Linux 6.15 compat

[robn]

Motivation and Context

"I wish it need not have happened in my time," said Frodo. "So do I," said Gandalf, "and so do all who live to see such times. But that is not for them to decide. All we have to decide is what to do with the time that is given us."

6.15-rc1 released, so off we go again.

Description

First two changes are benign: minor signature change for iops->mkdir, and a rename for del_timer_sync. Nothing to see here.

Update 2025-04-29: the third change, to update the credential checks, has been removed in favour of #17273. This PR has been rebased on that one. Original PR description in the collapsed section for posterity.

Original description of changes to credential checks.

The last one is more complicated, and I would like a subject-matter expert or two to have a look, because I'm not that and this is educated guesswork.

For background, since I had to go figure it out myself: secpolicy_zfs_proc() is used to ensure that a given process (or credential from it) is allowed to perform some operation. It's used by various async admin tasks (eg taking a snapshot), where the calling process (eg zfs snapshot in userspace) is not the one that actually performs the work (some kernel thread), and of particular interest, I think, is the use in channel programs, where we need to consider the permissions of the zfs program process as different Lua functions are called.

On Linux, most of the capability-checking functions check permissions for the current task, not some arbitrary task. We have used has_capability(), which can take a credential from a target process; exactly what we want. However, this function has been removed in 6.15, and there's no easy equivalent we can just drop in:

• has_capabaility_noaudit() would drop in, but as it says, doesn't post an audit event, which isn't something I just want to get rid of unless we have no choice
• has_ns_capability(), security_capable() and other low-level functions aren't exported to modules
• file_ns_capable() is exported, but it's a quite awful to cook a struct file with only a struct cred inside

So, I've taken a slightly different approach. There's a set of APIs for swapping a struct cred into the current task, and reverting it. I'm now using this to get the cred from the target task, swap it in, do the check, swap it all back out and return. This appears to at least not break anything in the test suite, but I don't know to what extent it's actually exercised, so I'd like someone who knows this subsystem or has the ability to test properly to do so and report back.

I don't love this, in part because of the warning in the kernel headers for get_task_cred() that "the caller must make sure task doesn't go away". However, it seems that if this is a problem, then it's already a problem, in that the stashed task we pass to secpolicy_zfs_proc() could have disappeared since the original call from userspace. I'm assuming that's not already happening for now.

Incidentally, if this does pan out, it might be the way to change the API to only need the cred_t, like on FreeBSD, by calling prepare_kernel_cred() wherever we would call CRED() now. This creates a struct cred explicitly designed to allow a kernel thread to do something on behalf of a userspace program. It does change thing a little, as we need a release function (the returned cred is heap-allocated), but it might allow us to not have to pass the task around with the cred. I'm not going to do this (for now) as I really don't know enough about it all, but there's a small project if someone wants it.

Tiny spanner: get_task_cred() exists but was not exported in upstream 4.19 (though I'd be surprised if it were not backported to an EL8 kernel). Regardless, it is trivial to implement a wrapper, or to just fall back to has_capability() there. The reason I haven't kept has_capability() for <6.15 is because I would rather not have two entirely different methods on "active" kernel releases unless there's a real need. Too many places for bugs and quirks to hide otherwise.

How Has This Been Tested?

Compiled checked on all LTS kernel series >= 4.19, and all 6.x kernel series.

Sanity run (create pool, fio, export, import, scrub) run on >= 4.19, completed successfully. (except 5.5, something weird is stopping it booting on my test VMs, unrelated)

ZTS passed on 6.15-rc1, -rc2, -rc4, rc5, -rc6.

Update 2025-04-29: rechecked after rebase onto #17273.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Performance enhancement (non-breaking change which improves efficiency)
• Code cleanup (non-breaking change which makes code smaller or more readable)
• Breaking change (fix or feature that would cause existing functionality to change)
• Library ABI change (libzfs, libzfs_core, libnvpair, libuutil and libzfsbootenv)
• Documentation (a change to man pages or other documentation)

Checklist:

• My code follows the OpenZFS code style requirements.
• I have updated the documentation accordingly.
• I have read the contributing document.
• I have added tests to cover my changes.
• I have run the ZFS Test Suite with this change applied.
• All commit messages are properly formatted and contain Signed-off-by.

