Pull f2fs update from Jaegeuk Kim:

"In this round, we've mainly focused on performance tuning and critical
bug fixes occurred in low-end devices. Sheng Yong introduced
lost_found feature to keep missing files during recovery instead of
thrashing them. We're preparing coming fsverity implementation. And,
we've got more features to communicate with users for better
performance. In low-end devices, some memory-related issues were
fixed, and subtle race conditions and corner cases were addressed as
well.

Enhancements:
- large nat bitmaps for more free node ids
- add three block allocation policies to pass down write hints given by user
- expose extension list to user and introduce hot file extension
- tune small devices seamlessly for low-end devices
- set readdir_ra by default
- give more resources under gc_urgent mode regarding to discard and cleaning
- introduce fsync_mode to enforce posix or not
- nowait aio support
- add lost_found feature to keep dangling inodes
- reserve bits for future fsverity feature
- add test_dummy_encryption for FBE

Bug fixes:
- don't use highmem for dentry pages
- align memory boundary for bitops
- truncate preallocated blocks in write errors
- guarantee i_times on fsync call
- clear CP_TRIMMED_FLAG correctly
- prevent node chain loop during recovery
- avoid data race between atomic write and background cleaning
- avoid unnecessary selinux violation warnings on resgid option
- GFP_NOFS to avoid deadlock in quota and read paths
- fix f2fs_skip_inode_update to allow i_size recovery

In addition to the above, there are several minor bug fixes and clean-ups"

Cherry-pick from origin/upstream-f2fs-stable-linux-4.4.y:
42bf67fc543b f2fs: remain written times to update inode during fsync
6cb5aa02bfbd f2fs: make assignment of t->dentry_bitmap more readable
a8d07f1f9c62 f2fs: truncate preallocated blocks in error case
86444d600692 f2fs: fix a wrong condition in f2fs_skip_inode_update
db2188a68704 f2fs: reserve bits for fs-verity
ee2e74b3f00e f2fs: Add a segment type check in inplace write
0192e0a4502f f2fs: no need to initialize zero value for GFP_F2FS_ZERO
49338842e9b2 f2fs: don't track new nat entry in nat set
d6a69d5e6568 f2fs: clean up with F2FS_BLK_ALIGN
2c8834a7a2c9 f2fs: check blkaddr more accuratly before issue a bio
6ab573a9d96f f2fs: Set GF_NOFS in read_cache_page_gfp while doing f2fs_quota_read
7419dcb8be02 f2fs: introduce a new mount option test_dummy_encryption
9321e22c038c f2fs: introduce F2FS_FEATURE_LOST_FOUND feature
8a5719615847 f2fs: release locks before return in f2fs_ioc_gc_range()
739ace131cdf f2fs: align memory boundary for bitops
4c55abe4f8d2 f2fs: remove unneeded set_cold_node()
30654507e0a2 f2fs: add nowait aio support
d909e9410634 f2fs: wrap all options with f2fs_sb_info.mount_opt
5738be52b3e8 f2fs: Don't overwrite all types of node to keep node chain
0bdeb167c843 f2fs: introduce mount option for fsync mode
6bc490f0eedc f2fs: fix to restore old mount option in ->remount_fs
0c9c3e034410 f2fs: wrap sb_rdonly with f2fs_readonly
6c6611223a79 f2fs: avoid selinux denial on CAP_SYS_RESOURCE
076a6f32fe5d f2fs: support hot file extension
58edcdbca67a f2fs: fix to avoid race in between atomic write and background GC
1e0aeb0af9ed f2fs: do gc in greedy mode for whole range if gc_urgent mode is set
10b2d001d6ac f2fs: issue discard aggressively in the gc_urgent mode
a5052f32b940 f2fs: set readdir_ra by default
1aa536a624cc f2fs: add auto tuning for small devices
0ffdffc8f106 f2fs: add mount option for segment allocation policy
b79829891249 f2fs: don't stop GC if GC is contended
766d2321697f f2fs: expose extension_list sysfs entry
98b329de5026 f2fs: fix to set KEEP_SIZE bit in f2fs_zero_range
4d409fa3346b f2fs: introduce sb_lock to make encrypt pwsalt update exclusive
1f6bac14c100 f2fs: remove redundant initialization of pointer 'p'
946aefc7545d f2fs: flush cp pack except cp pack 2 page at first
e5081a52ac09 f2fs: clean up f2fs_sb_has_xxx functions
a292477154b5 f2fs: remove redundant check of page type when submit bio
190e64a819df f2fs: fix to handle looped node chain during recovery
889d98087652 f2fs: handle quota for orphan inodes
92b12bb1a23e f2fs: support passing down write hints to block layer with F2FS policy
22fa74c2b097 f2fs: support passing down write hints given by users to block layer
180900373ec1 f2fs: fix to clear CP_TRIMMED_FLAG
0671fae134bb f2fs: support large nat bitmap
eceb943d5d59 f2fs: fix to check extent cache in f2fs_drop_extent_tree
2e2a339c9853 f2fs: restrict inline_xattr_size configuration
41dda1164137 f2fs: fix heap mode to reset it back
39575737bb62 f2fs: fix potential corruption in area before F2FS_SUPER_OFFSET
7e0e7995ee97 fscrypt: fix build with pre-4.6 gcc versions
31d3279a4fca fscrypt: fix up fscrypt_fname_encrypted_size() for internal use
82bec888567b fscrypt: define fscrypt_fname_alloc_buffer() to be for presented names
168a90782888 fscrypt: calculate NUL-padding length in one place only
042ae9f4cfbf fscrypt: move fscrypt_symlink_data to fscrypt_private.h
f9550c24c20e fscrypt: remove fscrypt_fname_usr_to_disk()
7ac4756a2474 f2fs: switch to fscrypt_get_symlink()
6b76f58e24bd f2fs: switch to fscrypt ->symlink() helper functions
fd457d2c4e04 fscrypt: new helper function - fscrypt_get_symlink()
a1cdacb7ae0d fscrypt: new helper functions for ->symlink()
7f43602f4d10 fscrypt: trim down fscrypt.h includes
d9cadc11bdcf fscrypt: move fscrypt_is_dot_dotdot() to fs/crypto/fname.c
e6fe930580cb fscrypt: move fscrypt_valid_enc_modes() to fscrypt_private.h
efefa434f47e fscrypt: move fscrypt_operations declaration to fscrypt_supp.h
7ed178bc8ae9 fscrypt: split fscrypt_dummy_context_enabled() into supp/notsupp versions
3f16e09dadfb fscrypt: move fscrypt_ctx declaration to fscrypt_supp.h
8216a0b51a3b fscrypt: move fscrypt_info_cachep declaration to fscrypt_private.h
dfe0b3b1b67f fscrypt: move fscrypt_control_page() to supp/notsupp headers
3a2c79177822 fscrypt: move fscrypt_has_encryption_key() to supp/notsupp headers
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
If two processes share a common memory region, they usually want some
guarantees to allow safe access. This often includes:

- one side cannot overwrite data while the other reads it
- one side cannot shrink the buffer while the other accesses it
- one side cannot grow the buffer beyond previously set boundaries

If there is a trust-relationship between both parties, there is no need
for policy enforcement. However, if there's no trust relationship (e.g.,
for general-purpose IPC) sharing memory-regions is highly fragile and
often not possible without local copies. Look at the following two
use-cases:

1) A graphics client wants to share its rendering-buffer with a
graphics-server. The memory-region is allocated by the client for
read/write access and a second FD is passed to the server. While
scanning out from the memory region, the server has no guarantee that
the client doesn't shrink the buffer at any time, requiring rather
cumbersome SIGBUS handling.

2) A process wants to perform an RPC on another process. To avoid huge
bandwidth consumption, zero-copy is preferred. After a message is
assembled in-memory and a FD is passed to the remote side, both sides
want to be sure that neither modifies this shared copy, anymore. The
source may have put sensible data into the message without a separate
copy and the target may want to parse the message inline, to avoid a
local copy.

While SIGBUS handling, POSIX mandatory locking and MAP_DENYWRITE provide
ways to achieve most of this, the first one is unproportionally ugly to
use in libraries and the latter two are broken/racy or even disabled due
to denial of service attacks.

This patch introduces the concept of SEALING. If you seal a file, a
specific set of operations is blocked on that file forever. Unlike locks,
seals can only be set, never removed. Hence, once you verified a specific
set of seals is set, you're guaranteed that no-one can perform the blocked
operations on this file, anymore.

An initial set of SEALS is introduced by this patch:

- SHRINK: If SEAL_SHRINK is set, the file in question cannot be reduced
in size. This affects ftruncate() and open(O_TRUNC).
- GROW: If SEAL_GROW is set, the file in question cannot be increased
in size. This affects ftruncate(), fallocate() and write().
- WRITE: If SEAL_WRITE is set, no write operations (besides resizing)
are possible. This affects fallocate(PUNCH_HOLE), mmap() and
write().
- SEAL: If SEAL_SEAL is set, no further seals can be added to a file.
This basically prevents the F_ADD_SEAL operation on a file and
can be set to prevent others from adding further seals that you
don't want.

The described use-cases can easily use these seals to provide safe use
without any trust-relationship:

1) The graphics server can verify that a passed file-descriptor has
SEAL_SHRINK set. This allows safe scanout, while the client is
allowed to increase buffer size for window-resizing on-the-fly.
Concurrent writes are explicitly allowed.

2) For general-purpose IPC, both processes can verify that SEAL_SHRINK,
SEAL_GROW and SEAL_WRITE are set. This guarantees that neither
process can modify the data while the other side parses it.
Furthermore, it guarantees that even with writable FDs passed to the
peer, it cannot increase the size to hit memory-limits of the source
process (in case the file-storage is accounted to the source).

The new API is an extension to fcntl(), adding two new commands:

F_GET_SEALS: Return a bitset describing the seals on the file. This
can be called on any FD if the underlying file supports
sealing.

F_ADD_SEALS: Change the seals of a given file. This requires WRITE
access to the file and F_SEAL_SEAL may not already be set.
Furthermore, the underlying file must support sealing and
there may not be any existing shared mapping of that file.
Otherwise, EBADF/EPERM is returned.
The given seals are _added_ to the existing set of seals
on the file. You cannot remove seals again.

The fcntl() handler is currently specific to shmem and disabled on all
files. A file needs to explicitly support sealing for this interface to
work. A separate syscall is added in a follow-up, which creates files that
support sealing. There is no intention to support this on other
file-systems. Semantics are unclear for non-volatile files and we lack any
use-case right now. Therefore, the implementation is specific to shmem.
Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Acked-by: Hugh Dickins <hughd@google.com>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Ryan Lortie <desrt@desrt.ca>
Cc: Lennart Poettering <lennart@poettering.net>
Cc: Daniel Mack <zonque@gmail.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
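The general-purpose IPC use-case (2) above, as an added example that is not part of the patch: the sender seals the message with SHRINK, GROW, WRITE and SEAL, the receiver checks F_GET_SEALS before trusting the buffer, and a third helper shows the kernel refusing a later shrink or seal change. It assumes the memfd_create() syscall with MFD_ALLOW_SEALING (the follow-up syscall the message mentions) and the glibc wrappers for it; the names and the MSG_SEALS policy are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <unistd.h>

/* Seals a zero-copy IPC message needs (use-case 2 above): the buffer can
 * neither be resized nor rewritten, and nobody can add seals later either. */
#define MSG_SEALS (F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL)

/* Sender: assemble the message in a sealable memfd, then seal it.
 * Returns the fd to hand to the peer, or -1 with errno set. */
int make_sealed_message(const char *msg, size_t len)
{
    int fd = memfd_create("ipc-msg", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0)
        return -1;
    /* The payload must be written before sealing: F_SEAL_GROW and
     * F_SEAL_WRITE would refuse the write() afterwards. */
    if (write(fd, msg, len) != (ssize_t)len ||
        fcntl(fd, F_ADD_SEALS, MSG_SEALS) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Receiver: trust the fd only after checking every required seal is set.
 * Returns 1 if immutable, 0 if not, -1 if the file does not support
 * sealing at all (fcntl fails). */
int message_is_immutable(int fd)
{
    int seals = fcntl(fd, F_GET_SEALS);
    if (seals < 0)
        return -1;
    return (seals & MSG_SEALS) == MSG_SEALS;
}

/* Shows the kernel enforcing the seals: shrinking the file and adding a
 * seal must both be refused with EPERM. Returns 1 if both are refused. */
int seals_are_enforced(int fd)
{
    int shrink_refused = ftruncate(fd, 0) < 0 && errno == EPERM;
    int seal_refused = fcntl(fd, F_ADD_SEALS, F_SEAL_SHRINK) < 0 && errno == EPERM;
    return shrink_refused && seal_refused;
}
```

A memfd created without MFD_ALLOW_SEALING carries only F_SEAL_SEAL, so message_is_immutable() rejects it, which is the check a receiver wants before parsing inline.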