| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 15 Dec 2022 16:49:52 +0800
From: Zhang Yi <yi.zhang@...weicloud.com>
To: Zhang Yi <yi.zhang@...wei.com>, Theodore Ts'o <tytso@....edu>,
Jan Kara <jack@...e.cz>
Cc: linux-ext4@...r.kernel.org, adilger.kernel@...ger.ca,
yukuai3@...wei.com, ritesh.list@...il.com
Subject: Re: [RFC PATCH] ext4: dio take shared inode lock when overwriting
preallocated blocks
On 2022/12/15 16:41, Zhang Yi wrote:
> On 2022/12/15 2:52, Theodore Ts'o wrote:
>> On Wed, Dec 14, 2022 at 06:01:25PM +0100, Jan Kara wrote:
>>>
>>> Besides some naming nits (see below) I think this should work. But I have
>>> to say I'm a bit uneasy about this because we will now be changing block
>>> mapping from unwritten to written only with shared i_rwsem. OTOH that
>>> happens during writeback as well so we should be fine and the gain is very
>>> nice.
>>
>> Hmm.... when I was looking potential impacts of the change what
>> ext4_overwrite_io() would do, I looked at the current user of that
>> function in ext4_dio_write_checks().
>>
>> /*
>> * Determine whether the IO operation will overwrite allocated
>> * and initialized blocks.
>> * We need exclusive i_rwsem for changing security info
>> * in file_modified().
>> */
>> if (*ilock_shared && (!IS_NOSEC(inode) || *extend ||
>> !ext4_overwrite_io(inode, offset, count))) {
>> if (iocb->ki_flags & IOCB_NOWAIT) {
>> ret = -EAGAIN;
>> goto out;
>> }
>> inode_unlock_shared(inode);
>> *ilock_shared = false;
>> inode_lock(inode);
>> goto restart;
>> }
>>
>> ret = file_modified(file);
>> if (ret < 0)
>> goto out;
>>
>> What is confusing me is the comment, "We need exclusive i_rwsem for
>> changing security info in file_modified().". But then we end up
>> calling file_modified() unconditionally, regardless of whether we've
>> transitioned from a shared lock to an exclusive lock.
>>
>> So file_modified() can get called either with or without the inode
>> locked r/w. I realize that this patch doesn't change this
>> inconsistency, but it appears either the comment is wrong, or the code
>> is wrong.
>>
>> What am I missing?
>>
>
> IIUC, both of the comment and the code are correct, the __file_remove_privs()
> in file_modified() should execute under exclusive lock, and we have already
> check the IS_NOSEC(inode) and could make sure taking exclusive lock before we
> remove privs. If we take share lock, __file_remove_privs() will return directly
> because below check. So it's find now, but it looks that call file_update_time()
> is enough for the shared lock case.
>
> int file_update_time(struct file *file)
static int __file_remove_privs(struct file *file, unsigned int flags)
> {
...
> if (IS_NOSEC(inode) || !S_ISREG(inode->i_mode))
> return 0;
> ...
> }
>
> Thanks,
> Yi.
>
Powered by blists - more mailing lists