Received: by 2002:a05:6358:53a8:b0:117:f937:c515 with SMTP id z40csp4842178rwe; Mon, 17 Apr 2023 20:40:33 -0700 (PDT) X-Google-Smtp-Source: AKy350aTIhWEhqvlqRafrTWNQXNKcihqvAaNevvpBl4iNWS7GRAS7lNhjyKOIV8YFGYUWI/0EhHk X-Received: by 2002:a17:902:b101:b0:1a6:52f9:d4c7 with SMTP id q1-20020a170902b10100b001a652f9d4c7mr603120plr.60.1681789233334; Mon, 17 Apr 2023 20:40:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1681789233; cv=none; d=google.com; s=arc-20160816; b=uSjHRq2lhngFA1UJ4QErZ+aSuXmhc3wscOfBwW9sAx5fBI7Qdx2lJHgqnwYnQwm6cm 64LJus1S5SgBKaS7wMBkZk7/LodjAsdBvUUqQ0+yKCsocIGvAAH3nj0IwEBGX0ORngbC 6Zx+gCx7AMnK/fKb3EjZVZpSAkfIjs91ToMfAjwHfnp/zLwHdhG/NQsoEaHtMUXhlwoh b7RoEMoDhEGFvCPN8ZcUZC6J0uQlkNZqGhDz38h1msZeSgmB6HHGw+7nPE3hdbvU0Dye iGTBRdjsfAJl1NPldr5n3Q05El13ioyVFtHTw9RlwcgWIWYCUNKAFJFwuGYYV6JGRbNc RcUw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:references:to:cc:in-reply-to:date:subject :mime-version:message-id:from:dkim-signature; bh=dc+z8UcT8gLBd7VEIREz6So3ovN0gIJ35zlOxamT89Q=; b=HJuMUIZf6X7EEZt1BuicsLaSgqtR0cpE1hmCXlo5fG4dpu4ON71MaukrypCjyn9I0P IvfgeyL+oFDvliJxuq+seAgqERdnoF/O0kLcnzJC02ukl+uBAGeQVfaiJfDu4VQbmshT v3gANwdz2G0wpc9E+pfd/xxKpsewSMXk5gu83gz1UsFlM5w3phs8AQrkKgjI1IeLZJEN bm2aokQC4iRpJCVHYYUQX90Y93M8rUUTYFgLox+sR8QYulnOIMcjDDNFe+RVaTEDLROn rmH2nvs70ufKDmHr8FZljydqwEjTqCDYDqfzM8Hz3VHnHD8HKhZwR1Uo8aEf+iouIwPf xt1Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@dilger-ca.20221208.gappssmtp.com header.s=20221208 header.b=3274Yui6; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id nn18-20020a17090b38d200b00247a4bad97esi3148808pjb.52.2023.04.17.20.40.11; Mon, 17 Apr 2023 20:40:33 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@dilger-ca.20221208.gappssmtp.com header.s=20221208 header.b=3274Yui6; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229517AbjDRDZb (ORCPT + 99 others); Mon, 17 Apr 2023 23:25:31 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52554 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229872AbjDRDZ3 (ORCPT ); Mon, 17 Apr 2023 23:25:29 -0400 Received: from mail-pl1-x62c.google.com (mail-pl1-x62c.google.com [IPv6:2607:f8b0:4864:20::62c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6D3BE211B for ; Mon, 17 Apr 2023 20:25:25 -0700 (PDT) Received: by mail-pl1-x62c.google.com with SMTP id d9443c01a7336-1a68f2345c5so9611605ad.2 for ; Mon, 17 Apr 2023 20:25:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dilger-ca.20221208.gappssmtp.com; s=20221208; t=1681788325; x=1684380325; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc:subject:date:message-id:reply-to; bh=dc+z8UcT8gLBd7VEIREz6So3ovN0gIJ35zlOxamT89Q=; b=3274Yui6rH0Nmf2GNT2U3kKf+v46ad2HN7CSmKxrgcHbVsZjIN2Q0QfJ0MrboMgcsB cXpJK+AMfpuUXzBpsB6OQuZ2kypvD5kKuF/65nyfVt7qZuD/fEB2wagnEE5696Fxlf5M n4nQwYppxsFhl6/oPzSttqtdY/6Kn5R+p03rWJq+4AlSlrh3kbRa00Gd+s4tCNUZJPtq J2bzbOfVx9TOeOp7dpXV5yXY5MHV15Y+qQ0pc+QZtxUlDdJhuXtS8K+Yd8EYy8CrAP+K