From: Boris Burkov <boris@bur.io>
To: linux-btrfs@vger.kernel.org, kernel-team@fb.com,
linux-fscrypt@vger.kernel.org,
'Eric Biggers ' <ebiggers@kernel.org>
Subject: [PATCH v2 5/5] btrfs: verity metadata orphan items
Date: Fri, 5 Mar 2021 11:26:33 -0800 [thread overview]
Message-ID: <8c3aaea8cde506ff5d75a7dcc77263213a3659e6.1614971203.git.boris@bur.io> (raw)
In-Reply-To: <cover.1614971203.git.boris@bur.io>
If we don't finish creating fsverity metadata for a file, or fail to
clean up already created metadata after a failure, we could leak the
verity items.
To address this issue, we use the orphan mechanism. When we start
enabling verity on a file, we also add an orphan item for that inode.
When we are finished, we delete the orphan. However, if we are
interrupted midway, the orphan will be present at mount and we can
cleanup the half-formed verity state.
One thing to note is that this is a resurrection of using orphans to
signal orphaned metadata that isn't the inode itself. This makes the
comment discussing deprecating that concept a bit messy in full context.
Signed-off-by: Boris Burkov <boris@bur.io>
---
fs/btrfs/inode.c | 15 +++++++--
fs/btrfs/verity.c | 80 +++++++++++++++++++++++++++++++++++++++++------
2 files changed, 83 insertions(+), 12 deletions(-)
diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
index 9291f6633bc6..7c00863ba8a3 100644
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -3419,7 +3419,9 @@ int btrfs_orphan_cleanup(struct btrfs_root *root)
/*
* If we have an inode with links, there are a couple of
- * possibilities. Old kernels (before v3.12) used to create an
+ * possibilities:
+ *
+ * 1. Old kernels (before v3.12) used to create an
* orphan item for truncate indicating that there were possibly
* extent items past i_size that needed to be deleted. In v3.12,
* truncate was changed to update i_size in sync with the extent
@@ -3432,13 +3434,22 @@ int btrfs_orphan_cleanup(struct btrfs_root *root)
* slim, and it's a pain to do the truncate now, so just delete
* the orphan item.
*
+ * 2. We were halfway through creating fsverity metadata for the
+ * file. In that case, the orphan item represents incomplete
+ * fsverity metadata which must be cleaned up with
+ * btrfs_drop_verity_items.
+ *
* It's also possible that this orphan item was supposed to be
* deleted but wasn't. The inode number may have been reused,
* but either way, we can delete the orphan item.
*/
if (ret == -ENOENT || inode->i_nlink) {
- if (!ret)
+ if (!ret) {
+ ret = btrfs_drop_verity_items(BTRFS_I(inode));
iput(inode);
+ if (ret)
+ goto out;
+ }
trans = btrfs_start_transaction(root, 1);
if (IS_ERR(trans)) {
ret = PTR_ERR(trans);
diff --git a/fs/btrfs/verity.c b/fs/btrfs/verity.c
index 648bda5a3716..b677288db411 100644
--- a/fs/btrfs/verity.c
+++ b/fs/btrfs/verity.c
@@ -350,6 +350,60 @@ static ssize_t read_key_bytes(struct btrfs_inode *inode, u8 key_type, u64 offset
return ret;
}
+static int add_orphan(struct btrfs_inode *inode)
+{
+ struct btrfs_trans_handle *trans;
+ struct btrfs_root *root = inode->root;
+ int ret = 0;
+
+ trans = btrfs_start_transaction(root, 1);
+ if (IS_ERR(trans)) {
+ ret = PTR_ERR(trans);
+ goto out;
+ }
+ ret = btrfs_orphan_add(trans, inode);
+ if (ret) {
+ btrfs_abort_transaction(trans, ret);
+ goto out;
+ }
+ btrfs_end_transaction(trans);
+
+out:
+ return ret;
+}
+
+static int del_orphan(struct btrfs_inode *inode)
+{
+ struct btrfs_trans_handle *trans;
+ struct btrfs_root *root = inode->root;
+ int ret;
+
+ trans = btrfs_start_transaction(root, 1);
+ if (IS_ERR(trans))
+ return PTR_ERR(trans);
+
+ ret = btrfs_del_orphan_item(trans, root, btrfs_ino(inode));
+ if (ret) {
+ btrfs_abort_transaction(trans, ret);
+ goto out;
+ }
+ btrfs_end_transaction(trans);
+
+out:
+ return ret;
+}
+
+int btrfs_drop_verity_items(struct btrfs_inode *inode)
+{
+ int ret;
+
+ ret = drop_verity_items(inode, BTRFS_VERITY_DESC_ITEM_KEY);
+ if (ret)
+ return ret;
+
+ return drop_verity_items(inode, BTRFS_VERITY_MERKLE_ITEM_KEY);
+}
+
/*
* fsverity op that begins enabling verity.
