<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/fs/ecryptfs/crypto.c, branch v2.6.32</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>eCryptfs: Propagate vfs_read and vfs_write return codes</title>
<updated>2009-09-23T14:10:34+00:00</updated>
<author>
<name>Tyler Hicks</name>
<email>tyhicks@linux.vnet.ibm.com</email>
</author>
<published>2009-09-17T00:04:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=96a7b9c2f5df899f302ade45cf17ad753fe130fd'/>
<id>96a7b9c2f5df899f302ade45cf17ad753fe130fd</id>
<content type='text'>
Errors returned from vfs_read() and vfs_write() calls to the lower
filesystem were being masked as -EINVAL.  This caused some confusion to
users who saw EINVAL instead of ENOSPC when the disk was full, for
instance.

Also, the actual bytes read or written were not accessible by callers to
ecryptfs_read_lower() and ecryptfs_write_lower(), which may be useful in
some cases.  This patch updates the error handling logic where those
functions are called in order to accept positive return codes indicating
success.

Cc: Eric Sandeen &lt;esandeen@redhat.com&gt;
Acked-by: Serge Hallyn &lt;serue@us.ibm.com&gt;
Cc: ecryptfs-devel@lists.launchpad.net
Signed-off-by: Tyler Hicks &lt;tyhicks@linux.vnet.ibm.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Errors returned from vfs_read() and vfs_write() calls to the lower
filesystem were being masked as -EINVAL.  This caused some confusion to
users who saw EINVAL instead of ENOSPC when the disk was full, for
instance.

Also, the actual bytes read or written were not accessible by callers to
ecryptfs_read_lower() and ecryptfs_write_lower(), which may be useful in
some cases.  This patch updates the error handling logic where those
functions are called in order to accept positive return codes indicating
success.

Cc: Eric Sandeen &lt;esandeen@redhat.com&gt;
Acked-by: Serge Hallyn &lt;serue@us.ibm.com&gt;
Cc: ecryptfs-devel@lists.launchpad.net
Signed-off-by: Tyler Hicks &lt;tyhicks@linux.vnet.ibm.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>eCryptfs: Filename encryption only supports password auth tokens</title>
<updated>2009-09-23T14:10:32+00:00</updated>
<author>
<name>Tyler Hicks</name>
<email>tyhicks@linux.vnet.ibm.com</email>
</author>
<published>2009-08-21T09:27:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=df6ad33ba1b9846bd5f0e2b9016c30c20bc2d948'/>
<id>df6ad33ba1b9846bd5f0e2b9016c30c20bc2d948</id>
<content type='text'>
Returns -ENOTSUPP when attempting to use filename encryption with
something other than a password authentication token, such as a private
token from openssl.  Using filename encryption with a userspace eCryptfs
key module is a future goal.  Until then, this patch handles the
situation a little better than simply using a BUG_ON().

Acked-by: Serge Hallyn &lt;serue@us.ibm.com&gt;
Cc: ecryptfs-devel@lists.launchpad.net
Cc: stable &lt;stable@kernel.org&gt;
Signed-off-by: Tyler Hicks &lt;tyhicks@linux.vnet.ibm.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Returns -ENOTSUPP when attempting to use filename encryption with
something other than a password authentication token, such as a private
token from openssl.  Using filename encryption with a userspace eCryptfs
key module is a future goal.  Until then, this patch handles the
situation a little better than simply using a BUG_ON().

Acked-by: Serge Hallyn &lt;serue@us.ibm.com&gt;
Cc: ecryptfs-devel@lists.launchpad.net
Cc: stable &lt;stable@kernel.org&gt;
Signed-off-by: Tyler Hicks &lt;tyhicks@linux.vnet.ibm.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>eCryptfs: Handle unrecognized tag 3 cipher codes</title>
<updated>2009-09-23T14:10:31+00:00</updated>
<author>
<name>Tyler Hicks</name>
<email>tyhicks@linux.vnet.ibm.com</email>
</author>
<published>2009-08-11T05:36:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=b0105eaefa7cce8f4a941d0fc6354b250d30e745'/>
<id>b0105eaefa7cce8f4a941d0fc6354b250d30e745</id>
<content type='text'>
Returns an error when an unrecognized cipher code is present in a tag 3
packet or an ecryptfs_crypt_stat cannot be initialized.  Also sets an
crypt_stat-&gt;tfm error pointer to NULL to ensure that it will not be
incorrectly freed in ecryptfs_destroy_crypt_stat().

Acked-by: Serge Hallyn &lt;serue@us.ibm.com&gt;
Cc: ecryptfs-devel@lists.launchpad.net
Cc: stable &lt;stable@kernel.org&gt;
Signed-off-by: Tyler Hicks &lt;tyhicks@linux.vnet.ibm.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Returns an error when an unrecognized cipher code is present in a tag 3
packet or an ecryptfs_crypt_stat cannot be initialized.  Also sets an
crypt_stat-&gt;tfm error pointer to NULL to ensure that it will not be
incorrectly freed in ecryptfs_destroy_crypt_stat().

Acked-by: Serge Hallyn &lt;serue@us.ibm.com&gt;
Cc: ecryptfs-devel@lists.launchpad.net
Cc: stable &lt;stable@kernel.org&gt;
Signed-off-by: Tyler Hicks &lt;tyhicks@linux.vnet.ibm.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ecryptfs: improved dependency checking and reporting</title>
<updated>2009-09-23T14:10:31+00:00</updated>
<author>
<name>Dave Hansen</name>
<email>dave@linux.vnet.ibm.com</email>
</author>
<published>2009-08-27T16:47:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=382684984e93039a3bbd83b04d341b0ceb831519'/>
<id>382684984e93039a3bbd83b04d341b0ceb831519</id>
<content type='text'>
So, I compiled a 2.6.31-rc5 kernel with ecryptfs and loaded its module.
When it came time to mount my filesystem, I got this in dmesg, and it
refused to mount:

[93577.776637] Unable to allocate crypto cipher with name [aes]; rc = [-2]
[93577.783280] Error attempting to initialize key TFM cipher with name = [aes]; rc = [-2]
[93577.791183] Error attempting to initialize cipher with name = [aes] and key size = [32]; rc = [-2]
[93577.800113] Error parsing options; rc = [-22]

I figured from the error message that I'd either forgotten to load "aes"
or that my key size was bogus.  Neither one of those was the case.  In
fact, I was missing the CRYPTO_ECB config option and the 'ecb' module.
Unfortunately, there's no trace of 'ecb' in that error message.

I've done two things to fix this.  First, I've modified ecryptfs's
Kconfig entry to select CRYPTO_ECB and CRYPTO_CBC.  I also took CRYPTO
out of the dependencies since the 'select' will take care of it for us.

I've also modified the error messages to print a string that should
contain both 'ecb' and 'aes' in my error case.  That will give any
future users a chance of finding the right modules and Kconfig options.

I also wonder if we should:

	select CRYPTO_AES if !EMBEDDED

since I think most ecryptfs users are using AES like me.