dANfGVkUWYB0yLp0uaTfUSA/1OGCi5Px66c+U4lVDrsNdxseaeY4u5refNQy2Kn7g6Bl qTJQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1681788325; x=1684380325; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=dc+z8UcT8gLBd7VEIREz6So3ovN0gIJ35zlOxamT89Q=; b=JWogY3DIVMTNHBlkhcda+zRq3L9ntuUQalkJNUJudADm1ALdslr9dn75K6iT1fL7dO mYz9w9OORPHS2zvQC7H/gt9xUULNOC74BcslVTTOvHnGs3qZrxkVFWpSWbhyhJ/voXfz 74hWOXRzAt+ge1qxD2YKgUzuHtnuRTSVvDhyQNxKzzkLwvt5Bgg7LQO/km4wJOwXtmbu pffhJfFZlMQWorYgUPPRz4TowfcqCDuECqYzqjy9gjAd9t3kdt83uQdGehWBV55Cs6SN jvmfDE3wuMZmUTD6gytfRVSKrZDChtTkHXXUuy9O9DZ5g4khAFTcvi5qB6+7JqE3rnTi v2OA== X-Gm-Message-State: AAQBX9eR7C2LkcyREArihzNIosknSGwoBL7ujbWKJzI3MhIHMQDLx2L6 InWKL5AiMRUtVcvEm/L3FNukeA== X-Received: by 2002:a17:903:40cc:b0:1a6:c58e:2d57 with SMTP id t12-20020a17090340cc00b001a6c58e2d57mr655579pld.50.1681788324832; Mon, 17 Apr 2023 20:25:24 -0700 (PDT) Received: from cabot.adilger.int (S01061cabc081bf83.cg.shawcable.net. [70.77.221.9]) by smtp.gmail.com with ESMTPSA id c3-20020a170902724300b001a217a7a11csm8352037pll.131.2023.04.17.20.25.23 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 17 Apr 2023 20:25:23 -0700 (PDT) From: Andreas Dilger Message-Id: <1AC965F2-BAC6-4D0F-A2A6-C414CDF110AF@dilger.ca> Content-Type: multipart/signed; boundary="Apple-Mail=_581956D5-D9DE-48C3-929B-CAF6060706C3"; protocol="application/pgp-signature"; micalg=pgp-sha256 Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\)) Subject: Re: [PATCH/RFC] VFS: LOOKUP_MOUNTPOINT should used cached info whenever possible. Date: Mon, 17 Apr 2023 21:25:20 -0600 In-Reply-To: <85774a5de74b2b7828c8b8f7e041f0e9e2bc6094.camel@kernel.org> Cc: Christian Brauner , NeilBrown , Al Viro , Dave Wysochanski , linux-fsdevel , linux-nfs , David Howells , Christoph Hellwig , Karel Zak To: Jeff Layton References: <95ee689c76bf034fa2fe9fade0bccdb311f3a04f.camel@kernel.org> <168168683217.24821.6260957092725278201@noble.neil.brown.name> <20230417-beisein-investieren-360fa20fb68a@brauner> <6c08ad94ca949d0f3525f7e1fc24a72c50affd59.camel@kernel.org> <20230417-relaxen-selektiert-4b4b4143d7f6@brauner> <85774a5de74b2b7828c8b8f7e041f0e9e2bc6094.camel@kernel.org> X-Mailer: Apple Mail (2.3273) X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org --Apple-Mail=_581956D5-D9DE-48C3-929B-CAF6060706C3 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=us-ascii > On Apr 17, 2023, at 9:21 AM, Jeff Layton wrote: > > On Mon, 2023-04-17 at 16:24 +0200, Christian Brauner wrote: >> And I'm curious why is it obvious that we don't want to revalidate _any_ >> path component and not just the last one? Why is that generally safe? >> Why can't this be used to access files and directories the caller >> wouldn't otherwise be able to access? I would like to have this spelled >> out for slow people like me, please. >> >> From my point of view, this would only be somewhat safe _generally_ if >> you'd allow circumvention for revalidation and permission checking if >> MNT_FORCE is specified and the caller has capable(CAP_DAC_READ_SEARCH). >> You'd still mess with overlayfs permission model in this case though. >> >> Plus, there are better options of solving this problem. Again, I'd >> rather build a separate api for unmounting then playing such potentially >> subtle security sensitive games with permission checking during path >> lookup. > > umount(2) is really a special case because the whole intent is to detach > a mount from the local hierarchy and stop using it. The unfortunate bit > is that it is a path-based syscall. > > So usually we have to: > > - determine the path: Maybe stat() it and to validate that it's the > mountpoint we want to drop The stat() itself may hang because a remote server, or USB stick is inaccessible or having media errors. I've just been having a conversation with Karel Zak to change umount(1) to use statx() so that it interacts minimally with the fs. In particular, nfs_getattr() skips revalidate if only minimal attrs are fetched (STATX_TYPE | STATX_INO), and also skips revalidate if locally-cached attrs are still valid (STATX_MODE), so this will avoid yet one more place that unmount can hang. In theory, vfs_getattr() could get all of these attributes directly from the vfs_inode in the unmount case. > - then call umount with that path > > The last thing we want in that case is for the server to decide to > change some intermediate dentry in between the two operations. Best > case, you'll get back ENOENT or something when the pathwalk fails. Worst > case, the server swaps what are two different mountpoints on your client > and you unmount the wrong one. > > If we don't revaliate, then we're no worse off, and may be better off if > something hinky happens to the server of an intermediate dentry in the > path. > -- > Jeff Layton Cheers, Andreas --Apple-Mail=_581956D5-D9DE-48C3-929B-CAF6060706C3 Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org iQIzBAEBCAAdFiEEDb73u6ZejP5ZMprvcqXauRfMH+AFAmQ+DaAACgkQcqXauRfM H+D9bhAArwx6YZ1JWmKrSRDxkjrjKPXa7tALqsqaRKxRH9Ar2aZNhOsQNH/APN9G +kLPKYXTveRbj2LEvRwkk+O2rpmJ+7u2UFb1/l+gCWnEmlrdS9yQZI4k6cnX/iNW gD6eXO7172P5ZHkOtQTxlRVt0gAk21h97xAkCF4D/+xgqRnTXUzkpsLmy3082cJH WHWoXenHnoVMKA1KXZedMS19wvPuoNsJJvVvXNN4K7q28G+PTbKHIamdXuoshW5N n7EnhCm7CxHpZyLybnrDUWCBDCxWfEv+geBomG/hofsk4IdctfkU0Se92vDtyu9U LchEF8rP1ckwGEX4Kl5mjePRXRn2eNNIi1Y8XpslmKzljQvdvPerM0NZbIxwz+JJ HkjBTC/GHBQ1dFUcxJdLb82fF5Lg7H0uqeEOgLgOhxei6C+YcgqnetXMp+VEMInn ZrqymJhpZWs5WQm3B4aLeA4u5918TBNPknZm1Vk3zl+y2khctkVlF4CE90kkGHC6 fZrPKRk694rFE2l8y5f+tXDPBKsoHYwD6tP9E1bwKNqGatCwXRcX5b3hfqK6Vt0w znGX0sxxKKKM2drEeqJrIOzb5ztwAFca/FH7tnA1zJnxuq4GCeY6dkmKjqDjgVGe kT6dcKfsHNHj58FCFmT/yI/LFQJ+rVhqQTMV0uIhh0QmKqHVgEo= =bL3W -----END PGP SIGNATURE----- --Apple-Mail=_581956D5-D9DE-48C3-929B-CAF6060706C3--