On Wed, Nov 11, 2020 at 8:42 AM Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote: > > Miklos Szeredi <miklos@xxxxxxxxxx> writes: > > Okay, so the problem with making the wait_event() at the end of > > request_wait_answer() killable is that it would allow compromising the > > server's integrity by unlocking the VFS level lock (which protects the > > fs) while the server hasn't yet finished the request. > > > > The way this would be solvable is to add a fuse level lock for each > > VFS level lock. That lock would be taken before the request is sent > > to userspace and would be released when the answer is received. > > Normally there would be zero contention on these shadow locks, but if > > a request is forcibly killed, then the VFS lock is released and the > > shadow lock now protects the filesystem. > > > > This wouldn't solve the case where a fuse fs is deadlocked on a VFS > > lock (e.g. task B), but would allow tasks blocked directly on a fuse > > filesystem to be killed (e.g. task A or C, both of which would unwind > > the deadlock). > > Are we just talking the inode lock here? > > I am trying to figure out if this is a straight forward change. > Or if it will take a fair amount of work. Inode lock and cross directory rename lock should suffice, I think. One issue is that we are losing normal ref on dentry+mount, so in case the process is killed we need to take a ref on the inode. Since multiple inode locks can be held for one op, we need to take care of ordering the shadow locks as well. It's not a trivial change, but I'd be much happier if we would take this instead of the hackish one. Thanks, Miklos