* fsverity calls this to ask us to setup the inode for enabling. We
@@ -363,17 +417,13 @@ static int btrfs_begin_enable_verity(struct file *filp)
if (test_bit(BTRFS_INODE_VERITY_IN_PROGRESS, &BTRFS_I(inode)->runtime_flags))
return -EBUSY;
- /*
- * ext4 adds the inode to the orphan list here, presumably because the
- * truncate done at orphan processing time will delete partial
- * measurements. TODO: setup orphans
- */
set_bit(BTRFS_INODE_VERITY_IN_PROGRESS, &BTRFS_I(inode)->runtime_flags);
- ret = drop_verity_items(BTRFS_I(inode), BTRFS_VERITY_DESC_ITEM_KEY);
+
+ ret = btrfs_drop_verity_items(BTRFS_I(inode));
if (ret)
goto err;
- ret = drop_verity_items(BTRFS_I(inode), BTRFS_VERITY_MERKLE_ITEM_KEY);
+ ret = add_orphan(BTRFS_I(inode));
if (ret)
goto err;
@@ -400,6 +450,7 @@ static int btrfs_end_enable_verity(struct file *filp, const void *desc,
struct btrfs_root *root = BTRFS_I(inode)->root;
struct btrfs_verity_descriptor_item item;
int ret;
+ int keep_orphan = 0;
if (desc != NULL) {
/* write out the descriptor item */
@@ -431,11 +482,20 @@ static int btrfs_end_enable_verity(struct file *filp, const void *desc,
out:
if (desc == NULL || ret) {
- /* If we failed, drop all the verity items */
- drop_verity_items(BTRFS_I(inode), BTRFS_VERITY_DESC_ITEM_KEY);
- drop_verity_items(BTRFS_I(inode), BTRFS_VERITY_MERKLE_ITEM_KEY);
+ /*
+ * If verity failed (here or in the generic code), drop all the
+ * verity items.
+ */
+ keep_orphan = btrfs_drop_verity_items(BTRFS_I(inode));
} else
btrfs_set_fs_compat_ro(root->fs_info, VERITY);
+ /*
+ * If we are handling an error, but failed to drop the verity items,
+ * we still need the orphan.
+ */
+ if (!keep_orphan)
+ del_orphan(BTRFS_I(inode));
+
clear_bit(BTRFS_INODE_VERITY_IN_PROGRESS, &BTRFS_I(inode)->runtime_flags);
return ret;
}
--
2.24.1
next prev parent reply other threads:[~2021-03-05 19:27 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-05 19:26 [PATCH v2 0/5] btrfs: support fsverity Boris Burkov
2021-03-05 19:26 ` [PATCH v2 1/5] btrfs: add compat_flags to btrfs_inode_item Boris Burkov
2021-03-15 23:07 ` Eric Biggers
2021-03-15 23:29 ` Boris Burkov
2021-03-05 19:26 ` [PATCH v2 2/5] btrfs: initial fsverity support Boris Burkov
2021-03-07 7:13 ` kernel test robot
2021-03-15 23:17 ` Eric Biggers
2021-03-16 0:42 ` Boris Burkov
2021-03-16 0:57 ` Eric Biggers
2021-03-16 18:44 ` Eric Biggers
2021-03-05 19:26 ` [PATCH v2 3/5] btrfs: check verity for reads of inline extents and holes Boris Burkov
2021-03-05 19:26 ` [PATCH v2 4/5] btrfs: fallback to buffered io for verity files Boris Burkov
2021-03-05 19:26 ` Boris Burkov [this message]
2021-03-15 23:09 ` [PATCH v2 0/5] btrfs: support fsverity Eric Biggers
2021-03-15 23:47 ` Boris Burkov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8c3aaea8cde506ff5d75a7dcc77263213a3659e6.1614971203.git.boris@bur.io \
--to=boris@bur.io \
--cc=ebiggers@kernel.org \
--cc=kernel-team@fb.com \
--cc=linux-btrfs@vger.kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).