* [PATCH v2] fscrypt: use READ_ONCE() to access ->i_crypt_info
@ 2019-04-11 21:32 Eric Biggers
2019-04-16 22:57 ` Theodore Ts'o
0 siblings, 1 reply; 2+ messages in thread
From: Eric Biggers @ 2019-04-11 21:32 UTC (permalink / raw)
To: linux-fscrypt; +Cc: linux-fsdevel
From: Eric Biggers <ebiggers@google.com>
->i_crypt_info starts out NULL and may later be locklessly set to a
non-NULL value by the cmpxchg() in fscrypt_get_encryption_info().
But ->i_crypt_info is used directly, which technically is incorrect.
It's a data race, and it doesn't include the data dependency barrier
needed to safely dereference the pointer on at least one architecture.
Fix this by using READ_ONCE() instead. Note: we don't need to use
smp_load_acquire(), since dereferencing the pointer only requires a data
dependency barrier, which is already included in READ_ONCE(). We also
don't need READ_ONCE() in places where ->i_crypt_info is unconditionally
dereferenced, since it must have already been checked.
Also downgrade the cmpxchg() to cmpxchg_release(), since RELEASE
semantics are sufficient on the write side.
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
This supersedes my earlier patch:
"fscrypt: use proper memory barriers for ->i_crypt_info"
https://patchwork.kernel.org/patch/10858269/
fs/crypto/crypto.c | 2 +-
fs/crypto/fname.c | 4 ++--
fs/crypto/keyinfo.c | 4 ++--
fs/crypto/policy.c | 6 +++---
include/linux/fscrypt.h | 3 ++-
5 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/fs/crypto/crypto.c b/fs/crypto/crypto.c
index 5efc494a4e38f..0988077882574 100644
--- a/fs/crypto/crypto.c
+++ b/fs/crypto/crypto.c
@@ -328,7 +328,7 @@ static int fscrypt_d_revalidate(struct dentry *dentry, unsigned int flags)
spin_lock(&dentry->d_lock);
cached_with_key = dentry->d_flags & DCACHE_ENCRYPTED_WITH_KEY;
spin_unlock(&dentry->d_lock);
- dir_has_key = (d_inode(dir)->i_crypt_info != NULL);
+ dir_has_key = fscrypt_has_encryption_key(d_inode(dir));
dput(dir);
/*
diff --git a/fs/crypto/fname.c b/fs/crypto/fname.c
index 7ff40a73dbece..050384c79f40e 100644
--- a/fs/crypto/fname.c
+++ b/fs/crypto/fname.c
@@ -269,7 +269,7 @@ int fscrypt_fname_disk_to_usr(struct inode *inode,
if (iname->len < FS_CRYPTO_BLOCK_SIZE)
return -EUCLEAN;
- if (inode->i_crypt_info)
+ if (fscrypt_has_encryption_key(inode))
return fname_decrypt(inode, iname, oname);
if (iname->len <= FSCRYPT_FNAME_MAX_UNDIGESTED_SIZE) {
@@ -336,7 +336,7 @@ int fscrypt_setup_filename(struct inode *dir, const struct qstr *iname,
if (ret)
return ret;
- if (dir->i_crypt_info) {
+ if (fscrypt_has_encryption_key(dir)) {
if (!fscrypt_fname_encrypted_size(dir, iname->len,
dir->i_sb->s_cop->max_namelen,
&fname->crypto_buf.len))
diff --git a/fs/crypto/keyinfo.c b/fs/crypto/keyinfo.c
index 34c4682f23bee..82989098b2fc9 100644
--- a/fs/crypto/keyinfo.c
+++ b/fs/crypto/keyinfo.c
@@ -509,7 +509,7 @@ int fscrypt_get_encryption_info(struct inode *inode)
u8 *raw_key = NULL;
int res;
- if (inode->i_crypt_info)
+ if (fscrypt_has_encryption_key(inode))
return 0;
res = fscrypt_initialize(inode->i_sb->s_cop->flags);
@@ -573,7 +573,7 @@ int fscrypt_get_encryption_info(struct inode *inode)
if (res)
goto out;
