Received: by 2002:a25:c593:0:0:0:0:0 with SMTP id v141csp69413ybe;
        Wed, 4 Sep 2019 15:18:46 -0700 (PDT)
X-Google-Smtp-Source: APXvYqxBaHcVyS9dNdljj1HLfaW4Ytl81XKjhzEvfeIVGr+SYJlvH1qTO5R2fjvPCqMA3eLlj0rb
X-Received: by 2002:a17:902:a983:: with SMTP id bh3mr14826plb.311.1567635526827;
        Wed, 04 Sep 2019 15:18:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1567635526; cv=none;
        d=google.com; s=arc-20160816;
        b=QJTWZFR6ZAQGdNjDrHOjNq6M7Cba7kE21sZmqjodpTYRYLrElRD7NTaogjNoEzPyV4
         fruFyf7JZV20wjL1aj3yZrSTKcwtGGm1guey7DJQHgUIsjTPLmIu3tn3ew9tCZULGTy8
         A7mw6/eDU4zhwAWF+4G6BqigTGCkJO/FF0wTQB8d/Ld/4A3WJ3tcOlD9mDC9XRHs39Qs
         o6a+8fRh4zcRuPNBaZ9MxoOWV0U+6Qvqiz/CdVzToWKLMiUZlBWHNxSNThG+H3OgAJ0j
         M4yTGLu4WqTIvkaNaMeWHdPbDzsrYmFYt4il34h3g91iC36Pt1D5kL1HicPqI+nzxTdC
         Soog==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=L+6eZ5jXr9FHa9aXBFBl0ghBEbFlLODFrE967a3DFmE=;
        b=g3JMmNKvgaLjagDauPydeS3Per448o7yPTVGuYk8kgzY9lIBmySME4OXVZyF/Y9JmV
         1smL3EsYgo63y/4wlKtZpK35SZBQWhCLm5cEWlmqilTtZSmJiSurA2HGIqlt09QSxeN+
         AddT8t9Mu6mbVZE8lxSeQbnw6qPVlml8QofR+ur9lf0I4wRBxUH6IXFlJPgGj/ZmrR2g
         QgHy4v64Em2bQEBAVaSRMYBW02ykmDzIV7dEMRs2s/72Zh+NqyIe7hE85O6n7cbL6oaH
         YqYkWHYEOYx9FYw9Gd1nJ4x25jtMXb60wMNBwZoCmTdz+I9nm1HQj6DiFMcA6ZkiCADu
         DS4A==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linux-foundation.org header.s=google header.b=hfyCSdKg;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id v19si266633pjn.96.2019.09.04.15.18.30;
        Wed, 04 Sep 2019 15:18:46 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linux-foundation.org header.s=google header.b=hfyCSdKg;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730960AbfIDWRP (ORCPT <rfc822;busarih159@gmail.com>
        + 99 others); Wed, 4 Sep 2019 18:17:15 -0400
Received: from mail-lf1-f66.google.com ([209.85.167.66]:33397 "EHLO
        mail-lf1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1730936AbfIDWRM (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 4 Sep 2019 18:17:12 -0400
Received: by mail-lf1-f66.google.com with SMTP id d10so297827lfi.0
        for <linux-kernel@vger.kernel.org>; Wed, 04 Sep 2019 15:17:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linux-foundation.org; s=google;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=L+6eZ5jXr9FHa9aXBFBl0ghBEbFlLODFrE967a3DFmE=;
        b=hfyCSdKgCY/Fe6ZhOgmUuzH+l1Av9MeoieBRJhOHgspd/HlfkJB3tRok9F33ql8Uzt
         YCi53+gSbOv7WH3zYmMiTF0zGBnANwxV7c7oClcZwaNIXXqds0cxD5Xcu535ms7QpKLP
         zDVTwLMuj95aI+DpS0Y7tzdH7BHLTHU6tmSJs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=L+6eZ5jXr9FHa9aXBFBl0ghBEbFlLODFrE967a3DFmE=;
        b=Aziotw/hQ+RqYOZHRR5RYF/KYua8NztJbuj0Uip5/9Te9AkXCrH1E8aeS1umajBYzS
         WYjKkOh3jZOYIgCdH1+sCmRdz+29uImkOimy6MDnO51d3YkBBFYHtPlKV0G80sVrVD6T
         I7rX1/X8dzdMa2DfW5dOU7qpBbvAnSAYkXC+Doyh4b/POF/BCPLMhIJM1AiDUz82mX5J
         bvCqh9KVLUaEjh74+E5HQa6sYq8Sw+tQUbsej2bIvC4YF5JJV7PUN6CX75U1h3O8Veyw
         xdrH5IErh/QG3TVdaczLwkIlDGzw+SfnhkW3FiRV9Z6jLusgITvuSWzFxVjMHKNYmQRY
         TpXA==
X-Gm-Message-State: APjAAAUX4eerQduvi3HYS74Ttt7OdQ+47txv86Vd/HNj8kUWAene74LA
        jSoto6En1NOVivnvrIpVj/X8AjQIX0w=
X-Received: by 2002:a19:c191:: with SMTP id r139mr226439lff.23.1567635429474;
        Wed, 04 Sep 2019 15:17:09 -0700 (PDT)
Received: from mail-lj1-f180.google.com (mail-lj1-f180.google.com. [209.85.208.180])
        by smtp.gmail.com with ESMTPSA id y10sm15880ljk.5.2019.09.04.15.17.06
        for <linux-kernel@vger.kernel.org>
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Wed, 04 Sep 2019 15:17:08 -0700 (PDT)
Received: by mail-lj1-f180.google.com with SMTP id e17so255319ljf.13
        for <linux-kernel@vger.kernel.org>; Wed, 04 Sep 2019 15:17:06 -0700 (PDT)
X-Received: by 2002:a2e:9a84:: with SMTP id p4mr24283824lji.52.1567635425244;
 Wed, 04 Sep 2019 15:17:05 -0700 (PDT)
MIME-Version: 1.0
References: <20190904201933.10736-1-cyphar@cyphar.com> <20190904201933.10736-11-cyphar@cyphar.com>
