Prevent inode sharing for directory dentries by by-passing cache.

Introduce `dontCache` argument in `getOrCreateInode`. In both
directfs and lisafs, set the new arg to true if the inode
represents a directory in new*fsDentry.

This avoids issues with hard-linking directories and correctly handles scenarios
 involving bind mounts on the host, where different paths can map to the same
device and inode number for a directory.

Co-authored-by: Andrei Vagin <avagin@google.com>
PiperOrigin-RevId: 813023661

Author: 2 people

pkg/sentry/fsimpl/gofer/directfs_inode.go

@@ -123,6 +123,7 @@ func (fs *filesystem) newDirectfsDentry(controlFD int) (*dentry, error) {
 		_ = unix.Close(controlFD)
 		return nil, err
 	}
+	isDir := stat.Mode&linux.FileTypeMask == linux.ModeDirectory
 	inoKey := inoKeyFromStat(&stat)
 
 	// Common case. Performance hack which is used to allocate the dentry
@@ -134,30 +135,36 @@ func (fs *filesystem) newDirectfsDentry(controlFD int) (*dentry, error) {
 		d dentry
 		i directfsInode
 	}{}
-	temp.d.inode = fs.getOrCreateInode(inoKey, func() { _ = unix.Close(controlFD) }, func() *inode {
-		temp.i = directfsInode{
-			inode: inode{
-				fs:        fs,
-				inoKey:    inoKey,
-				ino:       fs.inoFromKey(inoKey),
-				mode:      atomicbitops.FromUint32(stat.Mode),
-				uid:       atomicbitops.FromUint32(stat.Uid),
-				gid:       atomicbitops.FromUint32(stat.Gid),
-				blockSize: atomicbitops.FromUint32(uint32(stat.Blksize)),
-				readFD:    atomicbitops.FromInt32(-1),
-				writeFD:   atomicbitops.FromInt32(-1),
-				mmapFD:    atomicbitops.FromInt32(-1),
-				size:      atomicbitops.FromUint64(uint64(stat.Size)),
-				atime:     atomicbitops.FromInt64(dentryTimestampFromUnix(stat.Atim)),
-				mtime:     atomicbitops.FromInt64(dentryTimestampFromUnix(stat.Mtim)),
-				ctime:     atomicbitops.FromInt64(dentryTimestampFromUnix(stat.Ctim)),
-				nlink:     atomicbitops.FromUint32(uint32(stat.Nlink)),
-			},
-			controlFD: controlFD,
-		}
-		temp.i.inode.init(&temp.i)
-		return &temp.i.inode
-	})
+	// Force new inode creation for directory inodes to avoid hard-linking directories.
+	// This also avoids a correctness issue when a directory is bind-mounted on the host:
+	// different paths (e.g., /mnt/ and /mnt/a/b/c if /mnt/a/b/c is a bind mount of /mnt/)
+	// can return the same device ID and inode number from a stat call.
+	temp.d.inode = fs.getOrCreateInode(inoKey /* dontCache = */, isDir,
+		func() { _ = unix.Close(controlFD) },
+		func() *inode {
+			temp.i = directfsInode{
+				inode: inode{
+					fs:        fs,
+					inoKey:    inoKey,
+					ino:       fs.inoFromKey(inoKey),
+					mode:      atomicbitops.FromUint32(stat.Mode),
+					uid:       atomicbitops.FromUint32(stat.Uid),
+					gid:       atomicbitops.FromUint32(stat.Gid),
+					blockSize: atomicbitops.FromUint32(uint32(stat.Blksize)),
+					readFD:    atomicbitops.FromInt32(-1),
+					writeFD:   atomicbitops.FromInt32(-1),
+					mmapFD:    atomicbitops.FromInt32(-1),
+					size:      atomicbitops.FromUint64(uint64(stat.Size)),
+					atime:     atomicbitops.FromInt64(dentryTimestampFromUnix(stat.Atim)),
+					mtime:     atomicbitops.FromInt64(dentryTimestampFromUnix(stat.Mtim)),
+					ctime:     atomicbitops.FromInt64(dentryTimestampFromUnix(stat.Ctim)),
+					nlink:     atomicbitops.FromUint32(uint32(stat.Nlink)),
+				},
+				controlFD: controlFD,
+			}
+			temp.i.inode.init(&temp.i)
+			return &temp.i.inode
+		})
 
