From patchwork Wed Nov  2 15:04:52 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Deepa Dinamani <deepa.kernel@gmail.com>
X-Patchwork-Id: 9409341
Return-Path: <linux-fsdevel-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	E90E16022E for <patchwork-linux-fsdevel@patchwork.kernel.org>;
	Wed,  2 Nov 2016 15:06:45 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D85802A2DB
	for <patchwork-linux-fsdevel@patchwork.kernel.org>;
	Wed,  2 Nov 2016 15:06:45 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id CB8032A2E5; Wed,  2 Nov 2016 15:06:45 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.8 required=2.0 tests=BAYES_00,
	DKIM_ADSP_CUSTOM_MED,
	DKIM_SIGNED,FREEMAIL_FROM,RCVD_IN_DNSWL_HI,T_DKIM_INVALID
	autolearn=unavailable version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A2C942A2DB
	for <patchwork-linux-fsdevel@patchwork.kernel.org>;
	Wed,  2 Nov 2016 15:06:44 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1755782AbcKBPGQ (ORCPT
	<rfc822;patchwork-linux-fsdevel@patchwork.kernel.org>);
	Wed, 2 Nov 2016 11:06:16 -0400
Received: from mail-yb0-f195.google.com ([209.85.213.195]:33357 "EHLO
	mail-yb0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1754004AbcKBPFL (ORCPT
	<rfc822;linux-fsdevel@vger.kernel.org>);
	Wed, 2 Nov 2016 11:05:11 -0400
Received: by mail-yb0-f195.google.com with SMTP id v78so335831ybe.0;
	Wed, 02 Nov 2016 08:05:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20120113;
	h=from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=ibU5tgQf/J4Qc7DR6BZ2O6YC05vSxPjSfZZDY2/U2Xw=;
	b=R6dqpFDb+rdSlmGGd1bA+VY5ZqXNT6yKX6YgiVPhEfPYJgiZFdLH7x3wLCQK1FUsem
	CjrgZS92vhGTGYEFcuINnaLC22L9Ycrjh0CDjO2lvKgnltw1diVtf2HA85TkwxBDqWq1
	SS12yFlSDZX9x5SzliGL3dOe/IAS6D+8V13OBPKomMh7XA8qaCmSrHcHZvIQ5D6kJTJ9
	Ensfyo+C8a5WgMlQNednwGK3IBESz9V21tTTJuFgl5OV8ytsV1ND64MN1FJnGYy7tOYf
	9KPTOcst0g9P/+raW29zjKlsX8Cs81JjLYTld7bOqdI6BLox4XEJWslFt4/L35YgGENj
	lxoA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references;
	bh=ibU5tgQf/J4Qc7DR6BZ2O6YC05vSxPjSfZZDY2/U2Xw=;
	b=Q/MgKUo6LFZ/1akoyIhfdhOThUFrp80IEyYBxhuWTeKtOWa2tkR8q2RP4ti12pNBDa
	KZAqisz9KyjcZ1r3IQABYwIgNQan1LMFSUAeSQ6mUYZr6YA5vRKhfMxuiMJT3jtgK9vp
	zYSb4+sunzVpc7EIdHouEakoOURp6+J3qI5f6+Ml7fD2/Dmlq4d97+d4B9utys45Cequ
	N3LzdJJZ9HS/3dyo6842Cxeg9HmldKm6N0WdE2mTEAl7hGw4dxYUaysH4gisOHOTMd5N
	D41uCIrQUml2WDaW2Y5RjPXcnJSK36kwilHKakcR22utViKvVfym4xuTzp38HHxjNnfG
	BcLA==
X-Gm-Message-State: 
 ABUngveLOJLLPG0xvQJCE/vfuFDbT+YvbwmoAVug2OlQUanquv0DyXiay107RVhVj3SzCQ==
X-Received: by 10.37.47.216 with SMTP id v207mr2982787ybv.152.1478099110374;
	Wed, 02 Nov 2016 08:05:10 -0700 (PDT)
Received: from deepa-ubuntu.hil-sfecghh.abq.wayport.net
	(ip-64-134-56-224.public.wayport.net. [64.134.56.224])
	by smtp.gmail.com with ESMTPSA id
	m126sm723358ywf.14.2016.11.02.08.05.08
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Wed, 02 Nov 2016 08:05:09 -0700 (PDT)
From: Deepa Dinamani <deepa.kernel@gmail.com>
To: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: arnd@arndb.de, tglx@linutronix.de, gregkh@linuxfoundation.org,
	akpm@linux-foundation.org, tytso@mit.edu, viro@zeniv.linux.org.uk,
	y2038@lists.linaro.org
Subject: [RFC 2/6] vfs: Add checks for filesystem timestamp limits
Date: Wed,  2 Nov 2016 08:04:52 -0700
Message-Id: <1478099096-25637-3-git-send-email-deepa.kernel@gmail.com>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1478099096-25637-1-git-send-email-deepa.kernel@gmail.com>
References: <1478099096-25637-1-git-send-email-deepa.kernel@gmail.com>
Sender: linux-fsdevel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-fsdevel.vger.kernel.org>
X-Mailing-List: linux-fsdevel@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Allow read only mounts for filesystems that do not
have maximum timestamps beyond the y2038 expiry
timestamp.

Also, allow a sysctl override to all such filesystems
to be mounted with write permissions.

Alternatively, a mount option can be created to allow or
disallow range check based clamps and the least max
timestamp supported.

If we take the sysctl approach, then the plan is to also
add a boot param to support initial override of these
checks without recompilation.