[robn]

Died overnight during the ZTS run with a hard panic:

[ 5253.763882] Kernel panic - not syncing: buffer modified while frozen!
[ 5253.764100] CPU: 3 UID: 0 PID: 891629 Comm: rm Tainted: P           OE       6.15.0-rc1 #1 PREEMPT(voluntary)
[ 5253.764424] Tainted: [P]=PROPRIETARY_MODULE, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
[ 5253.764664] Hardware name: FreeBSD BHYVE/BHYVE, BIOS 14.0 10/17/2021
[ 5253.764872] Call Trace:
[ 5253.764961]  <TASK>
[ 5253.765039]  panic+0x33f/0x3a0
[ 5253.765155]  arc_cksum_verify+0x20e/0x210 [zfs]
[ 5253.765554]  arc_buf_destroy_impl+0x38/0x330 [zfs]
[ 5253.765840]  arc_buf_destroy+0xf7/0x370 [zfs]
[ 5253.766113]  dbuf_destroy+0x5d/0x790 [zfs]
[ 5253.766384]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 5253.766433]  ? aggsum_add+0x1eb/0x310 [zfs]
[ 5253.766433]  dbuf_free_range+0x286/0x710 [zfs]
[ 5253.766433]  dnode_free_range+0x1f5/0x8c0 [zfs]
[ 5253.766433]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 5253.766433]  ? dmu_tx_try_assign+0x3c5/0x470 [zfs]
[ 5253.766433]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 5253.766433]  ? txg_rele_to_quiesce+0x40/0x90 [zfs]
[ 5253.766433]  dmu_free_long_range_impl+0x2b0/0x4e0 [zfs]
[ 5253.766433]  dmu_free_long_range+0x76/0xc0 [zfs]
[ 5253.766433]  zfs_rmnode+0x3a8/0x5b0 [zfs]
[ 5253.766433]  zfs_inactive+0x1e9/0x300 [zfs]
[ 5253.766433]  ? down_read+0xe/0xa0
[ 5253.766433]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 5253.766433]  zpl_evict_inode+0x36/0x50 [zfs]
[ 5253.766433]  evict+0x113/0x280
[ 5253.766433]  do_unlinkat+0x29a/0x2f0
[ 5253.766433]  __x64_sys_unlinkat+0x31/0x60
[ 5253.766433]  do_syscall_64+0x7e/0x190
[ 5253.766433]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 5253.766433]  ? __do_sys_newfstatat+0x4d/0x80
[ 5253.766433]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 5253.766433]  ? syscall_exit_to_user_mode+0x49/0x210
[ 5253.766433]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 5253.766433]  ? do_syscall_64+0x8a/0x190
[ 5253.766433]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 5253.766433]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 5253.766433]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 5253.766433] RIP: 0033:0x7f978d243ab7
[ 5253.766433] Code: 73 01 c3 48 8b 0d 49 83 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 07 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 19 83 0d 00 f7 d8 64 89 01 48
[ 5253.766433] RSP: 002b:00007ffca3d4ad88 EFLAGS: 00000206 ORIG_RAX: 0000000000000107
[ 5253.766433] RAX: ffffffffffffffda RBX: 0000561e9ecb75a0 RCX: 00007f978d243ab7
[ 5253.766433] RDX: 0000000000000000 RSI: 0000561e9ecb6380 RDI: 00000000ffffff9c
[ 5253.766433] RBP: 0000561e9ecb62f0 R08: 0000000000000003 R09: 0000000000000000
[ 5253.766433] R10: 00007f978d162f80 R11: 0000000000000206 R12: 0000000000000000
[ 5253.766433] R13: 00007ffca3d4af70 R14: 0000000000000003 R15: 0000561e9ecb75a0
[ 5253.766433]  </TASK>
[ 5253.766433] Kernel Offset: 0x14800000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 5253.766433] ---[ end Kernel panic - not syncing: buffer modified while frozen! ]---

Last log says it was in cleanup for cli_root/zpool_resilver, but nothing interesting had happened up until that point, and no failures. My gut feeling is that it's nothing to do with any particular test, but rather, something in inode cleanup. I'll set it running again to see if it blows up in the same way and/or the same spot, and later today I'll see if there were any changes around inode cleanup that didn't change the API but did change behaviour.

[robn]

Second run ran to completion, all successful. I'll do a few, see if I can run into it again.

[ascendbeing]

Just tried this, using pf-6.15, latest zfs git with this applied as a patch. everything compiled fine, except nvidia-drivers, which is normal for an RC-stage kernel. Booted fine. Running 3 pools (+1 dormant, all running 2.3), so far so good (only been about 10 min live), will report back if anything untoward occurs.
My root is bcachefs now, compared to previous compat prs, where I had zfs root. I still have /home on zfs for whatever it's worth.

