On Mon, Jul 04, 2022 at 01:24:48PM -0700, Linus Torvalds wrote: > On Mon, Jul 4, 2022 at 12:55 PM Al Viro <viro@xxxxxxxxxxxxxxxxxx> wrote: > > > > You are checking the wrong thing here. It's really about mount_lock - > > ->d_seq is *not* bumped when we or attach in some namespace. > > I think we're talking past each other. We might be. > Yes, we need to check the mount sequence lock too, because we're doing > that mount traversal. > > But I think we *also* need to check the dentry sequence count, because > the dentry itself could have been moved to another parent. Why is that a problem? It could have been moved to another parent, but so it could after we'd crossed to the mounted and we wouldn't have noticed (or cared). What the chain of seqcount checks gives us is that with some timings it would be possible to traverse that path, not that it had remained valid through the entire pathwalk. What I'm suggesting is to treat transition from mountpoint to mount as happening instantly, with transition from mount to root sealed by mount_lock check. If that succeeds, there had been possible history in which refwalk would have passed through the same dentry/mount/dentry and arrived to the root dentry when it had the sampled ->d_seq value. Sure, mountpoint might be moved since we'd reached it. And the mount would move with it, so we can pretend that we'd won the race and got into the mount before it had the mountpoint had been moved. Am I missing something fundamental about the things the sequence of sampling and verifications gives us? I'd always thought it's about verifying that resulting history would be possible for a non-RCU pathwalk with the right timings. What am I missing?
