Re: [RESEND PATCH v3] fuse: Abort waiting for a response if the daemon receives a fatal signal

[Miklos Szeredi]

On Wed, Nov 11, 2020 at 8:42 AM Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote:
>
> Miklos Szeredi <miklos@xxxxxxxxxx> writes:

> > Okay, so the problem with making the wait_event() at the end of
> > request_wait_answer() killable is that it would allow compromising the
> > server's integrity by unlocking the VFS level lock (which protects the
> > fs) while the server hasn't yet finished the request.
> >
> > The way this would be solvable is to add a fuse level lock for each
> > VFS level lock.   That lock would be taken before the request is sent
> > to userspace and would be released when the answer is received.
> > Normally there would be zero contention on these shadow locks, but if
> > a request is forcibly killed, then the VFS lock is released and the
> > shadow lock now protects the filesystem.
> >
> > This wouldn't solve the case where a fuse fs is deadlocked on a VFS
> > lock (e.g. task B), but would allow tasks blocked directly on a fuse
> > filesystem to be killed (e.g. task A or C, both of which would unwind
> > the deadlock).
>
> Are we just talking the inode lock here?
>
> I am trying to figure out if this is a straight forward change.
> Or if it will take a fair amount of work.

Inode lock and cross directory rename lock should suffice, I think.

One issue is that we are losing normal ref on dentry+mount, so in case
the process is killed we need to take a ref on the inode.

Since multiple inode locks can be held for one op, we need to take
care of ordering the shadow locks as well.

It's not a trivial change, but I'd be much happier if we would take
this instead of the hackish one.

Thanks,
Miklos