From: Yu Kuai <yukuai1@huaweicloud.com>
To: Chuck Lever III <chuck.lever@oracle.com>,
Yu Kuai <yukuai1@huaweicloud.com>
Cc: Greg KH <gregkh@linuxfoundation.org>,
linux-stable <stable@vger.kernel.org>,
"harry.wentland@amd.com" <harry.wentland@amd.com>,
"sunpeng.li@amd.com" <sunpeng.li@amd.com>,
"Rodrigo.Siqueira@amd.com" <Rodrigo.Siqueira@amd.com>,
"alexander.deucher@amd.com" <alexander.deucher@amd.com>,
"christian.koenig@amd.com" <christian.koenig@amd.com>,
"Xinhui.Pan@amd.com" <Xinhui.Pan@amd.com>,
"airlied@gmail.com" <airlied@gmail.com>,
Daniel Vetter <daniel@ffwll.ch>,
Al Viro <viro@zeniv.linux.org.uk>,
Christian Brauner <brauner@kernel.org>,
Liam Howlett <liam.howlett@oracle.com>,
Andrew Morton <akpm@linux-foundation.org>,
Hugh Dickins <hughd@google.com>,
"Matthew Wilcox (Oracle)" <willy@infradead.org>,
Sasha Levin <sashal@kernel.org>,
"srinivasan.shanmugam@amd.com" <srinivasan.shanmugam@amd.com>,
"chiahsuan.chung@amd.com" <chiahsuan.chung@amd.com>,
"mingo@kernel.org" <mingo@kernel.org>,
"mgorman@techsingularity.net" <mgorman@techsingularity.net>,
"chengming.zhou@linux.dev" <chengming.zhou@linux.dev>,
"zhangpeng.00@bytedance.com" <zhangpeng.00@bytedance.com>,
"amd-gfx@lists.freedesktop.org" <amd-gfx@lists.freedesktop.org>,
"dri-devel@lists.freedesktop.org"
<dri-devel@lists.freedesktop.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Linux FS Devel <linux-fsdevel@vger.kernel.org>,
"maple-tree@lists.infradead.org" <maple-tree@lists.infradead.org>,
linux-mm <linux-mm@kvack.org>,
"yi.zhang@huawei.com" <yi.zhang@huawei.com>,
yangerkun <yangerkun@huawei.com>,
"yukuai (C)" <yukuai3@huawei.com>
Subject: Re: [PATCH 6.6 00/28] fix CVE-2024-46701
Date: Sat, 9 Nov 2024 09:30:50 +0800 [thread overview]
Message-ID: <a223b1dd-9699-5f6c-2b71-98e9cd377007@huaweicloud.com> (raw)
In-Reply-To: <D2A4C13B-3B50-4BA7-A5CC-C16E98944D55@oracle.com>
Hi,
在 2024/11/08 21:23, Chuck Lever III 写道:
>
>
>> On Nov 7, 2024, at 8:19 PM, Yu Kuai <yukuai1@huaweicloud.com> wrote:
>>
>> Hi,
>>
>> 在 2024/11/07 22:41, Chuck Lever 写道:
>>> On Thu, Nov 07, 2024 at 08:57:23AM +0800, Yu Kuai wrote:
>>>> Hi,
>>>>
>>>> 在 2024/11/06 23:19, Chuck Lever III 写道:
>>>>>
>>>>>
>>>>>> On Nov 6, 2024, at 1:16 AM, Greg KH <gregkh@linuxfoundation.org> wrote:
>>>>>>
>>>>>> On Thu, Oct 24, 2024 at 09:19:41PM +0800, Yu Kuai wrote:
>>>>>>> From: Yu Kuai <yukuai3@huawei.com>
>>>>>>>
>>>>>>> Fix patch is patch 27, relied patches are from:
>>>>>
>>>>> I assume patch 27 is:
>>>>>
>>>>> libfs: fix infinite directory reads for offset dir
>>>>>
>>>>> https://lore.kernel.org/stable/20241024132225.2271667-12-yukuai1@huaweicloud.com/
>>>>>
>>>>> I don't think the Maple tree patches are a hard
>>>>> requirement for this fix. And note that libfs did
>>>>> not use Maple tree originally because I was told
>>>>> at that time that Maple tree was not yet mature.
>>>>>
>>>>> So, a better approach might be to fit the fix
>>>>> onto linux-6.6.y while sticking with xarray.
>>>>
>>>> The painful part is that using xarray is not acceptable, the offet
>>>> is just 32 bit and if it overflows, readdir will read nothing. That's
>>>> why maple_tree has to be used.
