| Message ID | 20240229163011.16248-2-lhenriques@suse.de |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel+bounces-87088-ouuuleilei=gmail.com@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a05:7301:2097:b0:108:e6aa:91d0 with SMTP id
gs23csp521241dyb;
Thu, 29 Feb 2024 08:33:25 -0800 (PST)
X-Forwarded-Encrypted: i=3;
AJvYcCUiVqup5kVYcdEkvfqzQHIrdixGyZiZITAFpHoOylQyAprpbXUKVY4je6iKkzs6erxWSL8KnzOA1itvrGK+VhqLQj3cGg==
X-Google-Smtp-Source:
AGHT+IEyIfgMh48zzS7vUZCzpr5ETpFQ6loNCXrKpheSTIcJwCbXSuicmO5IW6ROhDnj1dXfqeLE
X-Received: by 2002:a05:6102:284f:b0:472:54a1:4c5a with SMTP id
az15-20020a056102284f00b0047254a14c5amr2414570vsb.18.1709224405094;
Thu, 29 Feb 2024 08:33:25 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1709224405; cv=pass;
d=google.com; s=arc-20160816;
b=hNoZcm5Uxkm694rAKGHg1Iv/O2ySrBOXVAUXFwgVMrUZ3xHWKciiEzxcOIVdIbm9fA
VnB1S5KWgyRPRC334dQKIf4Im/VAkXri/KUZoIpyL4F8tuB8z5lHRiqVl7pFIAT4Wfew
58gb/pKwlNCnC3zHKKm6gBkgklgrUEWXgc457wW9rV7zxpsCTOtRJT1j0czyv6Cvw71/
IRAjBc6YFhpCXRFPWselJe/D17j3Ty/5eyw/cAWAJGj8U8XzlLtP5KZDTRu7cgo7U4RH
gJfViXEGclty9YvMoKG+sZ2N/FqC2tyOHls9KjoYNvLRBA0fS9JIwSO8CVbZrbf1kRbo
u1lA==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=content-transfer-encoding:mime-version:list-unsubscribe
:list-subscribe:list-id:precedence:references:in-reply-to:message-id
:date:subject:cc:to:from;
bh=GzDIoIzg2qxCxOoijDvz5f8DbHu2S6EY+M5uaRRkgWg=;
fh=jGdaoZ9f8fxaZ4S3XMcGs4Y5Dr6Ro1lg3HBgLAvBHb8=;
b=M18jVFWYzGcJhhjWoKVjEWzWeKUSmWvxaKwVfkimZjQJfwUWNcOQZTuvCRqNQRT+23
iTxEA51PZSwXRjRu5k1/ex0BPmhHsMe1QWVq/U3WUcjcSRRSiOjrriSCN7+0Sf34Fkgl
YGXuExl5+P+aUjvbJTOYtMQc/OH+8+epegECxwZ6/WLlAP4lpAXBKs0JBCwzfGVAJsI3
Vn+RmOE9WmwLKTzUevf/eu+bIpQI/o9dOO1nFpTq1cEbRyrs+ezK9DmrLJ0netnvWpvG
eGNu1yUQbXXddW7t2J+UuCpuM2Jw6Yazke2TNAmy8a0nhf9cNnz3o765r8g8y38SRMaz
LXvg==;
dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
arc=pass (i=1 spf=pass spfdomain=suse.de dmarc=pass
fromdomain=suse.de);
spf=pass (google.com: domain of
linux-kernel+bounces-87088-ouuuleilei=gmail.com@vger.kernel.org designates
2604:1380:45d1:ec00::1 as permitted sender)
smtp.mailfrom="linux-kernel+bounces-87088-ouuuleilei=gmail.com@vger.kernel.org";
dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=suse.de
Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org.
[2604:1380:45d1:ec00::1])
by mx.google.com with ESMTPS id
h19-20020a0561023d9300b0046ec92a654fsi290822vsv.778.2024.02.29.08.33.24
for <ouuuleilei@gmail.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Thu, 29 Feb 2024 08:33:25 -0800 (PST)
Received-SPF: pass (google.com: domain of
linux-kernel+bounces-87088-ouuuleilei=gmail.com@vger.kernel.org designates
2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1;
Authentication-Results: mx.google.com;
arc=pass (i=1 spf=pass spfdomain=suse.de dmarc=pass
fromdomain=suse.de);
spf=pass (google.com: domain of
linux-kernel+bounces-87088-ouuuleilei=gmail.com@vger.kernel.org designates
2604:1380:45d1:ec00::1 as permitted sender)
smtp.mailfrom="linux-kernel+bounces-87088-ouuuleilei=gmail.com@vger.kernel.org";
dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=suse.de
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org
[52.25.139.140])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by ny.mirrors.kernel.org (Postfix) with ESMTPS id D9C8E1C2355A
for <ouuuleilei@gmail.com>; Thu, 29 Feb 2024 16:33:24 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
by smtp.subspace.kernel.org (Postfix) with ESMTP id 618577A12D;
Thu, 29 Feb 2024 16:30:21 +0000 (UTC)
Received: from smtp-out1.suse.de (smtp-out1.suse.de [195.135.223.130])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by smtp.subspace.kernel.org (Postfix) with ESMTPS id CD41663B9;
Thu, 29 Feb 2024 16:30:17 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
arc=none smtp.client-ip=195.135.223.130
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
t=1709224219; cv=none;
b=J9LAZXBiqWpmHfiXOdGz9P4WjMjUnniMyWa1x94z9PDBSck8HyKkIZR+UM0VFIsieHo0liDjUAqAWxhwLWrrS5AvBYteghLKifXCP1L7eZzKnhWaY8nKEMHOXla/DHnqExbsiXvgKIDPb4VE0ujOrwN91S4pB+EkWsMIh4tSu4Q=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
s=arc-20240116; t=1709224219; c=relaxed/simple;
bh=Xk9XcUV/m/3qcxL2T7wAJKSjMepPVZ/pH5SeAdJs0Ps=;
h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
MIME-Version;
b=Bze0lyIMrz2HfK5K/SP8NxAoMjq0TeCiXtmbDWtKvYytYgmuUB3XZ8dLZGF7nIdjVOjL3kl4eBmQAiov3TPdOOTyBR6t6H/e8O+WKLm4nJqn4CKaNfUYu853odRD48/saBgpETPnxY83syKC31IpcDCIfjqB6c2txjX3OrS+Dg8=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
