October 2020 - Linux-stable-mirror

[PATCH 4.19] fscrypt: return -EXDEV for incompatible rename or link into encrypted dir

by Eric Biggers

From: Eric Biggers <ebiggers(a)google.com> commit f5e55e777cc93eae1416f0fa4908e8846b6d7825 upstream. [Please apply to 4.19-stable. This is an important fix to have, and it will be needed for xfstest generic/398 to pass if https://lkml.kernel.org/r/20201031054141.695517-1-ebiggers@kernel.org is applied. This is a clean cherry-pick to 4.19, but it doesn't apply to 4.14 and earlier; different backports would be needed for that.] Currently, trying to rename or link a regular file, directory, or symlink into an encrypted directory fails with EPERM when the source file is unencrypted or is encrypted with a different encryption policy, and is on the same mountpoint. It is correct for the operation to fail, but the choice of EPERM breaks tools like 'mv' that know to copy rather than rename if they see EXDEV, but don't know what to do with EPERM. Our original motivation for EPERM was to encourage users to securely handle their data. Encrypting files by "moving" them into an encrypted directory can be insecure because the unencrypted data may remain in free space on disk, where it can later be recovered by an attacker. It's much better to encrypt the data from the start, or at least try to securely delete the source data e.g. using the 'shred' program. However, the current behavior hasn't been effective at achieving its goal because users tend to be confused, hack around it, and complain; see e.g. https://github.com/google/fscrypt/issues/76. And in some cases it's actually inconsistent or unnecessary. For example, 'mv'-ing files between differently encrypted directories doesn't work even in cases where it can be secure, such as when in userspace the same passphrase protects both directories. Yet, you *can* already 'mv' unencrypted files into an encrypted directory if the source files are on a different mountpoint, even though doing so is often insecure. There are probably better ways to teach users to securely handle their files. For example, the 'fscrypt' userspace tool could provide a command that migrates unencrypted files into an encrypted directory, acting like 'shred' on the source files and providing appropriate warnings depending on the type of the source filesystem and disk. Receiving errors on unimportant files might also force some users to disable encryption, thus making the behavior counterproductive. It's desirable to make encryption as unobtrusive as possible. Therefore, change the error code from EPERM to EXDEV so that tools looking for EXDEV will fall back to a copy. This, of course, doesn't prevent users from still doing the right things to securely manage their files. Note that this also matches the behavior when a file is renamed between two project quota hierarchies; so there's precedent for using EXDEV for things other than mountpoints. xfstests generic/398 will require an update with this change. [Rewritten from an earlier patch series by Michael Halcrow.] Cc: Michael Halcrow <mhalcrow(a)google.com> Cc: Joe Richey <joerichey(a)google.com> Signed-off-by: Eric Biggers <ebiggers(a)google.com> --- Documentation/filesystems/fscrypt.rst | 12 ++++++++++-- fs/crypto/hooks.c | 6 +++--- fs/crypto/policy.c | 3 +-- include/linux/fscrypt.h | 4 ++-- 4 files changed, 16 insertions(+), 9 deletions(-) diff --git a/Documentation/filesystems/fscrypt.rst b/Documentation/filesystems/fscrypt.rst index cfbc18f0d9c98..5b667ee1242ae 100644 --- a/Documentation/filesystems/fscrypt.rst +++ b/Documentation/filesystems/fscrypt.rst @@ -426,10 +426,18 @@ astute users may notice some differences in behavior: - Unencrypted files, or files encrypted with a different encryption policy (i.e. different key, modes, or flags), cannot be renamed or linked into an encrypted directory; see `Encryption policy - enforcement`_. Attempts to do so will fail with EPERM. However, + enforcement`_. Attempts to do so will fail with EXDEV. However, encrypted files can be renamed within an encrypted directory, or into an unencrypted directory. + Note: "moving" an unencrypted file into an encrypted directory, e.g. + with the `mv` program, is implemented in userspace by a copy + followed by a delete. Be aware that the original unencrypted data + may remain recoverable from free space on the disk; prefer to keep + all files encrypted from the very beginning. The `shred` program + may be used to overwrite the source files but isn't guaranteed to be + effective on all filesystems and storage devices. + - Direct I/O is not supported on encrypted files. Attempts to use direct I/O on such files will fall back to buffered I/O. @@ -516,7 +524,7 @@ not be encrypted. Except for those special files, it is forbidden to have unencrypted files, or files encrypted with a different encryption policy, in an encrypted directory tree. Attempts to link or rename such a file into -an encrypted directory will fail with EPERM. This is also enforced +an encrypted directory will fail with EXDEV. This is also enforced during ->lookup() to provide limited protection against offline attacks that try to disable or downgrade encryption in known locations where applications may later write sensitive data. It is recommended diff --git a/fs/crypto/hooks.c b/fs/crypto/hooks.c index 926e5df20ec31..56debb1fcf5eb 100644 --- a/fs/crypto/hooks.c +++ b/fs/crypto/hooks.c @@ -58,7 +58,7 @@ int __fscrypt_prepare_link(struct inode *inode, struct inode *dir) return err; if (!fscrypt_has_permitted_context(dir, inode)) - return -EPERM; + return -EXDEV; return 0; } @@ -82,13 +82,13 @@ int __fscrypt_prepare_rename(struct inode *old_dir, struct dentry *old_dentry, if (IS_ENCRYPTED(new_dir) && !fscrypt_has_permitted_context(new_dir, d_inode(old_dentry))) - return -EPERM; + return -EXDEV; if ((flags & RENAME_EXCHANGE) && IS_ENCRYPTED(old_dir) && !fscrypt_has_permitted_context(old_dir, d_inode(new_dentry))) - return -EPERM; + return -EXDEV; } return 0; } diff --git a/fs/crypto/policy.c b/fs/crypto/policy.c index 4288839501e94..e9d975f39f46b 100644 --- a/fs/crypto/policy.c +++ b/fs/crypto/policy.c @@ -153,8 +153,7 @@ EXPORT_SYMBOL(fscrypt_ioctl_get_policy); * malicious offline violations of this constraint, while the link and rename * checks are needed to prevent online violations of this constraint. * - * Return: 1 if permitted, 0 if forbidden. If forbidden, the caller must fail - * the filesystem operation with EPERM. + * Return: 1 if permitted, 0 if forbidden. */ int fscrypt_has_permitted_context(struct inode *parent, struct inode *child) { diff --git a/include/linux/fscrypt.h b/include/linux/fscrypt.h index 952ab97af325e..9fa48180a1f5f 100644 --- a/include/linux/fscrypt.h +++ b/include/linux/fscrypt.h @@ -89,7 +89,7 @@ static inline int fscrypt_require_key(struct inode *inode) * in an encrypted directory tree use the same encryption policy. * * Return: 0 on success, -ENOKEY if the directory's encryption key is missing, - * -EPERM if the link would result in an inconsistent encryption policy, or + * -EXDEV if the link would result in an inconsistent encryption policy, or * another -errno code. */ static inline int fscrypt_prepare_link(struct dentry *old_dentry, @@ -119,7 +119,7 @@ static inline int fscrypt_prepare_link(struct dentry *old_dentry, * We also verify that the rename will not violate the constraint that all files * in an encrypted directory tree use the same encryption policy. * - * Return: 0 on success, -ENOKEY if an encryption key is missing, -EPERM if the + * Return: 0 on success, -ENOKEY if an encryption key is missing, -EXDEV if the * rename would cause inconsistent encryption policies, or another -errno code. */ static inline int fscrypt_prepare_rename(struct inode *old_dir, -- 2.29.1

