From: Al Viro <viro@zeniv.linux.org.uk>
To: Eric Biggers <ebiggers@kernel.org>
Cc: linux-fscrypt@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-ext4@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net,
linux-mtd@lists.infradead.org, linux-unionfs@vger.kernel.org,
Sarthak Kukreti <sarthakkukreti@chromium.org>,
Gao Xiang <gaoxiang25@huawei.com>
Subject: Re: [PATCH 1/5] fscrypt: clean up and improve dentry revalidation
Date: Mon, 18 Mar 2019 21:25:22 +0000 [thread overview]
Message-ID: <20190318212522.GI2217@ZenIV.linux.org.uk> (raw)
In-Reply-To: <20190318202948.GD194307@gmail.com>
On Mon, Mar 18, 2019 at 01:29:49PM -0700, Eric Biggers wrote:
> On Sun, Mar 17, 2019 at 08:38:22PM +0000, Al Viro wrote:
> > On Sun, Mar 17, 2019 at 01:04:40PM -0700, Eric Biggers wrote:
> > > + /*
> > > + * Ciphertext name; valid if the directory's key is still unavailable.
> > > + *
> > > + * Note: since fscrypt forbids rename() on ciphertext names, it should
> > > + * be safe to access ->d_parent directly here.
> >
> > No, it is not. Again, d_splice_alias() on buggered fs image picking a reference
> > to your subdirectory when doing a lookup elsewhere. It can relocate the
> > damn thing, without rename() being allowed for _anything_.
>
> You're talking about directory hard links, right?
In case of corrupted fs image - yes; the same can happen if you have a network
filesystem with subdirectory moved around on server at the same time, but
there you'll need a lot more elaborate ->d_revalidate() anyway.
Directory hardlinks are certainly not allowed; however, we need the kernel
to survive when it runs into that kind of crap on disk...
next prev parent reply other threads:[~2019-03-18 21:25 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-17 20:04 [PATCH 0/5] fscrypt: d_revalidate fixes and cleanups Eric Biggers
2019-03-17 20:04 ` [PATCH 1/5] fscrypt: clean up and improve dentry revalidation Eric Biggers
2019-03-17 20:38 ` Al Viro
2019-03-18 20:29 ` Eric Biggers
2019-03-18 21:25 ` Al Viro [this message]
2019-03-17 20:04 ` [PATCH 2/5] fscrypt: fix race allowing rename() and link() of ciphertext dentries Eric Biggers
2019-03-17 20:04 ` [PATCH 3/5] fs, fscrypt: clear DCACHE_ENCRYPTED_NAME when unaliasing directory Eric Biggers
2019-03-17 20:04 ` [PATCH 4/5] fscrypt: only set dentry_operations on ciphertext dentries Eric Biggers
2019-03-17 20:04 ` [PATCH 5/5] fscrypt: fix race where ->lookup() marks plaintext dentry as ciphertext Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190318212522.GI2217@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=ebiggers@kernel.org \
--cc=gaoxiang25@huawei.com \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-f2fs-devel@lists.sourceforge.net \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-mtd@lists.infradead.org \
--cc=linux-unionfs@vger.kernel.org \
--cc=sarthakkukreti@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).