dmarc=pass (p=none dis=none) header.from=suse.de;
spf=pass smtp.mailfrom=suse.de; arc=none smtp.client-ip=195.135.223.130
Authentication-Results: smtp.subspace.kernel.org;
dmarc=pass (p=none dis=none) header.from=suse.de
Authentication-Results: smtp.subspace.kernel.org;
spf=pass smtp.mailfrom=suse.de
Received: from imap1.dmz-prg2.suse.org (imap1.dmz-prg2.suse.org
[IPv6:2a07:de40:b281:104:10:150:64:97])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest
SHA256)
(No client certificate requested)
by smtp-out1.suse.de (Postfix) with ESMTPS id E036C21FD4;
Thu, 29 Feb 2024 16:30:15 +0000 (UTC)
Received: from imap1.dmz-prg2.suse.org (localhost [127.0.0.1])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest
SHA256)
(No client certificate requested)
by imap1.dmz-prg2.suse.org (Postfix) with ESMTPS id 2150613A8B;
Thu, 29 Feb 2024 16:30:15 +0000 (UTC)
Received: from dovecot-director2.suse.de ([2a07:de40:b281:106:10:150:64:167])
by imap1.dmz-prg2.suse.org with ESMTPSA
id wNTjBBex4GU0PwAAD6G6ig
(envelope-from <lhenriques@suse.de>); Thu, 29 Feb 2024 16:30:15 +0000
Received: from localhost (brahms.olymp [local])
by brahms.olymp (OpenSMTPD) with ESMTPA id aac9d32e;
Thu, 29 Feb 2024 16:30:14 +0000 (UTC)
From: Luis Henriques <lhenriques@suse.de>
To: Theodore Ts'o <tytso@mit.edu>,
Andreas Dilger <adilger.kernel@dilger.ca>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Christian Brauner <brauner@kernel.org>,
Jan Kara <jack@suse.cz>,
Miklos Szeredi <miklos@szeredi.hu>,
Amir Goldstein <amir73il@gmail.com>
Cc: linux-ext4@vger.kernel.org,
linux-fsdevel@vger.kernel.org,
linux-unionfs@vger.kernel.org,
linux-kernel@vger.kernel.org,
Luis Henriques <lhenriques@suse.de>
Subject: [PATCH 1/3] fs_parser: handle parameters that can be empty and don't
have a value
Date: Thu, 29 Feb 2024 16:30:08 +0000
Message-ID: <20240229163011.16248-2-lhenriques@suse.de>
In-Reply-To: <20240229163011.16248-1-lhenriques@suse.de>
References: <20240229163011.16248-1-lhenriques@suse.de>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Level:
Authentication-Results: smtp-out1.suse.de;
none
X-Rspamd-Server: rspamd2.dmz-prg2.suse.org
X-Spamd-Result: default: False [-4.00 / 50.00];
REPLY(-4.00)[]
X-Spam-Score: -4.00
X-Rspamd-Queue-Id: E036C21FD4
X-Spam-Flag: NO
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1792251690199317541
X-GMAIL-MSGID: 1792251690199317541
|
| Series |
fs_parser: handle parameters that can be empty and don't have a value
|
|
Commit Message
Luis Henriques
Feb. 29, 2024, 4:30 p.m. UTC
Currently, only parameters that have the fs_parameter_spec 'type' set to
NULL are handled as 'flag' types. However, parameters that have the
'fs_param_can_be_empty' flag set and their value is NULL should also be
handled as 'flag' type, as their type is set to 'fs_value_is_flag'.
Signed-off-by: Luis Henriques <lhenriques@suse.de>
---
fs/fs_parser.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
Comments
On Thu, Feb 29, 2024 at 04:30:08PM +0000, Luis Henriques wrote: > Currently, only parameters that have the fs_parameter_spec 'type' set to > NULL are handled as 'flag' types. However, parameters that have the > 'fs_param_can_be_empty' flag set and their value is NULL should also be > handled as 'flag' type, as their type is set to 'fs_value_is_flag'. > > Signed-off-by: Luis Henriques <lhenriques@suse.de> > --- > fs/fs_parser.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/fs/fs_parser.c b/fs/fs_parser.c > index edb3712dcfa5..53f6cb98a3e0 100644 > --- a/fs/fs_parser.c > +++ b/fs/fs_parser.c > @@ -119,7 +119,8 @@ int __fs_parse(struct p_log *log, > /* Try to turn the type we were given into the type desired by the > * parameter and give an error if we can't. > */ > - if (is_flag(p)) { > + if (is_flag(p) || > + (!param->string && (p->flags & fs_param_can_be_empty))) { > if (param->type != fs_value_is_flag) > return inval_plog(log, "Unexpected value for '%s'", > param->key); If the parameter was derived from FSCONFIG_SET_STRING in fsconfig() then param->string is guaranteed to not be NULL. So really this is only about: FSCONFIG_SET_FD FSCONFIG_SET_BINARY FSCONFIG_SET_PATH FSCONFIG_SET_PATH_EMPTY and those values being used without a value. What filesystem does this? I don't see any. The tempting thing to do here is to to just remove fs_param_can_be_empty from every helper that isn't fs_param_is_string() until we actually have a filesystem that wants to use any of the above as flags. Will lose a lot of code that isn't currently used.
