public inbox for [email protected]
 help / color / mirror / Atom feed
From: Al Viro <[email protected]>
To: [email protected]
Cc: "Christian Brauner" <[email protected]>,
	[email protected],
	"Christian Göttsche" <[email protected]>
Subject: [RFC][PATCHES] xattr stuff and interactions with io_uring
Date: Wed, 2 Oct 2024 02:10:11 +0100	[thread overview]
Message-ID: <20241002011011.GB4017910@ZenIV> (raw)

	The series below is a small-scale attempt at sanitizing the
interplay between io_uring and normal syscalls.  It is limited to
xattr-related syscalls and I would like to have a similar approach taken
a lot further than that.

	Right now we have an ad-hoc mess, with io_uring stuff hooked
at different layers to syscall guts.  And it keeps growing and getting
messier.

	As far as I can tell, the general rules are

* we want arguments copied in when request is submitted to io_uring.
Rationale: userland caller should be able to have that stuff on his
stack frame, rather than keeping it around until the request completion.
Fair enough.

* destination for the stuff we want copied _out_ (results of read(),
etc.)  has to stay around until the IO completion.  In other words, such
references remain as userland pointers until the request is executed.
Fair enough.

* the things get less clear-cut where we are talking about bulk data
copied _in_ - write() arguments, for example.  In some cases we do
handle that at request execution time, in some we do not (setsockopt
vs. setxattr vs. write, for example).  Decided on individual basis?

* some argument validation is done when request is submitted; however,
anything related to resolving pathnames (at least - there may be other
such areas) is done only at the time request is processed.  Rationale:
previous requests might alter the state in question and we want the
effects of such changes visible to our request.

* pathnames are copied in at submission time and resolved at execution
time; descriptors are resolved at submission time, except when used in
dirfd role.

	What I propose for xattr stuff (and what could serve as a model
for other cases) is two families of helpers; one takes struct file
reference + whatever other arguments we want, another - dfd + filename +
lookup_flags + other arguments; filename is passed as a struct filename
reference, which is consumed by the helper.

	Normal syscalls are easily expressed via those; io_uring side is
also apparently OK.  Not sure if it's flexible enough, though - e.g.
IORING_OP_MKDIRAT et.al. end up resolving the descriptor _twice_
and can't have it coming from io_uring analogue of descriptor table.
It might make more sense to allow a variant that would have dirfd already
resolved to file reference.  It's not that hard to do on fs/namei.c side
(set_nameidata() and path_init() would have to be taught about that,
and that's more of less it), but... we need to figure out whether it
makes better sense to have descriptor resolution prompt or delayed on
the io_uring side - i.e. at submission or at execution time.

	Anyway, for now I'm following the model we have for do_mkdirat()
et.al.  It's definitely flexible enough on the syscall side; in particular,
rebasing ...xattrat(2) patch on top of that had been trivial.  It also
promises some fairly nice simplifications wrt struct filename vs. audit,
but that's a separate story.

	Currently the branch lives in
git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs.git #work.xattr
Individual patches in followups.

1/9)	switch to CLASS(fd) use.  Obvious.

2/9)	rename struct xattr_ctx to kernel_xattr_ctx
prep from the ...xattrat() series, to reduce the PITA for rebase

3/9)	io_[gs]etxattr_prep(): just use getname()
getname_flags(_, LOOKUP_FOLLOW) is ridiculous.

4/9)	new helper: import_xattr_name()
exact same logics for copying the xattr name in, dealing with
overflows, etc. in a lot of places.  

5/9)	replace do_setxattr() with saner helpers
file_setxattr(file, ctx) and filename_setxattr(dfd, filename, lookup_flags, ctx).
Don't mess with do_setxattr() directly - use those.  In particular, don't
bother with the ESTALE loop in io_uring - it doesn't belong there.

6/9)	replace do_getxattr() with saner helpers
Same on getxattr() side.

7/9)	new helpers: file_listxattr(), filename_listxattr()
Same, except that io_uring doesn't use those, so the helpers are left static.

8/9)	new helpers: file_removexattr(), filename_removexattr()
Ditto

9/9)	fs/xattr: add *at family syscalls
Rebased patch introducing those, with a bunch of fixes folded in so we don't
create bisect hazard there.  Potentially interesting bit is the pathname-handling
logics - getname_xattr(pathname, flags) returns a struct filename reference
if no AT_EMPTY_PATH had been given or if the pathname was non-NULL and turned out
to be non-empty.  With (NULL,AT_EMPTY_PATH) or (empty string, AT_EMPTY_PATH) it
returns NULL (and it tries to skip the allocation using the same trick with
get_user() that vfs_empty_path() uses).  That helper simplifies a lot of things,
and it should be cheap enough to convert fsetxattr(2) et.al. to the unified
path_setxattrat() and its ilk.  IF we get a slowdown on those, we can always
expand and simplify the calls in fsetxattr(2) and friends.

