This is a note to let you know that I've just added the patch titled

    __follow_mount_rcu(): verify that mount_lock remains unchanged

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     __follow_mount_rcu-verify-that-mount_lock-remains-unchanged.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 20aac6c60981f5bfacd66661d090d907bf1482f0 Mon Sep 17 00:00:00 2001
From: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
Date: Mon, 4 Jul 2022 17:26:29 -0400
Subject: __follow_mount_rcu(): verify that mount_lock remains unchanged

From: Al Viro <viro@xxxxxxxxxxxxxxxxxx>

commit 20aac6c60981f5bfacd66661d090d907bf1482f0 upstream.

Validate mount_lock seqcount as soon as we cross into mount in RCU
mode. Sure, ->mnt_root is pinned and will remain so until we
do rcu_read_unlock() anyway, and we will eventually fail to unlazy if
the mount_lock had been touched, but we might run into a hard error
(e.g. -ENOENT) before trying to unlazy. And it's possible to end
up with RCU pathwalk racing with rename() and umount() in a way
that would fail with -ENOENT while non-RCU pathwalk would've
succeeded with any timings.

Once upon a time we hadn't needed that, but analysis had been subtle,
brittle and went out of window as soon as RENAME_EXCHANGE had been
added.

It's narrow, hard to hit and won't get you anything other than
stray -ENOENT that could be arranged in much easier way with the
same privileges, but it's a bug all the same.

Cc: stable@xxxxxxxxxx
X-sky-is-falling: unlikely
Fixes: da1ce0670c14 "vfs: add cross-rename"
Signed-off-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 fs/namei.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/fs/namei.c +++ b/fs/namei.c 
@@ -1461,6 +1461,8 @@ static bool __follow_mount_rcu(struct na * becoming unpinned. */ flags = dentry->d_flags; + if (read_seqretry(&mount_lock, nd->m_seq)) + return false; continue; } if (read_seqretry(&mount_lock, nd->m_seq))


Patches currently in stable-queue which might be from viro@xxxxxxxxxxxxxxxxxx are

queue-5.15/fs-check-fmode_lseek-to-control-internal-pipe-splici.patch
queue-5.15/epoll-autoremove-wakers-even-more-aggressively.patch
queue-5.15/proc-fix-a-dentry-lock-race-between-release_task-and.patch
queue-5.15/vfs-check-the-truncate-maximum-size-in-inode_newsize_ok.patch
queue-5.15/__follow_mount_rcu-verify-that-mount_lock-remains-unchanged.patch
queue-5.15/fix-short-copy-handling-in-copy_mc_pipe_to_iter.patch
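
Review bot: the added read_seqretry(&mount_lock, nd->m_seq) check just before `continue;` carries no comment, and the identical test appears again right after the closing brace, so a later reader of __follow_mount_rcu() cannot tell from the code why both are needed. The existing comment above the hunk only covers pinning ("becoming unpinned"), and the commit message itself describes the earlier reasoning as subtle and brittle, so I would add a short comment above the new lines saying that mount_lock has to be revalidated as soon as the mount is crossed, because a hard error such as -ENOENT can be returned before unlazy is attempted. As a smaller point, `flags = dentry->d_flags;` is still read before the new check; that looks harmless since the value is dropped on `return false;`, but placing the check first would make the ordering self-explanatory.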