1. 26 10月, 2017 4 次提交
  2. 12 9月, 2017 1 次提交
  3. 08 7月, 2017 1 次提交
  4. 04 5月, 2017 3 次提交
    • E
      f2fs: switch to using fscrypt_match_name() · 1f73d491
      Eric Biggers 提交于
      Switch f2fs directory searches to use the fscrypt_match_name() helper
      function.  There should be no functional change.
      Signed-off-by: NEric Biggers <ebiggers@google.com>
      Acked-by: NJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      1f73d491
    • E
      fscrypt: avoid collisions when presenting long encrypted filenames · 6b06cdee
      Eric Biggers 提交于
      When accessing an encrypted directory without the key, userspace must
      operate on filenames derived from the ciphertext names, which contain
      arbitrary bytes.  Since we must support filenames as long as NAME_MAX,
      we can't always just base64-encode the ciphertext, since that may make
      it too long.  Currently, this is solved by presenting long names in an
      abbreviated form containing any needed filesystem-specific hashes (e.g.
      to identify a directory block), then the last 16 bytes of ciphertext.
      This needs to be sufficient to identify the actual name on lookup.
      
      However, there is a bug.  It seems to have been assumed that due to the
      use of a CBC (ciphertext block chaining)-based encryption mode, the last
      16 bytes (i.e. the AES block size) of ciphertext would depend on the
      full plaintext, preventing collisions.  However, we actually use CBC
      with ciphertext stealing (CTS), which handles the last two blocks
      specially, causing them to appear "flipped".  Thus, it's actually the
      second-to-last block which depends on the full plaintext.
      
      This caused long filenames that differ only near the end of their
      plaintexts to, when observed without the key, point to the wrong inode
      and be undeletable.  For example, with ext4:
      
          # echo pass | e4crypt add_key -p 16 edir/
          # seq -f "edir/abcdefghijklmnopqrstuvwxyz012345%.0f" 100000 | xargs touch
          # find edir/ -type f | xargs stat -c %i | sort | uniq | wc -l
          100000
          # sync
          # echo 3 > /proc/sys/vm/drop_caches
          # keyctl new_session
          # find edir/ -type f | xargs stat -c %i | sort | uniq | wc -l
          2004
          # rm -rf edir/
          rm: cannot remove 'edir/_A7nNFi3rhkEQlJ6P,hdzluhODKOeWx5V': Structure needs cleaning
          ...
      
      To fix this, when presenting long encrypted filenames, encode the
      second-to-last block of ciphertext rather than the last 16 bytes.
      
      Although it would be nice to solve this without depending on a specific
      encryption mode, that would mean doing a cryptographic hash like SHA-256
      which would be much less efficient.  This way is sufficient for now, and
      it's still compatible with encryption modes like HEH which are strong
      pseudorandom permutations.  Also, changing the presented names is still
      allowed at any time because they are only provided to allow applications
      to do things like delete encrypted directories.  They're not designed to
      be used to persistently identify files --- which would be hard to do
      anyway, given that they're encrypted after all.
      
      For ease of backports, this patch only makes the minimal fix to both
      ext4 and f2fs.  It leaves ubifs as-is, since ubifs doesn't compare the
      ciphertext block yet.  Follow-on patches will clean things up properly
      and make the filesystems use a shared helper function.
      
      Fixes: 5de0b4d0 ("ext4 crypto: simplify and speed up filename encryption")
      Reported-by: NGwendal Grignou <gwendal@chromium.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: NEric Biggers <ebiggers@google.com>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      6b06cdee
    • J
      f2fs: check entire encrypted bigname when finding a dentry · 6332cd32
      Jaegeuk Kim 提交于
      If user has no key under an encrypted dir, fscrypt gives digested dentries.
      Previously, when looking up a dentry, f2fs only checks its hash value with
      first 4 bytes of the digested dentry, which didn't handle hash collisions fully.
      This patch enhances to check entire dentry bytes likewise ext4.
      
      Eric reported how to reproduce this issue by:
      
       # seq -f "edir/abcdefghijklmnopqrstuvwxyz012345%.0f" 100000 | xargs touch
       # find edir -type f | xargs stat -c %i | sort | uniq | wc -l
      100000
       # sync
       # echo 3 > /proc/sys/vm/drop_caches
       # keyctl new_session
       # find edir -type f | xargs stat -c %i | sort | uniq | wc -l
      99999
      
      Cc: <stable@vger.kernel.org>
      Reported-by: NEric Biggers <ebiggers@google.com>
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      (fixed f2fs_dentry_hash() to work even when the hash is 0)
      Signed-off-by: NEric Biggers <ebiggers@google.com>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      6332cd32
  5. 26 4月, 2017 1 次提交
  6. 06 4月, 2017 1 次提交
  7. 22 3月, 2017 1 次提交
    • K
      f2fs: cleanup the disk level filename updating · d03ba4cc
      Kinglong Mee 提交于
      As discuss with Jaegeuk and Chao,
      "Once checkpoint is done, f2fs doesn't need to update there-in filename at all."
      