 <CAHk-=wiod1rQMU+6Zew=cLE8uX4tUdf42bM5eKngMnNVS2My7g@mail.gmail.com> <20190904214856.vnvom7h5xontvngq@yavin.dot.cyphar.com>
In-Reply-To: <20190904214856.vnvom7h5xontvngq@yavin.dot.cyphar.com>
From:   Linus Torvalds <torvalds@linux-foundation.org>
Date:   Wed, 4 Sep 2019 15:16:49 -0700
X-Gmail-Original-Message-ID: <CAHk-=wgcJq21Hydh7Tx5-o8empoPp7ULDBw0Am-du_Pa+fcftQ@mail.gmail.com>
Message-ID: <CAHk-=wgcJq21Hydh7Tx5-o8empoPp7ULDBw0Am-du_Pa+fcftQ@mail.gmail.com>
Subject: Re: [PATCH v12 10/12] namei: aggressively check for nd->root escape
 on ".." resolution
To:     Aleksa Sarai <cyphar@cyphar.com>
Cc:     Al Viro <viro@zeniv.linux.org.uk>,
        Jeff Layton <jlayton@kernel.org>,
        "J. Bruce Fields" <bfields@fieldses.org>,
        Arnd Bergmann <arnd@arndb.de>,
        David Howells <dhowells@redhat.com>,
        Shuah Khan <shuah@kernel.org>,
        Shuah Khan <skhan@linuxfoundation.org>,
        Ingo Molnar <mingo@redhat.com>,
        Peter Zijlstra <peterz@infradead.org>,
        Christian Brauner <christian@brauner.io>,
        Jann Horn <jannh@google.com>,
        Kees Cook <keescook@chromium.org>,
        Eric Biederman <ebiederm@xmission.com>,
        Andy Lutomirski <luto@kernel.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        Alexei Starovoitov <ast@kernel.org>,
        Tycho Andersen <tycho@tycho.ws>,
        David Drysdale <drysdale@google.com>,
        Chanho Min <chanho.min@lge.com>,
        Oleg Nesterov <oleg@redhat.com>,
        Rasmus Villemoes <linux@rasmusvillemoes.dk>,
        Alexander Shishkin <alexander.shishkin@linux.intel.com>,
        Jiri Olsa <jolsa@redhat.com>,
        Namhyung Kim <namhyung@kernel.org>,
        Aleksa Sarai <asarai@suse.de>,
        Linux Containers <containers@lists.linux-foundation.org>,
        alpha <linux-alpha@vger.kernel.org>,
        Linux API <linux-api@vger.kernel.org>,
        linux-arch <linux-arch@vger.kernel.org>,
        Linux ARM <linux-arm-kernel@lists.infradead.org>,
        linux-fsdevel <linux-fsdevel@vger.kernel.org>,
        linux-ia64@vger.kernel.org,
        Linux List Kernel Mailing <linux-kernel@vger.kernel.org>,
        "open list:KERNEL SELFTEST FRAMEWORK" 
        <linux-kselftest@vger.kernel.org>,
        linux-m68k <linux-m68k@lists.linux-m68k.org>,
        linux-mips@vger.kernel.org, linux-parisc@vger.kernel.org,
        linuxppc-dev@lists.ozlabs.org,
        linux-s390 <linux-s390@vger.kernel.org>,
        Linux-sh list <linux-sh@vger.kernel.org>,
        linux-xtensa@linux-xtensa.org, sparclinux@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Sep 4, 2019 at 2:49 PM Aleksa Sarai <cyphar@cyphar.com> wrote:
>
> Hinting to userspace to do a retry (with -EAGAIN as you mention in your
> other mail) wouldn't be a bad thing at all, though you'd almost
> certainly get quite a few spurious -EAGAINs -- &{mount,rename}_lock are
> global for the entire machine, after all.

I'd hope that we have some future (possibly very long-term)
alternative that is not quite system-global, but yes, right now they
are.

Which is one reason I'd rather see EAGAIN in user space - yes, it
probably makes it even easier to trigger, but it also means that user
space might be able to do something about it when it does trigger.

For example, maybe user space can first just use an untrusted path
as-is, and if it gets EAGAIN or EXDEV, it may be that user space can
simplify the path (ie turn "xyz/.../abc" into just "abc".

And even if user space doesn't do anything like that, I suspect a
performance problem is going to be a whole lot easier to debug and
report when somebody ends up seeing excessive retries happening. As a
developer you'll see it in profiles or in system call traces, rather
than it resulting in very odd possible slowdowns for the kernel.

And yeah, it would probably be best to then at least delay doing
option 3 indefinitely, just to make sure user space knows about and
actually has a test-case for that EAGAIN happening.

              Linus