4 years, 2 months

2
1
0 0

v4.9.241 build failures

by Guenter Roeck

Building powerpc:defconfig ... failed Building powerpc:allmodconfig ... failed -------------- Error log: arch/powerpc/platforms/powernv/opal-dump.c: In function ‘process_dump’: arch/powerpc/platforms/powernv/opal-dump.c:409:7: error: void value not ignored as it ought to be dump = create_dump_obj(dump_id, dump_size, dump_type);

4 years, 2 months

2
2
0 0

[GIT PULL] vhost,vdpa: fixes

by Michael S. Tsirkin

The following changes since commit 88a0d60c6445f315fbcfff3db792021bb3a67b28: MAINTAINERS: add URL for virtio-mem (2020-10-21 10:48:11 -0400) are available in the Git repository at: https://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost.git tags/for_linus for you to fetch changes up to 0c86d774883fa17e7c81b0c8838b88d06c2c911e: vdpasim: allow to assign a MAC address (2020-10-30 04:04:35 -0400) ---------------------------------------------------------------- vhost,vdpa: fixes Fixes all over the place. A new UAPI is borderline: can also be considered a new feature but also seems to be the only way we could come up with to fix addressing for userspace - and it seems important to switch to it now before userspace making assumptions about addressing ability of devices is set in stone. Signed-off-by: Michael S. Tsirkin <mst(a)redhat.com> ---------------------------------------------------------------- Dan Carpenter (1): vhost_vdpa: Return -EFAULT if copy_from_user() fails Jason Wang (3): vdpa: introduce config op to get valid iova range vhost: vdpa: report iova range vdpa_sim: implement get_iova_range() Jing Xiangfeng (1): vdpa/mlx5: Fix error return in map_direct_mr() Laurent Vivier (3): vdpa_sim: Fix DMA mask vdpasim: fix MAC address configuration vdpasim: allow to assign a MAC address Michael S. Tsirkin (1): Revert "vhost-vdpa: fix page pinning leakage in error path" Zhu Lingshan (1): vdpa: handle irq bypass register failure case drivers/vdpa/mlx5/core/mr.c | 5 +- drivers/vdpa/vdpa_sim/vdpa_sim.c | 33 +++++++- drivers/vhost/vdpa.c | 167 ++++++++++++++++++++++----------------- include/linux/vdpa.h | 15 ++++ include/uapi/linux/vhost.h | 4 + include/uapi/linux/vhost_types.h | 9 +++ 6 files changed, 154 insertions(+), 79 deletions(-)

