This is a note to let you know that I've just added the patch titled
eventfs: Test for ei->is_freed when accessing ei->dentry
to the 6.6-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
eventfs-test-for-ei-is_freed-when-accessing-ei-dentry.patch
and it can be found in the queue-6.6 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From SRS0=eEWY=JP=rostedt.homelinux.com=rostedt@xxxxxxxxxx Tue Feb 6 13:10:41 2024
From: Steven Rostedt <rostedt@xxxxxxxxxxx>
Date: Tue, 06 Feb 2024 07:09:23 -0500
Subject: eventfs: Test for ei->is_freed when accessing ei->dentry
To: linux-kernel@xxxxxxxxxxxxxxx, stable@xxxxxxxxxxxxxxx
Cc: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>, Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>, Sasha Levin <sashal@xxxxxxxxxx>, Masami Hiramatsu <mhiramat@xxxxxxxxxx>, Mark Rutland <mark.rutland@xxxxxxx>, Mathieu Desnoyers <mathieu.desnoyers@xxxxxxxxxxxx>, Ajay Kaher <akaher@xxxxxxxxxx>, Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>, Linux Kernel Functional Testing <lkft@xxxxxxxxxx>, Naresh Kamboju <naresh.kamboju@xxxxxxxxxx>, Beau Belgrave <beaub@xxxxxxxxxxxxxxxxxxx>
Message-ID: <20240206120949.301438848@xxxxxxxxxxxxxxxxxxxxx>
From: "Steven Rostedt (Google)" <rostedt@xxxxxxxxxxx>
commit 77a06c33a22d13f3a6e31f06f6ee6bca666e6898 upstream.
The eventfs_inode (ei) is protected by SRCU, but the ei->dentry is not. It
is protected by the eventfs_mutex. Anytime the eventfs_mutex is released,
and access to the ei->dentry needs to be done, it should first check if
ei->is_freed is set under the eventfs_mutex. If it is, then the ei->dentry
is invalid and must not be used. The ei->dentry must only be accessed
under the eventfs_mutex and after checking if ei->is_freed is set.
When the ei is being freed, it will (under the eventfs_mutex) set is_freed
and at the same time move the dentry to a free list to be cleared after
the eventfs_mutex is released. This means that any access to the
ei->dentry must check first if ei->is_freed is set, because if it is, then
the dentry is on its way to be freed.
Also add comments to describe this better.
Link: https://lore.kernel.org/all/CA+G9fYt6pY+tMZEOg=SoEywQOe19fGP3uR15SGowkdK+_X85Cg@xxxxxxxxxxxxxx/
Link: https://lore.kernel.org/all/CA+G9fYuDP3hVQ3t7FfrBAjd_WFVSurMgCepTxunSJf=MTe=6aA@xxxxxxxxxxxxxx/
Link: https://lkml.kernel.org/r/20231101172649.477608228@xxxxxxxxxxx
Cc: Ajay Kaher <akaher@xxxxxxxxxx>
Cc: Mark Rutland <mark.rutland@xxxxxxx>
Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
Fixes: 5790b1fb3d672 ("eventfs: Remove eventfs_file and just use eventfs_inode")
Reported-by: Linux Kernel Functional Testing <lkft@xxxxxxxxxx>
Reported-by: Naresh Kamboju <naresh.kamboju@xxxxxxxxxx>
Reported-by: Beau Belgrave <beaub@xxxxxxxxxxxxxxxxxxx>
Reviewed-by: Masami Hiramatsu (Google) <mhiramat@xxxxxxxxxx>
Tested-by: Linux Kernel Functional Testing <lkft@xxxxxxxxxx>
Tested-by: Naresh Kamboju <naresh.kamboju@xxxxxxxxxx>
Tested-by: Beau Belgrave <beaub@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Steven Rostedt (Google) <rostedt@xxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
fs/tracefs/event_inode.c | 45 +++++++++++++++++++++++++++++++++++++++------
fs/tracefs/internal.h | 3 ++-
2 files changed, 41 insertions(+), 7 deletions(-)
--- a/fs/tracefs/event_inode.c
+++ b/fs/tracefs/event_inode.c
@@ -24,7 +24,20 @@
#include <linux/delay.h>
#include "internal.h"
+/*
+ * eventfs_mutex protects the eventfs_inode (ei) dentry. Any access
+ * to the ei->dentry must be done under this mutex and after checking
+ * if ei->is_freed is not set. The ei->dentry is released under the
+ * mutex at the same time ei->is_freed is set. If ei->is_freed is set
+ * then the ei->dentry is invalid.
+ */
static DEFINE_MUTEX(eventfs_mutex);
+
+/*
+ * The eventfs_inode (ei) itself is protected by SRCU. It is released from
+ * its parent's list and will have is_freed set (under eventfs_mutex).
+ * After the SRCU grace period is over, the ei may be freed.
