Presently the data buffer used to return the per-UID timeout description
is created based on information provided by the user. It is expected
that the user populates a variable called 'timeouts_array_size' which is
heavily scrutinised to ensure the value provided is appropriate i.e.
smaller than the largest possible value but large enough to contain all
of the data we wish to pass back.
The issue is that the aforementioned scrutiny is imposed on a different
variable to the one expected. Contrary to expectation, the data buffer
is actually being allocated to the size specified in a variable named
'timeouts_array_size_out'. A variable originally designed to only
contain the output information i.e. the size of the data actually copied
to the user for consumption. This value is also user provided and is
not given the same level of scrutiny as the former.
The fix in this case is simple. Ignore 'timeouts_array_size_out' until
it is time to populate (over-write) it ourselves and use
'timeouts_array_size' to shape the buffer as intended.
Bug: 281547360
Change-Id: I95e12879a33a2355f9e4bc0ce2bfc3f229141aa8
Signed-off-by: Lee Jones <joneslee@google.com>
(cherry picked from commit 5a4d20a3eb4e651f88ed2f1f08cee066639ca801)
Now that the branch is used to create production GKI
images, need to institute ACK DrNo for all commits.
The DrNo approvers are in the android-mainline branch
at /OWNERS_DrNo.
Bug: 287162457
Signed-off-by: Matthias Maennich <maennich@google.com>
Change-Id: Id5bb83d7add5f314df6816c1c51b4bf2d8018e79
Since evicting inodes triggers writes to the backing file, which uses
the mi_owner field from the mount_info struct, make sure inodes are
evicted before we free the mount_info data
Test: incfs_test
Bug: 270117845
Change-Id: I673b2e0e04b5adc3998caf6f22443598a30338af
Signed-off-by: Paul Lawrence <paullawrence@google.com>
(cherry picked from commit 7899985277527b29c47929a6d6a89c5c89b406ad)
Bug: 241479010
Test: incfs_test passes, play confirm behavior in bug is fixed
Signed-off-by: Paul Lawrence <paullawrence@google.com>
Change-Id: Ie51f2b76d0873057f54fecf7fcc793c66df20969
Also fix race whereby multiple providers writinig the same block would
actually write out the same block.
Note that multiple_providers_test started failing when incfs was ported
to 5.15, and these fixes are needed to make the test reliable
Bug: 264703896
Test: incfs-test passes, specifically multiple_providers_test. Ran 100
times
Change-Id: I05ad5b2b2f62cf218256222cecb79bbe9953bd97
Signed-off-by: Paul Lawrence <paullawrence@google.com>
Add an explicite check for ATTR_KILL_SUID and ATTR_MODE in incfs_setattr.
Both of these attributes can not be set at the same time, otherwise
notify_change() function will check it and invoke BUG(), crashing
the system.
Bug: 243394930
Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org>
Change-Id: I91080d68efbd62f1441e20a5c02feef3d1b06e4e
In commit 0c5fd887d2 ("acl: move idmapped mount fixup into
vfs_{g,s}etxattr()") the signature of setxattr has changed, so fixup
incfs so that it continues to build properly.
Someday this will be merged upstream and this type of maintenance will
happen automagically...
Fixes: 0c5fd887d2 ("acl: move idmapped mount fixup into vfs_{g,s}etxattr()")
Cc: Paul Lawrence <paullawrence@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I78e4af3fb999cf0ffc1128ccc15d6af6a3b1f591
When building android-mainline with a version of clang that supports
CONFIG_RANDSTRUCT, there are errors about casts from randomized
structures to non-randomized structures:
fs/incfs/data_mgmt.c:240:10: error: casting from randomized structure pointer type 'struct dentry *' to 'struct data_file *'
return (struct data_file *)index_file_dentry;
^
fs/incfs/data_mgmt.c:257:12: error: casting from randomized structure pointer type 'struct file *' to 'struct data_file *'
result = (struct data_file *)bf;
^
2 errors generated.
As suggested by Kees on aosp/1995750, these casts should actually be
using the ERR_CAST macro, which is a more proper way to pass error
pointers around.
Change-Id: Iab73ac7503235f1147154a01a22ab8608e3daf8b
Fixes: 3f4938108a ("ANDROID: Incremental fs: Create mapped file")
Link: https://github.com/ClangBuiltLinux/linux/issues/1652
Suggested-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
This is a "weak" conversion which converts straight back to using pages
to keep the build working properly.