Cc: ecryptfs-devel@lists.launchpad.net
Cc: linux-fsdevel@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: Dustin Kirkland &lt;kirkland@canonical.com&gt;
Signed-off-by: Dave Hansen &lt;dave@linux.vnet.ibm.com&gt;
[tyhicks@linux.vnet.ibm.com: Removed extra newline, 80-char violation]
Signed-off-by: Tyler Hicks &lt;tyhicks@linux.vnet.ibm.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
So, I compiled a 2.6.31-rc5 kernel with ecryptfs and loaded its module.
When it came time to mount my filesystem, I got this in dmesg, and it
refused to mount:

[93577.776637] Unable to allocate crypto cipher with name [aes]; rc = [-2]
[93577.783280] Error attempting to initialize key TFM cipher with name = [aes]; rc = [-2]
[93577.791183] Error attempting to initialize cipher with name = [aes] and key size = [32]; rc = [-2]
[93577.800113] Error parsing options; rc = [-22]

I figured from the error message that I'd either forgotten to load "aes"
or that my key size was bogus.  Neither one of those was the case.  In
fact, I was missing the CRYPTO_ECB config option and the 'ecb' module.
Unfortunately, there's no trace of 'ecb' in that error message.

I've done two things to fix this.  First, I've modified ecryptfs's
Kconfig entry to select CRYPTO_ECB and CRYPTO_CBC.  I also took CRYPTO
out of the dependencies since the 'select' will take care of it for us.

I've also modified the error messages to print a string that should
contain both 'ecb' and 'aes' in my error case.  That will give any
future users a chance of finding the right modules and Kconfig options.

I also wonder if we should:

	select CRYPTO_AES if !EMBEDDED

since I think most ecryptfs users are using AES like me.

Cc: ecryptfs-devel@lists.launchpad.net
Cc: linux-fsdevel@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: Dustin Kirkland &lt;kirkland@canonical.com&gt;
Signed-off-by: Dave Hansen &lt;dave@linux.vnet.ibm.com&gt;
[tyhicks@linux.vnet.ibm.com: Removed extra newline, 80-char violation]
Signed-off-by: Tyler Hicks &lt;tyhicks@linux.vnet.ibm.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>eCryptfs: Fix lockdep-reported AB-BA mutex issue</title>
<updated>2009-09-23T14:10:30+00:00</updated>
<author>
<name>Roland Dreier</name>
<email>rdreier@cisco.com</email>
</author>
<published>2009-07-01T22:48:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=aa06117f19944573cda0c4bee026c916b5256090'/>
<id>aa06117f19944573cda0c4bee026c916b5256090</id>
<content type='text'>
Lockdep reports the following valid-looking possible AB-BA deadlock with
global_auth_tok_list_mutex and keysig_list_mutex:

  ecryptfs_new_file_context() -&gt;
      ecryptfs_copy_mount_wide_sigs_to_inode_sigs() -&gt;
          mutex_lock(&amp;mount_crypt_stat-&gt;global_auth_tok_list_mutex);
          -&gt; ecryptfs_add_keysig() -&gt;
              mutex_lock(&amp;crypt_stat-&gt;keysig_list_mutex);

vs

  ecryptfs_generate_key_packet_set() -&gt;
      mutex_lock(&amp;crypt_stat-&gt;keysig_list_mutex);
      -&gt; ecryptfs_find_global_auth_tok_for_sig() -&gt;
          mutex_lock(&amp;mount_crypt_stat-&gt;global_auth_tok_list_mutex);

ie the two mutexes are taken in opposite orders in the two different
code paths.  I'm not sure if this is a real bug where two threads could
actually hit the two paths in parallel and deadlock, but it at least
makes lockdep impossible to use with ecryptfs since this report triggers
every time and disables future lockdep reporting.

Since ecryptfs_add_keysig() is called only from the single callsite in
ecryptfs_copy_mount_wide_sigs_to_inode_sigs(), the simplest fix seems to
be to move the lock of keysig_list_mutex back up outside of the where
global_auth_tok_list_mutex is taken.  This patch does that, and fixes
the lockdep report on my system (and ecryptfs still works OK).

The full output of lockdep fixed by this patch is:

=======================================================
[ INFO: possible circular locking dependency detected ]
2.6.31-2-generic #14~rbd2
-------------------------------------------------------
gdm/2640 is trying to acquire lock:
 (&amp;mount_crypt_stat-&gt;global_auth_tok_list_mutex){+.+.+.}, at: [&lt;ffffffff8121591e&gt;] ecryptfs_find_global_auth_tok_for_sig+0x2e/0x90

but task is already holding lock:
 (&amp;crypt_stat-&gt;keysig_list_mutex){+.+.+.}, at: [&lt;ffffffff81217728&gt;] ecryptfs_generate_key_packet_set+0x58/0x2b0

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-&gt; #1 (&amp;crypt_stat-&gt;keysig_list_mutex){+.+.+.}:
       [&lt;ffffffff8108c897&gt;] check_prev_add+0x2a7/0x370
       [&lt;ffffffff8108cfc1&gt;] validate_chain+0x661/0x750
       [&lt;ffffffff8108d2e7&gt;] __lock_acquire+0x237/0x430
       [&lt;ffffffff8108d585&gt;] lock_acquire+0xa5/0x150
       [&lt;ffffffff815526cd&gt;] __mutex_lock_common+0x4d/0x3d0
       [&lt;ffffffff81552b56&gt;] mutex_lock_nested+0x46/0x60
       [&lt;ffffffff8121526a&gt;] ecryptfs_add_keysig+0x5a/0xb0
       [&lt;ffffffff81213299&gt;] ecryptfs_copy_mount_wide_sigs_to_inode_sigs+0x59/0xb0
       [&lt;ffffffff81214b06&gt;] ecryptfs_new_file_context+0xa6/0x1a0
       [&lt;ffffffff8120e42a&gt;] ecryptfs_initialize_file+0x4a/0x140
       [&lt;ffffffff8120e54d&gt;] ecryptfs_create+0x2d/0x60
       [&lt;ffffffff8113a7d4&gt;] vfs_create+0xb4/0xe0
       [&lt;ffffffff8113a8c4&gt;] __open_namei_create+0xc4/0x110
       [&lt;ffffffff8113d1c1&gt;] do_filp_open+0xa01/0xae0
       [&lt;ffffffff8112d8d9&gt;] do_sys_open+0x69/0x140
       [&lt;ffffffff8112d9f0&gt;] sys_open+0x20/0x30
       [&lt;ffffffff81013132&gt;] system_call_fastpath+0x16/0x1b
       [&lt;ffffffffffffffff&gt;] 0xffffffffffffffff

