License cleanup: add SPDX GPL-2.0 license identifier to files with no license
Many source files in the tree are missing licensing information, which
makes it harder for compliance tools to determine the correct license.
By default all files without license information are under the default
license of the kernel, which is GPL version 2.
Update the files which contain no license information with the 'GPL-2.0'
SPDX license identifier. The SPDX identifier is a legally binding
shorthand, which can be used instead of the full boiler plate text.
This patch is based on work done by Thomas Gleixner and Kate Stewart and
Philippe Ombredanne.
How this work was done:
Patches were generated and checked against linux-4.14-rc6 for a subset of
the use cases:
- file had no licensing information it it.
- file was a */uapi/* one with no licensing information in it,
- file was a */uapi/* one with existing licensing information,
Further patches will be generated in subsequent months to fix up cases
where non-standard license headers were used, and references to license
had to be inferred by heuristics based on keywords.
The analysis to determine which SPDX License Identifier to be applied to
a file was done in a spreadsheet of side by side results from of the
output of two independent scanners (ScanCode & Windriver) producing SPDX
tag:value files created by Philippe Ombredanne. Philippe prepared the
base worksheet, and did an initial spot review of a few 1000 files.
The 4.13 kernel was the starting point of the analysis with 60,537 files
assessed. Kate Stewart did a file by file comparison of the scanner
results in the spreadsheet to determine which SPDX license identifier(s)
to be applied to the file. She confirmed any determination that was not
immediately clear with lawyers working with the Linux Foundation.
Criteria used to select files for SPDX license identifier tagging was:
- Files considered eligible had to be source code files.
- Make and config files were included as candidates if they contained >5
lines of source
- File already had some variant of a license header in it (even if <5
lines).
All documentation files were explicitly excluded.
The following heuristics were used to determine which SPDX license
identifiers to apply.
- when both scanners couldn't find any license traces, file was
considered to have no license information in it, and the top level
COPYING file license applied.
For non */uapi/* files that summary was:
SPDX license identifier # files
---------------------------------------------------|-------
GPL-2.0 11139
and resulted in the first patch in this series.
If that file was a */uapi/* path one, it was "GPL-2.0 WITH
Linux-syscall-note" otherwise it was "GPL-2.0". Results of that was:
SPDX license identifier # files
---------------------------------------------------|-------
GPL-2.0 WITH Linux-syscall-note 930
and resulted in the second patch in this series.
- if a file had some form of licensing information in it, and was one
of the */uapi/* ones, it was denoted with the Linux-syscall-note if
any GPL family license was found in the file or had no licensing in
it (per prior point). Results summary:
SPDX license identifier # files
---------------------------------------------------|------
GPL-2.0 WITH Linux-syscall-note 270
GPL-2.0+ WITH Linux-syscall-note 169
((GPL-2.0 WITH Linux-syscall-note) OR BSD-2-Clause) 21
((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause) 17
LGPL-2.1+ WITH Linux-syscall-note 15
GPL-1.0+ WITH Linux-syscall-note 14
((GPL-2.0+ WITH Linux-syscall-note) OR BSD-3-Clause) 5
LGPL-2.0+ WITH Linux-syscall-note 4
LGPL-2.1 WITH Linux-syscall-note 3
((GPL-2.0 WITH Linux-syscall-note) OR MIT) 3
((GPL-2.0 WITH Linux-syscall-note) AND MIT) 1
and that resulted in the third patch in this series.
- when the two scanners agreed on the detected license(s), that became
the concluded license(s).
- when there was disagreement between the two scanners (one detected a
license but the other didn't, or they both detected different
licenses) a manual inspection of the file occurred.
- In most cases a manual inspection of the information in the file
resulted in a clear resolution of the license that should apply (and
which scanner probably needed to revisit its heuristics).
- When it was not immediately clear, the license identifier was
confirmed with lawyers working with the Linux Foundation.
- If there was any question as to the appropriate license identifier,
the file was flagged for further research and to be revisited later
in time.
In total, over 70 hours of logged manual review was done on the
spreadsheet to determine the SPDX license identifiers to apply to the
source files by Kate, Philippe, Thomas and, in some cases, confirmation
by lawyers working with the Linux Foundation.
Kate also obtained a third independent scan of the 4.13 code base from
FOSSology, and compared selected files where the other two scanners
disagreed against that SPDX file, to see if there was new insights. The
Windriver scanner is based on an older version of FOSSology in part, so
they are related.
Thomas did random spot checks in about 500 files from the spreadsheets
for the uapi headers and agreed with SPDX license identifier in the
files he inspected. For the non-uapi files Thomas did random spot checks
in about 15000 files.
In initial set of patches against 4.14-rc6, 3 files were found to have
copy/paste license identifier errors, and have been fixed to reflect the
correct identifier.
Additionally Philippe spent 10 hours this week doing a detailed manual
inspection and review of the 12,461 patched files from the initial patch
version early this week with:
- a full scancode scan run, collecting the matched texts, detected
license ids and scores
- reviewing anything where there was a license detected (about 500+
files) to ensure that the applied SPDX license was correct
- reviewing anything where there was no detection but the patch license
was not GPL-2.0 WITH Linux-syscall-note to ensure that the applied
SPDX license was correct
This produced a worksheet with 20 files needing minor correction. This
worksheet was then exported into 3 different .csv files for the
different types of files to be modified.
These .csv files were then reviewed by Greg. Thomas wrote a script to
parse the csv files and add the proper SPDX tag to the file, in the
format that the file expected. This script was further refined by Greg
based on the output to detect more types of files automatically and to
distinguish between header and source .c files (which need different
comment types.) Finally Greg ran the script using the .csv files to
generate the patches.
Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org>
Reviewed-by: Philippe Ombredanne <pombredanne@nexb.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-11-01 22:07:57 +08:00
|
|
|
// SPDX-License-Identifier: GPL-2.0
|
2006-10-11 16:20:50 +08:00
|
|
|
/*
|
2006-10-11 16:20:53 +08:00
|
|
|
* linux/fs/ext4/ioctl.c
|
2006-10-11 16:20:50 +08:00
|
|
|
*
|
|
|
|
* Copyright (C) 1993, 1994, 1995
|
|
|
|
* Remy Card (card@masi.ibp.fr)
|
|
|
|
* Laboratoire MASI - Institut Blaise Pascal
|
|
|
|
* Universite Pierre et Marie Curie (Paris VI)
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <linux/fs.h>
|
|
|
|
#include <linux/capability.h>
|
|
|
|
#include <linux/time.h>
|
|
|
|
#include <linux/compat.h>
|
2008-02-16 06:37:46 +08:00
|
|
|
#include <linux/mount.h>
|
2009-06-18 07:24:03 +08:00
|
|
|
#include <linux/file.h>
|
2016-01-09 05:01:22 +08:00
|
|
|
#include <linux/quotaops.h>
|
2017-11-09 11:23:20 +08:00
|
|
|
#include <linux/random.h>
|
2016-05-21 08:01:00 +08:00
|
|
|
#include <linux/uuid.h>
|
2016-12-25 03:46:01 +08:00
|
|
|
#include <linux/uaccess.h>
|
2017-02-06 08:47:14 +08:00
|
|
|
#include <linux/delay.h>
|
2018-01-09 21:21:39 +08:00
|
|
|
#include <linux/iversion.h>
|
2021-04-07 20:36:43 +08:00
|
|
|
#include <linux/fileattr.h>
|
2008-04-30 06:13:32 +08:00
|
|
|
#include "ext4_jbd2.h"
|
|
|
|
#include "ext4.h"
|
2017-04-30 12:36:53 +08:00
|
|
|
#include <linux/fsmap.h>
|
|
|
|
#include "fsmap.h"
|
|
|
|
#include <trace/events/ext4.h>
|
2006-10-11 16:20:50 +08:00
|
|
|
|
2013-04-09 00:54:05 +08:00
|
|
|
/**
|
|
|
|
* Swap memory between @a and @b for @len bytes.
|
|
|
|
*
|
|
|
|
* @a: pointer to first memory area
|
|
|
|
* @b: pointer to second memory area
|
|
|
|
* @len: number of bytes to swap
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
static void memswap(void *a, void *b, size_t len)
|
|
|
|
{
|
|
|
|
unsigned char *ap, *bp;
|
|
|
|
|
|
|
|
ap = (unsigned char *)a;
|
|
|
|
bp = (unsigned char *)b;
|
|
|
|
while (len-- > 0) {
|
2015-06-13 11:46:33 +08:00
|
|
|
swap(*ap, *bp);
|
2013-04-09 00:54:05 +08:00
|
|
|
ap++;
|
|
|
|
bp++;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Swap i_data and associated attributes between @inode1 and @inode2.
|
|
|
|
* This function is used for the primary swap between inode1 and inode2
|
|
|
|
* and also to revert this primary swap in case of errors.
|
|
|
|
*
|
|
|
|
* Therefore you have to make sure, that calling this method twice
|
|
|
|
* will revert all changes.
|
|
|
|
*
|
|
|
|
* @inode1: pointer to first inode
|
|
|
|
* @inode2: pointer to second inode
|
|
|
|
*/
|
|
|
|
static void swap_inode_data(struct inode *inode1, struct inode *inode2)
|
|
|
|
{
|
|
|
|
loff_t isize;
|
|
|
|
struct ext4_inode_info *ei1;
|
|
|
|
struct ext4_inode_info *ei2;
|
2019-02-11 13:35:06 +08:00
|
|
|
unsigned long tmp;
|
2013-04-09 00:54:05 +08:00
|
|
|
|
|
|
|
ei1 = EXT4_I(inode1);
|
|
|
|
ei2 = EXT4_I(inode2);
|
|
|
|
|
2017-07-31 12:55:34 +08:00
|
|
|
swap(inode1->i_version, inode2->i_version);
|
|
|
|
swap(inode1->i_atime, inode2->i_atime);
|
|
|
|
swap(inode1->i_mtime, inode2->i_mtime);
|
2013-04-09 00:54:05 +08:00
|
|
|
|
|
|
|
memswap(ei1->i_data, ei2->i_data, sizeof(ei1->i_data));
|
2019-02-11 13:35:06 +08:00
|
|
|
tmp = ei1->i_flags & EXT4_FL_SHOULD_SWAP;
|
|
|
|
ei1->i_flags = (ei2->i_flags & EXT4_FL_SHOULD_SWAP) |
|
|
|
|
(ei1->i_flags & ~EXT4_FL_SHOULD_SWAP);
|
|
|
|
ei2->i_flags = tmp | (ei2->i_flags & ~EXT4_FL_SHOULD_SWAP);
|
2017-07-31 12:55:34 +08:00
|
|
|
swap(ei1->i_disksize, ei2->i_disksize);
|
2013-08-12 21:29:30 +08:00
|
|
|
ext4_es_remove_extent(inode1, 0, EXT_MAX_BLOCKS);
|
|
|
|
ext4_es_remove_extent(inode2, 0, EXT_MAX_BLOCKS);
|
2013-04-09 00:54:05 +08:00
|
|
|
|
|
|
|
isize = i_size_read(inode1);
|
|
|
|
i_size_write(inode1, i_size_read(inode2));
|
|
|
|
i_size_write(inode2, isize);
|
|
|
|
}
|
|
|
|
|
2020-10-16 04:37:59 +08:00
|
|
|
void ext4_reset_inode_seed(struct inode *inode)
|
2018-10-03 06:21:19 +08:00
|
|
|
{
|
|
|
|
struct ext4_inode_info *ei = EXT4_I(inode);
|
|
|
|
struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb);
|
|
|
|
__le32 inum = cpu_to_le32(inode->i_ino);
|
|
|
|
__le32 gen = cpu_to_le32(inode->i_generation);
|
|
|
|
__u32 csum;
|
|
|
|
|
|
|
|
if (!ext4_has_metadata_csum(inode->i_sb))
|
|
|
|
return;
|
|
|
|
|
|
|
|
csum = ext4_chksum(sbi, sbi->s_csum_seed, (__u8 *)&inum, sizeof(inum));
|
|
|
|
ei->i_csum_seed = ext4_chksum(sbi, csum, (__u8 *)&gen, sizeof(gen));
|
|
|
|
}
|
|
|
|
|
2013-04-09 00:54:05 +08:00
|
|
|
/**
|
|
|
|
* Swap the information from the given @inode and the inode
|
|
|
|
* EXT4_BOOT_LOADER_INO. It will basically swap i_data and all other
|
|
|
|
* important fields of the inodes.
|
|
|
|
*
|
|
|
|
* @sb: the super block of the filesystem
|
2021-01-21 21:19:57 +08:00
|
|
|
* @mnt_userns: user namespace of the mount the inode was found from
|
2013-04-09 00:54:05 +08:00
|
|
|
* @inode: the inode to swap with EXT4_BOOT_LOADER_INO
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
static long swap_inode_boot_loader(struct super_block *sb,
|
2021-01-21 21:19:57 +08:00
|
|
|
struct user_namespace *mnt_userns,
|
2013-04-09 00:54:05 +08:00
|
|
|
struct inode *inode)
|
|
|
|
{
|
|
|
|
handle_t *handle;
|
|
|
|
int err;
|
|
|
|
struct inode *inode_bl;
|
|
|
|
struct ext4_inode_info *ei_bl;
|
2019-02-11 13:14:02 +08:00
|
|
|
qsize_t size, size_bl, diff;
|
|
|
|
blkcnt_t blocks;
|
|
|
|
unsigned short bytes;
|
2013-04-09 00:54:05 +08:00
|
|
|
|
ext4: avoid declaring fs inconsistent due to invalid file handles
If we receive a file handle, either from NFS or open_by_handle_at(2),
and it points at an inode which has not been initialized, and the file
system has metadata checksums enabled, we shouldn't try to get the
inode, discover the checksum is invalid, and then declare the file
system as being inconsistent.
This can be reproduced by creating a test file system via "mke2fs -t
ext4 -O metadata_csum /tmp/foo.img 8M", mounting it, cd'ing into that
directory, and then running the following program.