A full conversion should be performed at some point, hopefully by
someone familiar with the filesystem.
Fixes: 7e0a126519 ("mm,fs: Remove aops->readpage")
CC: Paul Lawrence <paullawrence@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Id34db2c71743731d6a69b7b566a1f3a0a12dffe1
The merkle tree pages at the end of the incremental files were being
zero'd and marked uptodate on 5.15. Mark uptodate on creation to prevent
this.
Bug: 197663427
Test: The test in that bug now passes on 5.15 kernel
Signed-off-by: Paul Lawrence <paullawrence@google.com>
Change-Id: I5c0781c51bfbc64929e7a465db1ae975ce5928f9
(cherry picked from commit 68d2a58b28ecad58340643ebab511ecd2689c2b1)
Syzbot recently found a number of issues related to incremental-fs
(see bug numbers below). All have to do with the fact that incr-fs
allows mounts of the same source and target multiple times.
This is a design decision and the user space component "Data Loader"
expects this to work for app re-install use case.
The mounting depth needs to be controlled, however, and only allowed
to be two levels deep. In case of more than two mount attempts the
driver needs to return an error.
In case of the issues listed below the common pattern is that the
reproducer calls:
mount("./file0", "./file0", "incremental-fs", 0, NULL)
many times and then invokes a file operation like chmod, setxattr,
or open on the ./file0. This causes a recursive call for all the
mounted instances, which eventually causes a stack overflow and
a kernel crash:
BUG: stack guard page was hit at ffffc90000c0fff8
kernel stack overflow (double-fault): 0000 [#1] PREEMPT SMP KASAN
This change also cleans up the mount error path to properly clean
allocated resources and call deactivate_locked_super(), which
causes the incfs_kill_sb() to be called, where the sb is freed.
Bug: 211066171
Bug: 213140206
Bug: 213215835
Bug: 211914587
Bug: 211213635
Bug: 213137376
Bug: 211161296
Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org>
Change-Id: I08d9b545a2715423296bf4beb67bdbbed78d1be1
This reverts commit f35524a260.
This is to fix the incrementalinstall test.
This is the second revert required on android-mainline
Can now install the same apk twice, and repeated installs are stable.
Bug: 217661925
Bug: 219731048
Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org>
Change-Id: I941faf5420dbdcaaac13064542f627bb1dd1a572
This reverts commit 8f40a6318c.
Two reverts needed on android-mainline to fix increment-fs regression.
This is the first one.
Test: Can now install the same apk twice, and repeated installs are
stable.
Bug: 217661925
Bug: 218732047
Bug: 219731048
Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org>
Change-Id: I7a72bba7e44b039ef0383af1fcc8edadab8c5b5c
The old and new mount user name spaces need to be populated
before calling vfs_rename().
Bug: 211066171
Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org>
Change-Id: Ieac6975abb4131c8f5bdefe25b5f241c80023e38
Cleanup incremental-fs left overs on umount, otherwise incr-fs will
complain as below:
BUG: Dentry {i=47a,n=.incomplete} still in use [unmount of incremental-fs]
This requires vfs_rmdir() of the special index and incomplete dirs.
Also free options.sysfs_name in incfs_mount_fs() instead of in
incfs_free_mount_info() to make it consistent with incfs_remount_fs().
Since set_anon_super() was used in incfs_mount_fs() the incfs_kill_sb()
should use kill_anon_super() instead of generic_shutdown_super()
otherwise it will leak the pseudo dev_t that set_anon_super() allocates.
Bug: 211066171
Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org>
Change-Id: I7ea54db63513fc130e1997cbf79121015ee12405
It is possible that fget returns NULL. This needs to be handled
correctly in ioctl_permit_fill.
Bug: 212821226
Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org>
Change-Id: Iec8be21982afeab6794b78ab1a542671c52acea2
Syzbot recently found a number of issues related to incremental-fs
(see bug numbers below). All have to do with the fact that incr-fs
allows mounts of the same source and target multiple times.
