d54d35c501
In this round, we've mainly focused on discard, aka unmap, control along with fstrim for Android-specific usage model. In addition, we've fixed writepage flow which returned EAGAIN previously resulting in EIO of fsync(2) due to mapping's error state. In order to avoid old MM bug [1], we decided not to use __GFP_ZERO for the mapping for node and meta page caches. As always, we've cleaned up many places for future fsverity and symbol conflicts. Enhancement: - do discard/fstrim in lower priority considering fs utilization - split large discard commands into smaller ones for better responsiveness - add more sanity checks to address syzbot reports - add a mount option, fsync_mode=nobarrier, which can reduce # of cache flushes - clean up symbol namespace with modified function names - be strict on block allocation and IO control in corner cases Bug fix: - don't use __GFP_ZERO for mappings - fix error reports in writepage to avoid fsync() failure - avoid selinux denial on CAP_RESOURCE on resgid/resuid - fix some subtle race conditions in GC/atomic writes/shutdown - fix overflow bugs in sanity_check_raw_super - fix missing bits on get_flags Clean-up: - prepare the generic flow for future fsverity integration - fix some broken coding standard [1] https://lkml.org/lkml/2018/4/8/661 -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEE00UqedjCtOrGVvQiQBSofoJIUNIFAlsepb8ACgkQQBSofoJI UNJdSw/+IhrYJFkJEN/pV4M5xSjYirl/P2WJ4AGi6HcpjEGmaDiBi2whod1Jw2NE 1auSMiby7K91VAmPvxMmmLhOdC8XgJ8jwY1nEaZMfmMXohlaD3FDY5bzYf5rJDF4 J184P6xUZ2IKlFVA4prwNQgYi3awPthVu1lxbFPp8GUHDbmr5ZXEysxPDzz2O0Em oE7WmklmyCHJPhmg/EcVXfF/Ekf3zMOVR+EI2otcDjnWIQioVetIK8CKi0MM4bkG X8Z318ANjGTd42woupXIzsiTrMRONY7zzkUvE+S6tfUjKZoIdofDM5OIXMdOxpxL DZ53WrwfeB74igD8jDZgqD6OaonIfDfCuKrwUASFAC2Ou4h3apj3ckUzoHtAhEUL z5yTSKTrtfuoSufhBp+nKKs3ijDgms76arw8x/pPdN6D6xDwIJtBPxC2sObPaj35 damv4GyM4+sbhGO/Gbie2q6za55IvYFZc7JNCC2D2K5tnBmUaa7/XdvxcyigniGk AZgkaddHePkAZpa5AYYirZR8bd7IFds0+m6VcybG0/pYb0qPEcI6U4mujBSCIwVy kXuD7su3jNjj6hWnCl5PSQo8yBWS5H8c6/o+5XHozzYA91dsLAmD8entuCreg6Hp NaIFio0qKULweLK86f66qQTsRPMpYRAtqPS0Ew0+3llKMcrlRp4= =JrW7 -----END PGP SIGNATURE----- Merge tag 'f2fs-for-4.18' of git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs Pull f2fs updates from Jaegeuk Kim: "In this round, we've mainly focused on discard, aka unmap, control along with fstrim for Android-specific usage model. In addition, we've fixed writepage flow which returned EAGAIN previously resulting in EIO of fsync(2) due to mapping's error state. In order to avoid old MM bug [1], we decided not to use __GFP_ZERO for the mapping for node and meta page caches. As always, we've cleaned up many places for future fsverity and symbol conflicts. Enhancements: - do discard/fstrim in lower priority considering fs utilization - split large discard commands into smaller ones for better responsiveness - add more sanity checks to address syzbot reports - add a mount option, fsync_mode=nobarrier, which can reduce # of cache flushes - clean up symbol namespace with modified function names - be strict on block allocation and IO control in corner cases Bug