>>> A 32-bit range should be entirely adequate for this usage.
>>> - The offset allocator wraps when it reaches the maximum, it
>>> doesn't overflow unless there are actually billions of extant
>>> entries in the directory, which IMO is not likely.
>>
>> Yes, it's not likely, but it's possible, and not hard to trigger for
>> test.
>
> I question whether such a test reflects any real-world
> workload.
>
> Besides, there are a number of other limits that will impact
> the ability to create that many entries in one directory.
> The number of inodes in one tmpfs instance is limited, for
> instance.
>
>
>> And please notice that the offset will increase for each new file,
>> and file can be removed, while offset stays the same.
Did you see the above explanation? files can be removed, you don't have
to store that much files to triggger the offset to overflow.
>>> - The offset values are dense, so the directory can use all 2- or
>>> 4- billion in the 32-bit integer range before wrapping.
>>
>> A simple math, if user create and remove 1 file in each seconds, it will
>> cost about 130 years to overflow. And if user create and remove 1000
>> files in each second, it will cost about 1 month to overflow.
>
> The question is what happens when there are no more offset
> values available. xa_alloc_cyclic should fail, and file
> creation is supposed to fail at that point. If it doesn't,
> that's a bug that is outside of the use of xarray or Maple.
Can you show me the code that xa_alloc_cyclic should fail? At least
according to the commets, it will return 1 if the allocation succeeded
after wrapping.
* Context: Any context. Takes and releases the xa_lock. May sleep if
* the @gfp flags permit.
* Return: 0 if the allocation succeeded without wrapping. 1 if the
* allocation succeeded after wrapping, -ENOMEM if memory could not be
* allocated or -EBUSY if there are no free entries in @limit.
*/
static inline int xa_alloc_cyclic(struct xarray *xa, u32 *id, void *entry,
struct xa_limit limit, u32 *next, gfp_t gfp)
>
>
>> maple tree use 64 bit value for the offset, which is impossible to
>> overflow for the rest of our lifes.
>>> - No-one complained about this limitation when offset_readdir() was
>>> first merged. The xarray was replaced for performance reasons,
>>> not because of the 32-bit range limit.
>>> It is always possible that I have misunderstood your concern!
>>
>> The problem is that if the next_offset overflows to 0, then after patch
>> 27, offset_dir_open() will record the 0, and later offset_readdir will
>> return directly, while there can be many files.
>
> That's a separate bug that has nothing to do with the maximum
> number of entries one directory can have. Again, you don't
> need Maple tree to address that.
>
> My understanding from Liam is that backporting Maple into
> v6.6 is just not practical to do. We must explore alternate
> ways to address these concerns.
Like I said, I'll just give up for this cve for v6.6.
>
>
> --
> Chuck Lever
>
>
next prev parent reply other threads:[~2024-11-09 1:31 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-24 13:19 Yu Kuai
2024-10-24 13:19 ` [PATCH 6.6 01/28] maple_tree: add mt_free_one() and mt_attr() helpers Yu Kuai
2024-10-24 13:19 ` [PATCH 6.6 02/28] maple_tree: introduce {mtree,mas}_lock_nested() Yu Kuai
2024-10-24 13:19 ` [PATCH 6.6 03/28] maple_tree: introduce interfaces __mt_dup() and mtree_dup() Yu Kuai
2024-10-24 13:19 ` [PATCH 6.6 04/28] maple_tree: skip other tests when BENCH is enabled Yu Kuai
2024-10-24 13:19 ` [PATCH 6.6 05/28] maple_tree: preserve the tree attributes when destroying maple tree Yu Kuai
2024-10-24 13:19 ` [PATCH 6.6 06/28] maple_tree: remove unnecessary default labels from switch statements Yu Kuai