-&gt; #0 (&amp;mount_crypt_stat-&gt;global_auth_tok_list_mutex){+.+.+.}:
       [&lt;ffffffff8108c675&gt;] check_prev_add+0x85/0x370
       [&lt;ffffffff8108cfc1&gt;] validate_chain+0x661/0x750
       [&lt;ffffffff8108d2e7&gt;] __lock_acquire+0x237/0x430
       [&lt;ffffffff8108d585&gt;] lock_acquire+0xa5/0x150
       [&lt;ffffffff815526cd&gt;] __mutex_lock_common+0x4d/0x3d0
       [&lt;ffffffff81552b56&gt;] mutex_lock_nested+0x46/0x60
       [&lt;ffffffff8121591e&gt;] ecryptfs_find_global_auth_tok_for_sig+0x2e/0x90
       [&lt;ffffffff812177d5&gt;] ecryptfs_generate_key_packet_set+0x105/0x2b0
       [&lt;ffffffff81212f49&gt;] ecryptfs_write_headers_virt+0xc9/0x120
       [&lt;ffffffff8121306d&gt;] ecryptfs_write_metadata+0xcd/0x200
       [&lt;ffffffff8120e44b&gt;] ecryptfs_initialize_file+0x6b/0x140
       [&lt;ffffffff8120e54d&gt;] ecryptfs_create+0x2d/0x60
       [&lt;ffffffff8113a7d4&gt;] vfs_create+0xb4/0xe0
       [&lt;ffffffff8113a8c4&gt;] __open_namei_create+0xc4/0x110
       [&lt;ffffffff8113d1c1&gt;] do_filp_open+0xa01/0xae0
       [&lt;ffffffff8112d8d9&gt;] do_sys_open+0x69/0x140
       [&lt;ffffffff8112d9f0&gt;] sys_open+0x20/0x30
       [&lt;ffffffff81013132&gt;] system_call_fastpath+0x16/0x1b
       [&lt;ffffffffffffffff&gt;] 0xffffffffffffffff

other info that might help us debug this:

2 locks held by gdm/2640:
 #0:  (&amp;sb-&gt;s_type-&gt;i_mutex_key#11){+.+.+.}, at: [&lt;ffffffff8113cb8b&gt;] do_filp_open+0x3cb/0xae0
 #1:  (&amp;crypt_stat-&gt;keysig_list_mutex){+.+.+.}, at: [&lt;ffffffff81217728&gt;] ecryptfs_generate_key_packet_set+0x58/0x2b0

stack backtrace:
Pid: 2640, comm: gdm Tainted: G         C 2.6.31-2-generic #14~rbd2
Call Trace:
 [&lt;ffffffff8108b988&gt;] print_circular_bug_tail+0xa8/0xf0
 [&lt;ffffffff8108c675&gt;] check_prev_add+0x85/0x370
 [&lt;ffffffff81094912&gt;] ? __module_text_address+0x12/0x60
 [&lt;ffffffff8108cfc1&gt;] validate_chain+0x661/0x750
 [&lt;ffffffff81017275&gt;] ? print_context_stack+0x85/0x140
 [&lt;ffffffff81089c68&gt;] ? find_usage_backwards+0x38/0x160
 [&lt;ffffffff8108d2e7&gt;] __lock_acquire+0x237/0x430
 [&lt;ffffffff8108d585&gt;] lock_acquire+0xa5/0x150
 [&lt;ffffffff8121591e&gt;] ? ecryptfs_find_global_auth_tok_for_sig+0x2e/0x90
 [&lt;ffffffff8108b0b0&gt;] ? check_usage_backwards+0x0/0xb0
 [&lt;ffffffff815526cd&gt;] __mutex_lock_common+0x4d/0x3d0
 [&lt;ffffffff8121591e&gt;] ? ecryptfs_find_global_auth_tok_for_sig+0x2e/0x90
 [&lt;ffffffff8121591e&gt;] ? ecryptfs_find_global_auth_tok_for_sig+0x2e/0x90
 [&lt;ffffffff8108c02c&gt;] ? mark_held_locks+0x6c/0xa0
 [&lt;ffffffff81125b0d&gt;] ? kmem_cache_alloc+0xfd/0x1a0
 [&lt;ffffffff8108c34d&gt;] ? trace_hardirqs_on_caller+0x14d/0x190
 [&lt;ffffffff81552b56&gt;] mutex_lock_nested+0x46/0x60
 [&lt;ffffffff8121591e&gt;] ecryptfs_find_global_auth_tok_for_sig+0x2e/0x90
 [&lt;ffffffff812177d5&gt;] ecryptfs_generate_key_packet_set+0x105/0x2b0
 [&lt;ffffffff81212f49&gt;] ecryptfs_write_headers_virt+0xc9/0x120
 [&lt;ffffffff8121306d&gt;] ecryptfs_write_metadata+0xcd/0x200
 [&lt;ffffffff81210240&gt;] ? ecryptfs_init_persistent_file+0x60/0xe0
 [&lt;ffffffff8120e44b&gt;] ecryptfs_initialize_file+0x6b/0x140
 [&lt;ffffffff8120e54d&gt;] ecryptfs_create+0x2d/0x60
 [&lt;ffffffff8113a7d4&gt;] vfs_create+0xb4/0xe0
 [&lt;ffffffff8113a8c4&gt;] __open_namei_create+0xc4/0x110
 [&lt;ffffffff8113d1c1&gt;] do_filp_open+0xa01/0xae0
 [&lt;ffffffff8129a93e&gt;] ? _raw_spin_unlock+0x5e/0xb0
 [&lt;ffffffff8155410b&gt;] ? _spin_unlock+0x2b/0x40
 [&lt;ffffffff81139e9b&gt;] ? getname+0x3b/0x240
 [&lt;ffffffff81148a5a&gt;] ? alloc_fd+0xfa/0x140
 [&lt;ffffffff8112d8d9&gt;] do_sys_open+0x69/0x140
 [&lt;ffffffff81553b8f&gt;] ? trace_hardirqs_on_thunk+0x3a/0x3f
 [&lt;ffffffff8112d9f0&gt;] sys_open+0x20/0x30
 [&lt;ffffffff81013132&gt;] system_call_fastpath+0x16/0x1b

Signed-off-by: Roland Dreier &lt;rolandd@cisco.com&gt;
Signed-off-by: Tyler Hicks &lt;tyhicks@linux.vnet.ibm.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Lockdep reports the following valid-looking possible AB-BA deadlock with
global_auth_tok_list_mutex and keysig_list_mutex:

  ecryptfs_new_file_context() -&gt;
      ecryptfs_copy_mount_wide_sigs_to_inode_sigs() -&gt;
          mutex_lock(&amp;mount_crypt_stat-&gt;global_auth_tok_list_mutex);
          -&gt; ecryptfs_add_keysig() -&gt;
              mutex_lock(&amp;crypt_stat-&gt;keysig_list_mutex);

vs

  ecryptfs_generate_key_packet_set() -&gt;
      mutex_lock(&amp;crypt_stat-&gt;keysig_list_mutex);
      -&gt; ecryptfs_find_global_auth_tok_for_sig() -&gt;
          mutex_lock(&amp;mount_crypt_stat-&gt;global_auth_tok_list_mutex);

ie the two mutexes are taken in opposite orders in the two different
code paths.  I'm not sure if this is a real bug where two threads could
actually hit the two paths in parallel and deadlock, but it at least
makes lockdep impossible to use with ecryptfs since this report triggers
every time and disables future lockdep reporting.

Since ecryptfs_add_keysig() is called only from the single callsite in
ecryptfs_copy_mount_wide_sigs_to_inode_sigs(), the simplest fix seems to
be to move the lock of keysig_list_mutex back up outside of the where
global_auth_tok_list_mutex is taken.  This patch does that, and fixes
the lockdep report on my system (and ecryptfs still works OK).