+ */
DEFINE_STATIC_SRCU(eventfs_srcu);
static struct dentry *eventfs_root_lookup(struct inode *dir,
@@ -239,6 +252,10 @@ create_file_dentry(struct eventfs_inode
bool invalidate = false;
mutex_lock(&eventfs_mutex);
+ if (ei->is_freed) {
+ mutex_unlock(&eventfs_mutex);
+ return NULL;
+ }
/* If the e_dentry already has a dentry, use it */
if (*e_dentry) {
/* lookup does not need to up the ref count */
@@ -312,6 +329,8 @@ static void eventfs_post_create_dir(stru
struct eventfs_inode *ei_child;
struct tracefs_inode *ti;
+ lockdep_assert_held(&eventfs_mutex);
+
/* srcu lock already held */
/* fill parent-child relation */
list_for_each_entry_srcu(ei_child, &ei->children, list,
@@ -325,6 +344,7 @@ static void eventfs_post_create_dir(stru
/**
* create_dir_dentry - Create a directory dentry for the eventfs_inode
+ * @pei: The eventfs_inode parent of ei.
* @ei: The eventfs_inode to create the directory for
* @parent: The dentry of the parent of this directory
* @lookup: True if this is called by the lookup code
@@ -332,12 +352,17 @@ static void eventfs_post_create_dir(stru
* This creates and attaches a directory dentry to the eventfs_inode @ei.
*/
static struct dentry *
-create_dir_dentry(struct eventfs_inode *ei, struct dentry *parent, bool lookup)
+create_dir_dentry(struct eventfs_inode *pei, struct eventfs_inode *ei,
+ struct dentry *parent, bool lookup)
{
bool invalidate = false;
struct dentry *dentry = NULL;
mutex_lock(&eventfs_mutex);
+ if (pei->is_freed || ei->is_freed) {
+ mutex_unlock(&eventfs_mutex);
+ return NULL;
+ }
if (ei->dentry) {
/* If the dentry already has a dentry, use it */
dentry = ei->dentry;
@@ -440,7 +465,7 @@ static struct dentry *eventfs_root_looku
*/
mutex_lock(&eventfs_mutex);
ei = READ_ONCE(ti->private);
- if (ei)
+ if (ei && !ei->is_freed)
ei_dentry = READ_ONCE(ei->dentry);
mutex_unlock(&eventfs_mutex);
@@ -454,7 +479,7 @@ static struct dentry *eventfs_root_looku
if (strcmp(ei_child->name, name) != 0)
continue;
ret = simple_lookup(dir, dentry, flags);
- create_dir_dentry(ei_child, ei_dentry, true);
+ create_dir_dentry(ei, ei_child, ei_dentry, true);
created = true;
break;
}
@@ -588,7 +613,7 @@ static int dcache_dir_open_wrapper(struc
list_for_each_entry_srcu(ei_child, &ei->children, list,
srcu_read_lock_held(&eventfs_srcu)) {
- d = create_dir_dentry(ei_child, parent, false);
+ d = create_dir_dentry(ei, ei_child, parent, false);
if (d) {
ret = add_dentries(&dentries, d, cnt);
if (ret < 0)
@@ -705,12 +730,20 @@ struct eventfs_inode *eventfs_create_dir
ei->nr_entries = size;
ei->data = data;
INIT_LIST_HEAD(&ei->children);
+ INIT_LIST_HEAD(&ei->list);
mutex_lock(&eventfs_mutex);
- list_add_tail(&ei->list, &parent->children);
- ei->d_parent = parent->dentry;
+ if (!parent->is_freed) {
+ list_add_tail(&ei->list, &parent->children);
+ ei->d_parent = parent->dentry;
+ }
mutex_unlock(&eventfs_mutex);
+ /* Was the parent freed? */
+ if (list_empty(&ei->list)) {
+ free_ei(ei);
+ ei = NULL;
+ }
return ei;
}
--- a/fs/tracefs/internal.h
+++ b/fs/tracefs/internal.h
@@ -24,6 +24,7 @@ struct tracefs_inode {
* @d_children: The array of dentries to represent the files when created
* @data: The private data to pass to the callbacks
* @is_freed: Flag set if the eventfs is on its way to be freed
+ * Note if is_freed is set, then dentry is corrupted.
