Received: by 2002:a89:d88:0:b0:1fa:5c73:8e2d with SMTP id eb8csp281008lqb; Thu, 23 May 2024 19:28:45 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCW8hkT8mHYiVTKbaB5V9fu97/yMW5PAYvfuA16WwlZyo1TlzbM7twQ9RdU7KY/9k2qQ8t1b1Wv4Qak5Bx/2rQqH0fE6LAds9nZV62C1PA== X-Google-Smtp-Source: AGHT+IFNBtZrN6mjsV2V/EhvNby60pkeBkto4Lb7sNsP5bkiEeGJKoWquQoGarAHdRvcRDqxPXSR X-Received: by 2002:a17:906:af92:b0:a61:ac3e:2b4c with SMTP id a640c23a62f3a-a62646d5e73mr83386766b.40.1716517725390; Thu, 23 May 2024 19:28:45 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1716517725; cv=pass; d=google.com; s=arc-20160816; b=AB0zhkQBUBP+yJY7d6jhiI3M9z8oYWiQuqyEtuhJ8dwC6lfZL6GOUyMprULXSDN7yp rwVYtS8UYT8TmYPkz5yl8H+bbGJbA5NlKFxPI0U4mjKIuHIj25o0Uslr8TMTC2aEoeQ/ yK+e7471bXRj644DOrF/r1udm5CFh+Q+btt1wPM09o1hQE+/v1ydK1e1Vyg8Paovuqf/ 1wE+UQJyLOrip9j4eSbNK7Aa/S+QV/g5vpFdXlsTtbQPikoPadw6l8h8bPdUi8xeejoB 23Wq7Dy/e4v8aUcEchDivaX7KeXmBmozX+3RUra/FztcWENeC14snh9vDtpkvx13W/z9 O8Ig== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:date:message-id; bh=wP1l0zMaIJ7v58hEhHh0vdSQ4dLNYh3hvXpH/wQHbOs=; fh=KTM4KRr/LvGOw9mWzmUOwc0z5L2jyiG0h/ml8qsSDYc=; b=kb9mtWOIHseYHmydH6I04yfXv/ygjRVFDuZVf7pYrvPxPgu1Z1CtZV+RsNynjUMVWI Rbhg4qjoG9SgK3WC4+AKF7VjvW2qafgkzQHK43YWsKVWiJ1Dm1Sesupaudc6p/LyfytY 9wfcWFlbPbzJMflgfF5sgcNZj31IulhO0Tm2CVB9NDcUTgHx3zBQRwYrVIWScb9xYacB aI/nxjMcyTXeFCb1JGjEOXGPkd6ddv1iT32trWuGmV+PjpHfzmnqkZiaTl3rRcpoC7T6 Mj+E2qU+b2Ib05t4KxfO0PoLz+4UpR3xPB8BKh+1SZOTipK46MQXcSYKkowAA6dv/0Q2 cMrg==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1 spf=pass spfdomain=huaweicloud.com); spf=pass (google.com: domain of linux-kernel+bounces-188230-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-188230-linux.lists.archive=gmail.com@vger.kernel.org" Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [2604:1380:4601:e00::3]) by mx.google.com with ESMTPS id a640c23a62f3a-a626c9185desi27881366b.242.2024.05.23.19.28.45 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 23 May 2024 19:28:45 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-188230-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3; Authentication-Results: mx.google.com; arc=pass (i=1 spf=pass spfdomain=huaweicloud.com); spf=pass (google.com: domain of linux-kernel+bounces-188230-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-188230-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id F39781F21EB6 for ; Fri, 24 May 2024 02:28:44 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 8F8CE2BAEF; Fri, 24 May 2024 02:28:34 +0000 (UTC) Received: from dggsgout11.his.huawei.com (unknown [45.249.212.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9FD683C0D; Fri, 24 May 2024 02:28:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=45.249.212.51 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716517714; cv=none; b=AjTDmmBNdGzVioviQv8F4z1D5bzB5iY6qp275WkG3oSnHLYaokC/kGuWpL6QNyWS8M5RjuqJFRQWqgUXGeVoW8rX2gDhxfbz+LPYOvUcHYFYmasHBheWGRb3SvWCr4rUqfXjQeUHwtdQfTVPdPjwOVuYu6gOqzHwKcasTt0TNB8= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716517714; c=relaxed/simple; bh=H8aLNm5MJOA+vX46VpUQmOIxGGBQ5aeql+ZVGLNntL4=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=mWGqKy+vJvAtAkK4lq6syU8bLW+Uws/0WglWeyg5sJDQ5gxdxOo3dwMlfyMGCmYQEWEr/Sj+mtH8MlAAWHxosRcHyCc7xGl0GSYxm4uS9us1wm0nVsmoSOwl8quDsm2ZXF+ebcyQs4HtkmL8DMXLCc5MUpaeND3DNIUmdq5IOXg= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=huaweicloud.com; spf=pass smtp.mailfrom=huaweicloud.com; arc=none smtp.client-ip=45.249.212.51 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=huaweicloud.