| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 23 Nov 2023 01:12:08 +0000
From: Al Viro <viro@...iv.linux.org.uk>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Christian Brauner <brauner@...nel.org>,
Gabriel Krisman Bertazi <krisman@...e.de>, tytso@....edu,
linux-f2fs-devel@...ts.sourceforge.net, ebiggers@...nel.org,
linux-fsdevel@...r.kernel.org, jaegeuk@...nel.org,
linux-ext4@...r.kernel.org
Subject: Re: [f2fs-dev] [PATCH v6 0/9] Support negative dentries on
case-insensitive ext4 and f2fs
On Wed, Nov 22, 2023 at 09:19:01PM +0000, Al Viro wrote:
> On Tue, Nov 21, 2023 at 02:27:34AM +0000, Al Viro wrote:
>
> > I will review that series; my impression from the previous iterations
> > had been fairly unpleasant, TBH, but I hadn't rechecked since April
> > or so.
>
> The serious gap, AFAICS, is the interplay with open-by-fhandle.
> It's not unfixable, but we need to figure out what to do when
> lookup runs into a disconnected directory alias. d_splice_alias()
> will move it in place, all right, but any state ->lookup() has
> hung off the dentry that had been passed to it will be lost.
>
> And I seriously suspect that we want to combine that state
> propagation with d_splice_alias() (or its variant to be used in
> such cases), rather than fixing the things up afterwards.
>
> In particular, propagating ->d_op is really not trivial at that
> point; it is safe to do to ->lookup() argument prior to d_splice_alias()
> (even though that's too subtle and brittle, IMO), but after
> d_splice_alias() has succeeded, the damn thing is live and can
> be hit by hash lookups, revalidate, etc.
>
> The only things that can't happen to it are ->d_delete(), ->d_prune(),
> ->d_iput() and ->d_init(). Everything else is fair game.
>
> And then there's an interesting question about the interplay with
> reparenting. It's OK to return an error rather than reparent,
> but we need some way to tell if we need to do so.
Hmm... int (*d_transfer)(struct dentry *alias, struct dentry *new)?
Called if d_splice_alias() picks that sucker, under rename_lock,
before the call of __d_move(). Can check IS_ROOT(alias) (due to
rename_lock), so can tell attaching from reparenting, returning
an error - failed d_splice_alias().
Perhaps would be even better inside __d_move(), once all ->d_lock
are taken... Turn the current bool exchange in there into honest
enum (exchange/move/splice) and call ->d_transfer() on splice.
In case of failure it's still not too late to back out - __d_move()
would return an int, ignored in d_move() and d_exchange() and
treated as "fail in unlikely case it's non-zero" in d_splice_alias()
and __d_unalias()...
Comments? Note that e.g.
res = d_splice_alias(inode, dentry);
if (!IS_ERR(fid)) {
if (!res)
v9fs_fid_add(dentry, &fid);
else if (!IS_ERR(res))
v9fs_fid_add(res, &fid);
else
p9_fid_put(fid);
}
in 9p ->lookup() would turn into
v9fs_fid_add(dentry, &fid);
return d_splice_alias(inode, dentry);
with ->d_transfer(alias, new) being simply
struct hlist_node *p = new->d_fsdata;
hlist_del_init(p);
__add_fid(alias, hlist_entry(p, struct p9_fid, dlist));
return 0;
assuming the call from __d_move()...
Powered by blists - more mailing lists