| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 26 Aug 2023 03:28:52 +0100
From: Al Viro <viro@...iv.linux.org.uk>
To: Jan Kara <jack@...e.cz>
Cc: linux-fsdevel@...r.kernel.org, linux-block@...r.kernel.org,
Christoph Hellwig <hch@...radead.org>,
Alasdair Kergon <agk@...hat.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Anna Schumaker <anna@...nel.org>, Chao Yu <chao@...nel.org>,
Christian Borntraeger <borntraeger@...ux.ibm.com>,
"Darrick J. Wong" <djwong@...nel.org>,
Dave Kleikamp <shaggy@...nel.org>,
David Sterba <dsterba@...e.com>, dm-devel@...hat.com,
drbd-dev@...ts.linbit.com, Gao Xiang <xiang@...nel.org>,
Jack Wang <jinpu.wang@...os.com>,
Jaegeuk Kim <jaegeuk@...nel.org>,
jfs-discussion@...ts.sourceforge.net,
Joern Engel <joern@...ybastard.org>,
Joseph Qi <joseph.qi@...ux.alibaba.com>,
Kent Overstreet <kent.overstreet@...il.com>,
linux-bcache@...r.kernel.org, linux-btrfs@...r.kernel.org,
linux-erofs@...ts.ozlabs.org, linux-ext4@...r.kernel.org,
linux-f2fs-devel@...ts.sourceforge.net, linux-mm@...ck.org,
linux-mtd@...ts.infradead.org, linux-nfs@...r.kernel.org,
linux-nilfs@...r.kernel.org, linux-nvme@...ts.infradead.org,
linux-pm@...r.kernel.org, linux-raid@...r.kernel.org,
linux-s390@...r.kernel.org, linux-scsi@...r.kernel.org,
linux-xfs@...r.kernel.org,
"Md. Haris Iqbal" <haris.iqbal@...os.com>,
Mike Snitzer <snitzer@...nel.org>,
Minchan Kim <minchan@...nel.org>, ocfs2-devel@....oracle.com,
reiserfs-devel@...r.kernel.org,
Sergey Senozhatsky <senozhatsky@...omium.org>,
Song Liu <song@...nel.org>,
Sven Schnelle <svens@...ux.ibm.com>,
target-devel@...r.kernel.org, Ted Tso <tytso@....edu>,
Trond Myklebust <trond.myklebust@...merspace.com>,
xen-devel@...ts.xenproject.org, Jens Axboe <axboe@...nel.dk>,
Christian Brauner <brauner@...nel.org>
Subject: Re: [PATCH v2 0/29] block: Make blkdev_get_by_*() return handle
On Fri, Aug 25, 2023 at 03:47:56PM +0200, Jan Kara wrote:
> I can see the appeal of not having to introduce the new bdev_handle type
> and just using struct file which unifies in-kernel and userspace block
> device opens. But I can see downsides too - the last fput() happening from
> task work makes me a bit nervous whether it will not break something
> somewhere with exclusive bdev opens. Getting from struct file to bdev is
> somewhat harder but I guess a helper like F_BDEV() would solve that just
> fine.
>
> So besides my last fput() worry about I think this could work and would be
> probably a bit nicer than what I have. But before going and redoing the whole
> series let me gather some more feedback so that we don't go back and forth.
> Christoph, Christian, Jens, any opinion?
Redoing is not an issue - it can be done on top of your series just
as well. Async behaviour of fput() might be, but... need to look
through the actual users; for a lot of them it's perfectly fine.
FWIW, from a cursory look there appears to be a missing primitive: take
an opened bdev (or bdev_handle, with your variant, or opened file if we
go that way eventually) and claim it.
I mean, look at claim_swapfile() for example:
p->bdev = blkdev_get_by_dev(inode->i_rdev,
FMODE_READ | FMODE_WRITE | FMODE_EXCL, p);
if (IS_ERR(p->bdev)) {
error = PTR_ERR(p->bdev);
p->bdev = NULL;
return error;
}
p->old_block_size = block_size(p->bdev);
error = set_blocksize(p->bdev, PAGE_SIZE);
if (error < 0)
return error;
we already have the file opened, and we keep it opened all the way until
the swapoff(2); here we have noticed that it's a block device and we
* open the fucker again (by device number), this time claiming
it with our swap_info_struct as holder, to be closed at swapoff(2) time
(just before we close the file)
* flip the block size to PAGE_SIZE, to be reverted at swapoff(2)
time That really looks like it ought to be
* take the opened file, see that it's a block device
* try to claim it with that holder
* on success, flip the block size
with close_filp() in the swapoff(2) (or failure exit path in swapon(2))
doing what it would've done for an O_EXCL opened block device.
The only difference from O_EXCL userland open is that here we would
end up with holder pointing not to struct file in question, but to our
swap_info_struct. It will do the right thing.
This extra open is entirely due to "well, we need to claim it and the
primitive that does that happens to be tied to opening"; feels rather
counter-intuitive.
For that matter, we could add an explicit "unclaim" primitive - might
be easier to follow. That would add another example where that could
be used - in blkdev_bszset() we have an opened block device (it's an
ioctl, after all), we want to change block size and we *really* don't
want to have that happen under a mounted filesystem. So if it's not
opened exclusive, we do a temporary exclusive open of own and act on
that instead. Might as well go for a temporary claim...
BTW, what happens if two threads call ioctl(fd, BLKBSZSET, &n)
for the same descriptor that happens to have been opened O_EXCL?
Without O_EXCL they would've been unable to claim the sucker at the same
time - the holder we are using is the address of a function argument,
i.e. something that points to kernel stack of the caller. Those would
conflict and we either get set_blocksize() calls fully serialized, or
one of the callers would eat -EBUSY. Not so in "opened with O_EXCL"
case - they can very well overlap and IIRC set_blocksize() does *not*
expect that kind of crap... It's all under CAP_SYS_ADMIN, so it's not
as if it was a meaningful security hole anyway, but it does look fishy.
Powered by blists - more mailing lists