fixes: - don't use __GFP_ZERO for mappings - fix error reports in writepage to avoid fsync() failure - avoid selinux denial on CAP_RESOURCE on resgid/resuid - fix some subtle race conditions in GC/atomic writes/shutdown - fix overflow bugs in sanity_check_raw_super - fix missing bits on get_flags Clean-ups: - prepare the generic flow for future fsverity integration - fix some broken coding standard" [1] https://lkml.org/lkml/2018/4/8/661 * tag 'f2fs-for-4.18' of git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs: (79 commits) f2fs: fix to clear FI_VOLATILE_FILE correctly f2fs: let sync node IO interrupt async one f2fs: don't change wbc->sync_mode f2fs: fix to update mtime correctly fs: f2fs: insert space around that ':' and ', ' fs: f2fs: add missing blank lines after declarations fs: f2fs: changed variable type of offset "unsigned" to "loff_t" f2fs: clean up symbol namespace f2fs: make set_de_type() static f2fs: make __f2fs_write_data_pages() static f2fs: fix to avoid accessing cross the boundary f2fs: fix to let caller retry allocating block address disable loading f2fs module on PAGE_SIZE > 4KB f2fs: fix error path of move_data_page f2fs: don't drop dentry pages after fs shutdown f2fs: fix to avoid race during access gc_thread pointer f2fs: clean up with clear_radix_tree_dirty_tag f2fs: fix to don't trigger writeback during recovery f2fs: clear discard_wake earlier f2fs: let discard thread wait a little longer if dev is busy ...
204 lines
7.2 KiB
C
204 lines
7.2 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
/*
|
|
* fscrypt_supp.h
|
|
*
|
|
* Do not include this file directly. Use fscrypt.h instead!
|
|
*/
|
|
#ifndef _LINUX_FSCRYPT_H
|
|
#error "Incorrect include of linux/fscrypt_supp.h!"
|
|
#endif
|
|
|
|
#ifndef _LINUX_FSCRYPT_SUPP_H
|
|
#define _LINUX_FSCRYPT_SUPP_H
|
|
|
|
#include <linux/mm.h>
|
|
#include <linux/slab.h>
|
|
|
|
/*
|
|
* fscrypt superblock flags
|
|
*/
|
|
#define FS_CFLG_OWN_PAGES (1U << 1)
|
|
|
|
/*
|
|
* crypto operations for filesystems
|
|
*/
|
|
struct fscrypt_operations {
|
|
unsigned int flags;
|
|
const char *key_prefix;
|
|
int (*get_context)(struct inode *, void *, size_t);
|
|
int (*set_context)(struct inode *, const void *, size_t, void *);
|
|
bool (*dummy_context)(struct inode *);
|
|
bool (*empty_dir)(struct inode *);
|
|
unsigned int max_namelen;
|
|
};
|
|
|
|
struct fscrypt_ctx {
|
|
union {
|
|
struct {
|
|
struct page *bounce_page; /* Ciphertext page */
|
|
struct page *control_page; /* Original page */
|
|
} w;
|
|
struct {
|
|
struct bio *bio;
|
|
struct work_struct work;
|
|
} r;
|
|
struct list_head free_list; /* Free list */
|
|
};
|
|
u8 flags; /* Flags */
|
|
};
|
|
|
|
static inline bool fscrypt_has_encryption_key(const struct inode *inode)
|
|
{
|
|
return (inode->i_crypt_info != NULL);
|
|
}
|
|
|
|
static inline bool fscrypt_dummy_context_enabled(struct inode *inode)
|
|
{
|
|
return inode->i_sb->s_cop->dummy_context &&
|
|
inode->i_sb->s_cop->dummy_context(inode);
|
|
}
|
|
|
|
/* crypto.c */
|
|
extern void fscrypt_enqueue_decrypt_work(struct work_struct *);
|
|