4 years, 2 months

2
1
0 0

[PATCH 4.4 000/149] 4.4.233-rc1 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.4.233 release. There are 149 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sat, 22 Aug 2020 09:21:01 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.233-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.4.233-rc1 WANG Cong <xiyou.wangcong(a)gmail.com> ipv6: check skb->protocol before lookup for nexthop Denis Efremov <efremov(a)linux.com> drm/radeon: fix fb_div check in ni_init_smc_spll_table() Geert Uytterhoeven <geert+renesas(a)glider.be> sh: landisk: Add missing initialization of sh_io_port_base Dinghao Liu <dinghao.liu(a)zju.edu.cn> ALSA: echoaudio: Fix potential Oops in snd_echo_resume() Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> mfd: dln2: Run event handler loop under spinlock Colin Ian King <colin.king(a)canonical.com> fs/ufs: avoid potential u32 multiplication overflow Jeffrey Mitchell <jeffrey.mitchell(a)starlab.io> nfs: Fix getxattr kernel panic and memory overflow Dan Carpenter <dan.carpenter(a)oracle.com> drm/vmwgfx: Fix two list_for_each loop exit tests Colin Ian King <colin.king(a)canonical.com> Input: sentelic - fix error return when fsp_reg_write fails Xu Wang <vulab(a)iscas.ac.cn> clk: clk-atlas6: fix return value check in atlas6_clk_init() Wolfram Sang <wsa+renesas(a)sang-engineering.com> i2c: rcar: slave: only send STOP event when we have been addressed Liu Yi L <yi.l.liu(a)intel.com> iommu/vt-d: Enforce PASID devTLB field mask Colin Ian King <colin.king(a)canonical.com> iommu/omap: Check for failure of a call to omap_iommu_dump_ctx Johan Hovold <johan(a)kernel.org> USB: serial: ftdi_sio: fix break and sysrq handling Johan Hovold <johan(a)kernel.org> USB: serial: ftdi_sio: clean up receive processing Johan Hovold <johan(a)kernel.org> USB: serial: ftdi_sio: make process-packet buffer unsigned Anton Blanchard <anton(a)ozlabs.org> pseries: Fix 64 bit logical memory block panic Muchun Song <songmuchun(a)bytedance.com> kprobes: Fix NULL pointer dereference at kprobe_ftrace_handler Junxiao Bi <junxiao.bi(a)oracle.com> ocfs2: change slot number type s16 to u16 Mikulas Patocka <mpatocka(a)redhat.com> ext2: fix missing percpu_counter_inc Huacai Chen <chenhc(a)lemote.com> MIPS: CPU#0 is not hotpluggable Johannes Berg <johannes.berg(a)intel.com> mac80211: fix misplaced while instead of if Coly Li <colyli(a)suse.de> bcache: allocate meta data pages as compound pages ChangSyun Peng <allenpeng(a)synology.com> md/raid5: Fix Force reconstruct-write io stuck in degraded raid5 Jonathan McDowell <noodles(a)earth.li> net: stmmac: dwmac1000: provide multicast filter fallback Jonathan McDowell <noodles(a)earth.li> net: ethernet: stmmac: Disable hardware multicast filter Michael Ellerman <mpe(a)ellerman.id.au> powerpc: Fix circular dependency between percpu.h and mmu.h Filipe Manana <fdmanana(a)suse.com> btrfs: fix memory leaks after failure to lookup checksums during inode logging Josef Bacik <josef(a)toxicpanda.com> btrfs: only search for left_info if there is no right_info in try_merge_free_space Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> PCI: hotplug: ACPI: Fix context refcounting in acpiphp_grab_context() Roger Pau Monne <roger.pau(a)citrix.com> xen/balloon: make the balloon wait interruptible Roger Pau Monne <roger.pau(a)citrix.com> xen/balloon: fix accounting in alloc_xenballooned_pages error path Nathan Huckleberry <nhuck(a)google.com> ARM: 8992/1: Fix unwind_frame for clang-built kernels Sven Schnelle <svens(a)stackframe.org> parisc: mask out enable and reserved bits from sba imask Zheng Bin <zhengbin13(a)huawei.com> 9p: Fix memory leak in v9fs_mount Hector Martin <marcan(a)marcan.st> ALSA: usb-audio: work around streaming quirk for MacroSilicon MS2109 Eric Biggers <ebiggers(a)google.com> fs/minix: reject too-large maximum file size Eric Biggers <ebiggers(a)google.com> fs/minix: don't allow getting deleted inodes Eric Biggers <ebiggers(a)google.com> fs/minix: check return value of sb_getblk() Tom Rix <trix(a)redhat.com> crypto: qat - fix double free in qat_uclo_create_batch_init_list Hector Martin <marcan(a)marcan.st> ALSA: usb-audio: add quirk for Pioneer DDJ-RB Hector Martin <marcan(a)marcan.st> ALSA: usb-audio: fix overeager device match for MacroSilicon MS2109 Mirko Dietrich <buzz(a)l4m1.de> ALSA: usb-audio: Creative USB X-Fi Pro SB1095 volume knob support Miaohe Lin <linmiaohe(a)huawei.com> net: Set fput_needed iff FDPUT_FPUT is set Qingyu Li <ieatmuttonchuan(a)gmail.com> net/nfc/rawsock.c: add CAP_NET_RAW check. Xie He <xie.he.0141(a)gmail.com> drivers/net/wan/lapbether: Added needed_headroom and a skb->len check Drew Fustini <drew(a)beagleboard.org> pinctrl-single: fix pcs_parse_pinconf() return value Wang Hai <wanghai38(a)huawei.com> dlm: Fix kobject memleak Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> net: spider_net: Fix the size used in a 'dma_free_coherent()' call Wang Hai <wanghai38(a)huawei.com> wl1251: fix always return 0 error Julian Wiedmann <jwi(a)linux.ibm.com> s390/qeth: don't process empty bridge port events Tom Rix <trix(a)redhat.com> power: supply: check if calc_soc succeeded in pm860x_init_battery Dan Carpenter <dan.carpenter(a)oracle.com> Smack: prevent underflow in smk_set_cipso() Dan Carpenter <dan.carpenter(a)oracle.com> Smack: fix another vsscanf out of bounds Finn Thain <fthain(a)telegraphics.com.au> scsi: mesh: Fix panic after host or bus reset Marek Szyprowski <m.szyprowski(a)samsung.com> usb: dwc2: Fix error path in gadget registration Xiongfeng Wang <wangxiongfeng2(a)huawei.com> PCI/ASPM: Add missing newline in sysfs 'policy' Milton Miller <miltonm(a)us.ibm.com> powerpc/vdso: Fix vdso cpu truncation Dan Carpenter <dan.carpenter(a)oracle.com> mwifiex: Prevent memory corruption handling keys Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com> drm: panel: simple: Fix bpc for LG LB070WV8 panel Chuhong Yuan <hslester96(a)gmail.com> media: exynos4-is: Add missed check for pinctrl_lookup_state() Dan Carpenter <dan.carpenter(a)oracle.com> media: firewire: Using uninitialized values in node_probe() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> scsi: eesox: Fix different dev_id between request_irq() and free_irq() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> scsi: powertec: Fix different dev_id between request_irq() and free_irq() Colin Ian King <colin.king(a)canonical.com> drm/radeon: fix array out-of-bounds read and write issues Wang Hai <wanghai38(a)huawei.com> cxl: Fix kobject memleak Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> scsi: cumana_2: Fix different dev_id between request_irq() and free_irq() Chuhong Yuan <hslester96(a)gmail.com> media: omap3isp: Add missed v4l2_ctrl_handler_free() for preview_init_entities() Arnd Bergmann <arnd(a)arndb.de> leds: lm355x: avoid enum conversion warning Tomasz Duszynski <tomasz.duszynski(a)octakon.com> iio: improve IIO_CONCENTRATION channel type description Dejin Zheng <zhengdejin5(a)gmail.com> console: newport_con: fix an issue about leak related system resources Dejin Zheng <zhengdejin5(a)gmail.com> video: fbdev: sm712fb: fix an issue about iounmap for a wrong address Qiushi Wu <wu000273(a)umn.edu> agp/intel: Fix a memory leak on module initialisation failure Erik Kaneda <erik.kaneda(a)intel.com> ACPICA: Do not increment operation_region reference counts for field units Coly Li <colyli(a)suse.de> bcache: fix super block seq numbers comparision in register_cache_set() Jim Cromie <jim.cromie(a)gmail.com> dyndbg: fix a BUG_ON in ddebug_describe_flags Sasi Kumar <sasi.kumar(a)broadcom.com> bdc: Fix bug causing crash after multiple disconnects Evgeny Novikov <novikov(a)ispras.ru> usb: gadget: net2280: fix memory leak on probe error handling paths Bolarinwa Olayemi Saheed <refactormyself(a)gmail.com> iwlegacy: Check the return value of pcie_capability_read_*() Prasanna Kerekoppa <prasanna.kerekoppa(a)cypress.com> brcmfmac: To fix Bss Info flag definition Bug Paul E. McKenney <paulmck(a)kernel.org> mm/mmap.c: Add cond_resched() for exit_mmap() CPU stalls Michael Tretter <m.tretter(a)pengutronix.de> drm/debugfs: fix plain echo to connector "force" attribute Aditya Pakki <pakki001(a)umn.edu> drm/nouveau: fix multiple instances of reference count leaks Evgeny Novikov <novikov(a)ispras.ru> video: fbdev: neofb: fix memory leak in neo_scan_monitor() Aditya Pakki <pakki001(a)umn.edu> drm/radeon: Fix reference count leaks caused by pm_runtime_get_sync Paul E. McKenney <paulmck(a)kernel.org> fs/btrfs: Add cond_resched() for try_release_extent_mapping() stalls Lihong Kou <koulihong(a)huawei.com> Bluetooth: add a mutex lock to avoid UAF in do_enale_set Tomi Valkeinen <tomi.valkeinen(a)ti.com> drm/tilcdc: fix leak & null ref in panel_connector_get_modes Yu Kuai <yukuai3(a)huawei.com> ARM: socfpga: PM: add missing put_device() call in socfpga_setup_ocram_self_refresh() yu kuai <yukuai3(a)huawei.com> ARM: at91: pm: add missing put_device() call in at91_pm_sram_init() Finn Thain <fthain(a)telegraphics.com.au> m68k: mac: Fix IOP status/control register writes Finn Thain <fthain(a)telegraphics.com.au> m68k: mac: Don't send IOP message until channel is idle Qiushi Wu <wu000273(a)umn.edu> EDAC: Fix reference count leaks Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> gpio: fix oops resulting from calling of_get_named_gpio(NULL, ...) Dexuan Cui <decui(a)microsoft.com> udp: drop corrupt packets earlier to avoid data corruption Nick Desaulniers <ndesaulniers(a)google.com> tracepoint: Mark __tracepoint_string's __used Eric Biggers <ebiggers(a)google.com> Smack: fix use-after-free in smk_write_relabel_self() Ido Schimmel <idosch(a)mellanox.com> vxlan: Ensure FDB dump is performed under RCU Rustam Kovhaev <rkovhaev(a)gmail.com> usb: hso: check for return value in hso_serial_common_create() Johan Hovold <johan(a)kernel.org> net: lan78xx: replace bogus endpoint lookup Hangbin Liu <liuhangbin(a)gmail.com> Revert "vxlan: fix tos value before xmit" Cong Wang <xiyou.wangcong(a)gmail.com> ipv6: fix memory leaks on IPV6_ADDRFORM path Ido Schimmel <idosch(a)mellanox.com> ipv4: Silence suspicious RCU usage warning Jann Horn <jannh(a)google.com> binder: Prevent context manager from incrementing ref 0 Philippe Duplessis-Guindon <pduplessis(a)efficios.com> tools lib traceevent: Fix memory leak in process_dynamic_array_len Xin Xiong <xiongx18(a)fudan.edu.cn> atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent Francesco Ruggeri <fruggeri(a)arista.com> igb: reinit_locked() should be called with rtnl_lock Julian Squires <julian(a)cipht.net> cfg80211: check vendor command doit pointer before use Ben Skeggs <bskeggs(a)redhat.com> drm/nouveau/fbcon: fix module unload when fbcon init has failed for some reason Christoph Hellwig <hch(a)lst.de> net/9p: validate fds in p9_fd_open Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> mtd: properly check all write ioctls for permissions Yunhai Zhang <zhangyunhai(a)nsfocus.com> vgacon: Fix for missing check in scrollback handling Peilin Ye <yepeilin.cs(a)gmail.com> Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt() Peilin Ye <yepeilin.cs(a)gmail.com> Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_evt() Peilin Ye <yepeilin.cs(a)gmail.com> Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt() Takashi Iwai <tiwai(a)suse.de> ALSA: seq: oss: Serialize ioctls Erik Ekman <erik(a)kryo.se> USB: serial: qcserial: add EM7305 QDL product ID Jiang Ying <jiangying8582(a)126.com> ext4: fix direct I/O read error Linus Torvalds <torvalds(a)linux-foundation.org> random32: move the pseudo-random 32-bit definitions to prandom.h Linus Torvalds <torvalds(a)linux-foundation.org> random32: remove net_rand_state from the latent entropy gcc plugin Willy Tarreau <w(a)1wt.eu> random: fix circular include dependency on arm64 after addition of percpu.h Grygorii Strashko <grygorii.strashko(a)ti.com> ARM: percpu.h: fix build error Willy Tarreau <w(a)1wt.eu> random32: update the net random state on interrupt and activity Thomas Gleixner <tglx(a)linutronix.de> x86/i8259: Use printk_deferred() to prevent deadlock Andrea Righi <andrea.righi(a)canonical.com> xen-netfront: fix potential deadlock in xennet_remove() Raviteja Narayanam <raviteja.narayanam(a)xilinx.com> Revert "i2c: cadence: Fix the hold bit setting" Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> net: ethernet: ravb: exit if re-initialization fails in tx timeout Navid Emamdoost <navid.emamdoost(a)gmail.com> nfc: s3fwrn5: add missing release on skb in s3fwrn5_recv_frame Remi Pommarel <repk(a)triplefau.lt> mac80211: mesh: Free ie data when leaving mesh Ido Schimmel <idosch(a)mellanox.com> mlxsw: core: Increase scope of RCU read-side critical section Johan Hovold <johan(a)kernel.org> net: lan78xx: fix transfer-buffer memory leak Johan Hovold <johan(a)kernel.org> net: lan78xx: add missing endpoint sanity check Michael Karcher <kernel(a)mkarcher.dialup.fu-berlin.de> sh: Fix validation of system call number YueHaibing <yuehaibing(a)huawei.com> net/x25: Fix null-ptr-deref in x25_disconnect Xiyu Yang <xiyuyang19(a)fudan.edu.cn> net/x25: Fix x25_neigh refcnt leak when x25 disconnect Peilin Ye <yepeilin.cs(a)gmail.com> rds: Prevent kernel-infoleak in rds_notify_queue_get() Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins. Will Deacon <will(a)kernel.org> ARM: 8986/1: hw_breakpoint: Don't invoke overflow handler on uaccess watchpoints Sheng Yong <shengyong1(a)huawei.com> f2fs: check if file namelen exceeds max value Jaegeuk Kim <jaegeuk(a)kernel.org> f2fs: check memory boundary by insane namelen Steve Cohen <cohens(a)codeaurora.org> drm: hold gem reference until object is no longer accessed Peilin Ye <yepeilin.cs(a)gmail.com> drm/amdgpu: Prevent kernel-infoleak in amdgpu_info_ioctl() Robert Hancock <hancockrwd(a)gmail.com> PCI/ASPM: Disable ASPM on ASMedia ASM1083/1085 PCIe-to-PCI bridge Andreas Gruenbacher <agruenba(a)redhat.com> nfs: Move call to security_inode_listsecurity into nfs_listxattr Navid Emamdoost <navid.emamdoost(a)gmail.com> ath9k: release allocated buffer if timed out Navid Emamdoost <navid.emamdoost(a)gmail.com> ath9k_htc: release allocated buffer if timed out Navid Emamdoost <navid.emamdoost(a)gmail.com> media: rc: prevent memory leak in cx23888_ir_probe Wei Yongjun <weiyongjun1(a)huawei.com> net: phy: mdio-bcm-unimac: fix potential NULL dereference in unimac_mdio_probe() Eric Sandeen <sandeen(a)sandeen.net> xfs: don't call xfs_da_shrink_inode with NULL bp ------------- Diffstat: Documentation/ABI/testing/sysfs-bus-iio | 3 +- Makefile | 4 +- arch/arm/include/asm/percpu.h | 2 + arch/arm/kernel/hw_breakpoint.c | 27 ++++- arch/arm/kernel/stacktrace.c | 24 +++++ arch/arm/mach-at91/pm.c | 11 +- arch/arm/mach-socfpga/pm.c | 8 +- arch/m68k/mac/iop.c | 21 ++-- arch/mips/kernel/topology.c | 2 +- arch/powerpc/include/asm/percpu.h | 4 +- arch/powerpc/kernel/vdso.c | 2 +- arch/powerpc/platforms/pseries/hotplug-memory.c | 2 +- arch/sh/boards/mach-landisk/setup.c | 3 + arch/sh/kernel/entry-common.S | 6 +- arch/x86/kernel/i8259.c | 2 +- drivers/acpi/acpica/exprep.c | 4 - drivers/acpi/acpica/utdelete.c | 6 +- drivers/android/binder.c | 9 ++ drivers/atm/atmtcp.c | 10 +- drivers/char/agp/intel-gtt.c | 4 +- drivers/char/random.c | 1 + drivers/clk/sirf/clk-atlas6.c | 2 +- drivers/crypto/qat/qat_common/qat_uclo.c | 9 +- drivers/edac/edac_device_sysfs.c | 1 + drivers/edac/edac_pci_sysfs.c | 2 +- drivers/gpio/gpiolib-of.c | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 3 +- drivers/gpu/drm/drm_debugfs.c | 8 +- drivers/gpu/drm/drm_gem.c | 10 +- drivers/gpu/drm/nouveau/nouveau_drm.c | 8 +- drivers/gpu/drm/nouveau/nouveau_fbcon.c | 1 + drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +- drivers/gpu/drm/panel/panel-simple.c | 2 +- drivers/gpu/drm/radeon/ci_dpm.c | 2 +- drivers/gpu/drm/radeon/ni_dpm.c | 2 +- drivers/gpu/drm/radeon/radeon_display.c | 4 +- drivers/gpu/drm/radeon/radeon_drv.c | 4 +- drivers/gpu/drm/radeon/radeon_kms.c | 4 +- drivers/gpu/drm/tilcdc/tilcdc_panel.c | 6 +- drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 8 +- drivers/i2c/busses/i2c-cadence.c | 9 +- drivers/i2c/busses/i2c-rcar.c | 7 +- drivers/input/mouse/sentelic.c | 2 +- drivers/iommu/omap-iommu-debug.c | 3 + drivers/leds/leds-lm355x.c | 7 +- drivers/md/bcache/bset.c | 2 +- drivers/md/bcache/btree.c | 2 +- drivers/md/bcache/journal.c | 4 +- drivers/md/bcache/super.c | 11 +- drivers/md/raid5.c | 3 +- drivers/media/firewire/firedtv-fw.c | 2 + drivers/media/pci/cx23885/cx23888-ir.c | 5 +- drivers/media/platform/exynos4-is/media-dev.c | 3 + drivers/media/platform/omap3isp/isppreview.c | 4 +- drivers/mfd/dln2.c | 4 + drivers/misc/cxl/sysfs.c | 5 +- drivers/mtd/mtdchar.c | 56 +++++++++-- drivers/net/ethernet/intel/igb/igb_main.c | 9 ++ drivers/net/ethernet/mellanox/mlxsw/core.c | 6 +- drivers/net/ethernet/renesas/ravb_main.c | 26 ++++- .../net/ethernet/stmicro/stmmac/dwmac-ipq806x.c | 1 + .../net/ethernet/stmicro/stmmac/dwmac1000_core.c | 3 + drivers/net/ethernet/toshiba/spider_net.c | 4 +- drivers/net/phy/mdio-bcm-unimac.c | 2 + drivers/net/usb/hso.c | 5 +- drivers/net/usb/lan78xx.c | 112 ++++++--------------- drivers/net/vxlan.c | 8 +- drivers/net/wan/lapbether.c | 10 +- drivers/net/wireless/ath/ath9k/htc_hst.c | 3 + drivers/net/wireless/ath/ath9k/wmi.c | 1 + .../net/wireless/brcm80211/brcmfmac/fwil_types.h | 2 +- drivers/net/wireless/iwlegacy/common.c | 4 +- drivers/net/wireless/mwifiex/sta_cmdresp.c | 22 ++-- drivers/net/wireless/ti/wl1251/event.c | 2 +- drivers/net/xen-netfront.c | 64 ++++++++---- drivers/nfc/s3fwrn5/core.c | 1 + drivers/parisc/sba_iommu.c | 2 +- drivers/pci/hotplug/acpiphp_glue.c | 14 ++- drivers/pci/pcie/aspm.c | 1 + drivers/pci/quirks.c | 13 +++ drivers/pinctrl/pinctrl-single.c | 11 +- drivers/power/88pm860x_battery.c | 6 +- drivers/s390/net/qeth_l2_main.c | 4 + drivers/scsi/arm/cumana_2.c | 2 +- drivers/scsi/arm/eesox.c | 2 +- drivers/scsi/arm/powertec.c | 2 +- drivers/scsi/mesh.c | 8 +- drivers/usb/dwc2/platform.c | 4 +- drivers/usb/gadget/udc/bdc/bdc_core.c | 4 + drivers/usb/gadget/udc/bdc/bdc_ep.c | 16 +-- drivers/usb/gadget/udc/net2280.c | 4 +- drivers/usb/serial/ftdi_sio.c | 57 ++++++----- drivers/usb/serial/qcserial.c | 1 + drivers/video/console/bitblit.c | 4 +- drivers/video/console/fbcon_ccw.c | 4 +- drivers/video/console/fbcon_cw.c | 4 +- drivers/video/console/fbcon_ud.c | 4 +- drivers/video/console/newport_con.c | 12 ++- drivers/video/console/vgacon.c | 4 + drivers/video/fbdev/neofb.c | 1 + drivers/video/fbdev/sm712fb.c | 2 + drivers/xen/balloon.c | 12 ++- fs/9p/v9fs.c | 5 +- fs/btrfs/extent_io.c | 2 + fs/btrfs/free-space-cache.c | 4 +- fs/btrfs/tree-log.c | 8 +- fs/dlm/lockspace.c | 6 +- fs/ext2/ialloc.c | 3 +- fs/ext4/inode.c | 7 ++ fs/f2fs/dir.c | 12 ++- fs/minix/inode.c | 36 ++++++- fs/minix/itree_common.c | 8 +- fs/nfs/nfs4proc.c | 55 ++++++---- fs/nfs/nfs4xdr.c | 6 +- fs/ocfs2/ocfs2.h | 4 +- fs/ocfs2/suballoc.c | 4 +- fs/ocfs2/super.c | 4 +- fs/ufs/super.c | 2 +- fs/xattr.c | 4 + fs/xfs/libxfs/xfs_attr_leaf.c | 5 +- include/linux/intel-iommu.h | 4 +- include/linux/prandom.h | 78 ++++++++++++++ include/linux/random.h | 63 +----------- include/linux/tracepoint.h | 2 +- include/net/addrconf.h | 1 + kernel/kprobes.c | 7 ++ kernel/time/timer.c | 8 ++ lib/dynamic_debug.c | 23 ++--- lib/random32.c | 2 +- mm/mmap.c | 1 + net/9p/trans_fd.c | 24 +++-- net/bluetooth/6lowpan.c | 5 + net/bluetooth/hci_event.c | 11 +- net/ipv4/fib_trie.c | 2 +- net/ipv4/udp.c | 3 +- net/ipv6/anycast.c | 17 +++- net/ipv6/ip6_tunnel.c | 32 +++--- net/ipv6/ipv6_sockglue.c | 1 + net/ipv6/udp.c | 6 +- net/mac80211/cfg.c | 1 + net/mac80211/sta_info.c | 2 +- net/nfc/rawsock.c | 7 +- net/rds/recv.c | 3 +- net/socket.c | 2 +- net/wireless/nl80211.c | 6 +- net/x25/x25_subr.c | 6 ++ security/smack/smack_lsm.c | 2 - security/smack/smackfs.c | 19 +++- sound/core/seq/oss/seq_oss.c | 8 +- sound/pci/echoaudio/echoaudio.c | 2 - sound/usb/card.h | 1 + sound/usb/mixer_quirks.c | 1 + sound/usb/pcm.c | 6 ++ sound/usb/quirks-table.h | 64 +++++++++++- sound/usb/quirks.c | 3 + sound/usb/stream.c | 1 + tools/lib/traceevent/event-parse.c | 1 + 157 files changed, 973 insertions(+), 476 deletions(-)

