On Wed 28-05-25 23:37:24, Al Viro wrote: > On Wed, May 28, 2025 at 03:26:22PM -0700, Song Liu wrote: > > Introduce a path iterator, which reliably walk a struct path. > > No, it does not. If you have no external warranty that mount > *and* dentry trees are stable, it's not reliable at all. I agree that advertising this as "reliable walk" is misleading. It is realiable in the sense that it will not dereference freed memory, leak references etc. As you say it is also reliable in the sense that without external modifications to dentry & mount tree, it will crawl the path to root. But in presence of external modifications the only reliability it offers is "it will not crash". E.g. malicious parallel modifications can arbitrarily prolong the duration of the walk. > And I'm extremely suspicious regarding the validity of anything > that pokes around in mount trees. There is a very good reason > struct mount is *not* visible in include/linux/*.h Well, but looking at the actual code I don't see anything problematic there. It does not export any new functionality from the VFS AFAICT. It just factors out some parent lookup details from Landlock into generic code and exposes it as a helper to fetch parent dentry. But overall any kernel module can do what's in the helper already today and exposing the functionality of looking up dentry parent to BPF as well seems OK to me. So I have only reservations against calling it "reliable walk". It should rather come with warnings like "The sequence of dentries may be rather surprising in presence of parallel directory or mount tree modifications and the iteration need not ever finish in face of parallel malicious directory tree manipulations." Honza -- Jan Kara <jack@xxxxxxxx> SUSE Labs, CR