[robn]

Haven't tripped the above panic again since. ZTS completed sucessfully on 6.15.0-rc3.

This is shaping up towards "probably mostly fine", but I'm still eager for thorough review on the capability change. Is there a Linux kernel boffin in the room?

[snajpa]

Died overnight during the ZTS run with a hard panic:

that seems related to what we're after here #17118

[robn]

Rebased to master + #17273, original description updated.

[tonyhutter]

The code looks ok 👍 I just kicked off the CI to see if Fedora 42 behaves.

[snajpa]

The tests won’t reveal the possible downstream effects of returning NULL instead of the dentry on success, especially in setup with kNFSd, I mean sorry for being annoying, but the kernel guys seem to be after some speedups there and if every in tree vfs api consumer complies, then it’s possible that over time, this becomes an undertested edge case for them… at least that’s how I understand the new notes.

I haven’t dived any deeper into this so far than looking at the diff to see what’s new and applying my recent experience :))

[KrzysztofHajdamowicz]

Are those patches compatible with 2.2.7 or require backporting?

---
I started to backport changes to 2.2.7 and I have a question about master...robn:zfs:linux-6.15-compat#diff-bba0c7fe617958d737a9694576af28faa61b3b0ac6cea4f598859f1573edd355R405
There's no such snippet in 2.2.7

if (is_nametoolong(dentry)) {
return (-ENAMETOOLONG);
}

---
That's my progress so far, I'll appreciate reviewing
KrzysztofHajdamowicz@0f00067
Patch file: https://paste.opensuse.org/pastes/288ba23b65db

[robn]

@KrzysztofHajdamowicz that particular snippet comes from the long filename support added in 2.3.

The last kernel supported by 2.2.7 in 6.12, so you'll probably need to backport at least some of the 6.13 and 6.14 patches first.

[robn]

Clean ZTS run on 6.15-rc5 overnight.

[KrzysztofHajdamowicz]

@KrzysztofHajdamowicz that particular snippet comes from the long filename support added in 2.3.

The last kernel supported by 2.2.7 in 6.12, so you'll probably need to backport at least some of the 6.13 and 6.14 patches first.

I have 6.13 and 6.14 [1] working with 2.2.7 [2] so it's pretty compatible right now.
Do I need to backport more 2.3 changes or just trim 6.15 compatibility patch to skip parts that does not exist in that release family?

1: https://github.com/KrzysztofHajdamowicz/pve-kernel/releases
2: https://github.com/KrzysztofHajdamowicz/pve-kernel-zfsonlinux

[tonyhutter]

So I agree we should switch over to d_instantiate_new, and maybe I'll go do that this week. But, as it currently stands, I don't see why we'd change to returning the dentry. It seems to be only necessary if the inode might not be I_NEW, but I don't see how it couldn't be, because we always create it.

I see your latest push still uses d_instantiate(). Were you still planning to go the d_instantiate_new() route?

[robn]

@tonyhutter sorry, wasn't clear. I think d_instantiate_new() is the right thing in general, but not required for this PR.

[robn]

@KrzysztofHajdamowicz more the latter - just go through the patches, take the bits you need. You probably do need c8fa39b though.

[tonyhutter]

@tonyhutter sorry, wasn't clear. I think d_instantiate_new() is the right thing in general, but not required for this PR.

Ok, we should probably give a heads-up in the code why we didn't use d_instantiate_new() though. Maybe this? (untested, feel free to re-word):

diff --git a/module/os/linux/zfs/zpl_inode.c b/module/os/linux/zfs/zpl_inode.c
index f9f6406f8..08f7713b4 100644
--- a/module/os/linux/zfs/zpl_inode.c
+++ b/module/os/linux/zfs/zpl_inode.c
@@ -205,6 +205,11 @@ zpl_create(struct inode *dir, struct dentry *dentry, umode_t mode, bool flag)
                        remove_inode_hash(ZTOI(zp));
                        iput(ZTOI(zp));
                } else {
+                       /*
+                        * We can use d_instantiate() here since we know our
+                        * inode will always be I_NEW since we create it.
+                        */
+                       ASSERT(ZTOI(zp)->i_state & I_NEW);
                        d_instantiate(dentry, ZTOI(zp));
                }
        }

[robn]

I haven't studied it closely enough to know if that assert is safe.

To be clear, d_instantiate_new() was introduced in 4.17. This is not a 6.15 thing I'm trying to avoid or anything like that. I'm totally on board with making updating the Linux code to use the "right" way, but I don't want to lump it into this PR; it seems unrelated, and it's the kind of study that can take hours, so I don't want this PR to block on it.