4 years, 2 months

7
163
0 0

+ mm-gup-use-unpin_user_pages-in-check_and_migrate_cma_pages.patch added to -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: mm/gup: use unpin_user_pages() in check_and_migrate_cma_pages() has been added to the -mm tree. Its filename is mm-gup-use-unpin_user_pages-in-check_and_migrate_cma_pages.patch This patch should soon appear at https://ozlabs.org/~akpm/mmots/broken-out/mm-gup-use-unpin_user_pages-in-ch… and later at https://ozlabs.org/~akpm/mmotm/broken-out/mm-gup-use-unpin_user_pages-in-ch… Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: Jason Gunthorpe <jgg(a)nvidia.com> Subject: mm/gup: use unpin_user_pages() in check_and_migrate_cma_pages() When FOLL_PIN is passed to __get_user_pages() the page list must be put back using unpin_user_pages() otherwise the page pin reference persists in a corrupted state. Link: https://lkml.kernel.org/r/0-v1-976effcd4468+d4-gup_cma_fix_jgg@nvidia.com Fixes: 3faa52c03f44 ("mm/gup: track FOLL_PIN pages") Signed-off-by: Jason Gunthorpe <jgg(a)nvidia.com> Cc: Aneesh Kumar K.V <aneesh.kumar(a)linux.ibm.com> Cc: Claudio Imbrenda <imbrenda(a)linux.ibm.com> Cc: Ira Weiny <ira.weiny(a)intel.com> Cc: Jan Kara <jack(a)suse.cz> Cc: John Hubbard <jhubbard(a)nvidia.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/gup.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) --- a/mm/gup.c~mm-gup-use-unpin_user_pages-in-check_and_migrate_cma_pages +++ a/mm/gup.c @@ -1647,8 +1647,11 @@ check_again: /* * drop the above get_user_pages reference. */ - for (i = 0; i < nr_pages; i++) - put_page(pages[i]); + if (gup_flags & FOLL_PIN) + unpin_user_pages(pages, nr_pages); + else + for (i = 0; i < nr_pages; i++) + put_page(pages[i]); if (migrate_pages(&cma_page_list, alloc_migration_target, NULL, (unsigned long)&mtc, MIGRATE_SYNC, MR_CONTIG_RANGE)) { _ Patches currently in -mm which might be from jgg(a)nvidia.com are mm-always-have-io_remap_pfn_range-set-pgprot_decrypted.patch mm-gup-use-unpin_user_pages-in-check_and_migrate_cma_pages.patch

