1. 11 Oct, 2020 3 commits
  2. 24 Sep, 2020 1 commit
  3. 02 Aug, 2020 1 commit
  4. 19 Jan, 2020 1 commit
    • ubifs: Fix memory leak from c->sup_node · ff90bdfb
      Quanyang Wang authored
      The c->sup_node is allocated in function ubifs_read_sb_node but
      is not freed. This will cause memory leak as below:
      
      unreferenced object 0xbc9ce000 (size 4096):
        comm "mount", pid 500, jiffies 4294952946 (age 315.820s)
        hex dump (first 32 bytes):
          31 18 10 06 06 7b f1 11 02 00 00 00 00 00 00 00  1....{..........
          00 10 00 00 06 00 00 00 00 00 00 00 08 00 00 00  ................
        backtrace:
          [<d1c503cd>] ubifs_read_superblock+0x48/0xebc
          [<a20e14bd>] ubifs_mount+0x974/0x1420
          [<8589ecc3>] legacy_get_tree+0x2c/0x50
          [<5f1fb889>] vfs_get_tree+0x28/0xfc
          [<bbfc7939>] do_mount+0x4f8/0x748
          [<4151f538>] ksys_mount+0x78/0xa0
          [<d59910a9>] ret_fast_syscall+0x0/0x54
          [<1cc40005>] 0x7ea02790
      
      Free it in ubifs_umount and in the error path of mount_ubifs.
      
      Fixes: fd615005 ("ubifs: Store read superblock node")
      Signed-off-by: Quanyang Wang <quanyang.wang@windriver.com>
      Signed-off-by: Richard Weinberger <richard@nod.at>
  5. 17 Nov, 2019 1 commit
  6. 15 Sep, 2019 1 commit
  7. 22 Aug, 2019 1 commit
    • ubifs: Correctly initialize c->min_log_bytes · 377e208f
      Richard Weinberger authored
      Currently on a freshly mounted UBIFS, c->min_log_bytes is 0.
      This can lead to a log overrun and make commits fail.
      
      Recent kernels will report the following assert:
      UBIFS assert failed: c->lhead_lnum != c->ltail_lnum, in fs/ubifs/log.c:412
      
      c->min_log_bytes can have two states, 0 and c->leb_size.
      It controls how many bytes of the log area are reserved for non-bud
      nodes such as commit nodes.
      
      After a commit it has to be set to c->leb_size such that we have always
      enough space for a commit. While a commit runs it can be 0 to make the
      remaining bytes of the log available to writers.
      
      Having it set to 0 right after mount is wrong since no space for commits
      is reserved.
      
      Fixes: 1e51764a ("UBIFS: add new flash file system")
      Reported-and-tested-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
      Signed-off-by: Richard Weinberger <richard@nod.at>
  8. 13 Aug, 2019 1 commit
    • ubifs: wire up new fscrypt ioctls · 62de2592
      Eric Biggers authored
      
      Wire up the new ioctls for adding and removing fscrypt keys to/from the
      filesystem, and the new ioctl for retrieving v2 encryption policies.
      
      The key removal ioctls also required making UBIFS use
      fscrypt_drop_inode().
      
      For more details see Documentation/filesystems/fscrypt.rst and the
      fscrypt patches that added the implementation of these ioctls.
      Reviewed-by: Theodore Ts'o <tytso@mit.edu>
      Signed-off-by: Eric Biggers <ebiggers@google.com>
  9. 08 Jul, 2019 3 commits
    • ubifs: Add support for zstd compression. · eeabb986
      Michele Dionisio authored
      
      zstd shows a good compression rate and is faster than lzo,
      also on slow ARM cores.
      
      Cc: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
      Signed-off-by: Michele Dionisio <michele.dionisio@gmail.com>
      [rw: rewrote commit message]
      Signed-off-by: Richard Weinberger <richard@nod.at>
    • ubifs: support offline signed images · 817aa094
      Sascha Hauer authored
      
      HMACs can only be generated on the system the UBIFS image is running on.
      To support offline signed images we add a PKCS#7 signature to the UBIFS
      image which can be created by mkfs.ubifs.
      
      Both the master node and the superblock need to be authenticated, during
      normal runtime both are protected with HMACs. For offline signature
      support however only a single signature is desired. We add a signature
      covering the superblock node directly behind it. To protect the master
      node a hash of the master node is added to the superblock which is used
      when the master node doesn't contain a HMAC.
      
      Transition to a read/write filesystem is also supported. During
      transition first the master node is rewritten with a HMAC (implicitly,
      it is written anyway as the FS is marked dirty). Afterwards the
      superblock is rewritten with a HMAC. Once the image has been mounted
      read/write it is HMAC only; the signature is no longer required or even
      present on the filesystem.
      
      In an offline signed image the master node is authenticated by the
      superblock. In a transition to r/w we have to make sure that the master
      node is rewritten before the superblock node. In this case the master
      node gets a HMAC and its authenticity no longer depends on the
      superblock node. There are some cases in which the current code first
      writes the superblock node though, so with this patch writing of the
      superblock node is delayed until the master node is written.
      Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
      Signed-off-by: Richard Weinberger <richard@nod.at>
    • ubifs: Simplify redundant code · d5cf9473
      Liu Song authored
      
      cbuf's size can be simply assigned.
      Signed-off-by: Liu Song <liu.song11@zte.com.cn>
      Reviewed-by: Jiang Biao <jiang.biao2@zte.com.cn>
      Signed-off-by: Richard Weinberger <richard@nod.at>
  10. 03 Jul, 2019 1 commit
  11. 05 Jun, 2019 1 commit
    • treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 336 · 2b27bdcc
      Thomas Gleixner authored
      
      Based on 1 normalized pattern(s):
      
        this program is free software you can redistribute it and or modify
        it under the terms of the gnu general public license version 2 as
        published by the free software foundation this program is
        distributed in the hope that it will be useful but without any
        warranty without even the implied warranty of merchantability or
        fitness for a particular purpose see the gnu general public license
        for more details you should have received a copy of the gnu general
        public license along with this program if not write to the free
        software foundation inc 51 franklin st fifth floor boston ma 02110
        1301 usa
      
      extracted by the scancode license scanner the SPDX license identifier
      
        GPL-2.0-only
      
      has been chosen to replace the boilerplate/reference in 246 file(s).
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Reviewed-by: Alexios Zavras <alexios.zavras@intel.com>
      Reviewed-by: Allison Randal <allison@...
  12. 07 May, 2019 3 commits
  13. 02 May, 2019 1 commit
  14. 17 Apr, 2019 1 commit
    • fscrypt: cache decrypted symlink target in ->i_link · 2c58d548
      Eric Biggers authored
      
      Path lookups that traverse encrypted symlink(s) are very slow because
      each encrypted symlink needs to be decrypted each time it's followed.
      This also involves dropping out of rcu-walk mode.
      
      Make encrypted symlinks faster by caching the decrypted symlink target
      in ->i_link.  The first call to fscrypt_get_symlink() sets it.  Then,
      the existing VFS path lookup code uses the non-NULL ->i_link to take the
      fast path where ->get_link() isn't called, and lookups in rcu-walk mode
      remain in rcu-walk mode.
      
      Also set ->i_link immediately when a new encrypted symlink is created.
      
      To safely free the symlink target after an RCU grace period has elapsed,
      introduce a new function fscrypt_free_inode(), and make the relevant
      filesystems call it just before actually freeing the inode.
      
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Theodore Ts'o <tytso@mit.edu>
  15. 01 Apr, 2019 1 commit
  16. 24 Jan, 2019 1 commit
  17. 23 Oct, 2018 5 commits
    • ubifs: Enable authentication support · d8a22773
      Sascha Hauer authored
      
      With the preparations all being done this patch now enables authentication
      support for UBIFS. Authentication is enabled when the newly introduced
      auth_key and auth_hash_name mount options are passed. auth_key provides
      the key which is used for authentication whereas auth_hash_name provides
      the hashing algorithm used for this FS. Passing these options makes
      authentication mandatory and only UBIFS images that can be authenticated
      with the given key are allowed.
      Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
      Signed-off-by: Richard Weinberger <richard@nod.at>
    • ubifs: Do not update inode size in-place in authenticated mode · 1e76592f
      Sascha Hauer authored
      
      In authenticated mode we cannot fixup the inode sizes in-place
      during recovery as this would invalidate the hashes and HMACs
      we stored for this inode.
      
      Instead, we just write the updated inodes to the journal. We can
      only do this after ubifs_rcvry_gc_commit() is done though, so for
      authenticated mode call ubifs_recover_size() after
      ubifs_rcvry_gc_commit() and not vice versa as normally done.
      
      Calling ubifs_recover_size() after ubifs_rcvry_gc_commit() has the
      drawback that after a commit the size fixup information is gone, so
      when a powercut happens while recovering from another powercut
      we may lose some data written right before the first powercut.
      This is why we only do this in authenticated mode and leave the
      behaviour for unauthenticated mode untouched.
      Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
      Signed-off-by: Richard Weinberger <richard@nod.at>
    • ubifs: Add authentication nodes to journal · 6a98bc46
      Sascha Hauer authored
      
      Nodes that are written to flash can only be authenticated through the
      index after the next commit. When a journal replay is necessary the
      nodes are not yet referenced by the index and thus can't be
      authenticated.
      
      This patch overcomes this situation by creating a hash over all nodes
      beginning from the commit start node over the reference node(s) and
      the buds themselves. From
      time to time we insert authentication nodes. Authentication nodes
      contain a HMAC from the current hash state, so that they can be
      used to authenticate a journal replay up to the point where the
      authentication node is. The hash is continued afterwards
      so that theoretically we would only have to check the HMAC of
      the last authentication node we find.
      
      Overall we get this picture:
      
      ,,,,,,,,
      ,......,...........................................
      ,. CS  ,               hash1.----.           hash2.----.
      ,.  |  ,                    .    |hmac            .    |hmac
      ,.  v  ,                    .    v                .    v
      ,.REF#0,-> bud -> bud -> bud.-> auth -> bud -> bud.-> auth ...
      ,..|...,...........................................
      ,  |   ,
      ,  |   ,,,,,,,,,,,,,,,
      .  |            hash3,----.
      ,  |                 ,    |hmac
      ,  v                 ,    v
      , REF#1 -> bud -> bud,-> auth ...
      ,,,|,,,,,,,,,,,,,,,,,,
         v
        REF#2 -> ...
         |
         V
        ...
      
      Note how hash3 covers CS, REF#0 and REF#1 so that it is not possible to
      exchange or skip any reference nodes. Unlike the picture suggests the
      auth nodes themselves are not hashed.
      
      With this it is possible for an offline attacker to cut each journal
      head or to drop the last reference node(s), but not to skip any journal
      heads or to reorder any operations.
      Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
      Signed-off-by: Richard Weinberger <richard@nod.at>
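      As an added illustration of the scheme this commit describes (example code written for this page, not UBIFS code), the following is a simplified Python model of the journal hash chain with authentication nodes. It assumes SHA-256 in place of the configured hash, a constructed key in place of auth_key, and a flat list of (kind, payload) tuples in place of real on-flash nodes; its replay shows that reordering buds or skipping a whole journal head is caught at the next authentication node, while buds written after the last authentication node are simply not trusted.

```python
import hashlib
import hmac

# Constructed demo key; in UBIFS the key comes from the auth_key mount option.
KEY = b"constructed-demo-key"

def chain(state, node):
    # Extend the running hash by one node (SHA-256 stands in for auth_hash_name).
    return hashlib.sha256(state + node).digest()

def auth_mac(state):
    # An authentication node carries an HMAC over the current hash state.
    return hmac.new(KEY, state, hashlib.sha256).digest()

def build_journal(heads, auth_every=2):
    """Lay out a journal as (kind, payload) tuples: the CS node, then per head
    its REF node, its buds, and an auth node after every `auth_every` buds.
    `heads` is a list of bud-payload lists, one list per journal head."""
    journal = [("cs", b"CS")]
    ref_state = chain(b"", b"CS")
    for i, buds in enumerate(heads):
        ref = b"REF#%d" % i
        ref_state = chain(ref_state, ref)  # covers CS and every REF so far
        journal.append(("ref", ref))
        state = ref_state
        for n, bud in enumerate(buds, 1):
            journal.append(("bud", bud))
            state = chain(state, bud)
            if n % auth_every == 0:
                # Auth nodes are not themselves fed into the hash.
                journal.append(("auth", auth_mac(state)))
    return journal

def replay(journal):
    """Replay the journal and return (authenticated buds, status). Buds are
    trusted only once an auth node whose HMAC matches the recomputed running
    hash has been seen; buds after the last auth node of a head are dropped."""
    ref_state = state = b""
    verified, pending, dropped = [], [], 0
    for kind, payload in journal:
        if kind == "cs":
            ref_state = chain(b"", payload)
        elif kind == "ref":
            dropped += len(pending)  # unauthenticated tail of the previous head
            pending = []
            ref_state = chain(ref_state, payload)
            state = ref_state
        elif kind == "bud":
            pending.append(payload)
            state = chain(state, payload)
        elif kind == "auth":
            if not hmac.compare_digest(payload, auth_mac(state)):
                return verified, "hmac mismatch"
            verified.extend(pending)
            pending = []
    dropped += len(pending)
    if dropped:
        return verified, "dropped %d unauthenticated tail bud(s)" % dropped
    return verified, "ok"
```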
    • ubifs: Format changes for authentication support · 5125cfdf
      Sascha Hauer authored
      
      This patch adds the changes to the on disk format needed for
      authentication support. We'll add:
      
      * a HMAC covering super block node
      * a HMAC covering the master node
      * a hash over the root index node to the master node
      * a hash over the LPT to the master node
      * a flag to the filesystem flags indicating the filesystem is
        authenticated
      * an authentication node necessary to authenticate the nodes written
        to the journal heads while they are written.
      * a HMAC of a well known message to the super block node to be able
        to check if the correct key is provided
      
      And finally, not visible in this patch, nevertheless explained here:
      
      * hashes over the referenced child nodes in each branch of an index node
      Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
      Signed-off-by: Richard Weinberger <richard@nod.at>
    • ubifs: Store read superblock node · fd615005
      Sascha Hauer authored
      
      The superblock node is read/modified/written several times throughout
      the UBIFS code. Instead of reading it from the device each time just
      keep a copy in memory and write back the modified copy when necessary.
      This patch helps for authentication support, here we not only have to
      read the superblock node, but also have to authenticate it, which
      is easier if we do it once during initialization.
      Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
      Signed-off-by: Richard Weinberger <richard@nod.at>
  18. 13 Oct, 2018 1 commit
  19. 20 Sep, 2018 2 commits
    • ubifs: drop false positive assertion · d3bdc016
      Sascha Hauer authored
      
      The following sequence triggers
      
      	ubifs_assert(c, c->lst.taken_empty_lebs > 0);
      
      at the end of ubifs_remount_fs():
      
      mount -t ubifs /dev/ubi0_0 /mnt
      echo 1 > /sys/kernel/debug/ubifs/ubi0_0/ro_error
      umount /mnt
      mount -t ubifs -o ro /dev/ubix_y /mnt
      mount -o remount,ro /mnt
      
      The resulting
      
      UBIFS assert failed in ubifs_remount_fs at 1878 (pid 161)
      
      is a false positive. In the case above c->lst.taken_empty_lebs has
      never been changed from its initial zero value. This will only happen
      when the deferred recovery is done.
      
      Fix this by doing the assertion only when recovery has been done
      already.
      Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
      Signed-off-by: Richard Weinberger <richard@nod.at>
    • ubifs: Check for name being NULL while mounting · 37f31b6c
      Richard Weinberger authored
      The requested device name can be NULL or an empty string.
      Check for that and refuse to continue. UBIFS has to do this manually
      since we cannot use mount_bdev(), which checks for this condition.
      
      Fixes: 1e51764a ("UBIFS: add new flash file system")
      Reported-by: syzbot+38bd0f7865e5c6379280@syzkaller.appspotmail.com
      Signed-off-by: Richard Weinberger <richard@nod.at>
  20. 14 Aug, 2018 5 commits
  21. 12 Jun, 2018 1 commit
    • treewide: kmalloc() -> kmalloc_array() · 6da2ec56
      Kees Cook authored
      The kmalloc() function has a 2-factor argument form, kmalloc_array(). This
      patch replaces cases of:
      
              kmalloc(a * b, gfp)
      
      with:
              kmalloc_array(a, b, gfp)
      
      as well as handling cases of:
      
              kmalloc(a * b * c, gfp)
      
      with:
      
              kmalloc(array3_size(a, b, c), gfp)
      
      as it's slightly less ugly than:
      
              kmalloc_array(array_size(a, b), c, gfp)
      
      This does, however, attempt to ignore constant size factors like:
      
              kmalloc(4 * 1024, gfp)
      
      though any constants defined via macros get caught up in the conversion.
      
      Any factors with a sizeof() of "unsigned char", "char", and "u8" were
      dropped, since they're redundant.
      
      The tools/ directory was manually excluded, since it has its own
      implementation of kmalloc().
      
      The Coccinelle script used for this was:
      
      // Fix redundant parens around sizeof().
      @@
      type TYPE;
      expression THING, E;
      @@
      
      (
        kmalloc(
      -	(sizeof(TYPE)) * E
      +	sizeof(TYPE) * E
        , ...)
      |
        kmalloc(
      -	(sizeof(THING)) * E
      +	sizeof(THING) * E
      ...
  22. 04 Apr, 2018 1 commit
  23. 12 Jan, 2018 1 commit
  24. 27 Nov, 2017 1 commit
    • Rename superblock flags (MS_xyz -> SB_xyz) · 1751e8a6
      Linus Torvalds authored
      
      This is a pure automated search-and-replace of the internal kernel
      superblock flags.
      
      The s_flags are now called SB_*, with the names and the values for the
      moment mirroring the MS_* flags that they're equivalent to.
      
      Note how the MS_xyz flags are the ones passed to the mount system call,
      while the SB_xyz flags are what we then use in sb->s_flags.
      
      The script to do this was:
      
          # places to look in; re security/*: it generally should *not* be
          # touched (that stuff parses mount(2) arguments directly), but
          # there are two places where we really deal with superblock flags.
          FILES="drivers/mtd drivers/staging/lustre fs ipc mm \
                  include/linux/fs.h include/uapi/linux/bfs_fs.h \
                  security/apparmor/apparmorfs.c security/apparmor/include/lib.h"
          # the list of MS_... constants
          SYMS="RDONLY NOSUID NODEV NOEXEC SYNCHRONOUS REMOUNT MANDLOCK \
                DIRSYNC NOATIME NODIRATIME BIND MOVE REC VERBOSE SILENT \
                POSIXACL UNBINDABLE PRIVATE SLAVE SHARED RELATIME KERNMOUNT \
                I_VERSION STRICTATIME LAZYTIME SUBMOUNT NOREMOTELOCK NOSEC BORN \
                ACTIVE NOUSER"
      
          SED_PROG=
          for i in $SYMS; do SED_PROG="$SED_PROG -e s/MS_$i/SB_$i/g"; done
      
          # we want files that contain at least one of MS_...,
          # with fs/namespace.c and fs/pnode.c excluded.
          L=$(for i in $SYMS; do git grep -w -l MS_$i $FILES; done| sort|uniq|grep -v '^fs/namespace.c'|grep -v '^fs/pnode.c')
      
          for f in $L; do sed -i $f $SED_PROG; done
      Requested-by: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  25. 18 Oct, 2017 1 commit