From: Carlos Maiolino <cem@kernel.org>
To: Christian Brauner <brauner@kernel.org>
Cc: linux-fsdevel@vger.kernel.org, jack@suse.cz,
akpm@linux-foundation.org, viro@zeniv.linux.org.uk,
linux-mm@kvack.org, djwong@kernel.org, hughd@google.com,
mcgrof@kernel.org
Subject: Re: [PATCH 5/6] shmem: quota support
Date: Fri, 14 Jul 2023 12:40:42 +0200 [thread overview]
Message-ID: <20230714104042.ooih4eqd2t7wjkoc@andromeda> (raw)
In-Reply-To: <20230714-messtechnik-knieprobleme-5d0a3abb4413@brauner>
Hi Christian.
> > @@ -3736,6 +3853,18 @@ static int shmem_parse_one(struct fs_context *fc, struct fs_parameter *param)
> > ctx->noswap = true;
> > ctx->seen |= SHMEM_SEEN_NOSWAP;
> > break;
> > + case Opt_quota:
> > + ctx->seen |= SHMEM_SEEN_QUOTA;
> > + ctx->quota_types |= (QTYPE_MASK_USR | QTYPE_MASK_GRP);
> > + break;
> > + case Opt_usrquota:
> > + ctx->seen |= SHMEM_SEEN_QUOTA;
> > + ctx->quota_types |= QTYPE_MASK_USR;
> > + break;
> > + case Opt_grpquota:
> > + ctx->seen |= SHMEM_SEEN_QUOTA;
> > + ctx->quota_types |= QTYPE_MASK_GRP;
> > + break;
> > }
> > return 0;
>
> I mentioned this in an earlier review; following the sequence:
Ok, my apologies, I should have lost it in the noise.
>
> if (ctx->seen & SHMEM_SEEN_QUOTA)
> -> shmem_enable_quotas()
> -> dquot_load_quota_sb()
>
> to then figure out that in dquot_load_quota_sb() we fail if
> sb->s_user_ns != &init_user_ns is too subtle for a filesystem that's
> mountable by unprivileged users. Every few months someone will end up
> stumbling upon this code and wonder where it's blocked. There isn't even
> a comment in the code.
>
> Aside from that it's also really unfriendly to users because they may go
> through setting up a tmpfs instances in the following way:
>
> fd_fs = fsopen("tmpfs");
>
> User now enables quota:
>
> fsconfig(fd_fs, ..., "quota", ...) = 0
>
> and goes on to set a bunch of other options:
>
> fsconfig(fd_fs, ..., "inode64", ...) = 0
> fsconfig(fd_fs, ..., "nr_inodes", ...) = 0
> fsconfig(fd_fs, ..., "nr_blocks", ...) = 0
> fsconfig(fd_fs, ..., "huge", ...) = 0
> fsconfig(fd_fs, ..., "mode", ...) = 0
> fsconfig(fd_fs, ..., "gid", ...) = 0
>
> everything seems dandy and they create the superblock:
>
> fsconfig(fd_fs, FSCONFIG_CMD_CREATE, ...) = -EINVAL
>
> which fails.
>
> The user has not just performed 9 useless system calls they also have
> zero clue what mount option caused the failure.
>
> What this code really really should do is fail at:
>
> fsconfig(fd_fs, ..., "quota", ...) = -EINVAL
>
> and log an error that the user can retrieve from the fs context. IOW,
>
> diff --git a/mm/shmem.c b/mm/shmem.c
> index 083ce6b478e7..baca8bf44569 100644
> --- a/mm/shmem.c
> +++ b/mm/shmem.c
> @@ -3863,14 +3863,20 @@ static int shmem_parse_one(struct fs_context *fc, struct fs_parameter *param)
> ctx->seen |= SHMEM_SEEN_NOSWAP;
> break;
> case Opt_quota:
> + if (fc->user_ns != &init_user_ns)
> + return invalfc(fc, "Quotas in unprivileged tmpfs mounts unsupported");
> ctx->seen |= SHMEM_SEEN_QUOTA;
> ctx->quota_types |= (QTYPE_MASK_USR | QTYPE_MASK_GRP);
> break;
> case Opt_usrquota:
> + if (fc->user_ns != &init_user_ns)
> + return invalfc(fc, "Quotas in unprivileged tmpfs mounts unsupported");
> ctx->seen |= SHMEM_SEEN_QUOTA;
> ctx->quota_types |= QTYPE_MASK_USR;
> break;
> case Opt_grpquota:
> + if (fc->user_ns != &init_user_ns)
> + return invalfc(fc, "Quotas in unprivileged tmpfs mounts unsupported");
> ctx->seen |= SHMEM_SEEN_QUOTA;
> ctx->quota_types |= QTYPE_MASK_GRP;
> break;
>
> This exactly what we already to for the "noswap" option btw.