Christian Brauner <brauner@kernel.org> writes: > On Thu, Feb 29, 2024 at 04:30:08PM +0000, Luis Henriques wrote: >> Currently, only parameters that have the fs_parameter_spec 'type' set to >> NULL are handled as 'flag' types. However, parameters that have the >> 'fs_param_can_be_empty' flag set and their value is NULL should also be >> handled as 'flag' type, as their type is set to 'fs_value_is_flag'. >> >> Signed-off-by: Luis Henriques <lhenriques@suse.de> >> --- >> fs/fs_parser.c | 3 ++- >> 1 file changed, 2 insertions(+), 1 deletion(-) >> >> diff --git a/fs/fs_parser.c b/fs/fs_parser.c >> index edb3712dcfa5..53f6cb98a3e0 100644 >> --- a/fs/fs_parser.c >> +++ b/fs/fs_parser.c >> @@ -119,7 +119,8 @@ int __fs_parse(struct p_log *log, >> /* Try to turn the type we were given into the type desired by the >> * parameter and give an error if we can't. >> */ >> - if (is_flag(p)) { >> + if (is_flag(p) || >> + (!param->string && (p->flags & fs_param_can_be_empty))) { >> if (param->type != fs_value_is_flag) >> return inval_plog(log, "Unexpected value for '%s'", >> param->key); > > If the parameter was derived from FSCONFIG_SET_STRING in fsconfig() then > param->string is guaranteed to not be NULL. So really this is only > about: > > FSCONFIG_SET_FD > FSCONFIG_SET_BINARY > FSCONFIG_SET_PATH > FSCONFIG_SET_PATH_EMPTY > > and those values being used without a value. What filesystem does this? > I don't see any. > > The tempting thing to do here is to to just remove fs_param_can_be_empty > from every helper that isn't fs_param_is_string() until we actually have > a filesystem that wants to use any of the above as flags. Will lose a > lot of code that isn't currently used. Right, I find it quite confusing and I may be fixing the issue in the wrong place. What I'm seeing with ext4 when I mount a filesystem using the option '-o usrjquota' is that fs_parse() will get: * p->type is set to fs_param_is_string ('p' is a struct fs_parameter_spec, ->type is a function) * param->type is set to fs_value_is_flag ('param' is a struct fs_parameter, ->type is an enum) This is because ext4 will use the __fsparam macro to set define a fs_param_spec as a fs_param_is_string but will also set the fs_param_can_be_empty; and the fsconfig() syscall will get that parameter as a flag. That's why param->string will be NULL in this case. Cheers,
On Fri, Mar 01, 2024 at 03:45:27PM +0000, Luis Henriques wrote: > Christian Brauner <brauner@kernel.org> writes: > > > On Thu, Feb 29, 2024 at 04:30:08PM +0000, Luis Henriques wrote: > >> Currently, only parameters that have the fs_parameter_spec 'type' set to > >> NULL are handled as 'flag' types. However, parameters that have the > >> 'fs_param_can_be_empty' flag set and their value is NULL should also be > >> handled as 'flag' type, as their type is set to 'fs_value_is_flag'. > >> > >> Signed-off-by: Luis Henriques <lhenriques@suse.de> > >> --- > >> fs/fs_parser.c | 3 ++- > >> 1 file changed, 2 insertions(+), 1 deletion(-) > >> > >> diff --git a/fs/fs_parser.c b/fs/fs_parser.c > >> index edb3712dcfa5..53f6cb98a3e0 100644 > >> --- a/fs/fs_parser.c > >> +++ b/fs/fs_parser.c > >> @@ -119,7 +119,8 @@ int __fs_parse(struct p_log *log, > >> /* Try to turn the type we were given into the type desired by the > >> * parameter and give an error if we can't. > >> */ > >> - if (is_flag(p)) { > >> + if (is_flag(p) || > >> + (!param->string && (p->flags & fs_param_can_be_empty))) { > >> if (param->type != fs_value_is_flag) > >> return inval_plog(log, "Unexpected value for '%s'", > >> param->key); > > > > If the parameter was derived from FSCONFIG_SET_STRING in fsconfig() then > > param->string is guaranteed to not be NULL. So really this is only > > about: > > > > FSCONFIG_SET_FD > > FSCONFIG_SET_BINARY > > FSCONFIG_SET_PATH > > FSCONFIG_SET_PATH_EMPTY > > > > and those values being used without a value. What filesystem does this? > > I don't see any. > > > > The tempting thing to do here is to to just remove fs_param_can_be_empty > > from every helper that isn't fs_param_is_string() until we actually have > > a filesystem that wants to use any of the above as flags. Will lose a > > lot of code that isn't currently used. > > Right, I find it quite confusing and I may be fixing the issue in the > wrong place. What I'm seeing with ext4 when I mount a filesystem using > the option '-o usrjquota' is that fs_parse() will get: > > * p->type is set to fs_param_is_string > ('p' is a struct fs_parameter_spec, ->type is a function) > * param->type is set to fs_value_is_flag > ('param' is a struct fs_parameter, ->type is an enum) > > This is because ext4 will use the __fsparam macro to set define a > fs_param_spec as a fs_param_is_string but will also set the > fs_param_can_be_empty; and the fsconfig() syscall will get that parameter > as a flag. That's why param->string will be NULL in this case. Thanks for the details. Let me see if I get this right. So you're saying that someone is doing: fsconfig(..., FSCONFIG_SET_FLAG, "usrjquota", NULL, 0); // [1] ? Is so that is a vital part of the explanation. So please put that in the commit message. Then ext4 defines: fsparam_string_empty ("usrjquota", Opt_usrjquota), So [1] gets us: param->type == fs_value_is_flag param->string == NULL Now we enter into fs_parse() -> __fs_parse() -> fs_lookup_key() for @param and that does: bool want_flag = param->type == fs_value_is_flag; *negated = false; for (p = desc; p->name; p++) { if (strcmp(p->name, name) != 0) continue; if (likely(is_flag(p) == want_flag)) return p; other = p; } So we don't have a flag parameter defined so the only real match we get is @other for: fsparam_string_empty ("usrjquota", Opt_usrjquota), What happens now is that you call p->type == fs_param_is_string() and that rejects it as bad parameter because param->type == fs_value_is_flag != fs_value_is_string as required. So you dont end up getting Opt_userjquota called with param->string NULL, right? So there's not NULL deref or anything, right? You just fail to set usrjquota. Ok, so I think the correct fix is to do something like the following in ext4: fsparam_string_empty ("usrjquota", Opt_usrjquota), fs_param_flag ("usrjquota", Opt_usrjquota_flag), and then in the switch you can do: switch (opt) case Opt_usrjquota: // string thing case Opt_usrjquota_flag: // flag thing And I really think we should kill all empty handling for non-string types and only add that when there's a filesystem that actually needs it.
