From: Al Viro <viro@zeniv.linux.org.uk>
To: Christian Brauner <brauner@kernel.org>
Cc: Brian Foster <bfoster@redhat.com>, Ian Kent <raven@themaw.net>,
"Darrick J. Wong" <djwong@kernel.org>,
Christoph Hellwig <hch@lst.de>,
Miklos Szeredi <miklos@szeredi.hu>,
David Howells <dhowells@redhat.com>,
Kernel Mailing List <linux-kernel@vger.kernel.org>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
xfs <linux-xfs@vger.kernel.org>
Subject: Re: [PATCH] vfs: check dentry is still valid in get_link()
Date: Tue, 18 Jan 2022 16:04:50 +0000 [thread overview]
Message-ID: <YeblIix0fyXyBipW@zeniv-ca.linux.org.uk> (raw)
In-Reply-To: <20220118082911.rsmv5m2pjeyt6wpg@wittgenstein>
On Tue, Jan 18, 2022 at 09:29:11AM +0100, Christian Brauner wrote:
> On Mon, Jan 17, 2022 at 06:10:36PM +0000, Al Viro wrote:
> > On Mon, Jan 17, 2022 at 04:28:52PM +0000, Al Viro wrote:
> >
> > > IOW, ->free_inode() is RCU-delayed part of ->destroy_inode(). If both
> > > are present, ->destroy_inode() will be called synchronously, followed
> > > by ->free_inode() from RCU callback, so you can have both - moving just
> > > the "finally mark for reuse" part into ->free_inode() would be OK.
> > > Any blocking stuff (if any) can be left in ->destroy_inode()...
> >
> > BTW, we *do* have a problem with ext4 fast symlinks. Pathwalk assumes that
> > strings it parses are not changing under it. There are rather delicate
> > dances in dcache lookups re possibility of ->d_name contents changing under
> > it, but the search key is assumed to be stable.
> >
> > What's more, there's a correctness issue even if we do not oops. Currently
> > we do not recheck ->d_seq of symlink dentry when we dismiss the symlink from
> > the stack. After all, we'd just finished traversing what used to be the
> > contents of a symlink that used to be in the right place. It might have been
> > unlinked while we'd been traversing it, but that's not a correctness issue.
> >
> > But that critically depends upon the contents not getting mangled. If it
> > *can* be screwed by such unlink, we risk successful lookup leading to the
>
> Out of curiosity: whether or not it can get mangled depends on the
> filesystem and how it implements fast symlinks or do fast symlinks
> currently guarantee that contents are mangled?
Not sure if I understand your question correctly...
Filesystems should guarantee that the contents of string returned
by ->get_link() (or pointed to by ->i_link) remains unchanged for as long
as we are looking at it (until fs/namei.c:put_link() that drops it or
fs/namei.c:drop_links() in the end of pathwalk). Fast symlinks or not -
doesn't matter.
The only cases where that does not hold (there are two of them in
the entire kernel) happen to be fast symlinks. Both cases are bugs.
ext4 case is actually easy to fix - the only reason it ends up mangling
the string is the way ext4_truncate() implements its check for victim
being a fast symlink (and thus needing no work). It gets disrupted
by zeroing ->i_size, which we need to do in this case (inode removal).
That's not hard to get right.
A plenty of other fast symlink variants (starting with ext2 ones,
BTW) do not step into anything of that sort. IIRC, we used to have at
least some cases (orangefs, perhaps?) where revalidate on a symlink
might (with confused or malicious server) end up modifying the contents,
possibly right under somebody else walking that symlink. Also a bug...
next prev parent reply other threads:[~2022-01-18 16:05 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-10 9:11 [PATCH] vfs: check dentry is still valid in get_link() Ian Kent
2022-01-15 6:38 ` Al Viro
2022-01-17 2:55 ` Ian Kent
2022-01-17 14:35 ` Brian Foster
2022-01-17 16:28 ` Al Viro
2022-01-17 18:10 ` Al Viro
2022-01-17 19:48 ` Al Viro
2022-01-18 1:32 ` Al Viro
2022-01-18 2:31 ` Ian Kent
2022-01-18 3:03 ` Al Viro
2022-01-18 13:47 ` Brian Foster
2022-01-18 18:25 ` Brian Foster
2022-01-18 19:20 ` Al Viro
2022-01-18 20:58 ` Brian Foster
2022-01-18 8:29 ` Christian Brauner
2022-01-18 16:04 ` Al Viro [this message]
2022-01-19 9:05 ` Christian Brauner
2022-01-17 18:42 ` Brian Foster
2022-01-18 3:00 ` Dave Chinner
2022-01-18 3:17 ` Al Viro
2022-01-18 4:12 ` Dave Chinner
2022-01-18 5:58 ` Al Viro
2022-01-18 23:25 ` Dave Chinner
2022-01-19 14:08 ` Brian Foster
2022-01-19 22:07 ` Dave Chinner
2022-01-20 16:03 ` Brian Foster
2022-01-20 16:34 ` Brian Foster
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YeblIix0fyXyBipW@zeniv-ca.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=bfoster@redhat.com \
--cc=brauner@kernel.org \
--cc=dhowells@redhat.com \
--cc=djwong@kernel.org \
--cc=hch@lst.de \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-xfs@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=raven@themaw.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.