| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 4 Jan 2020 21:09:20 +0200
From: Amir Goldstein <amir73il@...il.com>
To: Chris Down <chris@...isdown.name>
Cc: linux-fsdevel <linux-fsdevel@...r.kernel.org>,
Al Viro <viro@...iv.linux.org.uk>,
Matthew Wilcox <willy@...radead.org>,
Jeff Layton <jlayton@...nel.org>,
Johannes Weiner <hannes@...xchg.org>,
Tejun Heo <tj@...nel.org>,
linux-kernel <linux-kernel@...r.kernel.org>, kernel-team@...com
Subject: Re: [PATCH v3 1/2] tmpfs: Add per-superblock i_ino support
On Fri, Jan 3, 2020 at 7:30 PM Chris Down <chris@...isdown.name> wrote:
>
> get_next_ino has a number of problems:
>
> - It uses and returns a uint, which is susceptible to become overflowed
> if a lot of volatile inodes that use get_next_ino are created.
> - It's global, with no specificity per-sb or even per-filesystem. This
> means it's not that difficult to cause inode number wraparounds on a
> single device, which can result in having multiple distinct inodes
> with the same inode number.
>
> This patch adds a per-superblock counter that mitigates the second case.
> This design also allows us to later have a specific i_ino size
> per-device, for example, allowing users to choose whether to use 32- or
> 64-bit inodes for each tmpfs mount. This is implemented in the next
> commit.
>
> Signed-off-by: Chris Down <chris@...isdown.name>
> Cc: Al Viro <viro@...iv.linux.org.uk>
> Cc: Matthew Wilcox <willy@...radead.org>
> Cc: Amir Goldstein <amir73il@...il.com>
> Cc: Jeff Layton <jlayton@...nel.org>
> Cc: Johannes Weiner <hannes@...xchg.org>
> Cc: Tejun Heo <tj@...nel.org>
> Cc: linux-fsdevel@...r.kernel.org
> Cc: linux-kernel@...r.kernel.org
> Cc: kernel-team@...com
> ---
Some nits. When fixed you may add:
Reviewed-by: Amir Goldstein <amir73il@...il.com>
> include/linux/shmem_fs.h | 1 +
> mm/shmem.c | 33 ++++++++++++++++++++++++++++++++-
> 2 files changed, 33 insertions(+), 1 deletion(-)
>
> diff --git a/include/linux/shmem_fs.h b/include/linux/shmem_fs.h
> index de8e4b71e3ba..7fac91f490dc 100644
> --- a/include/linux/shmem_fs.h
> +++ b/include/linux/shmem_fs.h
> @@ -35,6 +35,7 @@ struct shmem_sb_info {
> unsigned char huge; /* Whether to try for hugepages */
> kuid_t uid; /* Mount uid for root directory */
> kgid_t gid; /* Mount gid for root directory */
> + ino_t next_ino; /* The next per-sb inode number to use */
> struct mempolicy *mpol; /* default memory policy for mappings */
> spinlock_t shrinklist_lock; /* Protects shrinklist */
> struct list_head shrinklist; /* List of shinkable inodes */
> diff --git a/mm/shmem.c b/mm/shmem.c
> index 8793e8cc1a48..638b1e30625f 100644
> --- a/mm/shmem.c
> +++ b/mm/shmem.c
> @@ -2236,6 +2236,15 @@ static int shmem_mmap(struct file *file, struct vm_area_struct *vma)
> return 0;
> }
>
> +/*
> + * shmem_get_inode - reserve, allocate, and initialise a new inode
> + *
> + * If SB_KERNMOUNT, we use the per-sb inode allocator to avoid wraparound.
> + * Otherwise, we use get_next_ino, which is global.
Its the other way around.
> + *
> + * If max_inodes is greater than 0 (ie. non-SB_KERNMOUNT), we may have to grab
> + * the per-sb stat_lock.
It's not a "may" it's for sure, but I don't see what this comment adds
in this context.
The comment about stat_lock below seems enough to me.
> + */
> static struct inode *shmem_get_inode(struct super_block *sb, const struct inode *dir,
> umode_t mode, dev_t dev, unsigned long flags)
> {
> @@ -2248,7 +2257,28 @@ static struct inode *shmem_get_inode(struct super_block *sb, const struct inode
>
> inode = new_inode(sb);
> if (inode) {
> - inode->i_ino = get_next_ino();
> + if (sb->s_flags & SB_KERNMOUNT) {
> + /*
> + * __shmem_file_setup, one of our callers, is lock-free:
> + * it doesn't hold stat_lock in shmem_reserve_inode
> + * since max_inodes is always 0, and is called from
> + * potentially unknown contexts. As such, use the global
> + * allocator which doesn't require the per-sb
.
> + */
> + inode->i_ino = get_next_ino();
> + } else {
> + spin_lock(&sbinfo->stat_lock);
> + if (unlikely(sbinfo->next_ino > UINT_MAX)) {
> + /*
> + * Emulate get_next_ino uint wraparound for
> + * compatibility
> + */
> + sbinfo->next_ino = 1;
> + }
> + inode->i_ino = sbinfo->next_ino++;
> + spin_unlock(&sbinfo->stat_lock);
> + }
> +
> inode_init_owner(inode, dir, mode);
> inode->i_blocks = 0;
> inode->i_atime = inode->i_mtime = inode->i_ctime = current_time(inode);
> @@ -3662,6 +3692,7 @@ static int shmem_fill_super(struct super_block *sb, struct fs_context *fc)
> #else
> sb->s_flags |= SB_NOUSER;
> #endif
> + sbinfo->next_ino = 1;
> sbinfo->max_blocks = ctx->blocks;
> sbinfo->free_inodes = sbinfo->max_inodes = ctx->inodes;
> sbinfo->uid = ctx->uid;
> --
> 2.24.1
>
Powered by blists - more mailing lists