On Sat, Mar 02, 2024 at 12:46:41PM +0100, Christian Brauner wrote: > On Fri, Mar 01, 2024 at 03:45:27PM +0000, Luis Henriques wrote: > > Christian Brauner <brauner@kernel.org> writes: > > > > > On Thu, Feb 29, 2024 at 04:30:08PM +0000, Luis Henriques wrote: > > >> Currently, only parameters that have the fs_parameter_spec 'type' set to > > >> NULL are handled as 'flag' types. However, parameters that have the > > >> 'fs_param_can_be_empty' flag set and their value is NULL should also be > > >> handled as 'flag' type, as their type is set to 'fs_value_is_flag'. > > >> > > >> Signed-off-by: Luis Henriques <lhenriques@suse.de> > > >> --- > > >> fs/fs_parser.c | 3 ++- > > >> 1 file changed, 2 insertions(+), 1 deletion(-) > > >> > > >> diff --git a/fs/fs_parser.c b/fs/fs_parser.c > > >> index edb3712dcfa5..53f6cb98a3e0 100644 > > >> --- a/fs/fs_parser.c > > >> +++ b/fs/fs_parser.c > > >> @@ -119,7 +119,8 @@ int __fs_parse(struct p_log *log, > > >> /* Try to turn the type we were given into the type desired by the > > >> * parameter and give an error if we can't. > > >> */ > > >> - if (is_flag(p)) { > > >> + if (is_flag(p) || > > >> + (!param->string && (p->flags & fs_param_can_be_empty))) { > > >> if (param->type != fs_value_is_flag) > > >> return inval_plog(log, "Unexpected value for '%s'", > > >> param->key); > > > > > > If the parameter was derived from FSCONFIG_SET_STRING in fsconfig() then > > > param->string is guaranteed to not be NULL. So really this is only > > > about: > > > > > > FSCONFIG_SET_FD > > > FSCONFIG_SET_BINARY > > > FSCONFIG_SET_PATH > > > FSCONFIG_SET_PATH_EMPTY > > > > > > and those values being used without a value. What filesystem does this? > > > I don't see any. > > > > > > The tempting thing to do here is to to just remove fs_param_can_be_empty > > > from every helper that isn't fs_param_is_string() until we actually have > > > a filesystem that wants to use any of the above as flags. Will lose a > > > lot of code that isn't currently used. > > > > Right, I find it quite confusing and I may be fixing the issue in the > > wrong place. What I'm seeing with ext4 when I mount a filesystem using > > the option '-o usrjquota' is that fs_parse() will get: > > > > * p->type is set to fs_param_is_string > > ('p' is a struct fs_parameter_spec, ->type is a function) > > * param->type is set to fs_value_is_flag > > ('param' is a struct fs_parameter, ->type is an enum) > > > > This is because ext4 will use the __fsparam macro to set define a > > fs_param_spec as a fs_param_is_string but will also set the > > fs_param_can_be_empty; and the fsconfig() syscall will get that parameter > > as a flag. That's why param->string will be NULL in this case. > > Thanks for the details. Let me see if I get this right. So you're saying that > someone is doing: > > fsconfig(..., FSCONFIG_SET_FLAG, "usrjquota", NULL, 0); // [1] > > ? Is so that is a vital part of the explanation. So please put that in the > commit message. > > Then ext4 defines: > > fsparam_string_empty ("usrjquota", Opt_usrjquota), > > So [1] gets us: > > param->type == fs_value_is_flag > param->string == NULL > > Now we enter into > fs_parse() > -> __fs_parse() > -> fs_lookup_key() for @param and that does: > > bool want_flag = param->type == fs_value_is_flag; > > *negated = false; > for (p = desc; p->name; p++) { > if (strcmp(p->name, name) != 0) > continue; > if (likely(is_flag(p) == want_flag)) > return p; > other = p; > } > > So we don't have a flag parameter defined so the only real match we get is > @other for: > > fsparam_string_empty ("usrjquota", Opt_usrjquota), > > What happens now is that you call p->type == fs_param_is_string() and that > rejects it as bad parameter because param->type == fs_value_is_flag != > fs_value_is_string as required. So you dont end up getting Opt_userjquota > called with param->string NULL, right? So there's not NULL deref or anything, > right? > > You just fail to set usrjquota. Ok, so I think the correct fix is to do > something like the following in ext4: > > fsparam_string_empty ("usrjquota", Opt_usrjquota), > fs_param_flag ("usrjquota", Opt_usrjquota_flag), > > and then in the switch you can do: > > switch (opt) > case Opt_usrjquota: > // string thing > case Opt_usrjquota_flag: > // flag thing > > And I really think we should kill all empty handling for non-string types and > only add that when there's a filesystem that actually needs it. So one option is to do the following: From 8bfb142e6caba70704998be072222d6a31d8b97b Mon Sep 17 00:00:00 2001 From: Christian Brauner <brauner@kernel.org> Date: Sat, 2 Mar 2024 18:54:35 +0100 Subject: [PATCH] [UNTESTED] Signed-off-by: Christian Brauner <brauner@kernel.org> --- fs/ext4/super.c | 32 ++++++++++++++++++-------------- include/linux/fs_parser.h | 3 +++ 2 files changed, 21 insertions(+), 14 deletions(-) diff --git a/fs/ext4/super.c b/fs/ext4/super.c index ebd97442d1d4..bd625f06ec0f 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -1724,10 +1724,6 @@ static const struct constant_table