#define _GNU_SOURCE
#include <fcntl.h>
struct handle {
struct file_handle fh;
unsigned char fid[MAX_HANDLE_SZ];
};
int main(int argc, char **argv)
{
struct handle h = {{8, 1 }, { 12, }};
open_by_handle_at(AT_FDCWD, &h.fh, O_RDONLY);
return 0;
}
Google-Bug-Id: 120690101
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
2018-12-20 01:29:13 +08:00
|
|
|
inode_bl = ext4_iget(sb, EXT4_BOOT_LOADER_INO, EXT4_IGET_SPECIAL);
|
2014-02-18 09:44:36 +08:00
|
|
|
if (IS_ERR(inode_bl))
|
|
|
|
return PTR_ERR(inode_bl);
|
2013-04-09 00:54:05 +08:00
|
|
|
ei_bl = EXT4_I(inode_bl);
|
|
|
|
|
|
|
|
/* Protect orig inodes against a truncate and make sure,
|
|
|
|
* that only 1 swap_inode_boot_loader is running. */
|
2012-04-19 03:16:33 +08:00
|
|
|
lock_two_nondirectories(inode, inode_bl);
|
2013-04-09 00:54:05 +08:00
|
|
|
|
2019-02-11 13:02:05 +08:00
|
|
|
if (inode->i_nlink != 1 || !S_ISREG(inode->i_mode) ||
|
|
|
|
IS_SWAPFILE(inode) || IS_ENCRYPTED(inode) ||
|
2019-02-11 14:07:10 +08:00
|
|
|
(EXT4_I(inode)->i_flags & EXT4_JOURNAL_DATA_FL) ||
|
2019-02-11 13:02:05 +08:00
|
|
|
ext4_has_inline_data(inode)) {
|
|
|
|
err = -EINVAL;
|
|
|
|
goto journal_err_out;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (IS_RDONLY(inode) || IS_APPEND(inode) || IS_IMMUTABLE(inode) ||
|
2021-01-21 21:19:57 +08:00
|
|
|
!inode_owner_or_capable(mnt_userns, inode) ||
|
2021-01-21 21:19:25 +08:00
|
|
|
!capable(CAP_SYS_ADMIN)) {
|
2019-02-11 13:02:05 +08:00
|
|
|
err = -EPERM;
|
|
|
|
goto journal_err_out;
|
|
|
|
}
|
|
|
|
|
2021-02-05 01:05:42 +08:00
|
|
|
filemap_invalidate_lock(inode->i_mapping);
|
2019-02-11 13:05:24 +08:00
|
|
|
err = filemap_write_and_wait(inode->i_mapping);
|
|
|
|
if (err)
|
|
|
|
goto err_out;
|
|
|
|
|
|
|
|
err = filemap_write_and_wait(inode_bl->i_mapping);
|
|
|
|
if (err)
|
|
|
|
goto err_out;
|
|
|
|
|
2013-04-09 00:54:05 +08:00
|
|
|
/* Wait for all existing dio workers */
|
|
|
|
inode_dio_wait(inode);
|
|
|
|
inode_dio_wait(inode_bl);
|
|
|
|
|
2018-10-03 06:21:19 +08:00
|
|
|
truncate_inode_pages(&inode->i_data, 0);
|
|
|
|
truncate_inode_pages(&inode_bl->i_data, 0);
|
|
|
|
|
2013-04-09 00:54:05 +08:00
|
|
|
handle = ext4_journal_start(inode_bl, EXT4_HT_MOVE_EXTENTS, 2);
|
|
|
|
if (IS_ERR(handle)) {
|
|
|
|
err = -EINVAL;
|
2019-02-11 13:05:24 +08:00
|
|
|
goto err_out;
|
2013-04-09 00:54:05 +08:00
|
|
|
}
|
2021-12-24 04:21:38 +08:00
|
|
|
ext4_fc_mark_ineligible(sb, EXT4_FC_REASON_SWAP_BOOT);
|
2013-04-09 00:54:05 +08:00
|
|
|
|
|
|
|
/* Protect extent tree against block allocations via delalloc */
|
|
|
|
ext4_double_down_write_data_sem(inode, inode_bl);
|
|
|
|
|
|
|
|
if (inode_bl->i_nlink == 0) {
|
|
|
|
/* this inode has never been used as a BOOT_LOADER */
|
|
|
|
set_nlink(inode_bl, 1);
|
|
|
|
i_uid_write(inode_bl, 0);
|
|
|
|
i_gid_write(inode_bl, 0);
|
|
|
|
inode_bl->i_flags = 0;
|
|
|
|
ei_bl->i_flags = 0;
|
2018-01-09 21:21:39 +08:00
|
|
|
inode_set_iversion(inode_bl, 1);
|
2013-04-09 00:54:05 +08:00
|
|
|
i_size_write(inode_bl, 0);
|
|
|
|
inode_bl->i_mode = S_IFREG;
|
2015-10-18 04:18:43 +08:00
|
|
|
if (ext4_has_feature_extents(sb)) {
|
2013-04-09 00:54:05 +08:00
|
|
|
ext4_set_inode_flag(inode_bl, EXT4_INODE_EXTENTS);
|
|
|
|
ext4_ext_tree_init(handle, inode_bl);
|
|
|
|
} else
|
|
|
|
memset(ei_bl->i_data, 0, sizeof(ei_bl->i_data));
|
|
|
|
}
|
|
|
|
|
2019-02-11 13:14:02 +08:00
|
|
|
err = dquot_initialize(inode);
|
|
|
|
if (err)
|
|
|
|
goto err_out1;
|
|
|
|
|
|
|
|
size = (qsize_t)(inode->i_blocks) * (1 << 9) + inode->i_bytes;
|
|
|
|
size_bl = (qsize_t)(inode_bl->i_blocks) * (1 << 9) + inode_bl->i_bytes;
|
|
|
|
diff = size - size_bl;
|
2013-04-09 00:54:05 +08:00
|
|
|
swap_inode_data(inode, inode_bl);
|
|
|
|
|
2016-11-15 10:40:10 +08:00
|
|
|
inode->i_ctime = inode_bl->i_ctime = current_time(inode);
|
2013-04-09 00:54:05 +08:00
|
|
|
|
2017-11-09 11:23:20 +08:00
|
|
|
inode->i_generation = prandom_u32();
|
|
|
|
inode_bl->i_generation = prandom_u32();
|
2020-10-16 04:37:59 +08:00
|
|
|
ext4_reset_inode_seed(inode);
|
|
|
|
ext4_reset_inode_seed(inode_bl);
|
2013-04-09 00:54:05 +08:00
|
|
|
|
2020-08-17 15:36:15 +08:00
|
|
|
ext4_discard_preallocations(inode, 0);
|
2013-04-09 00:54:05 +08:00
|
|
|
|
|
|
|
err = ext4_mark_inode_dirty(handle, inode);
|
|
|
|
if (err < 0) {
|
2019-02-11 13:14:02 +08:00
|
|
|
/* No need to update quota information. */
|
2013-04-09 00:54:05 +08:00
|
|
|
ext4_warning(inode->i_sb,
|
|
|
|
"couldn't mark inode #%lu dirty (err %d)",
|
|
|
|
inode->i_ino, err);
|
|
|
|
/* Revert all changes: */
|
|
|
|
swap_inode_data(inode, inode_bl);
|
2018-10-03 06:21:19 +08:00
|
|
|
ext4_mark_inode_dirty(handle, inode);
|
2019-02-11 13:14:02 +08:00
|
|
|
goto err_out1;
|
|
|
|
}
|
|
|
|
|
|
|
|
blocks = inode_bl->i_blocks;
|
|
|
|
bytes = inode_bl->i_bytes;
|
|
|
|
inode_bl->i_blocks = inode->i_blocks;
|
|
|
|
inode_bl->i_bytes = inode->i_bytes;
|
|
|
|
err = ext4_mark_inode_dirty(handle, inode_bl);
|
|
|
|
if (err < 0) {
|
|
|
|
/* No need to update quota information. */
|
|
|
|
ext4_warning(inode_bl->i_sb,
|
|
|
|
"couldn't mark inode #%lu dirty (err %d)",
|
|
|
|
inode_bl->i_ino, err);
|
|
|
|
goto revert;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Bootloader inode should not be counted into quota information. */
|
|
|
|
if (diff > 0)
|
|
|
|
dquot_free_space(inode, diff);
|
|
|
|
else
|
|
|
|
err = dquot_alloc_space(inode, -1 * diff);
|
|
|
|
|
|
|
|
if (err < 0) {
|
|
|
|
revert:
|
|
|
|
/* Revert all changes: */
|
|
|
|
inode_bl->i_blocks = blocks;
|
|
|
|
inode_bl->i_bytes = bytes;
|
|
|
|
swap_inode_data(inode, inode_bl);
|
|
|
|
ext4_mark_inode_dirty(handle, inode);
|
|
|
|
ext4_mark_inode_dirty(handle, inode_bl);
|
2013-04-09 00:54:05 +08:00
|
|
|
}
|
2019-02-11 13:14:02 +08:00
|
|
|
|
|
|
|
err_out1:
|
2013-04-09 00:54:05 +08:00
|
|
|
ext4_journal_stop(handle);
|
|
|
|
ext4_double_up_write_data_sem(inode, inode_bl);
|
|
|
|
|
2019-02-11 13:05:24 +08:00
|
|
|
err_out:
|
2021-02-05 01:05:42 +08:00
|
|
|
filemap_invalidate_unlock(inode->i_mapping);
|
2014-02-13 00:48:31 +08:00
|
|
|
journal_err_out:
|
2012-04-19 03:16:33 +08:00
|
|
|
unlock_two_nondirectories(inode, inode_bl);
|
2013-04-09 00:54:05 +08:00
|
|
|
iput(inode_bl);
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2018-12-12 17:50:12 +08:00
|
|
|
#ifdef CONFIG_FS_ENCRYPTION
|
2015-04-11 19:48:01 +08:00
|
|
|
static int uuid_is_zero(__u8 u[16])
|
|
|
|
{
|
|
|
|
int i;
|
|
|
|
|
|
|
|
for (i = 0; i < 16; i++)
|
|
|
|
if (u[i])
|
|
|
|
return 0;
|
|
|
|
return 1;
|
|
|
|
}
|
2016-12-02 00:55:51 +08:00
|
|
|
#endif
|
2015-04-11 19:48:01 +08:00
|
|
|
|
2019-06-10 09:41:41 +08:00
|
|
|
/*
|
|
|
|
* If immutable is set and we are not clearing it, we're not allowed to change
|
|
|
|
* anything else in the inode. Don't error out if we're only trying to set
|
|
|
|
* immutable on an immutable file.
|
|
|
|
*/
|
|
|
|
static int ext4_ioctl_check_immutable(struct inode *inode, __u32 new_projid,
|
|
|
|
unsigned int flags)
|
|
|
|
{
|
|
|
|
struct ext4_inode_info *ei = EXT4_I(inode);
|
|
|
|
unsigned int oldflags = ei->i_flags;
|
|
|
|
|
|
|
|
if (!(oldflags & EXT4_IMMUTABLE_FL) || !(flags & EXT4_IMMUTABLE_FL))
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
if ((oldflags & ~EXT4_IMMUTABLE_FL) != (flags & ~EXT4_IMMUTABLE_FL))
|
|
|
|
return -EPERM;
|
|
|
|
if (ext4_has_feature_project(inode->i_sb) &&
|
|
|
|
__kprojid_val(ei->i_projid) != new_projid)
|
|
|
|
return -EPERM;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2020-05-28 23:00:02 +08:00
|
|
|
static void ext4_dax_dontcache(struct inode *inode, unsigned int flags)
|
|
|
|
{
|
|
|
|
struct ext4_inode_info *ei = EXT4_I(inode);
|
|
|
|
|
|
|
|
if (S_ISDIR(inode->i_mode))
|
|
|
|
return;
|
|
|
|
|
|
|
|
if (test_opt2(inode->i_sb, DAX_NEVER) ||
|
|
|
|
test_opt(inode->i_sb, DAX_ALWAYS))
|
|
|
|
return;
|
|
|
|
|
|
|
|
if ((ei->i_flags ^ flags) & EXT4_DAX_FL)
|
|
|
|
d_mark_dontcache(inode);
|
|
|
|
}
|
|
|
|
|
|
|
|
static bool dax_compatible(struct inode *inode, unsigned int oldflags,
|
|
|
|
unsigned int flags)
|
|
|
|
{
|
2021-04-13 05:19:00 +08:00
|
|
|
/* Allow the DAX flag to be changed on inline directories */
|
|
|
|
if (S_ISDIR(inode->i_mode)) {
|
|
|
|
flags &= ~EXT4_INLINE_DATA_FL;
|
|
|
|
oldflags &= ~EXT4_INLINE_DATA_FL;
|
|
|
|
}
|
|
|
|
|
2020-05-28 23:00:02 +08:00
|
|
|
if (flags & EXT4_DAX_FL) {
|
|
|
|
if ((oldflags & EXT4_DAX_MUT_EXCL) ||
|
|
|
|
ext4_test_inode_state(inode,
|
|
|
|
EXT4_STATE_VERITY_IN_PROGRESS)) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if ((flags & EXT4_DAX_MUT_EXCL) && (oldflags & EXT4_DAX_FL))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2016-01-09 05:01:22 +08:00
|
|
|
static int ext4_ioctl_setflags(struct inode *inode,
|
|
|
|
unsigned int flags)
|
|
|
|
{
|
|
|
|
struct ext4_inode_info *ei = EXT4_I(inode);
|
|
|
|
handle_t *handle = NULL;
|
ext4: ioctl: fix erroneous return value
The ext4_ioctl_setflags() function which is used in the ioctls
EXT4_IOC_SETFLAGS and EXT4_IOC_FSSETXATTR may return the positive value
EPERM instead of -EPERM in case of error. This bug was introduced by a
recent commit 9b7365fc.
The following program can be used to illustrate the wrong behavior:
#include <sys/types.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <err.h>
#define FS_IOC_GETFLAGS _IOR('f', 1, long)
#define FS_IOC_SETFLAGS _IOW('f', 2, long)
#define FS_IMMUTABLE_FL 0x00000010
int main(void)
{
int fd;
long flags;
fd = open("file", O_RDWR|O_CREAT, 0600);
if (fd < 0)
err(1, "open");
if (ioctl(fd, FS_IOC_GETFLAGS, &flags) < 0)
err(1, "ioctl: FS_IOC_GETFLAGS");
flags |= FS_IMMUTABLE_FL;
if (ioctl(fd, FS_IOC_SETFLAGS, &flags) < 0)
err(1, "ioctl: FS_IOC_SETFLAGS");
warnx("ioctl returned no error");
return 0;
}
Running it gives the following result:
$ strace -e ioctl ./test
ioctl(3, FS_IOC_GETFLAGS, 0x7ffdbd8bfd38) = 0
ioctl(3, FS_IOC_SETFLAGS, 0x7ffdbd8bfd38) = 1
test: ioctl returned no error
+++ exited with 0 +++
Running the program on a kernel with the bug fixed gives the proper result:
$ strace -e ioctl ./test
ioctl(3, FS_IOC_GETFLAGS, 0x7ffdd2768258) = 0
ioctl(3, FS_IOC_SETFLAGS, 0x7ffdd2768258) = -1 EPERM (Operation not permitted)
test: ioctl: FS_IOC_SETFLAGS: Operation not permitted
+++ exited with 1 +++
Signed-off-by: Anton Protopopov <a.s.protopopov@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
2016-02-12 12:57:21 +08:00
|
|
|
int err = -EPERM, migrate = 0;
|
2016-01-09 05:01:22 +08:00
|
|
|
struct ext4_iloc iloc;
|
|
|
|
unsigned int oldflags, mask, i;
|
ext4: Support case-insensitive file name lookups
This patch implements the actual support for case-insensitive file name
lookups in ext4, based on the feature bit and the encoding stored in the
superblock.
A filesystem that has the casefold feature set is able to configure
directories with the +F (EXT4_CASEFOLD_FL) attribute, enabling lookups
to succeed in that directory in a case-insensitive fashion, i.e: match
a directory entry even if the name used by userspace is not a byte per
byte match with the disk name, but is an equivalent case-insensitive
version of the Unicode string. This operation is called a
case-insensitive file name lookup.