* @nr_entries: The number of items in @entries
*/
struct eventfs_inode {
@@ -31,7 +32,7 @@ struct eventfs_inode {
const struct eventfs_entry *entries;
const char *name;
struct list_head children;
- struct dentry *dentry;
+ struct dentry *dentry; /* Check is_freed to access */
struct dentry *d_parent;
struct dentry **d_children;
void *data;
Patches currently in stable-queue which might be from rostedt@xxxxxxxxxx are
queue-6.6/eventfs-keep-all-directory-links-at-1.patch
queue-6.6/eventfs-make-sure-that-parent-d_inode-is-locked-in-creating-files-dirs.patch
queue-6.6/eventfs-save-directory-inodes-in-the-eventfs_inode-structure.patch
queue-6.6/revert-eventfs-save-ownership-and-mode.patch
queue-6.6/tracefs-zero-out-the-tracefs_inode-when-allocating-it.patch
queue-6.6/eventfs-read-ei-entries-before-ei-children-in-eventfs_iterate.patch
queue-6.6/eventfs-do-not-invalidate-dentry-in-create_file-dir_dentry.patch
queue-6.6/eventfs-fix-file-and-directory-uid-and-gid-ownership.patch
queue-6.6/eventfs-remove-lookup-parameter-from-create_dir-file_dentry.patch
queue-6.6/eventfs-use-gfp_nofs-for-allocation-when-eventfs_mutex-is-held.patch
queue-6.6/eventfs-remove-fsnotify-functions-from-lookup.patch
queue-6.6/eventfs-use-err_cast-in-eventfs_create_events_dir.patch
queue-6.6/revert-eventfs-use-simple_recursive_removal-to-clean-up-dentries.patch
queue-6.6/eventfs-use-simple_recursive_removal-to-clean-up-dentries.patch
queue-6.6/eventfs-stop-using-dcache_readdir-for-getdents.patch
queue-6.6/eventfs-have-event-files-and-directories-default-to-parent-uid-and-gid.patch
queue-6.6/eventfs-use-eventfs_remove_events_dir.patch
queue-6.6/eventfs-delete-eventfs_inode-when-the-last-dentry-is-freed.patch
queue-6.6/tracefs-avoid-using-the-ei-dentry-pointer-unnecessarily.patch
queue-6.6/tracefs-remove-stale-update_gid-code.patch
queue-6.6/eventfs-initialize-the-tracefs-inode-properly.patch
queue-6.6/eventfs-remove-special-processing-of-dput-of-events-directory.patch
queue-6.6/eventfs-save-ownership-and-mode.patch
queue-6.6/tracefs-check-for-dentry-d_inode-exists-in-set_gid.patch
queue-6.6/eventfs-do-ctx-pos-update-for-all-iterations-in-eventfs_iterate.patch
queue-6.6/tracefs-dentry-lookup-crapectomy.patch
queue-6.6/eventfs-move-taking-of-inode_lock-into-dcache_dir_open_wrapper.patch
queue-6.6/eventfs-have-a-free_ei-that-just-frees-the-eventfs_inode.patch
queue-6.6/revert-eventfs-remove-is_freed-union-with-rcu-head.patch
queue-6.6/eventfs-have-the-inodes-all-for-files-and-directories-all-be-the-same.patch
queue-6.6/eventfs-use-kcalloc-instead-of-kzalloc.patch
queue-6.6/eventfs-test-for-ei-is_freed-when-accessing-ei-dentry.patch
queue-6.6/eventfs-fix-bitwise-fields-for-is_events.patch
queue-6.6/eventfs-fix-warn_on-in-create_file_dentry.patch
queue-6.6/eventfs-fix-events-beyond-name_max-blocking-tasks.patch
queue-6.6/eventfs-shortcut-eventfs_iterate-by-skipping-entries-already-read.patch
queue-6.6/revert-eventfs-do-not-allow-null-parent-to-eventfs_start_creating.patch
queue-6.6/eventfs-do-not-allow-null-parent-to-eventfs_start_creating.patch
queue-6.6/eventfs-do-not-create-dentries-nor-inodes-in-iterate_shared.patch
queue-6.6/eventfs-have-eventfs_iterate-stop-immediately-if-ei-is_freed-is-set.patch
queue-6.6/eventfs-fix-typo-in-eventfs_inode-union-comment.patch
queue-6.6/eventfs-remove-expectation-that-ei-is_freed-means-ei-dentry-null.patch
queue-6.6/eventfs-restructure-eventfs_inode-structure-to-be-more-condensed.patch
queue-6.6/eventfs-warn-if-an-eventfs_inode-is-freed-without-is_freed-being-set.patch
queue-6.6/eventfs-get-rid-of-dentry-pointers-without-refcounts.patch
queue-6.6/eventfs-remove-unused-d_parent-pointer-field.patch
queue-6.6/eventfs-hold-eventfs_mutex-when-calling-callback-functions.patch
queue-6.6/eventfs-remove-is_freed-union-with-rcu-head.patch
queue-6.6/tracefs-eventfs-modify-mismatched-function-name.patch
queue-6.6/eventfs-fix-kerneldoc-of-eventfs_remove_rec.patch
queue-6.6/tracefs-eventfs-use-root-and-instance-inodes-as-default-ownership.patch
queue-6.6/revert-eventfs-check-for-null-ef-in-eventfs_set_attr.patch
queue-6.6/eventfs-fix-failure-path-in-eventfs_create_events_dir.patch
queue-6.6/eventfs-clean-up-dentry-ops-and-add-revalidate-function.patch