ext4_param_dax[] = { {} }; -/* String parameter that allows empty argument */ -#define fsparam_string_empty(NAME, OPT) \ - __fsparam(fs_param_is_string, NAME, OPT, fs_param_can_be_empty, NULL) - /* * Mount option specification * We don't use fsparam_flag_no because of the way we set the @@ -1768,10 +1764,8 @@ static const struct fs_parameter_spec ext4_param_specs[] = { fsparam_enum ("data", Opt_data, ext4_param_data), fsparam_enum ("data_err", Opt_data_err, ext4_param_data_err), - fsparam_string_empty - ("usrjquota", Opt_usrjquota), - fsparam_string_empty - ("grpjquota", Opt_grpjquota), + fsparam_string_or_flag ("usrjquota", Opt_usrjquota), + fsparam_string_or_flag ("grpjquota", Opt_grpjquota), fsparam_enum ("jqfmt", Opt_jqfmt, ext4_param_jqfmt), fsparam_flag ("grpquota", Opt_grpquota), fsparam_flag ("quota", Opt_quota), @@ -2183,15 +2177,25 @@ static int ext4_parse_param(struct fs_context *fc, struct fs_parameter *param) switch (token) { #ifdef CONFIG_QUOTA case Opt_usrjquota: - if (!param->string) - return unnote_qf_name(fc, USRQUOTA); - else + if (param->type == fs_value_is_string) { + if (!*param->string) + return unnote_qf_name(fc, USRQUOTA); + return note_qf_name(fc, USRQUOTA, param); + } + + // param->type == fs_value_is_flag + return note_qf_name(fc, USRQUOTA, param); case Opt_grpjquota: - if (!param->string) - return unnote_qf_name(fc, GRPQUOTA); - else + if (param->type == fs_value_is_string) { + if (!*param->string) + return unnote_qf_name(fc, GRPQUOTA); + return note_qf_name(fc, GRPQUOTA, param); + } + + // param->type == fs_value_is_flag + return note_qf_name(fc, GRPQUOTA, param); #endif case Opt_sb: if (fc->purpose == FS_CONTEXT_FOR_RECONFIGURE) { diff --git a/include/linux/fs_parser.h b/include/linux/fs_parser.h index 01542c4b87a2..4f45141bea95 100644 --- a/include/linux/fs_parser.h +++ b/include/linux/fs_parser.h @@ -131,5 +131,8 @@ static inline bool fs_validate_description(const char *name, #define fsparam_bdev(NAME, OPT) __fsparam(fs_param_is_blockdev, NAME, OPT, 0, NULL) #define fsparam_path(NAME, OPT) __fsparam(fs_param_is_path, NAME, OPT, 0, NULL) #define fsparam_fd(NAME, OPT) __fsparam(fs_param_is_fd, NAME, OPT, 0, NULL) +#define fsparam_string_or_flag(NAME, OPT) \ + __fsparam(fs_param_is_string, NAME, OPT, fs_param_can_be_empty, NULL), \ + fsparam_flag(NAME, OPT) #endif /* _LINUX_FS_PARSER_H */
Christian Brauner <brauner@kernel.org> writes: > On Fri, Mar 01, 2024 at 03:45:27PM +0000, Luis Henriques wrote: >> Christian Brauner <brauner@kernel.org> writes: >> >> > On Thu, Feb 29, 2024 at 04:30:08PM +0000, Luis Henriques wrote: >> >> Currently, only parameters that have the fs_parameter_spec 'type' set to >> >> NULL are handled as 'flag' types. However, parameters that have the >> >> 'fs_param_can_be_empty' flag set and their value is NULL should also be >> >> handled as 'flag' type, as their type is set to 'fs_value_is_flag'. >> >> >> >> Signed-off-by: Luis Henriques <lhenriques@suse.de> >> >> --- >> >> fs/fs_parser.c | 3 ++- >> >> 1 file changed, 2 insertions(+), 1 deletion(-) >> >> >> >> diff --git a/fs/fs_parser.c b/fs/fs_parser.c >> >> index edb3712dcfa5..53f6cb98a3e0 100644 >> >> --- a/fs/fs_parser.c >> >> +++ b/fs/fs_parser.c >> >> @@ -119,7 +119,8 @@ int __fs_parse(struct p_log *log, >> >> /* Try to turn the type we were given into the type desired by the >> >> * parameter and give an error if we can't. >> >> */ >> >> - if (is_flag(p)) { >> >> + if (is_flag(p) || >> >> + (!param->string && (p->flags & fs_param_can_be_empty))) { >> >> if (param->type != fs_value_is_flag) >> >> return inval_plog(log, "Unexpected value for '%s'", >> >> param->key); >> > >> > If the parameter was derived from FSCONFIG_SET_STRING in fsconfig() then >> > param->string is guaranteed to not be NULL. So really this is only >> > about: >> > >> > FSCONFIG_SET_FD >> > FSCONFIG_SET_BINARY >> > FSCONFIG_SET_PATH >> > FSCONFIG_SET_PATH_EMPTY >> > >> > and those values being used without a value. What filesystem does this? >> > I don't see any. >> > >> > The tempting thing to do here is to to just remove fs_param_can_be_empty >> > from every helper that isn't fs_param_is_string() until we actually have >> > a filesystem that wants to use any of the above as flags. Will lose a >> > lot of code that isn't currently used. >> >> Right, I find it quite confusing and I may be fixing the issue in the >> wrong place. What I'm seeing with ext4 when I mount a filesystem using >> the option '-o usrjquota' is that fs_parse() will get: >> >> * p->type is set to fs_param_is_string >> ('p' is a struct fs_parameter_spec, ->type is a function) >> * param->type is set to fs_value_is_flag >> ('param' is a struct fs_parameter, ->type is an enum) >> >> This is because ext4 will use the __fsparam macro to set define a >> fs_param_spec as a fs_param_is_string but will also set the >> fs_param_can_be_empty; and the fsconfig() syscall will get that parameter >> as a flag. That's why param->string will be NULL in this case. > > Thanks for the details. Let me see if I get this right. So you're saying