From patchwork Fri Jun 28 18:34:43 2019
X-Patchwork-Submitter: "Darrick J. Wong"
X-Patchwork-Id: 11023205
From: "Darrick J. Wong"
To: matthew.garrett@nebula.com, yuchao0@huawei.com, tytso@mit.edu, darrick.wong@oracle.com, ard.biesheuvel@linaro.org, josef@toxicpanda.com, hch@infradead.org, clm@fb.com, adilger.kernel@dilger.ca, viro@zeniv.linux.org.uk, jack@suse.com, dsterba@suse.com, jaegeuk@kernel.org, jk@ozlabs.org
Cc: linux-efi@vger.kernel.org, Jan Kara, linux-btrfs@vger.kernel.org, linux-kernel@vger.kernel.org, reiserfs-devel@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, linux-xfs@vger.kernel.org, linux-mm@kvack.org, linux-nilfs@vger.kernel.org, linux-mtd@lists.infradead.org, ocfs2-devel@oss.oracle.com, linux-fsdevel@vger.kernel.org, linux-ext4@vger.kernel.org, devel@lists.orangefs.org
Date: Fri, 28 Jun 2019 11:34:43 -0700
Message-ID: <156174688345.1557469.793195935067841912.stgit@magnolia>
In-Reply-To: <156174687561.1557469.7505651950825460767.stgit@magnolia>
References: <156174687561.1557469.7505651950825460767.stgit@magnolia>
Subject: [Ocfs2-devel] [PATCH 1/4] mm/fs: don't allow writes to immutable files

From: Darrick J. Wong

The chattr manpage has this to say about immutable files:

"A file with the 'i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be opened in write mode."

Once the flag is set, it is enforced for quite a few file operations, such as fallocate, fpunch, fzero, rm, touch, open, etc. However, we don't check for immutability when doing a write(), a PROT_WRITE mmap(), a truncate(), or a write to a previously established mmap.

If a program has an open write fd to a file that the administrator subsequently marks immutable, the program still can change the file contents. Weird!

The ability to write to an immutable file does not follow the manpage promise that immutable files cannot be modified. Worse yet it's inconsistent with the behavior of other syscalls which don't allow modifications of immutable files.

Therefore, add the necessary checks to make the write, mmap, and truncate behavior consistent with what the manpage says and consistent with other syscalls on filesystems which support IMMUTABLE.

Signed-off-by: Darrick J. Wong
Reviewed-by: Jan Kara
--- fs/attr.c | 13 ++++++------- mm/filemap.c | 3 +++ mm/memory.c | 4 ++++ mm/mmap.c | 8 ++++++-- 4 files changed, 19 insertions(+), 9 deletions(-) diff --git a/fs/attr.c b/fs/attr.c index d22e8187477f..1fcfdcc5b367 100644 --- a/fs/attr.c +++ b/fs/attr.c 
@@ -233,19 +233,18 @@ int notify_change(struct dentry * dentry, struct iattr * attr, struct inode **de WARN_ON_ONCE(!inode_is_locked(inode)); - if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | ATTR_TIMES_SET)) { - if (IS_IMMUTABLE(inode) || IS_APPEND(inode)) - return -EPERM; - } + if (IS_IMMUTABLE(inode)) + return -EPERM; + + if ((ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID | ATTR_TIMES_SET)) && + IS_APPEND(inode)) + return -EPERM; /* * If utimes(2) and friends are called with times == NULL (or both * times are UTIME_NOW), then we need to check for write permission */ if (ia_valid & ATTR_TOUCH) { - if (IS_IMMUTABLE(inode)) - return -EPERM; - if (!inode_owner_or_capable(inode)) { error = inode_permission(inode, MAY_WRITE); if (error) diff --git a/mm/filemap.c b/mm/filemap.c index aac71aef4c61..dad85e10f5f8 100644 --- a/mm/filemap.c +++ b/mm/filemap.c @@ -2935,6 +2935,9 @@ inline ssize_t generic_write_checks(struct kiocb *iocb, struct iov_iter *from) loff_t count; int ret; + if (IS_IMMUTABLE(inode)) + return -EPERM; + if (!iov_iter_count(from)) return 0; diff --git a/mm/memory.c b/mm/memory.c index ddf20bd0c317..abf795277f36 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -2235,6 +2235,10 @@ static vm_fault_t do_page_mkwrite(struct vm_fault *vmf) vmf->flags = FAULT_FLAG_WRITE|FAULT_FLAG_MKWRITE; + if (vmf->vma->vm_file && + IS_IMMUTABLE(vmf->vma->vm_file->f_mapping->host)) + return VM_FAULT_SIGBUS; + ret = vmf->vma->vm_ops->page_mkwrite(vmf); /* Restore original flags so that caller is not surprised */ vmf->flags = old_flags; diff --git a/mm/mmap.c b/mm/mmap.c index 7e8c3e8ae75f..b3ebca2702bf 100644 --- a/mm/mmap.c +++ b/mm/mmap.c 
@@ -1483,8 +1483,12 @@ unsigned long do_mmap(struct file *file, unsigned long addr, case MAP_SHARED_VALIDATE: if (flags & ~flags_mask) return -EOPNOTSUPP; - if ((prot&PROT_WRITE) && !(file->f_mode&FMODE_WRITE)) - return -EACCES; + if (prot & PROT_WRITE) { + if (!(file->f_mode & FMODE_WRITE)) + return -EACCES; + if (IS_IMMUTABLE(file->f_mapping->host)) + return -EPERM; + } /* * Make sure we don't allow writing to an append-only From patchwork Fri Jun 28 18:34:51 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Darrick J. Wong" X-Patchwork-Id: 11023185 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 01838112C for ; Fri, 28 Jun 2019 18:35:36 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C24DF28346 for ; Fri, 28 Jun 2019 18:35:35 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id B5C5E2846C; Fri, 28 Jun 2019 18:35:35 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.3 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 Received: from aserp2120.oracle.com (aserp2120.oracle.com [141.146.126.78]) (using TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 3AD5928346 for ; Fri, 28 Jun 2019 18:35:35 +0000 (UTC) Received: from pps.filterd (aserp2120.oracle.com [127.0.0.1]) by aserp2120.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x5SIYLoj027892; Fri, 28 Jun 2019 18:35:10 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : date : message-id : 
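Review bot: in the mm/memory.c hunk of [PATCH 1/4], the new early return in do_page_mkwrite() sits after vmf->flags has been overwritten with FAULT_FLAG_WRITE|FAULT_FLAG_MKWRITE and before the "Restore original flags so that caller is not surprised" assignment, so on the immutable path the caller gets VM_FAULT_SIGBUS with vmf->flags still modified. Move the IS_IMMUTABLE() test above the flags assignment so the function returns with the caller's flags untouched.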
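Review bot: in the fs/attr.c hunk of [PATCH 1/4], hoisting IS_IMMUTABLE() out of the ia_valid test makes notify_change() return -EPERM for every attribute change on an immutable inode, not only for the truncate case the commit message names. If that is the intent, say so in the commit message and put a short comment above the new check; otherwise test ia_valid against ATTR_SIZE together with the existing ATTR_MODE | ATTR_UID | ATTR_GID | ATTR_TIMES_SET mask.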
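Review bot: in the mm/filemap.c hunk of [PATCH 1/4], the IS_IMMUTABLE() test in generic_write_checks() is placed ahead of the !iov_iter_count(from) early return, so a zero-length write to an immutable file changes from returning 0 to failing with -EPERM. If only data-modifying writes should fail, put the check after the zero-count return; if the stricter behaviour is wanted, mention it in the commit message.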
From: "Darrick J. Wong"
To: matthew.garrett@nebula.com, yuchao0@huawei.com, tytso@mit.edu, darrick.wong@oracle.com, ard.biesheuvel@linaro.org, josef@toxicpanda.com, hch@infradead.org, clm@fb.com, adilger.kernel@dilger.ca, viro@zeniv.linux.org.uk, jack@suse.com, dsterba@suse.com, jaegeuk@kernel.org, jk@ozlabs.org
Cc: linux-efi@vger.kernel.org, linux-btrfs@vger.kernel.org, linux-kernel@vger.kernel.org, reiserfs-devel@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, linux-xfs@vger.kernel.org, linux-mm@kvack.org, linux-nilfs@vger.kernel.org, linux-mtd@lists.infradead.org, ocfs2-devel@oss.oracle.com, linux-fsdevel@vger.kernel.org, linux-ext4@vger.kernel.org, devel@lists.orangefs.org
Date: Fri, 28 Jun 2019 11:34:51 -0700
Message-ID: <156174689192.1557469.17945809794748607270.stgit@magnolia>
In-Reply-To: <156174687561.1557469.7505651950825460767.stgit@magnolia>
References: <156174687561.1557469.7505651950825460767.stgit@magnolia>
Subject: [Ocfs2-devel] [PATCH 2/4] vfs: flush and wait for io when setting the immutable flag via SETFLAGS

From: Darrick J. Wong When we're using FS_IOC_SETFLAGS to set the immutable flag on a file, we need to ensure that userspace can't continue to write the file after the file becomes immutable. To make that happen, we have to flush all the dirty pagecache pages to disk to ensure that we can fail a page fault on a mmap'd region, wait for pending directio to complete, and hope the caller locked out any new writes by holding the inode lock. Signed-off-by: Darrick J. Wong --- fs/inode.c | 21 +++++++++++++++++++-- include/linux/fs.h | 11 +++++++++++ 2 files changed, 30 insertions(+), 2 deletions(-) diff --git a/fs/inode.c b/fs/inode.c index f08711b34341..65a412af3ffb 100644 --- a/fs/inode.c +++ b/fs/inode.c @@ -2193,7 +2193,8 @@ EXPORT_SYMBOL(current_time); /* * Generic function to check FS_IOC_SETFLAGS values and reject any invalid - * configurations. + * configurations. Once we're done, prepare the inode for whatever changes + * are coming down the pipeline. * * Note: the caller should be holding i_mutex, or else be sure that they have * exclusive access to the inode structure. @@ -2201,6 +2202,8 @@ EXPORT_SYMBOL(current_time); int vfs_ioc_setflags_prepare(struct inode *inode, unsigned int oldflags, unsigned int flags) { + int ret; + /* * The IMMUTABLE and APPEND_ONLY flags can only be changed by * the relevant capability. 
@@ -2211,7 +2214,21 @@ int vfs_ioc_setflags_prepare(struct inode *inode, unsigned int oldflags, !capable(CAP_LINUX_IMMUTABLE)) return -EPERM; - return 0; + /* + * Now that we're done checking the new flags, flush all pending IO and + * dirty mappings before setting S_IMMUTABLE on an inode via + * FS_IOC_SETFLAGS. If the flush fails we'll clear the flag before + * returning error. + */ + if (!S_ISREG(inode->i_mode) || IS_IMMUTABLE(inode) || + !(flags & FS_IMMUTABLE_FL)) + return 0; + + inode_set_flags(inode, S_IMMUTABLE, S_IMMUTABLE); + ret = inode_drain_writes(inode); + if (ret) + inode_set_flags(inode, 0, S_IMMUTABLE); + return ret; } EXPORT_SYMBOL(vfs_ioc_setflags_prepare); diff --git a/include/linux/fs.h b/include/linux/fs.h index 91482ab4556a..0efe749de577 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h 
@@ -3567,4 +3567,15 @@ static inline void simple_fill_fsxattr(struct fsxattr *fa, __u32 xflags) fa->fsx_xflags = xflags; } +/* + * Flush file data before changing attributes. Caller must hold any locks + * required to prevent further writes to this file until we're done setting + * flags. + */ +static inline int inode_drain_writes(struct inode *inode) +{ + inode_dio_wait(inode); + return filemap_write_and_wait(inode->i_mapping); +} + #endif /* _LINUX_FS_H */ From patchwork Fri Jun 28 18:34:59 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Darrick J. Wong" X-Patchwork-Id: 11023193 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id BA7F6138D for ; Fri, 28 Jun 2019 18:35:37 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8607B28346 for ; Fri, 28 Jun 2019 18:35:37 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 797352846C; Fri, 28 Jun 2019 18:35:37 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.3 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED, UNPARSEABLE_RELAY autolearn=ham version=3.3.1 Received: from aserp2120.oracle.com (aserp2120.oracle.com [141.146.126.78]) (using TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id AEF5B2837D for ; Fri, 28 Jun 2019 18:35:36 +0000 (UTC) Received: from pps.filterd (aserp2120.oracle.com [127.0.0.1]) by aserp2120.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x5SIYLlO027889; Fri, 28 Jun 2019 18:35:11 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to 
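Review bot: in the fs/inode.c hunk of [PATCH 2/4], vfs_ioc_setflags_prepare() sets S_IMMUTABLE on the in-core inode before the filesystem has recorded the flag, and the only rollback is for a failed inode_drain_writes(). A caller that fails after this function returns 0 is left with an inode that is immutable in memory only; either document that callers must clear S_IMMUTABLE on their own error paths or provide a matching undo helper. The header comment also still says the caller "should be holding i_mutex, or else be sure that they have exclusive access", which is weaker than the requirement the new code depends on and should be tightened to match.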
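Review bot: in the include/linux/fs.h hunk of [PATCH 2/4], inode_drain_writes() states its locking requirement only in the comment, and the commit message says we "hope the caller locked out any new writes". Nothing in the helper verifies that. Where the callers' locking allows it, add an assertion in the style of the WARN_ON_ONCE(!inode_is_locked(inode)) check in notify_change(), so a caller that drains without excluding writers is caught in testing.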
From: "Darrick J. Wong"
To: matthew.garrett@nebula.com, yuchao0@huawei.com, tytso@mit.edu, darrick.wong@oracle.com, ard.biesheuvel@linaro.org, josef@toxicpanda.com, hch@infradead.org, clm@fb.com, adilger.kernel@dilger.ca, viro@zeniv.linux.org.uk, jack@suse.com, dsterba@suse.com, jaegeuk@kernel.org, jk@ozlabs.org
Cc: linux-efi@vger.kernel.org, linux-btrfs@vger.kernel.org, linux-kernel@vger.kernel.org, reiserfs-devel@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, linux-xfs@vger.kernel.org, linux-mm@kvack.org, linux-nilfs@vger.kernel.org, linux-mtd@lists.infradead.org, ocfs2-devel@oss.oracle.com, linux-fsdevel@vger.kernel.org, linux-ext4@vger.kernel.org, devel@lists.orangefs.org
Date: Fri, 28 Jun 2019 11:34:59 -0700
Message-ID: <156174689965.1557469.9018924813461417576.stgit@magnolia>
In-Reply-To: <156174687561.1557469.7505651950825460767.stgit@magnolia>
References: <156174687561.1557469.7505651950825460767.stgit@magnolia>
Subject: [Ocfs2-devel] [PATCH 3/4] vfs: flush and wait for io when setting the immutable flag via FSSETXATTR

From: Darrick J. Wong When we're using FS_IOC_FSSETXATTR to set the immutable flag on a file, we need to ensure that userspace can't continue to write the file after the file becomes immutable. To make that happen, we have to flush all the dirty pagecache pages to disk to ensure that we can fail a page fault on a mmap'd region, wait for pending directio to complete, and hope the caller locked out any new writes by holding the inode lock. XFS has more complex locking than other FSSETXATTR implementations so we have to keep the checking and preparation code in different functions. Signed-off-by: Darrick J. Wong --- fs/btrfs/ioctl.c | 2 + fs/ext4/ioctl.c | 2 + fs/f2fs/file.c | 2 + fs/inode.c | 31 +++++++++++++++++++++++ fs/xfs/xfs_ioctl.c | 71 +++++++++++++++++++++++++++++++++++++++------------- include/linux/fs.h | 3 ++ 6 files changed, 90 insertions(+), 21 deletions(-) diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c index 3cd66efdb99d..aeffe3fd99c4 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c @@ -420,7 +420,7 @@ static int btrfs_ioctl_fssetxattr(struct file *file, void __user *arg) simple_fill_fsxattr(&old_fa, btrfs_inode_flags_to_xflags(binode->flags)); - ret = vfs_ioc_fssetxattr_check(inode, &old_fa, &fa); + ret = vfs_ioc_fssetxattr_prepare(inode, &old_fa, &fa); if (ret) goto out_unlock; diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c index 566dfac28b3f..69810e59f89a 100644 --- a/fs/ext4/ioctl.c +++ b/fs/ext4/ioctl.c @@ -1109,7 +1109,7 @@ long ext4_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) inode_lock(inode); ext4_fill_fsxattr(inode, &old_fa); - err = vfs_ioc_fssetxattr_check(inode, &old_fa, &fa); + err = vfs_ioc_fssetxattr_prepare(inode, &old_fa, &fa); if (err) goto out; flags = (ei->i_flags & ~EXT4_FL_XFLAG_VISIBLE) | diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c index 8799468724f9..b47f22eb483e 100644 --- a/fs/f2fs/file.c +++ b/fs/f2fs/file.c 
@@ -2825,7 +2825,7 @@ static int f2fs_ioc_fssetxattr(struct file *filp, unsigned long arg) inode_lock(inode); f2fs_fill_fsxattr(inode, &old_fa); - err = vfs_ioc_fssetxattr_check(inode, &old_fa, &fa); + err = vfs_ioc_fssetxattr_prepare(inode, &old_fa, &fa); if (err) goto out; flags = (fi->i_flags & ~F2FS_FL_XFLAG_VISIBLE) | diff --git a/fs/inode.c b/fs/inode.c index 65a412af3ffb..cf07378e5731 100644 --- a/fs/inode.c +++ b/fs/inode.c @@ -2293,3 +2293,34 @@ int vfs_ioc_fssetxattr_check(struct inode *inode, const struct fsxattr *old_fa, return 0; } EXPORT_SYMBOL(vfs_ioc_fssetxattr_check); + +/* + * Generic function to check FS_IOC_FSSETXATTR values and reject any invalid + * configurations. If none are found, flush all pending IO and dirty mappings + * before setting S_IMMUTABLE on an inode. If the flush fails we'll clear the + * flag before returning error. + * + * Note: the caller must hold whatever locks are necessary to block any other + * threads from starting a write to the file. + */ +int vfs_ioc_fssetxattr_prepare(struct inode *inode, + const struct fsxattr *old_fa, + struct fsxattr *fa) +{ + int ret; + + ret = vfs_ioc_fssetxattr_check(inode, old_fa, fa); + if (ret) + return ret; + + if (!S_ISREG(inode->i_mode) || IS_IMMUTABLE(inode) || + !(fa->fsx_xflags & FS_XFLAG_IMMUTABLE)) + return 0; + + inode_set_flags(inode, S_IMMUTABLE, S_IMMUTABLE); + ret = inode_drain_writes(inode); + if (ret) + inode_set_flags(inode, 0, S_IMMUTABLE); + return ret; +} +EXPORT_SYMBOL(vfs_ioc_fssetxattr_prepare); diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c index fe29aa61293c..552f18554c48 100644 --- a/fs/xfs/xfs_ioctl.c +++ b/fs/xfs/xfs_ioctl.c 
@@ -1057,6 +1057,30 @@ xfs_ioctl_setattr_xflags( return 0; } +/* + * If we're setting immutable on a regular file, we need to prevent new writes. + * Once we've done that, we must wait for all the other writes to complete. + * + * The caller must use @join_flags to release the locks which are held on @ip + * regardless of return value. + */ +static int +xfs_ioctl_setattr_drain_writes( + struct xfs_inode *ip, + const struct fsxattr *fa, + int *join_flags) +{ + struct inode *inode = VFS_I(ip); + + if (!S_ISREG(inode->i_mode) || !(fa->fsx_xflags & FS_XFLAG_IMMUTABLE)) + return 0; + + *join_flags = XFS_IOLOCK_EXCL | XFS_MMAPLOCK_EXCL; + xfs_ilock(ip, *join_flags); + + return inode_drain_writes(inode); +} + /* * If we are changing DAX flags, we have to ensure the file is clean and any * cached objects in the address space are invalidated and removed. This @@ -1064,6 +1088,9 @@ xfs_ioctl_setattr_xflags( * operation. The locks need to be held until the transaction has been committed * so that the cache invalidation is atomic with respect to the DAX flag * manipulation. + * + * The caller must use @join_flags to release the locks which are held on @ip + * regardless of return value. */ static int xfs_ioctl_setattr_dax_invalidate( @@ -1075,8 +1102,6 @@ xfs_ioctl_setattr_dax_invalidate( struct super_block *sb = inode->i_sb; int error; - *join_flags = 0; - /* * It is only valid to set the DAX flag on regular files and * directories on filesystems where the block size is equal to the page 
@@ -1102,21 +1127,15 @@ xfs_ioctl_setattr_dax_invalidate( return 0; /* lock, flush and invalidate mapping in preparation for flag change */ - xfs_ilock(ip, XFS_MMAPLOCK_EXCL | XFS_IOLOCK_EXCL); - error = filemap_write_and_wait(inode->i_mapping); - if (error) - goto out_unlock; - error = invalidate_inode_pages2(inode->i_mapping); - if (error) - goto out_unlock; - - *join_flags = XFS_MMAPLOCK_EXCL | XFS_IOLOCK_EXCL; - return 0; - -out_unlock: - xfs_iunlock(ip, XFS_MMAPLOCK_EXCL | XFS_IOLOCK_EXCL); - return error; + if (*join_flags == 0) { + *join_flags = XFS_MMAPLOCK_EXCL | XFS_IOLOCK_EXCL; + xfs_ilock(ip, *join_flags); + error = filemap_write_and_wait(inode->i_mapping); + if (error) + return error; + } + return invalidate_inode_pages2(inode->i_mapping); } /* @@ -1325,6 +1344,12 @@ xfs_ioctl_setattr( return code; } + code = xfs_ioctl_setattr_drain_writes(ip, fa, &join_flags); + if (code) { + xfs_iunlock(ip, join_flags); + goto error_free_dquots; + } + /* * Changing DAX config may require inode locking for mapping * invalidation. These need to be held all the way to transaction commit @@ -1333,8 +1358,10 @@ xfs_ioctl_setattr( * appropriately. */ code = xfs_ioctl_setattr_dax_invalidate(ip, fa, &join_flags); - if (code) + if (code) { + xfs_iunlock(ip, join_flags); goto error_free_dquots; + } tp = xfs_ioctl_setattr_get_trans(ip, join_flags); if (IS_ERR(tp)) { @@ -1484,6 +1511,12 @@ xfs_ioc_setxflags( if (error) return error; + error = xfs_ioctl_setattr_drain_writes(ip, &fa, &join_flags); + if (error) { + xfs_iunlock(ip, join_flags); + goto out_drop_write; + } + /* * Changing DAX config may require inode locking for mapping * invalidation. These need to be held all the way to transaction commit @@ -1492,8 +1525,10 @@ xfs_ioc_setxflags( * appropriately. */ error = xfs_ioctl_setattr_dax_invalidate(ip, &fa, &join_flags); - if (error) + if (error) { + xfs_iunlock(ip, join_flags); goto out_drop_write; + } tp = xfs_ioctl_setattr_get_trans(ip, join_flags); if (IS_ERR(tp)) { 
diff --git a/include/linux/fs.h b/include/linux/fs.h index 0efe749de577..73a8bd789e36 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h 
@@ -3560,6 +3560,9 @@ int vfs_ioc_setflags_prepare(struct inode *inode, unsigned int oldflags, int vfs_ioc_fssetxattr_check(struct inode *inode, const struct fsxattr *old_fa, struct fsxattr *fa); +int vfs_ioc_fssetxattr_prepare(struct inode *inode, + const struct fsxattr *old_fa, + struct fsxattr *fa); static inline void simple_fill_fsxattr(struct fsxattr *fa, __u32 xflags) { From patchwork Fri Jun 28 18:35:07 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Darrick J. Wong" X-Patchwork-Id: 11023203 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 857B1138D for ; Fri, 28 Jun 2019 18:35:40 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 53E6628174 for ; Fri, 28 Jun 2019 18:35:40 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 4812A2846C; Fri, 28 Jun 2019 18:35:40 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.3 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 Received: from userp2130.oracle.com (userp2130.oracle.com [156.151.31.86]) (using TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id E0D8C28174 for ; Fri, 28 Jun 2019 18:35:39 +0000 (UTC) Received: from pps.filterd (userp2130.oracle.com [127.0.0.1]) by userp2130.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x5SIZ53a109318; Fri, 28 Jun 2019 18:35:15 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : date : message-id : in-reply-to : references : mime-version : cc : subject 
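Review bot: in the fs/xfs/xfs_ioctl.c hunks of [PATCH 3/4], the new error paths in xfs_ioctl_setattr() and xfs_ioc_setxflags() call xfs_iunlock(ip, join_flags) unconditionally, while xfs_ioctl_setattr_dax_invalidate() no longer resets *join_flags. When neither helper took a lock, join_flags holds whatever the caller initialised it to, and that initialisation is outside these hunks. Guard the unlock with a test on join_flags, and confirm both callers start with join_flags = 0 now that the "*join_flags = 0;" line is gone.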
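Review bot: xfs_ioctl_setattr_drain_writes() in [PATCH 3/4] has no IS_IMMUTABLE(inode) short-circuit, unlike vfs_ioc_fssetxattr_prepare(), so every FSSETXATTR call that carries FS_XFLAG_IMMUTABLE on a regular file takes both exclusive locks and flushes even when the flag is already set. Add the same test the generic helper uses, or say in the function comment why XFS needs the drain regardless.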
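Review bot: in the fs/inode.c hunk of [PATCH 3/4], the tail of vfs_ioc_fssetxattr_prepare() repeats the set-flag, drain, roll-back sequence from vfs_ioc_setflags_prepare() line for line. A small static helper taking the inode would keep the two ioctl paths from drifting apart when one of them is changed later.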
: list-id : list-unsubscribe : list-archive : list-post : list-help : list-subscribe : content-type : content-transfer-encoding : sender; s=corp-2018-07-02; bh=dcqvClx2AIhxuzaQbwVbhi03RZsNiZEYTFmr+CuIdjo=; b=ZN7yeZRJgquNWWKb7x8vGtg7uj4Rm82KnXX5XQIt7G0qe4wTYUYDIq3y/ZoIkDs4KsKd GhPS1kAH8f31FbWhrb+nOYaOdwT/mjkxASQtZMK2wuA/ot5KxJboyE9HMsfX2p/zrrzw Yuz1xL2yCcEic1gynvnqxEIAIKYxHyBcYiz3WXWQHHLJlqn1aygycQ5BAdrDkrYzhbrX 3WZVQP1OvESqEcdV4J34f12gSPySVHHdNzP88Lgx4GtYXWTbxuv11C0Dbl8KtYD8vqI7 VMkIg8H6yInHTrNqMX9yXSWLxRYmOWINI0w45sdp54TK41aALGaM32430fZbtNkMZ+9E Jg== Received: from aserv0021.oracle.com (aserv0021.oracle.com [141.146.126.233]) by userp2130.oracle.com with ESMTP id 2t9brtq3k4-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 28 Jun 2019 18:35:15 +0000 Received: from oss.oracle.com (oss-old-reserved.oracle.com [137.254.22.2]) by aserv0021.oracle.com (8.14.4/8.14.4) with ESMTP id x5SIZEJI004357 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 28 Jun 2019 18:35:14 GMT Received: from localhost ([127.0.0.1] helo=lb-oss.oracle.com) by oss.oracle.com with esmtp (Exim 4.63) (envelope-from ) id 1hgviM-0003cR-KU; Fri, 28 Jun 2019 11:35:14 -0700 Received: from aserp3030.oracle.com ([141.146.126.71]) by oss.oracle.com with esmtp (Exim 4.63) (envelope-from ) id 1hgviK-0003Zy-Ud for ocfs2-devel@oss.oracle.com; Fri, 28 Jun 2019 11:35:12 -0700 Received: from pps.filterd (aserp3030.oracle.com [127.0.0.1]) by aserp3030.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x5SIXp6s079251 for ; Fri, 28 Jun 2019 18:35:12 GMT Authentication-Results: aserp3010.oracle.com; spf=pass smtp.mailfrom=darrick.wong@oracle.com; dmarc=pass header.from=oracle.com Received: from pps.reinject (localhost [127.0.0.1]) by aserp3030.oracle.com with ESMTP id 2t9acdyegm-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL) for ; Fri, 28 Jun 2019 18:35:12 +0000 Received: from aserp3030.oracle.com (aserp3030.oracle.com [127.0.0.1]) by 
pps.reinject (8.16.0.27/8.16.0.27) with SMTP id x5SIZCBm081341 for ; Fri, 28 Jun 2019 18:35:12 GMT Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75]) by aserp3030.oracle.com with ESMTP id 2t9acdyegg-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 28 Jun 2019 18:35:12 +0000 Received: from abhmp0014.oracle.com (abhmp0014.oracle.com [141.146.116.20]) by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id x5SIZA31029198; Fri, 28 Jun 2019 18:35:10 GMT Received: from localhost (/67.169.218.210) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 28 Jun 2019 11:35:10 -0700 
From: "Darrick J. Wong"
To: matthew.garrett@nebula.com, yuchao0@huawei.com, tytso@mit.edu, darrick.wong@oracle.com, ard.biesheuvel@linaro.org, josef@toxicpanda.com, hch@infradead.org, clm@fb.com, adilger.kernel@dilger.ca, viro@zeniv.linux.org.uk, jack@suse.com, dsterba@suse.com, jaegeuk@kernel.org, jk@ozlabs.org
Date: Fri, 28 Jun 2019 11:35:07 -0700
Message-ID: <156174690758.1557469.9258105121276292687.stgit@magnolia>
In-Reply-To: <156174687561.1557469.7505651950825460767.stgit@magnolia>
References: <156174687561.1557469.7505651950825460767.stgit@magnolia>
User-Agent: StGit/0.17.1-dirty
Cc: linux-efi@vger.kernel.org, linux-btrfs@vger.kernel.org, linux-kernel@vger.kernel.org, reiserfs-devel@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, linux-xfs@vger.kernel.org, linux-mm@kvack.org, linux-nilfs@vger.kernel.org, linux-mtd@lists.infradead.org, ocfs2-devel@oss.oracle.com, linux-fsdevel@vger.kernel.org, linux-ext4@vger.kernel.org, devel@lists.orangefs.org
Subject: [Ocfs2-devel] [PATCH 4/4] vfs: don't allow most setxattr to immutable files
From: Darrick J. Wong The chattr manpage has this to say about immutable files: "A file with the 'i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be opened in write mode." However, we don't actually check the immutable flag in the setattr code, which means that we can update inode flags and project ids and extent size hints on supposedly immutable files. Therefore, reject setflags and fssetxattr calls on an immutable file if the file is immutable and will remain that way. Signed-off-by: Darrick J. Wong --- fs/inode.c | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/fs/inode.c b/fs/inode.c index cf07378e5731..4261c709e50e 100644 --- a/fs/inode.c +++ b/fs/inode.c @@ -2214,6 +2214,14 @@ int vfs_ioc_setflags_prepare(struct inode *inode, unsigned int oldflags, !capable(CAP_LINUX_IMMUTABLE)) return -EPERM; + /* + * We aren't allowed to change any other flags if the immutable flag is + * already set and is not being unset. + */ + if ((oldflags & FS_IMMUTABLE_FL) && (flags & FS_IMMUTABLE_FL) && + oldflags != flags) + return -EPERM; + /* * Now that we're done checking the new flags, flush all pending IO and * dirty mappings before setting S_IMMUTABLE on an inode via 
@@ -2284,6 +2292,25 @@ int vfs_ioc_fssetxattr_check(struct inode *inode, const struct fsxattr *old_fa, !(S_ISREG(inode->i_mode) || S_ISDIR(inode->i_mode))) return -EINVAL; + /* + * We aren't allowed to change any fields if the immutable flag is + * already set and is not being unset. + */ + if ((old_fa->fsx_xflags & FS_XFLAG_IMMUTABLE) && + (fa->fsx_xflags & FS_XFLAG_IMMUTABLE)) { + if (old_fa->fsx_xflags != fa->fsx_xflags) + return -EPERM; + if (old_fa->fsx_projid != fa->fsx_projid) + return -EPERM; + if ((fa->fsx_xflags & (FS_XFLAG_EXTSIZE | + FS_XFLAG_EXTSZINHERIT)) && + old_fa->fsx_extsize != fa->fsx_extsize) + return -EPERM; + if ((old_fa->fsx_xflags & FS_XFLAG_COWEXTSIZE) && + old_fa->fsx_cowextsize != fa->fsx_cowextsize) + return -EPERM; + } + /* Extent size hints of zero turn off the flags. */ if (fa->fsx_extsize == 0) fa->fsx_xflags &= ~(FS_XFLAG_EXTSIZE | FS_XFLAG_EXTSZINHERIT);
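Review bot: in the vfs_ioc_setflags_prepare() hunk, the new test `oldflags != flags` compares the two flag words in full, so it is only correct if every caller passes both values with the same set of bits populated. If a filesystem builds oldflags from the inode (including bits userspace cannot set) but masks flags down to the user-settable set, a request that changes nothing on an immutable file would now get -EPERM. Please either state that requirement in the function's comment or compare under a mask of the modifiable flags. The new comment also says no other flag may change, while the subject line says "most"; the commit message should say which operations are meant to stay allowed.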
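Review bot: in the vfs_ioc_fssetxattr_check() hunk, the extent size test is gated on `fa->fsx_xflags & (FS_XFLAG_EXTSIZE | FS_XFLAG_EXTSZINHERIT)`, so when neither flag is set a changed fsx_extsize passes the immutable check, and the same holds for fsx_cowextsize without FS_XFLAG_COWEXTSIZE. If any filesystem stores the hint value regardless of the flag, that is still a write to an immutable inode, so either compare both sizes unconditionally or add a comment explaining why an unflagged hint is safe to ignore. The two tests also read the flag from different structs (fa for extsize, old_fa for cowextsize); because the first test has already required old_fa->fsx_xflags == fa->fsx_xflags they are equivalent, and using the same struct for both would make that obvious to the reader.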