From: Ira Weiny <ira.weiny@intel.com>
To: Jan Kara <jack@suse.cz>
Cc: Jeff Layton <jlayton@kernel.org>,
linux-fsdevel@vger.kernel.org, linux-xfs@vger.kernel.org,
linux-ext4@vger.kernel.org, linux-rdma@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-nvdimm@lists.01.org,
linux-mm@kvack.org, Dave Chinner <david@fromorbit.com>,
Theodore Ts'o <tytso@mit.edu>, John Hubbard <jhubbard@nvidia.com>,
Jason Gunthorpe <jgg@ziepe.ca>
Subject: Re: Lease semantic proposal
Date: Thu, 3 Oct 2019 10:05:23 -0700 [thread overview]
Message-ID: <20191003170523.GC31174@iweiny-DESK2.sc.intel.com> (raw)
In-Reply-To: <20191003090110.GC17911@quack2.suse.cz>
On Thu, Oct 03, 2019 at 11:01:10AM +0200, Jan Kara wrote:
> On Tue 01-10-19 11:17:00, Ira Weiny wrote:
> > On Mon, Sep 23, 2019 at 04:17:59PM -0400, Jeff Layton wrote:
> > > On Mon, 2019-09-23 at 12:08 -0700, Ira Weiny wrote:
> > >
> > > Will userland require any special privileges in order to set an
> > > F_UNBREAK lease? This seems like something that could be used for DoS. I
> > > assume that these will never time out.
> >
> > Dan and I discussed this some more and yes I think the uid of the process needs
> > to be the owner of the file. I think that is a reasonable mechanism.
>
> Honestly, I'm not convinced anything more than open-for-write should be
> required. Sure unbreakable lease may result in failing truncate and other
> ops but as we discussed at LFS/MM, this is not hugely different from
> executing a file resulting in ETXTBUSY for any truncate attempt (even from
> root). So sufficiently priviledged user has to be able to easily find which
> process(es) owns the lease so that he can kill it / take other
> administrative action to release the lease. But that's about it.
Well that was kind of what I was thinking. However I wanted to be careful
about requiring write permission when doing a F_RDLCK. I think that it has to
be clearly documented _why_ write permission is required.
>
> > > How will we deal with the case where something is is squatting on an
> > > F_UNBREAK lease and isn't letting it go?
> >
> > That is a good question. I had not considered someone taking the UNBREAK
> > without pinning the file.
>
> IMHO the same answer as above - sufficiently priviledged user should be
> able to easily find the process holding the lease and kill it. Given the
> lease owner has to have write access to the file, he better should be from
> the same "security domain"...
>
> > > Leases are technically "owned" by the file description -- we can't
> > > necessarily trace it back to a single task in a threaded program. The
> > > kernel task that set the lease may have exited by the time we go
> > > looking.
> > >
> > > Will we be content trying to determine this using /proc/locks+lsof, etc,
> > > or will we need something better?
> >
> > I think using /proc/locks is our best bet. Similar to my intention to report
> > files being pinned.[1]
> >
> > In fact should we consider files with F_UNBREAK leases "pinned" and just report
> > them there?
>
> As Jeff wrote later, /proc/locks is not enough. You need PID(s) which have
> access to the lease and hold it alive. Your /proc/<pid>/ files you had in your
> patches should do that, shouldn't they? Maybe they were not tied to the
> right structure... They really need to be tied to the existence of a lease.
Yes, sorry. I misspoke above.
Right now /proc/<pid>/file_pins indicates that the file is pinned by GUP. I
think it may be reasonable to extend that to any file which has F_UNBREAK
specified. 'file_pins' may be the wrong name when we include F_UNBREAK'ed
leased files, so I will think on the name. But I think this is possible and
desired.
Ira
_______________________________________________
Linux-nvdimm mailing list -- linux-nvdimm@lists.01.org
To unsubscribe send an email to linux-nvdimm-leave@lists.01.org
next prev parent reply other threads:[~2019-10-03 17:05 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-23 19:08 Lease semantic proposal Ira Weiny
2019-09-23 20:17 ` Jeff Layton
2019-10-01 18:17 ` Ira Weiny
2019-10-02 12:28 ` Jeff Layton
2019-10-02 19:27 ` J. Bruce Fields
2019-10-02 20:35 ` Jeff Layton
2019-10-03 8:43 ` Jan Kara
2019-10-03 15:37 ` J. Bruce Fields
2020-01-21 0:56 ` Steve French
2019-10-03 9:01 ` Jan Kara
2019-10-03 17:05 ` Ira Weiny [this message]
2019-09-23 22:26 ` Dave Chinner
2019-09-25 23:46 ` Ira Weiny
2019-09-26 11:29 ` Jeff Layton
2019-09-30 8:42 ` Dave Chinner
2019-10-01 21:01 ` Ira Weiny
2019-10-02 13:07 ` Dan Williams
2019-10-10 10:39 ` Dave Chinner
2019-10-04 7:51 ` Jan Kara
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191003170523.GC31174@iweiny-DESK2.sc.intel.com \
--to=ira.weiny@intel.com \
--cc=david@fromorbit.com \
--cc=jack@suse.cz \
--cc=jgg@ziepe.ca \
--cc=jhubbard@nvidia.com \
--cc=jlayton@kernel.org \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-nvdimm@lists.01.org \
--cc=linux-rdma@vger.kernel.org \
--cc=linux-xfs@vger.kernel.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).