The feature is configured as an inode attribute applied to directories
and inherited by its children. This attribute can only be enabled on
empty directories for filesystems that support the encoding feature,
thus preventing collision of file names that only differ by case.
* dcache handling:
For a +F directory, Ext4 only stores the first equivalent name dentry
used in the dcache. This is done to prevent unintentional duplication of
dentries in the dcache, while also allowing the VFS code to quickly find
the right entry in the cache despite which equivalent string was used in
a previous lookup, without having to resort to ->lookup().
d_hash() of casefolded directories is implemented as the hash of the
casefolded string, such that we always have a well-known bucket for all
the equivalencies of the same string. d_compare() uses the
utf8_strncasecmp() infrastructure, which handles the comparison of
equivalent, same case, names as well.
For now, negative lookups are not inserted in the dcache, since they
would need to be invalidated anyway, because we can't trust missing file
dentries. This is bad for performance but requires some leveraging of
the vfs layer to fix. We can live without that for now, and so does
everyone else.
* on-disk data:
Despite using a specific version of the name as the internal
representation within the dcache, the name stored and fetched from the
disk is a byte-per-byte match with what the user requested, making this
implementation 'name-preserving'. i.e. no actual information is lost
when writing to storage.
DX is supported by modifying the hashes used in +F directories to make
them case/encoding-aware. The new disk hashes are calculated as the
hash of the full casefolded string, instead of the string directly.
This allows us to efficiently search for file names in the htree without
requiring the user to provide an exact name.
* Dealing with invalid sequences:
By default, when a invalid UTF-8 sequence is identified, ext4 will treat
it as an opaque byte sequence, ignoring the encoding and reverting to
the old behavior for that unique file. This means that case-insensitive
file name lookup will not work only for that file. An optional bit can
be set in the superblock telling the filesystem code and userspace tools
to enforce the encoding. When that optional bit is set, any attempt to
create a file name using an invalid UTF-8 sequence will fail and return
an error to userspace.
* Normalization algorithm:
The UTF-8 algorithms used to compare strings in ext4 is implemented
lives in fs/unicode, and is based on a previous version developed by
SGI. It implements the Canonical decomposition (NFD) algorithm
described by the Unicode specification 12.1, or higher, combined with
the elimination of ignorable code points (NFDi) and full
case-folding (CF) as documented in fs/unicode/utf8_norm.c.
NFD seems to be the best normalization method for EXT4 because:
- It has a lower cost than NFC/NFKC (which requires
decomposing to NFD as an intermediary step)
- It doesn't eliminate important semantic meaning like
compatibility decompositions.
Although:
- This implementation is not completely linguistic accurate, because
different languages have conflicting rules, which would require the
specialization of the filesystem to a given locale, which brings all
sorts of problems for removable media and for users who use more than
one language.
Signed-off-by: Gabriel Krisman Bertazi <krisman@collabora.co.uk>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
2019-04-26 02:12:08 +08:00
|
|
|
struct super_block *sb = inode->i_sb;
|
2016-01-09 05:01:22 +08:00
|
|
|
|
|
|
|
/* Is it quota file? Do not allow user to mess with it */
|
2017-06-22 23:31:25 +08:00
|
|
|
if (ext4_is_quota_file(inode))
|
2016-01-09 05:01:22 +08:00
|
|
|
goto flags_out;
|
|
|
|
|
|
|
|
oldflags = ei->i_flags;
|
|
|
|
/*
|
|
|
|
* The JOURNAL_DATA flag can only be changed by
|
|
|
|
* the relevant capability.
|
|
|
|
*/
|
2020-05-28 23:00:01 +08:00
|
|
|
if ((flags ^ oldflags) & (EXT4_JOURNAL_DATA_FL)) {
|
2016-01-09 05:01:22 +08:00
|
|
|
if (!capable(CAP_SYS_RESOURCE))
|
|
|
|
goto flags_out;
|
|
|
|
}
|
2020-05-28 23:00:02 +08:00
|
|
|
|
|
|
|
if (!dax_compatible(inode, oldflags, flags)) {
|
|
|
|
err = -EOPNOTSUPP;
|
|
|
|
goto flags_out;
|
|
|
|
}
|
|
|
|
|
2016-01-09 05:01:22 +08:00
|
|
|
if ((flags ^ oldflags) & EXT4_EXTENTS_FL)
|
|
|
|
migrate = 1;
|
|
|
|
|
ext4: Support case-insensitive file name lookups
This patch implements the actual support for case-insensitive file name
lookups in ext4, based on the feature bit and the encoding stored in the
superblock.
A filesystem that has the casefold feature set is able to configure
directories with the +F (EXT4_CASEFOLD_FL) attribute, enabling lookups
to succeed in that directory in a case-insensitive fashion, i.e: match
a directory entry even if the name used by userspace is not a byte per
byte match with the disk name, but is an equivalent case-insensitive
version of the Unicode string. This operation is called a
case-insensitive file name lookup.
The feature is configured as an inode attribute applied to directories
and inherited by its children. This attribute can only be enabled on
empty directories for filesystems that support the encoding feature,
thus preventing collision of file names that only differ by case.
* dcache handling:
For a +F directory, Ext4 only stores the first equivalent name dentry
used in the dcache. This is done to prevent unintentional duplication of
dentries in the dcache, while also allowing the VFS code to quickly find
the right entry in the cache despite which equivalent string was used in
a previous lookup, without having to resort to ->lookup().
d_hash() of casefolded directories is implemented as the hash of the
casefolded string, such that we always have a well-known bucket for all
the equivalencies of the same string. d_compare() uses the
utf8_strncasecmp() infrastructure, which handles the comparison of
equivalent, same case, names as well.
For now, negative lookups are not inserted in the dcache, since they
would need to be invalidated anyway, because we can't trust missing file
dentries. This is bad for performance but requires some leveraging of
the vfs layer to fix. We can live without that for now, and so does
everyone else.
* on-disk data:
Despite using a specific version of the name as the internal
representation within the dcache, the name stored and fetched from the
disk is a byte-per-byte match with what the user requested, making this
implementation 'name-preserving'. i.e. no actual information is lost
when writing to storage.
DX is supported by modifying the hashes used in +F directories to make
them case/encoding-aware. The new disk hashes are calculated as the
hash of the full casefolded string, instead of the string directly.
This allows us to efficiently search for file names in the htree without
requiring the user to provide an exact name.
* Dealing with invalid sequences:
By default, when a invalid UTF-8 sequence is identified, ext4 will treat
it as an opaque byte sequence, ignoring the encoding and reverting to
the old behavior for that unique file. This means that case-insensitive
file name lookup will not work only for that file. An optional bit can
be set in the superblock telling the filesystem code and userspace tools
to enforce the encoding. When that optional bit is set, any attempt to
create a file name using an invalid UTF-8 sequence will fail and return
an error to userspace.
* Normalization algorithm:
The UTF-8 algorithms used to compare strings in ext4 is implemented
lives in fs/unicode, and is based on a previous version developed by
SGI. It implements the Canonical decomposition (NFD) algorithm
described by the Unicode specification 12.1, or higher, combined with
the elimination of ignorable code points (NFDi) and full
case-folding (CF) as documented in fs/unicode/utf8_norm.c.
NFD seems to be the best normalization method for EXT4 because:
- It has a lower cost than NFC/NFKC (which requires
decomposing to NFD as an intermediary step)
- It doesn't eliminate important semantic meaning like
compatibility decompositions.
Although:
- This implementation is not completely linguistic accurate, because
different languages have conflicting rules, which would require the
specialization of the filesystem to a given locale, which brings all
sorts of problems for removable media and for users who use more than
one language.
Signed-off-by: Gabriel Krisman Bertazi <krisman@collabora.co.uk>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
2019-04-26 02:12:08 +08:00
|
|
|
if ((flags ^ oldflags) & EXT4_CASEFOLD_FL) {
|
|
|
|
if (!ext4_has_feature_casefold(sb)) {
|
|
|
|
err = -EOPNOTSUPP;
|
|
|
|
goto flags_out;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!S_ISDIR(inode->i_mode)) {
|
|
|
|
err = -ENOTDIR;
|
|
|
|
goto flags_out;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!ext4_empty_dir(inode)) {
|
|
|
|
err = -ENOTEMPTY;
|
|
|
|
goto flags_out;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-06-10 09:41:41 +08:00
|
|
|
/*
|
|
|
|
* Wait for all pending directio and then flush all the dirty pages
|
|
|
|
* for this file. The flush marks all the pages readonly, so any
|
|
|
|
* subsequent attempt to write to the file (particularly mmap pages)
|
|
|
|
* will come through the filesystem and fail.
|
|
|
|
*/
|
|
|
|
if (S_ISREG(inode->i_mode) && !IS_IMMUTABLE(inode) &&
|
|
|
|
(flags & EXT4_IMMUTABLE_FL)) {
|
|
|
|
inode_dio_wait(inode);
|
|
|
|
err = filemap_write_and_wait(inode->i_mapping);
|
|
|
|
if (err)
|
|
|
|
goto flags_out;
|
|
|
|
}
|
|
|
|
|
2016-01-09 05:01:22 +08:00
|
|
|
handle = ext4_journal_start(inode, EXT4_HT_INODE, 1);
|
|
|
|
if (IS_ERR(handle)) {
|
|
|
|
err = PTR_ERR(handle);
|
|
|
|
goto flags_out;
|
|
|
|
}
|
|
|
|
if (IS_SYNC(inode))
|
|
|
|
ext4_handle_sync(handle);
|
|
|
|
err = ext4_reserve_inode_write(handle, inode, &iloc);
|
|
|
|
if (err)
|
|
|
|
goto flags_err;
|
|
|
|
|
2020-05-28 23:00:02 +08:00
|
|
|
ext4_dax_dontcache(inode, flags);
|
|
|
|
|
2016-01-09 05:01:22 +08:00
|
|
|
for (i = 0, mask = 1; i < 32; i++, mask <<= 1) {
|
|
|
|
if (!(mask & EXT4_FL_USER_MODIFIABLE))
|
|
|
|
continue;
|
2016-11-30 00:13:13 +08:00
|
|
|
/* These flags get special treatment later */
|
|
|
|
if (mask == EXT4_JOURNAL_DATA_FL || mask == EXT4_EXTENTS_FL)
|
|
|
|
continue;
|
2016-01-09 05:01:22 +08:00
|
|
|
if (mask & flags)
|
|
|
|
ext4_set_inode_flag(inode, i);
|
|
|
|
else
|
|
|
|
ext4_clear_inode_flag(inode, i);
|
|
|
|
}
|
|
|
|
|
2020-05-28 22:59:59 +08:00
|
|
|
ext4_set_inode_flags(inode, false);
|
|
|
|
|
2016-11-15 10:40:10 +08:00
|
|
|
inode->i_ctime = current_time(inode);
|
2016-01-09 05:01:22 +08:00
|
|
|
|
|
|
|
err = ext4_mark_iloc_dirty(handle, inode, &iloc);
|
|
|
|
flags_err:
|
|
|
|
ext4_journal_stop(handle);
|
|
|
|
if (err)
|
|
|
|
goto flags_out;
|
|
|
|
|
2020-05-28 23:00:01 +08:00
|
|
|
if ((flags ^ oldflags) & (EXT4_JOURNAL_DATA_FL)) {
|
2017-10-12 23:54:08 +08:00
|
|
|
/*
|
|
|
|
* Changes to the journaling mode can cause unsafe changes to
|
2020-05-28 22:59:55 +08:00
|
|
|
* S_DAX if the inode is DAX
|
2017-10-12 23:54:08 +08:00
|
|
|
*/
|
2020-05-28 22:59:55 +08:00
|
|
|
if (IS_DAX(inode)) {
|
2017-10-12 23:54:08 +08:00
|
|
|
err = -EBUSY;
|
|
|
|
goto flags_out;
|
|
|
|
}
|
|
|
|
|
2020-05-28 23:00:01 +08:00
|
|
|
err = ext4_change_inode_journal_flag(inode,
|
|
|
|
flags & EXT4_JOURNAL_DATA_FL);
|
2017-10-12 23:54:08 +08:00
|
|
|
if (err)
|
|
|
|
goto flags_out;
|
|
|
|
}
|
2016-01-09 05:01:22 +08:00
|
|
|
if (migrate) {
|
|
|
|
if (flags & EXT4_EXTENTS_FL)
|
|
|
|
err = ext4_ext_migrate(inode);
|
|
|
|
else
|
|
|
|
err = ext4_ind_migrate(inode);
|
|
|
|
}
|
|
|
|
|
|
|
|
flags_out:
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
#ifdef CONFIG_QUOTA
|
2021-04-07 20:36:43 +08:00
|
|
|
static int ext4_ioctl_setproject(struct inode *inode, __u32 projid)
|
2016-01-09 05:01:22 +08:00
|
|
|
{
|
|
|
|
struct super_block *sb = inode->i_sb;
|
|
|
|
struct ext4_inode_info *ei = EXT4_I(inode);
|
|
|
|
int err, rc;
|
|
|
|
handle_t *handle;
|
|
|
|
kprojid_t kprojid;
|
|
|
|
struct ext4_iloc iloc;
|
|
|
|
struct ext4_inode *raw_inode;
|
2016-07-06 09:33:52 +08:00
|
|
|
struct dquot *transfer_to[MAXQUOTAS] = { };
|
2016-01-09 05:01:22 +08:00
|
|
|
|
2016-09-06 11:11:58 +08:00
|
|
|
if (!ext4_has_feature_project(sb)) {
|
2016-01-09 05:01:22 +08:00
|
|
|
if (projid != EXT4_DEF_PROJID)
|
|
|
|
return -EOPNOTSUPP;
|
|
|
|
else
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (EXT4_INODE_SIZE(sb) <= EXT4_GOOD_OLD_INODE_SIZE)
|
|
|
|
return -EOPNOTSUPP;
|
|
|
|
|
|
|
|
kprojid = make_kprojid(&init_user_ns, (projid_t)projid);
|
|
|
|
|
|
|
|
if (projid_eq(kprojid, EXT4_I(inode)->i_projid))
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
err = -EPERM;
|
|
|
|
/* Is it quota file? Do not allow user to mess with it */
|
2017-06-22 23:31:25 +08:00
|
|
|
if (ext4_is_quota_file(inode))
|
ext4: fix setattr project check in fssetxattr ioctl
Currently, project quota could be changed by fssetxattr
ioctl, and existed permission check inode_owner_or_capable()
is obviously not enough, just think that common users could
change project id of file, that could make users to
break project quota easily.
This patch try to follow same regular of xfs project
quota:
"Project Quota ID state is only allowed to change from
within the init namespace. Enforce that restriction only
if we are trying to change the quota ID state.
Everything else is allowed in user namespaces."
Besides that, check and set project id'state should
be an atomic operation, protect whole operation with
inode lock, ext4_ioctl_setproject() is only used for
ioctl EXT4_IOC_FSSETXATTR, we have held mnt_want_write_file()
before ext4_ioctl_setflags(), and ext4_ioctl_setproject()
is called after ext4_ioctl_setflags(), we could share
codes, so remove it inside ext4_ioctl_setproject().