Of course, if sorting it out now is required for 6.15, then I'll do it now (like the CRED() stuff), but I haven't seen any evidence of that. Someone let me know if I'm wrong, please!

[tonyhutter]

@robn sorry, my earlier diff was in zpl_create() instead of zpl_mkdir(). It should be:

diff --git a/module/os/linux/zfs/zpl_inode.c b/module/os/linux/zfs/zpl_inode.c
index f9f6406f8..0b6fdc6ba 100644
--- a/module/os/linux/zfs/zpl_inode.c
+++ b/module/os/linux/zfs/zpl_inode.c
@@ -423,6 +423,12 @@ zpl_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode)
                        remove_inode_hash(ZTOI(zp));
                        iput(ZTOI(zp));
                } else {
+                       /*
+                        * We can use d_instantiate() here since we know our
+                        * inode will always be I_NEW.
+                        */
+                       ASSERT(ZTOI(zp)->i_state & I_NEW);
+
                        d_instantiate(dentry, ZTOI(zp));
                }
        }

To be clear, d_instantiate_new() was introduced in 4.17. This is not a 6.15 thing I'm trying to avoid or anything like that. I'm totally on board with making updating the Linux code to use the "right" way, but I don't want to lump it into this PR; it seems unrelated, and it's the kind of study that can take hours, so I don't want this PR to block on it.

I bring it up in the context of this PR since zpl_mkdir() is now returning a dentry. I believe we need to call d_instantiate_new() and return the new dentry if the inode is not I_NEW. Or at least that's my reading of the docs:

mkdir
	called by the mkdir(2) system call.  Only required if you want
	to support creating subdirectories.  You will probably need to
	call d_instantiate_new() just as you would in the create() method.

	If d_instantiate_new() is not used and if the fh_to_dentry()
	export operation is provided, or if the storage might be
	accessible by another path (e.g. with a network filesystem)
	then more care may be needed.  Importantly d_instantate()
	should not be used with an inode that is no longer I_NEW if there
	any chance that the inode could already be attached to a dentry.
	This is because of a hard rule in the VFS that a directory must
	only ever have one dentry.

	For example, if an NFS filesystem is mounted twice the new directory
	could be visible on the other mount before it is on the original
	mount, and a pair of name_to_handle_at(), open_by_handle_at()
	calls could instantiate the directory inode with an IS_ROOT()
	dentry before the first mkdir returns.

	If there is any chance this could happen, then the new inode
	should be d_drop()ed and attached with d_splice_alias().  The
	returned dentry (if any) should be returned by ->mkdir().

(https://elixir.bootlin.com/linux/v6.15-rc5/source/Documentation/filesystems/vfs.rst)

But if we're sure the inode is always I_NEW then the ASSERT() will always pass, and we can keep things simple with d_instantiate().

[robn]

I agree you're probably right, but I have definitely not thought hard about the conditional "if there any chance that the inode could already be attached to a dentry". I am fairly sure that's not the case, but there's stuff I haven't looked at much (like snapdirs) and I don't know much about how things like overlays, bind mounts and such interact here.

My take is that this call always took a dentry from the kernel, and if you wanted to replace it you had to do jump through some hoops, whereas now you just have to return it. We haven't been jumping through hoops, so we can continue not to, and that's it.

But, like I said, I reckon it's probably right, I just haven't done the work to be sure and as we know, I am very averse to risk. But I sense I might be overblowing it here, so I'll push it for the test runners to take a look at, and get a fresh run going against rc5, and see that they are probably fine :)

[robn]

Heh, nope. On 6.8.12 and 6.15-rc5:

[    6.473283] ZTS run /usr/local/share/zfs/zfs-tests/tests/functional/acl/off/setup
[    6.862132] VERIFY(ZTOI(zp)->i_state & I_NEW) failed
[    6.862365] PANIC at zpl_inode.c:430:zpl_mkdir()

So yeah. lets not do that.

[robn]

ZTS pass on -rc6. Pretty sure I have nothing more to add here.

[behlendorf]

Thanks guys, merged. We'll bump the META version when the final 6.15 is tagged and we're able to retest with it.

[robn]

Great, thanks. FYI, it passed on -rc7 overnight.

[vedranmiletic]

Thanks guys, merged. We'll bump the META version when the final 6.15 is tagged and we're able to retest with it.

Just FYI, final 6.15 was tagged yesterday.