| Message ID | 20221027112653.12122-1-lhenriques@suse.de |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a5d:6687:0:0:0:0:0 with SMTP id l7csp172520wru;
Thu, 27 Oct 2022 04:29:16 -0700 (PDT)
X-Google-Smtp-Source:
AMsMyM44UcljVf0DPurMAFYgC1xuBuTfDIoPkFbm9AjAB6EsoKh0TDAp0fDJCdkOLw6ifaSMninl
X-Received: by 2002:a17:902:d490:b0:186:c544:8ac7 with SMTP id
c16-20020a170902d49000b00186c5448ac7mr12515942plg.158.1666870156133;
Thu, 27 Oct 2022 04:29:16 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1666870156; cv=none;
d=google.com; s=arc-20160816;
b=XvRqB8hDLgNsev4fIyPQcF/Gy6pBl06Tt619OnoIZjCQ30bCLOjzkrfsx4indLb9LN
Re65nDoVVCBOI91PtSDH+BQ+U48Ro7MQYJ0Z3Hw5pVKt8lcLvduPf+WZWhRGU1Wp7cfR
rXtHaUiaJ5ZMEJoq2Mun6/tXXYwYUvpwUdhgb0qxmTzbc0/Joj6aMkWqpWU24P1hkL5Q
tGdLZ6k63FTCYkjCTfcOYh8BlM5ibabv70hOG/7Peclfb5jKZXLLR7EeaxY52U19jNA0
O2Z4cLXEmWh7a1b1eKpMLBHooOptP5PQj88K+b6qxOV7PPkxQy5tKEPs5UqwlxwtACWy
hSHQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from:dkim-signature:dkim-signature;
bh=3p3rnTGQGMUuJC2g4FPdqKLLvoOr0ndD88Zj59SSr28=;
b=pciWXkZMMfRUbvemW4bzzkQZz1r5CRtIS+x+oyvLY0CmidpzbCBQGfvQli/3kDUBJR
gDpgRVvl4KITO+WzSjHZuomaQ84/9SzFkV8tiBLKeZGZOkH5Ht4e56SDA1VacrRXm5PA
q3N+zWsgN/sjJaxUAvP3KVM3dIJSednhNr4sT92skZXT6W3GAWk/Vz/DsJqJSUBa3che
IIjeDnhWQ+R2/N5WQn5wCH814FuJIO6Y1uIwY9vLSCN3YhAWfyqyQRmHDHp4dTba5ayf
je/RnyhtYObeCBI6HOUZ24SQjKuM+NQmPRmd0SkmxdA3VF1K1qf2xjr782JEx+yrwh0H
l3pA==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=kT2DqU9J;
dkim=neutral (no key) header.i=@suse.de;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=suse.de
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
q5-20020a654945000000b0043541f027e0si1289422pgs.877.2022.10.27.04.29.03;
Thu, 27 Oct 2022 04:29:16 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=kT2DqU9J;
dkim=neutral (no key) header.i=@suse.de;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=suse.de
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S235227AbiJ0L0D (ORCPT <rfc822;chrisfriedt@gmail.com>
+ 99 others); Thu, 27 Oct 2022 07:26:03 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48576 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S234874AbiJ0L0B (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Thu, 27 Oct 2022 07:26:01 -0400
Received: from smtp-out1.suse.de (smtp-out1.suse.de
[IPv6:2001:67c:2178:6::1c])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7CE12AE85F;
Thu, 27 Oct 2022 04:25:59 -0700 (PDT)
Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de
[192.168.254.74])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature ECDSA (P-521) server-digest
SHA512)
(No client certificate requested)
by smtp-out1.suse.de (Postfix) with ESMTPS id 3A0F12251F;
Thu, 27 Oct 2022 11:25:58 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de;
s=susede2_rsa;
t=1666869958;
h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
mime-version:mime-version:content-type:content-type:
content-transfer-encoding:content-transfer-encoding;
bh=3p3rnTGQGMUuJC2g4FPdqKLLvoOr0ndD88Zj59SSr28=;
b=kT2DqU9JTulQesICc/QKp3fKjxPZVkVcB+ZPC6sBW88mLE/mJD9VlxzS0R45ZnqFMOBzom
ShITtwxXAw52zsve0yev+4jgwwVLZbVLiI2BtHxSbWiJUrp6M39+lfCmUcAtYfiOGj9w1I
SsMvYJCrs+2DijDFnU6iCzR3KeXL0s4=
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;
s=susede2_ed25519; t=1666869958;
h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
mime-version:mime-version:content-type:content-type:
content-transfer-encoding:content-transfer-encoding;
bh=3p3rnTGQGMUuJC2g4FPdqKLLvoOr0ndD88Zj59SSr28=;
b=sxK6FwoHx2Qv21Dz+SKevO2k3kB4Y25bR/vHM31SC+QRVLh3yfrWCXpayBrMKIwOvsMKXg
cKuOehcu04dHTRCA==
Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de
[192.168.254.74])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature ECDSA (P-521) server-digest
SHA512)
(No client certificate requested)
by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id BA57813357;
Thu, 27 Oct 2022 11:25:57 +0000 (UTC)
Received: from dovecot-director2.suse.de ([192.168.254.65])
by imap2.suse-dmz.suse.de with ESMTPSA
id kqV8KsVqWmNKIwAAMHmgww
(envelope-from <lhenriques@suse.de>); Thu, 27 Oct 2022 11:25:57 +0000
Received: from localhost (brahms.olymp [local])
by brahms.olymp (OpenSMTPD) with ESMTPA id d41acb50;
Thu, 27 Oct 2022 11:26:56 +0000 (UTC)
From: =?utf-8?q?Lu=C3=ADs_Henriques?= <lhenriques@suse.de>
To: Xiubo Li <xiubli@redhat.com>, Ilya Dryomov <idryomov@gmail.com>,
Jeff Layton <jlayton@kernel.org>
Cc: ceph-devel@vger.kernel.org, linux-kernel@vger.kernel.org, =?utf-8?q?Lu?=
=?utf-8?q?=C3=ADs_Henriques?= <lhenriques@suse.de>
Subject: [RFC PATCH] ceph: allow encrypting a directory while not having Ax
caps
Date: Thu, 27 Oct 2022 12:26:53 +0100
Message-Id: <20221027112653.12122-1-lhenriques@suse.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW,SPF_HELO_NONE,
SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1747840040658020508?=
X-GMAIL-MSGID: =?utf-8?q?1747840040658020508?=
|
| Series |
[RFC] ceph: allow encrypting a directory while not having Ax caps
|
|
Commit Message
Luis Henriques
Oct. 27, 2022, 11:26 a.m. UTC
If a client doesn't have Fx caps on a directory, it will get errors while
trying encrypt it:
ceph: handle_cap_grant: cap grant attempt to change fscrypt_auth on non-I_NEW inode (old len 0 new len 48)
fscrypt (ceph, inode 1099511627812): Error -105 getting encryption context
A simple way to reproduce this is to use two clients:
client1 # mkdir /mnt/mydir
client2 # ls /mnt/mydir
client1 # fscrypt encrypt /mnt/mydir
client1 # echo hello > /mnt/mydir/world
This happens because, in __ceph_setattr(), we only initialize
ci->fscrypt_auth if we have Ax. If we don't have, we'll need to do that
later, in handle_cap_grant().
Signed-off-by: Luís Henriques <lhenriques@suse.de>
---
Hi!
To be honest, I'm not really sure about the conditions in the 'if': shall
I bother checking it's really a dir and that it is empty?
