lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20230826022852.GO3390869@ZenIV>
Date:   Sat, 26 Aug 2023 03:28:52 +0100
From:   Al Viro <viro@...iv.linux.org.uk>
To:     Jan Kara <jack@...e.cz>
Cc:     linux-fsdevel@...r.kernel.org, linux-block@...r.kernel.org,
        Christoph Hellwig <hch@...radead.org>,
        Alasdair Kergon <agk@...hat.com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Anna Schumaker <anna@...nel.org>, Chao Yu <chao@...nel.org>,
        Christian Borntraeger <borntraeger@...ux.ibm.com>,
        "Darrick J. Wong" <djwong@...nel.org>,
        Dave Kleikamp <shaggy@...nel.org>,
        David Sterba <dsterba@...e.com>, dm-devel@...hat.com,
        drbd-dev@...ts.linbit.com, Gao Xiang <xiang@...nel.org>,
        Jack Wang <jinpu.wang@...os.com>,
        Jaegeuk Kim <jaegeuk@...nel.org>,
        jfs-discussion@...ts.sourceforge.net,
        Joern Engel <joern@...ybastard.org>,
        Joseph Qi <joseph.qi@...ux.alibaba.com>,
        Kent Overstreet <kent.overstreet@...il.com>,
        linux-bcache@...r.kernel.org, linux-btrfs@...r.kernel.org,
        linux-erofs@...ts.ozlabs.org, linux-ext4@...r.kernel.org,
        linux-f2fs-devel@...ts.sourceforge.net, linux-mm@...ck.org,
        linux-mtd@...ts.infradead.org, linux-nfs@...r.kernel.org,
        linux-nilfs@...r.kernel.org, linux-nvme@...ts.infradead.org,
        linux-pm@...r.kernel.org, linux-raid@...r.kernel.org,
        linux-s390@...r.kernel.org, linux-scsi@...r.kernel.org,
        linux-xfs@...r.kernel.org,
        "Md. Haris Iqbal" <haris.iqbal@...os.com>,
        Mike Snitzer <snitzer@...nel.org>,
        Minchan Kim <minchan@...nel.org>, ocfs2-devel@....oracle.com,
        reiserfs-devel@...r.kernel.org,
        Sergey Senozhatsky <senozhatsky@...omium.org>,
        Song Liu <song@...nel.org>,
        Sven Schnelle <svens@...ux.ibm.com>,
        target-devel@...r.kernel.org, Ted Tso <tytso@....edu>,
        Trond Myklebust <trond.myklebust@...merspace.com>,
        xen-devel@...ts.xenproject.org, Jens Axboe <axboe@...nel.dk>,
        Christian Brauner <brauner@...nel.org>
Subject: Re: [PATCH v2 0/29] block: Make blkdev_get_by_*() return handle

On Fri, Aug 25, 2023 at 03:47:56PM +0200, Jan Kara wrote:

> I can see the appeal of not having to introduce the new bdev_handle type
> and just using struct file which unifies in-kernel and userspace block
> device opens. But I can see downsides too - the last fput() happening from
> task work makes me a bit nervous whether it will not break something
> somewhere with exclusive bdev opens. Getting from struct file to bdev is
> somewhat harder but I guess a helper like F_BDEV() would solve that just
> fine.
> 
> So besides my last fput() worry about I think this could work and would be
> probably a bit nicer than what I have. But before going and redoing the whole
> series let me gather some more feedback so that we don't go back and forth.
> Christoph, Christian, Jens, any opinion?

Redoing is not an issue - it can be done on top of your series just
as well.  Async behaviour of fput() might be, but...  need to look
through the actual users; for a lot of them it's perfectly fine.

FWIW, from a cursory look there appears to be a missing primitive: take
an opened bdev (or bdev_handle, with your variant, or opened file if we
go that way eventually) and claim it.

I mean, look at claim_swapfile() for example:
                p->bdev = blkdev_get_by_dev(inode->i_rdev,
                                   FMODE_READ | FMODE_WRITE | FMODE_EXCL, p);
                if (IS_ERR(p->bdev)) {
                        error = PTR_ERR(p->bdev);
                        p->bdev = NULL;
                        return error;
                }
                p->old_block_size = block_size(p->bdev);
                error = set_blocksize(p->bdev, PAGE_SIZE);
                if (error < 0)
                        return error;
we already have the file opened, and we keep it opened all the way until
the swapoff(2); here we have noticed that it's a block device and we
	* open the fucker again (by device number), this time claiming
it with our swap_info_struct as holder, to be closed at swapoff(2) time
(just before we close the file)
	* flip the block size to PAGE_SIZE, to be reverted at swapoff(2)
time That really looks like it ought to be
	* take the opened file, see that it's a block device
	* try to claim it with that holder
	* on success, flip the block size
with close_filp() in the swapoff(2) (or failure exit path in swapon(2))
doing what it would've done for an O_EXCL opened block device.
The only difference from O_EXCL userland open is that here we would
end up with holder pointing not to struct file in question, but to our
swap_info_struct.  It will do the right thing.

This extra open is entirely due to "well, we need to claim it and the
primitive that does that happens to be tied to opening"; feels rather
counter-intuitive.

For that matter, we could add an explicit "unclaim" primitive - might
be easier to follow.  That would add another example where that could
be used - in blkdev_bszset() we have an opened block device (it's an
ioctl, after all), we want to change block size and we *really* don't
want to have that happen under a mounted filesystem.  So if it's not
opened exclusive, we do a temporary exclusive open of own and act on
that instead.   Might as well go for a temporary claim...

BTW, what happens if two threads call ioctl(fd, BLKBSZSET, &n)
for the same descriptor that happens to have been opened O_EXCL?
Without O_EXCL they would've been unable to claim the sucker at the same
time - the holder we are using is the address of a function argument,
i.e. something that points to kernel stack of the caller.  Those would
conflict and we either get set_blocksize() calls fully serialized, or
one of the callers would eat -EBUSY.  Not so in "opened with O_EXCL"
case - they can very well overlap and IIRC set_blocksize() does *not*
expect that kind of crap...  It's all under CAP_SYS_ADMIN, so it's not
as if it was a meaningful security hole anyway, but it does look fishy.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