Received: by 2002:a89:d88:0:b0:1fa:5c73:8e2d with SMTP id eb8csp1606223lqb; Sun, 26 May 2024 08:32:30 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCX8vS4mfDSh4Y/dj8zRIetJGGB4G2j+kAEjrRk1ZzbqHuDK2uFTp4xhN9bp0GX8j63nSK423Ed0F+04qVjiggLV0dw1flIikYdCa6Yn5g== X-Google-Smtp-Source: AGHT+IGYUQD6QSItaQ4KYbCutMd0N5bZu5GHZ8A8LRo+S2HUcbF7wONhjfBvlSONjTQQCSrdiinx X-Received: by 2002:ac2:454f:0:b0:51e:f68b:d266 with SMTP id 2adb3069b0e04-529667cfcf9mr3728650e87.50.1716737550247; Sun, 26 May 2024 08:32:30 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1716737550; cv=pass; d=google.com; s=arc-20160816; b=gfVclnEM6QyRnqeEfP7vhddQlWaLo2yhEW4zVZy50dRUcbagLRSpeL5v9cCy56lN0m vMJ2dAHBlNMJlToSAlYlpqRdqn3hu0ruXDQF3iG/3UAo24YuxgsAHM8pwLqoD8PcdY7b RPb3hVDeEr08TfQRw9m71aavc6TOV0miLaqzpQ8BJyXSJUfTAxIIXAHALHz6uqfT6EuW 3vkTrD/3nOt61gnvHy7oNXVzbF4+XMHdKGCqk/is24SI+jsntYcjw90AclRgJeLIHJjL s4yt5aMJBTlUctQTna4o0/N/Da8DNFo4pzFYnHrp5le2PC0uGUKGVysLliD4at0upLnf UcAQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:message-id:subject:cc :to:from:date:dkim-signature; bh=2JFYfvBaOODS9yL2D+LtfH9ZP9+hFyaJPRzYMjyfLDA=; fh=up8XzMbMQnzUdzTDrxX0aVGLBCqPvhA2uNHFQ8GHPYQ=; b=tXvSc+AH8fkAd0fb9YKiVUb8Jeu0yghk3BQCfB9E8SAeXUNFFlqgJ/ffXeOM0eqxy3 drHkb4k1mCBH4Vk6bct5ON4U9jPssIJNbmIngmRNn+Aixoq0e6G6Wq8v99B1BYMUYHi4 O4gs/k8KCPfq+LORKL12VIwzQtwLycZalr928KtqtfaeUPBXtfL1D+MDDyg0ihVFIqfL 1279BMan0Axk3q1x24XeucsZwMm6NHFJeLg7IPEZEXdpAtIMzLvnNbCNb908DLc0d0ft hRNMuhbVkMWup1CqK+B9AIgCor+i2mUOzKonPko1kaPcaJvSCWpGwtxANwZO6cAKaPft 15WA==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@mit.edu header.s=outgoing header.b=FRJ9qJpH; arc=pass (i=1 spf=pass spfdomain=mit.edu dkim=pass dkdomain=mit.edu dmarc=pass fromdomain=mit.edu); spf=pass (google.com: domain of linux-kernel+bounces-189774-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-189774-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=mit.edu Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [2604:1380:4601:e00::3]) by mx.google.com with ESMTPS id 4fb4d7f45d1cf-57862d443c4si2299082a12.261.2024.05.26.08.32.30 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 26 May 2024 08:32:30 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-189774-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3; Authentication-Results: mx.google.com; dkim=pass header.i=@mit.edu header.s=outgoing header.b=FRJ9qJpH; arc=pass (i=1 spf=pass spfdomain=mit.edu dkim=pass dkdomain=mit.edu dmarc=pass fromdomain=mit.edu); spf=pass (google.com: domain of linux-kernel+bounces-189774-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-189774-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=mit.edu Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id F1C511F211B6 for ; Sun, 26 May 2024 15:32:29 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 80A7717C7B; Sun, 26 May 2024 15:32:23 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=mit.edu header.i=@mit.edu header.b="FRJ9qJpH" Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9E980179BC for ; Sun, 26 May 2024 15:32:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=18.9.28.11 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716737542; cv=none; b=OPb0lsvC/enW5b4EK/Q+B2M0cScqr+GllKYOEdwDSrVi1VUuqP6Olg8qwD2dMVnkh/5Ll2T6AVifwqXNgtvzbIRW1meSzfEG3jFE+KidAA6nBAsYbnYysrD1egMr1270sLEJ6DeYbtMXw5c2ploVkyBUWSfx193wpKLn2Lv+7Mc= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716737542; c=relaxed/simple; bh=lQvNSUvSiCfD+RrvE33rDEsdVevKi4vDK/SH0u/rYZ8=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=O1UJKdZpFUxm8XjF6A7l2dxL7AVy4fPxAzconqiudDwfavTL7DLTTaHo/mZmIHGEJu+T3fSW1vx9HaxaCS03i01ckf9MJp0Y+cnOmeWsbiZdsUyq/D27xcbWuBe98758MJOnNS9M4pl/TsjFi/S5tff5fbrOb+IKu3bpAwjxAKk= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=mit.edu; spf=pass smtp.mailfrom=mit.edu; dkim=pass (2048-bit key) header.d=mit.edu header.i=@mit.edu header.b=FRJ9qJpH; arc=none smtp.client-ip=18.9.28.11 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=mit.edu Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=mit.edu Received: from cwcc.thunk.org (pool-173-48-102-77.bstnma.fios.verizon.net [173.48.102.77]) (authenticated bits=0) (User authenticated as tytso@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 44QFVbf9008400 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sun, 26 May 2024 