Cheers,
--
Luís
fs/ceph/caps.c | 26 +++++++++++++++++++++++---
1 file changed, 23 insertions(+), 3 deletions(-)
Comments
On 27/10/2022 19:26, Luís Henriques wrote: > If a client doesn't have Fx caps on a directory, it will get errors while > trying encrypt it: > > ceph: handle_cap_grant: cap grant attempt to change fscrypt_auth on non-I_NEW inode (old len 0 new len 48) > fscrypt (ceph, inode 1099511627812): Error -105 getting encryption context > > A simple way to reproduce this is to use two clients: > > client1 # mkdir /mnt/mydir > > client2 # ls /mnt/mydir > > client1 # fscrypt encrypt /mnt/mydir > client1 # echo hello > /mnt/mydir/world > > This happens because, in __ceph_setattr(), we only initialize > ci->fscrypt_auth if we have Ax. If we don't have, we'll need to do that > later, in handle_cap_grant(). > > Signed-off-by: Luís Henriques <lhenriques@suse.de> > --- > Hi! > > To be honest, I'm not really sure about the conditions in the 'if': shall > I bother checking it's really a dir and that it is empty? > > Cheers, > -- > Luís > > fs/ceph/caps.c | 26 +++++++++++++++++++++++--- > 1 file changed, 23 insertions(+), 3 deletions(-) > > diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c > index 443fce066d42..e33b5c276cf3 100644 > --- a/fs/ceph/caps.c > +++ b/fs/ceph/caps.c > @@ -3511,9 +3511,29 @@ static void handle_cap_grant(struct inode *inode, > from_kuid(&init_user_ns, inode->i_uid), > from_kgid(&init_user_ns, inode->i_gid)); > #if IS_ENABLED(CONFIG_FS_ENCRYPTION) > - if (ci->fscrypt_auth_len != extra_info->fscrypt_auth_len || > - memcmp(ci->fscrypt_auth, extra_info->fscrypt_auth, > - ci->fscrypt_auth_len)) > + if ((ci->fscrypt_auth_len == 0) && > + (extra_info->fscrypt_auth_len > 0) && > + S_ISDIR(inode->i_mode) && > + (ci->i_rsubdirs + ci->i_rfiles == 1)) { > + /* > + * We'll get here when setting up an encrypted directory > + * but we don't have Fx in that directory, i.e. other > + * clients have accessed this directory too. > + */ > + ci->fscrypt_auth = kmemdup(extra_info->fscrypt_auth, > + extra_info->fscrypt_auth_len, > + GFP_KERNEL); > + if (ci->fscrypt_auth) { > + inode->i_flags |= S_ENCRYPTED; > + ci->fscrypt_auth_len = extra_info->fscrypt_auth_len; > + } else { > + pr_err("Failed to alloc memory for %llx.%llx fscrypt_auth\n", > + ceph_vinop(inode)); > + } > + dout("ino %llx.%llx is now encrypted\n", ceph_vinop(inode)); > + } else if (ci->fscrypt_auth_len != extra_info->fscrypt_auth_len || > + memcmp(ci->fscrypt_auth, extra_info->fscrypt_auth, > + ci->fscrypt_auth_len)) > pr_warn_ratelimited("%s: cap grant attempt to change fscrypt_auth on non-I_NEW inode (old len %d new len %d)\n", > __func__, ci->fscrypt_auth_len, extra_info->fscrypt_auth_len); > #endif Hi Luis, Thanks for your time on this bug. IMO we should fix this in ceph_fill_inode(): 995 #ifdef CONFIG_FS_ENCRYPTION 996 if (iinfo->fscrypt_auth_len && (inode->i_state & I_NEW)) { 997 kfree(ci->fscrypt_auth); 998 ci->fscrypt_auth_len = iinfo->fscrypt_auth_len; 999 ci->fscrypt_auth = iinfo->fscrypt_auth; 1000 iinfo->fscrypt_auth = NULL; 1001 iinfo->fscrypt_auth_len = 0; 1002 inode_set_flags(inode, S_ENCRYPTED, S_ENCRYPTED); 1003 } 1004 #endif The setattr will get a reply from MDS including the fscrypt auth info, I think the kclient just drop it here. If we fix it in handle_cap_grant() I am afraid this bug still exists. What if there is no any new caps will be issued or revoked recently and then access to the directory ? Thanks - Xiubo >