The full output of lockdep fixed by this patch is:

=======================================================
[ INFO: possible circular locking dependency detected ]
2.6.31-2-generic #14~rbd2
-------------------------------------------------------
gdm/2640 is trying to acquire lock:
 (&amp;mount_crypt_stat-&gt;global_auth_tok_list_mutex){+.+.+.}, at: [&lt;ffffffff8121591e&gt;] ecryptfs_find_global_auth_tok_for_sig+0x2e/0x90

but task is already holding lock:
 (&amp;crypt_stat-&gt;keysig_list_mutex){+.+.+.}, at: [&lt;ffffffff81217728&gt;] ecryptfs_generate_key_packet_set+0x58/0x2b0

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-&gt; #1 (&amp;crypt_stat-&gt;keysig_list_mutex){+.+.+.}:
       [&lt;ffffffff8108c897&gt;] check_prev_add+0x2a7/0x370
       [&lt;ffffffff8108cfc1&gt;] validate_chain+0x661/0x750
       [&lt;ffffffff8108d2e7&gt;] __lock_acquire+0x237/0x430
       [&lt;ffffffff8108d585&gt;] lock_acquire+0xa5/0x150
       [&lt;ffffffff815526cd&gt;] __mutex_lock_common+0x4d/0x3d0
       [&lt;ffffffff81552b56&gt;] mutex_lock_nested+0x46/0x60
       [&lt;ffffffff8121526a&gt;] ecryptfs_add_keysig+0x5a/0xb0
       [&lt;ffffffff81213299&gt;] ecryptfs_copy_mount_wide_sigs_to_inode_sigs+0x59/0xb0
       [&lt;ffffffff81214b06&gt;] ecryptfs_new_file_context+0xa6/0x1a0
       [&lt;ffffffff8120e42a&gt;] ecryptfs_initialize_file+0x4a/0x140
       [&lt;ffffffff8120e54d&gt;] ecryptfs_create+0x2d/0x60
       [&lt;ffffffff8113a7d4&gt;] vfs_create+0xb4/0xe0
       [&lt;ffffffff8113a8c4&gt;] __open_namei_create+0xc4/0x110
       [&lt;ffffffff8113d1c1&gt;] do_filp_open+0xa01/0xae0
       [&lt;ffffffff8112d8d9&gt;] do_sys_open+0x69/0x140
       [&lt;ffffffff8112d9f0&gt;] sys_open+0x20/0x30
       [&lt;ffffffff81013132&gt;] system_call_fastpath+0x16/0x1b
       [&lt;ffffffffffffffff&gt;] 0xffffffffffffffff

-&gt; #0 (&amp;mount_crypt_stat-&gt;global_auth_tok_list_mutex){+.+.+.}:
       [&lt;ffffffff8108c675&gt;] check_prev_add+0x85/0x370
       [&lt;ffffffff8108cfc1&gt;] validate_chain+0x661/0x750
       [&lt;ffffffff8108d2e7&gt;] __lock_acquire+0x237/0x430
       [&lt;ffffffff8108d585&gt;] lock_acquire+0xa5/0x150
       [&lt;ffffffff815526cd&gt;] __mutex_lock_common+0x4d/0x3d0
       [&lt;ffffffff81552b56&gt;] mutex_lock_nested+0x46/0x60
       [&lt;ffffffff8121591e&gt;] ecryptfs_find_global_auth_tok_for_sig+0x2e/0x90
       [&lt;ffffffff812177d5&gt;] ecryptfs_generate_key_packet_set+0x105/0x2b0
       [&lt;ffffffff81212f49&gt;] ecryptfs_write_headers_virt+0xc9/0x120
       [&lt;ffffffff8121306d&gt;] ecryptfs_write_metadata+0xcd/0x200
       [&lt;ffffffff8120e44b&gt;] ecryptfs_initialize_file+0x6b/0x140
       [&lt;ffffffff8120e54d&gt;] ecryptfs_create+0x2d/0x60
       [&lt;ffffffff8113a7d4&gt;] vfs_create+0xb4/0xe0
       [&lt;ffffffff8113a8c4&gt;] __open_namei_create+0xc4/0x110
       [&lt;ffffffff8113d1c1&gt;] do_filp_open+0xa01/0xae0
       [&lt;ffffffff8112d8d9&gt;] do_sys_open+0x69/0x140
       [&lt;ffffffff8112d9f0&gt;] sys_open+0x20/0x30
       [&lt;ffffffff81013132&gt;] system_call_fastpath+0x16/0x1b
       [&lt;ffffffffffffffff&gt;] 0xffffffffffffffff

other info that might help us debug this:

2 locks held by gdm/2640:
 #0:  (&amp;sb-&gt;s_type-&gt;i_mutex_key#11){+.+.+.}, at: [&lt;ffffffff8113cb8b&gt;] do_filp_open+0x3cb/0xae0
 #1:  (&amp;crypt_stat-&gt;keysig_list_mutex){+.+.+.}, at: [&lt;ffffffff81217728&gt;] ecryptfs_generate_key_packet_set+0x58/0x2b0

stack backtrace:
Pid: 2640, comm: gdm Tainted: G         C 2.6.31-2-generic #14~rbd2
Call Trace:
 [&lt;ffffffff8108b988&gt;] print_circular_bug_tail+0xa8/0xf0
 [&lt;ffffffff8108c675&gt;] check_prev_add+0x85/0x370
 [&lt;ffffffff81094912&gt;] ? __module_text_address+0x12/0x60
 [&lt;ffffffff8108cfc1&gt;] validate_chain+0x661/0x750
 [&lt;ffffffff81017275&gt;] ? print_context_stack+0x85/0x140
 [&lt;ffffffff81089c68&gt;] ? find_usage_backwards+0x38/0x160
 [&lt;ffffffff8108d2e7&gt;] __lock_acquire+0x237/0x430
 [&lt;ffffffff8108d585&gt;] lock_acquire+0xa5/0x150
 [&lt;ffffffff8121591e&gt;] ? ecryptfs_find_global_auth_tok_for_sig+0x2e/0x90
 [&lt;ffffffff8108b0b0&gt;] ? check_usage_backwards+0x0/0xb0
 [&lt;ffffffff815526cd&gt;] __mutex_lock_common+0x4d/0x3d0
 [&lt;ffffffff8121591e&gt;] ? ecryptfs_find_global_auth_tok_for_sig+0x2e/0x90
 [&lt;ffffffff8121591e&gt;] ? ecryptfs_find_global_auth_tok_for_sig+0x2e/0x90
 [&lt;ffffffff8108c02c&gt;] ? mark_held_locks+0x6c/0xa0
 [&lt;ffffffff81125b0d&gt;] ? kmem_cache_alloc+0xfd/0x1a0
 [&lt;ffffffff8108c34d&gt;] ? trace_hardirqs_on_caller+0x14d/0x190
 [&lt;ffffffff81552b56&gt;] mutex_lock_nested+0x46/0x60
 [&lt;ffffffff8121591e&gt;] ecryptfs_find_global_auth_tok_for_sig+0x2e/0x90
 [&lt;ffffffff812177d5&gt;] ecryptfs_generate_key_packet_set+0x105/0x2b0
 [&lt;ffffffff81212f49&gt;] ecryptfs_write_headers_virt+0xc9/0x120
 [&lt;ffffffff8121306d&gt;] ecryptfs_write_metadata+0xcd/0x200
 [&lt;ffffffff81210240&gt;] ? ecryptfs_init_persistent_file+0x60/0xe0
 [&lt;ffffffff8120e44b&gt;] ecryptfs_initialize_file+0x6b/0x140
 [&lt;ffffffff8120e54d&gt;] ecryptfs_create+0x2d/0x60
 [&lt;ffffffff8113a7d4&gt;] vfs_create+0xb4/0xe0
 [&lt;ffffffff8113a8c4&gt;] __open_namei_create+0xc4/0x110
 [&lt;ffffffff8113d1c1&gt;] do_filp_open+0xa01/0xae0
 [&lt;ffffffff8129a93e&gt;] ? _raw_spin_unlock+0x5e/0xb0
 [&lt;ffffffff8155410b&gt;] ? _spin_unlock+0x2b/0x40
 [&lt;ffffffff81139e9b&gt;] ? getname+0x3b/0x240
 [&lt;ffffffff81148a5a&gt;] ? alloc_fd+0xfa/0x140
 [&lt;ffffffff8112d8d9&gt;] do_sys_open+0x69/0x140
 [&lt;ffffffff81553b8f&gt;] ? trace_hardirqs_on_thunk+0x3a/0x3f
 [&lt;ffffffff8112d9f0&gt;] sys_open+0x20/0x30
 [&lt;ffffffff81013132&gt;] system_call_fastpath+0x16/0x1b

