tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ecryptfs/ecryptfs-2.6

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ecryptfs/ecryptfs-2.6:
eCryptfs: write lock requested keys
eCryptfs: move ecryptfs_find_auth_tok_for_sig() call before mutex_lock
eCryptfs: verify authentication tokens before their use
eCryptfs: modified size of keysig in the ecryptfs_key_sig structure
eCryptfs: removed num_global_auth_toks from ecryptfs_mount_crypt_stat
eCryptfs: ecryptfs_keyring_auth_tok_for_sig() bug fix
eCryptfs: Unlock page in write_begin error path
ecryptfs: modify write path to encrypt page in writepage
eCryptfs: Remove ECRYPTFS_NEW_FILE crypt stat flag
eCryptfs: Remove unnecessary grow_file() function

Linus Torvalds 7f5fe3ec 212a17ab

+235 -188
unified split
+1 -1
fs/ecryptfs/crypto.c
··· 266 &mount_crypt_stat->global_auth_tok_list, 267 mount_crypt_stat_list) { 268 list_del(&auth_tok->mount_crypt_stat_list); 269 - mount_crypt_stat->num_global_auth_toks--; 270 if (auth_tok->global_auth_tok_key 271 && !(auth_tok->flags & ECRYPTFS_AUTH_TOK_INVALID)) 272 key_put(auth_tok->global_auth_tok_key); ··· 1388 rc = -ENOMEM; 1389 goto out; 1390 } 1391 rc = ecryptfs_write_headers_virt(virt, virt_len, &size, crypt_stat, 1392 ecryptfs_dentry); 1393 if (unlikely(rc)) {
··· 266 &mount_crypt_stat->global_auth_tok_list, 267 mount_crypt_stat_list) { 268 list_del(&auth_tok->mount_crypt_stat_list); 269 if (auth_tok->global_auth_tok_key 270 && !(auth_tok->flags & ECRYPTFS_AUTH_TOK_INVALID)) 271 key_put(auth_tok->global_auth_tok_key); ··· 1389 rc = -ENOMEM; 1390 goto out; 1391 } 1392 + /* Zeroed page ensures the in-header unencrypted i_size is set to 0 */ 1393 rc = ecryptfs_write_headers_virt(virt, virt_len, &size, crypt_stat, 1394 ecryptfs_dentry); 1395 if (unlikely(rc)) {
+13 -17
fs/ecryptfs/ecryptfs_kernel.h
··· 233 234 struct ecryptfs_key_sig { 235 struct list_head crypt_stat_list; 236 - char keysig[ECRYPTFS_SIG_SIZE_HEX]; 237 }; 238 239 struct ecryptfs_filename { ··· 257 struct ecryptfs_crypt_stat { 258 #define ECRYPTFS_STRUCT_INITIALIZED 0x00000001 259 #define ECRYPTFS_POLICY_APPLIED 0x00000002 260 - #define ECRYPTFS_NEW_FILE 0x00000004 261 - #define ECRYPTFS_ENCRYPTED 0x00000008 262 - #define ECRYPTFS_SECURITY_WARNING 0x00000010 263 - #define ECRYPTFS_ENABLE_HMAC 0x00000020 264 - #define ECRYPTFS_ENCRYPT_IV_PAGES 0x00000040 265 - #define ECRYPTFS_KEY_VALID 0x00000080 266 - #define ECRYPTFS_METADATA_IN_XATTR 0x00000100 267 - #define ECRYPTFS_VIEW_AS_ENCRYPTED 0x00000200 268 - #define ECRYPTFS_KEY_SET 0x00000400 269 - #define ECRYPTFS_ENCRYPT_FILENAMES 0x00000800 270 - #define ECRYPTFS_ENCFN_USE_MOUNT_FNEK 0x00001000 271 - #define ECRYPTFS_ENCFN_USE_FEK 0x00002000 272 - #define ECRYPTFS_UNLINK_SIGS 0x00004000 273 u32 flags; 274 unsigned int file_version; 275 size_t iv_bytes; ··· 296 struct inode vfs_inode; 297 struct inode *wii_inode; 298 struct file *lower_file; 299 - struct mutex lower_file_mutex; 300 struct ecryptfs_crypt_stat crypt_stat; 301 }; 302 ··· 331 u32 flags; 332 struct list_head mount_crypt_stat_list; 333 struct key *global_auth_tok_key; 334 - struct ecryptfs_auth_tok *global_auth_tok; 335 unsigned char sig[ECRYPTFS_SIG_SIZE_HEX + 1]; 336 }; 337 ··· 377 u32 flags; 378 struct list_head global_auth_tok_list; 379 struct mutex global_auth_tok_list_mutex; 380 - size_t num_global_auth_toks; 381 size_t global_default_cipher_key_size; 382 size_t global_default_fn_cipher_key_bytes; 383 unsigned char global_default_cipher_name[ECRYPTFS_MAX_CIPHER_NAME_SIZE
··· 233 234 struct ecryptfs_key_sig { 235 struct list_head crypt_stat_list; 236 + char keysig[ECRYPTFS_SIG_SIZE_HEX + 1]; 237 }; 238 239 struct ecryptfs_filename { ··· 257 struct ecryptfs_crypt_stat { 258 #define ECRYPTFS_STRUCT_INITIALIZED 0x00000001 259 #define ECRYPTFS_POLICY_APPLIED 0x00000002 260 + #define ECRYPTFS_ENCRYPTED 0x00000004 261 + #define ECRYPTFS_SECURITY_WARNING 0x00000008 262 + #define ECRYPTFS_ENABLE_HMAC 0x00000010 263 + #define ECRYPTFS_ENCRYPT_IV_PAGES 0x00000020 264 + #define ECRYPTFS_KEY_VALID 0x00000040 265 + #define ECRYPTFS_METADATA_IN_XATTR 0x00000080 266 + #define ECRYPTFS_VIEW_AS_ENCRYPTED 0x00000100 267 + #define ECRYPTFS_KEY_SET 0x00000200 268 + #define ECRYPTFS_ENCRYPT_FILENAMES 0x00000400 269 + #define ECRYPTFS_ENCFN_USE_MOUNT_FNEK 0x00000800 270 + #define ECRYPTFS_ENCFN_USE_FEK 0x00001000 271 + #define ECRYPTFS_UNLINK_SIGS 0x00002000 272 u32 flags; 273 unsigned int file_version; 274 size_t iv_bytes; ··· 297 struct inode vfs_inode; 298 struct inode *wii_inode; 299 struct file *lower_file; 300 struct ecryptfs_crypt_stat crypt_stat; 301 }; 302 ··· 333 u32 flags; 334 struct list_head mount_crypt_stat_list; 335 struct key *global_auth_tok_key; 336 unsigned char sig[ECRYPTFS_SIG_SIZE_HEX + 1]; 337 }; 338 ··· 380 u32 flags; 381 struct list_head global_auth_tok_list; 382 struct mutex global_auth_tok_list_mutex; 383 size_t global_default_cipher_key_size; 384 size_t global_default_fn_cipher_key_bytes; 385 unsigned char global_default_cipher_name[ECRYPTFS_MAX_CIPHER_NAME_SIZE
+8 -1
fs/ecryptfs/file.c
··· 273 static int 274 ecryptfs_fsync(struct file *file, int datasync) 275 { 276 - return vfs_fsync(ecryptfs_file_to_lower(file), datasync); 277 } 278 279 static int ecryptfs_fasync(int fd, struct file *file, int flag)
··· 273 static int 274 ecryptfs_fsync(struct file *file, int datasync) 275 { 276 + int rc = 0; 277 + 278 + rc = generic_file_fsync(file, datasync); 279 + if (rc) 280 + goto out; 281 + rc = vfs_fsync(ecryptfs_file_to_lower(file), datasync); 282 + out: 283 + return rc; 284 } 285 286 static int ecryptfs_fasync(int fd, struct file *file, int flag)
-24
fs/ecryptfs/inode.c
··· 143 } 144 145 /** 146 - * grow_file 147 - * @ecryptfs_dentry: the eCryptfs dentry 148 - * 149 - * This is the code which will grow the file to its correct size. 150 - */ 151 - static int grow_file(struct dentry *ecryptfs_dentry) 152 - { 153 - struct inode *ecryptfs_inode = ecryptfs_dentry->d_inode; 154 - char zero_virt[] = { 0x00 }; 155 - int rc = 0; 156 - 157 - rc = ecryptfs_write(ecryptfs_inode, zero_virt, 0, 1); 158 - i_size_write(ecryptfs_inode, 0); 159 - rc = ecryptfs_write_inode_size_to_metadata(ecryptfs_inode); 160 - ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat.flags |= 161 - ECRYPTFS_NEW_FILE; 162 - return rc; 163 - } 164 - 165 - /** 166 * ecryptfs_initialize_file 167 * 168 * Cause the file to be changed from a basic empty file to an ecryptfs ··· 161 crypt_stat->flags &= ~(ECRYPTFS_ENCRYPTED); 162 goto out; 163 } 164 - crypt_stat->flags |= ECRYPTFS_NEW_FILE; 165 ecryptfs_printk(KERN_DEBUG, "Initializing crypto context\n"); 166 rc = ecryptfs_new_file_context(ecryptfs_dentry); 167 if (rc) { ··· 181 printk(KERN_ERR "Error writing headers; rc = [%d]\n", rc); 182 goto out; 183 } 184 - rc = grow_file(ecryptfs_dentry); 185 - if (rc) 186 - printk(KERN_ERR "Error growing file; rc = [%d]\n", rc); 187 out: 188 return rc; 189 }
··· 143 } 144 145 /** 146 * ecryptfs_initialize_file 147 * 148 * Cause the file to be changed from a basic empty file to an ecryptfs ··· 181 crypt_stat->flags &= ~(ECRYPTFS_ENCRYPTED); 182 goto out; 183 } 184 ecryptfs_printk(KERN_DEBUG, "Initializing crypto context\n"); 185 rc = ecryptfs_new_file_context(ecryptfs_dentry); 186 if (rc) { ··· 202 printk(KERN_ERR "Error writing headers; rc = [%d]\n", rc); 203 goto out; 204 } 205 out: 206 return rc; 207 }
+171 -101
fs/ecryptfs/keystore.c
··· 65 return rc; 66 } 67 68 /** 69 * ecryptfs_parse_packet_length 70 * @data: Pointer to memory containing length at offset ··· 421 return rc; 422 } 423 424 static int 425 ecryptfs_find_global_auth_tok_for_sig( 426 - struct ecryptfs_global_auth_tok **global_auth_tok, 427 struct ecryptfs_mount_crypt_stat *mount_crypt_stat, char *sig) 428 { 429 struct ecryptfs_global_auth_tok *walker; 430 int rc = 0; 431 432 - (*global_auth_tok) = NULL; 433 mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex); 434 list_for_each_entry(walker, 435 &mount_crypt_stat->global_auth_tok_list, 436 mount_crypt_stat_list) { 437 - if (memcmp(walker->sig, sig, ECRYPTFS_SIG_SIZE_HEX) == 0) { 438 - rc = key_validate(walker->global_auth_tok_key); 439 - if (!rc) 440 - (*global_auth_tok) = walker; 441 goto out; 442 } 443 } 444 - rc = -EINVAL; 445 out: 446 mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex); 447 return rc; ··· 562 struct ecryptfs_mount_crypt_stat *mount_crypt_stat, 563 char *sig) 564 { 565 - struct ecryptfs_global_auth_tok *global_auth_tok; 566 int rc = 0; 567 568 - (*auth_tok_key) = NULL; 569 - (*auth_tok) = NULL; 570 - if (ecryptfs_find_global_auth_tok_for_sig(&global_auth_tok, 571 - mount_crypt_stat, sig)) { 572 - 573 /* if the flag ECRYPTFS_GLOBAL_MOUNT_AUTH_TOK_ONLY is set in the 574 * mount_crypt_stat structure, we prevent to use auth toks that 575 * are not inserted through the ecryptfs_add_global_auth_tok ··· 578 579 rc = ecryptfs_keyring_auth_tok_for_sig(auth_tok_key, auth_tok, 580 sig); 581 - } else 582 - (*auth_tok) = global_auth_tok->global_auth_tok; 583 return rc; 584 } 585 ··· 638 } 639 s->desc.flags = CRYPTO_TFM_REQ_MAY_SLEEP; 640 (*packet_size) = 0; 641 rc = ecryptfs_get_tfm_and_mutex_for_cipher_name( 642 &s->desc.tfm, 643 &s->tfm_mutex, mount_crypt_stat->global_default_fn_cipher_name); ··· 733 goto out_free_unlock; 734 } 735 dest[s->i++] = s->cipher_code; 736 - rc = ecryptfs_find_auth_tok_for_sig( 737 - &auth_tok_key, 738 - &s->auth_tok, mount_crypt_stat, 739 - mount_crypt_stat->global_default_fnek_sig); 740 - if (rc) { 741 - printk(KERN_ERR "%s: Error attempting to find auth tok for " 742 - "fnek sig [%s]; rc = [%d]\n", __func__, 743 - mount_crypt_stat->global_default_fnek_sig, rc); 744 - goto out_free_unlock; 745 - } 746 /* TODO: Support other key modules than passphrase for 747 * filename encryption */ 748 if (s->auth_tok->token_type != ECRYPTFS_PASSWORD) { ··· 872 out_unlock: 873 mutex_unlock(s->tfm_mutex); 874 out: 875 - if (auth_tok_key) 876 key_put(auth_tok_key); 877 kfree(s); 878 return rc; 879 } ··· 988 __func__, s->cipher_code); 989 goto out; 990 } 991 rc = ecryptfs_get_tfm_and_mutex_for_cipher_name(&s->desc.tfm, 992 &s->tfm_mutex, 993 s->cipher_string); ··· 1043 * >= ECRYPTFS_MAX_IV_BYTES. */ 1044 memset(s->iv, 0, ECRYPTFS_MAX_IV_BYTES); 1045 s->desc.info = s->iv; 1046 - rc = ecryptfs_find_auth_tok_for_sig(&auth_tok_key, 1047 - &s->auth_tok, mount_crypt_stat, 1048 - s->fnek_sig_hex); 1049 - if (rc) { 1050 - printk(KERN_ERR "%s: Error attempting to find auth tok for " 1051 - "fnek sig [%s]; rc = [%d]\n", __func__, s->fnek_sig_hex, 1052 - rc); 1053 - goto out_free_unlock; 1054 - } 1055 /* TODO: Support other key modules than passphrase for 1056 * filename encryption */ 1057 if (s->auth_tok->token_type != ECRYPTFS_PASSWORD) { ··· 1111 (*filename_size) = 0; 1112 (*filename) = NULL; 1113 } 1114 - if (auth_tok_key) 1115 key_put(auth_tok_key); 1116 kfree(s); 1117 return rc; 1118 } ··· 1631 return rc; 1632 } 1633 1634 - /** 1635 - * ecryptfs_verify_version 1636 - * @version: The version number to confirm 1637 - * 1638 - * Returns zero on good version; non-zero otherwise 1639 - */ 1640 - static int ecryptfs_verify_version(u16 version) 1641 - { 1642 - int rc = 0; 1643 - unsigned char major; 1644 - unsigned char minor; 1645 - 1646 - major = ((version >> 8) & 0xFF); 1647 - minor = (version & 0xFF); 1648 - if (major != ECRYPTFS_VERSION_MAJOR) { 1649 - ecryptfs_printk(KERN_ERR, "Major version number mismatch. " 1650 - "Expected [%d]; got [%d]\n", 1651 - ECRYPTFS_VERSION_MAJOR, major); 1652 - rc = -EINVAL; 1653 - goto out; 1654 - } 1655 - if (minor != ECRYPTFS_VERSION_MINOR) { 1656 - ecryptfs_printk(KERN_ERR, "Minor version number mismatch. " 1657 - "Expected [%d]; got [%d]\n", 1658 - ECRYPTFS_VERSION_MINOR, minor); 1659 - rc = -EINVAL; 1660 - goto out; 1661 - } 1662 - out: 1663 - return rc; 1664 - } 1665 - 1666 int ecryptfs_keyring_auth_tok_for_sig(struct key **auth_tok_key, 1667 struct ecryptfs_auth_tok **auth_tok, 1668 char *sig) ··· 1642 printk(KERN_ERR "Could not find key with description: [%s]\n", 1643 sig); 1644 rc = process_request_key_err(PTR_ERR(*auth_tok_key)); 1645 goto out; 1646 } 1647 - (*auth_tok) = ecryptfs_get_key_payload_data(*auth_tok_key); 1648 - if (ecryptfs_verify_version((*auth_tok)->version)) { 1649 - printk(KERN_ERR 1650 - "Data structure version mismatch. " 1651 - "Userspace tools must match eCryptfs " 1652 - "kernel module with major version [%d] " 1653 - "and minor version [%d]\n", 1654 - ECRYPTFS_VERSION_MAJOR, 1655 - ECRYPTFS_VERSION_MINOR); 1656 - rc = -EINVAL; 1657 - goto out_release_key; 1658 - } 1659 - if ((*auth_tok)->token_type != ECRYPTFS_PASSWORD 1660 - && (*auth_tok)->token_type != ECRYPTFS_PRIVATE_KEY) { 1661 - printk(KERN_ERR "Invalid auth_tok structure " 1662 - "returned from key query\n"); 1663 - rc = -EINVAL; 1664 - goto out_release_key; 1665 - } 1666 - out_release_key: 1667 if (rc) { 1668 key_put(*auth_tok_key); 1669 (*auth_tok_key) = NULL; 1670 } 1671 out: 1672 return rc; ··· 1873 find_next_matching_auth_tok: 1874 found_auth_tok = 0; 1875 if (auth_tok_key) { 1876 key_put(auth_tok_key); 1877 auth_tok_key = NULL; 1878 } ··· 1960 out_wipe_list: 1961 wipe_auth_tok_list(&auth_tok_list); 1962 out: 1963 - if (auth_tok_key) 1964 key_put(auth_tok_key); 1965 return rc; 1966 } 1967 ··· 2391 size_t max) 2392 { 2393 struct ecryptfs_auth_tok *auth_tok; 2394 - struct ecryptfs_global_auth_tok *global_auth_tok; 2395 struct ecryptfs_mount_crypt_stat *mount_crypt_stat = 2396 &ecryptfs_superblock_to_private( 2397 ecryptfs_dentry->d_sb)->mount_crypt_stat; ··· 2410 list_for_each_entry(key_sig, &crypt_stat->keysig_list, 2411 crypt_stat_list) { 2412 memset(key_rec, 0, sizeof(*key_rec)); 2413 - rc = ecryptfs_find_global_auth_tok_for_sig(&global_auth_tok, 2414 mount_crypt_stat, 2415 key_sig->keysig); 2416 if (rc) { 2417 - printk(KERN_ERR "Error attempting to get the global " 2418 - "auth_tok; rc = [%d]\n", rc); 2419 goto out_free; 2420 } 2421 - if (global_auth_tok->flags & ECRYPTFS_AUTH_TOK_INVALID) { 2422 - printk(KERN_WARNING 2423 - "Skipping invalid auth tok with sig = [%s]\n", 2424 - global_auth_tok->sig); 2425 - continue; 2426 - } 2427 - auth_tok = global_auth_tok->global_auth_tok; 2428 if (auth_tok->token_type == ECRYPTFS_PASSWORD) { 2429 rc = write_tag_3_packet((dest_base + (*len)), 2430 &max, auth_tok, ··· 2457 rc = -EINVAL; 2458 goto out_free; 2459 } 2460 } 2461 if (likely(max > 0)) { 2462 dest_base[(*len)] = 0x00; ··· 2472 out: 2473 if (rc) 2474 (*len) = 0; 2475 mutex_unlock(&crypt_stat->keysig_list_mutex); 2476 return rc; 2477 } ··· 2494 return -ENOMEM; 2495 } 2496 memcpy(new_key_sig->keysig, sig, ECRYPTFS_SIG_SIZE_HEX); 2497 /* Caller must hold keysig_list_mutex */ 2498 list_add(&new_key_sig->crypt_stat_list, &crypt_stat->keysig_list); 2499 ··· 2524 mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex); 2525 list_add(&new_auth_tok->mount_crypt_stat_list, 2526 &mount_crypt_stat->global_auth_tok_list); 2527 - mount_crypt_stat->num_global_auth_toks++; 2528 mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex); 2529 out: 2530 return rc;
··· 65 return rc; 66 } 67 68 + static int process_find_global_auth_tok_for_sig_err(int err_code) 69 + { 70 + int rc = err_code; 71 + 72 + switch (err_code) { 73 + case -ENOENT: 74 + ecryptfs_printk(KERN_WARNING, "Missing auth tok\n"); 75 + break; 76 + case -EINVAL: 77 + ecryptfs_printk(KERN_WARNING, "Invalid auth tok\n"); 78 + break; 79 + default: 80 + rc = process_request_key_err(err_code); 81 + break; 82 + } 83 + return rc; 84 + } 85 + 86 /** 87 * ecryptfs_parse_packet_length 88 * @data: Pointer to memory containing length at offset ··· 403 return rc; 404 } 405 406 + /** 407 + * ecryptfs_verify_version 408 + * @version: The version number to confirm 409 + * 410 + * Returns zero on good version; non-zero otherwise 411 + */ 412 + static int ecryptfs_verify_version(u16 version) 413 + { 414 + int rc = 0; 415 + unsigned char major; 416 + unsigned char minor; 417 + 418 + major = ((version >> 8) & 0xFF); 419 + minor = (version & 0xFF); 420 + if (major != ECRYPTFS_VERSION_MAJOR) { 421 + ecryptfs_printk(KERN_ERR, "Major version number mismatch. " 422 + "Expected [%d]; got [%d]\n", 423 + ECRYPTFS_VERSION_MAJOR, major); 424 + rc = -EINVAL; 425 + goto out; 426 + } 427 + if (minor != ECRYPTFS_VERSION_MINOR) { 428 + ecryptfs_printk(KERN_ERR, "Minor version number mismatch. " 429 + "Expected [%d]; got [%d]\n", 430 + ECRYPTFS_VERSION_MINOR, minor); 431 + rc = -EINVAL; 432 + goto out; 433 + } 434 + out: 435 + return rc; 436 + } 437 + 438 + /** 439 + * ecryptfs_verify_auth_tok_from_key 440 + * @auth_tok_key: key containing the authentication token 441 + * @auth_tok: authentication token 442 + * 443 + * Returns zero on valid auth tok; -EINVAL otherwise 444 + */ 445 + static int 446 + ecryptfs_verify_auth_tok_from_key(struct key *auth_tok_key, 447 + struct ecryptfs_auth_tok **auth_tok) 448 + { 449 + int rc = 0; 450 + 451 + (*auth_tok) = ecryptfs_get_key_payload_data(auth_tok_key); 452 + if (ecryptfs_verify_version((*auth_tok)->version)) { 453 + printk(KERN_ERR "Data structure version mismatch. Userspace " 454 + "tools must match eCryptfs kernel module with major " 455 + "version [%d] and minor version [%d]\n", 456 + ECRYPTFS_VERSION_MAJOR, ECRYPTFS_VERSION_MINOR); 457 + rc = -EINVAL; 458 + goto out; 459 + } 460 + if ((*auth_tok)->token_type != ECRYPTFS_PASSWORD 461 + && (*auth_tok)->token_type != ECRYPTFS_PRIVATE_KEY) { 462 + printk(KERN_ERR "Invalid auth_tok structure " 463 + "returned from key query\n"); 464 + rc = -EINVAL; 465 + goto out; 466 + } 467 + out: 468 + return rc; 469 + } 470 + 471 static int 472 ecryptfs_find_global_auth_tok_for_sig( 473 + struct key **auth_tok_key, 474 + struct ecryptfs_auth_tok **auth_tok, 475 struct ecryptfs_mount_crypt_stat *mount_crypt_stat, char *sig) 476 { 477 struct ecryptfs_global_auth_tok *walker; 478 int rc = 0; 479 480 + (*auth_tok_key) = NULL; 481 + (*auth_tok) = NULL; 482 mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex); 483 list_for_each_entry(walker, 484 &mount_crypt_stat->global_auth_tok_list, 485 mount_crypt_stat_list) { 486 + if (memcmp(walker->sig, sig, ECRYPTFS_SIG_SIZE_HEX)) 487 + continue; 488 + 489 + if (walker->flags & ECRYPTFS_AUTH_TOK_INVALID) { 490 + rc = -EINVAL; 491 goto out; 492 } 493 + 494 + rc = key_validate(walker->global_auth_tok_key); 495 + if (rc) { 496 + if (rc == -EKEYEXPIRED) 497 + goto out; 498 + goto out_invalid_auth_tok; 499 + } 500 + 501 + down_write(&(walker->global_auth_tok_key->sem)); 502 + rc = ecryptfs_verify_auth_tok_from_key( 503 + walker->global_auth_tok_key, auth_tok); 504 + if (rc) 505 + goto out_invalid_auth_tok_unlock; 506 + 507 + (*auth_tok_key) = walker->global_auth_tok_key; 508 + key_get(*auth_tok_key); 509 + goto out; 510 } 511 + rc = -ENOENT; 512 + goto out; 513 + out_invalid_auth_tok_unlock: 514 + up_write(&(walker->global_auth_tok_key->sem)); 515 + out_invalid_auth_tok: 516 + printk(KERN_WARNING "Invalidating auth tok with sig = [%s]\n", sig); 517 + walker->flags |= ECRYPTFS_AUTH_TOK_INVALID; 518 + key_put(walker->global_auth_tok_key); 519 + walker->global_auth_tok_key = NULL; 520 out: 521 mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex); 522 return rc; ··· 451 struct ecryptfs_mount_crypt_stat *mount_crypt_stat, 452 char *sig) 453 { 454 int rc = 0; 455 456 + rc = ecryptfs_find_global_auth_tok_for_sig(auth_tok_key, auth_tok, 457 + mount_crypt_stat, sig); 458 + if (rc == -ENOENT) { 459 /* if the flag ECRYPTFS_GLOBAL_MOUNT_AUTH_TOK_ONLY is set in the 460 * mount_crypt_stat structure, we prevent to use auth toks that 461 * are not inserted through the ecryptfs_add_global_auth_tok ··· 470 471 rc = ecryptfs_keyring_auth_tok_for_sig(auth_tok_key, auth_tok, 472 sig); 473 + } 474 return rc; 475 } 476 ··· 531 } 532 s->desc.flags = CRYPTO_TFM_REQ_MAY_SLEEP; 533 (*packet_size) = 0; 534 + rc = ecryptfs_find_auth_tok_for_sig( 535 + &auth_tok_key, 536 + &s->auth_tok, mount_crypt_stat, 537 + mount_crypt_stat->global_default_fnek_sig); 538 + if (rc) { 539 + printk(KERN_ERR "%s: Error attempting to find auth tok for " 540 + "fnek sig [%s]; rc = [%d]\n", __func__, 541 + mount_crypt_stat->global_default_fnek_sig, rc); 542 + goto out; 543 + } 544 rc = ecryptfs_get_tfm_and_mutex_for_cipher_name( 545 &s->desc.tfm, 546 &s->tfm_mutex, mount_crypt_stat->global_default_fn_cipher_name); ··· 616 goto out_free_unlock; 617 } 618 dest[s->i++] = s->cipher_code; 619 /* TODO: Support other key modules than passphrase for 620 * filename encryption */ 621 if (s->auth_tok->token_type != ECRYPTFS_PASSWORD) { ··· 765 out_unlock: 766 mutex_unlock(s->tfm_mutex); 767 out: 768 + if (auth_tok_key) { 769 + up_write(&(auth_tok_key->sem)); 770 key_put(auth_tok_key); 771 + } 772 kfree(s); 773 return rc; 774 } ··· 879 __func__, s->cipher_code); 880 goto out; 881 } 882 + rc = ecryptfs_find_auth_tok_for_sig(&auth_tok_key, 883 + &s->auth_tok, mount_crypt_stat, 884 + s->fnek_sig_hex); 885 + if (rc) { 886 + printk(KERN_ERR "%s: Error attempting to find auth tok for " 887 + "fnek sig [%s]; rc = [%d]\n", __func__, s->fnek_sig_hex, 888 + rc); 889 + goto out; 890 + } 891 rc = ecryptfs_get_tfm_and_mutex_for_cipher_name(&s->desc.tfm, 892 &s->tfm_mutex, 893 s->cipher_string); ··· 925 * >= ECRYPTFS_MAX_IV_BYTES. */ 926 memset(s->iv, 0, ECRYPTFS_MAX_IV_BYTES); 927 s->desc.info = s->iv; 