    proc: Fix proc_sys_prune_dcache to hold a sb reference · 2fd1d2c4
    Eric W. Biederman authored
    Andrei Vagin writes:
    FYI: This bug has been reproduced on 4.11.7
    > BUG: Dentry ffff895a3dd01240{i=4e7c09a,n=lo}  still in use (1) [unmount of proc proc]
    > ------------[ cut here ]------------
    > WARNING: CPU: 1 PID: 13588 at fs/dcache.c:1445 umount_check+0x6e/0x80
    > CPU: 1 PID: 13588 Comm: kworker/1:1 Not tainted 4.11.7-200.fc25.x86_64 #1
    > Hardware name: CompuLab sbc-flt1/fitlet, BIOS SBCFLT_0.08.04 06/27/2015
    > Workqueue: events proc_cleanup_work
    > Call Trace:
    >  dump_stack+0x63/0x86
    >  __warn+0xcb/0xf0
    >  warn_slowpath_null+0x1d/0x20
    >  umount_check+0x6e/0x80
    >  d_walk+0xc6/0x270
    >  ? dentry_free+0x80/0x80
    >  do_one_tree+0x26/0x40
    >  shrink_dcache_for_umount+0x2d/0x90
    >  generic_shutdown_super+0x1f/0xf0
    >  kill_anon_super+0x12/0x20
    >  proc_kill_sb+0x40/0x50
    >  deactivate_locked_super+0x43/0x70
    >  deactivate_super+0x5a/0x60
    >  cleanup_mnt+0x3f/0x90
    >  mntput_no_expire+0x13b/0x190
    >  kern_unmount+0x3e/0x50
    >  pid_ns_release_proc+0x15/0x20
    >  proc_cleanup_work+0x15/0x20
    >  process_one_work+0x197/0x450
    >  worker_thread+0x4e/0x4a0
    >  kthread+0x109/0x140
    >  ? process_one_work+0x450/0x450
    >  ? kthread_park+0x90/0x90
    >  ret_from_fork+0x2c/0x40
    > ---[ end trace e1c109611e5d0b41 ]---
    > VFS: Busy inodes after unmount of proc. Self-destruct in 5 seconds.  Have a nice day...
    > BUG: unable to handle kernel NULL pointer dereference at           (null)
    > IP: _raw_spin_lock+0xc/0x30
    > PGD 0
    
    Fix this by taking a reference to the super block in proc_sys_prune_dcache.
    
    The superblock reference is the core of the fix; however, the sysctl_inodes
    list is also converted to an hlist so that hlist_del_init_rcu may be used.
    This allows proc_sys_prune_dcache to remove inodes from the sysctl_inodes
    list without causing problems for proc_sys_evict_inode if it later chooses
    to remove the inode from the sysctl_inodes list.  Removing inodes from the
    sysctl_inodes list gives proc_sys_prune_dcache a progress guarantee while
    still allowing it to drop all locks.  Because head->unregistering is set in
    start_unregistering, no more inodes will be added to the sysctl_inodes
    list.
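
    The reason a second removal is harmless can be illustrated with a small
    user-space sketch.  This is not the kernel code: the demo_* names are
    hypothetical stand-ins, there is no RCU or locking, and it only models
    the property that a "del_init" style removal marks the node as unhashed
    so that a later removal of the same node is a no-op.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>

/* User-space stand-ins for hlist types; names are hypothetical. */
struct demo_hlist_node { struct demo_hlist_node *next, **pprev; };
struct demo_hlist_head { struct demo_hlist_node *first; };

static void demo_hlist_add_head(struct demo_hlist_node *n,
                                struct demo_hlist_head *h)
{
    n->next = h->first;
    if (h->first)
        h->first->pprev = &n->next;
    h->first = n;
    n->pprev = &h->first;
}

/* A node with a NULL pprev is not on any list. */
static bool demo_hlist_unhashed(const struct demo_hlist_node *n)
{
    return n->pprev == NULL;
}

/* Unlink the node and mark it unhashed; calling this twice is safe. */
static void demo_hlist_del_init(struct demo_hlist_node *n)
{
    if (demo_hlist_unhashed(n))
        return;                 /* already removed: nothing to do */
    *n->pprev = n->next;
    if (n->next)
        n->next->pprev = n->pprev;
    n->pprev = NULL;            /* next is left alone, pprev marks removal */
}

/* Remove the middle node twice and count what is left on the list. */
int demo_double_removal(void)
{
    struct demo_hlist_head head = { NULL };
    struct demo_hlist_node a = { NULL, NULL };
    struct demo_hlist_node b = { NULL, NULL };
    struct demo_hlist_node c = { NULL, NULL };
    struct demo_hlist_node *pos;
    int count = 0;

    demo_hlist_add_head(&c, &head);
    demo_hlist_add_head(&b, &head);
    demo_hlist_add_head(&a, &head);   /* list is now a, b, c */

    demo_hlist_del_init(&b);          /* first remover (the prune path) */
    demo_hlist_del_init(&b);          /* second remover (the evict path) */

    for (pos = head.first; pos; pos = pos->next)
        count++;
    assert(demo_hlist_unhashed(&b));
    return count;
}
```

    In this sketch demo_double_removal() leaves nodes a and c on the list,
    and the second removal of b does not touch the list at all.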
    
    Previously the code did a dance where it delayed calling iput until the
    next entry in the list was being considered, to ensure the inode remained
    on the sysctl_inodes list until the walk had moved on to the next entry.
    The structure of the loop in this patch does not need that, so it is much
    easier to understand and maintain.
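
    The general loop shape described above (take the first entry, unlink it
    while the lock is held, drop the lock to do the work, retake the lock)
    can be sketched in user space as follows.  This is an illustration under
    assumptions, not the patch itself: every demo_* name is hypothetical, a
    boolean stands in for sysctl_lock, a counter stands in for the
    references the real code takes, and a plain singly linked list replaces
    the hlist.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>

struct demo_inode {
    struct demo_inode *next;  /* singly linked for brevity */
    int pins;                 /* stand-in for the references held */
    bool pruned;
};

struct demo_header {
    struct demo_inode *inodes; /* stand-in for the sysctl_inodes list */
    bool lock_held;            /* stand-in for sysctl_lock */
};

static void demo_lock(struct demo_header *h)
{
    assert(!h->lock_held);
    h->lock_held = true;
}

static void demo_unlock(struct demo_header *h)
{
    assert(h->lock_held);
    h->lock_held = false;
}

/* Work that must run with the lock dropped and the inode pinned. */
static void demo_prune_aliases(struct demo_header *h, struct demo_inode *inode)
{
    assert(!h->lock_held);
    assert(inode->pins > 0);
    inode->pruned = true;
}

/* Each pass unlinks one entry, so the loop always makes progress. */
int demo_prune_all(struct demo_header *h)
{
    int iterations = 0;

    demo_lock(h);
    while (h->inodes) {
        struct demo_inode *inode = h->inodes;

        h->inodes = inode->next;  /* unlink before dropping the lock */
        inode->next = NULL;
        inode->pins++;            /* keep the object alive while unlocked */
        demo_unlock(h);

        demo_prune_aliases(h, inode);
        inode->pins--;

        demo_lock(h);
        iterations++;
    }
    demo_unlock(h);
    return iterations;
}

/* Build a three-entry list, prune it, and report the iteration count. */
int demo_run_prune(void)
{
    struct demo_inode c = { NULL, 0, false };
    struct demo_inode b = { &c, 0, false };
    struct demo_inode a = { &b, 0, false };
    struct demo_header h = { &a, false };
    int n = demo_prune_all(&h);

    assert(a.pruned && b.pruned && c.pruned);
    assert(h.inodes == NULL && !h.lock_held);
    return n;
}
```

    Because nothing is added to the list once unregistering has started, the
    loop in this sketch runs exactly once per entry and needs no deferred
    release of the previous entry.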
    
    Cc: stable@vger.kernel.org
    Reported-by: Andrei Vagin <avagin@gmail.com>
    Tested-by: Andrei Vagin <avagin@openvz.org>
    Fixes: ace0c791 ("proc/sysctl: Don't grab i_lock under sysctl_lock.")
    Fixes: d6cffbbe ("proc/sysctl: prune stale dentries during unregistering")
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
proc_sysctl.c 40.3 KB