Signed-off-by: Roland Dreier &lt;rolandd@cisco.com&gt;
Signed-off-by: Tyler Hicks &lt;tyhicks@linux.vnet.ibm.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ecryptfs: Remove unneeded locking that triggers lockdep false positives</title>
<updated>2009-09-23T14:10:30+00:00</updated>
<author>
<name>Roland Dreier</name>
<email>roland@digitalvampire.org</email>
</author>
<published>2009-07-14T20:32:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=05dafedb906425fe935199f4c92700d87285e3e9'/>
<id>05dafedb906425fe935199f4c92700d87285e3e9</id>
<content type='text'>
In ecryptfs_destroy_inode(), inode_info-&gt;lower_file_mutex is locked,
and just after the mutex is unlocked, the code does:

 	kmem_cache_free(ecryptfs_inode_info_cache, inode_info);

This means that if another context could possibly try to take the same
mutex as ecryptfs_destroy_inode(), then it could end up getting the
mutex just before the data structure containing the mutex is freed.
So any such use would be an obvious use-after-free bug (catchable with
slab poisoning or mutex debugging), and therefore the locking in
ecryptfs_destroy_inode() is not needed and can be dropped.

Similarly, in ecryptfs_destroy_crypt_stat(), crypt_stat-&gt;keysig_list_mutex
is locked, and then the mutex is unlocked just before the code does:

 	memset(crypt_stat, 0, sizeof(struct ecryptfs_crypt_stat));

Therefore taking this mutex is similarly not necessary.

Removing this locking fixes false-positive lockdep reports such as the
following (and they are false-positives for exactly the same reason
that the locking is not needed):

=================================
[ INFO: inconsistent lock state ]
2.6.31-2-generic #14~rbd3
---------------------------------
inconsistent {RECLAIM_FS-ON-W} -&gt; {IN-RECLAIM_FS-W} usage.
kswapd0/323 [HC0[0]:SC0[0]:HE1:SE1] takes:
 (&amp;inode_info-&gt;lower_file_mutex){+.+.?.}, at: [&lt;ffffffff81210d34&gt;] ecryptfs_destroy_inode+0x34/0x100
{RECLAIM_FS-ON-W} state was registered at:
  [&lt;ffffffff8108c02c&gt;] mark_held_locks+0x6c/0xa0
  [&lt;ffffffff8108c10f&gt;] lockdep_trace_alloc+0xaf/0xe0
  [&lt;ffffffff81125a51&gt;] kmem_cache_alloc+0x41/0x1a0
  [&lt;ffffffff8113117a&gt;] get_empty_filp+0x7a/0x1a0
  [&lt;ffffffff8112dd46&gt;] dentry_open+0x36/0xc0
  [&lt;ffffffff8121a36c&gt;] ecryptfs_privileged_open+0x5c/0x2e0
  [&lt;ffffffff81210283&gt;] ecryptfs_init_persistent_file+0xa3/0xe0
  [&lt;ffffffff8120e838&gt;] ecryptfs_lookup_and_interpose_lower+0x278/0x380
  [&lt;ffffffff8120f97a&gt;] ecryptfs_lookup+0x12a/0x250
  [&lt;ffffffff8113930a&gt;] real_lookup+0xea/0x160
  [&lt;ffffffff8113afc8&gt;] do_lookup+0xb8/0xf0
  [&lt;ffffffff8113b518&gt;] __link_path_walk+0x518/0x870
  [&lt;ffffffff8113bd9c&gt;] path_walk+0x5c/0xc0
  [&lt;ffffffff8113be5b&gt;] do_path_lookup+0x5b/0xa0
  [&lt;ffffffff8113bfe7&gt;] user_path_at+0x57/0xa0
  [&lt;ffffffff811340dc&gt;] vfs_fstatat+0x3c/0x80
  [&lt;ffffffff8113424b&gt;] vfs_stat+0x1b/0x20
  [&lt;ffffffff81134274&gt;] sys_newstat+0x24/0x50
  [&lt;ffffffff81013132&gt;] system_call_fastpath+0x16/0x1b
  [&lt;ffffffffffffffff&gt;] 0xffffffffffffffff
irq event stamp: 7811
hardirqs last  enabled at (7811): [&lt;ffffffff810c037f&gt;] call_rcu+0x5f/0x90
hardirqs last disabled at (7810): [&lt;ffffffff810c0353&gt;] call_rcu+0x33/0x90
softirqs last  enabled at (3764): [&lt;ffffffff810631da&gt;] __do_softirq+0x14a/0x220
softirqs last disabled at (3751): [&lt;ffffffff8101440c&gt;] call_softirq+0x1c/0x30

other info that might help us debug this:
2 locks held by kswapd0/323:
 #0:  (shrinker_rwsem){++++..}, at: [&lt;ffffffff810f67ed&gt;] shrink_slab+0x3d/0x190
 #1:  (&amp;type-&gt;s_umount_key#35){.+.+..}, at: [&lt;ffffffff811429a1&gt;] prune_dcache+0xd1/0x1b0

