From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.8 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8AB6DC433B4 for ; Tue, 6 Apr 2021 02:24:13 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 59C016139B for ; Tue, 6 Apr 2021 02:24:13 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243379AbhDFCYT (ORCPT ); Mon, 5 Apr 2021 22:24:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54470 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S243371AbhDFCYR (ORCPT ); Mon, 5 Apr 2021 22:24:17 -0400 Received: from zeniv-ca.linux.org.uk (zeniv-ca.linux.org.uk [IPv6:2607:5300:60:148a::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 64324C06174A; Mon, 5 Apr 2021 19:24:10 -0700 (PDT) Received: from viro by zeniv-ca.linux.org.uk with local (Exim 4.94 #2 (Red Hat Linux)) id 1lTbNw-002t98-0J; Tue, 06 Apr 2021 02:24:08 +0000 Date: Tue, 6 Apr 2021 02:24:07 +0000 From: Al Viro To: Christian Brauner Cc: Jens Axboe , syzbot , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, io-uring@vger.kernel.org Subject: Re: [syzbot] WARNING in mntput_no_expire (2) Message-ID: References: <20210404170513.mfl5liccdaxjnpls@wittgenstein> <20210405114437.hjcojekyp5zt6huu@wittgenstein> <20210405170801.zrdhnon6g4ggb6c7@wittgenstein> <20210405200737.qurhkqitoxweousx@wittgenstein> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Sender: Al Viro Precedence: bulk List-ID: X-Mailing-List: io-uring@vger.kernel.org On Tue, Apr 06, 2021 at 01:38:39AM +0000, Al Viro wrote: > On Mon, Apr 05, 2021 at 10:07:37PM +0200, Christian Brauner wrote: > > > > diff --git a/fs/namei.c b/fs/namei.c > > > index 216f16e74351..82344f1139ff 100644 > > > --- a/fs/namei.c > > > +++ b/fs/namei.c > > > @@ -2289,6 +2289,9 @@ static const char *path_init(struct nameidata *nd, unsigned flags) > > > int error; > > > const char *s = nd->name->name; > > > > > > + nd->path.mnt = NULL; > > > + nd->path.dentry = NULL; > > > + > > > /* LOOKUP_CACHED requires RCU, ask caller to retry */ > > > if ((flags & (LOOKUP_RCU | LOOKUP_CACHED)) == LOOKUP_CACHED) > > > return ERR_PTR(-EAGAIN); > > > @@ -2322,8 +2325,6 @@ static const char *path_init(struct nameidata *nd, unsigned flags) > > > } > > > > > > nd->root.mnt = NULL; > > > - nd->path.mnt = NULL; > > > - nd->path.dentry = NULL; > > > > > > /* Absolute pathname -- fetch the root (LOOKUP_IN_ROOT uses nd->dfd). */ > > > if (*s == '/' && !(flags & LOOKUP_IN_ROOT)) { > > > > Bingo. That fixes it. > > *grumble* > > OK, I suppose it'll do for backports, but longer term... I don't like how > convoluted the rules for nameidata fields' validity are. In particular, > for nd->path I would rather have it > * cleared in set_nameidata() > * cleared when it become invalid. That would be > * places that drop rcu_read_lock() without having legitimized the sucker > (already done, except for terminate_walk()) > * terminate_walk() in non-RCU case after path_put(&nd->path) > > OTOH... wait a sec - the whole thing is this cycle regression, so... BTW, there's another piece of brittleness that almost accidentally doesn't end up biting us - nd->depth should be cleared in set_nameidata(), not in path_init(). In this case we are saved by the fact that the only really early failure in path_init() can't happen on the first call, so if we do leave the sucker before zeroing nd->depth, we are saved by the fact that terminate_walk() has just been called and it *does* clear nd->depth. It's obviously cleaner to have it initialized from the very beginning and not bother with it in path_init() at all. Separate patch, though - this is not, strictly speaking, a bug.