lsm sb_delete hook, was Re: [PATCH 4/7] vfs: Convert sb->s_inodes iteration to super_iter_inodes()
Linus Torvalds
torvalds at linux-foundation.org
Mon Oct 7 20:37:19 UTC 2024
On Thu, 3 Oct 2024 at 04:57, Jan Kara <jack at suse.cz> wrote:
>
> Fair enough. If we go with the iterator variant I've suggested to Dave in
> [1], we could combine the evict_inodes(), fsnotify_unmount_inodes() and
> Landlocks hook_sb_delete() into a single iteration relatively easily. But
> I'd wait with that convertion until this series lands.
Honza, I looked at this a bit more, particularly with an eye of "what
happens if we just end up making the inode lifetimes subject to the
dentry lifetimes" as suggested by Dave elsewhere.
And honestly, the whole inode list use by the fsnotify layer seems to
kind of suck. But I may be entirely missing something, so maybe I'm
very wrong for some reason.
The reason I say it "seems to kind of suck" is that the whole final
/* for each watch, send FS_UNMOUNT and then remove it */
fsnotify_inode(inode, FS_UNMOUNT);
fsnotify_inode_delete(inode);
sequence seems to be entirely timing-dependent, and largely pointless and wrong.
Why?
Because inodes with no users will get removed at completely arbitrary
times under memory pressure in evict() -> destroy_inode(), and
obviously with I_DONTCACHE that ends up happening even earlier when
the dentry is removed.
So the whole "send FS_UNMOUNT and then remove it " thing seems to be
entirely bogus, and depending on memory pressure, lots of inodes will
only see the fsnotify_inode_delete() at eviction time and never get
the FS_UNMOUNT notification anyway.
So I get the feeling that we'd be better off entirely removing the
sb->s_inodes use from fsnotify, and replace this "get rid of them at
umount" with something like this instead:
diff --git a/fs/dcache.c b/fs/dcache.c
index 0f6b16ba30d0..aa2558de8d1f 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -406,6 +406,7 @@ static void dentry_unlink_inode(struct dentry * dentry)
spin_unlock(&inode->i_lock);
if (!inode->i_nlink)
fsnotify_inoderemove(inode);
+ fsnotify_inode_delete(inode);
if (dentry->d_op && dentry->d_op->d_iput)
dentry->d_op->d_iput(dentry, inode);
else
diff --git a/include/linux/fsnotify.h b/include/linux/fsnotify.h
index 278620e063ab..ea91cc216028 100644
--- a/include/linux/fsnotify.h
+++ b/include/linux/fsnotify.h
@@ -261,7 +261,6 @@ static inline void
fsnotify_vfsmount_delete(struct vfsmount *mnt)
static inline void fsnotify_inoderemove(struct inode *inode)
{
fsnotify_inode(inode, FS_DELETE_SELF);
- __fsnotify_inode_delete(inode);
}
/*
which makes the fsnotify_inode_delete() happen when the inode is
removed from the dentry.
Then at umount time, the dentry shrinking will deal with all live
dentries, and at most the fsnotify layer would send the FS_UNMOUNT to
just the root dentry inodes?
Wouldn't that make things much cleaner, and remove at least *one* odd
use of the nasty s_inodes list?
I have this feeling that maybe we can just remove the other users too
using similar models. I think the LSM layer use (in landlock) is bogus
for exactly the same reason - there's really no reason to keep things
around for a random cached inode without a dentry.
And I wonder if the quota code (which uses the s_inodes list to enable
quotas on already mounted filesystems) could for all the same reasons
just walk the dentry tree instead (and remove_dquot_ref similarly
could just remove it at dentry_unlink_inode() time)?
It really feels like most (all?) of the s_inode list users are
basically historical, and shouldn't use that list at all. And there
aren't _that_ many of them. I think Dave was right in just saying that
this list should go away entirely (or was it somebody else who made
that comment?)
Linus
More information about the Linux-security-module-archive
mailing list