stack backtrace:
Pid: 323, comm: kswapd0 Tainted: G         C 2.6.31-2-generic #14~rbd3
Call Trace:
 [&lt;ffffffff8108ad6c&gt;] print_usage_bug+0x18c/0x1a0
 [&lt;ffffffff8108aff0&gt;] ? check_usage_forwards+0x0/0xc0
 [&lt;ffffffff8108bac2&gt;] mark_lock_irq+0xf2/0x280
 [&lt;ffffffff8108bd87&gt;] mark_lock+0x137/0x1d0
 [&lt;ffffffff81164710&gt;] ? fsnotify_clear_marks_by_inode+0x30/0xf0
 [&lt;ffffffff8108bee6&gt;] mark_irqflags+0xc6/0x1a0
 [&lt;ffffffff8108d337&gt;] __lock_acquire+0x287/0x430
 [&lt;ffffffff8108d585&gt;] lock_acquire+0xa5/0x150
 [&lt;ffffffff81210d34&gt;] ? ecryptfs_destroy_inode+0x34/0x100
 [&lt;ffffffff8108d2e7&gt;] ? __lock_acquire+0x237/0x430
 [&lt;ffffffff815526ad&gt;] __mutex_lock_common+0x4d/0x3d0
 [&lt;ffffffff81210d34&gt;] ? ecryptfs_destroy_inode+0x34/0x100
 [&lt;ffffffff81164710&gt;] ? fsnotify_clear_marks_by_inode+0x30/0xf0
 [&lt;ffffffff81210d34&gt;] ? ecryptfs_destroy_inode+0x34/0x100
 [&lt;ffffffff8129a91e&gt;] ? _raw_spin_unlock+0x5e/0xb0
 [&lt;ffffffff81552b36&gt;] mutex_lock_nested+0x46/0x60
 [&lt;ffffffff81210d34&gt;] ecryptfs_destroy_inode+0x34/0x100
 [&lt;ffffffff81145d27&gt;] destroy_inode+0x87/0xd0
 [&lt;ffffffff81146b4c&gt;] generic_delete_inode+0x12c/0x1a0
 [&lt;ffffffff81145832&gt;] iput+0x62/0x70
 [&lt;ffffffff811423c8&gt;] dentry_iput+0x98/0x110
 [&lt;ffffffff81142550&gt;] d_kill+0x50/0x80
 [&lt;ffffffff81142623&gt;] prune_one_dentry+0xa3/0xc0
 [&lt;ffffffff811428b1&gt;] __shrink_dcache_sb+0x271/0x290
 [&lt;ffffffff811429d9&gt;] prune_dcache+0x109/0x1b0
 [&lt;ffffffff81142abf&gt;] shrink_dcache_memory+0x3f/0x50
 [&lt;ffffffff810f68dd&gt;] shrink_slab+0x12d/0x190
 [&lt;ffffffff810f9377&gt;] balance_pgdat+0x4d7/0x640
 [&lt;ffffffff8104c4c0&gt;] ? finish_task_switch+0x40/0x150
 [&lt;ffffffff810f63c0&gt;] ? isolate_pages_global+0x0/0x60
 [&lt;ffffffff810f95f7&gt;] kswapd+0x117/0x170
 [&lt;ffffffff810777a0&gt;] ? autoremove_wake_function+0x0/0x40
 [&lt;ffffffff810f94e0&gt;] ? kswapd+0x0/0x170
 [&lt;ffffffff810773be&gt;] kthread+0x9e/0xb0
 [&lt;ffffffff8101430a&gt;] child_rip+0xa/0x20
 [&lt;ffffffff81013c90&gt;] ? restore_args+0x0/0x30
 [&lt;ffffffff81077320&gt;] ? kthread+0x0/0xb0
 [&lt;ffffffff81014300&gt;] ? child_rip+0x0/0x20

Signed-off-by: Roland Dreier &lt;roland@digitalvampire.org&gt;
Signed-off-by: Tyler Hicks &lt;tyhicks@linux.vnet.ibm.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In ecryptfs_destroy_inode(), inode_info-&gt;lower_file_mutex is locked,
and just after the mutex is unlocked, the code does:

 	kmem_cache_free(ecryptfs_inode_info_cache, inode_info);

This means that if another context could possibly try to take the same
mutex as ecryptfs_destroy_inode(), then it could end up getting the
mutex just before the data structure containing the mutex is freed.
So any such use would be an obvious use-after-free bug (catchable with
slab poisoning or mutex debugging), and therefore the locking in
ecryptfs_destroy_inode() is not needed and can be dropped.

Similarly, in ecryptfs_destroy_crypt_stat(), crypt_stat-&gt;keysig_list_mutex
is locked, and then the mutex is unlocked just before the code does:

 	memset(crypt_stat, 0, sizeof(struct ecryptfs_crypt_stat));

Therefore taking this mutex is similarly not necessary.

Removing this locking fixes false-positive lockdep reports such as the
following (and they are false-positives for exactly the same reason
that the locking is not needed):

=================================
[ INFO: inconsistent lock state ]
2.6.31-2-generic #14~rbd3
---------------------------------
inconsistent {RECLAIM_FS-ON-W} -&gt; {IN-RECLAIM_FS-W} usage.
kswapd0/323 [HC0[0]:SC0[0]:HE1:SE1] takes:
 (&amp;inode_info-&gt;lower_file_mutex){+.+.?.}, at: [&lt;ffffffff81210d34&gt;] ecryptfs_destroy_inode+0x34/0x100
{RECLAIM_FS-ON-W} state was registered at:
  [&lt;ffffffff8108c02c&gt;] mark_held_locks+0x6c/0xa0
  [&lt;ffffffff8108c10f&gt;] lockdep_trace_alloc+0xaf/0xe0
  [&lt;ffffffff81125a51&gt;] kmem_cache_alloc+0x41/0x1a0
  [&lt;ffffffff8113117a&gt;] get_empty_filp+0x7a/0x1a0
  [&lt;ffffffff8112dd46&gt;] dentry_open+0x36/0xc0
  [&lt;ffffffff8121a36c&gt;] ecryptfs_privileged_open+0x5c/0x2e0
  [&lt;ffffffff81210283&gt;] ecryptfs_init_persistent_file+0xa3/0xe0
  [&lt;ffffffff8120e838&gt;] ecryptfs_lookup_and_interpose_lower+0x278/0x380
  [&lt;ffffffff8120f97a&gt;] ecryptfs_lookup+0x12a/0x250
  [&lt;ffffffff8113930a&gt;] real_lookup+0xea/0x160
  [&lt;ffffffff8113afc8&gt;] do_lookup+0xb8/0xf0
  [&lt;ffffffff8113b518&gt;] __link_path_walk+0x518/0x870
  [&lt;ffffffff8113bd9c&gt;] path_walk+0x5c/0xc0
  [&lt;ffffffff8113be5b&gt;] do_path_lookup+0x5b/0xa0
  [&lt;ffffffff8113bfe7&gt;] user_path_at+0x57/0xa0
  [&lt;ffffffff811340dc&gt;] vfs_fstatat+0x3c/0x80
  [&lt;ffffffff8113424b&gt;] vfs_stat+0x1b/0x20
  [&lt;ffffffff81134274&gt;] sys_newstat+0x24/0x50
  [&lt;ffffffff81013132&gt;] system_call_fastpath+0x16/0x1b
  [&lt;ffffffffffffffff&gt;] 0xffffffffffffffff
irq event stamp: 7811
hardirqs last  enabled at (7811): [&lt;ffffffff810c037f&gt;] call_rcu+0x5f/0x90
hardirqs last disabled at (7810): [&lt;ffffffff810c0353&gt;] call_rcu+0x33/0x90
softirqs last  enabled at (3764): [&lt;ffffffff810631da&gt;] __do_softirq+0x14a/0x220
softirqs last disabled at (3751): [&lt;ffffffff8101440c&gt;] call_softirq+0x1c/0x30

