linux.git/fs/orangefs/devorangefs-req.c, branch v4.8 Linux kernel source tree orangefs: fix namespace handling 2016-07-05T19:47:43+00:00 Jann Horn jannh@google.com 2016-06-24T23:51:52+00:00 78fee0b6846f27872321338db6afe280f059ae99 In orangefs_inode_getxattr(), an fsuid is written to dmesg. The kuid is converted to a userspace uid via from_kuid(current_user_ns(), [...]), but since dmesg is global, init_user_ns should be used here instead. In copy_attributes_from_inode(), op_alloc() and fill_default_sys_attrs(), upcall structures are populated with uids/gids that have been mapped into the caller's namespace. However, those upcall structures are read by another process (the userspace filesystem driver), and that process might be running in another namespace. This effectively lets any user spoof its uid and gid as seen by the userspace filesystem driver. To fix the second issue, I just construct the opcall structures with init_user_ns uids/gids and require the filesystem server to run in the init namespace. Since orangefs is full of global state anyway (as the error message in DUMP_DEVICE_ERROR explains, there can only be one userspace orangefs filesystem driver at once), that shouldn't be a problem. [ Why does orangefs even exist in the kernel if everything does upcalls into userspace? What does orangefs do that couldn't be done with the FUSE interface? If there is no good answer to those questions, I'd prefer to see orangefs kicked out of the kernel. Can that be done for something that shipped in a release? According to commit f7ab093f74bf ("Orangefs: kernel client part 1"), they even already have a FUSE daemon, and the only rational reason (apart from "but most of our users report preferring to use our kernel module instead") given for not wanting to use FUSE is one "in-the-works" feature that could probably be integated into FUSE instead. ] This patch has been compile-tested. Signed-off-by: Jann Horn <jannh@google.com> Signed-off-by: Mike Marshall <hubcap@omnibond.com> 
In orangefs_inode_getxattr(), an fsuid is written to dmesg. The kuid is
converted to a userspace uid via from_kuid(current_user_ns(), [...]), but
since dmesg is global, init_user_ns should be used here instead.

In copy_attributes_from_inode(), op_alloc() and fill_default_sys_attrs(),
upcall structures are populated with uids/gids that have been mapped into
the caller's namespace. However, those upcall structures are read by
another process (the userspace filesystem driver), and that process might
be running in another namespace. This effectively lets any user spoof its
uid and gid as seen by the userspace filesystem driver.

To fix the second issue, I just construct the opcall structures with
init_user_ns uids/gids and require the filesystem server to run in the
init namespace. Since orangefs is full of global state anyway (as the error
message in DUMP_DEVICE_ERROR explains, there can only be one userspace
orangefs filesystem driver at once), that shouldn't be a problem.

[
Why does orangefs even exist in the kernel if everything does upcalls into
userspace? What does orangefs do that couldn't be done with the FUSE
interface? If there is no good answer to those questions, I'd prefer to see
orangefs kicked out of the kernel. Can that be done for something that
shipped in a release?

According to commit f7ab093f74bf ("Orangefs: kernel client part 1"), they
even already have a FUSE daemon, and the only rational reason (apart from
"but most of our users report preferring to use our kernel module instead")
given for not wanting to use FUSE is one "in-the-works" feature that could
probably be integated into FUSE instead.
]

This patch has been compile-tested.

Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Mike Marshall <hubcap@omnibond.com>
orangefs: fix orangefs_superblock locking 2016-03-26T11:22:00+00:00 Al Viro viro@zeniv.linux.org.uk 2016-03-25T23:56:34+00:00 45996492e5c85aa0ac93a95d1b2d1ed56851c865 * switch orangefs_remount() to taking ORANGEFS_SB(sb) instead of sb * remove from the list _before_ orangefs_unmount() - request_mutex in the latter will make sure that nothing observed in the loop in ORANGEFS_DEV_REMOUNT_ALL handling will get freed until the end of loop * on removal, keep the forward pointer and zero the back one. That way we can drop and regain the spinlock in the loop body (again, ORANGEFS_DEV_REMOUNT_ALL one) and still be able to get to the rest of the list. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Mike Marshall <hubcap@omnibond.com> 
* switch orangefs_remount() to taking ORANGEFS_SB(sb) instead of sb
* remove from the list _before_ orangefs_unmount() - request_mutex
in the latter will make sure that nothing observed in the loop in
ORANGEFS_DEV_REMOUNT_ALL handling will get freed until the end
of loop
* on removal, keep the forward pointer and zero the back one.  That
way we can drop and regain the spinlock in the loop body (again,
ORANGEFS_DEV_REMOUNT_ALL one) and still be able to get to the
rest of the list.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Mike Marshall <hubcap@omnibond.com>
Orangefs: Extra sanity insurance on buffer before using string functions on it. 2016-03-14T19:48:28+00:00 Mike Marshall hubcap@omnibond.com 2016-03-14T19:28:34+00:00 53f57fef43f5b9586c7a78acdeae27e206eae48b Signed-off-by: Mike Marshall <hubcap@omnibond.com> 
Signed-off-by: Mike Marshall <hubcap@omnibond.com>
orangefs: make fs_mount_pending static 2016-03-09T18:26:39+00:00 Martin Brandenburg martin@omnibond.com 2016-03-05T18:17:39+00:00 acfcbaf1925f2dc5c46c61de69d756dec92a2ff8 Signed-off-by: Martin Brandenburg <martin@omnibond.com> Signed-off-by: Mike Marshall <hubcap@omnibond.com> 
Signed-off-by: Martin Brandenburg <martin@omnibond.com>
Signed-off-by: Mike Marshall <hubcap@omnibond.com>
Orangefs: improve gossip statements 2016-03-03T18:46:48+00:00 Mike Marshall hubcap@omnibond.com 2016-03-03T18:46:48+00:00 9d9e7ba9ee8f304c4608f3c81aa5e7fb3bddd251 Signed-off-by: Mike Marshall <hubcap@omnibond.com> 
Signed-off-by: Mike Marshall <hubcap@omnibond.com>
Orangefs: update orangefs.txt 2016-02-26T19:39:08+00:00 Mike Marshall hubcap@omnibond.com 2016-02-26T19:39:08+00:00 9f08cfe94417f782393330cbfc95617c04f051c2 Al Viro has cleaned up the way ops are processed and waited for, now orangefs.txt has an overview of how it works. Several recent related commits have added to the comments in the code as well. Signed-off-by: Mike Marshall <hubcap@omnibond.com> 
Al Viro has cleaned up the way ops are processed and waited for,
now orangefs.txt has an overview of how it works. Several recent
related commits have added to the comments in the code as well.

Signed-off-by: Mike Marshall <hubcap@omnibond.com>
Orangefs: code sanitation. 2016-02-26T15:21:12+00:00 Mike Marshall hubcap@omnibond.com 2016-02-26T15:21:12+00:00 ca9f518eadeb7edd8e438a6542d3caec9bc3bb74 Signed-off-by: Mike Marshall <hubcap@omnibond.com> 
Signed-off-by: Mike Marshall <hubcap@omnibond.com>
Orangefs: code sanitation 2016-02-24T21:54:27+00:00 Mike Marshall hubcap@omnibond.com 2016-02-24T21:54:27+00:00 adcf34a2893386c99e80feee36e30a782b3815e7 Signed-off-by: Mike Marshall <hubcap@omnibond.com> 
Signed-off-by: Mike Marshall <hubcap@omnibond.com>
orangefs: have ..._clean_interrupted_...() wait for copy to/from daemon 2016-02-19T18:45:56+00:00 Al Viro viro@zeniv.linux.org.uk 2016-02-18T23:59:44+00:00 05a50a5be897004b6c1399645256bcf2e768b4ef * turn all those list_del(&op->list) into list_del_init() * don't pick ops that are already given up in control device ->read()/->write_iter(). * have orangefs_clean_interrupted_operation() notice if op is currently being copied to/from daemon (by said ->read()/->write_iter()) and wait for that to finish. * when we are done copying to/from daemon and find that it had been given up while we were doing that, wake the waiting ..._clean_interrupted_... As the result, we are guaranteed that orangefs_clean_interrupted_operation(op) doesn't return until nobody else can see op. Moreover, we don't need to play with op refcounts anymore. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Mike Marshall <hubcap@omnibond.com> 
* turn all those list_del(&op->list) into list_del_init()
* don't pick ops that are already given up in control device
  ->read()/->write_iter().
* have orangefs_clean_interrupted_operation() notice if op is currently
  being copied to/from daemon (by said ->read()/->write_iter()) and
  wait for that to finish.
* when we are done copying to/from daemon and find that it had been
  given up while we were doing that, wake the waiting ..._clean_interrupted_...

As the result, we are guaranteed that orangefs_clean_interrupted_operation(op)
doesn't return until nobody else can see op.  Moreover, we don't need to play
with op refcounts anymore.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Mike Marshall <hubcap@omnibond.com>
orangefs: set correct ->downcall.status on failing to copy reply from daemon 2016-02-19T18:45:55+00:00 Al Viro viro@zeniv.linux.org.uk 2016-02-18T23:53:41+00:00 5964c1b83912dd5052f66ceb50634df958129981 ... and clean the end of control device ->write_iter() while we are at it Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Mike Marshall <hubcap@omnibond.com> 
... and clean the end of control device ->write_iter() while we are at it

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Mike Marshall <hubcap@omnibond.com>