29 Dec, 2018

2 commits

  • commit e58725d51fa8da9133f3f1c54170aa2e43056b91 upstream.

    UBIFS's recovery code strictly assumes that a deleted inode will never
    come back, therefore it removes all data which belongs to that inode
    as soon as it faces an inode with link count 0 in the replay list.
    Before O_TMPFILE this assumption was perfectly fine. With O_TMPFILE
    it can lead to data loss upon a power-cut.

    Consider a journal with entries like:
    0: inode X (nlink = 0) /* O_TMPFILE was created */
    1: data for inode X /* Someone writes to the temp file */
    2: inode X (nlink = 0) /* inode was changed, xattr, chmod, … */
    3: inode X (nlink = 1) /* inode was re-linked via linkat() */

    Upon replay of entry #2 UBIFS will drop all data that belongs to inode X,
    this will lead to an empty file after mounting.

    As a solution for this problem, scan the replay list for a re-link entry
    before dropping data.

    Fixes: 474b93704f32 ("ubifs: Implement O_TMPFILE")
    Cc: stable@vger.kernel.org # 4.9-4.18
    Cc: Russell Senior
    Cc: Rafał Miłecki
    Reported-by: Russell Senior
    Reported-by: Rafał Miłecki
    Tested-by: Rafał Miłecki
    Signed-off-by: Richard Weinberger
    [rmilecki: update ubifs_assert() calls to compile with 4.18 and older]
    Signed-off-by: Rafał Miłecki
    (cherry picked from commit e58725d51fa8da9133f3f1c54170aa2e43056b91)
    Signed-off-by: Sasha Levin

    Richard Weinberger
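
The replay rule from the commit message above, modelled in user space as an added example (not the kernel patch and not UBIFS code). `struct jentry`, `relinked_later` and `replay_surviving_bytes` are hypothetical names; the journal is constructed from the four entries in the message plus one inode that really is deleted.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified journal entry; not the kernel's replay structure. */
enum entry_kind { ENT_INODE, ENT_DATA };

struct jentry {
    enum entry_kind kind;
    unsigned long inum;   /* inode the entry belongs to */
    unsigned int nlink;   /* link count, inode entries only */
    size_t data_len;      /* payload size, data entries only */
};

#define INO_X 65UL  /* constructed: the O_TMPFILE inode that gets re-linked */
#define INO_Y 66UL  /* constructed: an ordinary file that is unlinked for good */

/* Constructed sample journal, in replay order. */
static const struct jentry sample_journal[] = {
    { ENT_INODE, INO_X, 0, 0 },     /* 0: O_TMPFILE was created */
    { ENT_DATA,  INO_X, 0, 4096 },  /* 1: someone writes to the temp file */
    { ENT_INODE, INO_X, 0, 0 },     /* 2: inode changed (xattr, chmod, ...) */
    { ENT_INODE, INO_X, 1, 0 },     /* 3: re-linked via linkat() */
    { ENT_INODE, INO_Y, 1, 0 },     /* regular file created */
    { ENT_DATA,  INO_Y, 0, 512 },   /* data written */
    { ENT_INODE, INO_Y, 0, 0 },     /* unlinked, never comes back */
};
#define SAMPLE_LEN (sizeof(sample_journal) / sizeof(sample_journal[0]))

/* Is there a later inode entry for the same inode with nlink > 0? */
static bool relinked_later(const struct jentry *j, size_t n, size_t pos)
{
    for (size_t i = pos + 1; i < n; i++)
        if (j[i].kind == ENT_INODE && j[i].inum == j[pos].inum &&
            j[i].nlink > 0)
            return true;
    return false;
}

/*
 * Replay the journal for one inode and return how many data bytes survive.
 * scan_for_relink == false models the old assumption (nlink 0 means the
 * inode is gone for good); true models the fix: look ahead in the replay
 * list for a re-link entry before dropping data.
 */
size_t replay_surviving_bytes(const struct jentry *j, size_t n,
                              unsigned long inum, bool scan_for_relink)
{
    size_t bytes = 0;

    for (size_t i = 0; i < n; i++) {
        if (j[i].inum != inum)
            continue;
        if (j[i].kind == ENT_DATA) {
            bytes += j[i].data_len;
            continue;
        }
        if (j[i].nlink == 0) {
            if (scan_for_relink && relinked_later(j, n, i))
                continue;   /* inode comes back: keep its data */
            bytes = 0;      /* drop all data seen so far */
        }
    }
    return bytes;
}

int main(void)
{
    printf("inode X, old replay:   %zu bytes\n",
           replay_surviving_bytes(sample_journal, SAMPLE_LEN, INO_X, false));
    printf("inode X, fixed replay: %zu bytes\n",
           replay_surviving_bytes(sample_journal, SAMPLE_LEN, INO_X, true));
    printf("inode Y, fixed replay: %zu bytes\n",
           replay_surviving_bytes(sample_journal, SAMPLE_LEN, INO_Y, true));
    return 0;
}
```

The look-ahead only changes the outcome for inodes that are re-linked later; a file that is unlinked and stays unlinked still has its data dropped.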
     
  • commit 00ee8b60102862f4daf0814d12a2ea2744fc0b9b upstream

    We have to account the name of the symlink and not the target length.

    Fixes: ca7f85be8d6c ("ubifs: Add support for encrypted symlinks")
    Cc:
    Signed-off-by: Richard Weinberger
    Signed-off-by: Sudip Mukherjee
    Signed-off-by: Sasha Levin

    Richard Weinberger
     

13 Oct, 2018

1 commit

  • commit 37f31b6ca4311b94d985fb398a72e5399ad57925 upstream.

    The requested device name can be NULL or an empty string.
    Check for that and refuse to continue. UBIFS has to do this manually
    since we cannot use mount_bdev(), which checks for this condition.

    Fixes: 1e51764a3c2ac ("UBIFS: add new flash file system")
    Reported-by: syzbot+38bd0f7865e5c6379280@syzkaller.appspotmail.com
    Signed-off-by: Richard Weinberger
    Signed-off-by: Greg Kroah-Hartman

    Richard Weinberger
     

29 Sep, 2018

1 commit

  • commit f061c1cc404a618858a77aea233fde0aeaad2f2d upstream.

    This reverts commit 11a6fc3dc743e22fb50f2196ec55bee5140d3c52.
    UBIFS wants to assert that xattr operations are only issued on files
    with positive link count. The said patch made these operations return
    -ENOENT for unlinked files such that the asserts will no longer trigger.
    This was wrong since xattr operations are perfectly fine on unlinked
    files.
    Instead the assertions need to be fixed/removed.

    Cc:
    Fixes: 11a6fc3dc743 ("ubifs: xattr: Don't operate on deleted inodes")
    Reported-by: Koen Vandeputte
    Tested-by: Joel Stanley
    Signed-off-by: Richard Weinberger
    Signed-off-by: Greg Kroah-Hartman

    Richard Weinberger
     

10 Sep, 2018

5 commits

  • commit 59965593205fa4044850d35ee3557cf0b7edcd14 upstream.

    In ubifs_jnl_update() we sync parent and child inodes to the flash,
    in case of xattrs, the parent inode (AKA host inode) has a non-zero
    data_len. Therefore we need to adjust synced_i_size too.

    This issue was reported by ubifs self tests under an xattr related work
    load.
    UBIFS error (ubi0:0 pid 1896): dbg_check_synced_i_size: ui_size is 4, synced_i_size is 0, but inode is clean
    UBIFS error (ubi0:0 pid 1896): dbg_check_synced_i_size: i_ino 65, i_mode 0x81a4, i_size 4

    Cc:
    Fixes: 1e51764a3c2a ("UBIFS: add new flash file system")
    Signed-off-by: Richard Weinberger
    Signed-off-by: Greg Kroah-Hartman

    Richard Weinberger
     
  • commit 11a6fc3dc743e22fb50f2196ec55bee5140d3c52 upstream.

    xattr operations can race with unlink and the following assert triggers:
    UBIFS assert failed in ubifs_jnl_change_xattr at 1606 (pid 6256)

    Fix this by checking i_nlink before working on the host inode.

    Cc:
    Fixes: 1e51764a3c2a ("UBIFS: add new flash file system")
    Signed-off-by: Richard Weinberger
    Signed-off-by: Greg Kroah-Hartman

    Richard Weinberger
     
  • commit 95a22d2084d72ea067d8323cc85677dba5d97cae upstream.

    Check whether the size is within bounds before using it.
    If the size is not correct, abort and dump the bad data node.

    Cc: Kees Cook
    Cc: Silvio Cesare
    Cc: stable@vger.kernel.org
    Fixes: 1e51764a3c2ac ("UBIFS: add new flash file system")
    Reported-by: Silvio Cesare
    Signed-off-by: Richard Weinberger
    Reviewed-by: Kees Cook
    Signed-off-by: Richard Weinberger
    Signed-off-by: Greg Kroah-Hartman

    Richard Weinberger
     
  • commit 08acbdd6fd736b90f8d725da5a0de4de2dd6de62 upstream.

    This reverts commit 353748a359f1821ee934afc579cf04572406b420.
    It bypassed the linux-mtd review process and fixes the issue not as it
    should.

    Cc: Kees Cook
    Cc: Silvio Cesare
    Cc: stable@vger.kernel.org
    Signed-off-by: Richard Weinberger
    Signed-off-by: Greg Kroah-Hartman

    Richard Weinberger
     
  • commit eef19816ada3abd56d9f20c88794cc2fea83ebb2 upstream.

    Allocate the buffer after we return early.
    Otherwise memory is being leaked.

    Cc:
    Fixes: 1e51764a3c2a ("UBIFS: add new flash file system")
    Signed-off-by: Richard Weinberger
    Signed-off-by: Greg Kroah-Hartman

    Richard Weinberger
     

03 Jul, 2018

1 commit

  • commit 353748a359f1821ee934afc579cf04572406b420 upstream.

    There is potential for the size and len fields in ubifs_data_node to be
    too large causing either a negative value for the length fields or an
    integer overflow leading to an incorrect memory allocation. Likewise,
    when the len field is small, an integer underflow may occur.

    Signed-off-by: Silvio Cesare
    Fixes: 1e51764a3c2ac ("UBIFS: add new flash file system")
    Cc: stable@vger.kernel.org
    Signed-off-by: Kees Cook
    Signed-off-by: Greg Kroah-Hartman

    Silvio Cesare
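
The size/len problem described in this commit, and the "check before use, otherwise dump the bad data node" approach of commit 95a22d2084d7 listed above, shown as an added user-space example (not the kernel patch and not UBIFS code). `struct data_node_hdr` and all function names are hypothetical; the two constants are assumed to mirror UBIFS_BLOCK_SIZE and UBIFS_DATA_NODE_SZ, and the payload is treated as uncompressed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE   4096u /* assumption: mirrors UBIFS_BLOCK_SIZE */
#define DATA_NODE_SZ 48u   /* assumption: mirrors UBIFS_DATA_NODE_SZ (header size) */

/* Constructed stand-in for the two fields that are read from flash. */
struct data_node_hdr {
    uint32_t len;  /* whole node: header plus stored payload */
    uint32_t size; /* payload size after decompression */
};

enum dn_status { DN_OK, DN_BAD_LEN, DN_BAD_SIZE, DN_MISMATCH };

/* The unchecked subtraction: wraps to a huge value when len < DATA_NODE_SZ. */
uint32_t unchecked_payload_len(const struct data_node_hdr *h)
{
    return h->len - DATA_NODE_SZ; /* turns negative once stored in an int */
}

/* Range-check both fields before any arithmetic or allocation uses them. */
enum dn_status validate_data_node(const struct data_node_hdr *h)
{
    if (h->len <= DATA_NODE_SZ || h->len - DATA_NODE_SZ > BLOCK_SIZE)
        return DN_BAD_LEN;
    if (h->size == 0 || h->size > BLOCK_SIZE)
        return DN_BAD_SIZE;
    return DN_OK;
}

/* "Dump the bad data node": log the offending fields instead of using them. */
static void dump_bad_node(const struct data_node_hdr *h, enum dn_status why)
{
    fprintf(stderr, "bad data node (reason %d): len=%u size=%u\n",
            (int)why, (unsigned)h->len, (unsigned)h->size);
}

/*
 * Read one uncompressed block into a BLOCK_SIZE buffer. Returns the number
 * of bytes copied, or a negative dn_status when the node is rejected.
 */
int read_block(const struct data_node_hdr *h, const uint8_t *payload,
               uint8_t out[BLOCK_SIZE])
{
    enum dn_status st = validate_data_node(h);
    uint32_t dlen = 0;

    if (st == DN_OK) {
        dlen = h->len - DATA_NODE_SZ; /* cannot wrap: len > DATA_NODE_SZ */
        if (dlen != h->size)          /* uncompressed: stored == logical size */
            st = DN_MISMATCH;
    }
    if (st != DN_OK) {
        dump_bad_node(h, st);
        return -(int)st;
    }
    memcpy(out, payload, dlen);       /* dlen <= BLOCK_SIZE is guaranteed here */
    return (int)dlen;
}

int main(void)
{
    static uint8_t out[BLOCK_SIZE];
    struct data_node_hdr small = { 8, 16 };                   /* constructed */
    struct data_node_hdr huge  = { DATA_NODE_SZ + 100, 0x80000001u };
    struct data_node_hdr good  = { DATA_NODE_SZ + 5, 5 };

    printf("unchecked payload length for len=8: %u\n",
           (unsigned)unchecked_payload_len(&small));
    printf("small -> %d\n", read_block(&small, (const uint8_t *)"", out));
    printf("huge  -> %d\n", read_block(&huge, (const uint8_t *)"", out));
    printf("good  -> %d\n", read_block(&good, (const uint8_t *)"hello", out));
    return 0;
}
```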
     

26 Apr, 2018

1 commit

  • [ Upstream commit c877154d307f4a91e0b5b85b75535713dab945ae ]

    fs/ubifs/tnc.c: In function ‘search_dh_cookie’:
    fs/ubifs/tnc.c:1893: warning: ‘err’ is used uninitialized in this function

    Indeed, err is always used uninitialized.

    According to an original review comment from Hyunchul, acknowledged by
    Richard, err should be initialized to -ENOENT to avoid the first call to
    tnc_next(). But we can achieve the same by reordering the code.

    Fixes: 781f675e2d7e ("ubifs: Fix unlink code wrt. double hash lookups")
    Reported-by: Hyunchul Lee
    Signed-off-by: Geert Uytterhoeven
    Signed-off-by: Richard Weinberger
    Signed-off-by: Sasha Levin
    Signed-off-by: Greg Kroah-Hartman

    Geert Uytterhoeven
     

24 Apr, 2018

1 commit

  • commit aac17948a7ce01fb60b9ee6cf902967a47b3ce26 upstream.

    If ubifs_wbuf_sync() fails we must not write a master node with the
    dirty marker cleared.
    Otherwise it is possible that in case of an IO error while syncing we
    mark the filesystem as clean and UBIFS refuses to recover upon next
    mount.

    Cc:
    Fixes: 1e51764a3c2a ("UBIFS: add new flash file system")
    Signed-off-by: Richard Weinberger
    Signed-off-by: Greg Kroah-Hartman

    Richard Weinberger
     

17 Feb, 2018

1 commit

  • commit 6b46d444146eb8d0b99562795cea8086639d7282 upstream.

    ubifs_symlink() forgot to free the kmalloc()'ed buffer holding the
    encrypted symlink target, creating a memory leak. Fix it.

    (UBIFS could actually encrypt directly into ui->data, removing the
    temporary buffer, but that is left for the patch that switches to use
    the symlink helper functions.)

    Fixes: ca7f85be8d6c ("ubifs: Add support for encrypted symlinks")
    Signed-off-by: Eric Biggers
    Signed-off-by: Theodore Ts'o
    Signed-off-by: Greg Kroah-Hartman

    Eric Biggers
     

02 Nov, 2017

1 commit

  • Many source files in the tree are missing licensing information, which
    makes it harder for compliance tools to determine the correct license.

    By default all files without license information are under the default
    license of the kernel, which is GPL version 2.

    Update the files which contain no license information with the 'GPL-2.0'
    SPDX license identifier. The SPDX identifier is a legally binding
    shorthand, which can be used instead of the full boiler plate text.

    This patch is based on work done by Thomas Gleixner and Kate Stewart and
    Philippe Ombredanne.

    How this work was done:

    Patches were generated and checked against linux-4.14-rc6 for a subset of
    the use cases:
    - file had no licensing information in it.
    - file was a */uapi/* one with no licensing information in it,
    - file was a */uapi/* one with existing licensing information,

    Further patches will be generated in subsequent months to fix up cases
    where non-standard license headers were used, and references to license
    had to be inferred by heuristics based on keywords.

    The analysis to determine which SPDX License Identifier to be applied to
    a file was done in a spreadsheet of side by side results from the
    output of two independent scanners (ScanCode & Windriver) producing SPDX
    tag:value files created by Philippe Ombredanne. Philippe prepared the
    base worksheet, and did an initial spot review of a few 1000 files.

    The 4.13 kernel was the starting point of the analysis with 60,537 files
    assessed. Kate Stewart did a file by file comparison of the scanner
    results in the spreadsheet to determine which SPDX license identifier(s)
    to be applied to the file. She confirmed any determination that was not
    immediately clear with lawyers working with the Linux Foundation.

    Criteria used to select files for SPDX license identifier tagging was:
    - Files considered eligible had to be source code files.
    - Make and config files were included as candidates if they contained >5
    lines of source
    - File already had some variant of a license header in it (even if
    Reviewed-by: Philippe Ombredanne
    Reviewed-by: Thomas Gleixner
    Signed-off-by: Greg Kroah-Hartman

    Greg Kroah-Hartman
     

15 Sep, 2017

1 commit

  • Pull mount flag updates from Al Viro:
    "Another chunk of fmount preparations from dhowells; only trivial
    conflicts for that part. It separates MS_... bits (very grotty
    mount(2) ABI) from the struct super_block ->s_flags (kernel-internal,
    only a small subset of MS_... stuff).

    This does *not* convert the filesystems to new constants; only the
    infrastructure is done here. The next step in that series is where the
    conflicts would be; that's the conversion of filesystems. It's purely
    mechanical and it's better done after the merge, so if you could run
    something like

    list=$(for i in MS_RDONLY MS_NOSUID MS_NODEV MS_NOEXEC MS_SYNCHRONOUS MS_MANDLOCK MS_DIRSYNC MS_NOATIME MS_NODIRATIME MS_SILENT MS_POSIXACL MS_KERNMOUNT MS_I_VERSION MS_LAZYTIME; do git grep -l $i fs drivers/staging/lustre drivers/mtd ipc mm include/linux; done|sort|uniq|grep -v '^fs/namespace.c$')

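    sed -i -e 's/\<MS_RDONLY\>/SB_RDONLY/g' \
    -e 's/\<MS_NOSUID\>/SB_NOSUID/g' \
    -e 's/\<MS_NODEV\>/SB_NODEV/g' \
    -e 's/\<MS_NOEXEC\>/SB_NOEXEC/g' \
    -e 's/\<MS_SYNCHRONOUS\>/SB_SYNCHRONOUS/g' \
    -e 's/\<MS_MANDLOCK\>/SB_MANDLOCK/g' \
    -e 's/\<MS_DIRSYNC\>/SB_DIRSYNC/g' \
    -e 's/\<MS_NOATIME\>/SB_NOATIME/g' \
    -e 's/\<MS_NODIRATIME\>/SB_NODIRATIME/g' \
    -e 's/\<MS_SILENT\>/SB_SILENT/g' \
    -e 's/\<MS_POSIXACL\>/SB_POSIXACL/g' \
    -e 's/\<MS_KERNMOUNT\>/SB_KERNMOUNT/g' \
    -e 's/\<MS_I_VERSION\>/SB_I_VERSION/g' \
    -e 's/\<MS_LAZYTIME\>/SB_LAZYTIME/g' \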
    $list

    and commit it with something along the lines of 'convert filesystems
    away from use of MS_... constants' as commit message, it would save
    quite a bit of headache next cycle"

    * 'work.mount' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
    VFS: Differentiate mount flags (MS_*) from internal superblock flags
    VFS: Convert sb->s_flags & MS_RDONLY to sb_rdonly(sb)
    vfs: Add sb_rdonly(sb) to query the MS_RDONLY flag on s_flags

    Linus Torvalds
     

09 Sep, 2017

1 commit

  • Introduce a new migration mode that allows offloading the copy to a device
    DMA engine. This changes the workflow of migration and not all
    address_space migratepage callbacks can support this.

    This is intended to be used by migrate_vma(), which itself is used for things
    like HMM (see include/linux/hmm.h).

    No additional per-filesystem migratepage testing is needed. I disabled
    MIGRATE_SYNC_NO_COPY in all problematic migratepage() callbacks and I
    added comments in those to explain why (part of this patch). The commit
    message is unclear; it should say that any callback that wishes to support
    this new mode needs to be aware of the difference in the migration flow
    from other modes.

    Some of these callbacks do extra locking while copying (aio, zsmalloc,
    balloon, ...) and for DMA to be effective you want to copy multiple
    pages in one DMA operation. But in the problematic case you cannot
    easily hold the extra lock across multiple calls to this callback.

    Usual flow is:

    For each page {
    1 - lock page
    2 - call migratepage() callback
    3 - (extra locking in some migratepage() callback)
    4 - migrate page state (freeze refcount, update page cache, buffer
    head, ...)
    5 - copy page
    6 - (unlock any extra lock of migratepage() callback)
    7 - return from migratepage() callback
    8 - unlock page
    }

    The new mode MIGRATE_SYNC_NO_COPY:
    1 - lock multiple pages
    For each page {
    2 - call migratepage() callback
    3 - abort in all problematic migratepage() callback
    4 - migrate page state (freeze refcount, update page cache, buffer
    head, ...)
    } // finished all calls to migratepage() callback
    5 - DMA copy multiple pages
    6 - unlock all the pages

    To support MIGRATE_SYNC_NO_COPY in the problematic case we would need a
    new callback migratepages() (for instance) that deals with multiple
    pages in one transaction.

    Because the problematic cases are not important for current usage I did
    not want to complexify this patchset even more for no good reason.

    Link: http://lkml.kernel.org/r/20170817000548.32038-14-jglisse@redhat.com
    Signed-off-by: Jérôme Glisse
    Cc: Aneesh Kumar
    Cc: Balbir Singh
    Cc: Benjamin Herrenschmidt
    Cc: Dan Williams
    Cc: David Nellans
    Cc: Evgeny Baskakov
    Cc: Johannes Weiner
    Cc: John Hubbard
    Cc: Kirill A. Shutemov
    Cc: Mark Hairgrove
    Cc: Michal Hocko
    Cc: Paul E. McKenney
    Cc: Ross Zwisler
    Cc: Sherry Cheung
    Cc: Subhash Gutti
    Cc: Vladimir Davydov
    Cc: Bob Liu
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Jérôme Glisse
     

01 Aug, 2017

1 commit

  • This patch converts most of the in-kernel filesystems that do writeback
    out of the pagecache to report errors using the errseq_t-based
    infrastructure that was recently added. This allows them to report
    errors once for each open file description.

    Most filesystems have a fairly straightforward fsync operation. They
    call filemap_write_and_wait_range to write back all of the data and
    wait on it, and then (sometimes) sync out the metadata.

    For those filesystems this is a straightforward conversion from calling
    filemap_write_and_wait_range in their fsync operation to calling
    file_write_and_wait_range.

    Acked-by: Jan Kara
    Acked-by: Dave Kleikamp
    Signed-off-by: Jeff Layton

    Jeff Layton
     

17 Jul, 2017

1 commit

  • Firstly by applying the following with coccinelle's spatch:

    @@ expression SB; @@
    -SB->s_flags & MS_RDONLY
    +sb_rdonly(SB)

    to effect the conversion to sb_rdonly(sb), then by applying:

    @@ expression A, SB; @@
    (
    -(!sb_rdonly(SB)) && A
    +!sb_rdonly(SB) && A
    |
    -A != (sb_rdonly(SB))
    +A != sb_rdonly(SB)
    |
    -A == (sb_rdonly(SB))
    +A == sb_rdonly(SB)
    |
    -!(sb_rdonly(SB))
    +!sb_rdonly(SB)
    |
    -A && (sb_rdonly(SB))
    +A && sb_rdonly(SB)
    |
    -A || (sb_rdonly(SB))
    +A || sb_rdonly(SB)
    |
    -(sb_rdonly(SB)) != A
    +sb_rdonly(SB) != A
    |
    -(sb_rdonly(SB)) == A
    +sb_rdonly(SB) == A
    |
    -(sb_rdonly(SB)) && A
    +sb_rdonly(SB) && A
    |
    -(sb_rdonly(SB)) || A
    +sb_rdonly(SB) || A
    )

    @@ expression A, B, SB; @@
    (
    -(sb_rdonly(SB)) ? 1 : 0
    +sb_rdonly(SB)
    |
    -(sb_rdonly(SB)) ? A : B
    +sb_rdonly(SB) ? A : B
    )

    to remove left over excess bracketage and finally by applying:

    @@ expression A, SB; @@
    (
    -(A & MS_RDONLY) != sb_rdonly(SB)
    +(bool)(A & MS_RDONLY) != sb_rdonly(SB)
    |
    -(A & MS_RDONLY) == sb_rdonly(SB)
    +(bool)(A & MS_RDONLY) == sb_rdonly(SB)
    )
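
    Review bot: in this last rule the (bool) cast is added only where (A & MS_RDONLY) is the left operand; the mirrored forms sb_rdonly(SB) != (A & MS_RDONLY) and sb_rdonly(SB) == (A & MS_RDONLY) are not among the alternatives, although the bracket-removal rule before it spells out both operand orders for every operator. Either add the two mirrored alternatives or state in the message that no such comparison exists in the tree, so a reader can tell that the int-versus-bool comparison is covered in both orders.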

    to make comparisons against the result of sb_rdonly() (which is a bool)
    work correctly.

    Signed-off-by: David Howells

    David Howells
     

15 Jul, 2017

18 commits

  • We developed RENAME_EXCHANGE and UBIFS_FLG_DOUBLE_HASH more or less in
    parallel and this case was forgotten. :-(

    Cc: stable@vger.kernel.org
    Fixes: d63d61c16972 ("ubifs: Implement UBIFS_FLG_DOUBLE_HASH")
    Signed-off-by: Richard Weinberger

    Richard Weinberger
     
  • The inode is not locked in init_xattrs when creating a new inode.

    Without this patch, an assert will occur when booting or creating
    a new file if the kernel config CONFIG_SECURITY_SMACK is enabled.

    The log looks like:

    UBIFS assert failed in ubifs_xattr_set at 298 (pid 1156)
    CPU: 1 PID: 1156 Comm: ldconfig Tainted: G S 4.12.0-rc1-207440-g1e70b02 #2
    Hardware name: MediaTek MT2712 evaluation board (DT)
    Call trace:
    [] dump_backtrace+0x0/0x238
    [] show_stack+0x14/0x20
    [] dump_stack+0x9c/0xc0
    [] ubifs_xattr_set+0x374/0x5e0
    [] init_xattrs+0x5c/0xb8
    [] security_inode_init_security+0x110/0x190
    [] ubifs_init_security+0x30/0x68
    [] ubifs_mkdir+0x100/0x200
    [] vfs_mkdir+0x11c/0x1b8
    [] SyS_mkdirat+0x74/0xd0
    [] __sys_trace_return+0x0/0x4

    Signed-off-by: Xiaolei Li
    Signed-off-by: Richard Weinberger

    Xiaolei Li
     
  • When UBIFS prepares data structures which will be written to the MTD it
    ensures that their lengths are a multiple of 8. Since it uses kmalloc() the
    padded bytes are left uninitialized and we leak a few bytes of kernel
    memory to the MTD.
    To make sure that all bytes are initialized, let's switch to kzalloc().
    Kzalloc() is fine in this case because the buffers are not huge and in
    the IO path the performance bottleneck is anyway the MTD.

    Cc: stable@vger.kernel.org
    Fixes: 1e51764a3c2a ("UBIFS: add new flash file system")
    Signed-off-by: Richard Weinberger
    Reviewed-by: Boris Brezillon
    Signed-off-by: Richard Weinberger

    Richard Weinberger
     
  • In low memory situations, page allocations for bulk read
    can kill applications for reclaiming memory, and print a
    failure message when allocations fail.
    Because bulk read is just an optimization, we don't have
    to do these and can stop page allocations.

    Though this situation happens rarely, add __GFP_NORETRY
    to prevent excessive memory reclaim and killing
    applications, and __GFP_WARN to suppress this failure
    message.

    For this, use readahead_gfp_mask for gfp flags when
    allocating pages.

    Signed-off-by: Hyunchul Lee
    Signed-off-by: Richard Weinberger

    Hyunchul Lee
     
  • When remounting with the no_bulk_read option,
    there is a problem accessing the "bulk_read buffer(bu.buf)"
    which has already been freed.

    If the bulk_read option is enabled,
    ubifs_tnc_bulk_read uses the pre-allocated bu.buf.

    While bu.buf is being used by ubifs_tnc_bulk_read,
    remounting with no_bulk_read frees bu.buf.

    So I added code to check the use of "bu.buf" to avoid this situation.

    ------
    I tested as follows (kernel v3.18):

    Use the script to repeat "no_bulk_read bulk_read"
    remount.sh
    #!/bin/sh
    while true; do
    mount -o remount,no_bulk_read ${MOUNT_POINT};
    sleep 1;
    mount -o remount,bulk_read ${MOUNT_POINT};
    sleep 1;
    done

    Perform read operation
    cat ${MOUNT_POINT}/* > /dev/null

    The problem is reproduced immediately.

    [ 234.256845][kernel.0]Internal error: Oops: 17 [#1] PREEMPT ARM
    [ 234.258557][kernel.0]CPU: 0 PID: 2752 Comm: cat Tainted: G W O 3.18.31+ #51
    [ 234.259531][kernel.0]task: cbff8580 ti: cbd66000 task.ti: cbd66000
    [ 234.260306][kernel.0]PC is at validate_data_node+0x10/0x264
    [ 234.260994][kernel.0]LR is at ubifs_tnc_bulk_read+0x388/0x3ec
    [ 234.261712][kernel.0]pc : [] lr : [] psr: 80000013
    [ 234.261712][kernel.0]sp : cbd67ba0 ip : 00000001 fp : 00000000
    [ 234.263337][kernel.0]r10: cd3e0260 r9 : c0df2008 r8 : 00000000
    [ 234.264087][kernel.0]r7 : cd3e0000 r6 : 00000000 r5 : cd3e0278 r4 : cd3e0000
    [ 234.264999][kernel.0]r3 : 00000003 r2 : cd3e0280 r1 : 00000000 r0 : cd3e0000
    [ 234.265910][kernel.0]Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
    [ 234.266896][kernel.0]Control: 10c53c7d Table: 8c40c059 DAC: 00000015
    [ 234.267711][kernel.0]Process cat (pid: 2752, stack limit = 0xcbd66400)
    [ 234.268525][kernel.0]Stack: (0xcbd67ba0 to 0xcbd68000)
    [ 234.308292][kernel.0][] (validate_data_node) from [] (ubifs_tnc_bulk_read+0x388/0x3ec)
    [ 234.309493][kernel.0][] (ubifs_tnc_bulk_read) from [] (ubifs_readpage+0x1dc/0x46c)
    [ 234.310656][kernel.0][] (ubifs_readpage) from [] (__generic_file_splice_read+0x29c/0x4cc)
    [ 234.311890][kernel.0][] (__generic_file_splice_read) from [] (generic_file_splice_read+0xb0/0xf4)
    [ 234.313214][kernel.0][] (generic_file_splice_read) from [] (do_splice_to+0x68/0x7c)
    [ 234.314386][kernel.0][] (do_splice_to) from [] (splice_direct_to_actor+0xa8/0x190)
    [ 234.315544][kernel.0][] (splice_direct_to_actor) from [] (do_splice_direct+0x90/0xb8)
    [ 234.316741][kernel.0][] (do_splice_direct) from [] (do_sendfile+0x17c/0x2b8)
    [ 234.317838][kernel.0][] (do_sendfile) from [] (SyS_sendfile64+0xc4/0xcc)
    [ 234.318890][kernel.0][] (SyS_sendfile64) from [] (ret_fast_syscall+0x0/0x38)
    [ 234.319983][kernel.0]Code: e92d47f0 e24dd050 e59f9228 e1a04000 (e5d18014)

    Signed-off-by: karam.lee
    Signed-off-by: Richard Weinberger

    karam.lee
     
  • A reference to LEB 0 or with length 0 in the TNC
    is never correct and could be caused by a memory corruption.
    Don't write such a bad index node to the MTD.
    Instead fail the commit which will turn UBIFS into read-only mode.

    This is less painful than having the bad reference on the MTD
    from where UBIFS has no chance to recover.

    Signed-off-by: Richard Weinberger

    Richard Weinberger
     
  • There currently appears to be no way for userspace to find out the
    underlying volume number for a mounted ubifs file system, since ubifs
    uses anonymous block devices. The volume name is present in
    /proc/mounts but UBI volumes can be renamed after the volume has been
    mounted.

    To remedy this, show the UBI number and UBI volume number as part of the
    options visible under /proc/mounts.

    Also, accept and ignore the ubi= vol= options if they are used when mounting
    (patch from Richard Weinberger).

    # mount -t ubifs ubi:baz x
    # mount
    ubi:baz on /root/x type ubifs (rw,relatime,ubi=0,vol=2)
    # ubirename /dev/ubi0 baz bazz
    # mount
    ubi:baz on /root/x type ubifs (rw,relatime,ubi=0,vol=2)
    # ubinfo -d 0 -n 2
    Volume ID: 2 (on ubi0)
    Type: dynamic
    Alignment: 1
    Size: 67 LEBs (1063424 bytes, 1.0 MiB)
    State: OK
    Name: bazz
    Character device major/minor: 254:3

    Signed-off-by: Rabin Vincent
    Signed-off-by: Richard Weinberger

    Rabin Vincent
     
  • statx() can report what flags a file has, expose flags that UBIFS
    supports. Especially STATX_ATTR_COMPRESSED and STATX_ATTR_ENCRYPTED
    can be interesting for userspace.

    Signed-off-by: Richard Weinberger

    Richard Weinberger
     
  • We check the length already, no need to check later
    again for an empty string.

    Signed-off-by: Richard Weinberger

    Richard Weinberger
     
  • If file names are encrypted we can no longer print them.
    That's why we have to change these prints or remove them completely.

    Signed-off-by: Richard Weinberger

    Richard Weinberger
     
  • ...to make sure that we don't use it for double hashed lookups
    instead of dent_key_init_hash().

    Signed-off-by: Richard Weinberger

    Richard Weinberger
     
  • When removing an encrypted file with a long name and without having
    the key we have to be able to locate and remove the directory entry
    via a double hash. This corner case was simply forgotten.

    Fixes: 528e3d178f25 ("ubifs: Add full hash lookup support")
    Reported-by: David Oberhollenzer
    Signed-off-by: Richard Weinberger

    Richard Weinberger
     
  • Currently, the function truncate_data_node only updates the
    destination data node size if compression is used. For
    uncompressed nodes, the old length is incorrectly retained.

    This patch makes sure that the length is correctly set when
    compression is disabled.

    Fixes: 7799953b34d1 ("ubifs: Implement encrypt/decrypt for all IO")
    Signed-off-by: David Oberhollenzer
    Signed-off-by: Richard Weinberger

    David Oberhollenzer
     
  • When a new inode is created, we check if the containing folder has an encryption
    policy set and inherit that. This should however only be done for regular
    files, links and subdirectories. Not for sockets, fifos etc.

    Fixes: d475a507457b ("ubifs: Add skeleton for fscrypto")
    Cc: stable@vger.kernel.org
    Signed-off-by: David Gstir
    Signed-off-by: Richard Weinberger

    David Gstir
     
  • In the RENAME_WHITEOUT error path, fscrypt_name should be freed.

    Signed-off-by: Hyunchul Lee
    Signed-off-by: Richard Weinberger

    Hyunchul Lee
     
  • Assign inode data budget to budget request correctly.

    Signed-off-by: Hyunchul Lee
    Signed-off-by: Richard Weinberger

    Hyunchul Lee
     
  • UBIFS handles extended attributes just like files, as a consequence of
    that, they also have inodes.
    Therefore UBIFS does all the inode machinery also for xattrs. Since new
    inodes have i_nlink of 1, a file or xattr inode will be evicted
    if i_nlink goes down to 0 after an unlink. UBIFS assumes this model also
    for xattrs, which is not correct.
    One can create a file "foo" with xattr "user.test". By reading
    "user.test" an inode will be created, and by deleting "user.test" it
    will get evicted later. The assumption breaks if the file "foo", which
    hosts the xattrs, will be removed. Neither VFS nor UBIFS removes each
    xattr via ubifs_xattr_remove(), it just removes the host inode from
    the TNC and all underlying xattr nodes too and the inode will remain
    in the cache and waste memory.

    To solve this problem, remove xattr inodes from the VFS inode cache in
    ubifs_xattr_remove() to make sure that they get evicted.

    Fixes: 1e51764a3c2ac05a ("UBIFS: add new flash file system")
    Cc:
    Signed-off-by: Richard Weinberger

    Richard Weinberger
     
  • This SLAB is only being used in super.c, there is no need to expose
    it into the global namespace.

    Signed-off-by: Richard Weinberger

    Richard Weinberger
     

06 Jul, 2017

2 commits

  • Since only an open file can be mmap'ed, and we only allow open()ing an
    encrypted file when its key is available, there is no need to check for
    the key again before permitting each mmap().

    Signed-off-by: Eric Biggers
    Acked-by: Richard Weinberger
    Signed-off-by: Richard Weinberger

    Eric Biggers
     
  • Currently, filesystems allow truncate(2) on an encrypted file without
    the encryption key. However, it's impossible to correctly handle the
    case where the size being truncated to is not a multiple of the
    filesystem block size, because that would require decrypting the final
    block, zeroing the part beyond i_size, then encrypting the block.

    As other modifications to encrypted file contents are prohibited without
    the key, just prohibit truncate(2) as well, making it fail with ENOKEY.

    Signed-off-by: Eric Biggers
    Signed-off-by: Richard Weinberger

    Eric Biggers
     

14 May, 2017

1 commit

  • Pull UBI/UBIFS updates from Richard Weinberger:

    - new config option CONFIG_UBIFS_FS_SECURITY

    - minor improvements

    - random fixes

    * tag 'upstream-4.12-rc1' of git://git.infradead.org/linux-ubifs:
    ubi: Add debugfs file for tracking PEB state
    ubifs: Fix a typo in comment of ioctl2ubifs & ubifs2ioctl
    ubifs: Remove unnecessary assignment
    ubifs: Fix cut and paste error on sb type comparisons
    ubi: fastmap: Fix slab corruption
    ubifs: Add CONFIG_UBIFS_FS_SECURITY to disable/enable security labels
    ubi: Make mtd parameter readable
    ubi: Fix section mismatch

    Linus Torvalds
     

09 May, 2017

1 commit

  • Merge more updates from Andrew Morton:

    - the rest of MM

    - various misc things

    - procfs updates

    - lib/ updates

    - checkpatch updates

    - kdump/kexec updates

    - add kvmalloc helpers, use them

    - time helper updates for Y2038 issues. We're almost ready to remove
    current_fs_time() but that awaits a btrfs merge.

    - add tracepoints to DAX

    * emailed patches from Andrew Morton: (114 commits)
    drivers/staging/ccree/ssi_hash.c: fix build with gcc-4.4.4
    selftests/vm: add a test for virtual address range mapping
    dax: add tracepoint to dax_insert_mapping()
    dax: add tracepoint to dax_writeback_one()
    dax: add tracepoints to dax_writeback_mapping_range()
    dax: add tracepoints to dax_load_hole()
    dax: add tracepoints to dax_pfn_mkwrite()
    dax: add tracepoints to dax_iomap_pte_fault()
    mtd: nand: nandsim: convert to memalloc_noreclaim_*()
    treewide: convert PF_MEMALLOC manipulations to new helpers
    mm: introduce memalloc_noreclaim_{save,restore}
    mm: prevent potential recursive reclaim due to clearing PF_MEMALLOC
    mm/huge_memory.c: deposit a pgtable for DAX PMD faults when required
    mm/huge_memory.c: use zap_deposited_table() more
    time: delete CURRENT_TIME_SEC and CURRENT_TIME
    gfs2: replace CURRENT_TIME with current_time
    apparmorfs: replace CURRENT_TIME with current_time()
    lustre: replace CURRENT_TIME macro
    fs: ubifs: replace CURRENT_TIME_SEC with current_time
    fs: ufs: use ktime_get_real_ts64() for birthtime
    ...

    Linus Torvalds