      The disk-level filename is used only one case,
      1. create a file A under a dir
      2. sync A
      3. godown
      4. umount
      5. mount (roll_forward)
      
      Only the rename/cross_rename changes the filename, if it happens,
      a. between step 1 and 2, the sync A will caused checkpoint, so that,
         the roll_forward at step 5 never happens.
      b. after step 2, the roll_forward happens, file A will roll forward
         to the result as after step 1.
      
      So that, any updating the disk filename is useless, just cleanup it.
      Signed-off-by: NKinglong Mee <kinglongmee@gmail.com>
      Reviewed-by: NChao Yu <yuchao0@huawei.com>
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      d03ba4cc
  8. 20 3月, 2017 1 次提交
  9. 28 2月, 2017 1 次提交
  10. 24 2月, 2017 1 次提交
    • J
      f2fs: fix multiple f2fs_add_link() calls having same name · 88c5c13a
      Jaegeuk Kim 提交于
      It turns out a stakable filesystem like sdcardfs in AOSP can trigger multiple
      vfs_create() to lower filesystem. In that case, f2fs will add multiple dentries
      having same name which breaks filesystem consistency.
      
      Until upper layer fixes, let's work around by f2fs, which shows actually not
      much performance regression.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      88c5c13a
  11. 01 1月, 2017 1 次提交
    • E
      fscrypt: use ENOKEY when file cannot be created w/o key · 54475f53
      Eric Biggers 提交于
      As part of an effort to clean up fscrypt-related error codes, make
      attempting to create a file in an encrypted directory that hasn't been
      "unlocked" fail with ENOKEY.  Previously, several error codes were used
      for this case, including ENOENT, EACCES, and EPERM, and they were not
      consistent between and within filesystems.  ENOKEY is a better choice
      because it expresses that the failure is due to lacking the encryption
      key.  It also matches the error code returned when trying to open an
      encrypted regular file without the key.
      
      I am not aware of any users who might be relying on the previous
      inconsistent error codes, which were never documented anywhere.
      
      This failure case will be exercised by an xfstest.
      Signed-off-by: NEric Biggers <ebiggers@google.com>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      54475f53
  12. 24 11月, 2016 4 次提交
  13. 01 10月, 2016 1 次提交
    • C
      f2fs: support configuring fault injection per superblock · 1ecc0c5c
      Chao Yu 提交于
      Previously, we only support global fault injection configuration, so that
      when we configure type/rate of fault injection through sysfs, mount
      option, it will influence all f2fs partition which is being used.
      
      It is not make sence, since it will be not convenient if developer want
      to test separated partitions with different fault injection rate/type
      simultaneously, also it's not possible to enable fault injection in one
      partition and disable fault injection in other one.
      
      >From now on, we move global configuration of fault injection in module
      into per-superblock, hence injection testing can be more flexible.
      Signed-off-by: NChao Yu <yuchao0@huawei.com>
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      1ecc0c5c
  14. 28 9月, 2016 1 次提交
  15. 23 9月, 2016 1 次提交
  16. 16 9月, 2016 1 次提交
    • E
      fscrypto: make filename crypto functions return 0 on success · ef1eb3aa
      Eric Biggers 提交于
      Several filename crypto functions: fname_decrypt(),
      fscrypt_fname_disk_to_usr(), and fscrypt_fname_usr_to_disk(), returned
      the output length on success or -errno on failure.  However, the output
      length was redundant with the value written to 'oname->len'.  It is also
      potentially error-prone to make callers have to check for '< 0' instead
      of '!= 0'.
      
      Therefore, make these functions return 0 instead of a length, and make
      the callers who cared about the return value being a length use
      'oname->len' instead.  For consistency also make other callers check for
      a nonzero result rather than a negative result.
      
      This change also fixes the inconsistency of fname_encrypt() actually
      already returning 0 on success, not a length like the other filename
      crypto functions and as documented in its function comment.
      Signed-off-by: NEric Biggers <ebiggers@google.com>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      Reviewed-by: NAndreas Dilger <adilger@dilger.ca>
      Acked-by: NJaegeuk Kim <jaegeuk@kernel.org>
      ef1eb3aa
  17. 08 9月, 2016 4 次提交
  18. 30 8月, 2016 1 次提交
  19. 31 7月, 2016 1 次提交
  20. 21 7月, 2016 1 次提交
  21. 09 7月, 2016 1 次提交
  22. 07 7月, 2016 1 次提交
  23. 16 6月, 2016 1 次提交
  24. 14 6月, 2016 1 次提交
    • J
      f2fs: fix deadlock in add_link failure · c92737ce
      Jaegeuk Kim 提交于
      mkdir                        sync_dirty_inode
       - init_inode_metadata
         - lock_page(node)
         - make_empty_dir
                                   - filemap_fdatawrite()
                                    - do_writepages
                                    - lock_page(data)
                                    - write_page(data)
                                     - lock_page(node)
         - f2fs_init_acl
          - error
         - truncate_inode_pages
          - lock_page(data)
      
      So, we don't need to truncate data pages in this error case, which will
      be done by f2fs_evict_inode.
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      c92737ce
  25. 08 6月, 2016 1 次提交
  26. 03 6月, 2016 4 次提交