linux-hardened/Documentation/filesystems
David Howells cc53ce53c8 Add a dentry op to allow processes to be held during pathwalk transit
Add a dentry op (d_manage) to permit a filesystem to hold a process and make it
sleep when it tries to transit away from one of that filesystem's directories
during a pathwalk.  The operation is keyed off a new dentry flag
(DCACHE_MANAGE_TRANSIT).

The filesystem is allowed to be selective about which processes it holds and
which it permits to continue on or prohibits from transiting from each flagged
directory.  This will allow autofs to hold up client processes whilst letting
its userspace daemon through to maintain the directory or the stuff behind it
or mounted upon it.

The ->d_manage() dentry operation:

	int (*d_manage)(struct path *path, bool mounting_here);

takes a pointer to the directory about to be transited away from and a flag
indicating whether the transit is undertaken by do_add_mount() or
do_move_mount() skipping through a pile of filesystems mounted on a mountpoint.

It should return 0 if successful and to let the process continue on its way;
-EISDIR to prohibit the caller from skipping to overmounted filesystems or
automounting, and to use this directory; or some other error code to return to
the user.

->d_manage() is called with namespace_sem writelocked if mounting_here is true
and no other locks held, so it may sleep.  However, if mounting_here is true,
it may not initiate or wait for a mount or unmount upon the parameter
directory, even if the act is actually performed by userspace.

Within fs/namei.c, follow_managed() is extended to check with d_manage() first
on each managed directory, before transiting away from it or attempting to
automount upon it.

follow_down() is renamed follow_down_one() and should only be used where the
filesystem deliberately intends to avoid management steps (e.g. autofs).

A new follow_down() is added that incorporates the loop done by all other
callers of follow_down() (do_add/move_mount(), autofs and NFSD; whilst AFS, NFS
and CIFS do use it, their use is removed by converting them to use
d_automount()).  The new follow_down() calls d_manage() as appropriate.  It
also takes an extra parameter to indicate if it is being called from mount code
(with namespace_sem writelocked) which it passes to d_manage().  follow_down()
ignores automount points so that it can be used to mount on them.

__follow_mount_rcu() is made to abort rcu-walk mode if it hits a directory with
DCACHE_MANAGE_TRANSIT set on the basis that we're probably going to have to
sleep.  It would be possible to enter d_manage() in rcu-walk mode too, and have
that determine whether to abort or not itself.  That would allow the autofs
daemon to continue on in rcu-walk mode.

Note that DCACHE_MANAGE_TRANSIT on a directory should be cleared when it isn't
required as every tranist from that directory will cause d_manage() to be
invoked.  It can always be set again when necessary.

==========================
WHAT THIS MEANS FOR AUTOFS
==========================

Autofs currently uses the lookup() inode op and the d_revalidate() dentry op to
trigger the automounting of indirect mounts, and both of these can be called
with i_mutex held.

autofs knows that the i_mutex will be held by the caller in lookup(), and so
can drop it before invoking the daemon - but this isn't so for d_revalidate(),
since the lock is only held on _some_ of the code paths that call it.  This
means that autofs can't risk dropping i_mutex from its d_revalidate() function
before it calls the daemon.

The bug could manifest itself as, for example, a process that's trying to
validate an automount dentry that gets made to wait because that dentry is
expired and needs cleaning up:

	mkdir         S ffffffff8014e05a     0 32580  24956
	Call Trace:
	 [<ffffffff885371fd>] :autofs4:autofs4_wait+0x674/0x897
	 [<ffffffff80127f7d>] avc_has_perm+0x46/0x58
	 [<ffffffff8009fdcf>] autoremove_wake_function+0x0/0x2e
	 [<ffffffff88537be6>] :autofs4:autofs4_expire_wait+0x41/0x6b
	 [<ffffffff88535cfc>] :autofs4:autofs4_revalidate+0x91/0x149
	 [<ffffffff80036d96>] __lookup_hash+0xa0/0x12f
	 [<ffffffff80057a2f>] lookup_create+0x46/0x80
	 [<ffffffff800e6e31>] sys_mkdirat+0x56/0xe4

versus the automount daemon which wants to remove that dentry, but can't
because the normal process is holding the i_mutex lock:

	automount     D ffffffff8014e05a     0 32581      1              32561
	Call Trace:
	 [<ffffffff80063c3f>] __mutex_lock_slowpath+0x60/0x9b
	 [<ffffffff8000ccf1>] do_path_lookup+0x2ca/0x2f1
	 [<ffffffff80063c89>] .text.lock.mutex+0xf/0x14
	 [<ffffffff800e6d55>] do_rmdir+0x77/0xde
	 [<ffffffff8005d229>] tracesys+0x71/0xe0
	 [<ffffffff8005d28d>] tracesys+0xd5/0xe0

which means that the system is deadlocked.

