Message ID | 4D6221B8.9040303@gmail.com |
---|---|
State | Superseded, archived |
On Mon, Feb 21, 2011 at 09:26:32AM +0100, Marco Stornelli wrote:
> From: Marco Stornelli <marco.stornelli@gmail.com>
>
> All fs must check for the immutable flag in their fallocate callback.
> It's possible to have a race condition in this scenario: an application
> opens a file in read/write and it does something, meanwhile root sets the
> immutable flag on the file, the application at that point can call
> fallocate with success. Only Ocfs2 checks for the immutable flag at the
> moment.

Please add the check in fs/open.c:do_fallocate() so that it covers all
filesystems.

--
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

2011/2/21 Christoph Hellwig <hch@infradead.org>:
> On Mon, Feb 21, 2011 at 09:26:32AM +0100, Marco Stornelli wrote:
>> From: Marco Stornelli <marco.stornelli@gmail.com>
>>
>> All fs must check for the immutable flag in their fallocate callback.
>> It's possible to have a race condition in this scenario: an application
>> opens a file in read/write and it does something, meanwhile root sets the
>> immutable flag on the file, the application at that point can call
>> fallocate with success. Only Ocfs2 checks for the immutable flag at the
>> moment.
>
> Please add the check in fs/open.c:do_fallocate() so that it covers all
> filesystems.
>

The check should be done after the fs got the inode mutex lock.

Marco

On 21/02/2011 09:26, Marco Stornelli wrote:
> From: Marco Stornelli <marco.stornelli@gmail.com>
>
> All fs must check for the immutable flag in their fallocate callback.
> It's possible to have a race condition in this scenario: an application
> opens a file in read/write and it does something, meanwhile root sets the
> immutable flag on the file, the application at that point can call
> fallocate with success. Only Ocfs2 checks for the immutable flag at the
> moment.
>
> Signed-off-by: Marco Stornelli <marco.stornelli@gmail.com>

No comments?

On Mon, Feb 21, 2011 at 05:50:21PM +0100, Marco Stornelli wrote:
> 2011/2/21 Christoph Hellwig <hch@infradead.org>:
> > On Mon, Feb 21, 2011 at 09:26:32AM +0100, Marco Stornelli wrote:
> >> From: Marco Stornelli <marco.stornelli@gmail.com>
> >>
> >> All fs must check for the immutable flag in their fallocate callback.
> >> It's possible to have a race condition in this scenario: an application
> >> opens a file in read/write and it does something, meanwhile root sets the
> >> immutable flag on the file, the application at that point can call
> >> fallocate with success. Only Ocfs2 checks for the immutable flag at the
> >> moment.
> >
> > Please add the check in fs/open.c:do_fallocate() so that it covers all
> > filesystems.
> >
>
> The check should be done after the fs got the inode mutex lock.

Why? None of the other places which check the IMMUTABLE flag do so
under the inode mutex lock. Yes, it's true that we're not properly
doing proper locking when updating i_flags from the ioctl (this is
true for all file systems), but this has been true for quite some
time, and using a mutex to protect bit set/clear/test operations would
be like using a sledgehammer to kill a fly.

A proper fix if we want to be completely correct about updates to
i_flags would involve using test_bit, set_bit, and clear_bit, which are
guaranteed to be atomic. This is how we update the
ext4_inode_info->i_flags (which is different from inode->i_flags) (see
the definition and use of EXT4_INODE_BIT_FNS in fs/ext4/ext4.h).

At some point, it would be good to fix how we set/get i_flags values,
but that's independent of the change that's being discussed here.

- Ted

2011/2/27 Ted Ts'o <tytso@mit.edu>:
> On Mon, Feb 21, 2011 at 05:50:21PM +0100, Marco Stornelli wrote:
>> 2011/2/21 Christoph Hellwig <hch@infradead.org>:
>> > On Mon, Feb 21, 2011 at 09:26:32AM +0100, Marco Stornelli wrote:
>> >> From: Marco Stornelli <marco.stornelli@gmail.com>
>> >>
>> >> All fs must check for the immutable flag in their fallocate callback.
>> >> It's possible to have a race condition in this scenario: an application
>> >> opens a file in read/write and it does something, meanwhile root sets the
>> >> immutable flag on the file, the application at that point can call
>> >> fallocate with success. Only Ocfs2 checks for the immutable flag at the
>> >> moment.
>> >
>> > Please add the check in fs/open.c:do_fallocate() so that it covers all
>> > filesystems.
>> >
>>
>> The check should be done after the fs got the inode mutex lock.
>
> Why? None of the other places which check the IMMUTABLE flag do so
> under the inode mutex lock. Yes, it's true that we're not properly
> doing proper locking when updating i_flags from the ioctl (this is
> true for all file systems), but this has been true for quite some
> time, and using a mutex to protect bit set/clear/test operations would
> be like using a sledgehammer to kill a fly.
>
> A proper fix if we want to be completely correct about updates to
> i_flags would involve using test_bit, set_bit, and clear_bit, which are
> guaranteed to be atomic. This is how we update the
> ext4_inode_info->i_flags (which is different from inode->i_flags) (see
> the definition and use of EXT4_INODE_BIT_FNS in fs/ext4/ext4.h).
>
> At some point, it would be good to fix how we set/get i_flags values,
> but that's independent of the change that's being discussed here.
>
> - Ted
>

I was thinking of the possible race with the setattr callback.

Marco

On 27/02/2011 23:49, Ted Ts'o wrote:
> On Mon, Feb 21, 2011 at 05:50:21PM +0100, Marco Stornelli wrote:
>> 2011/2/21 Christoph Hellwig <hch@infradead.org>:
>>> On Mon, Feb 21, 2011 at 09:26:32AM +0100, Marco Stornelli wrote:
>>>> From: Marco Stornelli <marco.stornelli@gmail.com>
>>>>
>>>> All fs must check for the immutable flag in their fallocate callback.
>>>> It's possible to have a race condition in this scenario: an application
>>>> opens a file in read/write and it does something, meanwhile root sets the
>>>> immutable flag on the file, the application at that point can call
>>>> fallocate with success. Only Ocfs2 checks for the immutable flag at the
>>>> moment.
>>>
>>> Please add the check in fs/open.c:do_fallocate() so that it covers all
>>> filesystems.
>>>
>>
>> The check should be done after the fs got the inode mutex lock.
>
> Why? None of the other places which check the IMMUTABLE flag do so

I add to my previous response another point: IMHO each fs should check
for it because after the inclusion of the punch hole patch, the fs
can/cannot check for the append-only flag. So XFS (it supports the
"unreserve") should check even for append. I think we don't want to
allow this operation for an append-only file, isn't it? About this
point I'll update and resend my patch.

Marco

--- linux-2.6.38-rc5-orig/fs/ext4/extents.c 2011-02-16 04:23:45.000000000 +0100 +++ linux-2.6.38-rc5/fs/ext4/extents.c 2011-02-21 08:43:37.000000000 +0100 @@ -3670,6 +3670,12 @@ long ext4_fallocate(struct file *file, i */ credits = ext4_chunk_trans_blocks(inode, max_blocks); mutex_lock(&inode->i_mutex); + + if (IS_IMMUTABLE(inode)) { + mutex_unlock(&inode->i_mutex); + return -EPERM; + } + ret = inode_newsize_ok(inode, (len + offset)); if (ret) { mutex_unlock(&inode->i_mutex); --- linux-2.6.38-rc5-orig/fs/btrfs/file.c 2011-02-16 04:23:45.000000000 +0100 +++ linux-2.6.38-rc5/fs/btrfs/file.c 2011-02-21 08:55:58.000000000 +0100 @@ -1289,6 +1289,12 @@ static long btrfs_fallocate(struct file btrfs_wait_ordered_range(inode, alloc_start, alloc_end - alloc_start); mutex_lock(&inode->i_mutex); + + if (IS_IMMUTABLE(inode)) { + ret = -EPERM; + goto out; + } + ret = inode_newsize_ok(inode, alloc_end); if (ret) goto out; --- linux-2.6.38-rc5-orig/fs/xfs/linux-2.6/xfs_file.c 2011-02-16 04:23:45.000000000 +0100 +++ linux-2.6.38-rc5/fs/xfs/linux-2.6/xfs_file.c 2011-02-21 09:07:46.000000000 +0100 @@ -909,6 +909,11 @@ xfs_file_fallocate( if (mode & FALLOC_FL_PUNCH_HOLE) cmd = XFS_IOC_UNRESVSP; + if (IS_IMMUTABLE(inode)) { + error = -EPERM; + goto out_unlock; + } + /* check the new inode size is valid before allocating */ if (!(mode & FALLOC_FL_KEEP_SIZE) && offset + len > i_size_read(inode)) { --- linux-2.6.38-rc5-orig/fs/gfs2/file.c 2011-02-16 04:23:45.000000000 +0100 +++ linux-2.6.38-rc5/fs/gfs2/file.c 2011-02-21 09:09:17.000000000 +0100 @@ -797,6 +797,11 @@ static long gfs2_fallocate(struct file * if (unlikely(error)) goto out_uninit; + if (IS_IMMUTABLE(inode)) { + error = -EPERM; + goto out_unlock; + } + if (!gfs2_write_alloc_required(ip, offset, len)) goto out_unlock;
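Review bot: the IS_IMMUTABLE(inode) test in the ext4_fallocate hunk belongs in the common fs/open.c:do_fallocate() path rather than after mutex_lock(&inode->i_mutex) in each callback. With per-filesystem copies, any fallocate implementation this patch does not touch stays unchecked, and ext4 has already computed the transaction credits and taken the lock before it rejects the call. A single test in do_fallocate(), as requested in the thread, would also make this unlock-and-return block unnecessary. If the placement under i_mutex is deliberate because of the setattr race mentioned in the discussion, the commit message should say so.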
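Review bot: in the btrfs_fallocate hunk the immutable test runs only after btrfs_wait_ordered_range(inode, alloc_start, alloc_end - alloc_start), so a call that is going to fail with -EPERM still waits on ordered extents first. Move the test ahead of that wait, or into the common entry point, so the request is rejected before any work is done. The "goto out" path is not visible in this hunk; it is assumed to drop i_mutex as it does for the inode_newsize_ok() failure just below, which is worth confirming.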
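Review bot: the xfs_file_fallocate hunk tests only IS_IMMUTABLE(inode), directly after the FALLOC_FL_PUNCH_HOLE branch that selects XFS_IOC_UNRESVSP, so punching a hole in an append-only file is still permitted. Since this is the one filesystem in the patch where the punch-hole mode is visibly handled, the hunk should also reject that mode when IS_APPEND(inode) is set, as the follow-up in the thread proposes. Unlike the ext4 and btrfs hunks, no lock acquisition is visible above the added lines, so please confirm that out_unlock is the correct label at this point in the function.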