mirror of
https://github.com/hardkernel/linux.git
synced 2026-04-01 18:53:02 +09:00
d919765758
Pull f2fs update from Jaegeuk Kim: "In this round, we've mainly focused on performance tuning and critical bug fixes occurred in low-end devices. Sheng Yong introduced lost_found feature to keep missing files during recovery instead of thrashing them. We're preparing coming fsverity implementation. And, we've got more features to communicate with users for better performance. In low-end devices, some memory-related issues were fixed, and subtle race condtions and corner cases were addressed as well. Enhancements: - large nat bitmaps for more free node ids - add three block allocation policies to pass down write hints given by user - expose extension list to user and introduce hot file extension - tune small devices seamlessly for low-end devices - set readdir_ra by default - give more resources under gc_urgent mode regarding to discard and cleaning - introduce fsync_mode to enforce posix or not - nowait aio support - add lost_found feature to keep dangling inodes - reserve bits for future fsverity feature - add test_dummy_encryption for FBE Bug fixes: - don't use highmem for dentry pages - align memory boundary for bitops - truncate preallocated blocks in write errors - guarantee i_times on fsync call - clear CP_TRIMMED_FLAG correctly - prevent node chain loop during recovery - avoid data race between atomic write and background cleaning - avoid unnecessary selinux violation warnings on resgid option - GFP_NOFS to avoid deadlock in quota and read paths - fix f2fs_skip_inode_update to allow i_size recovery In addition to the above, there are several minor bug fixes and clean-ups" Cherry-pick from origin/upstream-f2fs-stable-linux-4.9.y: ac389af190fb f2fs: remain written times to update inode during fsync 270deeb87125 f2fs: make assignment of t->dentry_bitmap more readable a4fa11c8da10 f2fs: truncate preallocated blocks in error case 4478970f0e73 f2fs: fix a wrong condition in f2fs_skip_inode_update 29cead58f5ea f2fs: reserve bits for fs-verity 848b293a5d95 f2fs: Add a segment type check in inplace write 2dc8f5a3a640 f2fs: no need to initialize zero value for GFP_F2FS_ZERO 83b9bb95a628 f2fs: don't track new nat entry in nat set a33ce03ac477 f2fs: clean up with F2FS_BLK_ALIGN a3f8ec8082e3 f2fs: check blkaddr more accuratly before issue a bio 034f11eadb16 f2fs: Set GF_NOFS in read_cache_page_gfp while doing f2fs_quota_read aa5bcfd8f488 f2fs: introduce a new mount option test_dummy_encryption 9b880fe6e6e2 f2fs: introduce F2FS_FEATURE_LOST_FOUND feature 80d6489a08c1 f2fs: release locks before return in f2fs_ioc_gc_range() 9f1896c490eb f2fs: align memory boundary for bitops c7930ee88334 f2fs: remove unneeded set_cold_node() 355d2346409a f2fs: add nowait aio support e9a50e6b9479 f2fs: wrap all options with f2fs_sb_info.mount_opt b6d2ec83e0c0 f2fs: Don't overwrite all types of node to keep node chain 9a954816298c f2fs: introduce mount option for fsync mode 4ce4eb697068 f2fs: fix to restore old mount option in ->remount_fs 8f711c344e61 f2fs: wrap sb_rdonly with f2fs_readonly c07478ee84bf f2fs: avoid selinux denial on CAP_SYS_RESOURCE ac734c416fa9 f2fs: support hot file extension f4f10221accc f2fs: fix to avoid race in between atomic write and background GC e87b13ec160b f2fs: do gc in greedy mode for whole range if gc_urgent mode is set e9878588de94 f2fs: issue discard aggressively in the gc_urgent mode ad3ce479e6e4 f2fs: set readdir_ra by default 5aae2026bbd2 f2fs: add auto tuning for small devices 78c1fc2d8f27 f2fs: add mount option for