From: David Howells
To: Jann Horn
Cc: dhowells@redhat.com, Al Viro, Linux API, Linus Torvalds, linux-fsdevel@vger.kernel.org, kernel list
Subject: Re: [PATCH 29/38] vfs: syscall: Add fsconfig() for configuring and managing a context [ver #10]
Date: Mon, 30 Jul 2018 13:32:35 +0100
Message-ID: <26455.1532953955@warthog.procyon.org.uk>
References: <153271267980.9458.7640156373438016898.stgit@warthog.procyon.org.uk> <153271287586.9458.6001928723332685410.stgit@warthog.procyon.org.uk> <19865.1532854200@warthog.procyon.org.uk>
Organization: Red Hat UK Ltd.
List: linux-kernel@vger.kernel.org

Jann Horn wrote:

> > > This means that a namespace admin (iow, an unprivileged user) can
> > > allocate 1MB of unswappable kmalloc memory per userspace task, right?
> > > Using userfaultfd or FUSE, you can then stall the task as long as you
> > > want while it has that allocation. Is that problematic, or is that
> > > normal?
> >
> > That's not exactly the case. A userspace task can make a temporary
> > allocation, but unless the filesystem grabs it, it's released again on exit
> > from the system call.
>
> That's what I said.

Sorry, I wasn't clear what you meant.
I assumed you were thinking it was then automatically attached to the
context, say:

	fd = fsopen("fuse", 0);
	fsconfig(fd, fsconfig_set_binary, "foo", buffer, size);

> Each userspace task can make a 1MB allocation by calling this syscall, and
> this temporary allocation stays allocated until the end of the syscall. But
> the runtime of the syscall is unbounded - even just the memdup_user_nul()
> can stall forever if the copy_from_user() call inside it faults on e.g. a
> userfault region or a memory-mapped file from a FUSE filesystem.

Okay, I see what you're getting at.

Note that this affects other syscalls too, keyctl, module loading and read()
with readahead for example.

Not sure what the answer should be.

David
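The fsopen()/fsconfig() sketch in the message above is a fragment. What follows is an added example, not code from the thread or from the patch series: a complete user-space driver for the new mount API, built on raw syscall(2) so it needs no glibc wrappers. It assumes the ABI as merged in Linux 5.2 (syscall numbers 430-432 are the same on every architecture; the command constants are spelled FSCONFIG_SET_STRING, FSCONFIG_CMD_CREATE and so on, whereas the v10 patch under discussion spells them in lower case). The EX_-prefixed constants, the sys_* wrappers, binary_value_ok() and mount_private_tmpfs() are all this example's own names. binary_value_ok() mirrors the bound the thread discusses: a FSCONFIG_SET_BINARY value must be non-empty and at most 1MB, which is also the amount of kmalloc memory a caller can hold for the duration of the call.

```c
/* Added example: exercise the fsopen()/fsconfig()/fsmount() sequence
 * discussed in the thread. Assumes the Linux 5.2 ABI; EX_* names are ours. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/vfs.h>

/* Syscall numbers are architecture-independent for these (Linux >= 5.2). */
#ifndef __NR_fsopen
#define __NR_fsopen   430
#endif
#ifndef __NR_fsconfig
#define __NR_fsconfig 431
#endif
#ifndef __NR_fsmount
#define __NR_fsmount  432
#endif

#define EX_FSOPEN_CLOEXEC      0x00000001
#define EX_FSMOUNT_CLOEXEC     0x00000001
#define EX_FSCONFIG_SET_STRING 1    /* merged name; v10 patch: fsconfig_set_string */
#define EX_FSCONFIG_SET_BINARY 2    /* merged name; v10 patch: fsconfig_set_binary */
#define EX_FSCONFIG_CMD_CREATE 6    /* merged name; v10 patch: fsconfig_cmd_create */
#define EX_TMPFS_MAGIC         0x01021994
#define EX_BINARY_MAX          (1024 * 1024)   /* the 1MB cap discussed above */

static long sys_fsopen(const char *fs, unsigned flags)
{
    return syscall(__NR_fsopen, fs, flags);
}

static long sys_fsconfig(int fd, unsigned cmd, const char *key,
                         const void *value, int aux)
{
    return syscall(__NR_fsconfig, fd, cmd, key, value, aux);
}

static long sys_fsmount(int fd, unsigned flags, unsigned attr)
{
    return syscall(__NR_fsmount, fd, flags, attr);
}

/* User-space pre-check mirroring the kernel's bound on FSCONFIG_SET_BINARY:
 * a blob must be non-empty and at most 1MB, otherwise the kernel returns
 * EINVAL. Returns 1 if a blob of this length would be accepted, else 0. */
int binary_value_ok(size_t len)
{
    return len > 0 && len <= EX_BINARY_MAX;
}

/* Create a private tmpfs with the given "size" option and verify it via
 * fstatfs() on the mount fd, without attaching it anywhere in the tree.
 * Returns 0 on success or a positive errno: EPERM when unprivileged,
 * ENOSYS on kernels before 5.2 or under a seccomp filter that denies it. */
int mount_private_tmpfs(const char *size_opt)
{
    long fsfd = sys_fsopen("tmpfs", EX_FSOPEN_CLOEXEC);
    if (fsfd < 0)
        return errno;

    int err = 0;
    if (sys_fsconfig((int)fsfd, EX_FSCONFIG_SET_STRING, "size", size_opt, 0) < 0 ||
        sys_fsconfig((int)fsfd, EX_FSCONFIG_CMD_CREATE, NULL, NULL, 0) < 0)
        err = errno;

    long mfd = -1;
    if (!err) {
        mfd = sys_fsmount((int)fsfd, EX_FSMOUNT_CLOEXEC, 0);
        if (mfd < 0)
            err = errno;
    }
    close((int)fsfd);            /* context fd is no longer needed after fsmount */
    if (err)
        return err;

    struct statfs st;
    if (fstatfs((int)mfd, &st) < 0)
        err = errno;
    else if (st.f_type != EX_TMPFS_MAGIC)
        err = EINVAL;            /* not what we asked for */
    close((int)mfd);             /* last reference dropped: detached tmpfs goes away */
    return err;
}

int main(void)
{
    int r = mount_private_tmpfs("1m");
    printf("mount_private_tmpfs: %s\n", r ? strerror(r) : "ok");
    printf("binary_value_ok(1MB)=%d binary_value_ok(1MB+1)=%d\n",
           binary_value_ok(EX_BINARY_MAX), binary_value_ok(EX_BINARY_MAX + 1));
    return 0;
}
```

Run as root (or with CAP_SYS_ADMIN in a user namespace) the mount succeeds and is torn down when the last fd is closed; run unprivileged it reports EPERM from fsopen() before any context memory is allocated, which is the point at which the kernel-side checks the thread discusses come into play.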