928 /* TODO: Support other key modules than passphrase for 929 * filename encryption */ 930 if (s->auth_tok->token_type != ECRYPTFS_PASSWORD) { ··· 1002 (*filename_size) = 0; 1003 (*filename) = NULL; 1004 } 1005 + if (auth_tok_key) { 1006 + up_write(&(auth_tok_key->sem)); 1007 key_put(auth_tok_key); 1008 + } 1009 kfree(s); 1010 return rc; 1011 } ··· 1520 return rc; 1521 } 1522 1523 int ecryptfs_keyring_auth_tok_for_sig(struct key **auth_tok_key, 1524 struct ecryptfs_auth_tok **auth_tok, 1525 char *sig) ··· 1563 printk(KERN_ERR "Could not find key with description: [%s]\n", 1564 sig); 1565 rc = process_request_key_err(PTR_ERR(*auth_tok_key)); 1566 + (*auth_tok_key) = NULL; 1567 goto out; 1568 } 1569 + down_write(&(*auth_tok_key)->sem); 1570 + rc = ecryptfs_verify_auth_tok_from_key(*auth_tok_key, auth_tok); 1571 if (rc) { 1572 + up_write(&(*auth_tok_key)->sem); 1573 key_put(*auth_tok_key); 1574 (*auth_tok_key) = NULL; 1575 + goto out; 1576 } 1577 out: 1578 return rc; ··· 1809 find_next_matching_auth_tok: 1810 found_auth_tok = 0; 1811 if (auth_tok_key) { 1812 + up_write(&(auth_tok_key->sem)); 1813 key_put(auth_tok_key); 1814 auth_tok_key = NULL; 1815 } ··· 1895 out_wipe_list: 1896 wipe_auth_tok_list(&auth_tok_list); 1897 out: 1898 + if (auth_tok_key) { 1899 + up_write(&(auth_tok_key->sem)); 1900 key_put(auth_tok_key); 1901 + } 1902 return rc; 1903 } 1904 ··· 2324 size_t max) 2325 { 2326 struct ecryptfs_auth_tok *auth_tok; 2327 + struct key *auth_tok_key = NULL; 2328 struct ecryptfs_mount_crypt_stat *mount_crypt_stat = 2329 &ecryptfs_superblock_to_private( 2330 ecryptfs_dentry->d_sb)->mount_crypt_stat; ··· 2343 list_for_each_entry(key_sig, &crypt_stat->keysig_list, 2344 crypt_stat_list) { 2345 memset(key_rec, 0, sizeof(*key_rec)); 2346 + rc = ecryptfs_find_global_auth_tok_for_sig(&auth_tok_key, 2347 + &auth_tok, 2348 mount_crypt_stat, 2349 key_sig->keysig); 2350 if (rc) { 2351 + printk(KERN_WARNING "Unable to retrieve auth tok with " 2352 + "sig = [%s]\n", key_sig->keysig); 2353 + rc = process_find_global_auth_tok_for_sig_err(rc); 2354 goto out_free; 2355 } 2356 if (auth_tok->token_type == ECRYPTFS_PASSWORD) { 2357 rc = write_tag_3_packet((dest_base + (*len)), 2358 &max, auth_tok, ··· 2395 rc = -EINVAL; 2396 goto out_free; 2397 } 2398 + up_write(&(auth_tok_key->sem)); 2399 + key_put(auth_tok_key); 2400 + auth_tok_key = NULL; 2401 } 2402 if (likely(max > 0)) { 2403 dest_base[(*len)] = 0x00; ··· 2407 out: 2408 if (rc) 2409 (*len) = 0; 2410 + if (auth_tok_key) { 2411 + up_write(&(auth_tok_key->sem)); 2412 + key_put(auth_tok_key); 2413 + } 2414 + 2415 mutex_unlock(&crypt_stat->keysig_list_mutex); 2416 return rc; 2417 } ··· 2424 return -ENOMEM; 2425 } 2426 memcpy(new_key_sig->keysig, sig, ECRYPTFS_SIG_SIZE_HEX); 2427 + new_key_sig->keysig[ECRYPTFS_SIG_SIZE_HEX] = '\0'; 2428 /* Caller must hold keysig_list_mutex */ 2429 list_add(&new_key_sig->crypt_stat_list, &crypt_stat->keysig_list); 2430 ··· 2453 mutex_lock(&mount_crypt_stat->global_auth_tok_list_mutex); 2454 list_add(&new_auth_tok->mount_crypt_stat_list, 2455 &mount_crypt_stat->global_auth_tok_list); 2456 mutex_unlock(&mount_crypt_stat->global_auth_tok_list_mutex); 2457 out: 2458 return rc;
+5 -5
fs/ecryptfs/main.c
··· 122 ecryptfs_inode_to_private(ecryptfs_dentry->d_inode); 123 int rc = 0; 124 125 - mutex_lock(&inode_info->lower_file_mutex); 126 if (!inode_info->lower_file) { 127 struct dentry *lower_dentry; 128 struct vfsmount *lower_mnt = ··· 137 inode_info->lower_file = NULL; 138 } 139 } 140 - mutex_unlock(&inode_info->lower_file_mutex); 141 return rc; 142 } 143 ··· 239 struct ecryptfs_mount_crypt_stat *mount_crypt_stat) 240 { 241 struct ecryptfs_global_auth_tok *global_auth_tok; 242 int rc = 0; 243 244 list_for_each_entry(global_auth_tok, 245 &mount_crypt_stat->global_auth_tok_list, 246 mount_crypt_stat_list) { 247 rc = ecryptfs_keyring_auth_tok_for_sig( 248 - &global_auth_tok->global_auth_tok_key, 249 - &global_auth_tok->global_auth_tok, 250 global_auth_tok->sig); 251 if (rc) { 252 printk(KERN_ERR "Could not find valid key in user " ··· 254 "option: [%s]\n", global_auth_tok->sig); 255 global_auth_tok->flags |= ECRYPTFS_AUTH_TOK_INVALID; 256 goto out; 257 - } else 258 global_auth_tok->flags &= ~ECRYPTFS_AUTH_TOK_INVALID; 259 } 260 out: 261 return rc;
