lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 10 Dec 2021 22:53:59 +0300 (MSK)
From:   Roman Anufriev <>
To:     Dave Chinner <>
cc:     Andreas Dilger <>,
        "Theodore Y. Ts'o" <>,
        linux-ext4 <>, Jan Kara <>,
        Wang Shilong <>,
        Dmitry Monakhov <>,
        "Darrick J. Wong" <>
Subject: Re: [PATCH] ext4: compare inode's i_projid with EXT4_DEF_PROJID
 rather than check EXT4_INODE_PROJINHERIT flag

On Fri, 10 Dec 2021, Dave Chinner wrote:

> On Thu, Dec 09, 2021 at 03:53:55PM -0700, Andreas Dilger wrote:
>> On Dec 7, 2021, at 12:34 PM, Theodore Y. Ts'o <tytso@....EDU> wrote:
>>> On Tue, Dec 07, 2021 at 05:05:19PM +0300, Roman Anufriev wrote:
>>>>> Commit 7ddf79a10395 ("ext4: only set project inherit bit for directory")
>>>>> removes EXT4_INODE_PROJINHERIT flag from regular files. This makes
>>>>> ext4_statfs() output incorrect (function does not apply quota limits
>>>>> on used/available space, etc) when called on dentry of regular file
>>>>> with project quota enabled.
>>> Under what circumstance is userspace trying to call statfs on a file
>>> descriptor?
>> Who knows what users do?  Calling statfs() on a regular file works fine
>> (returns stats for the filesystem), so I don't see why it wouldn't be
>> consistent when calling statfs() on a file with projid set?
>> Darrick, how does XFS handle this case?  I think it makes sense to be
>> consistent with that implementation, since that was the main reason to
>> remove PROJINHERIT from regular files in the first place.
> If PROJINHERIT is set on the inode, it will return the information
> for the projid on that inode. XFS doesn't care what type of inode it
> is, just whether the PROJINHERIT flag is set.
> That said, on XFS, only directory inodes will have the PROJINHERIT
> flag set. So, in effect, only statfs() on directory inodes can
> report project quota limits.

This is the thing that confused our users. It basically means that user
program should always trim paths up to directories to get true available
space, etc.

> PROJINHERIT just indicates the default projid that an inode is
> created with; it does not mean that directory tree quotas are what
> the user it doing with them...
>>> Removing the test for EXT4_INODE_PROJINHERIT will cause
>>> incorrect/misleading results being returned in the case where we have
>>> a directory where a directory hierarchy is using project id's, but
>>> which is *not* using PROJINHERIT.
>> One alternative would be to check the PROJINHERIT status of the parent
>> directory after calling statfs() on the regular file?  That should
>> keep the semantics for PROJINHERIT the same, but avoid inconsistent
>> results if called on a regular file:
> This just opens a bigger can of worms that still has no consistent
> solution.
> What if the user has changed the projid of the file and it doesn't
> match the parent directory? That then reports something irrelevant
> to the user.
> What if there are hard links and the parent directories have
> different projid state? This can happen - we don't allow hard links
> into a new projid controlled directory, but we allow them into
> non-projid controlled directories even if the source is from a
> projid controlled heirarchy. We can add PROJINHERIT after a
> directory has already been populated. We can remove PROJINHERIT,
> too, after hardlinks within the same projid have been created. Hence
> a regular file inode can have different parent PROJINHERIT depending
> on path.  How do you do consistency then, because it's clearly not a
> directory quota controlled setup and there's no way of detecting
> that from statfs() context?

I think that part of these concerns are solved by the fact that we
check PROJINHERIT on parent directory, but use our own dentry/inode for
all calculations later (e.g. non-matching project ids of parent
directory and file is not an issue - statfs() will produce right output).
So, this approach is kinda useful for simple cases.


Powered by blists - more mailing lists