From: Al Viro <viro@zeniv.linux.org.uk>
To: Jan Kara <jack@suse.cz>
Cc: linux-fsdevel@vger.kernel.org,
Linus Torvalds <torvalds@linux-foundation.org>,
Christian Brauner <brauner@kernel.org>,
Amir Goldstein <amir73il@gmail.com>,
Chuck Lever <chuck.lever@oracle.com>,
Namjae Jeon <linkinjeon@kernel.org>,
John Johansen <john@apparmor.net>,
Mark Brown <broonie@kernel.org>
Subject: Re: [PATCH 1/2] kernel/acct.c: saner struct file treatment
Date: Thu, 25 Sep 2025 20:09:44 +0100 [thread overview]
Message-ID: <20250925190944.GA39973@ZenIV> (raw)
In-Reply-To: <20250925185630.GZ39973@ZenIV>
On Thu, Sep 25, 2025 at 07:56:30PM +0100, Al Viro wrote:
> On Thu, Sep 25, 2025 at 02:28:16PM +0200, Jan Kara wrote:
>
> > This is mostly harmless (just the returned error code changed) but it is a
> > side effect of one thing I'd like to discuss: The original code uses
> > file_open_name(O_WRONLY|O_APPEND|O_LARGEFILE) to open the file to write
> > data to. The new code uses dentry_open() for that. Now one important
> > difference between these two is that dentry_open() doesn't end up calling
> > may_open() on the path and hence now acct_on() fails to check file
> > permissions which looks like a bug? Am I missing something Al?
>
> You are not; a bug it is. FWIW, I suspect that the right approach would
> be to keep file_open_name(), do all checks on result of that, then use
> mnt = mnt_clone_internal(&original_file->f_path);
> and from that point on same as now - opening the file to be used with
> dentry_open(), etc. Original file would get dropped in the end of acct_on().
> I'll put together something along those lines and post it.
Something like this for incremental (completely untested at that point):
diff --git a/kernel/acct.c b/kernel/acct.c
index 30ae403ee322..61630110e29d 100644
--- a/kernel/acct.c
+++ b/kernel/acct.c
@@ -218,19 +218,21 @@ static int acct_on(const char __user *name)
/* Difference from BSD - they don't do O_APPEND */
const int open_flags = O_WRONLY|O_APPEND|O_LARGEFILE;
struct pid_namespace *ns = task_active_pid_ns(current);
- struct path path __free(path_put) = {}; // in that order
+ struct filename *pathname __free(putname) = getname(name);
+ struct file *original_file __free(fput) = NULL; // in that order
struct path internal __free(path_put) = {}; // in that order
struct file *file __free(fput_sync) = NULL; // in that order
struct bsd_acct_struct *acct;
struct vfsmount *mnt;
struct fs_pin *old;
- int err;
- err = user_path_at(AT_FDCWD, name, LOOKUP_FOLLOW, &path);
- if (err)
- return err;
+ if (IS_ERR(pathname))
+ return PTR_ERR(pathname);
+ original_file = file_open_name(pathname, open_flags, 0);
+ if (IS_ERR(original_file))
+ return PTR_ERR(original_file);
- mnt = mnt_clone_internal(&path);
+ mnt = mnt_clone_internal(&original_file->f_path);
if (IS_ERR(mnt))
return PTR_ERR(mnt);
@@ -268,7 +270,7 @@ static int acct_on(const char __user *name)
INIT_WORK(&acct->work, close_work);
init_completion(&acct->done);
mutex_lock_nested(&acct->lock, 1); /* nobody has seen it yet */
- pin_insert(&acct->pin, path.mnt);
+ pin_insert(&acct->pin, original_file->f_path.mnt);
rcu_read_lock();
old = xchg(&ns->bacct, &acct->pin);
next prev parent reply other threads:[~2025-09-25 19:09 UTC|newest]
Thread overview: 70+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-06 9:07 [PATCHES] file->f_path safety and struct path constifications Al Viro
2025-09-06 9:11 ` [PATCH 01/21] backing_file_user_path(): constify struct path * Al Viro
2025-09-06 9:11 ` [PATCH 02/21] constify path argument of vfs_statx_path() Al Viro
2025-09-08 9:38 ` Jan Kara
2025-09-15 12:01 ` Christian Brauner
