From: Aleksa Sarai <cyphar@cyphar.com>
To: Al Viro <viro@zeniv.linux.org.uk>
Cc: Song Liu <songliubraving@fb.com>,
linux-ia64@vger.kernel.org, linux-doc@vger.kernel.org,
Peter Zijlstra <peterz@infradead.org>,
Rasmus Villemoes <linux@rasmusvillemoes.dk>,
Alexei Starovoitov <ast@kernel.org>,
linux-kernel@vger.kernel.org, David Howells <dhowells@redhat.com>,
linux-kselftest@vger.kernel.org, sparclinux@vger.kernel.org,
containers@lists.linux-foundation.org,
Christian Brauner <christian.brauner@ubuntu.com>,
linux-api@vger.kernel.org, Shuah Khan <shuah@kernel.org>,
linux-arch@vger.kernel.org, linux-s390@vger.kernel.org,
Tycho Andersen <tycho@tycho.ws>,
Daniel Borkmann <daniel@iogearbox.net>,
Jonathan Corbet <corbet@lwn.net>, Jiri Olsa <jolsa@redhat.com>,
linux-sh@vger.kernel.org,
Alexander Shishkin <alexander.shishkin@linux.intel.com>,
Ingo Molnar <mingo@redhat.com>,
linux-arm-kernel@lists.infradead.org, Yonghong Song <yhs@fb.com>,
linux-mips@vger.kernel.org, Andrii Nakryiko <andriin@fb.com>,
bpf@vger.kernel.org, linux-xtensa@linux-xtensa.org,
Kees Cook <keescook@chromium.org>, Arnd Bergmann <arnd@arndb.de>,
Jann Horn <jannh@google.com>,
linuxppc-dev@lists.ozlabs.org, dev@opencontainers.org,
linux-m68k@lists.linux-m68k.org,
Andy Lutomirski <luto@kernel.org>,
Shuah Khan <skhan@linuxfoundation.org>,
Namhyung Kim <namhyung@kernel.org>,
David Drysdale <drysdale@google.com>,
Christian Brauner <christian@brauner.io>,
"J. Bruce Fields" <bfields@fieldses.org>,
libc-alpha@sourceware.org, Aleksa Sarai <asarai@suse.de>,
linux-parisc@vger.kernel.org, netdev@vger.kernel.org,
Chanho Min <chanho.min@lge.com>, Jeff Layton <jlayton@kernel.org>,
Oleg Nesterov <oleg@redhat.com>,
Eric Biederman <ebiederm@xmission.com>,
linux-alpha@vger.kernel.org, linux-fsdevel@vger.kernel.org,
Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Martin KaFai Lau <kafai@fb.com>
Subject: Re: [PATCH v17 10/13] namei: LOOKUP_{IN_ROOT,BENEATH}: permit limited ".." resolution
Date: Thu, 28 Nov 2019 21:10:23 +1100
Message-ID: <20191128101023.zozsfq4kbhjyethg@yavin.dot.cyphar.com>
In-Reply-To: <20191125132145.btaxuurs2w3ldyxf@yavin.dot.cyphar.com>
On 2019-11-26, Aleksa Sarai <cyphar@cyphar.com> wrote:
> On 2019-11-25, Al Viro <viro@zeniv.linux.org.uk> wrote:
> > On Sun, Nov 17, 2019 at 12:17:10PM +1100, Aleksa Sarai wrote:
> > > + if (unlikely(nd->flags & LOOKUP_IS_SCOPED)) {
> > > + /*
> > > + * If there was a racing rename or mount along our
> > > + * path, then we can't be sure that ".." hasn't jumped
> > > + * above nd->root (and so userspace should retry or use
> > > + * some fallback).
> > > + */
> > > + if (unlikely(read_seqretry(&mount_lock, nd->m_seq)))
> > > + return -EAGAIN;
> > > + if (unlikely(read_seqretry(&rename_lock, nd->r_seq)))
> > > + return -EAGAIN;
> > > + }
> >
> > Looks like excessive barriers to me - it's
> > rmb
> > check mount_lock.sequence
> > rmb
> > check rename_lock.sequence
>
> If you like, I can switch this to
>
> smp_rmb();
> if (unlikely(__read_seqcount_retry(&mount_lock.seqcount, nd->m_seq)))
> return -EAGAIN;
> if (unlikely(__read_seqcount_retry(&rename_lock.seqcount, nd->r_seq)))
> return -EAGAIN;
>
> Though I think it makes it more noisy (and this code-path will only be
> hit for ".." and LOOKUP_IS_SCOPED).
>
> > > @@ -2266,6 +2274,10 @@ static const char *path_init(struct nameidata *nd, unsigned flags)
> > > nd->last_type = LAST_ROOT; /* if there are only slashes... */
> > > nd->flags = flags | LOOKUP_JUMPED | LOOKUP_PARENT;
> > > nd->depth = 0;
> > > +
> > > + nd->m_seq = read_seqbegin(&mount_lock);
> > > + nd->r_seq = read_seqbegin(&rename_lock);
> >
> > Same here, pretty much (fetch/rmb/fetch/rmb)
>
> Unless I'm mistaken, wouldn't we have to do
> seqcount_lockdep_reader_access() explicitly -- so it would end up
> looking something like:
>
> seqcount_lockdep_reader_access(&mount_lock.seqcount);
> nd->m_seq = __read_seqcount_begin(&mount_lock.seqcount);
> seqcount_lockdep_reader_access(&rename_lock.seqcount);
> nd->r_seq = __read_seqcount_begin(&rename_lock.seqcount);
> smp_rmb();
Actually, looking at it again (unless I'm mistaken), the following should
be acceptable, and it also avoids the extra fetch+rmb of mount_lock for
LOOKUP_ROOT. The only downside is that we don't get lockdep information,
but path_init() already ignores lockdep when grabbing d_seq.
I will include the following in v18, but let me know if I'm missing
something obvious:
>>	nd->m_seq = __read_seqcount_begin(&mount_lock.seqcount);
>>	nd->r_seq = __read_seqcount_begin(&rename_lock.seqcount);
>>	smp_rmb();
	if (flags & LOOKUP_ROOT) {
		struct dentry *root = nd->root.dentry;
		struct inode *inode = root->d_inode;
		if (*s && unlikely(!d_can_lookup(root)))
			return ERR_PTR(-ENOTDIR);
		nd->path = nd->root;
		nd->inode = inode;
		if (flags & LOOKUP_RCU) {
>>			nd->seq = raw_read_seqcount_begin(&nd->path.dentry->d_seq);
			nd->root_seq = nd->seq;
		} else {
			path_get(&nd->path);
		}
		return s;
	}
I could also move the smp_rmb() to after LOOKUP_ROOT (and add an
smp_rmb() at the end of LOOKUP_ROOT) which would avoid a double-rmb for
LOOKUP_ROOT -- but it makes it harder to read IMHO.
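For anyone reading along without the seqlock internals paged in, the
"fetch, fetch, one rmb" shape discussed above can be modelled in
userspace roughly as follows. This is only a sketch under assumptions:
every toy_* name is hypothetical and not kernel API, C11 atomics stand in
for the kernel's seqcount helpers, and an acquire fence is used as an
approximation of smp_rmb().

```c
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>

/* Hypothetical userspace stand-in for a kernel seqcount. */
struct toy_seqcount {
	atomic_uint sequence;
};

/* Stand-ins for mount_lock and rename_lock (both start at 0). */
static struct toy_seqcount toy_mount_lock, toy_rename_lock;

/* Stand-in for the nd->m_seq / nd->r_seq pair. */
struct toy_lookup {
	unsigned int m_seq;
	unsigned int r_seq;
};

/* Models a barrier-less begin: spin until no writer is active. */
static inline unsigned int toy_read_begin_nobarrier(struct toy_seqcount *s)
{
	unsigned int seq;

	do {
		seq = atomic_load_explicit(&s->sequence, memory_order_relaxed);
	} while (seq & 1);
	return seq;
}

/* Models a barrier-less retry check: plain comparison only. */
static inline bool toy_read_retry_nobarrier(struct toy_seqcount *s,
					    unsigned int start)
{
	return atomic_load_explicit(&s->sequence, memory_order_relaxed) != start;
}

/* Approximation of smp_rmb(); an acquire fence is somewhat stronger. */
static inline void toy_rmb(void)
{
	atomic_thread_fence(memory_order_acquire);
}

/* Single-writer update: odd while in progress, even when done. */
static inline void toy_write(struct toy_seqcount *s)
{
	atomic_fetch_add_explicit(&s->sequence, 1, memory_order_relaxed);
	atomic_thread_fence(memory_order_release);
	/* the protected data would be modified here */
	atomic_fetch_add_explicit(&s->sequence, 1, memory_order_release);
}

/* Sample both counters, then issue one barrier covering both fetches. */
static inline void toy_sample(struct toy_lookup *nd)
{
	nd->m_seq = toy_read_begin_nobarrier(&toy_mount_lock);
	nd->r_seq = toy_read_begin_nobarrier(&toy_rename_lock);
	toy_rmb();
}

/* One barrier, then both checks; -EAGAIN if either counter moved. */
static inline int toy_check(const struct toy_lookup *nd)
{
	toy_rmb();
	if (toy_read_retry_nobarrier(&toy_mount_lock, nd->m_seq))
		return -EAGAIN;
	if (toy_read_retry_nobarrier(&toy_rename_lock, nd->r_seq))
		return -EAGAIN;
	return 0;
}
```

A caller in this model would take a snapshot with toy_sample(), do its
walk, and treat -EAGAIN from toy_check() as "retry or use some fallback",
the same contract the patch gives userspace.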
--
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>