4 years, 2 months

1
0
0 0

+ mm-compaction-stop-isolation-if-too-many-pages-are-isolated-and-we-have-pages-to-migrate.patch added to -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: mm/compaction: stop isolation if too many pages are isolated and we have pages to migrate has been added to the -mm tree. Its filename is mm-compaction-stop-isolation-if-too-many-pages-are-isolated-and-we-have-pages-to-migrate.patch This patch should soon appear at https://ozlabs.org/~akpm/mmots/broken-out/mm-compaction-stop-isolation-if-t… and later at https://ozlabs.org/~akpm/mmotm/broken-out/mm-compaction-stop-isolation-if-t… Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: Zi Yan <ziy(a)nvidia.com> Subject: mm/compaction: stop isolation if too many pages are isolated and we have pages to migrate In isolate_migratepages_block, if we have too many isolated pages and nr_migratepages is not zero, we should try to migrate what we have without wasting time on isolating. Link: https://lkml.kernel.org/r/20201030183809.3616803-2-zi.yan@sent.com Fixes: 1da2f328fa64 (“mm,thp,compaction,cma: allow THP migration for CMA allocations”) Signed-off-by: Zi Yan <ziy(a)nvidia.com> Suggested-by: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Cc: Mel Gorman <mgorman(a)techsingularity.net> Cc: Michal Hocko <mhocko(a)kernel.org> Cc: Rik van Riel <riel(a)surriel.com> Cc: Yang Shi <shy828301(a)gmail.com> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/compaction.c | 4 ++++ 1 file changed, 4 insertions(+) --- a/mm/compaction.c~mm-compaction-stop-isolation-if-too-many-pages-are-isolated-and-we-have-pages-to-migrate +++ a/mm/compaction.c @@ -817,6 +817,10 @@ isolate_migratepages_block(struct compac * delay for some time until fewer pages are isolated */ while (unlikely(too_many_isolated(pgdat))) { + /* stop isolation if there are still pages not migrated */ + if (cc->nr_migratepages) + return 0; + /* async migration should just abort */ if (cc->mode == MIGRATE_ASYNC) return 0; _ Patches currently in -mm which might be from ziy(a)nvidia.com are mm-compaction-count-pages-and-stop-correctly-during-page-isolation.patch mm-compaction-count-pages-and-stop-correctly-during-page-isolation-v3.patch mm-compaction-stop-isolation-if-too-many-pages-are-isolated-and-we-have-pages-to-migrate.patch

4 years, 2 months

1
0
0 0

[PATCH 4.4] fscrypt: return -EXDEV for incompatible rename or link into encrypted dir

by Eric Biggers

From: Eric Biggers <ebiggers(a)google.com> commit f5e55e777cc93eae1416f0fa4908e8846b6d7825 upstream. [Please apply to 4.4-stable. This is an important fix to have, and it will be needed for xfstest generic/398 to pass if https://lkml.kernel.org/r/20201031054141.695517-1-ebiggers@kernel.org is applied. Note, this commit had to be reworked to apply to 4.4.] Currently, trying to rename or link a regular file, directory, or symlink into an encrypted directory fails with EPERM when the source file is unencrypted or is encrypted with a different encryption policy, and is on the same mountpoint. It is correct for the operation to fail, but the choice of EPERM breaks tools like 'mv' that know to copy rather than rename if they see EXDEV, but don't know what to do with EPERM. Our original motivation for EPERM was to encourage users to securely handle their data. Encrypting files by "moving" them into an encrypted directory can be insecure because the unencrypted data may remain in free space on disk, where it can later be recovered by an attacker. It's much better to encrypt the data from the start, or at least try to securely delete the source data e.g. using the 'shred' program. However, the current behavior hasn't been effective at achieving its goal because users tend to be confused, hack around it, and complain; see e.g. https://github.com/google/fscrypt/issues/76. And in some cases it's actually inconsistent or unnecessary. For example, 'mv'-ing files between differently encrypted directories doesn't work even in cases where it can be secure, such as when in userspace the same passphrase protects both directories. Yet, you *can* already 'mv' unencrypted files into an encrypted directory if the source files are on a different mountpoint, even though doing so is often insecure. There are probably better ways to teach users to securely handle their files. For example, the 'fscrypt' userspace tool could provide a command that migrates unencrypted files into an encrypted directory, acting like 'shred' on the source files and providing appropriate warnings depending on the type of the source filesystem and disk. Receiving errors on unimportant files might also force some users to disable encryption, thus making the behavior counterproductive. It's desirable to make encryption as unobtrusive as possible. Therefore, change the error code from EPERM to EXDEV so that tools looking for EXDEV will fall back to a copy. This, of course, doesn't prevent users from still doing the right things to securely manage their files. Note that this also matches the behavior when a file is renamed between two project quota hierarchies; so there's precedent for using EXDEV for things other than mountpoints. xfstests generic/398 will require an update with this change. [Rewritten from an earlier patch series by Michael Halcrow.] Cc: Michael Halcrow <mhalcrow(a)google.com> Cc: Joe Richey <joerichey(a)google.com> Signed-off-by: Eric Biggers <ebiggers(a)google.com> --- fs/ext4/namei.c | 6 +++--- fs/f2fs/namei.c | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c index 061b026e464c5..96d77a42ecdea 100644 --- a/fs/ext4/namei.c +++ b/fs/ext4/namei.c @@ -3218,7 +3218,7 @@ static int ext4_link(struct dentry *old_dentry, return -EMLINK; if (ext4_encrypted_inode(dir) && !ext4_is_child_context_consistent_with_parent(dir, inode)) - return -EPERM; + return -EXDEV; err = dquot_initialize(dir); if (err) return err; @@ -3537,7 +3537,7 @@ static int ext4_rename(struct inode *old_dir, struct dentry *old_dentry, ext4_encrypted_inode(new.dir) && !ext4_is_child_context_consistent_with_parent(new.dir, old.inode)) { - retval = -EPERM; + retval = -EXDEV; goto end_rename; } @@ -3718,7 +3718,7 @@ static int ext4_cross_rename(struct inode *old_dir, struct dentry *old_dentry, old.inode) || !ext4_is_child_context_consistent_with_parent(old_dir, new.inode))) - return -EPERM; + return -EXDEV; retval = dquot_initialize(old.dir); if (retval) diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c index e5553cd8fe4ed..1475a00ae7c8e 100644 --- a/fs/f2fs/namei.c +++ b/fs/f2fs/namei.c @@ -169,7 +169,7 @@ static int f2fs_link(struct dentry *old_dentry, struct inode *dir, if (f2fs_encrypted_inode(dir) && !f2fs_is_child_context_consistent_with_parent(dir, inode)) - return -EPERM; + return -EXDEV; f2fs_balance_fs(sbi); @@ -597,7 +597,7 @@ static int f2fs_rename(struct inode *old_dir, struct dentry *old_dentry, if ((old_dir != new_dir) && f2fs_encrypted_inode(new_dir) && !f2fs_is_child_context_consistent_with_parent(new_dir, old_inode)) { - err = -EPERM; + err = -EXDEV; goto out; } @@ -758,7 +758,7 @@ static int f2fs_cross_rename(struct inode *old_dir, struct dentry *old_dentry, old_inode) || !f2fs_is_child_context_consistent_with_parent(old_dir, new_inode))) - return -EPERM; + return -EXDEV; f2fs_balance_fs(sbi); -- 2.29.1

4 years, 2 months

1
0
0 0

[PATCH 4.9] fscrypt: return -EXDEV for incompatible rename or link into encrypted dir

by Eric Biggers

From: Eric Biggers <ebiggers(a)google.com> commit f5e55e777cc93eae1416f0fa4908e8846b6d7825 upstream. [Please apply to 4.9-stable. This is an important fix to have, and it will be needed for xfstest generic/398 to pass if https://lkml.kernel.org/r/20201031054141.695517-1-ebiggers@kernel.org is applied. Note, this commit had to be reworked to apply to 4.9.] Currently, trying to rename or link a regular file, directory, or symlink into an encrypted directory fails with EPERM when the source file is unencrypted or is encrypted with a different encryption policy, and is on the same mountpoint. It is correct for the operation to fail, but the choice of EPERM breaks tools like 'mv' that know to copy rather than rename if they see EXDEV, but don't know what to do with EPERM. Our original motivation for EPERM was to encourage users to securely handle their data. Encrypting files by "moving" them into an encrypted directory can be insecure because the unencrypted data may remain in free space on disk, where it can later be recovered by an attacker. It's much better to encrypt the data from the start, or at least try to securely delete the source data e.g. using the 'shred' program. However, the current behavior hasn't been effective at achieving its goal because users tend to be confused, hack around it, and complain; see e.g. https://github.com/google/fscrypt/issues/76. And in some cases it's actually inconsistent or unnecessary. For example, 'mv'-ing files between differently encrypted directories doesn't work even in cases where it can be secure, such as when in userspace the same passphrase protects both directories. Yet, you *can* already 'mv' unencrypted files into an encrypted directory if the source files are on a different mountpoint, even though doing so is often insecure. There are probably better ways to teach users to securely handle their files. For example, the 'fscrypt' userspace tool could provide a command that migrates unencrypted files into an encrypted directory, acting like 'shred' on the source files and providing appropriate warnings depending on the type of the source filesystem and disk. Receiving errors on unimportant files might also force some users to disable encryption, thus making the behavior counterproductive. It's desirable to make encryption as unobtrusive as possible. Therefore, change the error code from EPERM to EXDEV so that tools looking for EXDEV will fall back to a copy. This, of course, doesn't prevent users from still doing the right things to securely manage their files. Note that this also matches the behavior when a file is renamed between two project quota hierarchies; so there's precedent for using EXDEV for things other than mountpoints. xfstests generic/398 will require an update with this change. [Rewritten from an earlier patch series by Michael Halcrow.] Cc: Michael Halcrow <mhalcrow(a)google.com> Cc: Joe Richey <joerichey(a)google.com> Signed-off-by: Eric Biggers <ebiggers(a)google.com> --- fs/crypto/policy.c | 3 +-- fs/ext4/namei.c | 6 +++--- fs/f2fs/namei.c | 6 +++--- 3 files changed, 7 insertions(+), 8 deletions(-) diff --git a/fs/crypto/policy.c b/fs/crypto/policy.c index 57a97b38a2fa2..51f4463718e84 100644 --- a/fs/crypto/policy.c +++ b/fs/crypto/policy.c @@ -180,8 +180,7 @@ EXPORT_SYMBOL(fscrypt_get_policy); * malicious offline violations of this constraint, while the link and rename * checks are needed to prevent online violations of this constraint. * - * Return: 1 if permitted, 0 if forbidden. If forbidden, the caller must fail - * the filesystem operation with EPERM. + * Return: 1 if permitted, 0 if forbidden. */ int fscrypt_has_permitted_context(struct inode *parent, struct inode *child) { diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c index 157dbbe235f90..8ded38ac4cdef 100644 --- a/fs/ext4/namei.c +++ b/fs/ext4/namei.c @@ -3259,7 +3259,7 @@ static int ext4_link(struct dentry *old_dentry, return -EMLINK; if (ext4_encrypted_inode(dir) && !fscrypt_has_permitted_context(dir, inode)) - return -EPERM; + return -EXDEV; if ((ext4_test_inode_flag(dir, EXT4_INODE_PROJINHERIT)) && (!projid_eq(EXT4_I(dir)->i_projid, @@ -3597,7 +3597,7 @@ static int ext4_rename(struct inode *old_dir, struct dentry *old_dentry, if ((old.dir != new.dir) && ext4_encrypted_inode(new.dir) && !fscrypt_has_permitted_context(new.dir, old.inode)) { - retval = -EPERM; + retval = -EXDEV; goto end_rename; } @@ -3776,7 +3776,7 @@ static int ext4_cross_rename(struct inode *old_dir, struct dentry *old_dentry, (old_dir != new_dir) && (!fscrypt_has_permitted_context(new_dir, old.inode) || !fscrypt_has_permitted_context(old_dir, new.inode))) - return -EPERM; + return -EXDEV; if ((ext4_test_inode_flag(new_dir, EXT4_INODE_PROJINHERIT) && !projid_eq(EXT4_I(new_dir)->i_projid, diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c index ccb99d5cfd8b0..ce0957318771c 100644 --- a/fs/f2fs/namei.c +++ b/fs/f2fs/namei.c @@ -177,7 +177,7 @@ static int f2fs_link(struct dentry *old_dentry, struct inode *dir, if (f2fs_encrypted_inode(dir) && !fscrypt_has_permitted_context(dir, inode)) - return -EPERM; + return -EXDEV; f2fs_balance_fs(sbi, true); @@ -667,7 +667,7 @@ static int f2fs_rename(struct inode *old_dir, struct dentry *old_dentry, if ((old_dir != new_dir) && f2fs_encrypted_inode(new_dir) && !fscrypt_has_permitted_context(new_dir, old_inode)) { - err = -EPERM; + err = -EXDEV; goto out; } @@ -855,7 +855,7 @@ static int f2fs_cross_rename(struct inode *old_dir, struct dentry *old_dentry, (old_dir != new_dir) && (!fscrypt_has_permitted_context(new_dir, old_inode) || !fscrypt_has_permitted_context(old_dir, new_inode))) - return -EPERM; + return -EXDEV; old_entry = f2fs_find_entry(old_dir, &old_dentry->d_name, &old_page); if (!old_entry) { -- 2.29.1

4 years, 2 months

1
0
0 0

[PATCH 4.14] fscrypt: return -EXDEV for incompatible rename or link into encrypted dir

