2014-12-10 13:49:18

by Dmitry Monakhov

Subject: Re: [PATCH] fs: make generic_block_fiemap sig-tolerant PING2...


Hello. Someone please take care of this patch.

W/o that patch unprivileged user may abuse system resources simply by spawning
vast number of unkillable busyloops (works on ext2/ext3):

truncate --size 1T test
for ((i=0;i<1024;i++))
do
filefrag test > /dev/null &
done

Dmitry Monakhov <[email protected]> writes:
> Andrew can you please get this patch. IMHO it is simple and clean.
> BTW:
>
>> __generic_block_fiemap may spin very long time for large sparse files.
>>
>> Signed-off-by: Dmitry Monakhov <[email protected]>
>> ---
>> fs/ioctl.c | 5 +++++
>> 1 files changed, 5 insertions(+), 0 deletions(-)
>>
>> diff --git a/fs/ioctl.c b/fs/ioctl.c
>> index 8ac3fad..6fbeb68 100644
>> --- a/fs/ioctl.c
>> +++ b/fs/ioctl.c
>> @@ -379,6 +379,11 @@ int __generic_block_fiemap(struct inode *inode,
>> past_eof = true;
>> }
>> cond_resched();
>> + if (fatal_signal_pending(current)) {
>> + ret = -EINTR;
>> + break;
>> + }
>> +
>> } while (1);
>>
>> /* If ret is 1 then we just hit the end of the extent array */
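Review bot: The new fatal_signal_pending(current) check after cond_resched() has no comment, and the one-line changelog does not say why the fatal variant is used rather than signal_pending(). A short comment stating that the loop bails out only when the task is being killed, so the -EINTR never reaches userspace, would prevent misreading. The break also leaves the loop with ret = -EINTR right above the "If ret is 1" handling, so that code should be checked to pass a negative ret through unchanged.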
>> --
>> 1.7.1



2014-12-18 23:12:47

by Andrew Morton

Subject: Re: [PATCH] fs: make generic_block_fiemap sig-tolerant PING2...

On Wed, 10 Dec 2014 16:49:18 +0300 Dmitry Monakhov <[email protected]> wrote:

>
> Hello. Someone please take care of this patch.
>
> W/o that patch unprivileged user may abuse system resources simply by spawning
> vast number of unkillable busyloops (works on ext2/ext3):
>
> truncate --size 1T test
> for ((i=0;i<1024;i++))
> do
> filefrag test > /dev/null &
> done
>
> >> --- a/fs/ioctl.c
> >> +++ b/fs/ioctl.c
> >> @@ -379,6 +379,11 @@ int __generic_block_fiemap(struct inode *inode,
> >> past_eof = true;
> >> }
> >> cond_resched();
> >> + if (fatal_signal_pending(current)) {
> >> + ret = -EINTR;
> >> + break;
> >> + }
> >> +
> >> } while (1);
> >>

Is FIEMAP documented anywhere (manpage)? If so, that will need an
update.

2014-12-19 09:13:50

by Dmitry Monakhov

Subject: Re: [PATCH] fs: make generic_block_fiemap sig-tolerant PING2...

Andrew Morton <[email protected]> writes:

> On Wed, 10 Dec 2014 16:49:18 +0300 Dmitry Monakhov <[email protected]> wrote:
>
>>
>> Hello. Someone please take care of this patch.
>>
>> W/o that patch unprivileged user may abuse system resources simply by spawning
>> vast number of unkillable busyloops (works on ext2/ext3):
>>
>> truncate --size 1T test
>> for ((i=0;i<1024;i++))
>> do
>> filefrag test > /dev/null &
>> done
>>
>> >> --- a/fs/ioctl.c
>> >> +++ b/fs/ioctl.c
>> >> @@ -379,6 +379,11 @@ int __generic_block_fiemap(struct inode *inode,
>> >> past_eof = true;
>> >> }
>> >> cond_resched();
>> >> + if (fatal_signal_pending(current)) {
>> >> + ret = -EINTR;
>> >> + break;
>> >> + }
>> >> +
>> >> } while (1);
>> >>
>
> Is FIEMAP documented anywhere (manpage)? If so, that will need an
> update.
Yes, you are right. I just thought that it is assumed by default.
The only place I know is Documentation/filesystems/fiemap.txt
Please fold patch attached to original one.


Attachments:
0001-doc-fimemap-update-signal-behaviour.patch (936.00 B)

2014-12-19 21:33:39

by Andrew Morton

Subject: Re: [PATCH] fs: make generic_block_fiemap sig-tolerant PING2...

On Fri, 19 Dec 2014 12:13:50 +0300 Dmitry Monakhov <[email protected]> wrote:

> --- a/Documentation/filesystems/fiemap.txt
> +++ b/Documentation/filesystems/fiemap.txt
> @@ -196,7 +196,8 @@ struct fiemap_extent_info {
> };
>
> It is intended that the file system should not need to access any of this
> -structure directly.
> +structure directly. Filesystem handlers should be tolerant to signals and return
> +EINTR once fatal signal received.
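Review bot: The sentence added to fiemap.txt puts the requirement on "Filesystem handlers" in general but states neither the sign of the return value nor which handlers run long enough to need the check. Suggest wording such as "handlers with long-running loops should check for a pending fatal signal and return -EINTR", and fixing the grammar ("once a fatal signal is received"). It is also appended to the paragraph about not accessing struct fiemap_extent_info directly, which is an unrelated point; a separate paragraph would read better.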

Thanks. I was concerned about userspace effects and back-compatibility
issues, because I'd misread fatal_signal_pending() as signal_pending().

Because it uses fatal_signal_pending(), the effects of this change
should be indiscernible to userspace, yes?

I'm now wondering if the above doc update is unneeded and incorrect.
Is it likely that the fs handler (fiemap_fill_next_extent) will ever
consume a large amount of time? If not then we can leave the logic in
__generic_block_fiemap() and not bother callees.



The fix only addresses filesystems which use generic_block_fiemap().
Presumably ocfs2, btrfs, nilfs2, lustre and xfs remain vulnerable to
the problem you identified?

2014-12-19 23:38:55

by Andreas Dilger

Subject: Re: [PATCH] fs: make generic_block_fiemap sig-tolerant PING2...

On Dec 19, 2014, at 2:33 PM, Andrew Morton <[email protected]> wrote:
>
> On Fri, 19 Dec 2014 12:13:50 +0300 Dmitry Monakhov <[email protected]> wrote:
>
>> --- a/Documentation/filesystems/fiemap.txt
>> +++ b/Documentation/filesystems/fiemap.txt
>> @@ -196,7 +196,8 @@ struct fiemap_extent_info {
>> };
>>
>> It is intended that the file system should not need to access any of this
>> -structure directly.
>> +structure directly. Filesystem handlers should be tolerant to signals and return
>> +EINTR once fatal signal received.
>
> Thanks. I was concerned about userspace effects and back-compatibility
> issues, because I'd misread fatal_signal_pending() as signal_pending().
>
> Because it uses fatal_signal_pending(), the effects of this change
> should be indiscernible to userspace, yes?
>
> I'm now wondering if the above doc update is unneeded and incorrect.
> Is it likely that the fs handler (fiemap_fill_next_extent) will ever
> consume a large amount of time? If not then we can leave the logic in
> __generic_block_fiemap() and not bother callees.
>
>
>
> The fix only addresses filesystems which use generic_block_fiemap().
> Presumably ocfs2, btrfs, nilfs2, lustre and xfs remain vulnerable to
> the problem you identified?

I don't think they are - those filesystems generate the FIEMAP mapping
by walking the extent tree directly, while the "compat" code for block
based filesystems is (or was) essentially walking every possible
block offset to see if there was anything mapped at that position.

Cheers, Andreas
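
The cost difference described in the last message, and the effect of the fatal-signal check from the patch, shown as a userspace model. This is an added example, not kernel code and not part of any message in this thread; struct extent, struct task, walk_blocks() and walk_extents() are hypothetical names, and the "signal" is a constructed counter.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model: an extent is a run of mapped blocks in a sparse file. */
struct extent { uint64_t start, len; };
/* Model task: a fatal signal is pending after kill_after probes (0 = never). */
struct task { uint64_t probes, kill_after; };

/* Stand-in for a per-block mapping lookup: is block b inside any extent? */
static int block_mapped(const struct extent *e, size_t n, uint64_t b)
{
    for (size_t i = 0; i < n; i++)
        if (b >= e[i].start && b - e[i].start < e[i].len)
            return 1;
    return 0;
}

/* Block-by-block walk: one probe per block offset, mapped or not. Returns the
 * mapped block count, or -EINTR if check is set and the signal is pending. */
long walk_blocks(const struct extent *e, size_t n, uint64_t nblocks,
                 struct task *t, int check)
{
    long mapped = 0;
    for (uint64_t b = 0; b < nblocks; b++) {
        mapped += block_mapped(e, n, b);
        t->probes++;
        if (check && t->kill_after && t->probes >= t->kill_after)
            return -EINTR;
    }
    return mapped;
}

/* Extent-list walk: work is proportional to the number of extents. */
long walk_extents(const struct extent *e, size_t n, struct task *t)
{
    long mapped = 0;
    for (size_t i = 0; i < n; i++, t->probes++)
        mapped += (long)e[i].len;
    return mapped;
}

int main(void)
{
    struct extent e[] = { {0, 8}, {1u << 19, 8} }; /* constructed sample */
    struct task t = { 0, 1000 };
    long r = walk_blocks(e, 2, 1u << 20, &t, 1);
    printf("ret=%ld probes=%llu\n", r, (unsigned long long)t.probes);
    return 0;
}
```

With check set to 0 the block walk ignores the pending signal and still probes every offset, which is the unkillable behaviour the first message reports.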