This patch allows autofs to hold up normal processes whilst the daemon goes
ahead and does things to the dentry tree behind the automouter point without
risking a deadlock as almost no locks are held in d_manage() and none in
d_automount().

Signed-off-by: David Howells <dhowells@redhat.com>
Was-Acked-by: Ian Kent <raven@themaw.net>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2011-01-15 20:07:31 -05:00
..
caching fscache: convert object to use workqueue instead of slow-work 2010-07-22 22:58:34 +02:00
configfs Documentation: make configfs example code simpler, clearer 2010-11-18 15:00:46 -08:00
nfs NFS: rename nfs.upcall -> nfs.idmap 2010-10-26 13:57:10 -04:00
pohmelfs Staging: Pohmelfs: Added IO permissions and priorities. 2009-04-17 11:06:30 -07:00
00-INDEX smbfs: move to drivers/staging 2010-10-05 09:08:21 -07:00
9p.txt fs/9p: Add access = client option to opt in acl evaluation. 2010-10-28 09:08:46 -05:00
adfs.txt Fix typos in /Documentation : 'U-Z' 2006-11-30 04:58:40 +01:00
affs.txt Documentation: update broken web addresses. 2010-08-04 15:21:40 +02:00
afs.txt AFS: Documentation updates 2009-08-19 10:40:13 -07:00
autofs4-mount-control.txt Documentation/: it's -> its where appropriate 2010-04-23 02:09:52 +02:00
automount-support.txt
befs.txt Documentation: update broken web addresses. 2010-08-04 15:21:40 +02:00
bfs.txt remove mention of CONFIG_KMOD from documentation 2008-07-22 19:24:29 +10:00
btrfs.txt Btrfs: Add Documentation/filesystem/btrfs.txt, remove old COPYING 2009-01-07 09:54:24 -05:00
ceph.txt Documentation/: it's -> its where appropriate 2010-04-23 02:09:52 +02:00
cifs.txt
coda.txt
cramfs.txt
debugfs.txt Document the debugfs API 2009-06-06 10:28:14 -06:00
devpts.txt Document usage of multiple-instances of devpts 2009-01-02 10:19:36 -08:00
directory-locking Documentation: Fix up docs still talking about i_sem 2007-05-24 10:16:17 -07:00
dlmfs.txt Documentation/: it's -> its where appropriate 2010-04-23 02:09:52 +02:00
dnotify.txt Documentation/fs/: split txt and source files 2010-03-12 15:52:35 -08:00
dnotify_test.c Documentation/fs/: split txt and source files 2010-03-12 15:52:35 -08:00
ecryptfs.txt eCryptfs: Move ecryptfs docs into Documentation/filesystems/ 2007-07-17 10:23:08 -07:00
exofs.txt trivial: some small fixes in exofs documentation 2009-12-10 09:59:16 +02:00
ext2.txt Doc fix: ext2 can only have 32,000 subdirs, not 32,768 2009-06-18 13:03:44 -07:00
ext3.txt ext3: make barrier options consistent with ext4 2010-05-21 19:30:41 +02:00
ext4.txt ext4: add support for lazy inode table initialization 2010-10-27 21:30:05 -04:00
fiemap.txt Documentation/: it's -> its where appropriate 2010-04-23 02:09:52 +02:00
files.txt fix f_count description in Documentation/filesystems/files.txt 2008-12-31 18:07:42 -05:00
fuse.txt Documentation/: it's -> its where appropriate 2010-04-23 02:09:52 +02:00
gfs2-glocks.txt GFS2: Update docs 2009-05-19 10:23:23 +01:00
gfs2-uevents.txt GFS2: Add a document explaining GFS2's uevents 2009-08-17 11:11:41 +01:00
gfs2.txt GFS2: docs update 2010-03-29 14:28:52 +01:00
hfs.txt
hfsplus.txt Documentation: document HFSPlus 2007-07-31 15:39:38 -07:00
hpfs.txt Documentation/: it's -> its where appropriate 2010-04-23 02:09:52 +02:00
inotify.txt
