Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp1041778rwd; Thu, 1 Jun 2023 09:40:28 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ4NMdzu88XZl3KqsqYsX1rwYEvzJYUdkX80WcIZKnO3oSme8de1ca87suvPFAatRu4aUExJ X-Received: by 2002:a17:902:bb8f:b0:1b0:46ae:ff96 with SMTP id m15-20020a170902bb8f00b001b046aeff96mr6838954pls.51.1685637627927; Thu, 01 Jun 2023 09:40:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1685637627; cv=none; d=google.com; s=arc-20160816; b=ddE0jzIfEIkUW55fLH7C+V3uh9iU+CrxVIt2sxfzPkVYROBFWO2CU4r9tNC3uZ+7W2 4ns5OUosqGsvbl8fxLcJ172ShvCpRCgFm4Grmj6pBfE5OhODzyjA1yUIRTMqnuAO30Sw Rk3x87yulGdke27EGv8MvgXqB+NtbQtNThgDtELydSqXMK6DUSZpyCaO9fc8CubldSvz EEmaCSsCzITf6ryKf8DszVyEXwze5xA3S41bMVQ2+kN7kAwVypJpBHhCuYk0V53DZog6 wuc9GuNFZNkp6VluBkbn4psGG7fodW+sgi7nWGarUeotbpIiPm53tAPKT+7D8UX5cB4W kMcQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :mime-version:accept-language:in-reply-to:references:message-id:date :thread-index:thread-topic:subject:cc:to:from; bh=xkepRLY40A5ByLxRaBsEc648tPP589jmN5yQTYv+tck=; b=yekIIINieeNadQswYeP3LKPbL0npLbAgXTSp+EEExzrt6xgZQIkw5aE3muoDpbE86T oCvv+WaDTCr0Wdy8c4uysi3VGNYRW89G5VF2wmKpIziYlqsofBvujFA7LhtVj0lGa6WN 8h1VftuJQjEV2tkaHGjd7DJSOqJieRJg98W0ZUli4SqZoKqFYVWqCHHOJi05su8mJndD iApVKT7K1sO3C8a/U55VHxhILtfvhxPYEIizQxvqX9rwlhsA7EG82fak77kpoov5J0LP qf7Yk2ODEVN7NtYqjpy2s+EZLPehuVsxNC5w/x3Q6HnEWJKRbLQSiBIRyqEbaaWUgrwN atQg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=aculab.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id t14-20020a1709028c8e00b001b0266579desi2782743plo.608.2023.06.01.09.40.14; Thu, 01 Jun 2023 09:40:27 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=aculab.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231783AbjFAQe1 convert rfc822-to-8bit (ORCPT + 99 others); Thu, 1 Jun 2023 12:34:27 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51922 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231664AbjFAQe0 (ORCPT ); Thu, 1 Jun 2023 12:34:26 -0400 Received: from eu-smtp-delivery-151.mimecast.com (eu-smtp-delivery-151.mimecast.com [185.58.85.151]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9D6C318D for ; Thu, 1 Jun 2023 09:34:05 -0700 (PDT) Received: from AcuMS.aculab.com (156.67.243.121 [156.67.243.121]) by relay.mimecast.com with ESMTP with both STARTTLS and AUTH (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id uk-mta-118-HGYaWkwuPHeTz2fi0dWn6Q-1; Thu, 01 Jun 2023 17:34:02 +0100 X-MC-Unique: HGYaWkwuPHeTz2fi0dWn6Q-1 Received: from AcuMS.Aculab.com (10.202.163.6) by AcuMS.aculab.com (10.202.163.6) with Microsoft SMTP Server (TLS) id 15.0.1497.48; Thu, 1 Jun 2023 17:33:58 +0100 Received: from AcuMS.Aculab.com ([::1]) by AcuMS.aculab.com ([::1]) with mapi id 15.00.1497.048; Thu, 1 Jun 2023 17:33:58 +0100 From: David Laight To: 'Jan Kara' CC: Christian Brauner , Al Viro , "linux-fsdevel@vger.kernel.org" , "Miklos Szeredi" , "Darrick J. Wong" , Ted Tso , Jaegeuk Kim , "linux-ext4@vger.kernel.org" , "linux-xfs@vger.kernel.org" , "linux-f2fs-devel@lists.sourceforge.net" , "stable@vger.kernel.org" Subject: RE: [PATCH v2 4/6] fs: Establish locking order for unrelated directories Thread-Topic: [PATCH v2 4/6] fs: Establish locking order for unrelated directories Thread-Index: AQHZlJ1FZufsO2GDRE+EhxV9kbhF9692EqgQ///7d4CAABPFwA== Date: Thu, 1 Jun 2023 16:33:58 +0000 Message-ID: References: <20230601104525.27897-1-jack@suse.cz> <20230601105830.13168-4-jack@suse.cz> <20230601-gebracht-gesehen-c779a56b3bf3@brauner> <20230601152449.h4ur5zrfqjqygujd@quack3> <20230601161353.4o6but7hb7i7qfki@quack3> In-Reply-To: <20230601161353.4o6but7hb7i7qfki@quack3> Accept-Language: en-GB, en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [10.202.205.107] MIME-Version: 1.0 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: aculab.com Content-Language: en-US Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8BIT X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-ext4@vger.kernel.org From: Jan Kara > Sent: 01 June 2023 17:14 > > On Thu 01-06-23 15:37:32, David Laight wrote: > > ... > > > > > + * Lock any non-NULL argument. The caller must make sure that if he is passing > > > > > + * in two directories, one is not ancestor of the other > > > > Not directly relevant to this change but is the 'not an ancestor' > > check actually robust? > > > > I found a condition in which the kernel 'pwd' code (which follows > > the inode chain) failed to stop at the base of a chroot. > > > > I suspect that the ancestor check would fail the same way. > > Honestly, I'm not sure how this could be the case but I'm not a dcache > expert. d_ancestor() works on dentries and the whole dcache code pretty > much relies on the fact that there always is at most one dentry for any > directory. Also in case we call d_ancestor() from this code, we have the > whole filesystem locked from any other directory moves so the ancestor > relationship of two dirs cannot change (which is different from pwd code > AFAIK). So IMHO no failure is possible in our case. I've found the test program. This uses readlinkat() to get the full path /proc/self/fd/0. It should be inside the chroot, but the comparison done to detect the 'root' fails. Now maybe any rename that would hit this is invalid for other reasons. But something is awry somewhere. David The program below reproduces this when run with stdin redirected to a file in the current directory. This sequence is used by 'ip netns exec' so isn't actually that unusual. David #define _GNU_SOURCE #include #include #include #include static void print_link(const char *where, int fd) { char buf[256]; printf("%s: %.*s\n", where, (int)readlinkat(fd, "", buf, sizeof buf), buf); } int main(int argc, char **argv) { int link_fd = open("/proc/self/fd/0", O_PATH | O_NOFOLLOW); print_link("initial", link_fd); if (chroot(".")) return 1; print_link("after chroot", link_fd); if (unshare(CLONE_NEWNS)) return 2; print_link("after unshare", link_fd); return 0; } - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)