segment allocation policy ecd02f564631 f2fs: don't stop GC if GC is contended 1e72cb27d2d6 f2fs: expose extension_list sysfs entry 061839d178ab f2fs: fix to set KEEP_SIZE bit in f2fs_zero_range 4951ebcbc4e2 f2fs: introduce sb_lock to make encrypt pwsalt update exclusive 939f6be0420f f2fs: remove redundant initialization of pointer 'p' 39bea4bc8ef2 f2fs: flush cp pack except cp pack 2 page at first 770611eb2ab4 f2fs: clean up f2fs_sb_has_xxx functions 4d8e4a8965f9 f2fs: remove redundant check of page type when submit bio e9878588de94 f2fs: issue discard aggressively in the gc_urgent mode ad3ce479e6e4 f2fs: set readdir_ra by default 5aae2026bbd2 f2fs: add auto tuning for small devices 78c1fc2d8f27 f2fs: add mount option for segment allocation policy ecd02f564631 f2fs: don't stop GC if GC is contended 1e72cb27d2d6 f2fs: expose extension_list sysfs entry 061839d178ab f2fs: fix to set KEEP_SIZE bit in f2fs_zero_range 4951ebcbc4e2 f2fs: introduce sb_lock to make encrypt pwsalt update exclusive 939f6be0420f f2fs: remove redundant initialization of pointer 'p' 39bea4bc8ef2 f2fs: flush cp pack except cp pack 2 page at first 770611eb2ab4 f2fs: clean up f2fs_sb_has_xxx functions 4d8e4a8965f9 f2fs: remove redundant check of page type when submit bio b57a37f01fda f2fs: fix to handle looped node chain during recovery 9ac5b8c54083 f2fs: handle quota for orphan inodes 87c18066016a f2fs: support passing down write hints to block layer with F2FS policy bcdc571e8d8b f2fs: support passing down write hints given by users to block layer 92413bc12e32 f2fs: fix to clear CP_TRIMMED_FLAG a1afb55f9784 f2fs: support large nat bitmap 636039140493 f2fs: fix to check extent cache in f2fs_drop_extent_tree 7de4fccdbce1 f2fs: restrict inline_xattr_size configuration aae506a8b704 f2fs: fix heap mode to reset it back 8fa455bb6ea0 f2fs: fix potential corruption in area before F2FS_SUPER_OFFSET 9d9cb0ef73f9 fscrypt: fix build with pre-4.6 gcc versions 401052ffc6b4 fscrypt: remove 'ci' parameter from fscrypt_put_encryption_info() 549b2061b3b5 fscrypt: fix up fscrypt_fname_encrypted_size() for internal use c440b5091a0c fscrypt: define fscrypt_fname_alloc_buffer() to be for presented names 7d82f0e1c39a ext4: switch to fscrypt ->symlink() helper functions ba4efe560438 ext4: switch to fscrypt_get_symlink() b0edc2f22d24 fscrypt: calculate NUL-padding length in one place only 62cfdd9868c7 fscrypt: move fscrypt_symlink_data to fscrypt_private.h e4e6776522bc fscrypt: remove fscrypt_fname_usr_to_disk() 45028b5aaa4e f2fs: switch to fscrypt_get_symlink() f62d3d31e0c7 f2fs: switch to fscrypt ->symlink() helper functions da32a1633ad3 fscrypt: new helper function - fscrypt_get_symlink() a7e05c731d11 fscrypt: new helper functions for ->symlink() eb9c5fd896de fscrypt: trim down fscrypt.h includes 0a02472d8ae2 fscrypt: move fscrypt_is_dot_dotdot() to fs/crypto/fname.c 9d51ca80274c fscrypt: move fscrypt_valid_enc_modes() to fscrypt_private.h efbfa8c6a056 fscrypt: move fscrypt_operations declaration to fscrypt_supp.h 616dbd2bdc6a fscrypt: split fscrypt_dummy_context_enabled() into supp/notsupp versions f0c472bcbf1c fscrypt: move fscrypt_ctx declaration to fscrypt_supp.h bc76f39109b1 fscrypt: move fscrypt_info_cachep declaration to fscrypt_private.h b67b07ec4964 fscrypt: move fscrypt_control_page() to supp/notsupp headers d8dfb89961d0 fscrypt: move fscrypt_has_encryption_key() to supp/notsupp headers Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
271 lines
7.4 KiB
C
271 lines
7.4 KiB
C
/*
|
|
* fs/crypto/hooks.c
|
|
*
|
|
* Encryption hooks for higher-level filesystem operations.
