From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
To: Dominique Martinet <asmadeus@codewreck.org>,
Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Christian Schoenebeck <linux_oss@crudebyte.com>,
Eric Van Hensbergen <ericvh@gmail.com>,
Latchesar Ionkov <lucho@ionkov.net>,
syzbot <syzbot+8b41a1365f1106fd0f33@syzkaller.appspotmail.com>,
v9fs-developer@lists.sourceforge.net,
syzkaller-bugs@googlegroups.com, netdev@vger.kernel.org,
linux-fsdevel <linux-fsdevel@vger.kernel.org>
Subject: Re: [PATCH v2] 9p/trans_fd: perform read/write with TIF_SIGPENDING set
Date: Fri, 7 Oct 2022 20:52:44 +0900 [thread overview]
Message-ID: <0362d03f-9332-0b37-02e0-2b1b169f4c6f@I-love.SAKURA.ne.jp> (raw)
In-Reply-To: <Yz+Di8tJiyPPJUaK@codewreck.org>
On 2022/10/07 10:40, Dominique Martinet wrote:
> Tetsuo Handa wrote on Sun, Sep 04, 2022 at 09:27:22AM +0900:
>> On 2022/09/04 8:39, Dominique Martinet wrote:
>>> Is there any reason you spent time working on v2, or is that just
>>> theorical for not messing with userland fd ?
>>
>> Just theoretical for not messing with userland fd, for programs generated
>> by fuzzers might use fds passed to the mount() syscall. I imagined that
>> syzbot again reports this problem when it started playing with fcntl().
>>
>> For robustness, not messing with userland fd is the better. ;-)
>
> By the way digging this back made me think about this a bit again.
> My opinion hasn't really changed that if you want to shoot yourself in
> the foot I don't think we're crossing any priviledge boundary here, but
> we could probably prevent it by saying the mount call with close that fd
> and somehow steal it? (drop the fget, close_fd after get_file perhaps?)
>
> That should address your concern about robustess and syzbot will no
> longer be able to play with fcntl on "our" end of the pipe. I think it's
> fair to say that once you pass it to the kernel all bets are off, so
> closing it for the userspace application could make sense, and the mount
> already survives when short processes do the mount call and immediately
> exit so it's not like we need that fd to be open...
>
>
> What do you think?
I found that pipe is using alloc_file_clone() which allocates "struct file"
instead of just incrementing "struct file"->f_count.
Then, can we add EXPORT_SYMBOL_GPL(alloc_file_clone) to fs/file_table.c and
use it like
struct file *f;
ts->rd = fget(rfd);
if (!ts->rd)
goto out_free_ts;
if (!(ts->rd->f_mode & FMODE_READ))
goto out_put_rd;
f = alloc_file_clone(ts->rd, ts->rd->f_flags | O_NONBLOCK, ts->rd->f_op);
if (IS_ERR(f))
goto out_put_rd;
fput(ts->rd);
ts->rd = f;
ts->wr = fget(wfd);
if (!ts->wr)
goto out_put_rd;
if (!(ts->wr->f_mode & FMODE_WRITE))
goto out_put_wr;
f = alloc_file_clone(ts->wr, ts->wr->f_flags | O_NONBLOCK, ts->wr->f_op);
if (IS_ERR(f))
goto out_put_wr;
fput(ts->wr);
ts->wr = f;
from p9_fd_open() for cloning "struct file" with O_NONBLOCK flag added?
Just an idea. I don't know whether alloc_file_clone() arguments are correct...
next prev parent reply other threads:[~2022-10-07 11:53 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-30 19:28 INFO: task hung in p9_fd_close syzbot
2019-09-21 16:19 ` syzbot
2022-08-26 15:27 ` [PATCH] 9p/trans_fd: always use O_NONBLOCK read/write Tetsuo Handa
2022-08-27 6:11 ` [PATCH v2] 9p/trans_fd: perform read/write with TIF_SIGPENDING set Tetsuo Handa
2022-09-01 15:23 ` Christian Schoenebeck
2022-09-01 22:25 ` Tetsuo Handa
2022-09-03 23:39 ` Dominique Martinet
2022-09-04 0:27 ` Tetsuo Handa
2022-10-07 1:40 ` Dominique Martinet
2022-10-07 11:52 ` Tetsuo Handa [this message]
2022-10-06 14:55 ` [PATCH] 9p/trans_fd: always use O_NONBLOCK read/write Christian Schoenebeck
2022-10-07 1:03 ` Dominique Martinet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0362d03f-9332-0b37-02e0-2b1b169f4c6f@I-love.SAKURA.ne.jp \
--to=penguin-kernel@i-love.sakura.ne.jp \
--cc=asmadeus@codewreck.org \
--cc=ericvh@gmail.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux_oss@crudebyte.com \
--cc=lucho@ionkov.net \
--cc=netdev@vger.kernel.org \
--cc=syzbot+8b41a1365f1106fd0f33@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=v9fs-developer@lists.sourceforge.net \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).