From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pl1-f177.google.com (mail-pl1-f177.google.com [209.85.214.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B2D4C13C3F2 for ; Thu, 19 Dec 2024 01:47:17 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.177 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1734572840; cv=none; b=L+9Fwy3XLywKaXRolpym04UOCgDvz7iBHz+LDBpBkTj/DjLZM3bfBYpNVLumcZmYQP0XlEBgT/R4KoPGu06CZBX/fniQBHunrepwhR1GDp1OczBWblCCbHxsHAolKUb1dhN6b4te93KXwWSw3ToOz9aw0QhQNesTcyLxAdxmBlM= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1734572840; c=relaxed/simple; bh=QoEtvf7G0kC0x/Wl3nJ0XIYl2HZa0Re3rk+nGV30jwk=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=iORA5ubmllRAZAp8l5zXQJGfTvHqqFpTIbzAuOGBpcpckI8Cx58wQdnMTa2KYTd71uyjtPiNaQNrm0obQ353zdhcnNICCD9k0LRNm18TW4xh5vTNmhd3f3ufZAJ8wRrGfNBKqKdabSQSa51S5hB0cuKFYlJ2v7MSt4wcWTjGEXE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=fromorbit.com; spf=pass smtp.mailfrom=fromorbit.com; dkim=pass (2048-bit key) header.d=fromorbit-com.20230601.gappssmtp.com header.i=@fromorbit-com.20230601.gappssmtp.com header.b=sBTgTpaZ; arc=none smtp.client-ip=209.85.214.177 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=fromorbit.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=fromorbit.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=fromorbit-com.20230601.gappssmtp.com header.i=@fromorbit-com.20230601.gappssmtp.com header.b="sBTgTpaZ" Received: by mail-pl1-f177.google.com with SMTP id d9443c01a7336-21636268e43so3279375ad.2 for ; Wed, 18 Dec 2024 17:47:17 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fromorbit-com.20230601.gappssmtp.com; s=20230601; t=1734572837; x=1735177637; darn=vger.kernel.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=nFHEfXVHBOjseorucBg5TQ9yn5KG0rfffOIvw+zi84o=; b=sBTgTpaZ8mVD4iBQgBXOlDPLUcA5D4ujZK+4p/HUNST3Ta9ntAVCPRnVoYkIbRgbwj BxAi5U3Kfw7qQvfqcPkVo4P6RsG56qd9I9pFjG8p0wkGGZJZwXdXUDKpxUf9maop46i/ AbPkuAuyhFSmGz6HZ0ZhQEjEcjzc08AiDx2hC30agh/yco9b77JUDOHTv0F8V5GWaPiF fc77ZlyF6VTKe2YM3h85tATwMlj0NU45kEZ06niLjkXDkxTtcl440PwxVSuPb+AQg8e9 WbwbGBfbyy3wNrbd5CNivDXmZH3H/6RrwbTb9JyvPI51sXy3+lyOj2n8OQEFaN+ys4Xa UOig== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1734572837; x=1735177637; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=nFHEfXVHBOjseorucBg5TQ9yn5KG0rfffOIvw+zi84o=; b=luuAZd6f3nO81l3Ll8tkBpNuLpElKS+bvejJYSVBvflx2PtWRrZ5zcU4PJ1tNyzCpt bHChVJWakktehc5pQG/m4qZvxYg7BcoFckF/3fpU+yhMVZtILA+cdbuysnmMufTGqbuN pQfjiGWt2ADnausYpUqq/yZ1BZlb05vcDZ0XvCDNB0u5VMHot45xt8gR8aeTZQwIqN3Y 50thiOSEgEZQBVo/7nphEi2e6hjEJa4XIyse+lRETFkDgvYW2r7ENeVfpo5Onod6B/GU lVntyQ7NJq5UC3rD3ewYhQ13jAwC/7ZzNm46YfCbpdcSueQO5pMOg02NM5Uj9FbaNgg+ K+Wg== X-Forwarded-Encrypted: i=1; AJvYcCVcfAhA772FNdfBsOHko1tSR7N5sqQy5BanNmOUIn3RjP3VGOe0sycg+BtxmcqZiRZJKVELBVN9Qji9uE6PMcRL+J91Z2A=@vger.kernel.org X-Gm-Message-State: AOJu0YyFmzSLVFqpZA5U4dOuHQzVttVtW64D12iYSzyJH88dhRDjtYB1 YdIgpe1SjYxsGQSHVm6TA2iy8tet+MVHAnOLagtj2792vr0FIiD9yyzeN16DseM= X-Gm-Gg: ASbGncvMTtXSNS7gUQdxdEI5IpFzyRuqfRkJ+HWxpwaGCnz3tFnTVgbLZI57DUzjueH d1+I8fkCs2gFQbFJFn8XfGrd95GlOYiwID+Fw04ZuEaMKG4iUybft3XDRW0RSt+k0kuJrnYAnjq GhJ2eoSVwPgn2bWPhOiO873i3k73opOyG5UsWqF7QCoS0IITMgYA2CGvtVV1fUqs7LkllZcBcrp 