Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp3292040pxb;
        Mon, 9 Nov 2020 07:31:24 -0800 (PST)
X-Google-Smtp-Source: ABdhPJwlJUpWVFB9gRXPfl9ywEF43xvrmMtY7iF3N1GUPA/1etJUt/h3CUm1SCXOSdVnEsBY+rtQ
X-Received: by 2002:a50:f0d4:: with SMTP id a20mr16170576edm.303.1604935884778;
        Mon, 09 Nov 2020 07:31:24 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1604935884; cv=none;
        d=google.com; s=arc-20160816;
        b=lUB3fqXG7BUgDqZ5KQf3P5DAWVKOgfxDcmsk7AUrYSVE9r8HSsslRtd63h2z1egIKE
         fy4SHmwxTGv0aJYAQQ8/5A9/GaQFXdk61WkY+swjDay/a5uvQeloZwNqZ/N4WLEcyb2q
         gxsFdAB5cl793FirNwKvhk11eohVRT/PkTcU/Zp9sp3H8lDBeHp4EHz+W/LFi63Wpqgl
         +kb1yBgsyES+nkT1cl6ZEWVct6pC8ODiZYfEGw2X/ShpHs1uSaxwEfD/AlgzOcxGe3pL
         vXPraknLCvLlnGlaE3dGyU4VqSZ3+xknbXeEO2cqK2t+T9xrUOaFoo7gpEph6/mWGjy9
         n53g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:dkim-signature;
        bh=QC5FHZ1X1/PZam+NsCeIUtWUr/OiX3u5F7vj8wTQSIo=;
        b=pkeWZ5EMCVPLuGapF2S0txcrVQfsGvhBRK7G4Akh+GNExEM/ZmDyBS0xsQBe7MK+8a
         274R15/QJ/EXoP0cmxjku29tT5DS7ZVv86ZssTa/BHl7BlYYiZAcrY2B3d3xtX1GD2U3
         tWMEnx/wy4tECUbk4PGTTS/Qpu02iw9RYM3cchqGWcMZYc3NoFGgyBXx4XB7XHImQBdw
         12OyY06wU9FBSDA6pjhT6AJLMmJyDynSoe5H/v4oeEs7crpTJrc6blUA0mnBd+OnfZMy
         seRPbMyCPl09q447+h799j4Jcpt02btn0xqhWaocLWTP0P5oW/1/KH4H8dyxF3FtgtnF
         S9LA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=temperror (no key for signature) header.i=@szeredi.hu header.s=google header.b=TZWdpaXR;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id x18si8616107ejd.193.2020.11.09.07.31.01;
        Mon, 09 Nov 2020 07:31:24 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=temperror (no key for signature) header.i=@szeredi.hu header.s=google header.b=TZWdpaXR;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727077AbgKIP1R (ORCPT <rfc822;patchstalker@gmail.com>
        + 99 others); Mon, 9 Nov 2020 10:27:17 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43814 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1729776AbgKIP1R (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 9 Nov 2020 10:27:17 -0500
Received: from mail-ua1-x941.google.com (mail-ua1-x941.google.com [IPv6:2607:f8b0:4864:20::941])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 41F77C0613D3
        for <linux-kernel@vger.kernel.org>; Mon,  9 Nov 2020 07:27:17 -0800 (PST)
Received: by mail-ua1-x941.google.com with SMTP id p12so2900289uam.1
        for <linux-kernel@vger.kernel.org>; Mon, 09 Nov 2020 07:27:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=szeredi.hu; s=google;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=QC5FHZ1X1/PZam+NsCeIUtWUr/OiX3u5F7vj8wTQSIo=;
        b=TZWdpaXR4wUJwMonwNlSo3OTC/qsDxggW35onf1TCvbd0i4foe92Hz3iCpRVYUSeML
         N3TQ+m24KYVG0TZnSUuP+yGO7twvVzionzcpAQgM3GSDOF9RyxFKEA6C/RWvtJ2Fp0zs
         VY0A4waw4GTL53Ka756yCaYI6rHyKvxTC0XGI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=QC5FHZ1X1/PZam+NsCeIUtWUr/OiX3u5F7vj8wTQSIo=;
        b=m1v1zepTa+6SPpV9yY//jOM7N3JzcPnAGuu4h6nJfZrracpaH05/WnFYXfclvC5dT/
         z3+aKBvS2b/tiEYqwgnhs+MDavGS0tSC7BFPm7xR4bq/xa3GUapbYEvLpJ4dIDqrzdfH
         g5LGZqeaidVVKxKH4uu3SGp1n12YzJmtG5qaPymFm/Z7g+TVGUwJx34iJkmkGS+7o6Qe
         DdVyk4N6hVYh9Hd+mTbbnS4mEAABJKylXrI1eT5g87JIPcGUskOMgLkhbKF6FrpZlG6c
         LK4S/mF7nGFJnh0+DGfTYyz6iaX7VBsGj8P46QOo1nOpOLV5jnWoeGRs4kY7u8YqTz6i
         b5uQ==
X-Gm-Message-State: AOAM531JodMnVl6OBCqA+XrIN0dqGj/WhMSb59L55Xi1x1tYbAwcsszL
        1t+xsYvh/t7MBU4NbrM42CQcd3eYoyPz1mbCBidZWg==
X-Received: by 2002:ab0:2a11:: with SMTP id o17mr7023753uar.8.1604935636368;
 Mon, 09 Nov 2020 07:27:16 -0800 (PST)
MIME-Version: 1.0
References: <1e796f9e008fb78fb96358ff74f39bd4865a7c88.1604926010.git.gladkov.alexey@gmail.com>
In-Reply-To: <1e796f9e008fb78fb96358ff74f39bd4865a7c88.1604926010.git.gladkov.alexey@gmail.com>
From:   Miklos Szeredi <miklos@szeredi.hu>
Date:   Mon, 9 Nov 2020 16:27:05 +0100
Message-ID: <CAJfpegua_ahmNa4p0me6R10wtcPpQVKNiKQOVKjuNW67RHFOOA@mail.gmail.com>
Subject: Re: [RESEND PATCH v3] fuse: Abort waiting for a response if the
 daemon receives a fatal signal
To:     Alexey Gladkov <gladkov.alexey@gmail.com>
Cc:     LKML <linux-kernel@vger.kernel.org>, linux-fsdevel@vger.kernel.org,
        Alexey Gladkov <legion@kernel.org>,
        "Eric W. Biederman" <ebiederm@xmission.com>
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Nov 9, 2020 at 1:48 PM Alexey Gladkov <gladkov.alexey@gmail.com> wrote:
>
> This patch removes one kind of the deadlocks inside the fuse daemon. The
> problem appear when the fuse daemon itself makes a file operation on its
> filesystem and receives a fatal signal.
>
> This deadlock can be interrupted via fusectl filesystem. But if you have
> many fuse mountpoints, it will be difficult to figure out which
> connection to break.
>
> This patch aborts the connection if the fuse server receives a fatal
> signal.

The patch itself might be acceptable, but I have some questions.

To logic of this patch says:

"If a task having the fuse device open in it's fd table receives
SIGKILL (and filesystem was initially mounted in a non-init user
namespace), then abort the filesystem operation"

You just say "server" instead of "task having the fuse device open in
it's fd table" which is sloppy to say the least.  It might also lead
to regressions, although I agree that it's unlikely.

Also how is this solving any security issue?   Just create the request
loop using two fuse filesystems and the deadlock avoidance has just
been circumvented.   So AFAICS "selling" this as a CVE fix is not
appropriate.

What's the reason for making this user-ns only?   If we drop the
security aspect, then I don't see any reason not to do this
unconditionally.

Also note, there's a proper solution for making fuse requests always
killable, and that is to introduce a shadow locking that ensures
correct fs operation in the face of requests that have returned and
released their respective VFS locks.   Now this would be a much more
complex solution, but also a much more correct one, not having issues
with correctly defining what a server is (which is not a solvable
problem).

Thanks,
Miklos