that > someone is doing: > > fsconfig(..., FSCONFIG_SET_FLAG, "usrjquota", NULL, 0); // [1] > > ? Is so that is a vital part of the explanation. So please put that in the > commit message. Right, I guess I should have added a simple usecase for that in the commit message. I.e. add a simple 'mount' command with this parameter without any value. > Then ext4 defines: > > fsparam_string_empty ("usrjquota", Opt_usrjquota), > > So [1] gets us: > > param->type == fs_value_is_flag > param->string == NULL > > Now we enter into > fs_parse() > -> __fs_parse() > -> fs_lookup_key() for @param and that does: > > bool want_flag = param->type == fs_value_is_flag; > > *negated = false; > for (p = desc; p->name; p++) { > if (strcmp(p->name, name) != 0) > continue; > if (likely(is_flag(p) == want_flag)) > return p; > other = p; > } > > So we don't have a flag parameter defined so the only real match we get is > @other for: > > fsparam_string_empty ("usrjquota", Opt_usrjquota), > > What happens now is that you call p->type == fs_param_is_string() and that > rejects it as bad parameter because param->type == fs_value_is_flag != > fs_value_is_string as required. So you dont end up getting Opt_userjquota > called with param->string NULL, right? So there's not NULL deref or anything, > right? > > You just fail to set usrjquota. Ok, so I think the correct fix is to do > something like the following in ext4: > > fsparam_string_empty ("usrjquota", Opt_usrjquota), > fs_param_flag ("usrjquota", Opt_usrjquota_flag), > > and then in the switch you can do: > > switch (opt) > case Opt_usrjquota: > // string thing > case Opt_usrjquota_flag: > // flag thing > > And I really think we should kill all empty handling for non-string types and > only add that when there's a filesystem that actually needs it. Yeah, that looks like the right fix. I see you sent out a patch doing something like this, so I'll comment there instead. Cheers,
Christian Brauner <brauner@kernel.org> writes: > On Sat, Mar 02, 2024 at 12:46:41PM +0100, Christian Brauner wrote: >> On Fri, Mar 01, 2024 at 03:45:27PM +0000, Luis Henriques wrote: >> > Christian Brauner <brauner@kernel.org> writes: >> > >> > > On Thu, Feb 29, 2024 at 04:30:08PM +0000, Luis Henriques wrote: >> > >> Currently, only parameters that have the fs_parameter_spec 'type' set to >> > >> NULL are handled as 'flag' types. However, parameters that have the >> > >> 'fs_param_can_be_empty' flag set and their value is NULL should also be >> > >> handled as 'flag' type, as their type is set to 'fs_value_is_flag'. >> > >> >> > >> Signed-off-by: Luis Henriques <lhenriques@suse.de> >> > >> --- >> > >> fs/fs_parser.c | 3 ++- >> > >> 1 file changed, 2 insertions(+), 1 deletion(-) >> > >> >> > >> diff --git a/fs/fs_parser.c b/fs/fs_parser.c >> > >> index edb3712dcfa5..53f6cb98a3e0 100644 >> > >> --- a/fs/fs_parser.c >> > >> +++ b/fs/fs_parser.c >> > >> @@ -119,7 +119,8 @@ int __fs_parse(struct p_log *log, >> > >> /* Try to turn the type we were given into the type desired by the >> > >> * parameter and give an error if we can't. >> > >> */ >> > >> - if (is_flag(p)) { >> > >> + if (is_flag(p) || >> > >> + (!param->string && (p->flags & fs_param_can_be_empty))) { >> > >> if (param->type != fs_value_is_flag) >> > >> return inval_plog(log, "Unexpected value for '%s'", >> > >> param->key); >> > > >> > > If the parameter was derived from FSCONFIG_SET_STRING in fsconfig() then >> > > param->string is guaranteed to not be NULL. So really this is only >> > > about: >> > > >> > > FSCONFIG_SET_FD >> > > FSCONFIG_SET_BINARY >> > > FSCONFIG_SET_PATH >> > > FSCONFIG_SET_PATH_EMPTY >> > > >> > > and those values being used without a value. What filesystem does this? >> > > I don't see any. >> > > >> > > The tempting thing to do here is to to just remove fs_param_can_be_empty >> > > from every helper that isn't fs_param_is_string() until we actually have >> > > a filesystem that wants to use any of the above as flags. Will lose a >> > > lot of code that isn't currently used. >> > >> > Right, I find it quite confusing and I may be fixing the issue in the >> > wrong place. What I'm seeing with ext4 when I mount a filesystem using >> > the option '-o usrjquota' is that fs_parse() will get: >> > >> > * p->type is set to fs_param_is_string >> > ('p' is a struct fs_parameter_spec, ->type is a function) >> > * param->type is set to fs_value_is_flag >> > ('param' is a struct fs_parameter, ->type is an enum) >> > >> > This is because ext4 will use the __fsparam macro to set define a >> > fs_param_spec as a fs_param_is_string but will also set the >> > fs_param_can_be_empty; and the fsconfig() syscall will get that parameter >> > as a flag. That's why param->string will be NULL in this case. >> >> Thanks for the details. Let me see if I get this right. So you're saying that >> someone is doing: >> >> fsconfig(..., FSCONFIG_SET_FLAG, "usrjquota", NULL, 0); // [1] >> >> ? Is so that is a vital part of the explanation. So please put that in the >> commit message. >> >> Then ext4 defines: >> >> fsparam_string_empty ("usrjquota", Opt_usrjquota), >> >> So [1] gets us: >> >> param->type == fs_value_is_flag >> param->string == NULL >> >> Now we enter into >> fs_parse() >> -> __fs_parse() >> -> fs_lookup_key() for @param and that does: >> >> bool want_flag = param->type == fs_value_is_flag; >> >> *negated = false; >> for (p = desc; p->name; p++) { >> if (strcmp(p->name, name) != 0) >> continue; >> if (likely(is_flag(p) == want_flag)) >> return p; >> other = p; >> } >> >> So we don't have a flag parameter defined so the only real match we get is >> @other for: >> >> fsparam_string_empty ("usrjquota", Opt_usrjquota), >> >> What happens now is that you call p->type == fs_param_is_string() and that >> rejects it as bad parameter because param->type == fs_value_is_flag != >> fs_value_is_string as required. So you dont end up getting Opt_userjquota >> called with param->string NULL, right? So there's not NULL deref or anything, >> right? >> >> You just fail to set usrjquota. Ok, so I think the correct fix is to do >> something like the following in ext4: >> >> fsparam_string_empty ("usrjquota", Opt_usrjquota), >> fs_param_flag ("usrjquota", Opt_usrjquota_flag), >> >> and then in the switch you can do: >> >> switch (opt) >> case Opt_usrjquota: >> // string thing >> case Opt_usrjquota_flag: >> // flag thing >> >> And I really think we should kill all empty handling for non-string types and >> only add that when there's a filesystem that actually needs it. > > So one option is to do the following: Thanks a lot of your review (I forgot to thank you in my other reply!). Now, I haven't yet tested this properly, but I think that's a much simpler and cleaner way of fixing this issue. Now, although it needs some testing, I think the patch has one problem (see comment below). Do you want me to send out a cleaned-up version[*] of it after some testing (+ a similar fix for overlayfs)? Or would you rather handle this yourself? (I'll probably won't be able to look into it until mid-week.) [*] Obviously, keeping a notice that you were the original author. > From 8bfb142e6caba70704998be072222d6a31d8b97b Mon Sep 17 00:00:00 2001 > From: Christian Brauner <brauner@kernel.org> > Date: Sat, 2 Mar 2024 18:54:35 +0100 > Subject: [PATCH] [UNTESTED] > > Signed-off-by: Christian Brauner <brauner@kernel.org> > --- > fs/ext4/super.c | 32 ++++++++++++++++++-------------- > include/linux/fs_parser.h | 3 +++ > 2 files changed, 21 insertions(+), 14 deletions(-) > > diff --git a/fs/ext4/super.c b/fs/ext4/super.c > index ebd97442d1d4..bd625f06ec0f 100644 > --- a/fs/ext4/super.c > +++ b/fs/ext4/super.c > @@ -1724,10 +1724,6 @@ static const struct constant_table ext4_param_dax[] = { > {} > }; > > -/* String parameter that allows empty argument */ > -#define fsparam_string_empty(NAME, OPT) \ > - __fsparam(fs_param_is_string, NAME, OPT, fs_param_can_be_empty, NULL) > - > /* > * Mount option specification > * We don't use fsparam_flag_no because of the way we set the > @@ -1768,10 +1764,8 @@ static const struct fs_parameter_spec ext4_param_specs[] = { > fsparam_enum ("data", Opt_data, ext4_param_data), > fsparam_enum ("data_err", Opt_data_err, > ext4_param_data_err), > - fsparam_string_empty > - ("usrjquota", Opt_usrjquota), > - fsparam_string_empty > - ("grpjquota", Opt_grpjquota), > + fsparam_string_or_flag ("usrjquota", Opt_usrjquota), > + fsparam_string_or_flag ("grpjquota", Opt_grpjquota), > fsparam_enum ("jqfmt", Opt_jqfmt, ext4_param_jqfmt), > fsparam_flag ("grpquota", Opt_grpquota), > fsparam_flag ("quota", Opt_quota), > @@ -2183,15 +2177,25 @@ static int ext4_parse_param(struct fs_context *fc, struct fs_parameter *param) > switch (token) { > #ifdef CONFIG_QUOTA > case Opt_usrjquota: > - if (!param->string) > - return unnote_qf_name(fc, USRQUOTA); > - else > + if (param->type == fs_value_is_string) { > + if (!*param->string) > + return unnote_qf_name(fc, USRQUOTA); > + > return note_qf_name(fc, USRQUOTA, param); > + } > + > + // param->type == fs_value_is_flag > + return note_qf_name(fc, USRQUOTA, param); ^^^^^^^^^^^^ I think this isn't correct -- the correct function to call in this case is unnote_qf_name(), not note_qf_name(). The same comment applies to the grpjquota parameter handling. Cheers,
On Sun, Mar 03, 2024 at 09:31:42PM +0000, Luis Henriques wrote: > Christian Brauner <brauner@kernel.org> writes: > > > On Sat, Mar 02, 2024 at 12:46:41PM +0100, Christian Brauner wrote: > >> On Fri, Mar 01, 2024 at 03:45:27PM +0000, Luis Henriques wrote: > >> > Christian Brauner <brauner@kernel.org> writes: > >> > > >> > > On Thu, Feb 29, 2024 at 04:30:08PM +0000, Luis Henriques wrote: > >> > >> Currently, only parameters that have the fs_parameter_spec 'type' set to > >> > >> NULL are handled as 'flag' types. However, parameters that have the > >> > >> 'fs_param_can_be_empty' flag set and their value is NULL should also be > >> > >> handled as 'flag' type, as their type is set to 'fs_value_is_flag'. > >> > >> > >> > >> Signed-off-by: Luis Henriques <lhenriques@suse.de> > >> > >> --- > >> > >> fs/fs_parser.c | 3 ++- > >> > >> 1 file changed, 2 insertions(+), 1 deletion(-) > >> > >> > >> > >> diff --git a/fs/fs_parser.c b/fs/fs_parser.c > >> > >> index edb3712dcfa5..53f6cb98a3e0 100644 > >> > >> --- a/fs/fs_parser.c > >> > >> +++ b/fs/fs_parser.c > >> > >> @@ -119,7 +119,8 @@ int __fs_parse(struct p_log *log, > >> > >> /* Try to turn the type we were given into the type desired by the > >> > >> * parameter and give an error if we can't. > >> > >> */ > >> > >> - if (is_flag(p)) { > >> > >> + if (is_flag(p) || > >> > >> + (!param->string && (p->flags & fs_param_can_be_empty))) { > >> > >> if (param->type != fs_value_is_flag) > >> > >> return inval_plog(log, "Unexpected value for '%s'", > >> > >> param->key); > >> > > > >> > > If the parameter was derived from FSCONFIG_SET_STRING in fsconfig() then > >> > > param->string is guaranteed to not be NULL. So really this is only > >> > > about: > >> > > > >> > > FSCONFIG_SET_FD > >> > > FSCONFIG_SET_BINARY > >> > > FSCONFIG_SET_PATH > >> > > FSCONFIG_SET_PATH_EMPTY > >> > > > >> > > and those values being used without a value. What filesystem does this? > >> > > I don't see any. > >> > > > >> > > The tempting thing to do here is to to just remove fs_param_can_be_empty > >> > > from every helper that isn't fs_param_is_string() until we actually have > >> > > a filesystem that wants to use any of the above as flags. Will lose a > >> > > lot of code that isn't currently used. > >> > > >> > Right, I find it quite confusing and I may be fixing the issue in the > >> > wrong place. What I'm seeing with ext4 when I mount a filesystem using > >> > the option '-o usrjquota' is that fs_parse() will get: > >> > > >> > * p->type is set to fs_param_is_string > >> > ('p' is a struct fs_parameter_spec, ->type is a function) > >> > * param->type is set to fs_value_is_flag > >> > ('param' is a struct fs_parameter, ->type is an enum) > >> > > >> > This is because ext4 will use the __fsparam macro to set define a > >> > fs_param_spec as a fs_param_is_string but will also set the > >> > fs_param_can_be_empty; and the fsconfig() syscall will get that parameter > >> > as a flag. That's why param->string will be NULL in this case. > >> > >> Thanks for the details. Let me see if I get this right. So you're saying that > >> someone is doing: > >> > >> fsconfig(..., FSCONFIG_SET_FLAG, "usrjquota", NULL, 0); // [1] > >> > >> ? Is so that is a vital part of the explanation. So please put that in the > >> commit message. > >> > >> Then ext4 defines: > >> > >> fsparam_string_empty ("usrjquota", Opt_usrjquota), > >> > >> So [1] gets us: > >> > >> param->type == fs_value_is_flag > >> param->string == NULL > >> > >> Now we enter into > >> fs_parse() > >> -> __fs_parse() > >> -> fs_lookup_key() for @param and that does: > >> > >> bool want_flag = param->type == fs_value_is_flag; > >> > >> *negated = false; > >> for (p = desc; p->name; p++) { > >> if (strcmp(p->name, name) != 0) > >> continue; > >> if (likely(is_flag(p) == want_flag)) > >> return p; > >> other = p; > >> } > >> > >> So we don't have a flag parameter defined so the only real match we get is > >> @other for: > >> > >> fsparam_string_empty ("usrjquota", Opt_usrjquota), > >> > >> What happens now is that you call p->type == fs_param_is_string() and that > >> rejects it as bad parameter because param->type == fs_value_is_flag != > >> fs_value_is_string as required. So you dont end up getting Opt_userjquota > >> called with param->string NULL, right? So there's not NULL deref or anything, > >> right? > >> > >> You just fail to set usrjquota. Ok, so I think the correct fix is to do > >> something like the following in ext4: > >> > >> fsparam_string_empty ("usrjquota", Opt_usrjquota), > >> fs_param_flag ("usrjquota", Opt_usrjquota_flag), > >> > >> and then in the switch you can do: > >> > >> switch (opt) > >> case Opt_usrjquota: > >> // string thing > >> case Opt_usrjquota_flag: > >> // flag thing > >> > >> And I really think we should kill all empty handling for non-string types and > >> only add that when there's a filesystem that actually needs it. > > > > So one option is to do the following: > > Thanks a lot of your review (I forgot to thank you in my other reply!). > > Now, I haven't yet tested this properly, but I think that's a much simpler > and cleaner way of fixing this issue. Now, although it needs some > testing, I think the patch has one problem (see comment below). > > Do you want me to send out a cleaned-up version[*] of it after some Yes, please. That would be great!
diff --git a/fs/fs_parser.c b/fs/fs_parser.c index edb3712dcfa5..53f6cb98a3e0 100644 --- a/fs/fs_parser.c +++ b/fs/fs_parser.c @@ -119,7 +119,8 @@ int __fs_parse(struct p_log *log, /* Try to turn the type we were given into the type desired by the * parameter and give an error if we can't. */ - if (is_flag(p)) { + if (is_flag(p) || + (!param->string && (p->flags & fs_param_can_be_empty))) { if (param->type != fs_value_is_flag) return inval_plog(log, "Unexpected value for '%s'", param->key);