1vNZ6tuHOJDH0OyuUgnQ6nP4PxsL1hEu1sS1FDfy5ImmPvheKrrPo/Syl/Zs96TwwnGaBPjXyT8 djC/zsLBI6lTOAKCm8pGuEDvqN2jrA== X-Google-Smtp-Source: AGHT+IHoM9BuzRwWE3UvBbujRjFPqKOpZTGf3EdvmaxlJ9Nm6SjjQJoIghbJbF3BGqAvlV3zRrZEww== X-Received: by 2002:a17:902:fc4e:b0:20c:6399:d637 with SMTP id d9443c01a7336-219d96d213emr29814395ad.40.1734572837007; Wed, 18 Dec 2024 17:47:17 -0800 (PST) Received: from dread.disaster.area (pa49-195-9-235.pa.nsw.optusnet.com.au. [49.195.9.235]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-219dc962940sm1898825ad.34.2024.12.18.17.47.16 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 18 Dec 2024 17:47:16 -0800 (PST) Received: from dave by dread.disaster.area with local (Exim 4.98) (envelope-from ) id 1tO5dB-0000000CUAL-2X1s; Thu, 19 Dec 2024 12:47:13 +1100 Date: Thu, 19 Dec 2024 12:47:13 +1100 From: Dave Chinner To: Song Liu Cc: linux-fsdevel@vger.kernel.org, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-btrfs@vger.kernel.org, linux-xfs@vger.kernel.org, linux-security-module@vger.kernel.org, willy@infradead.org, corbet@lwn.net, clm@fb.com, josef@toxicpanda.com, dsterba@suse.com, brauner@kernel.org, jack@suse.cz, cem@kernel.org, djwong@kernel.org, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com, fdmanana@suse.com, johannes.thumshirn@wdc.com, kernel-team@meta.com Subject: Re: [RFC v2] lsm: fs: Use inode_free_callback to free i_security in RCU callback Message-ID: References: <20241218211615.506095-1-song@kernel.org> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20241218211615.506095-1-song@kernel.org> On Wed, Dec 18, 2024 at 01:16:15PM -0800, Song Liu wrote: > inode->i_security needes to be freed from RCU callback. A rcu_head was > added to i_security to call the RCU callback. However, since struct inode > already has i_rcu, the extra rcu_head is wasteful. Specifically, when any > LSM uses i_security, a rcu_head (two pointers) is allocated for each > inode. > > Rename i_callback to inode_free_callback and call security_inode_free_rcu > from it to free i_security so that a rcu_head is saved for each inode. > Special care are needed for file systems that provide a destroy_inode() > callback, but not a free_inode() callback. Specifically, the following > logic are added to handle such cases: > > - XFS recycles inode after destroy_inode. The inodes are freed from > recycle logic. Let xfs_inode_free_callback() call inode_free_callback. NACK. That's a massive layering violation. LSMs are VFS layer functionality. They *must* be removed from the VFS inode before ->destroy_inode() is called. If a filesystem supplies ->destroy_inode(), then it -owns- the inode exclusively from that point onwards. All VFS and 3rd party stuff hanging off the inode must be removed from the inode before ->destroy_inode() is called. Them's the rules, and hacking around LSM object allocation/freeing to try to handle how filesystems manage inodes -underneath- the VFS is just asking for problems. LSM object management needs to be handled entirely by the generic LSM VFS hooks, not tightly coupled to VFS and/or low level filesystem inode lifecycle management. -Dave. -- Dave Chinner david@fromorbit.com