On Mon, Oct 31, 2022 at 05:15:51PM +0800, Xiubo Li wrote: > > On 27/10/2022 19:26, Luís Henriques wrote: > > If a client doesn't have Fx caps on a directory, it will get errors while > > trying encrypt it: > > > > ceph: handle_cap_grant: cap grant attempt to change fscrypt_auth on non-I_NEW inode (old len 0 new len 48) > > fscrypt (ceph, inode 1099511627812): Error -105 getting encryption context > > > > A simple way to reproduce this is to use two clients: > > > > client1 # mkdir /mnt/mydir > > > > client2 # ls /mnt/mydir > > > > client1 # fscrypt encrypt /mnt/mydir > > client1 # echo hello > /mnt/mydir/world > > > > This happens because, in __ceph_setattr(), we only initialize > > ci->fscrypt_auth if we have Ax. If we don't have, we'll need to do that > > later, in handle_cap_grant(). > > > > Signed-off-by: Luís Henriques <lhenriques@suse.de> > > --- > > Hi! > > > > To be honest, I'm not really sure about the conditions in the 'if': shall > > I bother checking it's really a dir and that it is empty? > > > > Cheers, > > -- > > Luís > > > > fs/ceph/caps.c | 26 +++++++++++++++++++++++--- > > 1 file changed, 23 insertions(+), 3 deletions(-) > > > > diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c > > index 443fce066d42..e33b5c276cf3 100644 > > --- a/fs/ceph/caps.c > > +++ b/fs/ceph/caps.c > > @@ -3511,9 +3511,29 @@ static void handle_cap_grant(struct inode *inode, > > from_kuid(&init_user_ns, inode->i_uid), > > from_kgid(&init_user_ns, inode->i_gid)); > > #if IS_ENABLED(CONFIG_FS_ENCRYPTION) > > - if (ci->fscrypt_auth_len != extra_info->fscrypt_auth_len || > > - memcmp(ci->fscrypt_auth, extra_info->fscrypt_auth, > > - ci->fscrypt_auth_len)) > > + if ((ci->fscrypt_auth_len == 0) && > > + (extra_info->fscrypt_auth_len > 0) && > > + S_ISDIR(inode->i_mode) && > > + (ci->i_rsubdirs + ci->i_rfiles == 1)) { > > + /* > > + * We'll get here when setting up an encrypted directory > > + * but we don't have Fx in that directory, i.e. other > > + * clients have accessed this directory too. > > + */ > > + ci->fscrypt_auth = kmemdup(extra_info->fscrypt_auth, > > + extra_info->fscrypt_auth_len, > > + GFP_KERNEL); > > + if (ci->fscrypt_auth) { > > + inode->i_flags |= S_ENCRYPTED; > > + ci->fscrypt_auth_len = extra_info->fscrypt_auth_len; > > + } else { > > + pr_err("Failed to alloc memory for %llx.%llx fscrypt_auth\n", > > + ceph_vinop(inode)); > > + } > > + dout("ino %llx.%llx is now encrypted\n", ceph_vinop(inode)); > > + } else if (ci->fscrypt_auth_len != extra_info->fscrypt_auth_len || > > + memcmp(ci->fscrypt_auth, extra_info->fscrypt_auth, > > + ci->fscrypt_auth_len)) > > pr_warn_ratelimited("%s: cap grant attempt to change fscrypt_auth on non-I_NEW inode (old len %d new len %d)\n", > > __func__, ci->fscrypt_auth_len, extra_info->fscrypt_auth_len); > > #endif > > Hi Luis, > > Thanks for your time on this bug. > > IMO we should fix this in ceph_fill_inode(): > > 995 #ifdef CONFIG_FS_ENCRYPTION > 996 if (iinfo->fscrypt_auth_len && (inode->i_state & I_NEW)) { > 997 kfree(ci->fscrypt_auth); > 998 ci->fscrypt_auth_len = iinfo->fscrypt_auth_len; > 999 ci->fscrypt_auth = iinfo->fscrypt_auth; > 1000 iinfo->fscrypt_auth = NULL; > 1001 iinfo->fscrypt_auth_len = 0; > 1002 inode_set_flags(inode, S_ENCRYPTED, S_ENCRYPTED); > 1003 } > 1004 #endif > > The setattr will get a reply from MDS including the fscrypt auth info, I > think the kclient just drop