Anyway, comments, review and testing would be very welcome.

             reply	other threads:[~2024-10-02  1:10 UTC|newest]

Thread overview: 50+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-10-02  1:10 Al Viro [this message]
2024-10-02  1:22 ` [PATCH 1/9] xattr: switch to CLASS(fd) Al Viro
2024-10-02  1:22   ` [PATCH 2/9] fs: rename struct xattr_ctx to kernel_xattr_ctx Al Viro
2024-10-02  5:56     ` Christian Brauner
2024-10-02  1:22   ` [PATCH 3/9] io_[gs]etxattr_prep(): just use getname() Al Viro
2024-10-02  5:57     ` Christian Brauner
2024-10-02  1:22   ` [PATCH 4/9] new helper: import_xattr_name() Al Viro
2024-10-02  5:57     ` Christian Brauner
2024-10-02  1:22   ` [PATCH 5/9] replace do_setxattr() with saner helpers Al Viro
2024-10-02  1:34     ` Jens Axboe
2024-10-02  2:08       ` Al Viro
2024-10-02 18:00         ` Jens Axboe
2024-10-02 21:19           ` Al Viro
2024-10-02 22:55             ` Jens Axboe
2024-10-06  5:28               ` Al Viro
2024-10-07 18:09                 ` Jens Axboe
2024-10-07 18:20                   ` Jens Axboe
2024-10-07 21:20                     ` Al Viro
2024-10-07 22:29                       ` Jens Axboe
2024-10-07 23:58                         ` Al Viro
2024-10-08  1:58                           ` Jens Axboe
2024-10-08  4:08                             ` Al Viro
2024-10-02  1:22   ` [PATCH 6/9] replace do_getxattr() " Al Viro
2024-10-02  5:59     ` Christian Brauner
2024-10-02  1:22   ` [PATCH 7/9] new helpers: file_listxattr(), filename_listxattr() Al Viro
2024-10-02  6:00     ` Christian Brauner
2024-10-02  1:22   ` [PATCH 8/9] new helpers: file_removexattr(), filename_removexattr() Al Viro
2024-10-02  6:01     ` Christian Brauner
2024-10-02  1:22   ` [PATCH 9/9] fs/xattr: add *at family syscalls Al Viro
2024-10-02  6:03     ` Christian Brauner
2024-10-02  5:56   ` [PATCH 1/9] xattr: switch to CLASS(fd) Christian Brauner
2024-11-02  7:28 ` [RFC][PATCHES v2] xattr stuff and interactions with io_uring Al Viro
2024-11-02  7:31   ` [PATCH v2 01/13] teach filename_lookup() to treat NULL filename as "" Al Viro
2024-11-02  7:31     ` [PATCH v2 02/13] getname_maybe_null() - the third variant of pathname copy-in Al Viro
2024-11-02  7:31     ` [PATCH v2 03/13] io_uring: IORING_OP_F[GS]ETXATTR is fine with REQ_F_FIXED_FILE Al Viro
2024-11-02  7:31     ` [PATCH v2 04/13] io_[gs]etxattr_prep(): just use getname() Al Viro
2024-11-02 14:44       ` Jens Axboe
2024-11-02  7:31     ` [PATCH v2 05/13] xattr: switch to CLASS(fd) Al Viro
2024-11-02  7:31     ` [PATCH v2 06/13] fs: rename struct xattr_ctx to kernel_xattr_ctx Al Viro
2024-11-02  7:31     ` [PATCH v2 07/13] new helper: import_xattr_name() Al Viro
2024-11-02  7:31     ` [PATCH v2 08/13] replace do_setxattr() with saner helpers Al Viro
2024-11-02  7:31     ` [PATCH v2 09/13] replace do_getxattr() " Al Viro
2024-11-02  7:31     ` [PATCH v2 10/13] new helpers: file_listxattr(), filename_listxattr() Al Viro
2024-11-02  7:31     ` [PATCH v2 11/13] new helpers: file_removexattr(), filename_removexattr() Al Viro
2024-11-02  7:31     ` [PATCH v2 12/13] fs/xattr: add *at family syscalls Al Viro
2024-11-02  7:31     ` [PATCH v2 13/13] xattr: remove redundant check on variable err Al Viro
2024-11-02 14:43   ` [RFC][PATCHES v2] xattr stuff and interactions with io_uring Jens Axboe
2024-11-03  6:51     ` Al Viro
2024-11-03 13:57       ` Arnd Bergmann
2024-11-03 18:32         ` Al Viro

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20241002011011.GB4017910@ZenIV \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox