Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
MIME-Version: 1.0
References: <20220225234339.2386398-1-haoluo@google.com> <20220225234339.2386398-2-haoluo@google.com>
 <YiwXnSGf9Nb79wnm@zeniv-ca.linux.org.uk> <CA+khW7g+T2sAkP1aycmts_82JKWgYk5Y0ZJp+EvjFUyNY8W_5w@mail.gmail.com>
 <Yi/LaZ5id4ZjqFmL@zeniv-ca.linux.org.uk> <CA+khW7jhD0+s9kivrd6PsNEaxmDCewhk_egrsxwdHPZNkubJYA@mail.gmail.com>
 <CAADnVQJSMqcv3GPmUDcNKs23veqU-HWQQA5ECqdriMtjTpdv3w@mail.gmail.com>
In-Reply-To: <CAADnVQJSMqcv3GPmUDcNKs23veqU-HWQQA5ECqdriMtjTpdv3w@mail.gmail.com>
From:   Alexei Starovoitov <alexei.starovoitov@gmail.com>
Date:   Tue, 15 Mar 2022 12:03:04 -0700
Message-ID: <CAADnVQKttOMcfYdnCVtEm1HVYUf8ed-jMoTkeu1XgGMzW342Ww@mail.gmail.com>
Subject: Re: [PATCH bpf-next v1 1/9] bpf: Add mkdir, rmdir, unlink syscalls
 for prog_bpf_syscall
To:     Hao Luo <haoluo@google.com>
Cc:     Al Viro <viro@zeniv.linux.org.uk>,
        Alexei Starovoitov <ast@kernel.org>,
        Andrii Nakryiko <andrii@kernel.org>,
        Daniel Borkmann <daniel@iogearbox.net>,
        Martin KaFai Lau <kafai@fb.com>,
        Song Liu <songliubraving@fb.com>, Yonghong Song <yhs@fb.com>,
        KP Singh <kpsingh@kernel.org>,
        Shakeel Butt <shakeelb@google.com>,
        Joe Burton <jevburton.kernel@gmail.com>,
        Tejun Heo <tj@kernel.org>, Josh Don <joshdon@google.com>,
        Stanislav Fomichev <sdf@google.com>, bpf <bpf@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk

On Tue, Mar 15, 2022 at 11:59 AM Alexei Starovoitov
<alexei.starovoitov@gmail.com> wrote:
>
> On Tue, Mar 15, 2022 at 10:27 AM Hao Luo <haoluo@google.com> wrote:
> >
> > On Mon, Mar 14, 2022 at 4:12 PM Al Viro <viro@zeniv.linux.org.uk> wrote:
> > >
> > > On Mon, Mar 14, 2022 at 10:07:31AM -0700, Hao Luo wrote:
> > > > Hello Al,
> > >
> > > > > In which contexts can those be called?
> > > > >
> > > >
> > > > In a sleepable context. The plan is to introduce a certain tracepoints
> > > > as sleepable, a program that attaches to sleepable tracepoints is
> > > > allowed to call these functions. In particular, the first sleepable
> > > > tracepoint introduced in this patchset is one at the end of
> > > > cgroup_mkdir(). Do you have any advices?
> > >
> > > Yes - don't do it, unless you really want a lot of user-triggerable
> > > deadlocks.
> > >
> > > Pathname resolution is not locking-agnostic.  In particular, you can't
> > > do it if you are under any ->i_rwsem, whether it's shared or exclusive.
> > > That includes cgroup_mkdir() callchains.  And if the pathname passed
> > > to these functions will have you walk through the parent directory,
> > > you would get screwed (e.g. if the next component happens to be
> > > inexistent, triggering a lookup, which takes ->i_rwsem shared).
> >
> > I'm thinking of two options, let's see if either can work out:
> >
> > Option 1: We can put restrictions on the pathname passed into this
> > helper. We can explicitly require the parameter dirfd to be in bpffs
> > (we can verify). In addition, we check pathname to be not containing
> > any dot or dotdot, so the resolved path will end up inside bpffs,
> > therefore won't take ->i_rwsem that is in the callchain of
> > cgroup_mkdir().
> >
> > Option 2: We can avoid pathname resolution entirely. Like above, we
> > can adjust the semantics of this helper to be: making an immediate
> > directory under the dirfd passed in. In particular, like above, we can
> > enforce the dirfd to be in bpffs and pathname to consist of only
> > alphabet and numbers. With these restrictions, we call vfs_mkdir() to
> > create directories.
> >
> > Being able to mkdir from bpf has useful use cases, let's try to make
> > it happen even with many limitations.
>
> Option 3. delegate vfs_mkdir to a worker and wait in the helper.

I meant _dont_ wait, of course.