|
|
*/
|
|
|
|
#include <linux/ratelimit.h>
|
|
#include "fscrypt_private.h"
|
|
|
|
/**
|
|
* fscrypt_file_open - prepare to open a possibly-encrypted regular file
|
|
* @inode: the inode being opened
|
|
* @filp: the struct file being set up
|
|
*
|
|
* Currently, an encrypted regular file can only be opened if its encryption key
|
|
* is available; access to the raw encrypted contents is not supported.
|
|
* Therefore, we first set up the inode's encryption key (if not already done)
|
|
* and return an error if it's unavailable.
|
|
*
|
|
* We also verify that if the parent directory (from the path via which the file
|
|
* is being opened) is encrypted, then the inode being opened uses the same
|
|
* encryption policy. This is needed as part of the enforcement that all files
|
|
* in an encrypted directory tree use the same encryption policy, as a
|
|
* protection against certain types of offline attacks. Note that this check is
|
|
* needed even when opening an *unencrypted* file, since it's forbidden to have
|
|
* an unencrypted file in an encrypted directory.
|
|
*
|
|
* Return: 0 on success, -ENOKEY if the key is missing, or another -errno code
|
|
*/
|
|
int fscrypt_file_open(struct inode *inode, struct file *filp)
|
|
{
|
|
int err;
|
|
struct dentry *dir;
|
|
|
|
err = fscrypt_require_key(inode);
|
|
if (err)
|
|
return err;
|
|
|
|
dir = dget_parent(file_dentry(filp));
|
|
if (IS_ENCRYPTED(d_inode(dir)) &&
|
|
!fscrypt_has_permitted_context(d_inode(dir), inode)) {
|
|
pr_warn_ratelimited("fscrypt: inconsistent encryption contexts: %lu/%lu",
|
|
d_inode(dir)->i_ino, inode->i_ino);
|
|
err = -EPERM;
|
|
}
|
|
dput(dir);
|
|
return err;
|
|
}
|
|
EXPORT_SYMBOL_GPL(fscrypt_file_open);
|
|
|
|
int __fscrypt_prepare_link(struct inode *inode, struct inode *dir)
|
|
{
|
|
int err;
|
|
|
|
err = fscrypt_require_key(dir);
|
|
if (err)
|
|
return err;
|
|
|
|
if (!fscrypt_has_permitted_context(dir, inode))
|
|
return -EPERM;
|
|
|
|
return 0;
|
|
}
|
|
EXPORT_SYMBOL_GPL(__fscrypt_prepare_link);
|
|
|
|
int __fscrypt_prepare_rename(struct inode *old_dir, struct dentry *old_dentry,
|
|
struct inode *new_dir, struct dentry *new_dentry,
|
|
unsigned int flags)
|
|
{
|
|
int err;
|
|
|
|
err = fscrypt_require_key(old_dir);
|
|
if (err)
|
|
return err;
|
|
|
|
err = fscrypt_require_key(new_dir);
|
|
if (err)
|
|
return err;
|
|
|
|
if (old_dir != new_dir) {
|
|
if (IS_ENCRYPTED(new_dir) &&
|
|
!fscrypt_has_permitted_context(new_dir,
|
|
d_inode(old_dentry)))
|
|
return -EPERM;
|
|
|
|
if ((flags & RENAME_EXCHANGE) &&
|
|
IS_ENCRYPTED(old_dir) &&
|
|
!fscrypt_has_permitted_context(old_dir,
|
|
d_inode(new_dentry)))
|
|
return -EPERM;
|
|
}
|
|
return 0;
|
|
}
|
|
EXPORT_SYMBOL_GPL(__fscrypt_prepare_rename);
|
|
|
|
int __fscrypt_prepare_lookup(struct inode *dir, struct dentry *dentry)
|
|
{
|
|
int err = fscrypt_get_encryption_info(dir);
|
|
|
|
if (err)
|
|
return err;
|
|
|
|