it here. I've done some testing and I don't really see this code kfree'ing a valid fscrypt_auth here. However, I guess it is possible to fix this issue here too, but in a different way, by changing that 'if' condition to: if (iinfo->fscrypt_auth_len && ((inode->i_state & I_NEW) || (ci->fscrypt_auth_len == 0))) { ... } I'm not really sure if this is sane though. When we loose the 'Ax' caps (another client as accessed the directory we're encrypting), we also seem to loose the I_NEW state. Using the above code seems to work for the testcase in my patch, but I'm not sure it won't break something else. Cheers, -- Luís > If we fix it in handle_cap_grant() I am afraid this bug still exists. What > if there is no any new caps will be issued or revoked recently and then > access to the directory ? > > Thanks > > - Xiubo > > > >
On 02/11/2022 19:48, Luís Henriques wrote: > On Mon, Oct 31, 2022 at 05:15:51PM +0800, Xiubo Li wrote: >> On 27/10/2022 19:26, Luís Henriques wrote: >>> If a client doesn't have Fx caps on a directory, it will get errors while >>> trying encrypt it: >>> >>> ceph: handle_cap_grant: cap grant attempt to change fscrypt_auth on non-I_NEW inode (old len 0 new len 48) >>> fscrypt (ceph, inode 1099511627812): Error -105 getting encryption context >>> >>> A simple way to reproduce this is to use two clients: >>> >>> client1 # mkdir /mnt/mydir >>> >>> client2 # ls /mnt/mydir >>> >>> client1 # fscrypt encrypt /mnt/mydir >>> client1 # echo hello > /mnt/mydir/world >>> >>> This happens because, in __ceph_setattr(), we only initialize >>> ci->fscrypt_auth if we have Ax. If we don't have, we'll need to do that >>> later, in handle_cap_grant(). >>> >>> Signed-off-by: Luís Henriques <lhenriques@suse.de> >>> --- >>> Hi! >>> >>> To be honest, I'm not really sure about the conditions in the 'if': shall >>> I bother checking it's really a dir and that it is empty? >>> >>> Cheers, >>> -- >>> Luís >>> >>> fs/ceph/caps.c | 26 +++++++++++++++++++++++--- >>> 1 file changed, 23 insertions(+), 3 deletions(-) >>> >>> diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c >>> index 443fce066d42..e33b5c276cf3 100644 >>> --- a/fs/ceph/caps.c >>> +++ b/fs/ceph/caps.c >>> @@ -3511,9 +3511,29 @@ static void handle_cap_grant(struct inode *inode, >>> from_kuid(&init_user_ns, inode->i_uid), >>> from_kgid(&init_user_ns, inode->i_gid)); >>> #if IS_ENABLED(CONFIG_FS_ENCRYPTION) >>> - if (ci->fscrypt_auth_len != extra_info->fscrypt_auth_len || >>> - memcmp(ci->fscrypt_auth, extra_info->fscrypt_auth, >>> - ci->fscrypt_auth_len)) >>> + if ((ci->fscrypt_auth_len == 0) && >>> + (extra_info->fscrypt_auth_len > 0) && >>> + S_ISDIR(inode->i_mode) && >>> + (ci->i_rsubdirs + ci->i_rfiles == 1)) { >>> + /* >>> + * We'll get here when setting up an encrypted directory >>> + * but we don't have Fx in that directory, i.e. other >>> + * clients have accessed this directory too. >>> + */ >>> + ci->fscrypt_auth = kmemdup(extra_info->fscrypt_auth, >>> + extra_info->fscrypt_auth_len, >>> + GFP_KERNEL); >>> + if (ci->fscrypt_auth) { >>> + inode->i_flags |= S_ENCRYPTED; >>> + ci->fscrypt_auth_len = extra_info->fscrypt_auth_len; >>> + } else { >>> + pr_err("Failed to alloc memory for %llx.%llx fscrypt_auth\n", >>> + ceph_vinop(inode)); >>> + } >>> + dout("ino %llx.