linux/fs/ext4
Ross Zwisler 7d3e06a8da ext4: add sanity check for encryption + DAX
We prevent DAX from being used on inodes which are using ext4's built-in
encryption via a check in ext4_set_inode_flags().  We do have what appears
to be an unsafe transition of S_DAX in ext4_set_context(), though, where
S_DAX can get disabled without us doing a proper writeback + invalidate.

There are also issues with mm-level races when changing the value of S_DAX,
as well as issues with the VM_MIXEDMAP flag:

https://www.spinics.net/lists/linux-xfs/msg09859.html

I actually think we are safe in this case because of the following:

1) You can't encrypt an existing file.  Encryption can only be set on an
empty directory, with new inodes in that directory being created with
encryption turned on, so I don't think it's possible to turn encryption on
for a file that has open DAX mmaps or outstanding I/Os.

2) There is no way to turn encryption off on a given file.  Once an inode
is encrypted, it stays encrypted for the life of that inode, so we don't
have to worry about the case where we turn encryption off and S_DAX
suddenly turns on.

3) The only way we end up in ext4_set_context() to turn on encryption is
when we are creating a new file in the encrypted directory.  This happens
as part of ext4_create() before the inode has been allowed to do any I/O.
Here's the call tree:

 ext4_create()
   __ext4_new_inode()
     ext4_set_inode_flags() // sets S_DAX
     fscrypt_inherit_context()
       fscrypt_get_encryption_info();
       ext4_set_context() // sets EXT4_INODE_ENCRYPT, clears S_DAX

So, I actually think it's safe to transition S_DAX in ext4_set_context()
without any locking, writebacks or invalidations.  I've added a
WARN_ON_ONCE() sanity check to make sure that we are notified if we ever
encounter a case where we are encrypting an inode that already has data,
in which case we need to add code to safely transition S_DAX.

Signed-off-by: Ross Zwisler <ross.zwisler@linux.intel.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Jan Kara <jack@suse.cz>
2017-10-12 11:58:05 -04:00
acl.c ext4: Don't clear SGID when inheriting ACLs 2017-07-30 23:33:01 -04:00
acl.h ext2/3/4: use generic posix ACL infrastructure 2014-01-25 23:58:19 -05:00
balloc.c ext4: retry allocations conservatively 2017-10-01 17:59:54 -04:00
bitmap.c ext4: remove unused header files 2015-04-02 23:47:42 -04:00
block_validity.c ext4: add missing KERN_CONT to a few more debugging uses 2016-10-15 09:57:31 -04:00
dir.c ext4: use sizeof(*ptr) 2017-08-24 13:50:24 -04:00
ext4_extents.h ext4: fix misspellings in comments. 2016-03-09 23:49:05 -05:00
ext4_jbd2.c VFS: Convert sb->s_flags & MS_RDONLY to sb_rdonly(sb) 2017-07-17 08:45:34 +01:00
ext4_jbd2.h ext4, project: expand inode extra size if possible 2017-08-06 01:00:49 -04:00
ext4.h ext4: Switch to iomap for SEEK_HOLE / SEEK_DATA 2017-10-01 17:58:54 -04:00
extents_status.c scripts/spelling.txt: add "comsume(r)" pattern and fix typo instances 2017-02-27 18:43:47 -08:00
extents_status.h ext4: move procfs registration code to fs/ext4/sysfs.c 2015-09-23 12:46:17 -04:00
extents.c ext4: fix interaction between i_size, fallocate, and delalloc after a crash 2017-10-06 23:09:55 -04:00
file.c ext4: Switch to iomap for SEEK_HOLE / SEEK_DATA 2017-10-01 17:58:54 -04:00
fsmap.c ext4: fix off-by-one fsmap error on 1k block filesystems 2017-06-23 00:58:57 -04:00
fsmap.h ext4: support GETFSMAP ioctls 2017-04-30 00:36:53 -04:00
fsync.c VFS: Convert sb->s_flags & MS_RDONLY to sb_rdonly(sb) 2017-07-17 08:45:34 +01:00
hash.c ext4: remove useless test and assignment in strtohash functions 2017-08-24 15:11:34 -04:00
ialloc.c Merge branch 'work.mount' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2017-09-14 18:54:01 -07:00
indirect.c ext4: call journal revoke when freeing ea_inode blocks 2017-06-21 21:36:51 -04:00
inline.c ext4: prevent data corruption with inline data + DAX 2017-10-12 11:52:34 -04:00
inode.c ext4: prevent data corruption with journaling + DAX 2017-10-12 11:54:08 -04:00
ioctl.c ext4: prevent data corruption with journaling + DAX 2017-10-12 11:54:08 -04:00
Kconfig ext4: Switch to iomap for SEEK_HOLE / SEEK_DATA 2017-10-01 17:58:54 -04:00
Makefile ext4: support GETFSMAP ioctls 2017-04-30 00:36:53 -04:00
mballoc.c ext4: fix clang build regression 2017-08-14 08:29:18 -04:00
mballoc.h ext4: send parallel discards on commit completions 2017-06-22 23:54:33 -04:00
migrate.c ext4: do not set posix acls on xattr inodes 2017-06-21 21:21:39 -04:00
mmp.c Merge branch 'work.mount' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2017-09-14 18:54:01 -07:00
move_extent.c ext4: add ext4_is_quota_file() 2017-06-22 11:31:25 -04:00
namei.c ext4: make xattr inode reads faster 2017-08-06 00:07:01 -04:00
page-io.c block: replace bi_bdev with a gendisk pointer and partitions index 2017-08-23 12:49:55 -06:00
readpage.c block: replace bi_bdev with a gendisk pointer and partitions index 2017-08-23 12:49:55 -06:00
resize.c ext4: fix overflow caused by missing cast in ext4_resize_fs() 2017-08-06 01:18:31 -04:00
super.c ext4: add sanity check for encryption + DAX 2017-10-12 11:58:05 -04:00
symlink.c ext4: Add statx support 2017-04-03 01:05:58 -04:00
sysfs.c ext4: check return value of kstrtoull correctly in reserved_clusters_store 2017-06-23 01:08:22 -04:00
truncate.h ext4: fix races between page faults and hole punching 2015-12-07 14:28:03 -05:00
xattr_security.c switch xattr_handler->set() to passing dentry and inode separately 2016-05-27 15:39:43 -04:00
xattr_trusted.c switch xattr_handler->set() to passing dentry and inode separately 2016-05-27 15:39:43 -04:00
xattr_user.c switch xattr_handler->set() to passing dentry and inode separately 2016-05-27 15:39:43 -04:00
xattr.c ext4: backward compatibility support for Lustre ea_inode implementation 2017-08-24 14:25:02 -04:00
xattr.h ext4: fix __ext4_new_inode() journal credits calculation 2017-07-06 00:01:59 -04:00