lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 15 Dec 2022 16:41:17 +0800
From:   Zhang Yi <yi.zhang@...wei.com>
To:     Theodore Ts'o <tytso@....edu>, Jan Kara <jack@...e.cz>
CC:     <linux-ext4@...r.kernel.org>, <adilger.kernel@...ger.ca>,
        <yi.zhang@...weicloud.com>, <yukuai3@...wei.com>,
        <ritesh.list@...il.com>
Subject: Re: [RFC PATCH] ext4: dio take shared inode lock when overwriting
 preallocated blocks

On 2022/12/15 2:52, Theodore Ts'o wrote:
> On Wed, Dec 14, 2022 at 06:01:25PM +0100, Jan Kara wrote:
>>
>> Besides some naming nits (see below) I think this should work. But I have
>> to say I'm a bit uneasy about this because we will now be changing block
>> mapping from unwritten to written only with shared i_rwsem. OTOH that
>> happens during writeback as well so we should be fine and the gain is very
>> nice.
> 
> Hmm.... when I was looking potential impacts of the change what
> ext4_overwrite_io() would do, I looked at the current user of that
> function in ext4_dio_write_checks().
> 
> 	/*
> 	 * Determine whether the IO operation will overwrite allocated
> 	 * and initialized blocks.
> 	 * We need exclusive i_rwsem for changing security info
> 	 * in file_modified().
> 	 */
> 	if (*ilock_shared && (!IS_NOSEC(inode) || *extend ||
> 	     !ext4_overwrite_io(inode, offset, count))) {
> 		if (iocb->ki_flags & IOCB_NOWAIT) {
> 			ret = -EAGAIN;
> 			goto out;
> 		}
> 		inode_unlock_shared(inode);
> 		*ilock_shared = false;
> 		inode_lock(inode);
> 		goto restart;
> 	}
> 
> 	ret = file_modified(file);
> 	if (ret < 0)
> 		goto out;
> 
> What is confusing me is the comment, "We need exclusive i_rwsem for
> changing security info in file_modified().".  But then we end up
> calling file_modified() unconditionally, regardless of whether we've
> transitioned from a shared lock to an exclusive lock.
> 
> So file_modified() can get called either with or without the inode
> locked r/w.  I realize that this patch doesn't change this
> inconsistency, but it appears either the comment is wrong, or the code
> is wrong.
> 
> What am I missing?
> 

IIUC, both of the comment and the code are correct, the __file_remove_privs()
in file_modified() should execute under exclusive lock, and we have already
check the IS_NOSEC(inode) and could make sure taking exclusive lock before we
remove privs. If we take share lock, __file_remove_privs() will return directly
because below check. So it's find now, but it looks that call file_update_time()
is enough for the shared lock case.

int file_update_time(struct file *file)
{
	if (IS_NOSEC(inode) || !S_ISREG(inode->i_mode))
		return 0;
...
}

Thanks,
Yi.

Powered by blists - more mailing lists