Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp2548421pxj; Mon, 10 May 2021 05:41:28 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzQYD/lJYE1QrJ1lVErW/9j/sfz6ZQ/B6KCb3URYntP8iCXee8PT50DwbAWMUQi1KrWLepr X-Received: by 2002:a6b:c889:: with SMTP id y131mr17927866iof.196.1620650488741; Mon, 10 May 2021 05:41:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620650488; cv=none; d=google.com; s=arc-20160816; b=gC/rcLu0VreOUfm7q1t4nmBW6JVx+RROODgEa8nnRf64B/RVwNwVHhiZb/6c0sy8z0 gTm3h2sJlEBviLmwTiF7X+w0SXijl6hZB3c8gtiF1XjmFJLVZSHUJKs5NfAw+P2Ifjm2 f8jqOA1IaTGip73E0x0eg3dIBoHCHJG5h7wQfx7cIUpecXRGRN+zV3XTzagWtueQnYv0 2oVxDMYZ5VR3RcP9WpzkR47HK5u+uxdduwbopj9u8NMCghYyRlR/IEG8T4bJ4uyI930I WeEz33FwsBtYNUfDtgfd5CPSQR5AQ8uK++ZjwL2VQI1eeNiJy2r4xa7pKkRCuGH6I6yD Dtug== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=RLCw3FXj2cL103IihOA9p4YEth8TPHlR2T/PZvMM6Ng=; b=vaiisJpD1VrQRM6GbggwwFh6NXw5fZXlnyfQHIrLp/HdLgZixGCCxcNrVWuWUAGkOK 5/7yUpOoTLqPntX94Oz/SrB344NIqKSTLNWcBTwcdRzjolnCSTW3sFKoIEwOO3qqylUF 6XJjVmFQApHSVX4lKFje5yIyWPwK2SfMBG63sLFgnpTvcti7uTsmaSEFWDnsMZWU/oJW SXn4SBj4K2NIlzDly7h6oG6gmNNnaczirTb8fyhOkp1daM+3z+fDkMmjj2hHEVSG/V2d DXPH6BHqVN8pZJFhCnIQ9Ft00wjw+UYlNGO9gr86G0FgFjG3YHrHaoUhsFmVrcc0lrmi X8OQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=g6sTzlgS; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id j24si15732712jad.22.2021.05.10.05.41.16; Mon, 10 May 2021 05:41:28 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=g6sTzlgS; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1347050AbhEJMdM (ORCPT + 99 others); Mon, 10 May 2021 08:33:12 -0400 Received: from mail.kernel.org ([198.145.29.99]:46932 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231923AbhEJLLw (ORCPT ); Mon, 10 May 2021 07:11:52 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 7FBBF61934; Mon, 10 May 2021 11:09:18 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1620644959; bh=2Ew7SdvYxcFLa2uDXttS0jcue6Vsq8HnzaliefXOdWo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=g6sTzlgSPOtUXmqi+wKJdRATES9+zn4cymloVk6t5ZYhT4MfMaaJGu3Vo2d2KyyNO eh0yGFLK2RXsp9zCFss7jqtL0dK/5leX3JaZzMfOF2wSGEACDLkKDPsHjXHxlRPwYL X6o6JWchI8+ideIR+MFBfU92Hgk0tO1fg5KuXhMQ= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Yunlei He , Eric Biggers , Chao Yu , Jaegeuk Kim Subject: [PATCH 5.12 292/384] f2fs: fix error handling in f2fs_end_enable_verity() Date: Mon, 10 May 2021 12:21:21 +0200 Message-Id: <20210510102024.441556397@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210510102014.849075526@linuxfoundation.org> References: <20210510102014.849075526@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Eric Biggers commit 3c0315424f5e3d2a4113c7272367bee1e8e6a174 upstream. f2fs didn't properly clean up if verity failed to be enabled on a file: - It left verity metadata (pages past EOF) in the page cache, which would be exposed to userspace if the file was later extended. - It didn't truncate the verity metadata at all (either from cache or from disk) if an error occurred while setting the verity bit. Fix these bugs by adding a call to truncate_inode_pages() and ensuring that we truncate the verity metadata (both from cache and from disk) in all error paths. Also rework the code to cleanly separate the success path from the error paths, which makes it much easier to understand. Finally, log a message if f2fs_truncate() fails, since it might otherwise fail silently. Reported-by: Yunlei He Fixes: 95ae251fe828 ("f2fs: add fs-verity support") Cc: # v5.4+ Signed-off-by: Eric Biggers Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Greg Kroah-Hartman --- fs/f2fs/verity.c | 79 ++++++++++++++++++++++++++++++++++++++----------------- 1 file changed, 56 insertions(+), 23 deletions(-) --- a/fs/f2fs/verity.c +++ b/fs/f2fs/verity.c @@ -152,40 +152,73 @@ static int f2fs_end_enable_verity(struct size_t desc_size, u64 merkle_tree_size) { struct inode *inode = file_inode(filp); + struct f2fs_sb_info *sbi = F2FS_I_SB(inode); u64 desc_pos = f2fs_verity_metadata_pos(inode) + merkle_tree_size; struct fsverity_descriptor_location dloc = { .version = cpu_to_le32(F2FS_VERIFY_VER), .size = cpu_to_le32(desc_size), .pos = cpu_to_le64(desc_pos), }; - int err = 0; + int err = 0, err2 = 0; - if (desc != NULL) { - /* Succeeded; write the verity descriptor. */ - err = pagecache_write(inode, desc, desc_size, desc_pos); - - /* Write all pages before clearing FI_VERITY_IN_PROGRESS. */ - if (!err) - err = filemap_write_and_wait(inode->i_mapping); - } - - /* If we failed, truncate anything we wrote past i_size. */ - if (desc == NULL || err) - f2fs_truncate(inode); + /* + * If an error already occurred (which fs/verity/ signals by passing + * desc == NULL), then only clean-up is needed. + */ + if (desc == NULL) + goto cleanup; + + /* Append the verity descriptor. */ + err = pagecache_write(inode, desc, desc_size, desc_pos); + if (err) + goto cleanup; + + /* + * Write all pages (both data and verity metadata). Note that this must + * happen before clearing FI_VERITY_IN_PROGRESS; otherwise pages beyond + * i_size won't be written properly. For crash consistency, this also + * must happen before the verity inode flag gets persisted. + */ + err = filemap_write_and_wait(inode->i_mapping); + if (err) + goto cleanup; + + /* Set the verity xattr. */ + err = f2fs_setxattr(inode, F2FS_XATTR_INDEX_VERITY, + F2FS_XATTR_NAME_VERITY, &dloc, sizeof(dloc), + NULL, XATTR_CREATE); + if (err) + goto cleanup; + + /* Finally, set the verity inode flag. */ + file_set_verity(inode); + f2fs_set_inode_flags(inode); + f2fs_mark_inode_dirty_sync(inode, true); clear_inode_flag(inode, FI_VERITY_IN_PROGRESS); + return 0; - if (desc != NULL && !err) { - err = f2fs_setxattr(inode, F2FS_XATTR_INDEX_VERITY, - F2FS_XATTR_NAME_VERITY, &dloc, sizeof(dloc), - NULL, XATTR_CREATE); - if (!err) { - file_set_verity(inode); - f2fs_set_inode_flags(inode); - f2fs_mark_inode_dirty_sync(inode, true); - } +cleanup: + /* + * Verity failed to be enabled, so clean up by truncating any verity + * metadata that was written beyond i_size (both from cache and from + * disk) and clearing FI_VERITY_IN_PROGRESS. + * + * Taking i_gc_rwsem[WRITE] is needed to stop f2fs garbage collection + * from re-instantiating cached pages we are truncating (since unlike + * normal file accesses, garbage collection isn't limited by i_size). + */ + down_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]); + truncate_inode_pages(inode->i_mapping, inode->i_size); + err2 = f2fs_truncate(inode); + if (err2) { + f2fs_err(sbi, "Truncating verity metadata failed (errno=%d)", + err2); + set_sbi_flag(sbi, SBI_NEED_FSCK); } - return err; + up_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]); + clear_inode_flag(inode, FI_VERITY_IN_PROGRESS); + return err ?: err2; } static int f2fs_get_verity_descriptor(struct inode *inode, void *buf,