>
> Could you fold these changes into the patch and resend, please?
> I synced with Andrew earlier and I'll be taking this series.
Thanks! I will sure do it, I'll update the patch, build, test and send it again
in a few minutes.
>
> ---
>
> And btw, the *_SEEN_* logic for mount options is broken - but that's not
> specific to your patch. Imagine:
>
> fd_fs = fsopen("tmpfs");
> fsconfig(fd_fs, ..., "nr_inodes", 0, "1000") = 0
>
> Now ctx->inodes == 1000 and ctx->seen |= SHMEM_SEEN_INODES.
>
> Now the user does:
>
> fsconfig(fd_fs, ..., "nr_inodes", 0, "-1234") = -EINVAL
>
> This fails, but:
>
> ctx->inodes = memparse(param->string, &rest);
> if (*rest)
> goto bad_value;
>
> will set ctx->inodes to whatever memparse returns but leaves
> SHMEM_SEEN_INODES raised in ctx->seen. Now superblock creation may
> succeed with a garbage inode limit. This should affect other mount
> options as well.
Interesting. Thanks for the heads up. I'll look in more details into it when I
start working for namespace support for quotas (as we spoke previously).
Cheers.
--
Carlos
next prev parent reply other threads:[~2023-07-14 10:40 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-13 13:48 [PATCH RESEND V4 0/6] shmem: Add user and group quota support for tmpfs cem
2023-07-13 13:48 ` [PATCH 1/6] shmem: make shmem_inode_acct_block() return error cem
2023-07-13 13:48 ` [PATCH 2/6] shmem: make shmem_get_inode() return ERR_PTR instead of NULL cem
2023-07-13 13:48 ` [PATCH 3/6] quota: Check presence of quota operation structures instead of ->quota_read and ->quota_write callbacks cem
2023-07-13 13:48 ` [PATCH 4/6] shmem: prepare shmem quota infrastructure cem
2023-07-13 13:48 ` [PATCH 5/6] shmem: quota support cem
2023-07-14 9:54 ` Christian Brauner
2023-07-14 10:40 ` Carlos Maiolino [this message]
2023-07-14 12:26 ` Carlos Maiolino
2023-07-14 13:48 ` Christian Brauner
2023-07-14 14:47 ` Carlos Maiolino
2023-07-13 13:48 ` [PATCH 6/6] Add default quota limit mount options cem
-- strict thread matches above, loose matches on Subject: below --
2023-07-17 11:52 [PATCH V5 0/6] shmem: Add user and group quota support for tmpfs cem
2023-07-17 11:52 ` [PATCH 5/6] shmem: quota support cem
2023-04-26 10:20 [PATCH V4 0/6] shmem: Add user and group quota support for tmpfs cem
2023-04-26 10:20 ` [PATCH 5/6] shmem: quota support cem
2023-04-03 8:47 [PATCH 0/6] shmem: Add user and group quota support for tmpfs cem
2023-04-03 8:47 ` [PATCH 5/6] shmem: quota support cem
2023-04-03 14:31 ` kernel test robot
2023-04-03 18:46 ` Darrick J. Wong
2023-04-04 13:41 ` Carlos Maiolino
2023-04-04 16:45 ` Darrick J. Wong
2023-04-03 22:03 ` kernel test robot
2023-04-04 6:22 ` kernel test robot
2023-04-05 11:42 ` Jan Kara
2023-04-11 9:37 ` Carlos Maiolino
2023-04-11 13:03 ` Jan Kara
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230714104042.ooih4eqd2t7wjkoc@andromeda \
--to=cem@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=brauner@kernel.org \
--cc=djwong@kernel.org \
--cc=hughd@google.com \
--cc=jack@suse.cz \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mcgrof@kernel.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox