lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240612092703.u5ialfzz74pfnafk@quack3>
Date: Wed, 12 Jun 2024 11:27:03 +0200
From: Jan Kara <jack@...e.cz>
To: Mateusz Guzik <mjguzik@...il.com>
Cc: brauner@...nel.org, viro@...iv.linux.org.uk, jack@...e.cz,
	linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org,
	linux-bcachefs@...r.kernel.org, kent.overstreet@...ux.dev,
	linux-xfs@...r.kernel.org, david@...morbit.com
Subject: Re: [PATCH v2 2/4] vfs: partially sanitize i_state zeroing on inode
 creation

On Tue 11-06-24 14:06:24, Mateusz Guzik wrote:
> new_inode used to have the following:
> 	spin_lock(&inode_lock);
> 	inodes_stat.nr_inodes++;
> 	list_add(&inode->i_list, &inode_in_use);
> 	list_add(&inode->i_sb_list, &sb->s_inodes);
> 	inode->i_ino = ++last_ino;
> 	inode->i_state = 0;
> 	spin_unlock(&inode_lock);
> 
> over time things disappeared, got moved around or got replaced (global
> inode lock with a per-inode lock), eventually this got reduced to:
> 	spin_lock(&inode->i_lock);
> 	inode->i_state = 0;
> 	spin_unlock(&inode->i_lock);
> 
> But the lock acquire here does not synchronize against anyone.
> 
> Additionally iget5_locked performs i_state = 0 assignment without any
> locks to begin with, the two combined look confusing at best.
> 
> It looks like the current state is a leftover which was not cleaned up.
> 
> Ideally it would be an invariant that i_state == 0 to begin with, but
> achieving that would require dealing with all filesystem alloc handlers
> one by one.
> 
> In the meantime drop the misleading locking and move i_state zeroing to
> inode_init_always so that others don't need to deal with it by hand.
> 
> Signed-off-by: Mateusz Guzik <mjguzik@...il.com>

Just one nit below:

> diff --git a/fs/inode.c b/fs/inode.c
> index 3a4c67bfe085..8f05d79de01d 100644
> --- a/fs/inode.c
> +++ b/fs/inode.c
> @@ -231,6 +231,8 @@ int inode_init_always(struct super_block *sb, struct inode *inode)
>  
>  	if (unlikely(security_inode_alloc(inode)))
>  		return -ENOMEM;
> +
> +	inode->i_state = 0;
>  	this_cpu_inc(nr_inodes);

This would be more logical above where inode content is initialized (and
less errorprone just in case security_inode_alloc() grows dependency on
i_state value) - like just after:

	inode->i_flags = 0;

With that fixed feel free to add:

Reviewed-by: Jan Kara <jack@...e.cz>

								Honza
-- 
Jan Kara <jack@...e.com>
SUSE Labs, CR

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