| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAGudoHFVnOvshyXi9-1gMs+SOg5zc9e++iT9_Nz6UjwtmG6VuQ@mail.gmail.com>
Date: Thu, 6 Nov 2025 20:34:36 +0100
From: Mateusz Guzik <mjguzik@...il.com>
To: brauner@...nel.org
Cc: viro@...iv.linux.org.uk, jack@...e.cz, linux-kernel@...r.kernel.org,
linux-fsdevel@...r.kernel.org, linux-ext4@...r.kernel.org, tytso@....edu,
torvalds@...ux-foundation.org, josef@...icpanda.com,
linux-btrfs@...r.kernel.org
Subject: Re: [PATCH v2 0/4] permission check avoidance during lookup
On Thu, Nov 6, 2025 at 7:01 PM Mateusz Guzik <mjguzik@...il.com> wrote:
>
> To quote from patch 1:
> <quote>
> Vast majority of real-world lookups happen on directories which are
> traversable by anyone. Figuring out that this holds for a given inode
> can be done when instantiating it or changing permissions, avoiding the
> overhead during lookup. Stats below.
>
> A simple microbench of stating /usr/include/linux/fs.h on ext4 in a loop
> on Sapphire Rapids (ops/s):
> before: 3640352
> after: 3797258 (+4%)
> </quote>
>
> During a kernel build about 90% of all lookups managed to skip
> permission checks in my setup, see the commit message for a breakdown.
>
> WARNING: more testing is needed for correctness, but I'm largely happy
> with the state as is.
>
Forgot to explain more in the commit message, so here it is right now:
how almost the entirety of inode_permission() can get elided for
inodes which qualify for it.
inode_permission()
{
retval = sb_permission(inode->i_sb, inode, mask);
if (unlikely(retval))
return retval;
sb_permission starts with a check for mask & MAY_WRITE. Since mask is
MAY_EXEC, this does not need to execute.
if (unlikely(mask & MAY_WRITE)) {
Same here.
retval = do_inode_permission(idmap, inode, mask);
if (unlikely(retval))
return retval;
do_inode_permission starts with a check for IOP_FASTPERM. This is of
no relevance as we are skipping the perm checks and the behavior is as
if generic_permission() was always called.
Then generic_permission:
ret = acl_permission_check(idmap, inode, mask);
if (ret != -EACCES)
return ret;
We don't have to check the error code as we expect the perm is granted.
acl_permission_check:
if (!((mask & 7) * 0111 & ~mode)) {
if (no_acl_inode(inode))
return 0;
if (!IS_POSIXACL(inode))
return 0;
}
We don't need this as we already pre-checked the perm is at least 0111
and there are no acls set.
back to inode_permission:
retval = devcgroup_inode_permission(inode, mask);
if (unlikely(retval))
return retval;
This checks if we are dealing with a device. The IOP_FAST_MAY_EXEC is
only legally set on directories, so it is an invariant we are not
dealing with a device and don't need to check that.
Finally this:
return security_inode_permission(inode, mask);
.. *does* execute in the new scheme.
However, LSM has notpatchable calls inside and only 2 users, normally
not present on Ubuntu et al. Or to put it differently, this is a func
call to a nop slide on most kernels and with some extra work can also
get elided.
> WARNING: I'm assuming the following bit is applied:
> diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
> index 78ea864fa8cd..eaf776cd4175 100644
> --- a/fs/ext4/inode.c
> +++ b/fs/ext4/inode.c
> @@ -5518,6 +5518,10 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino,
> goto bad_inode;
> brelse(iloc.bh);
>
> + /* Initialize the "no ACL's" state for the simple cases */
> + if (!ext4_test_inode_state(inode, EXT4_STATE_XATTR) && !ei->i_file_acl)
> + cache_no_acl(inode);
> +
> unlock_new_inode(inode);
> return inode;
>
> Lack of the patch does not affect correctness, but it does make the
> patch ineffective for ext4. I did not include it in the posting as other
> people promised to sort it out.
>
> Discussion is here with an ack from Jan:
> https://lore.kernel.org/linux-fsdevel/kn44smk4dgaj5rqmtcfr7ruecixzrik6omur2l2opitn7lbvfm@rm4y24fcfzbz/T/#m30d6cea6be48e95c0d824e98a328fb90c7a5766d
> and full thread:
> https://lore.kernel.org/linux-fsdevel/kn44smk4dgaj5rqmtcfr7ruecixzrik6omur2l2opitn7lbvfm@rm4y24fcfzbz/T/#t
>
> v2:
> - productize
> - btrfs and tmpfs support
>
> Mateusz Guzik (4):
> fs: speed up path lookup with cheaper MAY_EXEC checks
> ext4: opt-in for IOP_MAY_FAST_EXEC
> btrfs: opt-in for IOP_MAY_FAST_EXEC
> tmpfs: opt-in for IOP_MAY_FAST_EXEC
>
> fs/attr.c | 1 +
> fs/btrfs/inode.c | 12 +++++-
> fs/ext4/inode.c | 2 +
> fs/ext4/namei.c | 1 +
> fs/namei.c | 95 +++++++++++++++++++++++++++++++++++++++++++++-
> fs/posix_acl.c | 1 +
> fs/xattr.c | 1 +
> include/linux/fs.h | 21 +++++++---
> mm/shmem.c | 9 +++++
> 9 files changed, 134 insertions(+), 9 deletions(-)
>
> --
> 2.48.1
>
Powered by blists - more mailing lists