From: JeffleXu <jefflexu@linux.alibaba.com>
To: Greg Kurz <groug@kaod.org>
Cc: "Dr. David Alan Gilbert" <dgilbert@redhat.com>,
	miklos@szeredi.hu, virtualization@lists.linux-foundation.org,
	virtio-fs@redhat.com, joseph.qi@linux.alibaba.com,
	stefanha@redhat.com, linux-fsdevel@vger.kernel.org,
	vgoyal@redhat.com
Subject: Re: [Virtio-fs] [virtiofsd PATCH v4 4/4] virtiofsd: support per-file DAX in FUSE_LOOKUP
Date: Wed, 8 Sep 2021 18:34:53 +0800
Message-ID: <88041d90-d170-3ae1-903e-2fa32e51027f@linux.alibaba.com>
In-Reply-To: <20210824121515.5419d6a7@bahia.lan>



On 8/24/21 6:15 PM, Greg Kurz wrote:
> On Fri, 20 Aug 2021 13:03:23 +0800
> JeffleXu <jefflexu@linux.alibaba.com> wrote:
>>
>> Fine. Got it. However the returned fd (opened without O_PATH) is only
>> used for FS_IOC_GETFLAGS/FS_IOC_FSGETXATTR ioctl, while in most cases
>> for special device files, these two ioctls should return -ENOTTY.
>>
> 
> The actual problem is that a FIFO will cause openat() to block until
> the other end of the FIFO is open for writing...

Got it.

> 
>> If it's really a security issue, then lo_inode_open() could be used to
> 
> ... and cause a DoS on virtiofsd. So yes, this is a security issue and
> lo_inode_open() was introduced specifically to handle this.
> 
>> get a temporary fd, i.e., check if it's a special file before opening.
>> After all, FUSE_OPEN also handles it this way. Besides, I can't
>> understand what "race-free way" means.
>>
> 
> "race-free way" means a way that guarantees that file type
> cannot change between the time you check it and the time
> you open it (TOCTOU error). For example, doing a plain stat(),
> checking st_mode and proceeding to open() is wrong: nothing
> prevents the file from being unlinked and replaced by something
> else between stat() and open().
> 
> We avoid that by keeping O_PATH fds around and using
> lo_inode_open() instead of openat().

Thanks for the detailed explanation. Got it.

> 
> In your case, it seems that you should do the checking after
> you have an actual lo_inode for the target file, and pass
> that to lo_should_enable_dax() instead of the parent lo_inode
> and target name.
> 

Yes, that will be more reasonable. Thanks.

-- 
Thanks,
Jeffle
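
The check-then-open race and the O_PATH approach described in the quoted review, as an added example (not part of the original message and not virtiofsd's own code). `open_pinned` and `demo_swap` are hypothetical names, the scenario is constructed, and the code assumes Linux with /proc mounted.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open the object behind an O_PATH fd, refusing
 * anything that is not a regular file or a directory. */
static int open_pinned(int pfd, int flags)
{
    struct stat st;
    char procpath[64];
    int fd;
    /* fstat() reports on the pinned inode, not on whatever the name
     * refers to now, so the type cannot change after this check. */
    if (fstat(pfd, &st) < 0)
        return -errno;
    if (!S_ISREG(st.st_mode) && !S_ISDIR(st.st_mode))
        return -EBADF;          /* FIFO, device, socket, symlink */
    /* The magic link resolves to that same inode, never to the name. */
    snprintf(procpath, sizeof(procpath), "/proc/self/fd/%d", pfd);
    fd = open(procpath, (flags & ~O_NOFOLLOW) | O_CLOEXEC);
    return fd < 0 ? -errno : fd;
}

/* Constructed scenario: "target" is replaced by a FIFO after pinning.
 * Returns 0 if the pinned open still reaches the regular file and a
 * freshly pinned FIFO is rejected with -EBADF instead of blocking. */
static int demo_swap(void)
{
    char dir[] = "/tmp/toctou-demo-XXXXXX";
    struct stat st;
    int dfd, pfd, fd, ffd, rc, ok;
    if (!mkdtemp(dir) || (dfd = open(dir, O_RDONLY | O_DIRECTORY)) < 0)
        return -1;
    close(openat(dfd, "target", O_CREAT | O_WRONLY, 0600));
    pfd = openat(dfd, "target", O_PATH | O_NOFOLLOW);  /* pin; never blocks */
    unlinkat(dfd, "target", 0);                         /* the swap ... */
    mkfifoat(dfd, "target", 0600);                      /* ... to a FIFO */
    fd = open_pinned(pfd, O_RDONLY);
    ok = fd >= 0 && fstat(fd, &st) == 0 && S_ISREG(st.st_mode);
    ffd = openat(dfd, "target", O_PATH | O_NOFOLLOW);
    rc = open_pinned(ffd, O_RDONLY);
    unlinkat(dfd, "target", 0); rmdir(dir);
    close(fd); close(ffd); close(pfd); close(dfd);
    return (ok && rc == -EBADF) ? 0 : 1;
}

int main(void) { return demo_swap(); }
```

A plain `stat()` on the name followed by `openat()` would, in the same scenario, have seen a regular file and then blocked on the FIFO.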


