| Message ID | 20241126155444.2556-1-cel@kernel.org (mailing list archive) |
|---|---|
| Headers | show |
| Series | Improve simple directory offset wrap behavior | expand |
On Tue, Nov 26, 2024 at 10:54:39AM -0500, cel@kernel.org wrote: > From: Chuck Lever <chuck.lever@oracle.com> > > This series attempts to narrow some gaps in the current tmpfs > directory offset mechanism that relate to misbehaviors reported by > Yu Kuai <yukuai3@huawei.com> and Yang Erkun <yangerkun@huawei.com>. Any chance you could write xfstests test cases to exercise these corner cases?
> On Nov 26, 2024, at 11:24 AM, Christoph Hellwig <hch@infradead.org> wrote: > > On Tue, Nov 26, 2024 at 10:54:39AM -0500, cel@kernel.org wrote: >> From: Chuck Lever <chuck.lever@oracle.com> >> >> This series attempts to narrow some gaps in the current tmpfs >> directory offset mechanism that relate to misbehaviors reported by >> Yu Kuai <yukuai3@huawei.com> and Yang Erkun <yangerkun@huawei.com>. > > Any chance you could write xfstests test cases to exercise these > corner cases? generic/736 exercises the readdir loop after rename. Kuai's test requires kernel code changes to reduce the range of directory offset values that tmpfs can assign. Triggering an offset value wrap with the mtree offset allocator is not possible in millions of years. I'll have to think about how that can be made into an automatible test. -- Chuck Lever
From: Chuck Lever <chuck.lever@oracle.com> This series attempts to narrow some gaps in the current tmpfs directory offset mechanism that relate to misbehaviors reported by Yu Kuai <yukuai3@huawei.com> and Yang Erkun <yangerkun@huawei.com>. This series replaces the v1 mechanism I posted last week. It reverts offset_readdir() to use the directory's d_children list, instead of its mtree, for finding the next entry, as readdir did before v6.6. Directory offset values continue to be allocated via an mtree. The purpose of this change is to enable readdir results to continue to appear after a directory offset/cookie value wrap, while not regressing generic/736. That should enable this fix to be backported (manually) to v6.6 to address CVE-2024-46701. These are still a little unpolished. I expect review to find opportunities for further code reuse. These patches pass xfstests except for generic/013, generic/637, and generic/650. There appears to be a problem with WHITEOUT renames which I am still looking into. The series has been pushed to: https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git/log/?h=tmpfs-fixes Chuck Lever (5): libfs: Return ENOSPC when the directory offset range is exhausted libfs: Check dentry before locking in simple_offset_empty() Revert "libfs: fix infinite directory reads for offset dir" libfs: Refactor end-of-directory detection for simple_offset directories libfs: Refactor offset_iterate_dir() fs/libfs.c | 145 ++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 109 insertions(+), 36 deletions(-)