 	temp.d.init()
 	fs.syncMu.Lock()

pkg/sentry/fsimpl/gofer/filesystem.go

@@ -283,7 +283,10 @@ func (fs *filesystem) getRemoteChildLocked(ctx context.Context, parent *dentry,
 			fs.inodeMu.Lock()
 			child.inode.refs.DecRef(func() {
 				destroyInode = true
-				delete(fs.inodeByKey, child.inode.inoKey)
+				if !child.isDir() {
+					// Only non-directory inodes are cached in inodeByKey.
+					delete(fs.inodeByKey, child.inode.inoKey)
+				}
 			})
 			fs.inodeMu.Unlock()
 			child.destroyDisconnected(ctx, destroyInode)

pkg/sentry/fsimpl/gofer/gofer.go

@@ -239,9 +239,11 @@ type filesystem struct {
 	// files across checkpoint/restore. inoByKey is protected by inoMu.
 	inoMu    sync.Mutex        `state:"nosave"`
 	inoByKey map[inoKey]uint64 `state:"nosave"`
-	// inodeByKey maps internal inodeKeys [virtual ino and device ID] to inodes. inodeByKey is
-	// protected by inodeMu. inodeByKey is similar to inoByKey, except that is not an
-	// ever-growing map. As inodes are destroyed, its entry in this map is cleared.
+	// inodeByKey maps inoKey to non-directory inodes. inodeByKey is protected by
+	// inodeMu. inodeByKey is similar to inoByKey, except that is not an
+	// ever-growing map. This is to allow for the sharing of inodes across
+	// dentries. As non-directory dentries are destroyed, their associated inode
+	// entry in this map is cleared.
 	inodeMu    sync.Mutex        `state:"nosave"`
 	inodeByKey map[inoKey]*inode `state:"nosave"`
 
@@ -260,12 +262,20 @@ type filesystem struct {
 	released atomicbitops.Int32
 }
 
-// getOrCreateInode returns the inode for the given inoKey and upon inode cache
-// hit, calls onCacheHit and increments the inode's reference count. On cache
-// miss, createInode is called and the new inode is returned.
-// getOrCreateInode locks fs.inodeMu.
+// getOrCreateInode returns an inode for the given inoKey, to avoid creating
+// multiple inodes objects for the same inoKey. This is useful for sharing
+// inodes across dentries.
+//
+// If a miss, `createInode` is called and the result is cached. If a hit,
+// `onCacheHit` is called. This path locks fs.inodeMu.
+//
 // The caller is responsible for decrementing the inode's reference count when done.
-func (fs *filesystem) getOrCreateInode(inoKey inoKey, onCacheHit func(), createInode func() *inode) *inode {
+func (fs *filesystem) getOrCreateInode(inoKey inoKey, dontCache bool, onCacheHit func(), createInode func() *inode) *inode {
+	if dontCache {
+		// Create a new inode and return it bypassing the cache. This is used for
+		// creating inodes that are not meant to be shared across dentries.
+		return createInode()
+	}
 	fs.inodeMu.Lock()
 	defer fs.inodeMu.Unlock()
 	if cachedInode, ok := fs.inodeByKey[inoKey]; ok {
@@ -1886,7 +1896,10 @@ func (d *dentry) destroyLocked(ctx context.Context) {
 	d.inode.fs.inodeMu.Lock()
 	d.inode.refs.DecRef(func() {
 		destroyInode = true
-		delete(d.inode.fs.inodeByKey, d.inode.inoKey)
+		if !d.isDir() {
+			// Only non-directory inodes are cached in inodeByKey.
+			delete(d.inode.fs.inodeByKey, d.inode.inoKey)
+		}
 	})
 	d.inode.fs.inodeMu.Unlock()
 

