Subject: [PATCH 1/5] mm/fs: don't allow writes to immutable files
From: "Darrick J. Wong"
Date: Tue, 25 Jun 2019 19:33:00 -0700
Message-ID: <156151638036.2283603.8347635093125152699.stgit@magnolia>
From: Darrick J. Wong

The chattr manpage has this to say about immutable files:

"A file with the 'i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be opened in write mode."

Once the flag is set, it is enforced for quite a few file operations, such as fallocate, fpunch, fzero, rm, touch, open, etc. However, we don't check for immutability when doing a write(), a PROT_WRITE mmap(), a truncate(), or a write to a previously established mmap.

If a program has an open write fd to a file that the administrator subsequently marks immutable, the program still can change the file contents. Weird!

The ability to write to an immutable file does not follow the manpage promise that immutable files cannot be modified. Worse yet it's inconsistent with the behavior of other syscalls which don't allow modifications of immutable files.

Therefore, add the necessary checks to make the write, mmap, and truncate behavior consistent with what the manpage says and consistent with other syscalls on filesystems which support IMMUTABLE.

Signed-off-by: Darrick J. Wong
Reviewed-by: Jan Kara
---
fs/attr.c | 13 ++++++------- mm/filemap.c | 3 +++ mm/memory.c | 3 +++ mm/mmap.c | 8 ++++++-- 4 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/fs/attr.c b/fs/attr.c index d22e8187477f..1fcfdcc5b367 100644 --- a/fs/attr.c +++ b/fs/attr.c
@@ -233,19 +233,18 @@ int notify_change(struct dentry * dentry, struct iattr * attr, struct inode **de WARN_ON_ONCE(!inode_is_locked(inode)); - if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | ATTR_TIMES_SET)) { - if (IS_IMMUTABLE(inode) || IS_APPEND(inode)) - return -EPERM; - } + if (IS_IMMUTABLE(inode)) + return -EPERM; + + if ((ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | ATTR_TIMES_SET)) && + IS_APPEND(inode)) + return -EPERM; /* * If utimes(2) and friends are called with times == NULL (or both * times are UTIME_NOW), then we need to check for write permission */ if (ia_valid & ATTR_TOUCH) { - if (IS_IMMUTABLE(inode)) - return -EPERM; - if (!inode_owner_or_capable(inode)) { error = inode_permission(inode, MAY_WRITE); if (error) diff --git a/mm/filemap.c b/mm/filemap.c index aac71aef4c61..dad85e10f5f8 100644 --- a/mm/filemap.c +++ b/mm/filemap.c @@ -2935,6 +2935,9 @@ inline ssize_t generic_write_checks(struct kiocb *iocb, struct iov_iter *from) loff_t count; int ret; + if (IS_IMMUTABLE(inode)) + return -EPERM; + if (!iov_iter_count(from)) return 0; diff --git a/mm/memory.c b/mm/memory.c index ddf20bd0c317..4311cfdade90 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -2235,6 +2235,9 @@ static vm_fault_t do_page_mkwrite(struct vm_fault *vmf) vmf->flags = FAULT_FLAG_WRITE|FAULT_FLAG_MKWRITE; + if (vmf->vma->vm_file && IS_IMMUTABLE(file_inode(vmf->vma->vm_file))) + return VM_FAULT_SIGBUS; + ret = vmf->vma->vm_ops->page_mkwrite(vmf); /* Restore original flags so that caller is not surprised */ vmf->flags = old_flags; diff --git a/mm/mmap.c b/mm/mmap.c index 7e8c3e8ae75f..ac1e32205237 100644 --- a/mm/mmap.c +++ b/mm/mmap.c 
@@ -1483,8 +1483,12 @@ unsigned long do_mmap(struct file *file, unsigned long addr, case MAP_SHARED_VALIDATE: if (flags & ~flags_mask) return -EOPNOTSUPP; - if ((prot&PROT_WRITE) && !(file->f_mode&FMODE_WRITE)) - return -EACCES; + if (prot & PROT_WRITE) { + if (!(file->f_mode & FMODE_WRITE)) + return -EACCES; + if (IS_IMMUTABLE(file_inode(file))) + return -EPERM; + } /* * Make sure we don't allow writing to an append-only
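Review bot: in the mm/memory.c hunk, the early "return VM_FAULT_SIGBUS;" in do_page_mkwrite() comes after vmf->flags has been overwritten with FAULT_FLAG_WRITE|FAULT_FLAG_MKWRITE and before the "vmf->flags = old_flags;" restore that the existing comment says the caller relies on. Move the immutable check above the flags assignment, or restore old_flags before returning.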
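Review bot: in the mm/filemap.c hunk, the IS_IMMUTABLE() check in generic_write_checks() sits above the existing "if (!iov_iter_count(from)) return 0;" test, so a zero-length write to an immutable file changes from returning 0 to returning -EPERM. If that is intended, say so in the commit message; if not, move the new check below the zero-count return.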
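Review bot: in the fs/attr.c hunk, the new IS_IMMUTABLE(inode) test in notify_change() no longer looks at ia_valid, so every attribute change on an immutable inode now fails with -EPERM, not only the ATTR_MODE | ATTR_UID | ATTR_GID | ATTR_TIMES_SET and ATTR_TOUCH cases the removed lines covered. The commit message names truncate() as the motivation; a short comment above the check saying the blanket rejection is deliberate would keep a later reader from narrowing it back to a bit mask.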
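Review bot: in the mm/mmap.c hunk, the immutable test runs only inside the "case MAP_SHARED_VALIDATE:" block and only at mmap() time, so a mapping created before the flag was set depends entirely on the do_page_mkwrite() check added in mm/memory.c. The append-only check just below carries a comment; add one here stating that pairing, so the two checks are not changed independently of each other.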
Subject: [PATCH 2/5] vfs: flush and wait for io when setting the immutable flag via SETFLAGS
From: "Darrick J. Wong"
Date: Tue, 25 Jun 2019 19:33:08 -0700
Message-ID: <156151638826.2283603.17232416684567376466.stgit@magnolia>
From: Darrick J. Wong

When we're using FS_IOC_SETFLAGS to set the immutable flag on a file, we need to ensure that userspace can't continue to write the file after the file becomes immutable. To make that happen, we have to flush all the dirty pagecache pages to disk to ensure that we can fail a page fault on a mmap'd region, wait for pending directio to complete, and hope the caller locked out any new writes by holding the inode lock.

Signed-off-by: Darrick J. Wong
---
fs/inode.c | 21 +++++++++++++++++++-- include/linux/fs.h | 11 +++++++++++ 2 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/fs/inode.c b/fs/inode.c index f08711b34341..65a412af3ffb 100644 --- a/fs/inode.c +++ b/fs/inode.c @@ -2193,7 +2193,8 @@ EXPORT_SYMBOL(current_time); /* * Generic function to check FS_IOC_SETFLAGS values and reject any invalid - * configurations. + * configurations. Once we're done, prepare the inode for whatever changes + * are coming down the pipeline. * * Note: the caller should be holding i_mutex, or else be sure that they have * exclusive access to the inode structure. @@ -2201,6 +2202,8 @@ EXPORT_SYMBOL(current_time); int vfs_ioc_setflags_prepare(struct inode *inode, unsigned int oldflags, unsigned int flags) { + int ret; + /* * The IMMUTABLE and APPEND_ONLY flags can only be changed by * the relevant capability.
@@ -2211,7 +2214,21 @@ int vfs_ioc_setflags_prepare(struct inode *inode, unsigned int oldflags, !capable(CAP_LINUX_IMMUTABLE)) return -EPERM; - return 0; + /* + * Now that we're done checking the new flags, flush all pending IO and + * dirty mappings before setting S_IMMUTABLE on an inode via + * FS_IOC_SETFLAGS. If the flush fails we'll clear the flag before + * returning error. + */ + if (!S_ISREG(inode->i_mode) || IS_IMMUTABLE(inode) || + !(flags & FS_IMMUTABLE_FL)) + return 0; + + inode_set_flags(inode, S_IMMUTABLE, S_IMMUTABLE); + ret = inode_drain_writes(inode); + if (ret) + inode_set_flags(inode, 0, S_IMMUTABLE); + return ret; } EXPORT_SYMBOL(vfs_ioc_setflags_prepare); diff --git a/include/linux/fs.h b/include/linux/fs.h index 48322bfd7299..51266c9dbadc 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h 
@@ -3561,4 +3561,15 @@ int vfs_ioc_setflags_prepare(struct inode *inode, unsigned int oldflags, int vfs_ioc_fssetxattr_check(struct inode *inode, const struct fsxattr *old_fa, struct fsxattr *fa); +/* + * Flush file data before changing attributes. Caller must hold any locks + * required to prevent further writes to this file until we're done setting + * flags. + */ +static inline int inode_drain_writes(struct inode *inode) +{ + inode_dio_wait(inode); + return filemap_write_and_wait(inode->i_mapping); +} + #endif /* _LINUX_FS_H */
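Review bot: in the last fs/inode.c hunk, vfs_ioc_setflags_prepare() sets S_IMMUTABLE on the in-core inode itself and clears it only when inode_drain_writes() fails, so on a 0 return the flag is already set and a caller whose own flag update fails afterwards is left with an in-core immutable inode unless it clears the bit. The header comment should state that side effect and the caller's cleanup duty, or the function should report whether it set the flag.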
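Review bot: in the include/linux/fs.h hunk, inode_drain_writes() is only correct if the caller has already blocked new writes, but that requirement lives in the comment alone, and the commit message itself says we "hope" the caller did so. Name the lock the helper expects and, where the callers allow it, assert it; the notify_change() context in patch 1 already uses WARN_ON_ONCE(!inode_is_locked(inode)) for the same kind of precondition.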
Subject: [PATCH 3/5] vfs: flush and wait for io when setting the immutable flag via FSSETXATTR
From: "Darrick J. Wong"
Date: Tue, 25 Jun 2019 19:33:16 -0700
Message-ID: <156151639615.2283603.2028690322950797383.stgit@magnolia>
From: Darrick J. Wong When we're using FS_IOC_FSSETXATTR to set the immutable flag on a file, we need to ensure that userspace can't continue to write the file after the file becomes immutable. To make that happen, we have to flush all the dirty pagecache pages to disk to ensure that we can fail a page fault on a mmap'd region, wait for pending directio to complete, and hope the caller locked out any new writes by holding the inode lock. XFS has more complex locking than other FSSETXATTR implementations so we have to keep the checking and preparation code in different functions. Signed-off-by: Darrick J. Wong --- fs/btrfs/ioctl.c | 2 + fs/ext4/ioctl.c | 2 + fs/f2fs/file.c | 2 + fs/inode.c | 31 +++++++++++++++++++++++ fs/xfs/xfs_ioctl.c | 71 +++++++++++++++++++++++++++++++++++++++------------- include/linux/fs.h | 3 ++ 6 files changed, 90 insertions(+), 21 deletions(-) diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c index 0f5af7c5f66b..bbd6d908900e 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c @@ -423,7 +423,7 @@ static int btrfs_ioctl_fssetxattr(struct file *file, void __user *arg) old_flags = binode->flags; old_i_flags = inode->i_flags; - ret = vfs_ioc_fssetxattr_check(inode, &old_fa, &fa); + ret = vfs_ioc_fssetxattr_prepare(inode, &old_fa, &fa); if (ret) goto out_unlock; diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c index 1e88c3af9a8d..146587c3fe8e 100644 --- a/fs/ext4/ioctl.c +++ b/fs/ext4/ioctl.c @@ -1109,7 +1109,7 @@ long ext4_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) inode_lock(inode); ext4_fill_fsxattr(inode, &old_fa); - err = vfs_ioc_fssetxattr_check(inode, &old_fa, &fa); + err = vfs_ioc_fssetxattr_prepare(inode, &old_fa, &fa); if (err) goto out; flags = (ei->i_flags & ~EXT4_FL_XFLAG_VISIBLE) | diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c index d6ed319388d6..af0fc040a15c 100644 --- a/fs/f2fs/file.c +++ b/fs/f2fs/file.c 
@@ -2826,7 +2826,7 @@ static int f2fs_ioc_fssetxattr(struct file *filp, unsigned long arg) inode_lock(inode); f2fs_fill_fsxattr(inode, &old_fa); - err = vfs_ioc_fssetxattr_check(inode, &old_fa, &fa); + err = vfs_ioc_fssetxattr_prepare(inode, &old_fa, &fa); if (err) goto out; flags = (fi->i_flags & ~F2FS_FL_XFLAG_VISIBLE) | diff --git a/fs/inode.c b/fs/inode.c index 65a412af3ffb..cf07378e5731 100644 --- a/fs/inode.c +++ b/fs/inode.c @@ -2293,3 +2293,34 @@ int vfs_ioc_fssetxattr_check(struct inode *inode, const struct fsxattr *old_fa, return 0; } EXPORT_SYMBOL(vfs_ioc_fssetxattr_check); + +/* + * Generic function to check FS_IOC_FSSETXATTR values and reject any invalid + * configurations. If none are found, flush all pending IO and dirty mappings + * before setting S_IMMUTABLE on an inode. If the flush fails we'll clear the + * flag before returning error. + * + * Note: the caller must hold whatever locks are necessary to block any other + * threads from starting a write to the file. + */ +int vfs_ioc_fssetxattr_prepare(struct inode *inode, + const struct fsxattr *old_fa, + struct fsxattr *fa) +{ + int ret; + + ret = vfs_ioc_fssetxattr_check(inode, old_fa, fa); + if (ret) + return ret; + + if (!S_ISREG(inode->i_mode) || IS_IMMUTABLE(inode) || + !(fa->fsx_xflags & FS_XFLAG_IMMUTABLE)) + return 0; + + inode_set_flags(inode, S_IMMUTABLE, S_IMMUTABLE); + ret = inode_drain_writes(inode); + if (ret) + inode_set_flags(inode, 0, S_IMMUTABLE); + return ret; +} +EXPORT_SYMBOL(vfs_ioc_fssetxattr_prepare); diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c index 011657bd50ca..723550c8a2e4 100644 --- a/fs/xfs/xfs_ioctl.c +++ b/fs/xfs/xfs_ioctl.c 
@@ -1058,6 +1058,30 @@ xfs_ioctl_setattr_xflags( return 0; } +/* + * If we're setting immutable on a regular file, we need to prevent new writes. + * Once we've done that, we must wait for all the other writes to complete. + * + * The caller must use @join_flags to release the locks which are held on @ip + * regardless of return value. + */ +static int +xfs_ioctl_setattr_drain_writes( + struct xfs_inode *ip, + const struct fsxattr *fa, + int *join_flags) +{ + struct inode *inode = VFS_I(ip); + + if (!S_ISREG(inode->i_mode) || !(fa->fsx_xflags & FS_XFLAG_IMMUTABLE)) + return 0; + + *join_flags = XFS_IOLOCK_EXCL | XFS_MMAPLOCK_EXCL; + xfs_ilock(ip, *join_flags); + + return inode_drain_writes(inode); +} + /* * If we are changing DAX flags, we have to ensure the file is clean and any * cached objects in the address space are invalidated and removed. This @@ -1065,6 +1089,9 @@ xfs_ioctl_setattr_xflags( * operation. The locks need to be held until the transaction has been committed * so that the cache invalidation is atomic with respect to the DAX flag * manipulation. + * + * The caller must use @join_flags to release the locks which are held on @ip + * regardless of return value. */ static int xfs_ioctl_setattr_dax_invalidate( @@ -1076,8 +1103,6 @@ xfs_ioctl_setattr_dax_invalidate( struct super_block *sb = inode->i_sb; int error; - *join_flags = 0; - /* * It is only valid to set the DAX flag on regular files and * directories on filesystems where the block size is equal to the page 
@@ -1103,21 +1128,15 @@ xfs_ioctl_setattr_dax_invalidate( return 0; /* lock, flush and invalidate mapping in preparation for flag change */ - xfs_ilock(ip, XFS_MMAPLOCK_EXCL | XFS_IOLOCK_EXCL); - error = filemap_write_and_wait(inode->i_mapping); - if (error) - goto out_unlock; - error = invalidate_inode_pages2(inode->i_mapping); - if (error) - goto out_unlock; - - *join_flags = XFS_MMAPLOCK_EXCL | XFS_IOLOCK_EXCL; - return 0; - -out_unlock: - xfs_iunlock(ip, XFS_MMAPLOCK_EXCL | XFS_IOLOCK_EXCL); - return error; + if (*join_flags == 0) { + *join_flags = XFS_MMAPLOCK_EXCL | XFS_IOLOCK_EXCL; + xfs_ilock(ip, *join_flags); + error = filemap_write_and_wait(inode->i_mapping); + if (error) + return error; + } + return invalidate_inode_pages2(inode->i_mapping); } /* @@ -1326,6 +1345,12 @@ xfs_ioctl_setattr( return code; } + code = xfs_ioctl_setattr_drain_writes(ip, fa, &join_flags); + if (code) { + xfs_iunlock(ip, join_flags); + goto error_free_dquots; + } + /* * Changing DAX config may require inode locking for mapping * invalidation. These need to be held all the way to transaction commit @@ -1334,8 +1359,10 @@ xfs_ioctl_setattr( * appropriately. */ code = xfs_ioctl_setattr_dax_invalidate(ip, fa, &join_flags); - if (code) + if (code) { + xfs_iunlock(ip, join_flags); goto error_free_dquots; + } tp = xfs_ioctl_setattr_get_trans(ip, join_flags); if (IS_ERR(tp)) { @@ -1485,6 +1512,12 @@ xfs_ioc_setxflags( if (error) return error; + error = xfs_ioctl_setattr_drain_writes(ip, &fa, &join_flags); + if (error) { + xfs_iunlock(ip, join_flags); + goto out_drop_write; + } + /* * Changing DAX config may require inode locking for mapping * invalidation. These need to be held all the way to transaction commit @@ -1493,8 +1526,10 @@ xfs_ioc_setxflags( * appropriately. */ error = xfs_ioctl_setattr_dax_invalidate(ip, &fa, &join_flags); - if (error) + if (error) { + xfs_iunlock(ip, join_flags); goto out_drop_write; + } tp = xfs_ioctl_setattr_get_trans(ip, join_flags); if (IS_ERR(tp)) { 
diff --git a/include/linux/fs.h b/include/linux/fs.h index 51266c9dbadc..675ce9743bc1 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h 
@@ -3560,6 +3560,9 @@ int vfs_ioc_setflags_prepare(struct inode *inode, unsigned int oldflags, int vfs_ioc_fssetxattr_check(struct inode *inode, const struct fsxattr *old_fa, struct fsxattr *fa); +int vfs_ioc_fssetxattr_prepare(struct inode *inode, + const struct fsxattr *old_fa, + struct fsxattr *fa); /* * Flush file data before changing attributes. Caller must hold any locks
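
Review bot: in fs/inode.c of [PATCH 3/5], vfs_ioc_fssetxattr_prepare() leaves S_IMMUTABLE set on the in-core inode when it returns 0, and only the inode_drain_writes() failure is rolled back. The ext4 and f2fs call sites shown carry on computing flags after the call, so if a caller fails later the inode stays immutable in memory without a matching on-disk flag. Either state in the function comment that callers must clear S_IMMUTABLE on their own error paths, or give them a helper for it. The locking requirement in the comment could also be checked instead of hoped for, e.g. `WARN_ON_ONCE(!inode_is_locked(inode))`, since the ext4 and f2fs callers take inode_lock() first.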
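
Review bot: in fs/xfs/xfs_ioctl.c of [PATCH 3/5], dropping `*join_flags = 0;` from xfs_ioctl_setattr_dax_invalidate() moves the initialisation duty to the callers, and xfs_ioctl_setattr_drain_writes() does not write *join_flags on its early `return 0`. The new `if (*join_flags == 0)` test and the new xfs_iunlock(ip, join_flags) error paths therefore depend on xfs_ioctl_setattr() and xfs_ioc_setxflags() declaring join_flags as 0, which these hunks do not show. Please confirm that, or zero it at the top of xfs_ioctl_setattr_drain_writes(). Unlike vfs_ioc_fssetxattr_prepare(), the XFS helper also has no IS_IMMUTABLE() short-circuit, so it locks and drains even when the file is already immutable.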
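
Review bot: in the xfs_ioctl_setattr() and xfs_ioc_setxflags() hunks of [PATCH 3/5], the error paths now call xfs_iunlock(ip, join_flags) unconditionally, yet xfs_ioctl_setattr_dax_invalidate() can return before it takes any lock (the DAX validity checks described in its comment come before xfs_ilock()), which leaves join_flags at 0. Guard the call with `if (join_flags)` unless xfs_iunlock() is known to accept an empty flag set.
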
From patchwork Wed Jun 26 02:33:24 2019
X-Patchwork-Submitter: "Darrick J. Wong"
X-Patchwork-Id: 11016825
Subject: [PATCH 4/5] vfs: don't allow most setxattr to immutable files
From: "Darrick J. Wong"
Date: Tue, 25 Jun 2019 19:33:24 -0700
Message-ID: <156151640402.2283603.11025968584452701508.stgit@magnolia>
In-Reply-To: <156151637248.2283603.8458727861336380714.stgit@magnolia>
References: <156151637248.2283603.8458727861336380714.stgit@magnolia>

From: Darrick J. Wong The chattr manpage has this to say about immutable files: "A file with the 'i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be opened in write mode." However, we don't actually check the immutable flag in the setattr code, which means that we can update inode flags and project ids and extent size hints on supposedly immutable files. Therefore, reject setflags and fssetxattr calls on an immutable file if the file is immutable and will remain that way. Signed-off-by: Darrick J. Wong --- fs/inode.c | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/fs/inode.c b/fs/inode.c index cf07378e5731..4261c709e50e 100644 --- a/fs/inode.c +++ b/fs/inode.c @@ -2214,6 +2214,14 @@ int vfs_ioc_setflags_prepare(struct inode *inode, unsigned int oldflags, !capable(CAP_LINUX_IMMUTABLE)) return -EPERM; + /* + * We aren't allowed to change any other flags if the immutable flag is + * already set and is not being unset. + */ + if ((oldflags & FS_IMMUTABLE_FL) && (flags & FS_IMMUTABLE_FL) && + oldflags != flags) + return -EPERM; + /* * Now that we're done checking the new flags, flush all pending IO and * dirty mappings before setting S_IMMUTABLE on an inode via 
@@ -2284,6 +2292,25 @@ int vfs_ioc_fssetxattr_check(struct inode *inode, const struct fsxattr *old_fa, !(S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode))) return -EINVAL; + /* + * We aren't allowed to change any fields if the immutable flag is + * already set and is not being unset. + */ + if ((old_fa->fsx_xflags & FS_XFLAG_IMMUTABLE) && + (fa->fsx_xflags & FS_XFLAG_IMMUTABLE)) { + if (old_fa->fsx_xflags != fa->fsx_xflags) + return -EPERM; + if (old_fa->fsx_projid != fa->fsx_projid) + return -EPERM; + if ((fa->fsx_xflags & (FS_XFLAG_EXTSIZE | + FS_XFLAG_EXTSZINHERIT)) && + old_fa->fsx_extsize != fa->fsx_extsize) + return -EPERM; + if ((old_fa->fsx_xflags & FS_XFLAG_COWEXTSIZE) && + old_fa->fsx_cowextsize != fa->fsx_cowextsize) + return -EPERM; + } + /* Extent size hints of zero turn off the flags. */ if (fa->fsx_extsize == 0) fa->fsx_xflags &= ~(FS_XFLAG_EXTSIZE | FS_XFLAG_EXTSZINHERIT);
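
Review bot: in the vfs_ioc_setflags_prepare() hunk of [PATCH 4/5], `oldflags != flags` compares the two words bit for bit, so the check is only correct if every caller passes both values in the same FS_*_FL representation and masked to the same set of bits. A caller that passes a filtered `flags` against an unfiltered `oldflags` would get -EPERM for a no-op request on an immutable file; state the requirement in the function comment. The user-visible change (an FS_IOC_SETFLAGS call that used to succeed now fails with -EPERM) also deserves a line in the commit message.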
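
Review bot: in the vfs_ioc_fssetxattr_check() hunk of [PATCH 4/5], the extent size test keys on the new flags (`fa->fsx_xflags & (FS_XFLAG_EXTSIZE | FS_XFLAG_EXTSZINHERIT)`) while the CoW extent size test keys on the old ones (`old_fa->fsx_xflags & FS_XFLAG_COWEXTSIZE`). The two are equal at that point because of the fsx_xflags comparison just above, so behaviour is the same, but pick one and use it for both. Note also that fsx_extsize and fsx_cowextsize may still change when the corresponding flag is clear; if that is intended because the value is ignored without the flag, say so in the comment.
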
From patchwork Wed Jun 26 02:33:31 2019
X-Patchwork-Submitter: "Darrick J. Wong"
X-Patchwork-Id: 11016883
Subject: [PATCH 5/5] vfs: don't allow writes to swap files
From: "Darrick J. Wong"
Date: Tue, 25 Jun 2019 19:33:31 -0700
Message-ID: <156151641177.2283603.7806026378321236401.stgit@magnolia>
In-Reply-To: <156151637248.2283603.8458727861336380714.stgit@magnolia>
References: <156151637248.2283603.8458727861336380714.stgit@magnolia>

From: Darrick J. Wong

Don't let userspace write to an active swap file because the kernel effectively has a long term lease on the storage and things could get seriously corrupted if we let this happen.

Signed-off-by: Darrick J. Wong --- fs/attr.c | 3 +++ mm/filemap.c | 3 +++ mm/memory.c | 4 +++- mm/mmap.c | 2 ++ mm/swapfile.c | 15 +++++++++++++-- 5 files changed, 24 insertions(+), 3 deletions(-) diff --git a/fs/attr.c b/fs/attr.c index 1fcfdcc5b367..42f4d4fb0631 100644 --- a/fs/attr.c +++ b/fs/attr.c @@ -236,6 +236,9 @@ int notify_change(struct dentry * dentry, struct iattr * attr, struct inode **de if (IS_IMMUTABLE(inode)) return -EPERM; + if (IS_SWAPFILE(inode)) + return -ETXTBSY; + if ((ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | ATTR_TIMES_SET)) && IS_APPEND(inode)) return -EPERM; diff --git a/mm/filemap.c b/mm/filemap.c index dad85e10f5f8..fd80bc20e30a 100644 --- a/mm/filemap.c +++ b/mm/filemap.c @@ -2938,6 +2938,9 @@ inline ssize_t generic_write_checks(struct kiocb *iocb, struct iov_iter *from) if (IS_IMMUTABLE(inode)) return -EPERM; + if (IS_SWAPFILE(inode)) + return -ETXTBSY; + if (!iov_iter_count(from)) return 0; diff --git a/mm/memory.c b/mm/memory.c index 4311cfdade90..c04c6a689995 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -2235,7 +2235,9 @@ static vm_fault_t do_page_mkwrite(struct vm_fault *vmf) vmf->flags = FAULT_FLAG_WRITE|FAULT_FLAG_MKWRITE; - if (vmf->vma->vm_file && IS_IMMUTABLE(file_inode(vmf->vma->vm_file))) + if (vmf->vma->vm_file && + (IS_IMMUTABLE(file_inode(vmf->vma->vm_file)) || + IS_SWAPFILE(file_inode(vmf->vma->vm_file)))) return VM_FAULT_SIGBUS; ret = vmf->vma->vm_ops->page_mkwrite(vmf); diff --git a/mm/mmap.c b/mm/mmap.c index ac1e32205237..031807339869 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -1488,6 +1488,8 @@ unsigned long do_mmap(struct file *file, unsigned long addr, return -EACCES; if (IS_IMMUTABLE(file_inode(file))) return -EPERM; + if (IS_SWAPFILE(file_inode(file))) + return -ETXTBSY; } /* diff --git a/mm/swapfile.c b/mm/swapfile.c index 596ac98051c5..1ca4ee8c2d60 100644 --- a/mm/swapfile.c +++ b/mm/swapfile.c 
@@ -3165,6 +3165,19 @@ SYSCALL_DEFINE2(swapon, const char __user *, specialfile, int, swap_flags) if (error) goto bad_swap; + /* + * Flush any pending IO and dirty mappings before we start using this + * swap file. + */ + if (S_ISREG(inode->i_mode)) { + inode->i_flags |= S_SWAPFILE; + error = inode_drain_writes(inode); + if (error) { + inode->i_flags &= ~S_SWAPFILE; + goto bad_swap; + } + } + mutex_lock(&swapon_mutex); prio = -1; if (swap_flags & SWAP_FLAG_PREFER) @@ -3185,8 +3198,6 @@ SYSCALL_DEFINE2(swapon, const char __user *, specialfile, int, swap_flags) atomic_inc(&proc_poll_event); wake_up_interruptible(&proc_poll_wait); - if (S_ISREG(inode->i_mode)) - inode->i_flags |= S_SWAPFILE; error = 0; goto out; bad_swap:
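
Review bot: in the fs/attr.c hunk of [PATCH 5/5], the IS_SWAPFILE() check in notify_change() is, as far as the context shows, not conditional on ia_valid, so it rejects every attribute change on an active swap file, including mode, owner and timestamp updates, while the commit message only talks about writes. If the goal is to stop size changes, limit it to ATTR_SIZE; if the broader block is intended, say so in the commit message.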
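
Review bot: in the do_page_mkwrite() hunk of [PATCH 5/5], the condition now evaluates file_inode(vmf->vma->vm_file) twice inside a three-line expression; a local `struct inode *inode` assigned once would read better. A short comment on why a write fault on an already-mapped swap file returns VM_FAULT_SIGBUS would help too, since it differs from the -ETXTBSY used by the other checks in this patch.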
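
Review bot: in the swapon() hunks of [PATCH 5/5], S_SWAPFILE is now set before mutex_lock(&swapon_mutex) instead of immediately before `error = 0; goto out;`, and only the inode_drain_writes() failure clears it. Check that no `goto bad_swap` remains between the new block and the old location, or have bad_swap clear the flag; otherwise a failed swapon leaves a regular file that rejects writes with -ETXTBSY. The plain `inode->i_flags |= S_SWAPFILE` also differs from patch 3/5, which goes through inode_set_flags(); use the same helper unless the inode lock is held here.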