11:31:40 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=outgoing; t=1716737501; bh=2JFYfvBaOODS9yL2D+LtfH9ZP9+hFyaJPRzYMjyfLDA=; h=Date:From:Subject:Message-ID:MIME-Version:Content-Type; b=FRJ9qJpHApsfGhTO3lvx+a5j3cyc55jMAmzhN3ZjnnH9cuCwqce0Ig24EqXEfs9Vx McVEI24Rw8PDTgFhgtJT9zYIj32LdW7xAoSMvtXHRfJqp36ljsgRdynIo1zoQ/pahl weU7tiRkKJWCegr5pTV7AUjxVsNzwtWmuV/BWVM4LIu+McjG4p47QfFGEq+KTA2Xx3 6MxGXqyxBg/I+8z6dVpp7SXaRUNHjIAUGW6KoGE5YEaXxauyWsbD/t25QQQa0a/BG8 9K4MN7KfPJxbzfPee6cOTnWOzJUnmoz+vrmoWwt0X8zNrbspuFXYdZdV6pDLd2CDgA 4/R08q1a7JYow== Received: by cwcc.thunk.org (Postfix, from userid 15806) id 31D5D15C0225; Sun, 26 May 2024 11:31:37 -0400 (EDT) Date: Sun, 26 May 2024 11:31:37 -0400 From: "Theodore Ts'o" To: Jeff Layton Cc: Alexander Viro , Christian Brauner , Jan Kara , Linus Torvalds , Matthew Wilcox , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH RFC] fs: turn inode->i_ctime into a ktime_t Message-ID: <20240526153137.GI65648@mit.edu> References: <20240526-ctime-ktime-v1-1-016ca6c1e19a@kernel.org> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20240526-ctime-ktime-v1-1-016ca6c1e19a@kernel.org> On Sun, May 26, 2024 at 08:20:16AM -0400, Jeff Layton wrote: > > Switch the __i_ctime fields to a single ktime_t. Move the i_generation > down above i_fsnotify_mask and then move the i_version into the > resulting 8 byte hole. This shrinks struct inode by 8 bytes total, and > should improve the cache footprint as the i_version and __i_ctime are > usually updated together. So first of all, this patch is a bit confusing because the patch doens't change __i_ctime, but rather i_ctime_sec and i_ctime_nsec, and Linus's tree doesn't have those fields. That's because the base commit in the patch, a6f48ee9b741, isn't in Linus's tree, and apparently this patch is dependent on "fs: switch timespec64 fields in inode to discrete integers"[1]. [1] https://lore.kernel.org/all/20240517-amtime-v1-1-7b804ca4be8f@kernel.org/ > The one downside I can see to switching to a ktime_t is that if someone > has a filesystem with files on it that has ctimes outside the ktime_t > range (before ~1678 AD or after ~2262 AD), we won't be able to display > them properly in stat() without some special treatment. I'm operating > under the assumption that this is not a practical problem. There are two additional possible problems with this. The first is that if there is a maliciously fuzzed file system with timestamp outside of ctimes outside of the ktime_t range, this will almost certainly trigger UBSAN warnings, which will result in Syzkaller security bugs reported to file system developers. This can be fixed by explicitly and clamping ranges whenever converting to ktime_t in include/linux/fs.h, but that leads to another problem. The second problem is if the file system converts their on-disk inode to the in-memory struct inode, and then converts it from the in-memory to the on-disk inode format, and the timestamp is outside of the ktime_t range, this could result the on-disk inode having its ctime field getting corrupted. Now, *most* of the time, whenver the inode needs to be written back to disk, the ctime field will be changed anyway. However, if there are changes that don't result userspace-visible changes, but involves internal file system changes (for example, in case of an online repair or defrag, or a COW snap), where the file system doesn't set ctime --- and in it's possible that this might result in the ctime field messed. We could argue that ctime fields outside of the ktime_t range should never, ever happen (except for malicious fuzz testing by systems like syzkaller), and so it could be argued that we don't care(tm), but it's worth at least a mention in the comments and commit description. Of course, a file system which *did* care could work around the problem by having their own copy of ctime in the file-specific inode, but this would come at the cost of space saving benefits of this commit. I'd suspect what I'd do is to add a manual check for an out of range ctime on-disk, log a warning, and then clamp the ctime to the maximum ktime_t value, which is what would be returned by stat(2), and then write that clamped value back to disk if the ctime field doesn't get set to the current time before it needs to be written back to disk. Cheers, - Ted