From: Al Viro <viro@zeniv.linux.org.uk>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-fsdevel@vger.kernel.org, brauner@kernel.org, jack@suse.cz,
mjguzik@gmail.com, paul@paul-moore.com, axboe@kernel.dk,
audit@vger.kernel.org, io-uring@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [RFC PATCH v3 00/59] struct filename work
Date: Tue, 16 Dec 2025 05:23:06 +0000
Message-ID: <20251216052306.GO1712166@ZenIV>
In-Reply-To: <CAHk-=wi4j0+zDZPTr4-fyEE4qzHwNdVOwCSuPoJ4w0fpDZcDRQ@mail.gmail.com>

On Tue, Dec 16, 2025 at 04:32:03PM +1200, Linus Torvalds wrote:
> So I like the whole series, but..
>
> On Tue, 16 Dec 2025 at 15:56, Al Viro <viro@zeniv.linux.org.uk> wrote:
> >
> > struct filename ->refcnt doesn't need to be atomic
>
> Does ->refcnt need to exist _at_all_ if audit isn't enabled?
>
> Are there any other users of it? Maybe I missed some?
>
> Because I'm wondering if we could just encapsulate the thing entirely
> in some #ifdef CONFIG_AUDIT check.
>
> Now, I think absolutely everybody does enable audit, so it's not
> because I'd try to save one word of memory and a few tests, it's more
> of a "could we make it very explicit that all that code is purely
> about the audit case"?

Umm... Not exactly. I mean, yes, at the moment we never increment the
refcount outside of kernel/auditsc.c, so it'll always be 1 if that thing
is disabled.

But if you mean to store it on caller's stack, that's another kettle of
fish - anything async with io_uring won't be able to do that, even if we
ignore the stack footprint issues. In configs without audit we end up
	1) allocating it and copying the pathname from userland on
request submission; pointer is stashed into request.
	2) picking it in processing thread and doing the operation
there. By that point submitter might have not just left the kernel,
but overwritten the pathname contents in userland.
	3) either stashing it back into request or freeing it.

With audit (2) might become "... and have an extra ref stashed in audit
context" with (3) becoming "either stashing it back into request, if no
extra ref has appeared, or making a copy, stashing it back into request
and dropping the reference on the original"

So refcount may be audit-only thing, at least at the moment, but the
need to outlive the syscall where getname() had been called is very much
not audit-only.

And stack footprint is not trivial either, unless you limit embedded
case to something very short - even an extra hundred bytes (or two,
e.g. in case of rename()) is not something I'd be entirely comfortable
grabbing for pathname-related syscalls.
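
An added illustration, not part of the message above and not kernel code: a userspace C model of the three steps it lists, showing that the name copied at submission survives the submitter overwriting its buffer, and that the copy in step 3 happens only when an extra reference appeared. All type and function names here are hypothetical, and the "user" buffer is a constructed sample.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical model types; these are not the kernel's structures. */
struct name_model { int refcnt; char name[64]; };
struct request_model { struct name_model *fn; };

/* Step 1: copy the pathname out of the caller's buffer at submission. */
static struct name_model *import_name(const char *ubuf)
{
    struct name_model *fn = calloc(1, sizeof(*fn));
    if (!fn)
        return NULL;
    strncpy(fn->name, ubuf, sizeof(fn->name) - 1);
    fn->refcnt = 1;
    return fn;
}

static void put_name(struct name_model *fn)
{
    if (fn && --fn->refcnt == 0)
        free(fn);
}

/* Step 3: stash back if ours is the only ref, else copy and drop ours.
 * Returns 0 (no copy), 1 (copied) or -1 (allocation failure). */
static int stash_back(struct request_model *req, struct name_model *fn)
{
    struct name_model *copy;
    if (fn->refcnt == 1) { req->fn = fn; return 0; }
    if (!(copy = import_name(fn->name))) return -1;
    put_name(fn);
    req->fn = copy;
    return 1;
}

/* audit != 0 models an extra ref taken during step 2.
 * Returns 1 if every holder still sees the name as submitted. */
int run_model(int audit, int *copied)
{
    char ubuf[64] = "/tmp/original";          /* constructed sample input */
    struct request_model req = { import_name(ubuf) };
    struct name_model *fn = req.fn, *audit_ref = NULL;
    int ok;
    if (!fn) return -1;
    strcpy(ubuf, "/tmp/overwritten");         /* submitter reuses its buffer */
    req.fn = NULL;                            /* step 2: worker picks it up */
    if (audit) { audit_ref = fn; fn->refcnt++; }
    ok = strcmp(fn->name, "/tmp/original") == 0;
    *copied = stash_back(&req, fn);
    if (*copied < 0) { put_name(fn); put_name(audit_ref); return -1; }
    ok = ok && strcmp(req.fn->name, "/tmp/original") == 0;
    ok = ok && (!audit || audit_ref->refcnt == 1);
    put_name(req.fn);
    put_name(audit_ref);
    return ok;
}
```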