diff options
author | Darrick J. Wong <djwong@kernel.org> | 2021-09-01 11:14:48 -0700 |
---|---|---|
committer | Darrick J. Wong <djwong@kernel.org> | 2021-10-22 16:40:51 -0700 |
commit | 0c20a38103bdcd61e89a38cec79991dd5ef956fd (patch) | |
tree | d4282295e1cc556549f3c86d76a04a3b9de4c025 | |
parent | 2ecc920abb07a43a7d15500fb10452e12461a3ba (diff) |
xfs: hide metadata inodes from everyone because they are special
Metadata inodes are private files and therefore cannot be exposed to
userspace. This means no bulkstat, no open-by-handle, no linking them
into the directory tree, and no feeding them to LSMs. As such, we mark
them S_PRIVATE, which stops all that.
While we're at it, put them in a separate lockdep class so that it won't
get confused by "recursive" i_rwsem locking such as what happens when we
write to a rt file and need to allocate from the rt bitmap file.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
-rw-r--r-- | fs/xfs/xfs_iops.c | 34 |
1 files changed, 32 insertions, 2 deletions
diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c index 28f2ea1999c9..1f7c275ec894 100644 --- a/fs/xfs/xfs_iops.c +++ b/fs/xfs/xfs_iops.c @@ -42,6 +42,15 @@ static struct lock_class_key xfs_nondir_ilock_class; static struct lock_class_key xfs_dir_ilock_class; +/* + * Metadata directories and files are not exposed to userspace, which means + * that they never access any of the VFS IO locks and never experience page + * faults. Give them separate locking classes so that lockdep will not + * complain about conflicts that cannot happen. + */ +static struct lock_class_key xfs_metadata_file_ilock_class; +static struct lock_class_key xfs_metadata_dir_ilock_class; + static int xfs_initxattrs( struct inode *inode, @@ -1358,6 +1367,7 @@ xfs_setup_inode( { struct inode *inode = &ip->i_vnode; gfp_t gfp_mask; + bool is_meta = xfs_is_metadata_inode(ip); inode->i_ino = ip->i_ino; inode->i_state |= I_NEW; @@ -1369,6 +1379,16 @@ xfs_setup_inode( i_size_write(inode, ip->i_disk_size); xfs_diflags_to_iflags(ip, true); + /* + * Mark our metadata files as private so that LSMs and the ACL code + * don't try to add their own metadata or reason about these files, + * and users cannot ever obtain file handles to them. + */ + if (is_meta) { + inode->i_flags |= S_PRIVATE; + inode->i_opflags &= ~IOP_XATTR; + } + if (S_ISDIR(inode->i_mode)) { /* * We set the i_rwsem class here to avoid potential races with @@ -1378,9 +1398,19 @@ xfs_setup_inode( */ lockdep_set_class(&inode->i_rwsem, &inode->i_sb->s_type->i_mutex_dir_key); - lockdep_set_class(&ip->i_lock.mr_lock, &xfs_dir_ilock_class); + if (is_meta) + lockdep_set_class(&ip->i_lock.mr_lock, + &xfs_metadata_dir_ilock_class); + else + lockdep_set_class(&ip->i_lock.mr_lock, + &xfs_dir_ilock_class); } else { - lockdep_set_class(&ip->i_lock.mr_lock, &xfs_nondir_ilock_class); + if (is_meta) + lockdep_set_class(&ip->i_lock.mr_lock, + &xfs_metadata_file_ilock_class); + else + lockdep_set_class(&ip->i_lock.mr_lock, + &xfs_nondir_ilock_class); } /* |