if (fscrypt_has_encryption_key(dir)) {
|
|
spin_lock(&dentry->d_lock);
|
|
dentry->d_flags |= DCACHE_ENCRYPTED_WITH_KEY;
|
|
spin_unlock(&dentry->d_lock);
|
|
}
|
|
|
|
d_set_d_op(dentry, &fscrypt_d_ops);
|
|
return 0;
|
|
}
|
|
EXPORT_SYMBOL_GPL(__fscrypt_prepare_lookup);
|
|
|
|
int __fscrypt_prepare_symlink(struct inode *dir, unsigned int len,
|
|
unsigned int max_len,
|
|
struct fscrypt_str *disk_link)
|
|
{
|
|
int err;
|
|
|
|
/*
|
|
* To calculate the size of the encrypted symlink target we need to know
|
|
* the amount of NUL padding, which is determined by the flags set in
|
|
* the encryption policy which will be inherited from the directory.
|
|
* The easiest way to get access to this is to just load the directory's
|
|
* fscrypt_info, since we'll need it to create the dir_entry anyway.
|
|
*
|
|
* Note: in test_dummy_encryption mode, @dir may be unencrypted.
|
|
*/
|
|
err = fscrypt_get_encryption_info(dir);
|
|
if (err)
|
|
return err;
|
|
if (!fscrypt_has_encryption_key(dir))
|
|
return -ENOKEY;
|
|
|
|
/*
|
|
* Calculate the size of the encrypted symlink and verify it won't
|
|
* exceed max_len. Note that for historical reasons, encrypted symlink
|
|
* targets are prefixed with the ciphertext length, despite this
|
|
* actually being redundant with i_size. This decreases by 2 bytes the
|
|
* longest symlink target we can accept.
|
|
*
|
|
* We could recover 1 byte by not counting a null terminator, but
|
|
* counting it (even though it is meaningless for ciphertext) is simpler
|
|
* for now since filesystems will assume it is there and subtract it.
|
|
*/
|
|
if (!fscrypt_fname_encrypted_size(dir, len,
|
|
max_len - sizeof(struct fscrypt_symlink_data),
|
|
&disk_link->len))
|
|
return -ENAMETOOLONG;
|
|
disk_link->len += sizeof(struct fscrypt_symlink_data);
|
|
|
|
disk_link->name = NULL;
|
|
return 0;
|
|
}
|
|
EXPORT_SYMBOL_GPL(__fscrypt_prepare_symlink);
|
|
|
|
int __fscrypt_encrypt_symlink(struct inode *inode, const char *target,
|
|
unsigned int len, struct fscrypt_str *disk_link)
|
|
{
|
|
int err;
|
|
struct qstr iname = QSTR_INIT(target, len);
|
|
struct fscrypt_symlink_data *sd;
|
|
unsigned int ciphertext_len;
|
|
|
|
err = fscrypt_require_key(inode);
|
|
if (err)
|
|
return err;
|
|
|
|
if (disk_link->name) {
|
|
/* filesystem-provided buffer */
|
|
sd = (struct fscrypt_symlink_data *)disk_link->name;
|
|
} else {
|
|
sd = kmalloc(disk_link->len, GFP_NOFS);
|
|
if (!sd)
|
|
return -ENOMEM;
|
|
}
|
|
ciphertext_len = disk_link->len - sizeof(*sd);
|
|
sd->len = cpu_to_le16(ciphertext_len);
|
|
|
|
err = fname_encrypt(inode, &iname, sd->encrypted_path, ciphertext_len);
|
|
if (err) {
|
|
if (!disk_link->name)
|
|
kfree(sd);
|
|
return err;
|
|
}
|
|
/*
|
|
* Null-terminating the ciphertext doesn't make sense, but we still
|
|
* count the null terminator in the length, so we might as well
|
|
* initialize it just in case the filesystem writes it out.