The correct behavior for a file system is to allow only one such
mount, and then every subsequent attempt should fail with a -EBUSY
error code. In case of the issues listed below the common pattern
is that the reproducer calls:
mount("./file0", "./file0", "incremental-fs", 0, NULL)
many times and then invokes a file operation like chmod, setxattr,
or open on the ./file0. This causes a recursive call for all the
mounted instances, which eventually causes a stack overflow and
a kernel crash:
BUG: stack guard page was hit at ffffc90000c0fff8
kernel stack overflow (double-fault): 0000 [#1] PREEMPT SMP KASAN
The reason why many mounts with the same source and target are
possible is because the incfs_mount_fs() as it is allocates a new
super_block for every call, regardless of whether a given mount already
exists or not. This happens every time the sget() function is called
with a test param equal to NULL.
The correct behavior for an FS mount implementation is to call
appropriate mount vfs call for it's type, i.e. mount_bdev() for
a block device backed FS, mount_single() for a pseudo file system,
like sysfs that is mounted in a single, well know location, or
mount_nodev() for other special purpose FS like overlayfs.
In case of incremental-fs the open coded mount logic doesn't check
for abusive mount attempts such as overlays.
To fix this issue the logic needs to be changed to pass a proper
test function to sget() call, which then checks if a super_block
for a mount instance has already been allocated and also allows
the VFS to properly verify invalid mount attempts.
Bug: 211066171
Bug: 213140206
Bug: 213215835
Bug: 211914587
Bug: 211213635
Bug: 213137376
Bug: 211161296
Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org>
Change-Id: I66cfc3f1b5aaffb32b0845b2dad3ff26fe952e27
Commit cf30f6a5f0 ("lib: zstd: Add kernel-specific API") changed the
zstd api. Given that the incfs code is not in the kernel tree, it was
not also converted so do that here to keep the build working properly.
Fixes: cf30f6a5f0 ("lib: zstd: Add kernel-specific API")
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I2e786a5e032adf104c0f3778bfb516a58c134047
In commit edb0872f44 ("block: move the bdi from the request_queue to
the gendisk"), the backing device info moved .h files which breaks the
building of incfs. Fix this up like was done for fat, just include the
correct .h file.
Fixes: edb0872f44 ("block: move the bdi from the request_queue to the gendisk")
CC: Paul Lawrence <paullawrence@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Iccc990b1b01af4580192921410b915b91dc6a155
<linux/blkdev.h> no longer includes <linux/pagemap.h>.
Besides, source files should explicitly include headers providing used
functionality anyway.
Fixes: 4ee60ec156 ("include: remove pagemap.h from blkdev.h")
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Change-Id: I6d28e5cc100780ecd74f5d772f08fd4b0f977898
Prior change
ANDROID: Incremental fs: stat should return actual used blocks
adds blocks to getattr. Unfortunately the code always looks for the
backing file, and pseudo files don't have backing files, so getattr
fails for pseudo files.
Bug: 186567511
Test: incfs_test passes, can do incremental installs on test device
Signed-off-by: Paul Lawrence <paullawrence@google.com>
Change-Id: Ia3df87f3683e095d05c822b69747515963c95f1c
Sparse complains about casting a five byte number to a ulong on 32-bit
platorms. Fix by anding the constant with ULONG_MAX
Bug: 186015158
Test: incfs_test passes, sparse reports no warnings on 32 & 64 bit builds
Signed-off-by: Paul Lawrence <paullawrence@google.com>
Change-Id: Ic83e03626b7f290370d75b3aaba187b8392fb344
Adding seven sysfs entries per mount:
reads_failed_timed_out
reads_failed_hash_verification
reads_failed_other
reads_delayed_pending
reads_delayed_pending_us
reads_delayed_min
reads_delayed_min_us
to allow for status monitoring from userland
Change-Id: I50677511c2af4778ba0c574bb80323f31425b4d0
Test: incfs_test passes
Bug: 160634343
Bug: 184291759
Signed-off-by: Paul Lawrence <paullawrence@google.com>
Compiler (arm-linux-gnueabihf-gcc 8.3.0) complains about an invalid cast
of an __aligned_u64 integer to a pointer on 32-bit architectures. Using
u64_to_user_ptr() for the cast fixes the following warning:
fs/incfs/pseudo_files.c: In function ‘ioctl_create_file’:
fs/incfs/pseudo_files.c:656:10: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
656 | (u8 __user *)args.signature_info,
| ^
Bug: 183339614
Fixes: bc6a70e849 (ANDROID: Incremental fs: Remove signature checks from kernel)
Reported-by: kernelci.org bot <bot@kernelci.org>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Change-Id: I98a987fb83c160740796c0b4b3fdd7551880e12a
Use the correct printk specifier [%zu] for size_t variable.
