lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 15 Dec 2022 16:49:52 +0800
From:   Zhang Yi <yi.zhang@...weicloud.com>
To:     Zhang Yi <yi.zhang@...wei.com>, Theodore Ts'o <tytso@....edu>,
        Jan Kara <jack@...e.cz>
Cc:     linux-ext4@...r.kernel.org, adilger.kernel@...ger.ca,
        yukuai3@...wei.com, ritesh.list@...il.com
Subject: Re: [RFC PATCH] ext4: dio take shared inode lock when overwriting
 preallocated blocks

On 2022/12/15 16:41, Zhang Yi wrote:
> On 2022/12/15 2:52, Theodore Ts'o wrote:
>> On Wed, Dec 14, 2022 at 06:01:25PM +0100, Jan Kara wrote:
>>>
>>> Besides some naming nits (see below) I think this should work. But I have
>>> to say I'm a bit uneasy about this because we will now be changing block
>>> mapping from unwritten to written only with shared i_rwsem. OTOH that
>>> happens during writeback as well so we should be fine and the gain is very
>>> nice.
>>
>> Hmm.... when I was looking potential impacts of the change what
>> ext4_overwrite_io() would do, I looked at the current user of that
>> function in ext4_dio_write_checks().
>>
>> 	/*
>> 	 * Determine whether the IO operation will overwrite allocated
>> 	 * and initialized blocks.
>> 	 * We need exclusive i_rwsem for changing security info
>> 	 * in file_modified().
>> 	 */
>> 	if (*ilock_shared && (!IS_NOSEC(inode) || *extend ||
>> 	     !ext4_overwrite_io(inode, offset, count))) {
>> 		if (iocb->ki_flags & IOCB_NOWAIT) {
>> 			ret = -EAGAIN;
>> 			goto out;
>> 		}
>> 		inode_unlock_shared(inode);
>> 		*ilock_shared = false;
>> 		inode_lock(inode);
>> 		goto restart;
>> 	}
>>
>> 	ret = file_modified(file);
>> 	if (ret < 0)
>> 		goto out;
>>
>> What is confusing me is the comment, "We need exclusive i_rwsem for
>> changing security info in file_modified().".  But then we end up
>> calling file_modified() unconditionally, regardless of whether we've
>> transitioned from a shared lock to an exclusive lock.
>>
>> So file_modified() can get called either with or without the inode
>> locked r/w.  I realize that this patch doesn't change this
>> inconsistency, but it appears either the comment is wrong, or the code
>> is wrong.
>>
>> What am I missing?
>>
> 
> IIUC, both of the comment and the code are correct, the __file_remove_privs()
> in file_modified() should execute under exclusive lock, and we have already
> check the IS_NOSEC(inode) and could make sure taking exclusive lock before we
> remove privs. If we take share lock, __file_remove_privs() will return directly
> because below check. So it's find now, but it looks that call file_update_time()
> is enough for the shared lock case.
> 
> int file_update_time(struct file *file)
static int __file_remove_privs(struct file *file, unsigned int flags)
> {
...
> 	if (IS_NOSEC(inode) || !S_ISREG(inode->i_mode))
> 		return 0;
> ...
> }
> 
> Thanks,
> Yi.
> 

Powered by blists - more mailing lists