pkg/sentry/fsimpl/gofer/lisafs_inode.go

@@ -114,7 +114,7 @@ func (fs *filesystem) newLisafsDentry(ctx context.Context, ino *lisafs.Inode) (*
 		fs.client.CloseFD(ctx, ino.ControlFD, false /* flush */)
 		return nil, linuxerr.EIO
 	}
-
+	isDir := ino.Stat.Mode&linux.FileTypeMask == linux.ModeDirectory
 	inoKey := inoKeyFromStatx(&ino.Stat)
 	// Common case. Performance hack which is used to allocate the dentry
 	// and its inode together in the heap. This will help reduce allocations and memory
@@ -125,69 +125,73 @@ func (fs *filesystem) newLisafsDentry(ctx context.Context, ino *lisafs.Inode) (*
 		d dentry
 		i lisafsInode
 	}{}
-	temp.d.inode = fs.getOrCreateInode(inoKey, func() {
-		fs.client.CloseFD(ctx, ino.ControlFD, false /* flush */)
-	}, func() *inode {
-		temp.i = lisafsInode{
-			inode: inode{
-				fs:        fs,
-				inoKey:    inoKey,
-				ino:       fs.inoFromKey(inoKey),
-				mode:      atomicbitops.FromUint32(uint32(ino.Stat.Mode)),
-				uid:       atomicbitops.FromUint32(uint32(fs.opts.dfltuid)),
-				gid:       atomicbitops.FromUint32(uint32(fs.opts.dfltgid)),
-				blockSize: atomicbitops.FromUint32(hostarch.PageSize),
-				readFD:    atomicbitops.FromInt32(-1),
-				writeFD:   atomicbitops.FromInt32(-1),
-				mmapFD:    atomicbitops.FromInt32(-1),
-			},
-			controlFD: fs.client.NewFD(ino.ControlFD),
-		}
-		temp.i.inode.init(&temp.i)
-		inode := &temp.i.inode
-		if ino.Stat.Mask&linux.STATX_UID != 0 {
-			inode.uid = atomicbitops.FromUint32(dentryUID(lisafs.UID(ino.Stat.UID)))
-		}
-		if ino.Stat.Mask&linux.STATX_GID != 0 {
-			inode.gid = atomicbitops.FromUint32(dentryGID(lisafs.GID(ino.Stat.GID)))
-		}
-		if ino.Stat.Mask&linux.STATX_SIZE != 0 {
-			inode.size = atomicbitops.FromUint64(ino.Stat.Size)
-		}
-		if ino.Stat.Blksize != 0 {
-			inode.blockSize = atomicbitops.FromUint32(ino.Stat.Blksize)
-		}
-		if ino.Stat.Mask&linux.STATX_ATIME != 0 {
-			inode.atime = atomicbitops.FromInt64(dentryTimestamp(ino.Stat.Atime))
-		} else {
-			inode.atime = atomicbitops.FromInt64(fs.clock.Now().Nanoseconds())
-		}
-		if ino.Stat.Mask&linux.STATX_MTIME != 0 {
-			inode.mtime = atomicbitops.FromInt64(dentryTimestamp(ino.Stat.Mtime))
-		} else {
-			inode.mtime = atomicbitops.FromInt64(fs.clock.Now().Nanoseconds())
-		}
-		if ino.Stat.Mask&linux.STATX_CTIME != 0 {
-			inode.ctime = atomicbitops.FromInt64(dentryTimestamp(ino.Stat.Ctime))
-		} else {
-			// Approximate ctime with mtime if ctime isn't available.
-			inode.ctime = atomicbitops.FromInt64(inode.mtime.Load())
-		}
-		if ino.Stat.Mask&linux.STATX_BTIME != 0 {
-			inode.btime = atomicbitops.FromInt64(dentryTimestamp(ino.Stat.Btime))
-		}
+	// Force new inode creation for directory inodes to avoid hard-linking directories.
+	// This also avoids a correctness issue when a directory is bind-mounted on the host:
