1. 08 Jan, 2015 2 commits
  2. 30 Oct, 2014 1 commit
    • Chao Yu's avatar
      ecryptfs: avoid to access NULL pointer when write metadata in xattr · f52c88e8
      Chao Yu authored
      commit 35425ea2492175fd39f6116481fe98b2b3ddd4ca upstream.
      
      Christopher Head 2014-06-28 05:26:20 UTC described:
      "I tried to reproduce this on 3.12.21. Instead, when I do "echo hello > foo"
      in an ecryptfs mount with ecryptfs_xattr specified, I get a kernel crash:
      
      BUG: unable to handle kernel NULL pointer dereference at           (null)
      IP: [<ffffffff8110eb39>] fsstack_copy_attr_all+0x2/0x61
      PGD d7840067 PUD b2c3c067 PMD 0
      Oops: 0002 [#1] SMP
      Modules linked in: nvidia(PO)
      CPU: 3 PID: 3566 Comm: bash Tainted: P           O 3.12.21-gentoo-r1 #2
      Hardware name: ASUSTek Computer Inc. G60JX/G60JX, BIOS 206 03/15/2010
      task: ffff8801948944c0 ti: ffff8800bad70000 task.ti: ffff8800bad70000
      RIP: 0010:[<ffffffff8110eb39>]  [<ffffffff8110eb39>] fsstack_copy_attr_all+0x2/0x61
      RSP: 0018:ffff8800bad71c10  EFLAGS: 00010246
      RAX: 00000000000181a4 RBX: ffff880198648480 RCX: 0000000000000000
      RDX: 0000000000000004 RSI: ffff880172010450 RDI: 0000000000000000
      RBP: ffff880198490e40 R08: 0000000000000000 R09: 0000000000000000
      R10: ffff880172010450 R11: ffffea0002c51e80 R12: 0000000000002000
      R13: 000000000000001a R14: 0000000000000000 R15: ffff880198490e40
      FS:  00007ff224caa700(0000) GS:ffff88019fcc0000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000000000000 CR3: 00000000bb07f000 CR4: 00000000000007e0
      Stack:
      ffffffff811826e8 ffff8800a39d8000 0000000000000000 000000000000001a
      ffff8800a01d0000 ffff8800a39d8000 ffffffff81185fd5 ffffffff81082c2c
      00000001a39d8000 53d0abbc98490e40 0000000000000037 ffff8800a39d8220
      Call Trace:
      [<ffffffff811826e8>] ? ecryptfs_setxattr+0x40/0x52
      [<ffffffff81185fd5>] ? ecryptfs_write_metadata+0x1b3/0x223
      [<ffffffff81082c2c>] ? should_resched+0x5/0x23
      [<ffffffff8118322b>] ? ecryptfs_initialize_file+0xaf/0xd4
      [<ffffffff81183344>] ? ecryptfs_create+0xf4/0x142
      [<ffffffff810f8c0d>] ? vfs_create+0x48/0x71
      [<ffffffff810f9c86>] ? do_last.isra.68+0x559/0x952
      [<ffffffff810f7ce7>] ? link_path_walk+0xbd/0x458
      [<ffffffff810fa2a3>] ? path_openat+0x224/0x472
      [<ffffffff810fa7bd>] ? do_filp_open+0x2b/0x6f
      [<ffffffff81103606>] ? __alloc_fd+0xd6/0xe7
      [<ffffffff810ee6ab>] ? do_sys_open+0x65/0xe9
      [<ffffffff8157d022>] ? system_call_fastpath+0x16/0x1b
      RIP  [<ffffffff8110eb39>] fsstack_copy_attr_all+0x2/0x61
      RSP <ffff8800bad71c10>
      CR2: 0000000000000000
      ---[ end trace df9dba5f1ddb8565 ]---"
      
      If we create a file when we mount with ecryptfs_xattr_metadata option, we will
      encounter a crash in this path:
      ->ecryptfs_create
        ->ecryptfs_initialize_file
          ->ecryptfs_write_metadata
            ->ecryptfs_write_metadata_to_xattr
              ->ecryptfs_setxattr
                ->fsstack_copy_attr_all
      It's because our dentry->d_inode used in fsstack_copy_attr_all is NULL, and it
      will be initialized when ecryptfs_initialize_file finish.
      