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huaweicloud.com Received: from mail.maildlp.com (unknown [172.19.163.235]) by dggsgout11.his.huawei.com (SkyGuard) with ESMTP id 4Vlpqm5pYgz4f3jLy; Fri, 24 May 2024 10:28:20 +0800 (CST) Received: from mail02.huawei.com (unknown [10.116.40.112]) by mail.maildlp.com (Postfix) with ESMTP id A60901A0B56; Fri, 24 May 2024 10:28:26 +0800 (CST) Received: from [10.174.177.174] (unknown [10.174.177.174]) by APP1 (Coremail) with SMTP id cCh0CgAX5g5G+09mNr8LNg--.19950S3; Fri, 24 May 2024 10:28:26 +0800 (CST) Message-ID: Date: Fri, 24 May 2024 10:28:22 +0800 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.1.2 Subject: Re: [PATCH v3 06/12] cachefiles: add consistency check for copen/cread To: Jingbo Xu , netfs@lists.linux.dev, dhowells@redhat.com, jlayton@kernel.org Cc: hsiangkao@linux.alibaba.com, zhujia.zj@bytedance.com, linux-erofs@lists.ozlabs.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, yangerkun@huawei.com, houtao1@huawei.com, yukuai3@huawei.com, wozizhi@huawei.com, Baokun Li , libaokun@huaweicloud.com References: <20240522114308.2402121-1-libaokun@huaweicloud.com> <20240522114308.2402121-7-libaokun@huaweicloud.com> <11f10862-9149-49c7-bac4-f0c1e0601b23@linux.alibaba.com> Content-Language: en-US From: Baokun Li In-Reply-To: <11f10862-9149-49c7-bac4-f0c1e0601b23@linux.alibaba.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-CM-TRANSID:cCh0CgAX5g5G+09mNr8LNg--.19950S3 X-Coremail-Antispam: 1UD129KBjvJXoWxWw4rCr4fWr45tw1xZF4fZrb_yoWrAF4rpF WayayakFy8uF1xKr97JF95W34Fy3s3AFsxWr93ta4UArnxur1Fvryft34UZF1UZwsYgr4I qw42gF9rGr1jv3DanT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUU9F14x267AKxVW8JVW5JwAFc2x0x2IEx4CE42xK8VAvwI8IcIk0 rVWrJVCq3wAFIxvE14AKwVWUJVWUGwA2ocxC64kIII0Yj41l84x0c7CEw4AK67xGY2AK02 1l84ACjcxK6xIIjxv20xvE14v26F1j6w1UM28EF7xvwVC0I7IYx2IY6xkF7I0E14v26r4U JVWxJr1l84ACjcxK6I8E87Iv67AKxVW0oVCq3wA2z4x0Y4vEx4A2jsIEc7CjxVAFwI0_Gc CE3s1le2I262IYc4CY6c8Ij28IcVAaY2xG8wAqx4xG64xvF2IEw4CE5I8CrVC2j2WlYx0E 2Ix0cI8IcVAFwI0_Jr0_Jr4lYx0Ex4A2jsIE14v26r1j6r4UMcvjeVCFs4IE7xkEbVWUJV W8JwACjcxG0xvEwIxGrwACjI8F5VA0II8E6IAqYI8I648v4I1lFIxGxcIEc7CjxVA2Y2ka 0xkIwI1lc7I2V7IY0VAS07AlzVAYIcxG8wCF04k20xvY0x0EwIxGrwCFx2IqxVCFs4IE7x kEbVWUJVW8JwC20s026c02F40E14v26r1j6r18MI8I3I0E7480Y4vE14v26r106r1rMI8E 67AF67kF1VAFwI0_Jw0_GFylIxkGc2Ij64vIr41lIxAIcVC0I7IYx2IY67AKxVWUJVWUCw CI42IY6xIIjxv20xvEc7CjxVAFwI0_Gr0_Cr1lIxAIcVCF04k26cxKx2IYs7xG6rW3Jr0E 3s1lIxAIcVC2z280aVAFwI0_Jr0_Gr1lIxAIcVC2z280aVCY1x0267AKxVW8JVW8JrUvcS sGvfC2KfnxnUUI43ZEXa7VUbXdbUUUUUU== X-CM-SenderInfo: 5olet0hnxqqx5xdzvxpfor3voofrz/ Hi Jingbo, Thanks for the review! On 2024/5/23 22:28, Jingbo Xu wrote: > > On 5/22/24 7:43 PM, libaokun@huaweicloud.com wrote: >> From: Baokun Li >> >> This prevents malicious processes from completing random copen/cread >> requests and crashing the system. Added checks are listed below: >> >> * Generic, copen can only complete open requests, and cread can only >> complete read requests. >> * For copen, ondemand_id must not be 0, because this indicates that the >> request has not been read by the daemon. >> * For cread, the object corresponding to fd and req should be the same. >> >> Signed-off-by: Baokun Li >> Acked-by: Jeff Layton >> --- >> fs/cachefiles/ondemand.c | 27 ++++++++++++++++++++------- >> 1 file changed, 20 insertions(+), 7 deletions(-) >> >> diff --git a/fs/cachefiles/ondemand.c b/fs/cachefiles/ondemand.c >> index bb94ef6a6f61..898fab68332b 100644 >> --- a/fs/cachefiles/ondemand.c >> +++ b/fs/cachefiles/ondemand.c >> @@ -82,12 +82,12 @@ static loff_t cachefiles_ondemand_fd_llseek(struct file *filp, loff_t pos, >> } >> >> static long cachefiles_ondemand_fd_ioctl(struct file *filp, unsigned int ioctl, >> - unsigned long arg) >> + unsigned long id) >> { >> struct cachefiles_object *object = filp->private_data; >> struct cachefiles_cache *cache = object->volume->cache; >> struct cachefiles_req *req; >> - unsigned long id; >> + XA_STATE(xas, &cache->reqs, id); >> >> if (ioctl != CACHEFILES_IOC_READ_COMPLETE) >> return -EINVAL; >> @@ -95,10 +95,15 @@ static long cachefiles_ondemand_fd_ioctl(struct file *filp, unsigned int ioctl, >> if (!test_bit(CACHEFILES_ONDEMAND_MODE, &cache->flags)) >> return -EOPNOTSUPP; >> >> - id = arg; >> - req = xa_erase(&cache->reqs, id); >> - if (!req) >> + xa_lock(&cache->reqs); >> + req = xas_load(&xas); >> + if (!req || req->msg.opcode != CACHEFILES_OP_READ || >> + req->object != object) { >> + xa_unlock(&cache->reqs); >> return -EINVAL; >> + } >> + xas_store(&xas, NULL); >> + xa_unlock(&cache->reqs); >> >> trace_cachefiles_ondemand_cread(object, id); >> complete(&req->done); >> @@ -126,6 +131,7 @@ int cachefiles_ondemand_copen(struct cachefiles_cache *cache, char *args) >> unsigned long id; >> long size; >> int ret; >> + XA_STATE(xas, &cache->reqs, 0); >> >> if (!test_bit(CACHEFILES_ONDEMAND_MODE, &cache->flags)) >> return -EOPNOTSUPP; >> @@ -149,9 +155,16 @@ int cachefiles_ondemand_copen(struct cachefiles_cache *cache, char *args) >> if (ret) >> return ret; >> >> - req = xa_erase(&cache->reqs, id); >> - if (!req) >> + xa_lock(&cache->reqs); >> + xas.xa_index = id; >> + req = xas_load(&xas); >> + if (!req || req->msg.opcode != CACHEFILES_OP_OPEN || >> + !req->object->ondemand->ondemand_id) { > For a valid opened object, I think ondemand_id shall > 0. When the > copen is for the object which is in the reopening state, ondemand_id can > be CACHEFILES_ONDEMAND_ID_CLOSED (actually -1)? If ondemand_id is -1, there are two scenarios:  * This could be a restore/reopen request that has not yet get_fd;  * The request is being processed by the daemon but its anonymous     fd has been closed. In the first case, there is no argument for not allowing copen. In the latter case, however, the closing of an anonymous fd may not be malicious, so if a copen delete request fails, the OPEN request will not be processed until RESTORE lets it be processed by the daemon again. However, RESTORE is not a frequent operation, so if only one anonymous fd is accidentally closed, this may result in a hung. So in later patches, we ensure that fd is valid (i.e. ondemand_id > 0) when setting the object to OPEN state and do not prevent it from removing the request here. If ondemand_id is 0, then it can be confirmed that the req has not been initialised, so the copen must be malicious at this point, so it is not allowed to complete the request. This is an instantaneous state, and the request can be processed normally after the daemon has read it properly. So there won't be any side effects here. -- With Best Regards, Baokun Li