other info that might help us debug this:
2 locks held by kswapd0/323:
 #0:  (shrinker_rwsem){++++..}, at: [&lt;ffffffff810f67ed&gt;] shrink_slab+0x3d/0x190
 #1:  (&amp;type-&gt;s_umount_key#35){.+.+..}, at: [&lt;ffffffff811429a1&gt;] prune_dcache+0xd1/0x1b0

stack backtrace:
Pid: 323, comm: kswapd0 Tainted: G         C 2.6.31-2-generic #14~rbd3
Call Trace:
 [&lt;ffffffff8108ad6c&gt;] print_usage_bug+0x18c/0x1a0
 [&lt;ffffffff8108aff0&gt;] ? check_usage_forwards+0x0/0xc0
 [&lt;ffffffff8108bac2&gt;] mark_lock_irq+0xf2/0x280
 [&lt;ffffffff8108bd87&gt;] mark_lock+0x137/0x1d0
 [&lt;ffffffff81164710&gt;] ? fsnotify_clear_marks_by_inode+0x30/0xf0
 [&lt;ffffffff8108bee6&gt;] mark_irqflags+0xc6/0x1a0
 [&lt;ffffffff8108d337&gt;] __lock_acquire+0x287/0x430
 [&lt;ffffffff8108d585&gt;] lock_acquire+0xa5/0x150
 [&lt;ffffffff81210d34&gt;] ? ecryptfs_destroy_inode+0x34/0x100
 [&lt;ffffffff8108d2e7&gt;] ? __lock_acquire+0x237/0x430
 [&lt;ffffffff815526ad&gt;] __mutex_lock_common+0x4d/0x3d0
 [&lt;ffffffff81210d34&gt;] ? ecryptfs_destroy_inode+0x34/0x100
 [&lt;ffffffff81164710&gt;] ? fsnotify_clear_marks_by_inode+0x30/0xf0
 [&lt;ffffffff81210d34&gt;] ? ecryptfs_destroy_inode+0x34/0x100
 [&lt;ffffffff8129a91e&gt;] ? _raw_spin_unlock+0x5e/0xb0
 [&lt;ffffffff81552b36&gt;] mutex_lock_nested+0x46/0x60
 [&lt;ffffffff81210d34&gt;] ecryptfs_destroy_inode+0x34/0x100
 [&lt;ffffffff81145d27&gt;] destroy_inode+0x87/0xd0
 [&lt;ffffffff81146b4c&gt;] generic_delete_inode+0x12c/0x1a0
 [&lt;ffffffff81145832&gt;] iput+0x62/0x70
 [&lt;ffffffff811423c8&gt;] dentry_iput+0x98/0x110
 [&lt;ffffffff81142550&gt;] d_kill+0x50/0x80
 [&lt;ffffffff81142623&gt;] prune_one_dentry+0xa3/0xc0
 [&lt;ffffffff811428b1&gt;] __shrink_dcache_sb+0x271/0x290
 [&lt;ffffffff811429d9&gt;] prune_dcache+0x109/0x1b0
 [&lt;ffffffff81142abf&gt;] shrink_dcache_memory+0x3f/0x50
 [&lt;ffffffff810f68dd&gt;] shrink_slab+0x12d/0x190
 [&lt;ffffffff810f9377&gt;] balance_pgdat+0x4d7/0x640
 [&lt;ffffffff8104c4c0&gt;] ? finish_task_switch+0x40/0x150
 [&lt;ffffffff810f63c0&gt;] ? isolate_pages_global+0x0/0x60
 [&lt;ffffffff810f95f7&gt;] kswapd+0x117/0x170
 [&lt;ffffffff810777a0&gt;] ? autoremove_wake_function+0x0/0x40
 [&lt;ffffffff810f94e0&gt;] ? kswapd+0x0/0x170
 [&lt;ffffffff810773be&gt;] kthread+0x9e/0xb0
 [&lt;ffffffff8101430a&gt;] child_rip+0xa/0x20
 [&lt;ffffffff81013c90&gt;] ? restore_args+0x0/0x30
 [&lt;ffffffff81077320&gt;] ? kthread+0x0/0xb0
 [&lt;ffffffff81014300&gt;] ? child_rip+0x0/0x20

Signed-off-by: Roland Dreier &lt;roland@digitalvampire.org&gt;
Signed-off-by: Tyler Hicks &lt;tyhicks@linux.vnet.ibm.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>eCryptfs: Fix data corruption when using ecryptfs_passthrough</title>
<updated>2009-04-22T08:54:13+00:00</updated>
<author>
<name>Tyler Hicks</name>
<email>tyhicks@linux.vnet.ibm.com</email>
</author>
<published>2009-04-13T20:29:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=13a791b4e63eb0537a7f804a340d6527485983b4'/>
<id>13a791b4e63eb0537a7f804a340d6527485983b4</id>
<content type='text'>
ecryptfs_passthrough is a mount option that allows eCryptfs to allow
data to be written to non-eCryptfs files in the lower filesystem.  The
passthrough option was causing data corruption due to it not always
being treated as a non-eCryptfs file.

The first 8 bytes of an eCryptfs file contains the decrypted file size.
This value was being written to the non-eCryptfs files, too.  Also,
extra 0x00 characters were being written to make the file size a
multiple of PAGE_CACHE_SIZE.

Signed-off-by: Tyler Hicks &lt;tyhicks@linux.vnet.ibm.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
ecryptfs_passthrough is a mount option that allows eCryptfs to allow
data to be written to non-eCryptfs files in the lower filesystem.  The
passthrough option was causing data corruption due to it not always
being treated as a non-eCryptfs file.

The first 8 bytes of an eCryptfs file contains the decrypted file size.
This value was being written to the non-eCryptfs files, too.  Also,
extra 0x00 characters were being written to make the file size a
multiple of PAGE_CACHE_SIZE.

Signed-off-by: Tyler Hicks &lt;tyhicks@linux.vnet.ibm.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>eCryptfs: NULL crypt_stat dereference during lookup</title>
<updated>2009-03-22T18:20:43+00:00</updated>
<author>
<name>Tyler Hicks</name>
<email>tyhicks@linux.vnet.ibm.com</email>
</author>
<published>2009-03-20T07:23:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=2aac0cf88681bfa092f731553bc7fbd23516be73'/>
<id>2aac0cf88681bfa092f731553bc7fbd23516be73</id>
<content type='text'>
If ecryptfs_encrypted_view or ecryptfs_xattr_metadata were being
specified as mount options, a NULL pointer dereference of crypt_stat
was possible during lookup.

This patch moves the crypt_stat assignment into
ecryptfs_lookup_and_interpose_lower(), ensuring that crypt_stat
will not be NULL before we attempt to dereference it.

Thanks to Dan Carpenter and his static analysis tool, smatch, for
finding this bug.

