Re: [PATCH 00/12] vfs patch queue

[Miklos Szeredi <miklos@szeredi.hu>]

On Wed, May 13, 2020 at 9:48 PM Al Viro <viro@zeniv.linux.org.uk> wrote:
>
> On Wed, May 13, 2020 at 09:47:07AM +0200, Miklos Szeredi wrote:
> > On Tue, May 5, 2020 at 11:59 AM Miklos Szeredi <mszeredi@redhat.com> wrote:
> > >
> > > Hi Al,
> > >
> > > Can you please apply the following patches?
> >
> > Ping?  Could you please have a look at these patches?
> >
> > - /proc/mounts cursor is almost half the total lines changed, and that
> > one was already pretty damn well reviewed by you
> >
> > - unprivileged whiteout one was approved by the security guys
> >
> > - aio fsync one is a real bug, please comment on whether the patch is
> > acceptable or should I work around it in fuse
> >
> > - STATX_MNT_ID extension is a no brainer, the other one may or may not
> > be useful, that's arguable...
> >
> > - the others are not important, but I think useful
> >
> > - and I missed one (faccess2); amending to patch series
>
> I can live with that, modulo couple of trivial nits.  Have you tested the
> /proc/mounts part for what happens if it's opened shitloads of times,
> with each instance lseek'ed a bit forward (all to the same position, that
> is)?  That, in principle, allows an unpriveleged user to pile a lot of list
> entries and cause serious looping under a spinlock...

Hmm, indeed.

Did some testing: a single loop takes on the order of 40ns.  To
trigger the soft lockup detector it would take 20s/40ns=500M cursors.
Each new cursor is added after the existing ones, so inserting 500M
cursors would take 40ns*500M^2/2 = ~158 years.  That's obviously not a
great way to DoS the system.

I understand that 100ms could be a serious problem in some cases, but
even that would take 34 hours to set up.

Is less than that still a worry?   I don't really know how much effort
is needed (if at all) in order to make this a non-issue.

Thanks,
Miklos