extern struct fscrypt_ctx *fscrypt_get_ctx(const struct inode *, gfp_t);
|
|
extern void fscrypt_release_ctx(struct fscrypt_ctx *);
|
|
extern struct page *fscrypt_encrypt_page(const struct inode *, struct page *,
|
|
unsigned int, unsigned int,
|
|
u64, gfp_t);
|
|
extern int fscrypt_decrypt_page(const struct inode *, struct page *, unsigned int,
|
|
unsigned int, u64);
|
|
|
|
static inline struct page *fscrypt_control_page(struct page *page)
|
|
{
|
|
return ((struct fscrypt_ctx *)page_private(page))->w.control_page;
|
|
}
|
|
|
|
extern void fscrypt_restore_control_page(struct page *);
|
|
|
|
/* policy.c */
|
|
extern int fscrypt_ioctl_set_policy(struct file *, const void __user *);
|
|
extern int fscrypt_ioctl_get_policy(struct file *, void __user *);
|
|
extern int fscrypt_has_permitted_context(struct inode *, struct inode *);
|
|
extern int fscrypt_inherit_context(struct inode *, struct inode *,
|
|
void *, bool);
|
|
/* keyinfo.c */
|
|
extern int fscrypt_get_encryption_info(struct inode *);
|
|
extern void fscrypt_put_encryption_info(struct inode *);
|
|
|
|
/* fname.c */
|
|
extern int fscrypt_setup_filename(struct inode *, const struct qstr *,
|
|
int lookup, struct fscrypt_name *);
|
|
|
|
static inline void fscrypt_free_filename(struct fscrypt_name *fname)
|
|
{
|
|
kfree(fname->crypto_buf.name);
|
|
}
|
|
|
|
extern int fscrypt_fname_alloc_buffer(const struct inode *, u32,
|
|
struct fscrypt_str *);
|
|
extern void fscrypt_fname_free_buffer(struct fscrypt_str *);
|
|
extern int fscrypt_fname_disk_to_usr(struct inode *, u32, u32,
|
|
const struct fscrypt_str *, struct fscrypt_str *);
|
|
|
|
#define FSCRYPT_FNAME_MAX_UNDIGESTED_SIZE 32
|
|
|
|
/* Extracts the second-to-last ciphertext block; see explanation below */
|
|
#define FSCRYPT_FNAME_DIGEST(name, len) \
|
|
((name) + round_down((len) - FS_CRYPTO_BLOCK_SIZE - 1, \
|
|
FS_CRYPTO_BLOCK_SIZE))
|
|
|
|
#define FSCRYPT_FNAME_DIGEST_SIZE FS_CRYPTO_BLOCK_SIZE
|
|
|
|
/**
|
|
* fscrypt_digested_name - alternate identifier for an on-disk filename
|
|
*
|
|
* When userspace lists an encrypted directory without access to the key,
|
|
* filenames whose ciphertext is longer than FSCRYPT_FNAME_MAX_UNDIGESTED_SIZE
|
|
* bytes are shown in this abbreviated form (base64-encoded) rather than as the
|
|
* full ciphertext (base64-encoded). This is necessary to allow supporting
|
|
* filenames up to NAME_MAX bytes, since base64 encoding expands the length.
|
|
*
|
|
* To make it possible for filesystems to still find the correct directory entry
|
|
* despite not knowing the full on-disk name, we encode any filesystem-specific
|
|
* 'hash' and/or 'minor_hash' which the filesystem may need for its lookups,
|
|
* followed by the second-to-last ciphertext block of the filename. Due to the
|
|
* use of the CBC-CTS encryption mode, the second-to-last ciphertext block
|
|
* depends on the full plaintext. (Note that ciphertext stealing causes the
|
|
* last two blocks to appear "flipped".) This makes accidental collisions very
|
|
* unlikely: just a 1 in 2^128 chance for two filenames to collide even if they
|
|
* share the same filesystem-specific hashes.