by Eric Biggers

From: Eric Biggers <ebiggers(a)google.com> commit f5e55e777cc93eae1416f0fa4908e8846b6d7825 upstream. [Please apply to 4.14-stable. This is an important fix to have, and it will be needed for xfstest generic/398 to pass if https://lkml.kernel.org/r/20201031054141.695517-1-ebiggers@kernel.org is applied. Note, this commit had to be reworked to apply to 4.14.] Currently, trying to rename or link a regular file, directory, or symlink into an encrypted directory fails with EPERM when the source file is unencrypted or is encrypted with a different encryption policy, and is on the same mountpoint. It is correct for the operation to fail, but the choice of EPERM breaks tools like 'mv' that know to copy rather than rename if they see EXDEV, but don't know what to do with EPERM. Our original motivation for EPERM was to encourage users to securely handle their data. Encrypting files by "moving" them into an encrypted directory can be insecure because the unencrypted data may remain in free space on disk, where it can later be recovered by an attacker. It's much better to encrypt the data from the start, or at least try to securely delete the source data e.g. using the 'shred' program. However, the current behavior hasn't been effective at achieving its goal because users tend to be confused, hack around it, and complain; see e.g. https://github.com/google/fscrypt/issues/76. And in some cases it's actually inconsistent or unnecessary. For example, 'mv'-ing files between differently encrypted directories doesn't work even in cases where it can be secure, such as when in userspace the same passphrase protects both directories. Yet, you *can* already 'mv' unencrypted files into an encrypted directory if the source files are on a different mountpoint, even though doing so is often insecure. There are probably better ways to teach users to securely handle their files. For example, the 'fscrypt' userspace tool could provide a command that migrates unencrypted files into an encrypted directory, acting like 'shred' on the source files and providing appropriate warnings depending on the type of the source filesystem and disk. Receiving errors on unimportant files might also force some users to disable encryption, thus making the behavior counterproductive. It's desirable to make encryption as unobtrusive as possible. Therefore, change the error code from EPERM to EXDEV so that tools looking for EXDEV will fall back to a copy. This, of course, doesn't prevent users from still doing the right things to securely manage their files. Note that this also matches the behavior when a file is renamed between two project quota hierarchies; so there's precedent for using EXDEV for things other than mountpoints. xfstests generic/398 will require an update with this change. [Rewritten from an earlier patch series by Michael Halcrow.] Cc: Michael Halcrow <mhalcrow(a)google.com> Cc: Joe Richey <joerichey(a)google.com> Signed-off-by: Eric Biggers <ebiggers(a)google.com> --- fs/crypto/policy.c | 3 +-- fs/ext4/namei.c | 6 +++--- fs/f2fs/namei.c | 6 +++--- fs/ubifs/dir.c | 6 +++--- 4 files changed, 10 insertions(+), 11 deletions(-) diff --git a/fs/crypto/policy.c b/fs/crypto/policy.c index d13a154c84240..4cda0e960bc26 100644 --- a/fs/crypto/policy.c +++ b/fs/crypto/policy.c @@ -153,8 +153,7 @@ EXPORT_SYMBOL(fscrypt_ioctl_get_policy); * malicious offline violations of this constraint, while the link and rename * checks are needed to prevent online violations of this constraint. * - * Return: 1 if permitted, 0 if forbidden. If forbidden, the caller must fail - * the filesystem operation with EPERM. + * Return: 1 if permitted, 0 if forbidden. */ int fscrypt_has_permitted_context(struct inode *parent, struct inode *child) { diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c index 3f999053457b6..6936de30fcf0d 100644 --- a/fs/ext4/namei.c +++ b/fs/ext4/namei.c @@ -3280,7 +3280,7 @@ static int ext4_link(struct dentry *old_dentry, return -EMLINK; if (ext4_encrypted_inode(dir) && !fscrypt_has_permitted_context(dir, inode)) - return -EPERM; + return -EXDEV; if ((ext4_test_inode_flag(dir, EXT4_INODE_PROJINHERIT)) && (!projid_eq(EXT4_I(dir)->i_projid, @@ -3618,7 +3618,7 @@ static int ext4_rename(struct inode *old_dir, struct dentry *old_dentry, if ((old.dir != new.dir) && ext4_encrypted_inode(new.dir) && !fscrypt_has_permitted_context(new.dir, old.inode)) { - retval = -EPERM; + retval = -EXDEV; goto end_rename; } @@ -3798,7 +3798,7 @@ static int ext4_cross_rename(struct inode *old_dir, struct dentry *old_dentry, (old_dir != new_dir) && (!fscrypt_has_permitted_context(new_dir, old.inode) || !fscrypt_has_permitted_context(old_dir, new.inode))) - return -EPERM; + return -EXDEV; if ((ext4_test_inode_flag(new_dir, EXT4_INODE_PROJINHERIT) && !projid_eq(EXT4_I(new_dir)->i_projid, diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c index b13383948fca3..9fb98fce70965 100644 --- a/fs/f2fs/namei.c +++ b/fs/f2fs/namei.c @@ -222,7 +222,7 @@ static int f2fs_link(struct dentry *old_dentry, struct inode *dir, if (f2fs_encrypted_inode(dir) && !fscrypt_has_permitted_context(dir, inode)) - return -EPERM; + return -EXDEV; if (is_inode_flag_set(dir, FI_PROJ_INHERIT) && (!projid_eq(F2FS_I(dir)->i_projid, @@ -746,7 +746,7 @@ static int f2fs_rename(struct inode *old_dir, struct dentry *old_dentry, if ((old_dir != new_dir) && f2fs_encrypted_inode(new_dir) && !fscrypt_has_permitted_context(new_dir, old_inode)) { - err = -EPERM; + err = -EXDEV; goto out; } @@ -942,7 +942,7 @@ static int f2fs_cross_rename(struct inode *old_dir, struct dentry *old_dentry, (old_dir != new_dir) && (!fscrypt_has_permitted_context(new_dir, old_inode) || !fscrypt_has_permitted_context(old_dir, new_inode))) - return -EPERM; + return -EXDEV; if ((is_inode_flag_set(new_dir, FI_PROJ_INHERIT) && !projid_eq(F2FS_I(new_dir)->i_projid, diff --git a/fs/ubifs/dir.c b/fs/ubifs/dir.c index 358abc26dbc0b..9d5face7fdc01 100644 --- a/fs/ubifs/dir.c +++ b/fs/ubifs/dir.c @@ -747,7 +747,7 @@ static int ubifs_link(struct dentry *old_dentry, struct inode *dir, if (ubifs_crypt_is_encrypted(dir) && !fscrypt_has_permitted_context(dir, inode)) - return -EPERM; + return -EXDEV; err = fscrypt_setup_filename(dir, &dentry->d_name, 0, &nm); if (err) @@ -1357,7 +1357,7 @@ static int do_rename(struct inode *old_dir, struct dentry *old_dentry, if (old_dir != new_dir) { if (ubifs_crypt_is_encrypted(new_dir) && !fscrypt_has_permitted_context(new_dir, old_inode)) - return -EPERM; + return -EXDEV; } if (unlink && is_dir) { @@ -1579,7 +1579,7 @@ static int ubifs_xrename(struct inode *old_dir, struct dentry *old_dentry, (old_dir != new_dir) && (!fscrypt_has_permitted_context(new_dir, fst_inode) || !fscrypt_has_permitted_context(old_dir, snd_inode))) - return -EPERM; + return -EXDEV; err = fscrypt_setup_filename(old_dir, &old_dentry->d_name, 0, &fst_nm); if (err) -- 2.29.1

4 years, 2 months

1
0
0 0

stable-rc/queue/4.9 baseline: 135 runs, 1 regressions (v4.9.241-11-g04b990a9881a)

by kernelci.org bot

stable-rc/queue/4.9 baseline: 135 runs, 1 regressions (v4.9.241-11-g04b990a9881a) Regressions Summary ------------------- platform | arch | lab | compiler | defconfig | regressions ---------+------+---------------+----------+---------------------+------------ panda | arm | lab-collabora | gcc-8 | omap2plus_defconfig | 1 Details: https://kernelci.org/test/job/stable-rc/branch/queue%2F4.9/kernel/v4.9.241-… Test: baseline Tree: stable-rc Branch: queue/4.9 Describe: v4.9.241-11-g04b990a9881a URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git SHA: 04b990a9881ae9d88501e81eb6999063636e9f18 Test Regressions ---------------- platform | arch | lab | compiler | defconfig | regressions ---------+------+---------------+----------+---------------------+------------ panda | arm | lab-collabora | gcc-8 | omap2plus_defconfig | 1 Details: https://kernelci.org/test/plan/id/5f9d7d3fbfee3f911c3fe7f1 Results: 3 PASS, 1 FAIL, 1 SKIP Full config: omap2plus_defconfig Compiler: gcc-8 (arm-linux-gnueabihf-gcc (Debian 8.3.0-2) 8.3.0) Plain log: https://storage.kernelci.org//stable-rc/queue-4.9/v4.9.241-11-g04b990a9881a… HTML log: https://storage.kernelci.org//stable-rc/queue-4.9/v4.9.241-11-g04b990a9881a… Rootfs: http://storage.kernelci.org/images/rootfs/buildroot/kci-2020.05-4-g97706c5d… * baseline.dmesg.emerg: https://kernelci.org/test/case/id/5f9d7d40bfee3f911c3fe7f8 failing since 0 day (last pass: v4.9.241-4-g8d9cc85ab09b, first fail: v4.9.241-4-g40bcb1fe569e) 2 lines 2020-10-31 15:05:32.176000+00:00 kern :emerg : BUG: spinlock bad magic on CPU#0, udevd/128 2020-10-31 15:05:32.185000+00:00 kern :emerg : lock: emif_lock+0x0/0xfffff234 [emif], .magic: dead4ead, .owner: <none>/-1, .owner_cpu: -1

4 years, 2 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror October 2020