This fixes the following warning:
fs/incfs/format.c: In function ‘incfs_read_next_metadata_record’:
./include/linux/kern_levels.h:5:18: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 2 has type ‘size_t’ {aka ‘unsigned int’} [-Wformat=]
fs/incfs/format.c:669:3: note: in expansion of macro ‘pr_warn’
669 | pr_warn("incfs: The record is too large. Size: %ld",
| ^~~~~~~
Bug: 183339614
Fixes: c6819dd778 (ANDROID: Initial commit of Incremental FS)
Reported-by: kernelci.org bot <bot@kernelci.org>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Change-Id: Ia784a9ced9fb6bc76e2f1baa495b3ccf568e3b1d
Lots of different vfs changes happened in 7d6beb71da ("Merge tag
'idmapped-mounts-v5.12' of
git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux") which were
not made to incfs as it is out-of-tree :(
So fix it up by doing a quick port to the initial user namespace and
hopefully all works properly now, at least it builds :)
Fixes: 7d6beb71da ("Merge tag 'idmapped-mounts-v5.12' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux")
Cc: Paul Lawrence <paullawrence@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I32899a792fbfad9455d504868e7a02d30a0a6049
This reverts commit 3484eba91d.
It's causing too many merge issues, so revert it for now and hopefully
bring it back later...
Cc: Mark Salyzyn <salyzyn@android.com>
Bug: 133515582
Bug: 136124883
Bug: 129319403
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Id70a37d9471eff58f0027a1371538858136604d3
In order to provide better reviewer suggestions and to introduce fine
grained additional approval permissions, sprinkle some OWNERS files over
the tree.
This essentially grants additional OWNERS permissions in
- net/
- arch/arm*/net
- arch/x86/net
- drivers/net
- fs/crypto
- fs/f2fs
- fs/verity
All other permissions are already covered by ref/meta/config:OWNERS.
Signed-off-by: Matthias Maennich <maennich@google.com>
Change-Id: I02a6563e4dd63842af37c50f7180bf38e9b9b4be
Backing file needs to have write permissions for all users
even though the mounted view doesn't - otherwise incfs can't
change the internal file data.
Bug: 180535478
Test: adb install <apk>
Signed-off-by: Yurii Zubrytskyi <zyy@google.com>
Signed-off-by: Paul Lawrence <paullawrence@google.com>
Change-Id: I5d7915b28072cff1508ba45b56e844cb678ca466
For incfs files that were created without a merkle tree, enabling verity
requires building a merkle tree first. Although this is the same logic
as verity performs, it is not that easy to reconcile the two given that
incfs has the merkle tree potentially when verity is not enabled.
Bug: 160634504
Test: incfs_test passes
Signed-off-by: Paul Lawrence <paullawrence@google.com>
Change-Id: Ia15a4051fa3362820846d65859e3af76b77f8cc4
Add ioctl to return the verity file digest, compatible with the identical
ioctl in fs/verity/.
Bug: 160634504
Test: incfs_test passes
Signed-off-by: Paul Lawrence <paullawrence@google.com>
Change-Id: I1bc2dc975b9be122e1c831a25a1d44f27a360f3c
Now fsverity state is preserved across inode eviction.
Added incfs.verity xattr to track when a file is fs-verity enabled.
Bug: 160634504
Test: incfs_test passes
Signed-off-by: Paul Lawrence <paullawrence@google.com>
Change-Id: I41d90abd55527884d9eff642c9834ad837ff6918
Add FS_IOC_GETFLAGS ioctl to incfs. Currently this will only get the
S_VERITY flag.
Bug: 160634504
Test: incfs_test passes
Signed-off-by: Paul Lawrence <paullawrence@google.com>
Change-Id: Id79add0db0d66f604ca0f222fe5faec91450ade5
Add FS_IOC_ENABLE_VERITY ioctl
When called, calculate measurement, validate signature against fsverity,
and set S_VERITY flag.
This does not (yet) preserve the verity status once the inode is
evicted.
Bug: 160634504
Test: incfs_test passes
Signed-off-by: Paul Lawrence <paullawrence@google.com>
Change-Id: I88af2721f650098accc72a64528c7d85b753c7f6