|
|
*
|
|
* However, this scheme isn't immune to intentional collisions, which can be
|
|
* created by anyone able to create arbitrary plaintext filenames and view them
|
|
* without the key. Making the "digest" be a real cryptographic hash like
|
|
* SHA-256 over the full ciphertext would prevent this, although it would be
|
|
* less efficient and harder to implement, especially since the filesystem would
|
|
* need to calculate it for each directory entry examined during a search.
|
|
*/
|
|
struct fscrypt_digested_name {
|
|
u32 hash;
|
|
u32 minor_hash;
|
|
u8 digest[FSCRYPT_FNAME_DIGEST_SIZE];
|
|
};
|
|
|
|
/**
|
|
* fscrypt_match_name() - test whether the given name matches a directory entry
|
|
* @fname: the name being searched for
|
|
* @de_name: the name from the directory entry
|
|
* @de_name_len: the length of @de_name in bytes
|
|
*
|
|
* Normally @fname->disk_name will be set, and in that case we simply compare
|
|
* that to the name stored in the directory entry. The only exception is that
|
|
* if we don't have the key for an encrypted directory and a filename in it is
|
|
* very long, then we won't have the full disk_name and we'll instead need to
|
|
* match against the fscrypt_digested_name.
|
|
*
|
|
* Return: %true if the name matches, otherwise %false.
|
|
*/
|
|
static inline bool fscrypt_match_name(const struct fscrypt_name *fname,
|
|
const u8 *de_name, u32 de_name_len)
|
|
{
|
|
if (unlikely(!fname->disk_name.name)) {
|
|
const struct fscrypt_digested_name *n =
|
|
(const void *)fname->crypto_buf.name;
|
|
if (WARN_ON_ONCE(fname->usr_fname->name[0] != '_'))
|
|
return false;
|
|
if (de_name_len <= FSCRYPT_FNAME_MAX_UNDIGESTED_SIZE)
|
|
return false;
|
|
return !memcmp(FSCRYPT_FNAME_DIGEST(de_name, de_name_len),
|
|
n->digest, FSCRYPT_FNAME_DIGEST_SIZE);
|
|
}
|
|
|
|
if (de_name_len != fname->disk_name.len)
|
|
return false;
|
|
return !memcmp(de_name, fname->disk_name.name, fname->disk_name.len);
|
|
}
|
|
|
|
/* bio.c */
|
|
extern void fscrypt_decrypt_bio(struct bio *);
|
|
extern void fscrypt_enqueue_decrypt_bio(struct fscrypt_ctx *ctx,
|
|
struct bio *bio);
|
|
extern void fscrypt_pullback_bio_page(struct page **, bool);
|
|
extern int fscrypt_zeroout_range(const struct inode *, pgoff_t, sector_t,
|
|
unsigned int);
|
|
|
|
/* hooks.c */
|
|
extern int fscrypt_file_open(struct inode *inode, struct file *filp);
|
|
extern int __fscrypt_prepare_link(struct inode *inode, struct inode *dir);
|
|
extern int __fscrypt_prepare_rename(struct inode *old_dir,
|
|
struct dentry *old_dentry,
|
|
struct inode *new_dir,
|
|
struct dentry *new_dentry,
|
|
unsigned int flags);
|
|
extern int __fscrypt_prepare_lookup(struct inode *dir, struct dentry *dentry);
|
|
extern int __fscrypt_prepare_symlink(struct inode *dir, unsigned int len,
|
|
unsigned int max_len,
|
|
struct fscrypt_str *disk_link);
|
|
extern int __fscrypt_encrypt_symlink(struct inode *inode, const char *target,
|
|
unsigned int len,
|
|
struct fscrypt_str *disk_link);
|
|
extern const char *fscrypt_get_symlink(struct inode *inode, const void *caddr,
|
|
unsigned int max_size,
|
|
struct delayed_call *done);
|
|
|
|
#endif /* _LINUX_FSCRYPT_SUPP_H */
|