    Add a dentry op to allow processes to be held during pathwalk transit · cc53ce53
    David Howells authored
    Add a dentry op (d_manage) to permit a filesystem to hold a process and make it
    sleep when it tries to transit away from one of that filesystem's directories
    during a pathwalk.  The operation is keyed off a new dentry flag
    (DCACHE_MANAGE_TRANSIT).
    
    The filesystem is allowed to be selective about which processes it holds and
    which it permits to continue on or prohibits from transiting from each flagged
    directory.  This will allow autofs to hold up client processes whilst letting
    its userspace daemon through to maintain the directory or the stuff behind it
    or mounted upon it.
    
    The ->d_manage() dentry operation:
    
    	int (*d_manage)(struct path *path, bool mounting_here);
    
    takes a pointer to the directory about to be transited away from and a flag
    indicating whether the transit is undertaken by do_add_mount() or
    do_move_mount() skipping through a pile of filesystems mounted on a mountpoint.
    
    It should return 0 if successful and to let the process continue on its way;
    -EISDIR to prohibit the caller from skipping to overmounted filesystems or
    automounting, and to use this directory; or some other error code to return to
    the user.
    
    ->d_manage() is called with namespace_sem writelocked if mounting_here is true
    and no other locks held, so it may sleep.  However, if mounting_here is true,
    it may not initiate or wait for a mount or unmount upon the parameter
    directory, even if the act is actually performed by userspace.
    
    Within fs/namei.c, follow_managed() is extended to check with d_manage() first
    on each managed directory, before transiting away from it or attempting to
    automount upon it.
    
    follow_down() is renamed follow_down_one() and should only be used where the
    filesystem deliberately intends to avoid management steps (e.g. autofs).
    
    A new follow_down() is added that incorporates the loop done by all other
    callers of follow_down() (do_add/move_mount(), autofs and NFSD; whilst AFS, NFS
    and CIFS do use it, their use is removed by converting them to use
    d_automount()).  The new follow_down() calls d_manage() as appropriate.  It
    also takes an extra parameter to indicate if it is being called from mount code
    (with namespace_sem writelocked) which it passes to d_manage().  follow_down()
    ignores automount points so that it can be used to mount on them.
    
    __follow_mount_rcu() is made to abort rcu-walk mode if it hits a directory with
    DCACHE_MANAGE_TRANSIT set on the basis that we're probably going to have to
    sleep.  It would be possible to enter d_manage() in rcu-walk mode too, and have
    that determine whether to abort or not itself.  That would allow the autofs
    daemon to continue on in rcu-walk mode.
    
    Note that DCACHE_MANAGE_TRANSIT on a directory should be cleared when it isn't
    required as every transit from that directory will cause d_manage() to be
    invoked.  It can always be set again when necessary.
    
    ==========================
    WHAT THIS MEANS FOR AUTOFS
    ==========================
    
    Autofs currently uses the lookup() inode op and the d_revalidate() dentry op to
    trigger the automounting of indirect mounts, and both of these can be called
    with i_mutex held.
    
    autofs knows that the i_mutex will be held by the caller in lookup(), and so
    can drop it before invoking the daemon - but this isn't so for d_revalidate(),
    since the lock is only held on _some_ of the code paths that call it.  This
    means that autofs can't risk dropping i_mutex from its d_revalidate() function
    before it calls the daemon.
    
    The bug could manifest itself as, for example, a process that's trying to
    validate an automount dentry that gets made to wait because that dentry is
    expired and needs cleaning up:
    
    	mkdir         S ffffffff8014e05a     0 32580  24956
    	Call Trace:
    	 [<ffffffff885371fd>] :autofs4:autofs4_wait+0x674/0x897
    	 [<ffffffff80127f7d>] avc_has_perm+0x46/0x58
    	 [<ffffffff8009fdcf>] autoremove_wake_function+0x0/0x2e
    	 [<ffffffff88537be6>] :autofs4:autofs4_expire_wait+0x41/0x6b
    	 [<ffffffff88535cfc>] :autofs4:autofs4_revalidate+0x91/0x149
    	 [<ffffffff80036d96>] __lookup_hash+0xa0/0x12f
    	 [<ffffffff80057a2f>] lookup_create+0x46/0x80
    	 [<ffffffff800e6e31>] sys_mkdirat+0x56/0xe4
    
    versus the automount daemon which wants to remove that dentry, but can't
    because the normal process is holding the i_mutex lock:
    
    	automount     D ffffffff8014e05a     0 32581      1              32561
    	Call Trace:
    	 [<ffffffff80063c3f>] __mutex_lock_slowpath+0x60/0x9b
    	 [<ffffffff8000ccf1>] do_path_lookup+0x2ca/0x2f1
    	 [<ffffffff80063c89>] .text.lock.mutex+0xf/0x14
    	 [<ffffffff800e6d55>] do_rmdir+0x77/0xde
    	 [<ffffffff8005d229>] tracesys+0x71/0xe0
    	 [<ffffffff8005d28d>] tracesys+0xd5/0xe0
    
    which means that the system is deadlocked.
    
    This patch allows autofs to hold up normal processes whilst the daemon goes
    ahead and does things to the dentry tree behind the automounter point without
    risking a deadlock as almost no locks are held in d_manage() and none in
    d_automount().
    Signed-off-by: David Howells <dhowells@redhat.com>
    Was-Acked-by: Ian Kent <raven@themaw.net>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
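The follow_down()/->d_manage() contract the message describes, modelled in user space as an added example (this is not the kernel's code; the struct layouts, flag values and the demo_* scenario and policy are constructed):

```c
/* Added example, not kernel code: a user-space model of the new follow_down()
 * loop and the ->d_manage() return contract described above.  Struct layouts,
 * flag values and the scenario are constructed; names mirror the kernel API. */
#include <errno.h>
#include <stdbool.h>

#define DCACHE_MOUNTED        0x1  /* a filesystem is mounted on this dentry */
#define DCACHE_MANAGE_TRANSIT 0x2  /* consult ->d_manage() before transiting */
struct dentry;
struct path { struct dentry *dentry; };
struct dentry_operations { int (*d_manage)(struct path *, bool mounting_here); };
struct dentry {
    unsigned flags; const struct dentry_operations *d_op;
    struct dentry *mounted_root;  /* root of the fs mounted on top, if any */
    int manage_verdict;           /* constructed: demo_d_manage()'s answer */
};

/* Model of follow_down(): step through what is mounted on path->dentry, asking
 * d_manage() first on each managed directory.  -EISDIR from it means "stop and
 * use this directory" (success); other errors go back; automount is ignored. */
int follow_down(struct path *path, bool mounting_here)
{
    while (path->dentry->flags & (DCACHE_MANAGE_TRANSIT | DCACHE_MOUNTED)) {
        if (path->dentry->flags & DCACHE_MANAGE_TRANSIT) {
            int ret = path->dentry->d_op->d_manage(path, mounting_here);
            if (ret == -EISDIR) return 0;  /* prohibited from skipping: stay */
            if (ret < 0) return ret;       /* some other error for the user */
        }
        if (!(path->dentry->flags & DCACHE_MOUNTED)) return 0;  /* no automount */
        path->dentry = path->dentry->mounted_root;
    }
    return 0;
}

/* Constructed ->d_manage() policy: mount code (mounting_here) is always let
 * through; other callers get the per-dentry verdict.  A real filesystem could
 * sleep here, e.g. until its daemon has finished with the directory. */
static int demo_d_manage(struct path *p, bool mounting_here)
{ return mounting_here ? 0 : p->dentry->manage_verdict; }
static const struct dentry_operations demo_ops = { demo_d_manage };

/* Constructed scenario: managed directory 'a' with filesystem 'b' mounted on
 * it.  Returns a negative errno on error, 1 if the walk reached 'b', else 0. */
int demo_walk(int verdict, bool mounting_here)
{
    struct dentry b = { 0, 0, 0, 0 };
    struct dentry a = { DCACHE_MOUNTED | DCACHE_MANAGE_TRANSIT, &demo_ops, &b, verdict };
    struct path p = { &a };
    int ret = follow_down(&p, mounting_here);
    return ret < 0 ? ret : (p.dentry == &b);
}
```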