- if (cmpxchg(&inode->i_crypt_info, NULL, crypt_info) == NULL)
+ if (cmpxchg_release(&inode->i_crypt_info, NULL, crypt_info) == NULL)
crypt_info = NULL;
out:
if (res == -ENOKEY)
diff --git a/fs/crypto/policy.c b/fs/crypto/policy.c
index bd7eaf9b3f003..d536889ac31bf 100644
--- a/fs/crypto/policy.c
+++ b/fs/crypto/policy.c
@@ -194,8 +194,8 @@ int fscrypt_has_permitted_context(struct inode *parent, struct inode *child)
res = fscrypt_get_encryption_info(child);
if (res)
return 0;
- parent_ci = parent->i_crypt_info;
- child_ci = child->i_crypt_info;
+ parent_ci = READ_ONCE(parent->i_crypt_info);
+ child_ci = READ_ONCE(child->i_crypt_info);
if (parent_ci && child_ci) {
return memcmp(parent_ci->ci_master_key_descriptor,
@@ -246,7 +246,7 @@ int fscrypt_inherit_context(struct inode *parent, struct inode *child,
if (res < 0)
return res;
- ci = parent->i_crypt_info;
+ ci = READ_ONCE(parent->i_crypt_info);
if (ci == NULL)
return -ENOKEY;
diff --git a/include/linux/fscrypt.h b/include/linux/fscrypt.h
index 02c3e320f5b3f..48145beedaa7f 100644
--- a/include/linux/fscrypt.h
+++ b/include/linux/fscrypt.h
@@ -79,7 +79,8 @@ struct fscrypt_ctx {
static inline bool fscrypt_has_encryption_key(const struct inode *inode)
{
- return (inode->i_crypt_info != NULL);
+ /* pairs with cmpxchg_release() in fscrypt_get_encryption_info() */
+ return READ_ONCE(inode->i_crypt_info) != NULL;
}
static inline bool fscrypt_dummy_context_enabled(struct inode *inode)
--
2.21.0.392.gf8f6787159e-goog
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH v2] fscrypt: use READ_ONCE() to access ->i_crypt_info
2019-04-11 21:32 [PATCH v2] fscrypt: use READ_ONCE() to access ->i_crypt_info Eric Biggers
@ 2019-04-16 22:57 ` Theodore Ts'o
0 siblings, 0 replies; 2+ messages in thread
From: Theodore Ts'o @ 2019-04-16 22:57 UTC (permalink / raw)
To: Eric Biggers; +Cc: linux-fscrypt, linux-fsdevel
On Thu, Apr 11, 2019 at 02:32:15PM -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
>
> ->i_crypt_info starts out NULL and may later be locklessly set to a
> non-NULL value by the cmpxchg() in fscrypt_get_encryption_info().
>
> But ->i_crypt_info is used directly, which technically is incorrect.
> It's a data race, and it doesn't include the data dependency barrier
> needed to safely dereference the pointer on at least one architecture.
>
> Fix this by using READ_ONCE() instead. Note: we don't need to use
> smp_load_acquire(), since dereferencing the pointer only requires a data
> dependency barrier, which is already included in READ_ONCE(). We also
> don't need READ_ONCE() in places where ->i_crypt_info is unconditionally
> dereferenced, since it must have already been checked.
>
> Also downgrade the cmpxchg() to cmpxchg_release(), since RELEASE
> semantics are sufficient on the write side.
>
> Signed-off-by: Eric Biggers <ebiggers@google.com>
Looks good, applied.
- Ted
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2019-04-16 22:57 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-04-11 21:32 [PATCH v2] fscrypt: use READ_ONCE() to access ->i_crypt_info Eric Biggers
2019-04-16 22:57 ` Theodore Ts'o
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).