··· 122 ecryptfs_inode_to_private(ecryptfs_dentry->d_inode); 123 int rc = 0; 124 125 if (!inode_info->lower_file) { 126 struct dentry *lower_dentry; 127 struct vfsmount *lower_mnt = ··· 138 inode_info->lower_file = NULL; 139 } 140 } 141 return rc; 142 } 143 ··· 241 struct ecryptfs_mount_crypt_stat *mount_crypt_stat) 242 { 243 struct ecryptfs_global_auth_tok *global_auth_tok; 244 + struct ecryptfs_auth_tok *auth_tok; 245 int rc = 0; 246 247 list_for_each_entry(global_auth_tok, 248 &mount_crypt_stat->global_auth_tok_list, 249 mount_crypt_stat_list) { 250 rc = ecryptfs_keyring_auth_tok_for_sig( 251 + &global_auth_tok->global_auth_tok_key, &auth_tok, 252 global_auth_tok->sig); 253 if (rc) { 254 printk(KERN_ERR "Could not find valid key in user " ··· 256 "option: [%s]\n", global_auth_tok->sig); 257 global_auth_tok->flags |= ECRYPTFS_AUTH_TOK_INVALID; 258 goto out; 259 + } else { 260 global_auth_tok->flags &= ~ECRYPTFS_AUTH_TOK_INVALID; 261 + up_write(&(global_auth_tok->global_auth_tok_key)->sem); 262 + } 263 } 264 out: 265 return rc;
+34 -27
fs/ecryptfs/mmap.c
··· 62 { 63 int rc; 64 65 rc = ecryptfs_encrypt_page(page); 66 if (rc) { 67 ecryptfs_printk(KERN_WARNING, "Error encrypting " ··· 82 goto out; 83 } 84 SetPageUptodate(page); 85 - unlock_page(page); 86 out: 87 return rc; 88 } 89 ··· 205 &ecryptfs_inode_to_private(page->mapping->host)->crypt_stat; 206 int rc = 0; 207 208 - if (!crypt_stat 209 - || !(crypt_stat->flags & ECRYPTFS_ENCRYPTED) 210 - || (crypt_stat->flags & ECRYPTFS_NEW_FILE)) { 211 - ecryptfs_printk(KERN_DEBUG, 212 - "Passing through unencrypted page\n"); 213 rc = ecryptfs_read_lower_page_segment(page, page->index, 0, 214 PAGE_CACHE_SIZE, 215 page->mapping->host); ··· 303 struct ecryptfs_crypt_stat *crypt_stat = 304 &ecryptfs_inode_to_private(mapping->host)->crypt_stat; 305 306 - if (!(crypt_stat->flags & ECRYPTFS_ENCRYPTED) 307 - || (crypt_stat->flags & ECRYPTFS_NEW_FILE)) { 308 rc = ecryptfs_read_lower_page_segment( 309 page, index, 0, PAGE_CACHE_SIZE, mapping->host); 310 if (rc) { ··· 381 && (pos != 0)) 382 zero_user(page, 0, PAGE_CACHE_SIZE); 383 out: 384 return rc; 385 } 386 ··· 498 struct ecryptfs_crypt_stat *crypt_stat = 499 &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat; 500 int rc; 501 502 - if (crypt_stat->flags & ECRYPTFS_NEW_FILE) { 503 - ecryptfs_printk(KERN_DEBUG, "ECRYPTFS_NEW_FILE flag set in " 504 - "crypt_stat at memory location [%p]\n", crypt_stat); 505 - crypt_stat->flags &= ~(ECRYPTFS_NEW_FILE); 506 - } else 507 - ecryptfs_printk(KERN_DEBUG, "Not a new file\n"); 508 ecryptfs_printk(KERN_DEBUG, "Calling fill_zeros_to_end_of_page" 509 "(page w/ index = [0x%.16lx], to = [%d])\n", index, to); 510 if (!(crypt_stat->flags & ECRYPTFS_ENCRYPTED)) { ··· 519 "zeros in page with index = [0x%.16lx]\n", index); 520 goto out; 521 } 522 - rc = ecryptfs_encrypt_page(page); 523 - if (rc) { 524 - ecryptfs_printk(KERN_WARNING, "Error encrypting page (upper " 525 - "index [0x%.16lx])\n", index); 526 - goto out; 527 - } 528 if (pos + copied > i_size_read(ecryptfs_inode)) { 529 i_size_write(ecryptfs_inode, pos + copied); 530 ecryptfs_printk(KERN_DEBUG, "Expanded file size to " 531 "[0x%.16llx]\n", 532 (unsigned long long)i_size_read(ecryptfs_inode)); 533 } 534 - rc = ecryptfs_write_inode_size_to_metadata(ecryptfs_inode); 535 - if (rc) 536 - printk(KERN_ERR "Error writing inode size to metadata; " 537 - "rc = [%d]\n", rc); 538 - else 539 - rc = copied; 540 out: 541 - unlock_page(page); 542 page_cache_release(page); 543 return rc; 544 }
··· 62 { 63 int rc; 64 65 + /* 66 + * Refuse to write the page out if we are called from reclaim context 67 + * since our writepage() path may potentially allocate memory when 68 + * calling into the lower fs vfs_write() which may in turn invoke 69 + * us again. 70 + */ 71 + if (current->flags & PF_MEMALLOC) { 72 + redirty_page_for_writepage(wbc, page); 73 + rc = 0; 74 + goto out; 75 + } 76 + 77 rc = ecryptfs_encrypt_page(page); 78 if (rc) { 79 ecryptfs_printk(KERN_WARNING, "Error encrypting " ··· 70 goto out; 71 } 72 SetPageUptodate(page); 73 out: 74 + unlock_page(page); 75 return rc; 76 } 77 ··· 193 &ecryptfs_inode_to_private(page->mapping->host)->crypt_stat; 194 int rc = 0; 195 196 + if (!crypt_stat || !