| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <hzrj5b7x3rvtxt4qgjxdihhi5vjoc5gw3i35pbyopa7ccucizo@q5c42kjlkly3> Date: Mon, 12 May 2025 19:33:13 +0200 From: Jan Kara <jack@...e.cz> To: Christian Brauner <brauner@...nel.org> Cc: Max Kellermann <max.kellermann@...os.com>, jack@...e.cz, viro@...iv.linux.org.uk, linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH 2/2] fs: make several inode lock operations killable On Mon 12-05-25 11:52:14, Christian Brauner wrote: > On Tue, Apr 29, 2025 at 01:28:49PM +0200, Max Kellermann wrote: > > On Tue, Apr 29, 2025 at 1:12 PM Christian Brauner <brauner@...nel.org> wrote: > > > > --- a/fs/read_write.c > > > > +++ b/fs/read_write.c > > > > @@ -332,7 +332,9 @@ loff_t default_llseek(struct file *file, loff_t offset, int whence) > > > > struct inode *inode = file_inode(file); > > > > loff_t retval; > > > > > > > > - inode_lock(inode); > > > > + retval = inode_lock_killable(inode); > > > > > > That change doesn't seem so obviously fine to me. > > > > Why do you think so? And how is this different than the other two. > > chown_common() and chmod_common() are very close to the syscall boundary > so it's very unlikely that we run into weird issues apart from userspace > regression when they suddenly fail a change for new unexpected reasons. > > But just look at default_llseek(): > > > git grep default_llseek | wc -l > 461 > > That is a lot of stuff and it's not immediately clear how deeply or > nested they are called. For example from overlayfs in stacked > callchains. Who knows what strange assumptions some of the callers have > including the possible return values from that helper. > > > > > > Either way I'd like to see this split in three patches and some > > > reasoning why it's safe and some justification why it's wanted... > > > > Sure I can split this patch, but before I spend the time, I'd like us > > first to agree that the patch is useful. > > This is difficult to answer. Yes, on the face of it it seems useful to > be able to kill various operations that sleep on inode lock but who > knows what implicit guarantees/expectations we're going to break if we > do it. Maybe @Jan has some thoughts here as well. So I think having lock killable is useful and generally this should be safe wrt userspace (the process will get killed before it can notice the difference anyway). The concern about guarantees / expectations is still valid for the *kernel* code (which is I think what you meant above). So I guess some audit of kernel paths that can end up calling ->llseek handler and whether they are OK with the handler returning EINTR is needed. I expect this will be fine but I would not bet too much on it :) Honza -- Jan Kara <jack@...e.com> SUSE Labs, CR
Powered by blists - more mailing lists