+	// different paths (e.g., /mnt/ and /mnt/a/b/c if /mnt/a/b/c is a bind mount of /mnt/)
+	// can return the same device ID and inode number from a stat call.
+	temp.d.inode = fs.getOrCreateInode(inoKey /* dontCache = */, isDir,
+		func() { fs.client.CloseFD(ctx, ino.ControlFD, false /* flush */) },
+		func() *inode {
+			temp.i = lisafsInode{
+				inode: inode{
+					fs:        fs,
+					inoKey:    inoKey,
+					ino:       fs.inoFromKey(inoKey),
+					mode:      atomicbitops.FromUint32(uint32(ino.Stat.Mode)),
+					uid:       atomicbitops.FromUint32(uint32(fs.opts.dfltuid)),
+					gid:       atomicbitops.FromUint32(uint32(fs.opts.dfltgid)),
+					blockSize: atomicbitops.FromUint32(hostarch.PageSize),
+					readFD:    atomicbitops.FromInt32(-1),
+					writeFD:   atomicbitops.FromInt32(-1),
+					mmapFD:    atomicbitops.FromInt32(-1),
+				},
+				controlFD: fs.client.NewFD(ino.ControlFD),
+			}
+			temp.i.inode.init(&temp.i)
+			inode := &temp.i.inode
+			if ino.Stat.Mask&linux.STATX_UID != 0 {
+				inode.uid = atomicbitops.FromUint32(dentryUID(lisafs.UID(ino.Stat.UID)))
+			}
+			if ino.Stat.Mask&linux.STATX_GID != 0 {
+				inode.gid = atomicbitops.FromUint32(dentryGID(lisafs.GID(ino.Stat.GID)))
+			}
+			if ino.Stat.Mask&linux.STATX_SIZE != 0 {
+				inode.size = atomicbitops.FromUint64(ino.Stat.Size)
+			}
+			if ino.Stat.Blksize != 0 {
+				inode.blockSize = atomicbitops.FromUint32(ino.Stat.Blksize)
+			}
+			if ino.Stat.Mask&linux.STATX_ATIME != 0 {
+				inode.atime = atomicbitops.FromInt64(dentryTimestamp(ino.Stat.Atime))
+			} else {
+				inode.atime = atomicbitops.FromInt64(fs.clock.Now().Nanoseconds())
+			}
+			if ino.Stat.Mask&linux.STATX_MTIME != 0 {
+				inode.mtime = atomicbitops.FromInt64(dentryTimestamp(ino.Stat.Mtime))
+			} else {
+				inode.mtime = atomicbitops.FromInt64(fs.clock.Now().Nanoseconds())
+			}
+			if ino.Stat.Mask&linux.STATX_CTIME != 0 {
+				inode.ctime = atomicbitops.FromInt64(dentryTimestamp(ino.Stat.Ctime))
+			} else {
+				// Approximate ctime with mtime if ctime isn't available.
+				inode.ctime = atomicbitops.FromInt64(inode.mtime.Load())
+			}
+			if ino.Stat.Mask&linux.STATX_BTIME != 0 {
+				inode.btime = atomicbitops.FromInt64(dentryTimestamp(ino.Stat.Btime))
+			}
 
-		if ino.Stat.Mask&linux.STATX_NLINK != 0 {
-			inode.nlink = atomicbitops.FromUint32(ino.Stat.Nlink)
-		} else {
-			if ino.Stat.Mode&linux.FileTypeMask == linux.ModeDirectory {
-				inode.nlink = atomicbitops.FromUint32(2)
+			if ino.Stat.Mask&linux.STATX_NLINK != 0 {
+				inode.nlink = atomicbitops.FromUint32(ino.Stat.Nlink)
 			} else {
-				inode.nlink = atomicbitops.FromUint32(1)
+				if isDir {
+					inode.nlink = atomicbitops.FromUint32(2)
+				} else {
+					inode.nlink = atomicbitops.FromUint32(1)
+				}
 			}
-		}
-		return inode
-	})
+			return inode
+		})
 
 	temp.d.init()
 	fs.syncMu.Lock()