Signed-off-by: Tyler Hicks &lt;tyhicks@linux.vnet.ibm.com&gt;
Acked-by: Dustin Kirkland &lt;kirkland@canonical.com&gt;
Cc: Dan Carpenter &lt;error27@gmail.com&gt;
Cc: Serge Hallyn &lt;serue@us.ibm.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If ecryptfs_encrypted_view or ecryptfs_xattr_metadata were being
specified as mount options, a NULL pointer dereference of crypt_stat
was possible during lookup.

This patch moves the crypt_stat assignment into
ecryptfs_lookup_and_interpose_lower(), ensuring that crypt_stat
will not be NULL before we attempt to dereference it.

Thanks to Dan Carpenter and his static analysis tool, smatch, for
finding this bug.

Signed-off-by: Tyler Hicks &lt;tyhicks@linux.vnet.ibm.com&gt;
Acked-by: Dustin Kirkland &lt;kirkland@canonical.com&gt;
Cc: Dan Carpenter &lt;error27@gmail.com&gt;
Cc: Serge Hallyn &lt;serue@us.ibm.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>eCryptfs: Allocate a variable number of pages for file headers</title>
<updated>2009-03-22T18:20:43+00:00</updated>
<author>
<name>Tyler Hicks</name>
<email>tyhicks@linux.vnet.ibm.com</email>
</author>
<published>2009-03-20T06:25:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=8faece5f906725c10e7a1f6caf84452abadbdc7b'/>
<id>8faece5f906725c10e7a1f6caf84452abadbdc7b</id>
<content type='text'>
When allocating the memory used to store the eCryptfs header contents, a
single, zeroed page was being allocated with get_zeroed_page().
However, the size of an eCryptfs header is either PAGE_CACHE_SIZE or
ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE (8192), whichever is larger, and is
stored in the file's private_data-&gt;crypt_stat-&gt;num_header_bytes_at_front
field.

ecryptfs_write_metadata_to_contents() was using
num_header_bytes_at_front to decide how many bytes should be written to
the lower filesystem for the file header.  Unfortunately, at least 8K
was being written from the page, despite the chance of the single,
zeroed page being smaller than 8K.  This resulted in random areas of
kernel memory being written between the 0x1000 and 0x1FFF bytes offsets
in the eCryptfs file headers if PAGE_SIZE was 4K.

This patch allocates a variable number of pages, calculated with
num_header_bytes_at_front, and passes the number of allocated pages
along to ecryptfs_write_metadata_to_contents().

Thanks to Florian Streibelt for reporting the data leak and working with
me to find the problem.  2.6.28 is the only kernel release with this
vulnerability.  Corresponds to CVE-2009-0787

Signed-off-by: Tyler Hicks &lt;tyhicks@linux.vnet.ibm.com&gt;
Acked-by: Dustin Kirkland &lt;kirkland@canonical.com&gt;
Reviewed-by: Eric Sandeen &lt;sandeen@redhat.com&gt;
Reviewed-by: Eugene Teo &lt;eugeneteo@kernel.sg&gt;
Cc: Greg KH &lt;greg@kroah.com&gt;
Cc: dann frazier &lt;dannf@dannf.org&gt;
Cc: Serge E. Hallyn &lt;serue@us.ibm.com&gt;
Cc: Florian Streibelt &lt;florian@f-streibelt.de&gt;
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When allocating the memory used to store the eCryptfs header contents, a
single, zeroed page was being allocated with get_zeroed_page().
However, the size of an eCryptfs header is either PAGE_CACHE_SIZE or
ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE (8192), whichever is larger, and is
stored in the file's private_data-&gt;crypt_stat-&gt;num_header_bytes_at_front
field.

ecryptfs_write_metadata_to_contents() was using
num_header_bytes_at_front to decide how many bytes should be written to
the lower filesystem for the file header.  Unfortunately, at least 8K
was being written from the page, despite the chance of the single,
zeroed page being smaller than 8K.  This resulted in random areas of
kernel memory being written between the 0x1000 and 0x1FFF bytes offsets
in the eCryptfs file headers if PAGE_SIZE was 4K.

This patch allocates a variable number of pages, calculated with
num_header_bytes_at_front, and passes the number of allocated pages
along to ecryptfs_write_metadata_to_contents().

Thanks to Florian Streibelt for reporting the data leak and working with
me to find the problem.  2.6.28 is the only kernel release with this
vulnerability.  Corresponds to CVE-2009-0787

Signed-off-by: Tyler Hicks &lt;tyhicks@linux.vnet.ibm.com&gt;
Acked-by: Dustin Kirkland &lt;kirkland@canonical.com&gt;
Reviewed-by: Eric Sandeen &lt;sandeen@redhat.com&gt;
Reviewed-by: Eugene Teo &lt;eugeneteo@kernel.sg&gt;
Cc: Greg KH &lt;greg@kroah.com&gt;
Cc: dann frazier &lt;dannf@dannf.org&gt;
Cc: Serge E. Hallyn &lt;serue@us.ibm.com&gt;
Cc: Florian Streibelt &lt;florian@f-streibelt.de&gt;
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>eCryptfs: don't encrypt file key with filename key</title>
<updated>2009-03-14T18:57:22+00:00</updated>
<author>
<name>Tyler Hicks</name>
<email>tyhicks@linux.vnet.ibm.com</email>
</author>
<published>2009-03-13T20:51:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=84814d642a4f1f294bd675ab11aae1ca54c6cedb'/>
<id>84814d642a4f1f294bd675ab11aae1ca54c6cedb</id>
<content type='text'>
eCryptfs has file encryption keys (FEK), file encryption key encryption
keys (FEKEK), and filename encryption keys (FNEK).  The per-file FEK is
encrypted with one or more FEKEKs and stored in the header of the
encrypted file.  I noticed that the FEK is also being encrypted by the
FNEK.  This is a problem if a user wants to use a different FNEK than
their FEKEK, as their file contents will still be accessible with the
FNEK.

This is a minimalistic patch which prevents the FNEKs signatures from
being copied to the inode signatures list.  Ultimately, it keeps the FEK
from being encrypted with a FNEK.

Signed-off-by: Tyler Hicks &lt;tyhicks@linux.vnet.ibm.com&gt;
Cc: Serge Hallyn &lt;serue@us.ibm.com&gt;
Acked-by: Dustin Kirkland &lt;kirkland@canonical.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
eCryptfs has file encryption keys (FEK), file encryption key encryption
keys (FEKEK), and filename encryption keys (FNEK).  The per-file FEK is
encrypted with one or more FEKEKs and stored in the header of the
encrypted file.  I noticed that the FEK is also being encrypted by the
FNEK.  This is a problem if a user wants to use a different FNEK than
their FEKEK, as their file contents will still be accessible with the
FNEK.

This is a minimalistic patch which prevents the FNEKs signatures from
being copied to the inode signatures list.  Ultimately, it keeps the FEK
from being encrypted with a FNEK.

Signed-off-by: Tyler Hicks &lt;tyhicks@linux.vnet.ibm.com&gt;
Cc: Serge Hallyn &lt;serue@us.ibm.com&gt;
Acked-by: Dustin Kirkland &lt;kirkland@canonical.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