(crypt_stat->flags & ECRYPTFS_ENCRYPTED)) { 197 rc = ecryptfs_read_lower_page_segment(page, page->index, 0, 198 PAGE_CACHE_SIZE, 199 page->mapping->host); ··· 295 struct ecryptfs_crypt_stat *crypt_stat = 296 &ecryptfs_inode_to_private(mapping->host)->crypt_stat; 297 298 + if (!(crypt_stat->flags & ECRYPTFS_ENCRYPTED)) { 299 rc = ecryptfs_read_lower_page_segment( 300 page, index, 0, PAGE_CACHE_SIZE, mapping->host); 301 if (rc) { ··· 374 && (pos != 0)) 375 zero_user(page, 0, PAGE_CACHE_SIZE); 376 out: 377 + if (unlikely(rc)) { 378 + unlock_page(page); 379 + page_cache_release(page); 380 + *pagep = NULL; 381 + } 382 return rc; 383 } 384 ··· 486 struct ecryptfs_crypt_stat *crypt_stat = 487 &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat; 488 int rc; 489 + int need_unlock_page = 1; 490 491 ecryptfs_printk(KERN_DEBUG, "Calling fill_zeros_to_end_of_page" 492 "(page w/ index = [0x%.16lx], to = [%d])\n", index, to); 493 if (!(crypt_stat->flags & ECRYPTFS_ENCRYPTED)) { ··· 512 "zeros in page with index = [0x%.16lx]\n", index); 513 goto out; 514 } 515 + set_page_dirty(page); 516 + unlock_page(page); 517 + need_unlock_page = 0; 518 if (pos + copied > i_size_read(ecryptfs_inode)) { 519 i_size_write(ecryptfs_inode, pos + copied); 520 ecryptfs_printk(KERN_DEBUG, "Expanded file size to " 521 "[0x%.16llx]\n", 522 (unsigned long long)i_size_read(ecryptfs_inode)); 523 + balance_dirty_pages_ratelimited(mapping); 524 + rc = ecryptfs_write_inode_size_to_metadata(ecryptfs_inode); 525 + if (rc) { 526 + printk(KERN_ERR "Error writing inode size to metadata; " 527 + "rc = [%d]\n", rc); 528 + goto out; 529 + } 530 } 531 + rc = copied; 532 out: 533 + if (need_unlock_page) 534 + unlock_page(page); 535 page_cache_release(page); 536 return rc; 537 }
+2 -10
fs/ecryptfs/read_write.c
··· 44 ssize_t rc; 45 46 inode_info = ecryptfs_inode_to_private(ecryptfs_inode); 47 - mutex_lock(&inode_info->lower_file_mutex); 48 BUG_ON(!inode_info->lower_file); 49 - inode_info->lower_file->f_pos = offset; 50 fs_save = get_fs(); 51 set_fs(get_ds()); 52 - rc = vfs_write(inode_info->lower_file, data, size, 53 - &inode_info->lower_file->f_pos); 54 set_fs(fs_save); 55 - mutex_unlock(&inode_info->lower_file_mutex); 56 mark_inode_dirty_sync(ecryptfs_inode); 57 return rc; 58 } ··· 230 mm_segment_t fs_save; 231 ssize_t rc; 232 233 - mutex_lock(&inode_info->lower_file_mutex); 234 BUG_ON(!inode_info->lower_file); 235 - inode_info->lower_file->f_pos = offset; 236 fs_save = get_fs(); 237 set_fs(get_ds()); 238 - rc = vfs_read(inode_info->lower_file, data, size, 239 - &inode_info->lower_file->f_pos); 240 set_fs(fs_save); 241 - mutex_unlock(&inode_info->lower_file_mutex); 242 return rc; 243 } 244
··· 44 ssize_t rc; 45 46 inode_info = ecryptfs_inode_to_private(ecryptfs_inode); 47 BUG_ON(!inode_info->lower_file); 48 fs_save = get_fs(); 49 set_fs(get_ds()); 50 + rc = vfs_write(inode_info->lower_file, data, size, &offset); 51 set_fs(fs_save); 52 mark_inode_dirty_sync(ecryptfs_inode); 53 return rc; 54 } ··· 234 mm_segment_t fs_save; 235 ssize_t rc; 236 237 BUG_ON(!inode_info->lower_file); 238 fs_save = get_fs(); 239 set_fs(get_ds()); 240 + rc = vfs_read(inode_info->lower_file, data, size, &offset); 241 set_fs(fs_save); 242 return rc; 243 } 244
+1 -2
fs/ecryptfs/super.c
··· 55 if (unlikely(!inode_info)) 56 goto out; 57 ecryptfs_init_crypt_stat(&inode_info->crypt_stat); 58 - mutex_init(&inode_info->lower_file_mutex); 59 inode_info->lower_file = NULL; 60 inode = &inode_info->vfs_inode; 61 out: ··· 197 const struct super_operations ecryptfs_sops = { 198 .alloc_inode = ecryptfs_alloc_inode, 199 .destroy_inode = ecryptfs_destroy_inode, 200 - .drop_inode = generic_delete_inode, 201 .statfs = ecryptfs_statfs, 202 .remount_fs = NULL, 203 .evict_inode = ecryptfs_evict_inode,
··· 55 if (unlikely(!inode_info)) 56 goto out; 57 ecryptfs_init_crypt_stat(&inode_info->crypt_stat); 58 inode_info->lower_file = NULL; 59 inode = &inode_info->vfs_inode; 60 out: ··· 198 const struct super_operations ecryptfs_sops = { 199 .alloc_inode = ecryptfs_alloc_inode, 200 .destroy_inode = ecryptfs_destroy_inode, 201 + .drop_inode = generic_drop_inode, 202 .statfs = ecryptfs_statfs, 203 .remount_fs = NULL, 204 .evict_inode = ecryptfs_evict_inode,