[resend PATCH v2 0/2] virtiofs submounts that are still in use forgotten by shrinker

From: Krister Johansen
Date: Mon Oct 02 2023 - 11:30:49 EST

Next message: Gregory Price: "Re: [RFC PATCH 2/3] mm/mempolicy: Implement set_mempolicy2 and get_mempolicy2 syscalls"
Previous message: Rob Herring: "Re: [PATCH v9 2/3] dt-bindings: hwmon: Support Aspeed g6 PWM TACH Control"
Next in thread: Krister Johansen: "[resend PATCH v2 1/2] fuse: revalidate: move lookup into a separate function"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,
I recently ran into a situation where a virtiofs client began
encountering EBADF after the client / guest system had an OOM. After
reproducing the issue and debugging, the problem is caused by a
virtiofsd submount having the nodeid of its root dentry fogotten. This
occurs because it borrows the reference for this dentry from the parent
that is passed into the function.

In this particular case, the submount had been bind mounted into a
container's mount namespace. The reference count on the original parent
dentry was 0, making it eligible for eviction. However, because this
dentry was also the last reference the fuse client knew it had, it sent
a forget message to the server. This caused all future references to
the FUSE node-id from virtiofsd perspective to become invalid.
Subsequent attempts to use the node-id for operations against the
submount's root received an EBADF from the server.

This pair of patches modifies the virtiofs submount code to perform a
lookup on the nodeid that forms the root of the submount. The patch
before this pulls the revalidate lookup code into a helper function that
can be used both in revalidate and submount superblock fill.

Tested via:

- fstests for virtiofs
- fstests for fuse (against passthrough_ll)
- manual testing to watch how refcounts change between client and server
in response to filesytem access, umount, and eviction by the shrinker.

This resend has rebased against the latest tip of fuse/for-next and
massaged the commit messages in the patches, but hasn't made any
functional modifications since the original v2.

There's also been an issue opened with the project that uses this
functionality. More details on that can be found at [1].

Changes since v1:

- Cleanups to pacify test robot

Changes since RFC:

- Modified fuse_fill_super_submount to always fail if dentry cannot be
revalidated. (Feedback from Bernd Schubert)
- Fixed up an edge case where looked up but subsequently declared
invalid dentries were not correctly tracking nlookup. (Error was
introduced in my RFC).

Thanks,

-K

[1] https://github.com/kata-containers/kata-containers/issues/8040

Krister Johansen (2):
fuse: revalidate: move lookup into a separate function
fuse: ensure that submounts lookup their parent

fs/fuse/dir.c | 85 +++++++++++++++++++++++++++++++++---------------
fs/fuse/fuse_i.h | 6 ++++
fs/fuse/inode.c | 43 ++++++++++++++++++++----
3 files changed, 101 insertions(+), 33 deletions(-)

--
2.25.1

Next message: Gregory Price: "Re: [RFC PATCH 2/3] mm/mempolicy: Implement set_mempolicy2 and get_mempolicy2 syscalls"
Previous message: Rob Herring: "Re: [PATCH v9 2/3] dt-bindings: hwmon: Support Aspeed g6 PWM TACH Control"
Next in thread: Krister Johansen: "[resend PATCH v2 1/2] fuse: revalidate: move lookup into a separate function"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]