      So we should skip copying attr from lower inode when the value of ->d_inode is
      invalid.
      Signed-off-by: default avatarChao Yu <chao2.yu@samsung.com>
      Signed-off-by: default avatarTyler Hicks <tyhicks@canonical.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f52c88e8
  3. 13 Nov, 2013 1 commit
  4. 05 Jun, 2013 1 commit
  5. 24 May, 2013 1 commit
  6. 09 May, 2013 2 commits
    • Tyler Hicks's avatar
      eCryptfs: Use the ablkcipher crypto API · 4dfea4f0
      Tyler Hicks authored
      Make the switch from the blkcipher kernel crypto interface to the
      ablkcipher interface.
      
      encrypt_scatterlist() and decrypt_scatterlist() now use the ablkcipher
      interface but, from the eCryptfs standpoint, still treat the crypto
      operation as a synchronous operation. They submit the async request and
      then wait until the operation is finished before they return. Most of
      the changes are contained inside those two functions.
      
      Despite waiting for the completion of the crypto operation, the
      ablkcipher interface provides performance increases in most cases when
      used on AES-NI capable hardware.
      Signed-off-by: default avatarTyler Hicks <tyhicks@canonical.com>
      Acked-by: default avatarColin King <colin.king@canonical.com>
      Reviewed-by: default avatarZeev Zilberman <zeev@annapurnaLabs.com>
      Cc: Dustin Kirkland <dustin.kirkland@gazzang.com>
      Cc: Tim Chen <tim.c.chen@intel.com>
      Cc: Ying Huang <ying.huang@intel.com>
      Cc: Thieu Le <thieule@google.com>
      Cc: Li Wang <dragonylffly@163.com>
      Cc: Jarkko Sakkinen <jarkko.sakkinen@iki.fi>
      4dfea4f0
    • Al Viro's avatar
      ecryptfs: don't open-code kernel_read() · 39dfe6c6
      Al Viro authored
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      39dfe6c6
  7. 08 May, 2013 1 commit
  8. 09 Apr, 2013 1 commit
  9. 04 Mar, 2013 2 commits
    • Kees Cook's avatar
      eCryptfs: allow userspace messaging to be disabled · 290502be
      Kees Cook authored
      When the userspace messaging (for the less common case of userspace key
      wrap/unwrap via ecryptfsd) is not needed, allow eCryptfs to build with
      it removed. This saves on kernel code size and reduces potential attack
      surface by removing the /dev/ecryptfs node.
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarTyler Hicks <tyhicks@canonical.com>
      290502be
    • Eric W. Biederman's avatar
      fs: Limit sys_mount to only request filesystem modules. · 7f78e035
      Eric W. Biederman authored
      Modify the request_module to prefix the file system type with "fs-"
      and add aliases to all of the filesystems that can be built as modules
      to match.
      
      A common practice is to build all of the kernel code and leave code
      that is not commonly needed as modules, with the result that many
      users are exposed to any bug anywhere in the kernel.
      
      Looking for filesystems with a fs- prefix limits the pool of possible
      modules that can be loaded by mount to just filesystems trivially
      making things safer with no real cost.
      
      Using aliases means user space can control the policy of which
      filesystem modules are auto-loaded by editing /etc/modprobe.d/*.conf
      with blacklist and alias directives.  Allowing simple, safe,
      well understood work-arounds to known problematic software.
      
      This also addresses a rare but unfortunate problem where the filesystem
      name is not the same as it's module name and module auto-loading
      would not work.  While writing this patch I saw a handful of such
      cases.  The most significant being autofs that lives in the module
      autofs4.
      
      This is relevant to user namespaces because we can reach the request
      module in get_fs_type() without having any special permissions, and
      people get uncomfortable when a user specified string (in this case
      the filesystem type) goes all of the way to request_module.
      
      After having looked at this issue I don't think there is any
      particular reason to perform any filtering or permission checks beyond
      making it clear in the module request that we want a filesystem
      module.  The common pattern in the kernel is to call request_module()
      without regards to the users permissions.  In general all a filesystem
      module does once loaded is call register_filesystem() and go to sleep.
      Which means there is not much attack surface exposed by loading a
      filesytem module unless the filesystem is mounted.  In a user
      namespace filesystems are not mounted unless .fs_flags = FS_USERNS_MOUNT,
      which most filesystems do not set today.
      Acked-by: default avatarSerge Hallyn <serge.hallyn@canonical.com>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Reported-by: default avatarKees Cook <keescook@google.com>
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      7f78e035
  10. 28 Feb, 2013 1 commit
    • Sasha Levin's avatar
      hlist: drop the node parameter from iterators · b67bfe0d
      Sasha Levin authored
      I'm not sure why, but the hlist for each entry iterators were conceived
      
              list_for_each_entry(pos, head, member)
      
      The hlist ones were greedy and wanted an extra parameter:
      
              hlist_for_each_entry(tpos, pos, head, member)
      
      Why did they need an extra pos parameter? I'm not quite sure. Not only
      they don't really need it, it also prevents the iterator from looking
      exactly like the list iterator, which is unfortunate.
      
