From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.3 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id E8126C32792 for ; Thu, 3 Oct 2019 17:05:27 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id B7C1B20673 for ; Thu, 3 Oct 2019 17:05:27 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org B7C1B20673 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=intel.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id 501166B0005; Thu, 3 Oct 2019 13:05:27 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 48B446B0006; Thu, 3 Oct 2019 13:05:27 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 3516F6B0007; Thu, 3 Oct 2019 13:05:27 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0251.hostedemail.com [216.40.44.251]) by kanga.kvack.org (Postfix) with ESMTP id 0D8626B0005 for ; Thu, 3 Oct 2019 13:05:27 -0400 (EDT) Received: from smtpin27.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay04.hostedemail.com (Postfix) with SMTP id 90D8D877D for ; Thu, 3 Oct 2019 17:05:26 +0000 (UTC) X-FDA: 76003099452.27.line66_2f50721d29c00 X-HE-Tag: line66_2f50721d29c00 X-Filterd-Recvd-Size: 4806 Received: from mga09.intel.com (mga09.intel.com [134.134.136.24]) by imf08.hostedemail.com (Postfix) with ESMTP for ; Thu, 3 Oct 2019 17:05:24 +0000 (UTC) X-Amp-Result: UNKNOWN X-Amp-Original-Verdict: FILE UNKNOWN X-Amp-File-Uploaded: False Received: from fmsmga005.fm.intel.com ([10.253.24.32]) by orsmga102.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 03 Oct 2019 10:05:23 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.67,253,1566889200"; d="scan'208";a="392014697" Received: from iweiny-desk2.sc.intel.com ([10.3.52.157]) by fmsmga005.fm.intel.com with ESMTP; 03 Oct 2019 10:05:23 -0700 Date: Thu, 3 Oct 2019 10:05:23 -0700 From: Ira Weiny To: Jan Kara Cc: Jeff Layton , linux-fsdevel@vger.kernel.org, linux-xfs@vger.kernel.org, linux-ext4@vger.kernel.org, linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org, linux-nvdimm@lists.01.org, linux-mm@kvack.org, Dave Chinner , Theodore Ts'o , John Hubbard , Dan Williams , Jason Gunthorpe Subject: Re: Lease semantic proposal Message-ID: <20191003170523.GC31174@iweiny-DESK2.sc.intel.com> References: <20190923190853.GA3781@iweiny-DESK2.sc.intel.com> <5d5a93637934867e1b3352763da8e3d9f9e6d683.camel@kernel.org> <20191001181659.GA5500@iweiny-DESK2.sc.intel.com> <20191003090110.GC17911@quack2.suse.cz> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20191003090110.GC17911@quack2.suse.cz> User-Agent: Mutt/1.11.1 (2018-12-01) X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Thu, Oct 03, 2019 at 11:01:10AM +0200, Jan Kara wrote: > On Tue 01-10-19 11:17:00, Ira Weiny wrote: > > On Mon, Sep 23, 2019 at 04:17:59PM -0400, Jeff Layton wrote: > > > On Mon, 2019-09-23 at 12:08 -0700, Ira Weiny wrote: > > > > > > Will userland require any special privileges in order to set an > > > F_UNBREAK lease? This seems like something that could be used for DoS. I > > > assume that these will never time out. > > > > Dan and I discussed this some more and yes I think the uid of the process needs > > to be the owner of the file. I think that is a reasonable mechanism. > > Honestly, I'm not convinced anything more than open-for-write should be > required. Sure unbreakable lease may result in failing truncate and other > ops but as we discussed at LFS/MM, this is not hugely different from > executing a file resulting in ETXTBUSY for any truncate attempt (even from > root). So sufficiently priviledged user has to be able to easily find which > process(es) owns the lease so that he can kill it / take other > administrative action to release the lease. But that's about it. Well that was kind of what I was thinking. However I wanted to be careful about requiring write permission when doing a F_RDLCK. I think that it has to be clearly documented _why_ write permission is required. > > > > How will we deal with the case where something is is squatting on an > > > F_UNBREAK lease and isn't letting it go? > > > > That is a good question. I had not considered someone taking the UNBREAK > > without pinning the file. > > IMHO the same answer as above - sufficiently priviledged user should be > able to easily find the process holding the lease and kill it. Given the > lease owner has to have write access to the file, he better should be from > the same "security domain"... > > > > Leases are technically "owned" by the file description -- we can't > > > necessarily trace it back to a single task in a threaded program. The > > > kernel task that set the lease may have exited by the time we go > > > looking. > > > > > > Will we be content trying to determine this using /proc/locks+lsof, etc, > > > or will we need something better? > > > > I think using /proc/locks is our best bet. Similar to my intention to report > > files being pinned.[1] > > > > In fact should we consider files with F_UNBREAK leases "pinned" and just report > > them there? > > As Jeff wrote later, /proc/locks is not enough. You need PID(s) which have > access to the lease and hold it alive. Your /proc// files you had in your > patches should do that, shouldn't they? Maybe they were not tied to the > right structure... They really need to be tied to the existence of a lease. Yes, sorry. I misspoke above. Right now /proc//file_pins indicates that the file is pinned by GUP. I think it may be reasonable to extend that to any file which has F_UNBREAK specified. 'file_pins' may be the wrong name when we include F_UNBREAK'ed leased files, so I will think on the name. But I think this is possible and desired. Ira