Suggested-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Deepa Dinamani <deepa.kernel@gmail.com>
---
 fs/inode.c              |  5 +++++
 fs/internal.h           |  2 ++
 fs/namespace.c          | 12 ++++++++++++
 fs/super.c              |  6 ++++++
 include/linux/fs.h      |  1 +
 include/linux/time64.h  |  4 ++++
 include/uapi/linux/fs.h |  6 +++++-
 kernel/sysctl.c         |  7 +++++++
 8 files changed, 42 insertions(+), 1 deletion(-)

diff --git a/fs/inode.c b/fs/inode.c
index 88110fd..7b2b78d 100644
--- a/fs/inode.c
+++ b/fs/inode.c
@@ -75,6 +75,11 @@ static DEFINE_PER_CPU(unsigned long, nr_unused);
 
 static struct kmem_cache *inode_cachep __read_mostly;
 
+struct vfs_max_timestamp_check timestamp_check = {
+	.timestamp_supported = Y2038_EXPIRY_TIMESTAMP,
+	.check_on = 1,
+};
+
 static long get_nr_inodes(void)
 {
 	int i;
diff --git a/fs/internal.h b/fs/internal.h
index f4da334..5a144a8 100644
--- a/fs/internal.h
+++ b/fs/internal.h
@@ -67,6 +67,8 @@ extern int finish_automount(struct vfsmount *, struct path *);
 
 extern int sb_prepare_remount_readonly(struct super_block *);
 
+extern bool sb_file_times_updatable(struct super_block *sb);
+
 extern void __init mnt_init(void);
 
 extern int __mnt_want_write(struct vfsmount *);
diff --git a/fs/namespace.c b/fs/namespace.c
index e6c234b..b784b95 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -542,6 +542,18 @@ static void __mnt_unmake_readonly(struct mount *mnt)
 	unlock_mount_hash();
 }
 
+bool sb_file_times_updatable(struct super_block *sb)
+{
+
+	if (!timestamp_check.check_on)
+		return true;
+
+	else if (sb->s_time_max > timestamp_check.timestamp_supported)
+		return true;
+
+	return false;
+}
+
 int sb_prepare_remount_readonly(struct super_block *sb)
 {
 	struct mount *mnt;
diff --git a/fs/super.c b/fs/super.c
index 27c973e..5073d70 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -1199,6 +1199,12 @@ mount_fs(struct file_system_type *type, int flags, const char *name, void *data)
 	WARN((sb->s_maxbytes < 0), "%s set sb->s_maxbytes to "
 		"negative value (%lld)\n", type->name, sb->s_maxbytes);
 
+	if (!(sb->s_flags & MS_RDONLY) && !sb_file_times_updatable(sb)) {
+		WARN(1, "File times cannot be updated on the filesystem.\n");
+		WARN(1, "Retry mounting the filesystem readonly.\n");
+		goto out_sb;
+	}
+
 	up_write(&sb->s_umount);
 	free_secdata(secdata);
 	return root;
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 6d1346b..a079393 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -68,6 +68,7 @@ extern struct inodes_stat_t inodes_stat;
 extern int leases_enable, lease_break_time;
 extern int sysctl_protected_symlinks;
 extern int sysctl_protected_hardlinks;
+extern struct vfs_max_timestamp_check timestamp_check;
 
 struct buffer_head;
 typedef int (get_block_t)(struct inode *inode, sector_t iblock,
diff --git a/include/linux/time64.h b/include/linux/time64.h
index 25433b18..906e0b3 100644
--- a/include/linux/time64.h
+++ b/include/linux/time64.h
@@ -43,6 +43,10 @@ struct itimerspec64 {
 #define KTIME_MAX			((s64)~((u64)1 << 63))
 #define KTIME_SEC_MAX			(KTIME_MAX / NSEC_PER_SEC)
 
+/* Timestamps on boundary */
+#define Y2038_EXPIRY_TIMESTAMP		S32_MAX /* 2147483647 */
+#define Y2106_EXPIRY_TIMESTAMP		U32_MAX /* 4294967295 */
+
 #if __BITS_PER_LONG == 64
 
 static inline struct timespec timespec64_to_timespec(const struct timespec64 ts64)
diff --git a/include/uapi/linux/fs.h b/include/uapi/linux/fs.h
index acb2b61..60482b1 100644
--- a/include/uapi/linux/fs.h
+++ b/include/uapi/linux/fs.h
@@ -91,6 +91,11 @@ struct files_stat_struct {
 	unsigned long max_files;		/* tunable */
 };
 
+struct vfs_max_timestamp_check {
+	time64_t timestamp_supported;
+	int check_on;
+};
+
 struct inodes_stat_t {
 	long nr_inodes;
 	long nr_unused;
@@ -100,7 +105,6 @@ struct inodes_stat_t {
 
 #define NR_FILE  8192	/* this can well be larger on a larger system */
 
-
 /*
  * These are the fs-independent mount-flags: up to 32 flags are supported
  */
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 706309f..e65e6b9 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -1681,6 +1681,13 @@ static struct ctl_table fs_table[] = {
 		.proc_handler	= proc_doulongvec_minmax,
 	},
 	{
+		.procname	= "fs-timestamp-check-on",
+		.data		= &timestamp_check.check_on,
+		.maxlen		= sizeof(int),
+		.mode		= 0644,
+		.proc_handler	= proc_dointvec,
+	},
+	{
 		.procname	= "nr_open",
 		.data		= &sysctl_nr_open,
 		.maxlen		= sizeof(unsigned int),