2025-09-06 9:11 ` [PATCH 03/21] filename_lookup(): constify root argument Al Viro
2025-09-08 9:39 ` Jan Kara
2025-09-15 12:00 ` Christian Brauner
2025-09-06 9:11 ` [PATCH 04/21] done_path_create(): constify path argument Al Viro
2025-09-08 9:40 ` Jan Kara
2025-09-15 12:01 ` Christian Brauner
2025-09-06 9:11 ` [PATCH 05/21] bpf...d_path(): " Al Viro
2025-09-08 9:41 ` Jan Kara
2025-09-15 12:01 ` Christian Brauner
2025-09-06 9:11 ` [PATCH 06/21] nfs: constify path argument of __vfs_getattr() Al Viro
2025-09-08 9:41 ` Jan Kara
2025-09-15 12:02 ` Christian Brauner
2025-09-06 9:11 ` [PATCH 07/21] rqst_exp_get_by_name(): constify path argument Al Viro
2025-09-06 15:16 ` Chuck Lever
2025-09-15 12:02 ` Christian Brauner
2025-09-06 9:11 ` [PATCH 08/21] export_operations->open(): " Al Viro
2025-09-08 9:42 ` Jan Kara
2025-09-15 12:03 ` Christian Brauner
2025-09-06 9:11 ` [PATCH 09/21] check_export(): " Al Viro
2025-09-08 9:43 ` Jan Kara
2025-09-15 12:03 ` Christian Brauner
2025-09-06 9:11 ` [PATCH 10/21] ksmbd_vfs_path_lookup_locked(): root_share_path can be const struct path * Al Viro
2025-09-07 1:45 ` Namjae Jeon
2025-09-15 12:03 ` Christian Brauner
2025-09-06 9:11 ` [PATCH 11/21] ksmbd_vfs_kern_path_unlock(): constify path argument Al Viro
2025-09-07 1:44 ` Namjae Jeon
2025-09-15 12:04 ` Christian Brauner
2025-09-06 9:11 ` [PATCH 12/21] ksmbd_vfs_inherit_posix_acl(): " Al Viro
2025-09-07 1:44 ` Namjae Jeon
2025-09-15 12:04 ` Christian Brauner
2025-09-06 9:11 ` [PATCH 13/21] ksmbd_vfs_set_init_posix_acl(): " Al Viro
2025-09-07 1:44 ` Namjae Jeon
2025-09-15 12:04 ` Christian Brauner
2025-09-06 9:11 ` [PATCH 14/21] ovl_ensure_verity_loaded(): constify datapath argument Al Viro
2025-09-15 12:04 ` Christian Brauner
2025-09-06 9:11 ` [PATCH 15/21] ovl_validate_verity(): constify {meta,data}path arguments Al Viro
2025-09-15 12:05 ` Christian Brauner
2025-09-06 9:11 ` [PATCH 16/21] ovl_get_verity_digest(): constify path argument Al Viro
2025-09-15 12:05 ` Christian Brauner
2025-09-06 9:11 ` [PATCH 17/21] ovl_lower_dir(): " Al Viro
2025-09-15 12:05 ` Christian Brauner
2025-09-06 9:11 ` [PATCH 18/21] ovl_sync_file(): " Al Viro
2025-09-15 12:05 ` Christian Brauner
2025-09-06 9:11 ` [PATCH 19/21] ovl_is_real_file: constify realpath argument Al Viro
2025-09-15 12:06 ` Christian Brauner
2025-09-06 9:11 ` [PATCH 20/21] apparmor/af_unix: constify struct path * arguments Al Viro
2025-09-08 9:46 ` Jan Kara
2025-09-15 12:06 ` Christian Brauner
2025-09-06 9:11 ` [PATCH 21/21] configfs:get_target() - release path as soon as we grab configfs_item reference Al Viro
2025-09-08 9:46 ` Jan Kara
2025-09-15 12:07 ` Christian Brauner
2025-09-08 9:38 ` [PATCH 01/21] backing_file_user_path(): constify struct path * Jan Kara
2025-09-15 11:59 ` Christian Brauner
2025-09-06 9:13 ` [PATCH 1/2] kernel/acct.c: saner struct file treatment Al Viro
2025-09-25 11:40 ` Mark Brown
2025-09-25 12:28 ` Jan Kara
2025-09-25 18:56 ` Al Viro
2025-09-25 19:09 ` Al Viro [this message]
2025-09-25 19:36 ` Al Viro
2025-09-25 20:56 ` Al Viro
2025-09-26 9:13 ` Jan Kara
2025-09-06 9:14 ` [PATCH 2/2] Have cc(1) catch attempts to modify ->f_path Al Viro
2025-09-08 9:52 ` Jan Kara
2025-09-15 12:00 ` Christian Brauner
2025-09-06 9:16 ` [PATCHES] file->f_path safety and struct path constifications Al Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250925190944.GA39973@ZenIV \
--to=viro@zeniv.linux.org.uk \
--cc=amir73il@gmail.com \
--cc=brauner@kernel.org \
--cc=broonie@kernel.org \
--cc=chuck.lever@oracle.com \
--cc=jack@suse.cz \
--cc=john@apparmor.net \
--cc=linkinjeon@kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.