      Besides the semantic patch, there was some manual work required:
      
       - Fix up the actual hlist iterators in linux/list.h
       - Fix up the declaration of other iterators based on the hlist ones.
       - A very small amount of places were using the 'node' parameter, this
       was modified to use 'obj->member' instead.
       - Coccinelle didn't handle the hlist_for_each_entry_safe iterator
       properly, so those had to be fixed up manually.
      
      The semantic patch which is mostly the work of Peter Senna Tschudin is here:
      
      @@
      iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;
      
      type T;
      expression a,c,d,e;
      identifier b;
      statement S;
      @@
      
      -T b;
          <+... when != b
      (
      hlist_for_each_entry(a,
      - b,
      c, d) S
      |
      hlist_for_each_entry_continue(a,
      - b,
      c) S
      |
      hlist_for_each_entry_from(a,
      - b,
      c) S
      |
      hlist_for_each_entry_rcu(a,
      - b,
      c, d) S
      |
      hlist_for_each_entry_rcu_bh(a,
      - b,
      c, d) S
      |
      hlist_for_each_entry_continue_rcu_bh(a,
      - b,
      c) S
      |
      for_each_busy_worker(a, c,
      - b,
      d) S
      |
      ax25_uid_for_each(a,
      - b,
      c) S
      |
      ax25_for_each(a,
      - b,
      c) S
      |
      inet_bind_bucket_for_each(a,
      - b,
      c) S
      |
      sctp_for_each_hentry(a,
      - b,
      c) S
      |
      sk_for_each(a,
      - b,
      c) S
      |
      sk_for_each_rcu(a,
      - b,
      c) S
      |
      sk_for_each_from
      -(a, b)
      +(a)
      S
      + sk_for_each_from(a) S
      |
      sk_for_each_safe(a,
      - b,
      c, d) S
      |
      sk_for_each_bound(a,
      - b,
      c) S
      |
      hlist_for_each_entry_safe(a,
      - b,
      c, d, e) S
      |
      hlist_for_each_entry_continue_rcu(a,
      - b,
      c) S
      |
      nr_neigh_for_each(a,
      - b,
      c) S
      |
      nr_neigh_for_each_safe(a,
      - b,
      c, d) S
      |
      nr_node_for_each(a,
      - b,
      c) S
      |
      nr_node_for_each_safe(a,
      - b,
      c, d) S
      |
      - for_each_gfn_sp(a, c, d, b) S
      + for_each_gfn_sp(a, c, d) S
      |
      - for_each_gfn_indirect_valid_sp(a, c, d, b) S
      + for_each_gfn_indirect_valid_sp(a, c, d) S
      |
      for_each_host(a,
      - b,
      c) S
      |
      for_each_host_safe(a,
      - b,
      c, d) S
      |
      for_each_mesh_entry(a,
      - b,
      c, d) S
      )
          ...+>
      
      [akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
      [akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
      [akpm@linux-foundation.org: checkpatch fixes]
      [akpm@linux-foundation.org: fix warnings]
      [akpm@linux-foudnation.org: redo intrusive kvm changes]
      Tested-by: default avatarPeter Senna Tschudin <peter.senna@gmail.com>
      Acked-by: default avatarPaul E. McKenney <paulmck@linux.vnet.ibm.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      Cc: Wu Fengguang <fengguang.wu@intel.com>
      Cc: Marcelo Tosatti <mtosatti@redhat.com>
      Cc: Gleb Natapov <gleb@redhat.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      b67bfe0d
  11. 27 Feb, 2013 1 commit
  12. 26 Feb, 2013 2 commits
  13. 23 Feb, 2013 1 commit
  14. 12 Feb, 2013 2 commits
  15. 29 Jan, 2013 1 commit
  16. 17 Jan, 2013 3 commits
  17. 11 Jan, 2013 1 commit
  18. 18 Dec, 2012 2 commits
  19. 08 Nov, 2012 1 commit
    • Li Wang's avatar
      eCryptfs: Avoid unnecessary disk read and data decryption during writing · e4bc6522
      Li Wang authored
      ecryptfs_write_begin grabs a page from page cache for writing.
      If the page contains invalid data, or data older than the
      counterpart on the disk, eCryptfs will read out the
      corresponing data from the disk into the page, decrypt them,
      then perform writing. However, for this page, if the length
      of the data to be written into is equal to page size,
      that means the whole page of data will be overwritten,
      in which case, it does not matter whatever the data were before,
      it is beneficial to perform writing directly rather than bothering
      to read and decrypt first.
      
