On Thu, May 29, 2025 at 9:53 AM Song Liu <song@xxxxxxxxxx> wrote: > > Hi Al and Jan, > > Thanks for your review! > > On Thu, May 29, 2025 at 4:58 AM Jan Kara <jack@xxxxxxx> wrote: > > > > On Wed 28-05-25 23:37:24, Al Viro wrote: > > > On Wed, May 28, 2025 at 03:26:22PM -0700, Song Liu wrote: > > > > Introduce a path iterator, which reliably walk a struct path. > > > > > > No, it does not. If you have no external warranty that mount > > > *and* dentry trees are stable, it's not reliable at all. > > > > I agree that advertising this as "reliable walk" is misleading. It is > > realiable in the sense that it will not dereference freed memory, leak > > references etc. As you say it is also reliable in the sense that without > > external modifications to dentry & mount tree, it will crawl the path to > > root. But in presence of external modifications the only reliability it > > offers is "it will not crash". E.g. malicious parallel modifications can > > arbitrarily prolong the duration of the walk. > > How about we describe this as: > > Introduce a path iterator, which safely (no crash) walks a struct path. > Without malicious parallel modifications, the walk is guaranteed to > terminate. The sequence of dentries maybe surprising in presence > of parallel directory or mount tree modifications and the iteration may > not ever finish in face of parallel malicious directory tree manipulations. Hold on. If it's really the case then is the landlock susceptible to this type of attack already ? landlock may infinitely loop in the kernel ?