isofs.txt Documentation: update broken web addresses. 2010-08-04 15:21:40 +02:00
jfs.txt JFS: document uid, gid, and umask mount options in jfs.txt 2007-03-09 10:27:31 -06:00
Locking Add a dentry op to allow processes to be held during pathwalk transit 2011-01-15 20:07:31 -05:00
locks.txt Documentation: move locks.txt in filesystems/ 2007-10-09 18:32:45 -04:00
logfs.txt fix "seperate" typos in comments 2010-05-10 11:56:30 +02:00
Makefile Documentation/fs/: split txt and source files 2010-03-12 15:52:35 -08:00
mandatory-locking.txt locks: add warning about mandatory locking races 2007-10-09 18:32:45 -04:00
ncpfs.txt ncpfs: remove dead URL from documentation 2009-09-23 07:39:42 -07:00
nilfs2.txt nilfs2: add nodiscard mount option 2010-07-23 10:02:12 +09:00
ntfs.txt NTFS: writev() fix and maintenance/contact details update 2011-01-12 08:35:53 -08:00
ocfs2.txt ocfs2: Add a mount option "coherency=*" to handle cluster coherency for O_DIRECT writes. 2010-10-11 14:14:55 -07:00
omfs.txt omfs: add filesystem documentation 2008-07-26 12:00:05 -07:00
path-lookup.txt fs: provide rcu-walk aware permission i_ops 2011-01-07 17:50:29 +11:00
porting Merge branch 'vfs-scale-working' of git://git.kernel.org/pub/scm/linux/kernel/git/npiggin/linux-npiggin 2011-01-13 20:14:13 -08:00
proc.txt oom: allow a non-CAP_SYS_RESOURCE proces to oom_score_adj down 2011-01-13 17:32:35 -08:00
quota.txt quota: documentation for sending "below quota" messages via netlink and tiny doc update 2008-08-12 16:07:27 -07:00
ramfs-rootfs-initramfs.txt Trivial Documentation/filesystems/ramfs-rootfs-initramfs.txt fix 2008-11-30 11:40:56 -08:00
relay.txt relay: add buffer-only channels; useful for early logging 2008-07-26 12:00:04 -07:00
romfs.txt
seq_file.txt seq_file: use proc_create() in documentation 2009-12-16 07:20:07 -08:00
sharedsubtree.txt Documentation: Fix trivial typo in filesystems/sharedsubtree.txt 2010-10-25 21:18:21 -04:00
spufs.txt Fix typos in /Documentation : 'U-Z' 2006-11-30 04:58:40 +01:00
squashfs.txt Squashfs: update Kconfig and documentation for LZO 2010-08-05 23:42:54 +01:00
sysfs-pci.txt PCI: Allow read/write access to sysfs I/O port resources 2010-07-30 09:32:08 -07:00
sysfs-tagging.txt sysfs-namespaces: add a high-level Documentation file 2010-05-21 09:37:31 -07:00
sysfs.txt sysfs: Fix one more signature discrepancy between sysfs implementation and docs. 2010-08-05 13:53:34 -07:00
sysv-fs.txt [PATCH] fs/sysv/: doc cleanup 2006-12-07 08:39:44 -08:00
tmpfs.txt mempolicy: document cpuset interaction with tmpfs mpol mount option 2010-05-25 08:06:57 -07:00
ubifs.txt UBIFS: remove fast unmounting 2009-01-29 16:34:30 +02:00
udf.txt udf: implement mode and dmode mounting options 2009-04-02 12:29:50 +02:00
ufs.txt [PATCH] ufs2 write: mount as rw 2007-02-12 09:48:40 -08:00
vfat.txt Documentation: update broken web addresses. 2010-08-04 15:21:40 +02:00
vfs.txt Add a dentry op to allow processes to be held during pathwalk transit 2011-01-15 20:07:31 -05:00
xfs-delayed-logging-design.txt xfs: remove experimental tag from the delaylog option 2010-11-10 12:00:47 -06:00
xfs.txt xfs: remove obsolete osyncisosync mount option 2010-07-26 13:16:51 -05:00
xip.txt DOC: update xip method info 2008-11-12 17:17:17 -08:00