2024-10-24 13:19 ` [PATCH 6.6 07/28] maple_tree: make mas_erase() more robust Yu Kuai
2024-10-24 13:19 ` [PATCH 6.6 08/28] maple_tree: move debug check to __mas_set_range() Yu Kuai
2024-10-24 13:19 ` [PATCH 6.6 09/28] maple_tree: add end of node tracking to the maple state Yu Kuai
2024-10-24 13:19 ` [PATCH 6.6 10/28] maple_tree: use cached node end in mas_next() Yu Kuai
2024-10-24 13:19 ` [PATCH 6.6 11/28] maple_tree: use cached node end in mas_destroy() Yu Kuai
2024-10-24 13:19 ` [PATCH 6.6 12/28] maple_tree: clean up inlines for some functions Yu Kuai
2024-10-24 13:19 ` [PATCH 6.6 13/28] maple_tree: add test for mtree_dup() Yu Kuai
2024-10-24 13:19 ` [PATCH 6.6 14/28] maple_tree: separate ma_state node from status Yu Kuai
2024-10-24 13:19 ` [PATCH 6.6 15/28] maple_tree: remove mas_searchable() Yu Kuai
2024-10-24 13:22 ` [PATCH 6.6 16/28] Revert "maple_tree: correct tree corruption on spanning store" Yu Kuai
2024-10-24 13:22 ` [PATCH 6.6 17/28] maple_tree: use maple state end for write operations Yu Kuai
2024-10-24 13:22 ` [PATCH 6.6 18/28] maple_tree: don't find node end in mtree_lookup_walk() Yu Kuai
2024-10-24 13:22 ` [PATCH 6.6 19/28] maple_tree: mtree_range_walk() clean up Yu Kuai
2024-10-24 13:22 ` [PATCH 6.6 20/28] lib/maple_tree.c: fix build error due to hotfix alteration Yu Kuai
2024-10-24 13:22 ` [PATCH 6.6 21/28] maple_tree: avoid checking other gaps after getting the largest gap Yu Kuai
2024-10-24 13:22 ` [PATCH 6.6 22/28] libfs: Re-arrange locking in offset_iterate_dir() Yu Kuai
2024-10-24 13:22 ` [PATCH 6.6 23/28] libfs: Define a minimum directory offset Yu Kuai
2024-10-24 13:22 ` [PATCH 6.6 24/28] libfs: Add simple_offset_empty() Yu Kuai
2024-10-24 13:22 ` [PATCH 6.6 25/28] maple_tree: Add mtree_alloc_cyclic() Yu Kuai
2024-10-24 13:22 ` [PATCH 6.6 26/28] libfs: Convert simple directory offsets to use a Maple Tree Yu Kuai
2024-10-24 13:22 ` [PATCH 6.6 27/28] libfs: fix infinite directory reads for offset dir Yu Kuai
2024-10-24 13:22 ` [PATCH 6.6 28/28] maple_tree: correct tree corruption on spanning store Yu Kuai
2024-11-06 15:02 ` Lorenzo Stoakes
2024-11-07 1:22 ` Yu Kuai
2024-11-06 6:16 ` [PATCH 6.6 00/28] fix CVE-2024-46701 Greg KH
2024-11-06 14:44 ` Liam R. Howlett
2024-11-06 15:19 ` Chuck Lever III
2024-11-06 16:21 ` James Bottomley
2024-11-07 0:57 ` Yu Kuai
2024-11-07 14:41 ` Chuck Lever
2024-11-08 1:19 ` Yu Kuai
2024-11-08 13:23 ` Chuck Lever III
2024-11-08 17:03 ` Liam R. Howlett
2024-11-09 1:38 ` Yu Kuai
2024-11-09 1:30 ` Yu Kuai [this message]
2024-11-09 16:58 ` Chuck Lever III
2024-11-11 0:56 ` Yu Kuai
2024-11-07 14:44 ` Liam R. Howlett
2024-11-06 14:43 ` Lorenzo Stoakes
2024-11-07 1:43 ` Yu Kuai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a223b1dd-9699-5f6c-2b71-98e9cd377007@huaweicloud.com \
--to=yukuai1@huaweicloud.com \
--cc=Rodrigo.Siqueira@amd.com \
--cc=Xinhui.Pan@amd.com \
--cc=airlied@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=alexander.deucher@amd.com \
--cc=amd-gfx@lists.freedesktop.org \
--cc=brauner@kernel.org \
--cc=chengming.zhou@linux.dev \
--cc=chiahsuan.chung@amd.com \
--cc=christian.koenig@amd.com \
--cc=chuck.lever@oracle.com \
--cc=daniel@ffwll.ch \
--cc=dri-devel@lists.freedesktop.org \
--cc=gregkh@linuxfoundation.org \
--cc=harry.wentland@amd.com \
--cc=hughd@google.com \
--cc=liam.howlett@oracle.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=maple-tree@lists.infradead.org \
--cc=mgorman@techsingularity.net \
--cc=mingo@kernel.org \
--cc=sashal@kernel.org \
--cc=srinivasan.shanmugam@amd.com \
--cc=stable@vger.kernel.org \
--cc=sunpeng.li@amd.com \
--cc=viro@zeniv.linux.org.uk \
--cc=willy@infradead.org \
--cc=yangerkun@huawei.com \
--cc=yi.zhang@huawei.com \
--cc=yukuai3@huawei.com \
--cc=zhangpeng.00@bytedance.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox