800 (PST) Received: from viro by zeniv-ca.linux.org.uk with local (Exim 4.94.2 #2 (Red Hat Linux)) id 1n9Xzl-002dQo-IP; Mon, 17 Jan 2022 19:48:49 +0000 Date: Mon, 17 Jan 2022 19:48:49 +0000 From: Al Viro To: Brian Foster Cc: Ian Kent , "Darrick J. Wong" , Christoph Hellwig , Miklos Szeredi , David Howells , Kernel Mailing List , linux-fsdevel , xfs Subject: Re: [PATCH] vfs: check dentry is still valid in get_link() Message-ID: References: <164180589176.86426.501271559065590169.stgit@mickey.themaw.net> <275358741c4ee64b5e4e008d514876ed4ec1071c.camel@themaw.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Sender: Al Viro Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jan 17, 2022 at 06:10:36PM +0000, Al Viro wrote: > On Mon, Jan 17, 2022 at 04:28:52PM +0000, Al Viro wrote: > > > IOW, ->free_inode() is RCU-delayed part of ->destroy_inode(). If both > > are present, ->destroy_inode() will be called synchronously, followed > > by ->free_inode() from RCU callback, so you can have both - moving just > > the "finally mark for reuse" part into ->free_inode() would be OK. > > Any blocking stuff (if any) can be left in ->destroy_inode()... > > BTW, we *do* have a problem with ext4 fast symlinks. Pathwalk assumes that > strings it parses are not changing under it. There are rather delicate > dances in dcache lookups re possibility of ->d_name contents changing under > it, but the search key is assumed to be stable. > > What's more, there's a correctness issue even if we do not oops. Currently > we do not recheck ->d_seq of symlink dentry when we dismiss the symlink from > the stack. After all, we'd just finished traversing what used to be the > contents of a symlink that used to be in the right place. It might have been > unlinked while we'd been traversing it, but that's not a correctness issue. > > But that critically depends upon the contents not getting mangled. If it > *can* be screwed by such unlink, we risk successful lookup leading to the > wrong place, with nothing to tell us that it's happening. We could handle > that by adding a check to fs/namei.c:put_link(), and propagating the error > to callers. It's not impossible, but it won't be pretty. > > And that assumes we avoid oopsen on string changing under us in the first > place. Which might or might not be true - I hadn't finished the audit yet. > Note that it's *NOT* just fs/namei.c + fs/dcache.c + some fs methods - > we need to make sure that e.g. everything called by ->d_hash() instances > is OK with strings changing right under them. Including utf8_to_utf32(), > crc32_le(), utf8_casefold_hash(), etc. And AFAICS, ext4, xfs and possibly ubifs (I'm unfamiliar with that one and the call chains there are deep enough for me to miss something) have the "bugger the contents of string returned by RCU ->get_link() if unlink() happens" problem. I would very much prefer to have them deal with that crap, especially since I don't see why does ext4_evict_inode() need to do that memset() - can't we simply check ->i_op in ext4_can_truncate() and be done with that?