On Mon, 2 Oct 2023 at 14:04, Amir Goldstein <amir73il@xxxxxxxxx> wrote: > > ovl_permission() accesses ->layers[...].mnt; we can't have ->layers > freed without an RCU delay on fs shutdown. > > Fortunately, kern_unmount_array() that is used to drop those mounts > does include an RCU delay, so freeing is delayed; unfortunately, the > array passed to kern_unmount_array() is formed by mangling ->layers > contents and that happens without any delays. > > The ->layers[...].name string entries are used to store the strings to > display in "lowerdir=..." by ovl_show_options(). Those entries are not > accessed in RCU walk. > > Move the name strings into a separate array ofs->config.lowerdirs and > reuse the ofs->config.lowerdirs array as the temporary mount array to > pass to kern_unmount_array(). > > Reported-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx> > Link: https://lore.kernel.org/r/20231002023711.GP3389589@ZenIV/ > Signed-off-by: Amir Goldstein <amir73il@xxxxxxxxx> > --- > > Miklos, > > Please review my proposal to fix the RCU walk race pointed out by Al. > I have already tested it with xfstests and I will queue it in ovl-fixes > to get more exposure in linux-next. Looks good. Acked-by: Miklos Szeredi <mszeredi@xxxxxxxxxx> Thanks, Miklos