|
|
*/
|
|
sd->encrypted_path[ciphertext_len] = '\0';
|
|
|
|
if (!disk_link->name)
|
|
disk_link->name = (unsigned char *)sd;
|
|
return 0;
|
|
}
|
|
EXPORT_SYMBOL_GPL(__fscrypt_encrypt_symlink);
|
|
|
|
/**
|
|
* fscrypt_get_symlink - get the target of an encrypted symlink
|
|
* @inode: the symlink inode
|
|
* @caddr: the on-disk contents of the symlink
|
|
* @max_size: size of @caddr buffer
|
|
* @done: if successful, will be set up to free the returned target
|
|
*
|
|
* If the symlink's encryption key is available, we decrypt its target.
|
|
* Otherwise, we encode its target for presentation.
|
|
*
|
|
* This may sleep, so the filesystem must have dropped out of RCU mode already.
|
|
*
|
|
* Return: the presentable symlink target or an ERR_PTR()
|
|
*/
|
|
const char *fscrypt_get_symlink(struct inode *inode, const void *caddr,
|
|
unsigned int max_size,
|
|
struct delayed_call *done)
|
|
{
|
|
const struct fscrypt_symlink_data *sd;
|
|
struct fscrypt_str cstr, pstr;
|
|
int err;
|
|
|
|
/* This is for encrypted symlinks only */
|
|
if (WARN_ON(!IS_ENCRYPTED(inode)))
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
/*
|
|
* Try to set up the symlink's encryption key, but we can continue
|
|
* regardless of whether the key is available or not.
|
|
*/
|
|
err = fscrypt_get_encryption_info(inode);
|
|
if (err)
|
|
return ERR_PTR(err);
|
|
|
|
/*
|
|
* For historical reasons, encrypted symlink targets are prefixed with
|
|
* the ciphertext length, even though this is redundant with i_size.
|
|
*/
|
|
|
|
if (max_size < sizeof(*sd))
|
|
return ERR_PTR(-EUCLEAN);
|
|
sd = caddr;
|
|
cstr.name = (unsigned char *)sd->encrypted_path;
|
|
cstr.len = le16_to_cpu(sd->len);
|
|
|
|
if (cstr.len == 0)
|
|
return ERR_PTR(-EUCLEAN);
|
|
|
|
if (cstr.len + sizeof(*sd) - 1 > max_size)
|
|
return ERR_PTR(-EUCLEAN);
|
|
|
|
err = fscrypt_fname_alloc_buffer(inode, cstr.len, &pstr);
|
|
if (err)
|
|
return ERR_PTR(err);
|
|
|
|
err = fscrypt_fname_disk_to_usr(inode, 0, 0, &cstr, &pstr);
|
|
if (err)
|
|
goto err_kfree;
|
|
|
|
err = -EUCLEAN;
|
|
if (pstr.name[0] == '\0')
|
|
goto err_kfree;
|
|
|
|
pstr.name[pstr.len] = '\0';
|
|
set_delayed_call(done, kfree_link, pstr.name);
|
|
return pstr.name;
|
|
|
|
err_kfree:
|
|
kfree(pstr.name);
|
|
return ERR_PTR(err);
|
|
}
|
|
EXPORT_SYMBOL_GPL(fscrypt_get_symlink);
|