%llx is now encrypted\n", ceph_vinop(inode)); >>> + } else if (ci->fscrypt_auth_len != extra_info->fscrypt_auth_len || >>> + memcmp(ci->fscrypt_auth, extra_info->fscrypt_auth, >>> + ci->fscrypt_auth_len)) >>> pr_warn_ratelimited("%s: cap grant attempt to change fscrypt_auth on non-I_NEW inode (old len %d new len %d)\n", >>> __func__, ci->fscrypt_auth_len, extra_info->fscrypt_auth_len); >>> #endif >> Hi Luis, >> >> Thanks for your time on this bug. >> >> IMO we should fix this in ceph_fill_inode(): >> >> 995 #ifdef CONFIG_FS_ENCRYPTION >> 996 if (iinfo->fscrypt_auth_len && (inode->i_state & I_NEW)) { >> 997 kfree(ci->fscrypt_auth); >> 998 ci->fscrypt_auth_len = iinfo->fscrypt_auth_len; >> 999 ci->fscrypt_auth = iinfo->fscrypt_auth; >> 1000 iinfo->fscrypt_auth = NULL; >> 1001 iinfo->fscrypt_auth_len = 0; >> 1002 inode_set_flags(inode, S_ENCRYPTED, S_ENCRYPTED); >> 1003 } >> 1004 #endif >> >> The setattr will get a reply from MDS including the fscrypt auth info, I >> think the kclient just drop it here. > I've done some testing and I don't really see this code kfree'ing a valid > fscrypt_auth here. However, I guess it is possible to fix this issue here > too, but in a different way, by changing that 'if' condition to: > > if (iinfo->fscrypt_auth_len && > ((inode->i_state & I_NEW) || (ci->fscrypt_auth_len == 0))) { > ... > } > > I'm not really sure if this is sane though. When we loose the 'Ax' caps > (another client as accessed the directory we're encrypting), we also seem > to loose the I_NEW state. Using the above code seems to work for the > testcase in my patch, but I'm not sure it won't break something else. It should be okay IMO. The I_NEW is for new created directories, such as for mkdir request,etc. But currently the code didn't consider the setattr case. Please send you patch let's check and discuss there. Thanks! - Xiubo > Cheers, > -- > Luís > >> If we fix it in handle_cap_grant() I am afraid this bug still exists. What >> if there is no any new caps will be issued or revoked recently and then >> access to the directory ? >> >> Thanks >> >> - Xiubo >>
diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c index 443fce066d42..e33b5c276cf3 100644 --- a/fs/ceph/caps.c +++ b/fs/ceph/caps.c @@ -3511,9 +3511,29 @@ static void handle_cap_grant(struct inode *inode, from_kuid(&init_user_ns, inode->i_uid), from_kgid(&init_user_ns, inode->i_gid)); #if IS_ENABLED(CONFIG_FS_ENCRYPTION) - if (ci->fscrypt_auth_len != extra_info->fscrypt_auth_len || - memcmp(ci->fscrypt_auth, extra_info->fscrypt_auth, - ci->fscrypt_auth_len)) + if ((ci->fscrypt_auth_len == 0) && + (extra_info->fscrypt_auth_len > 0) && + S_ISDIR(inode->i_mode) && + (ci->i_rsubdirs + ci->i_rfiles == 1)) { + /* + * We'll get here when setting up an encrypted directory + * but we don't have Fx in that directory, i.e. other + * clients have accessed this directory too. + */ + ci->fscrypt_auth = kmemdup(extra_info->fscrypt_auth, + extra_info->fscrypt_auth_len, + GFP_KERNEL); + if (ci->fscrypt_auth) { + inode->i_flags |= S_ENCRYPTED; + ci->fscrypt_auth_len = extra_info->fscrypt_auth_len; + } else { + pr_err("Failed to alloc memory for %llx.%llx fscrypt_auth\n", + ceph_vinop(inode)); + } + dout("ino %llx.%llx is now encrypted\n", ceph_vinop(inode)); + } else if (ci->fscrypt_auth_len != extra_info->fscrypt_auth_len || + memcmp(ci->fscrypt_auth, extra_info->fscrypt_auth, + ci->fscrypt_auth_len)) pr_warn_ratelimited("%s: cap grant attempt to change fscrypt_auth on non-I_NEW inode (old len %d new len %d)\n", __func__, ci->fscrypt_auth_len, extra_info->fscrypt_auth_len); #endif