      With this optimization, according to our test on a machine with
      Intel Core 2 Duo processor, iozone 'write' operation on an existing
      file with write size being multiple of page size will enjoy a steady
      3x speedup.
      Signed-off-by: default avatarLi Wang <wangli@kylinos.com.cn>
      Signed-off-by: default avatarYunchuan Wen <wenyunchuan@kylinos.com.cn>
      Signed-off-by: default avatarTyler Hicks <tyhicks@canonical.com>
      e4bc6522
  20. 03 Oct, 2012 1 commit
  21. 21 Sep, 2012 1 commit
  22. 14 Sep, 2012 3 commits
    • Tyler Hicks's avatar
      eCryptfs: Copy up attributes of the lower target inode after rename · 8335eafc
      Tyler Hicks authored
      After calling into the lower filesystem to do a rename, the lower target
      inode's attributes were not copied up to the eCryptfs target inode. This
      resulted in the eCryptfs target inode staying around, rather than being
      evicted, because i_nlink was not updated for the eCryptfs inode. This
      also meant that eCryptfs didn't do the final iput() on the lower target
      inode so it stayed around, as well. This would result in a failure to
      free up space occupied by the target file in the rename() operation.
      Both target inodes would eventually be evicted when the eCryptfs
      filesystem was unmounted.
      
      This patch calls fsstack_copy_attr_all() after the lower filesystem
      does its ->rename() so that important inode attributes, such as i_nlink,
      are updated at the eCryptfs layer. ecryptfs_evict_inode() is now called
      and eCryptfs can drop its final reference on the lower inode.
      
      http://launchpad.net/bugs/561129Signed-off-by: default avatarTyler Hicks <tyhicks@canonical.com>
      Tested-by: default avatarColin Ian King <colin.king@canonical.com>
      Cc: <stable@vger.kernel.org> [2.6.39+]
      8335eafc
    • Tyler Hicks's avatar
      eCryptfs: Call lower ->flush() from ecryptfs_flush() · 64e6651d
      Tyler Hicks authored
      Since eCryptfs only calls fput() on the lower file in
      ecryptfs_release(), eCryptfs should call the lower filesystem's
      ->flush() from ecryptfs_flush().
      
      If the lower filesystem implements ->flush(), then eCryptfs should try
      to flush out any dirty pages prior to calling the lower ->flush(). If
      the lower filesystem does not implement ->flush(), then eCryptfs has no
      need to do anything in ecryptfs_flush() since dirty pages are now
      written out to the lower filesystem in ecryptfs_release().
      Signed-off-by: default avatarTyler Hicks <tyhicks@canonical.com>
      64e6651d
    • Tyler Hicks's avatar
      eCryptfs: Write out all dirty pages just before releasing the lower file · 7149f255
      Tyler Hicks authored
      Fixes a regression caused by:
      
      821f7494 eCryptfs: Revert to a writethrough cache model
      
      That patch reverted some code (specifically, 32001d6f) that was
      necessary to properly handle open() -> mmap() -> close() -> dirty pages
      -> munmap(), because the lower file could be closed before the dirty
      pages are written out.
      
      Rather than reapplying 32001d6f, this approach is a better way of
      ensuring that the lower file is still open in order to handle writing
      out the dirty pages. It is called from ecryptfs_release(), while we have
      a lock on the lower file pointer, just before the lower file gets the
      final fput() and we overwrite the pointer.
      
      https://launchpad.net/bugs/1047261Signed-off-by: default avatarTyler Hicks <tyhicks@canonical.com>
      Reported-by: default avatarArtemy Tregubenko <me@arty.name>
      Tested-by: default avatarArtemy Tregubenko <me@arty.name>
      Tested-by: default avatarColin Ian King <colin.king@canonical.com>
      7149f255
  23. 29 Jul, 2012 2 commits
  24. 22 Jul, 2012 3 commits
  25. 14 Jul, 2012 3 commits