Signed-off-by: Wang Shilong <wshilong@ddn.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Cc: stable@kernel.org
2018-10-03 22:33:32 +08:00
|
|
|
return err;
|
2016-01-09 05:01:22 +08:00
|
|
|
|
|
|
|
err = ext4_get_inode_loc(inode, &iloc);
|
|
|
|
if (err)
|
ext4: fix setattr project check in fssetxattr ioctl
Currently, project quota could be changed by fssetxattr
ioctl, and existed permission check inode_owner_or_capable()
is obviously not enough, just think that common users could
change project id of file, that could make users to
break project quota easily.
This patch try to follow same regular of xfs project
quota:
"Project Quota ID state is only allowed to change from
within the init namespace. Enforce that restriction only
if we are trying to change the quota ID state.
Everything else is allowed in user namespaces."
Besides that, check and set project id'state should
be an atomic operation, protect whole operation with
inode lock, ext4_ioctl_setproject() is only used for
ioctl EXT4_IOC_FSSETXATTR, we have held mnt_want_write_file()
before ext4_ioctl_setflags(), and ext4_ioctl_setproject()
is called after ext4_ioctl_setflags(), we could share
codes, so remove it inside ext4_ioctl_setproject().
Signed-off-by: Wang Shilong <wshilong@ddn.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Cc: stable@kernel.org
2018-10-03 22:33:32 +08:00
|
|
|
return err;
|
2016-01-09 05:01:22 +08:00
|
|
|
|
|
|
|
raw_inode = ext4_raw_inode(&iloc);
|
|
|
|
if (!EXT4_FITS_IN_INODE(raw_inode, ei, i_projid)) {
|
2017-08-06 13:00:49 +08:00
|
|
|
err = ext4_expand_extra_isize(inode,
|
|
|
|
EXT4_SB(sb)->s_want_extra_isize,
|
|
|
|
&iloc);
|
|
|
|
if (err)
|
ext4: fix setattr project check in fssetxattr ioctl
Currently, project quota could be changed by fssetxattr
ioctl, and existed permission check inode_owner_or_capable()
is obviously not enough, just think that common users could
change project id of file, that could make users to
break project quota easily.
This patch try to follow same regular of xfs project
quota:
"Project Quota ID state is only allowed to change from
within the init namespace. Enforce that restriction only
if we are trying to change the quota ID state.
Everything else is allowed in user namespaces."
Besides that, check and set project id'state should
be an atomic operation, protect whole operation with
inode lock, ext4_ioctl_setproject() is only used for
ioctl EXT4_IOC_FSSETXATTR, we have held mnt_want_write_file()
before ext4_ioctl_setflags(), and ext4_ioctl_setproject()
is called after ext4_ioctl_setflags(), we could share
codes, so remove it inside ext4_ioctl_setproject().
Signed-off-by: Wang Shilong <wshilong@ddn.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Cc: stable@kernel.org
2018-10-03 22:33:32 +08:00
|
|
|
return err;
|
2017-08-06 13:00:49 +08:00
|
|
|
} else {
|
2016-01-09 05:01:22 +08:00
|
|
|
brelse(iloc.bh);
|
|
|
|
}
|
|
|
|
|
2018-10-04 00:19:21 +08:00
|
|
|
err = dquot_initialize(inode);
|
|
|
|
if (err)
|
|
|
|
return err;
|
2016-01-09 05:01:22 +08:00
|
|
|
|
|
|
|
handle = ext4_journal_start(inode, EXT4_HT_QUOTA,
|
|
|
|
EXT4_QUOTA_INIT_BLOCKS(sb) +
|
|
|
|
EXT4_QUOTA_DEL_BLOCKS(sb) + 3);
|
ext4: fix setattr project check in fssetxattr ioctl
Currently, project quota could be changed by fssetxattr
ioctl, and existed permission check inode_owner_or_capable()
is obviously not enough, just think that common users could
change project id of file, that could make users to
break project quota easily.
This patch try to follow same regular of xfs project
quota:
"Project Quota ID state is only allowed to change from
within the init namespace. Enforce that restriction only
if we are trying to change the quota ID state.
Everything else is allowed in user namespaces."
Besides that, check and set project id'state should
be an atomic operation, protect whole operation with
inode lock, ext4_ioctl_setproject() is only used for
ioctl EXT4_IOC_FSSETXATTR, we have held mnt_want_write_file()
before ext4_ioctl_setflags(), and ext4_ioctl_setproject()
is called after ext4_ioctl_setflags(), we could share
codes, so remove it inside ext4_ioctl_setproject().
Signed-off-by: Wang Shilong <wshilong@ddn.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Cc: stable@kernel.org
2018-10-03 22:33:32 +08:00
|
|
|
if (IS_ERR(handle))
|
|
|
|
return PTR_ERR(handle);
|
2016-01-09 05:01:22 +08:00
|
|
|
|
|
|
|
err = ext4_reserve_inode_write(handle, inode, &iloc);
|
|
|
|
if (err)
|
|
|
|
goto out_stop;
|
|
|
|
|
2016-07-06 09:33:52 +08:00
|
|
|
transfer_to[PRJQUOTA] = dqget(sb, make_kqid_projid(kprojid));
|
|
|
|
if (!IS_ERR(transfer_to[PRJQUOTA])) {
|
2017-06-22 23:46:48 +08:00
|
|
|
|
|
|
|
/* __dquot_transfer() calls back ext4_get_inode_usage() which
|
|
|
|
* counts xattr inode references.
|
|
|
|
*/
|
|
|
|
down_read(&EXT4_I(inode)->xattr_sem);
|
2016-07-06 09:33:52 +08:00
|
|
|
err = __dquot_transfer(inode, transfer_to);
|
2017-06-22 23:46:48 +08:00
|
|
|
up_read(&EXT4_I(inode)->xattr_sem);
|
2016-07-06 09:33:52 +08:00
|
|
|
dqput(transfer_to[PRJQUOTA]);
|
|
|
|
if (err)
|
|
|
|
goto out_dirty;
|
2016-01-09 05:01:22 +08:00
|
|
|
}
|
2016-07-06 09:33:52 +08:00
|
|
|
|
2016-01-09 05:01:22 +08:00
|
|
|
EXT4_I(inode)->i_projid = kprojid;
|
2016-11-15 10:40:10 +08:00
|
|
|
inode->i_ctime = current_time(inode);
|
2016-01-09 05:01:22 +08:00
|
|
|
out_dirty:
|
|
|
|
rc = ext4_mark_iloc_dirty(handle, inode, &iloc);
|
|
|
|
if (!err)
|
|
|
|
err = rc;
|
|
|
|
out_stop:
|
|
|
|
ext4_journal_stop(handle);
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
#else
|
2021-04-07 20:36:43 +08:00
|
|
|
static int ext4_ioctl_setproject(struct inode *inode, __u32 projid)
|
2016-01-09 05:01:22 +08:00
|
|
|
{
|
|
|
|
if (projid != EXT4_DEF_PROJID)
|
|
|
|
return -EOPNOTSUPP;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2017-04-30 12:40:44 +08:00
|
|
|
static int ext4_shutdown(struct super_block *sb, unsigned long arg)
|
2017-02-06 08:47:14 +08:00
|
|
|
{
|
|
|
|
struct ext4_sb_info *sbi = EXT4_SB(sb);
|
|
|
|
__u32 flags;
|
|
|
|
|
|
|
|
if (!capable(CAP_SYS_ADMIN))
|
|
|
|
return -EPERM;
|
|
|
|
|
|
|
|
if (get_user(flags, (__u32 __user *)arg))
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
if (flags > EXT4_GOING_FLAGS_NOLOGFLUSH)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (ext4_forced_shutdown(sbi))
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
ext4_msg(sb, KERN_ALERT, "shut down requested (%d)", flags);
|
2018-02-19 09:53:23 +08:00
|
|
|
trace_ext4_shutdown(sb, flags);
|
2017-02-06 08:47:14 +08:00
|
|
|
|
|
|
|
switch (flags) {
|
|
|
|
case EXT4_GOING_FLAGS_DEFAULT:
|
|
|
|
freeze_bdev(sb->s_bdev);
|
|
|
|
set_bit(EXT4_FLAGS_SHUTDOWN, &sbi->s_ext4_flags);
|
2020-11-24 18:54:06 +08:00
|
|
|
thaw_bdev(sb->s_bdev);
|
2017-02-06 08:47:14 +08:00
|
|
|
break;
|
|
|
|
case EXT4_GOING_FLAGS_LOGFLUSH:
|
|
|
|
set_bit(EXT4_FLAGS_SHUTDOWN, &sbi->s_ext4_flags);
|
|
|
|
if (sbi->s_journal && !is_journal_aborted(sbi->s_journal)) {
|
|
|
|
(void) ext4_force_commit(sb);
|
2018-02-19 12:45:18 +08:00
|
|
|
jbd2_journal_abort(sbi->s_journal, -ESHUTDOWN);
|
2017-02-06 08:47:14 +08:00
|
|
|
}
|
|
|
|
break;
|
|
|
|
case EXT4_GOING_FLAGS_NOLOGFLUSH:
|
|
|
|
set_bit(EXT4_FLAGS_SHUTDOWN, &sbi->s_ext4_flags);
|
2018-02-19 12:16:28 +08:00
|
|
|
if (sbi->s_journal && !is_journal_aborted(sbi->s_journal))
|
2018-02-19 12:45:18 +08:00
|
|
|
jbd2_journal_abort(sbi->s_journal, -ESHUTDOWN);
|
2017-02-06 08:47:14 +08:00
|
|
|
break;
|
|
|
|
default:
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
clear_opt(sb, DISCARD);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2017-04-30 12:36:53 +08:00
|
|
|
struct getfsmap_info {
|
|
|
|
struct super_block *gi_sb;
|
|
|
|
struct fsmap_head __user *gi_data;
|
|
|
|
unsigned int gi_idx;
|
|
|
|
__u32 gi_last_flags;
|
|
|
|
};
|
|
|
|
|
|
|
|
static int ext4_getfsmap_format(struct ext4_fsmap *xfm, void *priv)
|
|
|
|
{
|
|
|
|
struct getfsmap_info *info = priv;
|
|
|
|
struct fsmap fm;
|
|
|
|
|
|
|
|
trace_ext4_getfsmap_mapping(info->gi_sb, xfm);
|
|
|
|
|
|
|
|
info->gi_last_flags = xfm->fmr_flags;
|
|
|
|
ext4_fsmap_from_internal(info->gi_sb, &fm, xfm);
|
|
|
|
if (copy_to_user(&info->gi_data->fmh_recs[info->gi_idx++], &fm,
|
|
|
|
sizeof(struct fsmap)))
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int ext4_ioc_getfsmap(struct super_block *sb,
|
|
|
|
struct fsmap_head __user *arg)
|
|
|
|
{
|
2019-05-12 16:49:47 +08:00
|
|
|
struct getfsmap_info info = { NULL };
|
2017-04-30 12:36:53 +08:00
|
|
|
struct ext4_fsmap_head xhead = {0};
|
|
|
|
struct fsmap_head head;
|
|
|
|
bool aborted = false;
|
|
|
|
int error;
|
|
|
|
|
|
|
|
if (copy_from_user(&head, arg, sizeof(struct fsmap_head)))
|
|
|
|
return -EFAULT;
|
|
|
|
if (memchr_inv(head.fmh_reserved, 0, sizeof(head.fmh_reserved)) ||
|
|
|
|
memchr_inv(head.fmh_keys[0].fmr_reserved, 0,
|
|
|
|
sizeof(head.fmh_keys[0].fmr_reserved)) ||
|
|
|
|
memchr_inv(head.fmh_keys[1].fmr_reserved, 0,
|
|
|
|
sizeof(head.fmh_keys[1].fmr_reserved)))
|
|
|
|
return -EINVAL;
|
|
|
|
/*
|
|
|
|
* ext4 doesn't report file extents at all, so the only valid
|
|
|
|
* file offsets are the magic ones (all zeroes or all ones).
|
|
|
|
*/
|
|
|
|
if (head.fmh_keys[0].fmr_offset ||
|
|
|
|
(head.fmh_keys[1].fmr_offset != 0 &&
|
|
|
|
head.fmh_keys[1].fmr_offset != -1ULL))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
xhead.fmh_iflags = head.fmh_iflags;
|
|
|
|
xhead.fmh_count = head.fmh_count;
|
|
|
|
ext4_fsmap_to_internal(sb, &xhead.fmh_keys[0], &head.fmh_keys[0]);
|
|
|
|
ext4_fsmap_to_internal(sb, &xhead.fmh_keys[1], &head.fmh_keys[1]);
|
|
|
|
|
|
|
|
trace_ext4_getfsmap_low_key(sb, &xhead.fmh_keys[0]);
|
|
|
|
trace_ext4_getfsmap_high_key(sb, &xhead.fmh_keys[1]);
|
|
|
|
|
|
|
|
info.gi_sb = sb;
|
|
|
|
info.gi_data = arg;
|
|
|
|
error = ext4_getfsmap(sb, &xhead, ext4_getfsmap_format, &info);
|
2021-04-29 18:16:49 +08:00
|
|
|
if (error == EXT4_QUERY_RANGE_ABORT)
|
2017-04-30 12:36:53 +08:00
|
|
|
aborted = true;
|
2021-04-29 18:16:49 +08:00
|
|
|
else if (error)
|
2017-04-30 12:36:53 +08:00
|
|
|
return error;
|
|
|
|
|
|
|
|
/* If we didn't abort, set the "last" flag in the last fmx */
|
|
|
|
if (!aborted && info.gi_idx) {
|
|
|
|
info.gi_last_flags |= FMR_OF_LAST;
|
|
|
|
if (copy_to_user(&info.gi_data->fmh_recs[info.gi_idx - 1].fmr_flags,
|
|
|
|
&info.gi_last_flags,
|
|
|
|
sizeof(info.gi_last_flags)))
|
|
|
|
return -EFAULT;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* copy back header */
|
|
|
|
head.fmh_entries = xhead.fmh_entries;
|
|
|
|
head.fmh_oflags = xhead.fmh_oflags;
|
|
|
|
if (copy_to_user(arg, &head, sizeof(struct fsmap_head)))
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2017-09-30 09:39:59 +08:00
|
|
|
static long ext4_ioctl_group_add(struct file *file,
|
|
|
|
struct ext4_new_group_data *input)
|
|
|
|
{
|
|
|
|
struct super_block *sb = file_inode(file)->i_sb;
|
|
|
|
int err, err2=0;
|
|
|
|
|
|
|
|
err = ext4_resize_begin(sb);
|
|
|
|
if (err)
|
|
|
|
return err;
|
|
|
|
|
2021-07-01 08:54:22 +08:00
|
|
|
if (ext4_has_feature_bigalloc(sb)) {
|
|
|
|
ext4_msg(sb, KERN_ERR,
|
|
|
|
"Online resizing not supported with bigalloc");
|
|
|
|
err = -EOPNOTSUPP;
|
|
|
|
goto group_add_out;
|
|
|
|
}
|
|
|
|
|
2017-09-30 09:39:59 +08:00
|
|
|
err = mnt_want_write_file(file);
|
|
|
|
if (err)
|
|
|
|
goto group_add_out;
|
|
|
|
|
|
|
|
err = ext4_group_add(sb, input);
|
|
|
|
if (EXT4_SB(sb)->s_journal) {
|
|
|
|
jbd2_journal_lock_updates(EXT4_SB(sb)->s_journal);
|
2021-05-18 23:13:25 +08:00
|
|
|
err2 = jbd2_journal_flush(EXT4_SB(sb)->s_journal, 0);
|
2017-09-30 09:39:59 +08:00
|
|
|
jbd2_journal_unlock_updates(EXT4_SB(sb)->s_journal);
|
|
|
|
}
|
|
|
|
if (err == 0)
|
|
|
|
err = err2;
|
|
|
|
mnt_drop_write_file(file);
|
|
|
|
if (!err && ext4_has_group_desc_csum(sb) &&
|
|
|
|
test_opt(sb, INIT_INODE_TABLE))
|
|
|
|
err = ext4_register_li_request(sb, input->group);
|
|
|
|
group_add_out:
|
|
|
|
ext4_resize_end(sb);
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2021-04-07 20:36:43 +08:00
|
|
|
int ext4_fileattr_get(struct dentry *dentry, struct fileattr *fa)
|
ext4: fix setattr project check in fssetxattr ioctl
Currently, project quota could be changed by fssetxattr
ioctl, and existed permission check inode_owner_or_capable()
is obviously not enough, just think that common users could
change project id of file, that could make users to
break project quota easily.
This patch try to follow same regular of xfs project
quota:
"Project Quota ID state is only allowed to change from
within the init namespace. Enforce that restriction only
if we are trying to change the quota ID state.
Everything else is allowed in user namespaces."
Besides that, check and set project id'state should
be an atomic operation, protect whole operation with
inode lock, ext4_ioctl_setproject() is only used for
ioctl EXT4_IOC_FSSETXATTR, we have held mnt_want_write_file()
before ext4_ioctl_setflags(), and ext4_ioctl_setproject()
is called after ext4_ioctl_setflags(), we could share
codes, so remove it inside ext4_ioctl_setproject().
Signed-off-by: Wang Shilong <wshilong@ddn.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Cc: stable@kernel.org
2018-10-03 22:33:32 +08:00
|
|
|
{
|
2021-04-07 20:36:43 +08:00
|
|
|
struct inode *inode = d_inode(dentry);
|
2019-07-01 23:25:35 +08:00
|
|
|
struct ext4_inode_info *ei = EXT4_I(inode);
|
2021-04-07 20:36:43 +08:00
|
|
|
u32 flags = ei->i_flags & EXT4_FL_USER_VISIBLE;
|
ext4: fix setattr project check in fssetxattr ioctl
Currently, project quota could be changed by fssetxattr
ioctl, and existed permission check inode_owner_or_capable()
is obviously not enough, just think that common users could
change project id of file, that could make users to
break project quota easily.
This patch try to follow same regular of xfs project
quota:
"Project Quota ID state is only allowed to change from
within the init namespace. Enforce that restriction only
if we are trying to change the quota ID state.
Everything else is allowed in user namespaces."
Besides that, check and set project id'state should
be an atomic operation, protect whole operation with
inode lock, ext4_ioctl_setproject() is only used for
ioctl EXT4_IOC_FSSETXATTR, we have held mnt_want_write_file()
before ext4_ioctl_setflags(), and ext4_ioctl_setproject()
is called after ext4_ioctl_setflags(), we could share
codes, so remove it inside ext4_ioctl_setproject().
Signed-off-by: Wang Shilong <wshilong@ddn.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Cc: stable@kernel.org
2018-10-03 22:33:32 +08:00
|
|
|
|
2021-04-07 20:36:43 +08:00
|
|
|
if (S_ISREG(inode->i_mode))
|
|
|
|
flags &= ~FS_PROJINHERIT_FL;
|
ext4: fix setattr project check in fssetxattr ioctl
Currently, project quota could be changed by fssetxattr
ioctl, and existed permission check inode_owner_or_capable()
is obviously not enough, just think that common users could
change project id of file, that could make users to
break project quota easily.
This patch try to follow same regular of xfs project
quota:
"Project Quota ID state is only allowed to change from
within the init namespace. Enforce that restriction only
if we are trying to change the quota ID state.
Everything else is allowed in user namespaces."
Besides that, check and set project id'state should
be an atomic operation, protect whole operation with
inode lock, ext4_ioctl_setproject() is only used for
ioctl EXT4_IOC_FSSETXATTR, we have held mnt_want_write_file()
before ext4_ioctl_setflags(), and ext4_ioctl_setproject()
is called after ext4_ioctl_setflags(), we could share
codes, so remove it inside ext4_ioctl_setproject().
Signed-off-by: Wang Shilong <wshilong@ddn.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Cc: stable@kernel.org
2018-10-03 22:33:32 +08:00
|
|
|
|
2021-04-07 20:36:43 +08:00
|
|
|
fileattr_fill_flags(fa, flags);
|
2019-07-01 23:25:35 +08:00
|
|
|
if (ext4_has_feature_project(inode->i_sb))
|
|
|
|
fa->fsx_projid = from_kprojid(&init_user_ns, ei->i_projid);
|
2021-04-07 20:36:43 +08:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
int ext4_fileattr_set(struct user_namespace *mnt_userns,
|
|
|
|
struct dentry *dentry, struct fileattr *fa)
|
|
|
|
{
|
|
|
|
struct inode *inode = d_inode(dentry);
|
|
|
|
u32 flags = fa->flags;
|
|
|
|
int err = -EOPNOTSUPP;
|
|
|
|
|
|
|
|
if (flags & ~EXT4_FL_USER_VISIBLE)
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* chattr(1) grabs flags via GETFLAGS, modifies the result and
|
|
|
|
* passes that to SETFLAGS. So we cannot easily make SETFLAGS
|
|
|
|
* more restrictive than just silently masking off visible but
|
|
|
|
* not settable flags as we always did.
|
|
|
|
*/
|
|
|
|
flags &= EXT4_FL_USER_MODIFIABLE;
|
|
|
|
if (ext4_mask_flags(inode->i_mode, flags) != flags)
|
|
|
|
goto out;
|
|
|
|
err = ext4_ioctl_check_immutable(inode, fa->fsx_projid, flags);
|
|
|
|
if (err)
|
|
|
|
goto out;
|
|
|
|
err = ext4_ioctl_setflags(inode, flags);
|
|
|
|
if (err)
|
|
|
|
goto out;
|
|
|
|
err = ext4_ioctl_setproject(inode, fa->fsx_projid);
|
|
|
|
out:
|
|
|
|
return err;
|
ext4: fix setattr project check in fssetxattr ioctl
Currently, project quota could be changed by fssetxattr
ioctl, and existed permission check inode_owner_or_capable()
is obviously not enough, just think that common users could
change project id of file, that could make users to
break project quota easily.
This patch try to follow same regular of xfs project
quota:
"Project Quota ID state is only allowed to change from
within the init namespace. Enforce that restriction only
if we are trying to change the quota ID state.
Everything else is allowed in user namespaces."
Besides that, check and set project id'state should
be an atomic operation, protect whole operation with
inode lock, ext4_ioctl_setproject() is only used for
ioctl EXT4_IOC_FSSETXATTR, we have held mnt_want_write_file()
before ext4_ioctl_setflags(), and ext4_ioctl_setproject()
is called after ext4_ioctl_setflags(), we could share
codes, so remove it inside ext4_ioctl_setproject().
Signed-off-by: Wang Shilong <wshilong@ddn.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Cc: stable@kernel.org
2018-10-03 22:33:32 +08:00
|
|
|
}
|
|
|
|
|
2019-08-12 04:32:41 +08:00
|
|
|
/* So that the fiemap access checks can't overflow on 32 bit machines. */
|
|
|
|
#define FIEMAP_MAX_EXTENTS (UINT_MAX / sizeof(struct fiemap_extent))
|
|
|
|
|
|
|
|
static int ext4_ioctl_get_es_cache(struct file *filp, unsigned long arg)
|
|
|
|
{
|
|
|
|
struct fiemap fiemap;
|
|
|
|
struct fiemap __user *ufiemap = (struct fiemap __user *) arg;
|
|
|
|
struct fiemap_extent_info fieinfo = { 0, };
|
|
|
|
struct inode *inode = file_inode(filp);
|
|
|
|
int error;
|
|
|
|
|
|
|
|
if (copy_from_user(&fiemap, ufiemap, sizeof(fiemap)))
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
if (fiemap.fm_extent_count > FIEMAP_MAX_EXTENTS)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
fieinfo.fi_flags = fiemap.fm_flags;
|
|
|
|
fieinfo.fi_extents_max = fiemap.fm_extent_count;
|
|
|
|
fieinfo.fi_extents_start = ufiemap->fm_extents;
|
|
|
|
|
2020-05-05 23:43:15 +08:00
|
|
|
error = ext4_get_es_cache(inode, &fieinfo, fiemap.fm_start,
|
|
|
|
fiemap.fm_length);
|
2019-08-12 04:32:41 +08:00
|
|
|
fiemap.fm_flags = fieinfo.fi_flags;
|
|
|
|
fiemap.fm_mapped_extents = fieinfo.fi_extents_mapped;
|
|
|
|
if (copy_to_user(ufiemap, &fiemap, sizeof(fiemap)))
|
|
|
|
error = -EFAULT;
|
|
|
|
|
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
ext4: add ioctl EXT4_IOC_CHECKPOINT
ioctl EXT4_IOC_CHECKPOINT checkpoints and flushes the journal. This
includes forcing all the transactions to the log, checkpointing the
transactions, and flushing the log to disk. This ioctl takes u32 "flags"
as an argument. Three flags are supported. EXT4_IOC_CHECKPOINT_FLAG_DRY_RUN
can be used to verify input to the ioctl. It returns error if there is any
invalid input, otherwise it returns success without performing
any checkpointing. The other two flags, EXT4_IOC_CHECKPOINT_FLAG_DISCARD
and EXT4_IOC_CHECKPOINT_FLAG_ZEROOUT, can be used to issue requests to
discard or zeroout the journal logs blocks, respectively. At this
point, EXT4_IOC_CHECKPOINT_FLAG_ZEROOUT is primarily added to enable
testing of this codepath on devices that don't support discard.
EXT4_IOC_CHECKPOINT_FLAG_DISCARD and EXT4_IOC_CHECKPOINT_FLAG_ZEROOUT
cannot both be set.
Systems that wish to achieve content deletion SLO can set up a daemon
that calls this ioctl at a regular interval such that it matches with the
SLO requirement. Thus, with this patch, the ext4_dir_entry2 wipeout
patch[1], and the Ext4 "-o discard" mount option set, Ext4 can now
guarantee that all file contents, file metatdata, and filenames will not
be accessible through the filesystem and will have had discard or
zeroout requests issued for corresponding device blocks.
The __jbd2_journal_erase function could also be used to discard or
zero-fill the journal during journal load after recovery. This would
provide a potential solution to a journal replay bug reported earlier this
year[2]. After a successful journal recovery, e2fsck can call this ioctl to
discard the journal as well.
[1] https://lore.kernel.org/linux-ext4/YIHknqxngB1sUdie@mit.edu/
[2] https://lore.kernel.org/linux-ext4/YDZoaacIYStFQT8g@mit.edu/
Link: https://lore.kernel.org/r/20210518151327.130198-2-leah.rumancik@gmail.com
Signed-off-by: Leah Rumancik <leah.rumancik@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
2021-05-18 23:13:26 +08:00
|
|
|
static int ext4_ioctl_checkpoint(struct file *filp, unsigned long arg)
|
|
|
|
{
|
|
|
|
int err = 0;
|
|
|
|
__u32 flags = 0;
|
|
|
|
unsigned int flush_flags = 0;
|
|
|
|
struct super_block *sb = file_inode(filp)->i_sb;
|
|
|
|
struct request_queue *q;
|
|
|
|
|
|
|
|
if (copy_from_user(&flags, (__u32 __user *)arg,
|
|
|
|
sizeof(__u32)))
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
if (!capable(CAP_SYS_ADMIN))
|
|
|
|
return -EPERM;
|
|
|
|
|
|
|
|
/* check for invalid bits set */
|
|
|
|
if ((flags & ~EXT4_IOC_CHECKPOINT_FLAG_VALID) ||
|
|
|
|
((flags & JBD2_JOURNAL_FLUSH_DISCARD) &&
|
|
|
|
(flags & JBD2_JOURNAL_FLUSH_ZEROOUT)))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (!EXT4_SB(sb)->s_journal)
|
|
|
|
return -ENODEV;
|
|
|
|
|
2021-07-03 01:21:06 +08:00
|
|
|
if (flags & ~EXT4_IOC_CHECKPOINT_FLAG_VALID)
|
ext4: add ioctl EXT4_IOC_CHECKPOINT
ioctl EXT4_IOC_CHECKPOINT checkpoints and flushes the journal. This
includes forcing all the transactions to the log, checkpointing the
transactions, and flushing the log to disk. This ioctl takes u32 "flags"
as an argument. Three flags are supported. EXT4_IOC_CHECKPOINT_FLAG_DRY_RUN
can be used to verify input to the ioctl. It returns error if there is any
invalid input, otherwise it returns success without performing
any checkpointing. The other two flags, EXT4_IOC_CHECKPOINT_FLAG_DISCARD
and EXT4_IOC_CHECKPOINT_FLAG_ZEROOUT, can be used to issue requests to
discard or zeroout the journal logs blocks, respectively. At this
point, EXT4_IOC_CHECKPOINT_FLAG_ZEROOUT is primarily added to enable
testing of this codepath on devices that don't support discard.
EXT4_IOC_CHECKPOINT_FLAG_DISCARD and EXT4_IOC_CHECKPOINT_FLAG_ZEROOUT
cannot both be set.
Systems that wish to achieve content deletion SLO can set up a daemon
that calls this ioctl at a regular interval such that it matches with the
SLO requirement. Thus, with this patch, the ext4_dir_entry2 wipeout
patch[1], and the Ext4 "-o discard" mount option set, Ext4 can now
guarantee that all file contents, file metatdata, and filenames will not
be accessible through the filesystem and will have had discard or
zeroout requests issued for corresponding device blocks.
The __jbd2_journal_erase function could also be used to discard or
zero-fill the journal during journal load after recovery. This would
provide a potential solution to a journal replay bug reported earlier this
year[2]. After a successful journal recovery, e2fsck can call this ioctl to
discard the journal as well.
[1] https://lore.kernel.org/linux-ext4/YIHknqxngB1sUdie@mit.edu/
[2] https://lore.kernel.org/linux-ext4/YDZoaacIYStFQT8g@mit.edu/
Link: https://lore.kernel.org/r/20210518151327.130198-2-leah.rumancik@gmail.com
Signed-off-by: Leah Rumancik <leah.rumancik@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
2021-05-18 23:13:26 +08:00
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
q = bdev_get_queue(EXT4_SB(sb)->s_journal->j_dev);
|
|
|
|
if (!q)
|
|
|
|
return -ENXIO;
|
|
|
|
if ((flags & JBD2_JOURNAL_FLUSH_DISCARD) && !blk_queue_discard(q))
|
|
|
|
return -EOPNOTSUPP;
|
|
|
|
|
|
|
|
if (flags & EXT4_IOC_CHECKPOINT_FLAG_DRY_RUN)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
if (flags & EXT4_IOC_CHECKPOINT_FLAG_DISCARD)
|
|
|
|
flush_flags |= JBD2_JOURNAL_FLUSH_DISCARD;
|
|
|
|
|
|
|
|
if (flags & EXT4_IOC_CHECKPOINT_FLAG_ZEROOUT) {
|
|
|
|
flush_flags |= JBD2_JOURNAL_FLUSH_ZEROOUT;
|
|
|
|
pr_info_ratelimited("warning: checkpointing journal with EXT4_IOC_CHECKPOINT_FLAG_ZEROOUT can be slow");
|
|
|
|
}
|
|
|
|
|
|
|
|
jbd2_journal_lock_updates(EXT4_SB(sb)->s_journal);
|
|
|
|
err = jbd2_journal_flush(EXT4_SB(sb)->s_journal, flush_flags);
|
|
|
|
jbd2_journal_unlock_updates(EXT4_SB(sb)->s_journal);
|
|
|
|
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2020-10-16 04:37:57 +08:00
|
|
|
static long __ext4_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
2006-10-11 16:20:50 +08:00
|
|
|
{
|
2013-01-24 06:07:38 +08:00
|
|
|
struct inode *inode = file_inode(filp);
|
2011-09-10 06:36:51 +08:00
|
|
|
struct super_block *sb = inode->i_sb;
|
2021-01-21 21:19:57 +08:00
|
|
|
struct user_namespace *mnt_userns = file_mnt_user_ns(filp);
|
2006-10-11 16:20:50 +08:00
|
|
|
|
2008-09-09 10:25:24 +08:00
|
|
|
ext4_debug("cmd = %u, arg = %lu\n", cmd, arg);
|
2006-10-11 16:20:50 +08:00
|
|
|
|
|
|
|
switch (cmd) {
|
2017-04-30 12:36:53 +08:00
|
|
|
case FS_IOC_GETFSMAP:
|
|
|
|
return ext4_ioc_getfsmap(sb, (void __user *)arg);
|
2006-10-11 16:20:53 +08:00
|
|
|
case EXT4_IOC_GETVERSION:
|
|
|
|
case EXT4_IOC_GETVERSION_OLD:
|
2006-10-11 16:20:50 +08:00
|
|
|
return put_user(inode->i_generation, (int __user *) arg);
|
2006-10-11 16:20:53 +08:00
|
|
|
case EXT4_IOC_SETVERSION:
|
|
|
|
case EXT4_IOC_SETVERSION_OLD: {
|
2006-10-11 16:20:50 +08:00
|
|
|
handle_t *handle;
|
2006-10-11 16:20:53 +08:00
|
|
|
struct ext4_iloc iloc;
|
2006-10-11 16:20:50 +08:00
|
|
|
__u32 generation;
|
|
|
|
int err;
|
|
|
|
|
2021-01-21 21:19:57 +08:00
|
|
|
if (!inode_owner_or_capable(mnt_userns, inode))
|
2006-10-11 16:20:50 +08:00
|
|
|
return -EPERM;
|
2008-02-16 06:37:46 +08:00
|
|
|
|
2014-10-13 15:36:16 +08:00
|
|
|
if (ext4_has_metadata_csum(inode->i_sb)) {
|
2012-04-30 06:31:10 +08:00
|
|
|
ext4_warning(sb, "Setting inode version is not "
|
|
|
|
"supported with metadata_csum enabled.");
|
|
|
|
return -ENOTTY;
|
|
|
|
}
|
|
|
|
|
2011-11-24 00:57:51 +08:00
|
|
|
err = mnt_want_write_file(filp);
|
2008-02-16 06:37:46 +08:00
|
|
|
if (err)
|
|
|
|
return err;
|
|
|
|
if (get_user(generation, (int __user *) arg)) {
|
|
|
|
err = -EFAULT;
|
|
|
|
goto setversion_out;
|
|
|
|
}
|
2006-10-11 16:20:50 +08:00
|
|
|
|
2016-01-23 04:40:57 +08:00
|
|
|
inode_lock(inode);
|
2013-02-09 10:59:22 +08:00
|
|
|
handle = ext4_journal_start(inode, EXT4_HT_INODE, 1);
|
2008-02-16 06:37:46 +08:00
|
|
|
if (IS_ERR(handle)) {
|
|
|
|
err = PTR_ERR(handle);
|
2012-01-03 09:31:52 +08:00
|
|
|
goto unlock_out;
|
2008-02-16 06:37:46 +08:00
|
|
|
}
|
2006-10-11 16:20:53 +08:00
|
|
|
err = ext4_reserve_inode_write(handle, inode, &iloc);
|
2006-10-11 16:20:50 +08:00
|
|
|
if (err == 0) {
|
2016-11-15 10:40:10 +08:00
|
|
|
inode->i_ctime = current_time(inode);
|
2006-10-11 16:20:50 +08:00
|
|
|
inode->i_generation = generation;
|
2006-10-11 16:20:53 +08:00
|
|
|
err = ext4_mark_iloc_dirty(handle, inode, &iloc);
|
2006-10-11 16:20:50 +08:00
|
|
|
}
|
2006-10-11 16:20:53 +08:00
|
|
|
ext4_journal_stop(handle);
|
2012-01-03 09:31:52 +08:00
|
|
|
|
|
|
|
unlock_out:
|
2016-01-23 04:40:57 +08:00
|
|
|
inode_unlock(inode);
|
2008-02-16 06:37:46 +08:00
|
|
|
setversion_out:
|
2011-12-09 21:06:57 +08:00
|
|
|
mnt_drop_write_file(filp);
|
2006-10-11 16:20:50 +08:00
|
|
|
return err;
|
|
|
|
}
|
2006-10-11 16:20:53 +08:00
|
|
|
case EXT4_IOC_GROUP_EXTEND: {
|
|
|
|
ext4_fsblk_t n_blocks_count;
|
2009-07-13 21:30:17 +08:00
|
|
|
int err, err2=0;
|
2006-10-11 16:20:50 +08:00
|
|
|
|
2011-07-27 09:35:44 +08:00
|
|
|
err = ext4_resize_begin(sb);
|
|
|
|
if (err)
|
|
|
|
return err;
|
2006-10-11 16:20:50 +08:00
|
|
|
|
2012-01-05 06:09:52 +08:00
|
|
|
if (get_user(n_blocks_count, (__u32 __user *)arg)) {
|
|
|
|
err = -EFAULT;
|
|
|
|
goto group_extend_out;
|
|
|
|
}
|
2006-10-11 16:20:50 +08:00
|
|
|
|
2021-07-01 08:54:22 +08:00
|
|
|
if (ext4_has_feature_bigalloc(sb)) {
|
|
|
|
ext4_msg(sb, KERN_ERR,
|
|
|
|
"Online resizing not supported with bigalloc");
|
|
|
|
err = -EOPNOTSUPP;
|
|
|
|
goto group_extend_out;
|
|
|
|
}
|
|
|
|
|
2011-11-24 00:57:51 +08:00
|
|
|
err = mnt_want_write_file(filp);
|
2008-02-16 06:37:46 +08:00
|
|
|
if (err)
|
2012-01-05 06:09:52 +08:00
|
|
|
goto group_extend_out;
|
2008-02-16 06:37:46 +08:00
|
|
|
|
2006-10-11 16:20:53 +08:00
|
|
|
err = ext4_group_extend(sb, EXT4_SB(sb)->s_es, n_blocks_count);
|
2009-07-13 21:30:17 +08:00
|
|
|
if (EXT4_SB(sb)->s_journal) {
|
|
|
|
jbd2_journal_lock_updates(EXT4_SB(sb)->s_journal);
|
2021-05-18 23:13:25 +08:00
|
|
|
err2 = jbd2_journal_flush(EXT4_SB(sb)->s_journal, 0);
|
2009-07-13 21:30:17 +08:00
|
|
|
jbd2_journal_unlock_updates(EXT4_SB(sb)->s_journal);
|
|
|
|
}
|
2008-10-11 08:29:21 +08:00
|
|
|
if (err == 0)
|
|
|
|
err = err2;
|
2011-12-09 21:06:57 +08:00
|
|
|
mnt_drop_write_file(filp);
|
2012-01-05 06:09:52 +08:00
|
|
|
group_extend_out:
|
2011-07-27 09:35:44 +08:00
|
|
|
ext4_resize_end(sb);
|
2006-10-11 16:20:50 +08:00
|
|
|
return err;
|
|
|
|
}
|
2009-06-18 07:24:03 +08:00
|
|
|
|
|
|
|
case EXT4_IOC_MOVE_EXT: {
|
|
|
|
struct move_extent me;
|
2012-08-29 00:52:22 +08:00
|
|
|
struct fd donor;
|
|
|
|
int err;
|
2009-06-18 07:24:03 +08:00
|
|
|
|
2009-12-07 12:38:31 +08:00
|
|
|
if (!(filp->f_mode & FMODE_READ) ||
|
|
|
|
!(filp->f_mode & FMODE_WRITE))
|
|
|
|
return -EBADF;
|
|
|
|
|
2009-06-18 07:24:03 +08:00
|
|
|
if (copy_from_user(&me,
|
|
|
|
(struct move_extent __user *)arg, sizeof(me)))
|
|
|
|
return -EFAULT;
|
2009-12-07 12:38:31 +08:00
|
|
|
me.moved_len = 0;
|
2009-06-18 07:24:03 +08:00
|
|
|
|
2012-08-29 00:52:22 +08:00
|
|
|
donor = fdget(me.donor_fd);
|
|
|
|
if (!donor.file)
|
2009-06-18 07:24:03 +08:00
|
|
|
return -EBADF;
|
|
|
|
|
2012-08-29 00:52:22 +08:00
|
|
|
if (!(donor.file->f_mode & FMODE_WRITE)) {
|
2009-12-07 12:38:31 +08:00
|
|
|
err = -EBADF;
|
|
|
|
goto mext_out;
|
2009-06-18 07:24:03 +08:00
|
|
|
}
|
|
|
|
|
2015-10-18 04:18:43 +08:00
|
|
|
if (ext4_has_feature_bigalloc(sb)) {
|
2011-09-10 06:36:51 +08:00
|
|
|
ext4_msg(sb, KERN_ERR,
|
|
|
|
"Online defrag not supported with bigalloc");
|
2012-08-27 09:00:03 +08:00
|
|
|
err = -EOPNOTSUPP;
|
|
|
|
goto mext_out;
|
2016-02-27 07:19:49 +08:00
|
|
|
} else if (IS_DAX(inode)) {
|
|
|
|
ext4_msg(sb, KERN_ERR,
|
|
|
|
"Online defrag not supported with DAX");
|
|
|
|
err = -EOPNOTSUPP;
|
|
|
|
goto mext_out;
|
2011-09-10 06:36:51 +08:00
|
|
|
}
|
|
|
|
|
2011-11-24 00:57:51 +08:00
|
|
|
err = mnt_want_write_file(filp);
|
2009-12-07 12:38:31 +08:00
|
|
|
if (err)
|
|
|
|
goto mext_out;
|
|
|
|
|
2012-08-29 00:52:22 +08:00
|
|
|
err = ext4_move_extents(filp, donor.file, me.orig_start,
|
2009-06-18 07:24:03 +08:00
|
|
|
me.donor_start, me.len, &me.moved_len);
|
2011-12-09 21:06:57 +08:00
|
|
|
mnt_drop_write_file(filp);
|
2009-06-18 07:24:03 +08:00
|
|
|
|
2010-05-17 19:00:00 +08:00
|
|
|
if (copy_to_user((struct move_extent __user *)arg,
|
2010-03-04 13:39:24 +08:00
|
|
|
&me, sizeof(me)))
|
2009-12-07 12:38:31 +08:00
|
|
|
err = -EFAULT;
|
|
|
|
mext_out:
|
2012-08-29 00:52:22 +08:00
|
|
|
fdput(donor);
|
2009-06-18 07:24:03 +08:00
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2006-10-11 16:20:53 +08:00
|
|
|
case EXT4_IOC_GROUP_ADD: {
|
|
|
|
struct ext4_new_group_data input;
|
2006-10-11 16:20:50 +08:00
|
|
|
|
2006-10-11 16:20:53 +08:00
|
|
|
if (copy_from_user(&input, (struct ext4_new_group_input __user *)arg,
|
2017-09-30 09:39:59 +08:00
|
|
|
sizeof(input)))
|
|
|
|
return -EFAULT;
|
2008-02-16 06:37:46 +08:00
|
|
|
|
2017-09-30 09:39:59 +08:00
|
|
|
return ext4_ioctl_group_add(filp, &input);
|
2006-10-11 16:20:50 +08:00
|
|
|
}
|
|
|
|
|
2008-01-29 12:58:26 +08:00
|
|
|
case EXT4_IOC_MIGRATE:
|
2008-09-14 00:52:26 +08:00
|
|
|
{
|
|
|
|
int err;
|
2021-01-21 21:19:57 +08:00
|
|
|
if (!inode_owner_or_capable(mnt_userns, inode))
|
2008-09-14 00:52:26 +08:00
|
|
|
return -EACCES;
|
|
|
|
|
2011-11-24 00:57:51 +08:00
|
|
|
err = mnt_want_write_file(filp);
|
2008-09-14 00:52:26 +08:00
|
|
|
if (err)
|
|
|
|
return err;
|
|
|
|
/*
|
|
|
|
* inode_mutex prevent write and truncate on the file.
|
|
|
|
* Read still goes through. We take i_data_sem in
|
|
|
|
* ext4_ext_swap_inode_data before we switch the
|
|
|
|
* inode format to prevent read.
|
|
|
|
*/
|
2016-01-23 04:40:57 +08:00
|
|
|
inode_lock((inode));
|
2008-09-14 00:52:26 +08:00
|
|
|
err = ext4_ext_migrate(inode);
|
2016-01-23 04:40:57 +08:00
|
|
|
inode_unlock((inode));
|
2011-12-09 21:06:57 +08:00
|
|
|
mnt_drop_write_file(filp);
|
2008-09-14 00:52:26 +08:00
|
|
|
return err;
|
|
|
|
}
|
2008-01-29 12:58:26 +08:00
|
|
|
|
2009-02-26 14:04:07 +08:00
|
|
|
case EXT4_IOC_ALLOC_DA_BLKS:
|
|
|
|
{
|
|
|
|
int err;
|
2021-01-21 21:19:57 +08:00
|
|
|
if (!inode_owner_or_capable(mnt_userns, inode))
|
2009-02-26 14:04:07 +08:00
|
|
|
return -EACCES;
|
|
|
|
|
2011-11-24 00:57:51 +08:00
|
|
|
err = mnt_want_write_file(filp);
|
2009-02-26 14:04:07 +08:00
|
|
|
if (err)
|
|
|
|
return err;
|
|
|
|
err = ext4_alloc_da_blocks(inode);
|
2011-12-09 21:06:57 +08:00
|
|
|
mnt_drop_write_file(filp);
|
2009-02-26 14:04:07 +08:00
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2013-04-09 00:54:05 +08:00
|
|
|
case EXT4_IOC_SWAP_BOOT:
|
2014-10-04 00:47:23 +08:00
|
|
|
{
|
|
|
|
int err;
|
2013-04-09 00:54:05 +08:00
|
|
|
if (!(filp->f_mode & FMODE_WRITE))
|
|
|
|
return -EBADF;
|
2014-10-04 00:47:23 +08:00
|
|
|
err = mnt_want_write_file(filp);
|
|
|
|
if (err)
|
|
|
|
return err;
|
2021-01-21 21:19:57 +08:00
|
|
|
err = swap_inode_boot_loader(sb, mnt_userns, inode);
|
2014-10-04 00:47:23 +08:00
|
|
|
mnt_drop_write_file(filp);
|
|
|
|
return err;
|
|
|
|
}
|
2013-04-09 00:54:05 +08:00
|
|
|
|
2012-01-05 06:09:44 +08:00
|
|
|
case EXT4_IOC_RESIZE_FS: {
|
|
|
|
ext4_fsblk_t n_blocks_count;
|
|
|
|
int err = 0, err2 = 0;
|
2013-01-13 21:41:45 +08:00
|
|
|
ext4_group_t o_group = EXT4_SB(sb)->s_groups_count;
|
2012-01-05 06:09:44 +08:00
|
|
|
|
|
|
|
if (copy_from_user(&n_blocks_count, (__u64 __user *)arg,
|
|
|
|
sizeof(__u64))) {
|
|
|
|
return -EFAULT;
|
|
|
|
}
|
|
|
|
|
|
|
|
err = ext4_resize_begin(sb);
|
|
|
|
if (err)
|
|
|
|
return err;
|
|
|
|
|
2012-07-19 15:19:07 +08:00
|
|
|
err = mnt_want_write_file(filp);
|
2012-01-05 06:09:44 +08:00
|
|
|
if (err)
|
|
|
|
goto resizefs_out;
|
|
|
|
|
|
|
|
err = ext4_resize_fs(sb, n_blocks_count);
|
|
|
|
if (EXT4_SB(sb)->s_journal) {
|
2020-10-16 04:37:57 +08:00
|
|
|
ext4_fc_mark_ineligible(sb, EXT4_FC_REASON_RESIZE);
|
2012-01-05 06:09:44 +08:00
|
|
|
jbd2_journal_lock_updates(EXT4_SB(sb)->s_journal);
|
2021-05-18 23:13:25 +08:00
|
|
|
err2 = jbd2_journal_flush(EXT4_SB(sb)->s_journal, 0);
|
2012-01-05 06:09:44 +08:00
|
|
|
jbd2_journal_unlock_updates(EXT4_SB(sb)->s_journal);
|
|
|
|
}
|
|
|
|
if (err == 0)
|
|
|
|
err = err2;
|
2012-07-19 15:19:07 +08:00
|
|
|
mnt_drop_write_file(filp);
|
2019-04-26 01:06:18 +08:00
|
|
|
if (!err && (o_group < EXT4_SB(sb)->s_groups_count) &&
|
2013-01-13 21:41:45 +08:00
|
|
|
ext4_has_group_desc_csum(sb) &&
|
|
|
|
test_opt(sb, INIT_INODE_TABLE))
|
|
|
|
err = ext4_register_li_request(sb, o_group);
|
|
|
|
|
2012-01-05 06:09:44 +08:00
|
|
|
resizefs_out:
|
|
|
|
ext4_resize_end(sb);
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2010-11-20 10:47:07 +08:00
|
|
|
case FITRIM:
|
|
|
|
{
|
2011-02-24 01:42:32 +08:00
|
|
|
struct request_queue *q = bdev_get_queue(sb->s_bdev);
|
2010-11-20 10:47:07 +08:00
|
|
|
struct fstrim_range range;
|
|
|
|
int ret = 0;
|
|
|
|
|
|
|
|
if (!capable(CAP_SYS_ADMIN))
|
|
|
|
return -EPERM;
|
|
|
|
|
2011-02-24 01:42:32 +08:00
|
|
|
if (!blk_queue_discard(q))
|
|
|
|
return -EOPNOTSUPP;
|
|
|
|
|
2019-03-24 00:10:29 +08:00
|
|
|
/*
|
|
|
|
* We haven't replayed the journal, so we cannot use our
|
|
|
|
* block-bitmap-guided storage zapping commands.
|
|
|
|
*/
|
|
|
|
if (test_opt(sb, NOLOAD) && ext4_has_feature_journal(sb))
|
|
|
|
return -EROFS;
|
|
|
|
|
2011-10-18 22:59:51 +08:00
|
|
|
if (copy_from_user(&range, (struct fstrim_range __user *)arg,
|
2010-11-20 10:47:07 +08:00
|
|
|
sizeof(range)))
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
ret = ext4_trim_fs(sb, &range);
|
|
|
|
if (ret < 0)
|
|
|
|
return ret;
|
|
|
|
|
2011-10-18 22:59:51 +08:00
|
|
|
if (copy_to_user((struct fstrim_range __user *)arg, &range,
|
2010-11-20 10:47:07 +08:00
|
|
|
sizeof(range)))
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
2013-08-17 10:05:14 +08:00
|
|
|
case EXT4_IOC_PRECACHE_EXTENTS:
|
|
|
|
return ext4_ext_precache(inode);
|
2015-04-11 19:48:01 +08:00
|
|
|
|
2020-07-15 07:09:09 +08:00
|
|
|
case FS_IOC_SET_ENCRYPTION_POLICY:
|
2016-09-30 13:49:55 +08:00
|
|
|
if (!ext4_has_feature_encrypt(sb))
|
|
|
|
return -EOPNOTSUPP;
|
2016-11-27 08:07:49 +08:00
|
|
|
return fscrypt_ioctl_set_policy(filp, (const void __user *)arg);
|
2016-09-30 13:49:55 +08:00
|
|
|
|
2020-07-15 07:09:09 +08:00
|
|
|
case FS_IOC_GET_ENCRYPTION_PWSALT: {
|
2018-12-12 17:50:12 +08:00
|
|
|
#ifdef CONFIG_FS_ENCRYPTION
|
2015-04-11 19:48:01 +08:00
|
|
|
int err, err2;
|
|
|
|
struct ext4_sb_info *sbi = EXT4_SB(sb);
|
|
|
|
handle_t *handle;
|
|
|
|
|
2016-12-02 00:54:18 +08:00
|
|
|
if (!ext4_has_feature_encrypt(sb))
|
2015-04-11 19:48:01 +08:00
|
|
|
return -EOPNOTSUPP;
|
|
|
|
if (uuid_is_zero(sbi->s_es->s_encrypt_pw_salt)) {
|
|
|
|
err = mnt_want_write_file(filp);
|
|
|
|
if (err)
|
|
|
|
return err;
|
|
|
|
handle = ext4_journal_start_sb(sb, EXT4_HT_MISC, 1);
|
|
|
|
if (IS_ERR(handle)) {
|
|
|
|
err = PTR_ERR(handle);
|
|
|
|
goto pwsalt_err_exit;
|
|
|
|
}
|
2021-08-16 17:57:04 +08:00
|
|
|
err = ext4_journal_get_write_access(handle, sb,
|
|
|
|
sbi->s_sbh,
|
|
|
|
EXT4_JTR_NONE);
|
2015-04-11 19:48:01 +08:00
|
|
|
if (err)
|
|
|
|
goto pwsalt_err_journal;
|
2020-12-16 18:18:43 +08:00
|
|
|
lock_buffer(sbi->s_sbh);
|
2015-04-11 19:48:01 +08:00
|
|
|
generate_random_uuid(sbi->s_es->s_encrypt_pw_salt);
|
2020-12-16 18:18:43 +08:00
|
|
|
ext4_superblock_csum_set(sb);
|
|
|
|
unlock_buffer(sbi->s_sbh);
|
2015-04-11 19:48:01 +08:00
|
|
|
err = ext4_handle_dirty_metadata(handle, NULL,
|
|
|
|
sbi->s_sbh);
|
|
|
|
pwsalt_err_journal:
|
|
|
|
err2 = ext4_journal_stop(handle);
|
|
|
|
if (err2 && !err)
|
|
|
|
err = err2;
|
|
|
|
pwsalt_err_exit:
|
|
|
|
mnt_drop_write_file(filp);
|
|
|
|
if (err)
|
|
|
|
return err;
|
|
|
|
}
|
2015-06-09 00:23:21 +08:00
|
|
|
if (copy_to_user((void __user *) arg,
|
|
|
|
sbi->s_es->s_encrypt_pw_salt, 16))
|
2015-04-11 19:48:01 +08:00
|
|
|
return -EFAULT;
|
|
|
|
return 0;
|
2016-12-02 00:55:51 +08:00
|
|
|
#else
|
|
|
|
return -EOPNOTSUPP;
|
|
|
|
#endif
|
2015-04-11 19:48:01 +08:00
|
|
|
}
|
2020-07-15 07:09:09 +08:00
|
|
|
case FS_IOC_GET_ENCRYPTION_POLICY:
|
2019-08-04 17:56:43 +08:00
|
|
|
if (!ext4_has_feature_encrypt(sb))
|
|
|
|
return -EOPNOTSUPP;
|
2016-11-27 08:07:49 +08:00
|
|
|
return fscrypt_ioctl_get_policy(filp, (void __user *)arg);
|
2015-04-11 19:48:01 +08:00
|
|
|
|
2019-08-05 10:35:48 +08:00
|
|
|
case FS_IOC_GET_ENCRYPTION_POLICY_EX:
|
|
|
|
if (!ext4_has_feature_encrypt(sb))
|
|
|
|
return -EOPNOTSUPP;
|
|
|
|
return fscrypt_ioctl_get_policy_ex(filp, (void __user *)arg);
|
|
|
|
|
|
|
|
case FS_IOC_ADD_ENCRYPTION_KEY:
|
|
|
|
if (!ext4_has_feature_encrypt(sb))
|
|
|
|
return -EOPNOTSUPP;
|
|
|
|
return fscrypt_ioctl_add_key(filp, (void __user *)arg);
|
|
|
|
|
|
|
|
case FS_IOC_REMOVE_ENCRYPTION_KEY:
|
|
|
|
if (!ext4_has_feature_encrypt(sb))
|
|
|
|
return -EOPNOTSUPP;
|
|
|
|
return fscrypt_ioctl_remove_key(filp, (void __user *)arg);
|
|
|
|
|
|
|
|
case FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS:
|
|
|
|
if (!ext4_has_feature_encrypt(sb))
|
|
|
|
return -EOPNOTSUPP;
|
|
|
|
return fscrypt_ioctl_remove_key_all_users(filp,
|
|
|
|
(void __user *)arg);
|
|
|
|
case FS_IOC_GET_ENCRYPTION_KEY_STATUS:
|
|
|
|
if (!ext4_has_feature_encrypt(sb))
|
|
|
|
return -EOPNOTSUPP;
|
|
|
|
return fscrypt_ioctl_get_key_status(filp, (void __user *)arg);
|
|
|
|
|
2020-03-15 04:50:50 +08:00
|
|
|
case FS_IOC_GET_ENCRYPTION_NONCE:
|
|
|
|
if (!ext4_has_feature_encrypt(sb))
|
|
|
|
return -EOPNOTSUPP;
|
|
|
|
return fscrypt_ioctl_get_nonce(filp, (void __user *)arg);
|
|
|
|
|
2019-08-12 04:30:41 +08:00
|
|
|
case EXT4_IOC_CLEAR_ES_CACHE:
|
|
|
|
{
|
2021-01-21 21:19:57 +08:00
|
|
|
if (!inode_owner_or_capable(mnt_userns, inode))
|
2019-08-12 04:30:41 +08:00
|
|
|
return -EACCES;
|
|
|
|
ext4_clear_inode_es(inode);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2019-08-12 04:31:41 +08:00
|
|
|
case EXT4_IOC_GETSTATE:
|
|
|
|
{
|
|
|
|
__u32 state = 0;
|
|
|
|
|
|
|
|
if (ext4_test_inode_state(inode, EXT4_STATE_EXT_PRECACHED))
|
|
|
|
state |= EXT4_STATE_FLAG_EXT_PRECACHED;
|
|
|
|
if (ext4_test_inode_state(inode, EXT4_STATE_NEW))
|
|
|
|
state |= EXT4_STATE_FLAG_NEW;
|
|
|
|
if (ext4_test_inode_state(inode, EXT4_STATE_NEWENTRY))
|
|
|
|
state |= EXT4_STATE_FLAG_NEWENTRY;
|
|
|
|
if (ext4_test_inode_state(inode, EXT4_STATE_DA_ALLOC_CLOSE))
|
|
|
|
state |= EXT4_STATE_FLAG_DA_ALLOC_CLOSE;
|
|
|
|
|
|
|
|
return put_user(state, (__u32 __user *) arg);
|
|
|
|
}
|
|
|
|
|
2019-08-12 04:32:41 +08:00
|
|
|
case EXT4_IOC_GET_ES_CACHE:
|
|
|
|
return ext4_ioctl_get_es_cache(filp, arg);
|
|
|
|
|
2017-02-21 04:34:59 +08:00
|
|
|
case EXT4_IOC_SHUTDOWN:
|
|
|
|
return ext4_shutdown(sb, arg);
|
2019-07-23 00:26:24 +08:00
|
|
|
|
|
|
|
case FS_IOC_ENABLE_VERITY:
|
|
|
|
if (!ext4_has_feature_verity(sb))
|
|
|
|
return -EOPNOTSUPP;
|
|
|
|
return fsverity_ioctl_enable(filp, (const void __user *)arg);
|
|
|
|
|
|
|
|
case FS_IOC_MEASURE_VERITY:
|
|
|
|
if (!ext4_has_feature_verity(sb))
|
|
|
|
return -EOPNOTSUPP;
|
|
|
|
return fsverity_ioctl_measure(filp, (void __user *)arg);
|
|
|
|
|
fs-verity: add FS_IOC_READ_VERITY_METADATA ioctl
Add an ioctl FS_IOC_READ_VERITY_METADATA which will allow reading verity
metadata from a file that has fs-verity enabled, including:
- The Merkle tree
- The fsverity_descriptor (not including the signature if present)
- The built-in signature, if present
This ioctl has similar semantics to pread(). It is passed the type of
metadata to read (one of the above three), and a buffer, offset, and
size. It returns the number of bytes read or an error.
Separate patches will add support for each of the above metadata types.
This patch just adds the ioctl itself.
This ioctl doesn't make any assumption about where the metadata is
stored on-disk. It does assume the metadata is in a stable format, but
that's basically already the case:
- The Merkle tree and fsverity_descriptor are defined by how fs-verity
file digests are computed; see the "File digest computation" section
of Documentation/filesystems/fsverity.rst. Technically, the way in
which the levels of the tree are ordered relative to each other wasn't
previously specified, but it's logical to put the root level first.
- The built-in signature is the value passed to FS_IOC_ENABLE_VERITY.
This ioctl is useful because it allows writing a server program that
takes a verity file and serves it to a client program, such that the
client can do its own fs-verity compatible verification of the file.
This only makes sense if the client doesn't trust the server and if the
server needs to provide the storage for the client.
More concretely, there is interest in using this ability in Android to
export APK files (which are protected by fs-verity) to "protected VMs".
This would use Protected KVM (https://lwn.net/Articles/836693), which
provides an isolated execution environment without having to trust the
traditional "host". A "guest" VM can boot from a signed image and
perform specific tasks in a minimum trusted environment using files that
have fs-verity enabled on the host, without trusting the host or
requiring that the guest has its own trusted storage.
Technically, it would be possible to duplicate the metadata and store it
in separate files for serving. However, that would be less efficient
and would require extra care in userspace to maintain file consistency.
In addition to the above, the ability to read the built-in signatures is
useful because it allows a system that is using the in-kernel signature
verification to migrate to userspace signature verification.
Link: https://lore.kernel.org/r/20210115181819.34732-4-ebiggers@kernel.org
Reviewed-by: Victor Hsieh <victorhsieh@google.com>
Acked-by: Jaegeuk Kim <jaegeuk@kernel.org>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
2021-01-16 02:18:16 +08:00
|
|
|
case FS_IOC_READ_VERITY_METADATA:
|
|
|
|
if (!ext4_has_feature_verity(sb))
|
|
|
|
return -EOPNOTSUPP;
|
|
|
|
return fsverity_ioctl_read_metadata(filp,
|
|
|
|
(const void __user *)arg);
|
|
|
|
|
ext4: add ioctl EXT4_IOC_CHECKPOINT
ioctl EXT4_IOC_CHECKPOINT checkpoints and flushes the journal. This
includes forcing all the transactions to the log, checkpointing the
transactions, and flushing the log to disk. This ioctl takes u32 "flags"
as an argument. Three flags are supported. EXT4_IOC_CHECKPOINT_FLAG_DRY_RUN
can be used to verify input to the ioctl. It returns error if there is any
invalid input, otherwise it returns success without performing
any checkpointing. The other two flags, EXT4_IOC_CHECKPOINT_FLAG_DISCARD
and EXT4_IOC_CHECKPOINT_FLAG_ZEROOUT, can be used to issue requests to
discard or zeroout the journal logs blocks, respectively. At this
point, EXT4_IOC_CHECKPOINT_FLAG_ZEROOUT is primarily added to enable
testing of this codepath on devices that don't support discard.
EXT4_IOC_CHECKPOINT_FLAG_DISCARD and EXT4_IOC_CHECKPOINT_FLAG_ZEROOUT
cannot both be set.
Systems that wish to achieve content deletion SLO can set up a daemon
that calls this ioctl at a regular interval such that it matches with the
SLO requirement. Thus, with this patch, the ext4_dir_entry2 wipeout
patch[1], and the Ext4 "-o discard" mount option set, Ext4 can now
guarantee that all file contents, file metatdata, and filenames will not
be accessible through the filesystem and will have had discard or
zeroout requests issued for corresponding device blocks.
The __jbd2_journal_erase function could also be used to discard or
zero-fill the journal during journal load after recovery. This would
provide a potential solution to a journal replay bug reported earlier this
year[2]. After a successful journal recovery, e2fsck can call this ioctl to
discard the journal as well.
[1] https://lore.kernel.org/linux-ext4/YIHknqxngB1sUdie@mit.edu/
[2] https://lore.kernel.org/linux-ext4/YDZoaacIYStFQT8g@mit.edu/
Link: https://lore.kernel.org/r/20210518151327.130198-2-leah.rumancik@gmail.com
Signed-off-by: Leah Rumancik <leah.rumancik@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
2021-05-18 23:13:26 +08:00
|
|
|
case EXT4_IOC_CHECKPOINT:
|
|
|
|
return ext4_ioctl_checkpoint(filp, arg);
|
|
|
|
|
2006-10-11 16:20:50 +08:00
|
|
|
default:
|
|
|
|
return -ENOTTY;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-10-16 04:37:57 +08:00
|
|
|
long ext4_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|
|
|
{
|
2021-12-24 04:21:37 +08:00
|
|
|
return __ext4_ioctl(filp, cmd, arg);
|
2020-10-16 04:37:57 +08:00
|
|
|
}
|
|
|
|
|
2006-10-11 16:20:50 +08:00
|
|
|
#ifdef CONFIG_COMPAT
|
2006-10-11 16:20:53 +08:00
|
|
|
long ext4_compat_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
|
2006-10-11 16:20:50 +08:00
|
|
|
{
|
|
|
|
/* These are just misnamed, they actually get/put from/to user an int */
|
|
|
|
switch (cmd) {
|
2006-10-11 16:20:53 +08:00
|
|
|
case EXT4_IOC32_GETVERSION:
|
|
|
|
cmd = EXT4_IOC_GETVERSION;
|
2006-10-11 16:20:50 +08:00
|
|
|
break;
|
2006-10-11 16:20:53 +08:00
|
|
|
case EXT4_IOC32_SETVERSION:
|
|
|
|
cmd = EXT4_IOC_SETVERSION;
|
2006-10-11 16:20:50 +08:00
|
|
|
break;
|
2006-10-11 16:20:53 +08:00
|
|
|
case EXT4_IOC32_GROUP_EXTEND:
|
|
|
|
cmd = EXT4_IOC_GROUP_EXTEND;
|
2006-10-11 16:20:50 +08:00
|
|
|
break;
|
2006-10-11 16:20:53 +08:00
|
|
|
case EXT4_IOC32_GETVERSION_OLD:
|
|
|
|
cmd = EXT4_IOC_GETVERSION_OLD;
|
2006-10-11 16:20:50 +08:00
|
|
|
break;
|
2006-10-11 16:20:53 +08:00
|
|
|
case EXT4_IOC32_SETVERSION_OLD:
|
|
|
|
cmd = EXT4_IOC_SETVERSION_OLD;
|
2006-10-11 16:20:50 +08:00
|
|
|
break;
|
2006-10-11 16:20:53 +08:00
|
|
|
case EXT4_IOC32_GETRSVSZ:
|
|
|
|
cmd = EXT4_IOC_GETRSVSZ;
|
2006-10-11 16:20:50 +08:00
|
|
|
break;
|
2006-10-11 16:20:53 +08:00
|
|
|
case EXT4_IOC32_SETRSVSZ:
|
|
|
|
cmd = EXT4_IOC_SETRSVSZ;
|
2006-10-11 16:20:50 +08:00
|
|
|
break;
|
2010-05-17 18:00:00 +08:00
|
|
|
case EXT4_IOC32_GROUP_ADD: {
|
|
|
|
struct compat_ext4_new_group_input __user *uinput;
|
2017-09-30 09:39:59 +08:00
|
|
|
struct ext4_new_group_data input;
|
2010-05-17 18:00:00 +08:00
|
|
|
int err;
|
|
|
|
|
|
|
|
uinput = compat_ptr(arg);
|
|
|
|
err = get_user(input.group, &uinput->group);
|
|
|
|
err |= get_user(input.block_bitmap, &uinput->block_bitmap);
|
|
|
|
err |= get_user(input.inode_bitmap, &uinput->inode_bitmap);
|
|
|
|
err |= get_user(input.inode_table, &uinput->inode_table);
|
|
|
|
err |= get_user(input.blocks_count, &uinput->blocks_count);
|
|
|
|
err |= get_user(input.reserved_blocks,
|
|
|
|
&uinput->reserved_blocks);
|
|
|
|
if (err)
|
|
|
|
return -EFAULT;
|
2017-09-30 09:39:59 +08:00
|
|
|
return ext4_ioctl_group_add(file, &input);
|
2010-05-17 18:00:00 +08:00
|
|
|
}
|
2010-05-15 12:00:00 +08:00
|
|
|
case EXT4_IOC_MOVE_EXT:
|
2012-01-05 06:09:44 +08:00
|
|
|
case EXT4_IOC_RESIZE_FS:
|
2019-06-03 19:51:58 +08:00
|
|
|
case FITRIM:
|
2013-08-17 10:05:14 +08:00
|
|
|
case EXT4_IOC_PRECACHE_EXTENTS:
|
2020-07-15 07:09:09 +08:00
|
|
|
case FS_IOC_SET_ENCRYPTION_POLICY:
|
|
|
|
case FS_IOC_GET_ENCRYPTION_PWSALT:
|
|
|
|
case FS_IOC_GET_ENCRYPTION_POLICY:
|
2019-08-05 10:35:48 +08:00
|
|
|
case FS_IOC_GET_ENCRYPTION_POLICY_EX:
|
|
|
|
case FS_IOC_ADD_ENCRYPTION_KEY:
|
|
|
|
case FS_IOC_REMOVE_ENCRYPTION_KEY:
|
|
|
|
case FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS:
|
|
|
|
case FS_IOC_GET_ENCRYPTION_KEY_STATUS:
|
2020-03-15 04:50:50 +08:00
|
|
|
case FS_IOC_GET_ENCRYPTION_NONCE:
|
2017-02-21 04:34:59 +08:00
|
|
|
case EXT4_IOC_SHUTDOWN:
|
2017-04-30 12:36:53 +08:00
|
|
|
case FS_IOC_GETFSMAP:
|
2019-07-23 00:26:24 +08:00
|
|
|
case FS_IOC_ENABLE_VERITY:
|
|
|
|
case FS_IOC_MEASURE_VERITY:
|
fs-verity: add FS_IOC_READ_VERITY_METADATA ioctl
Add an ioctl FS_IOC_READ_VERITY_METADATA which will allow reading verity
metadata from a file that has fs-verity enabled, including:
- The Merkle tree
- The fsverity_descriptor (not including the signature if present)
- The built-in signature, if present
This ioctl has similar semantics to pread(). It is passed the type of
metadata to read (one of the above three), and a buffer, offset, and
size. It returns the number of bytes read or an error.
Separate patches will add support for each of the above metadata types.
This patch just adds the ioctl itself.
This ioctl doesn't make any assumption about where the metadata is
stored on-disk. It does assume the metadata is in a stable format, but
that's basically already the case:
- The Merkle tree and fsverity_descriptor are defined by how fs-verity
file digests are computed; see the "File digest computation" section
of Documentation/filesystems/fsverity.rst. Technically, the way in
which the levels of the tree are ordered relative to each other wasn't
previously specified, but it's logical to put the root level first.
- The built-in signature is the value passed to FS_IOC_ENABLE_VERITY.
This ioctl is useful because it allows writing a server program that
takes a verity file and serves it to a client program, such that the
client can do its own fs-verity compatible verification of the file.
This only makes sense if the client doesn't trust the server and if the
server needs to provide the storage for the client.
More concretely, there is interest in using this ability in Android to
export APK files (which are protected by fs-verity) to "protected VMs".
This would use Protected KVM (https://lwn.net/Articles/836693), which
provides an isolated execution environment without having to trust the
traditional "host". A "guest" VM can boot from a signed image and
perform specific tasks in a minimum trusted environment using files that
have fs-verity enabled on the host, without trusting the host or
requiring that the guest has its own trusted storage.
Technically, it would be possible to duplicate the metadata and store it
in separate files for serving. However, that would be less efficient
and would require extra care in userspace to maintain file consistency.
In addition to the above, the ability to read the built-in signatures is
useful because it allows a system that is using the in-kernel signature
verification to migrate to userspace signature verification.
Link: https://lore.kernel.org/r/20210115181819.34732-4-ebiggers@kernel.org
Reviewed-by: Victor Hsieh <victorhsieh@google.com>
Acked-by: Jaegeuk Kim <jaegeuk@kernel.org>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
2021-01-16 02:18:16 +08:00
|
|
|
case FS_IOC_READ_VERITY_METADATA:
|
2019-08-12 04:30:41 +08:00
|
|
|
case EXT4_IOC_CLEAR_ES_CACHE:
|
2019-08-12 04:31:41 +08:00
|
|
|
case EXT4_IOC_GETSTATE:
|
2019-08-12 04:32:41 +08:00
|
|
|
case EXT4_IOC_GET_ES_CACHE:
|
ext4: add ioctl EXT4_IOC_CHECKPOINT
ioctl EXT4_IOC_CHECKPOINT checkpoints and flushes the journal. This
includes forcing all the transactions to the log, checkpointing the
transactions, and flushing the log to disk. This ioctl takes u32 "flags"
as an argument. Three flags are supported. EXT4_IOC_CHECKPOINT_FLAG_DRY_RUN
can be used to verify input to the ioctl. It returns error if there is any
invalid input, otherwise it returns success without performing
any checkpointing. The other two flags, EXT4_IOC_CHECKPOINT_FLAG_DISCARD
and EXT4_IOC_CHECKPOINT_FLAG_ZEROOUT, can be used to issue requests to
discard or zeroout the journal logs blocks, respectively. At this
point, EXT4_IOC_CHECKPOINT_FLAG_ZEROOUT is primarily added to enable
testing of this codepath on devices that don't support discard.
EXT4_IOC_CHECKPOINT_FLAG_DISCARD and EXT4_IOC_CHECKPOINT_FLAG_ZEROOUT
cannot both be set.
Systems that wish to achieve content deletion SLO can set up a daemon
that calls this ioctl at a regular interval such that it matches with the
SLO requirement. Thus, with this patch, the ext4_dir_entry2 wipeout
patch[1], and the Ext4 "-o discard" mount option set, Ext4 can now
guarantee that all file contents, file metatdata, and filenames will not
be accessible through the filesystem and will have had discard or
zeroout requests issued for corresponding device blocks.
The __jbd2_journal_erase function could also be used to discard or
zero-fill the journal during journal load after recovery. This would
provide a potential solution to a journal replay bug reported earlier this
year[2]. After a successful journal recovery, e2fsck can call this ioctl to
discard the journal as well.
[1] https://lore.kernel.org/linux-ext4/YIHknqxngB1sUdie@mit.edu/
[2] https://lore.kernel.org/linux-ext4/YDZoaacIYStFQT8g@mit.edu/
Link: https://lore.kernel.org/r/20210518151327.130198-2-leah.rumancik@gmail.com
Signed-off-by: Leah Rumancik <leah.rumancik@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
2021-05-18 23:13:26 +08:00
|
|
|
case EXT4_IOC_CHECKPOINT:
|
2010-05-15 12:00:00 +08:00
|
|
|
break;
|
2006-10-11 16:20:50 +08:00
|
|
|
default:
|
|
|
|
return -ENOIOCTLCMD;
|
|
|
|
}
|
2008-04-30 10:03:54 +08:00
|
|
|
return ext4_ioctl(file, cmd, (unsigned long) compat_ptr(arg));
|
2006-10-11 16:20:50 +08:00
|
|
|
}
|
|
|
|
#endif
|