1. 14 Jun, 2018 1 commit
  2. 14 May, 2018 1 commit
  3. 29 Jan, 2018 1 commit
  4. 15 Jan, 2018 1 commit
    • David Windsor's avatar
      exofs: Define usercopy region in exofs_inode_cache slab cache · 2b06a9e3
      David Windsor authored
      
      
      The exofs short symlink names, stored in struct exofs_i_info.i_data and
      therefore contained in the exofs_inode_cache slab cache, need to be copied
      to/from userspace.
      
      cache object allocation:
          fs/exofs/super.c:
              exofs_alloc_inode(...):
                  ...
                  oi = kmem_cache_alloc(exofs_inode_cachep, GFP_KERNEL);
                  ...
                  return &oi->vfs_inode;
      
          fs/exofs/namei.c:
              exofs_symlink(...):
                  ...
                  inode->i_link = (char *)oi->i_data;
      
      example usage trace:
          readlink_copy+0x43/0x70
          vfs_readlink+0x62/0x110
          SyS_readlinkat+0x100/0x130
      
          fs/namei.c:
              readlink_copy(..., link):
                  ...
                  copy_to_user(..., link, len);
      
              (inlined in vfs_readlink)
              generic_readlink(dentry, ...):
                  struct inode *inode = d_inode(dentry);
                  const char *link = inode->i_link;
                  ...
                  readlink_copy(..., link);
      
      In support of usercopy hardening, this patch defines a region in the
      exofs_inode_cache slab cache in which userspace copy operations are
      allowed.
      
      This region is known as the slab cache's usercopy region. Slab caches
      can now check that each dynamically sized copy operation involving
      cache-managed memory falls entirely within the slab's usercopy region.
      
      This patch is modified from Brad Spengler/PaX Team's PAX_USERCOPY
      whitelisting code in the last public patch of grsecurity/PaX based on my
      understanding of the code. Changes or omissions from the original code are
      mine and don't reflect the original grsecurity/PaX code.
      Signed-off-by: default avatarDavid Windsor <dave@nullcore.net>
      [kees: adjust commit log, provide usage trace]
      Cc: Boaz Harrosh <ooo@electrozaur.com>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      2b06a9e3
  5. 20 Apr, 2017 1 commit
  6. 18 Apr, 2016 1 commit
  7. 10 Apr, 2016 1 commit
  8. 15 Jan, 2016 1 commit
    • Vladimir Davydov's avatar
      kmemcg: account certain kmem allocations to memcg · 5d097056
      Vladimir Davydov authored
      
      
      Mark those kmem allocations that are known to be easily triggered from
      userspace as __GFP_ACCOUNT/SLAB_ACCOUNT, which makes them accounted to
      memcg.  For the list, see below:
      
       - threadinfo
       - task_struct
       - task_delay_info
       - pid
       - cred
       - mm_struct
       - vm_area_struct and vm_region (nommu)
       - anon_vma and anon_vma_chain
       - signal_struct
       - sighand_struct
       - fs_struct
       - files_struct
       - fdtable and fdtable->full_fds_bits
       - dentry and external_name
       - inode for all filesystems. This is the most tedious part, because
         most filesystems overwrite the alloc_inode method.
      
      The list is far from complete, so feel free to add more objects.
      Nevertheless, it should be close to "account everything" approach and
      keep most workloads within bounds.  Malevolent users will be able to
      breach the limit, but this was possible even with the former "account
      everything" approach (simply because it did not account everything in
      fact).
      
      [akpm@linux-foundation.org: coding-style fixes]
      Signed-off-by: default avatarVladimir Davydov <vdavydov@virtuozzo.com>
      Acked-by: default avatarJohannes Weiner <hannes@cmpxchg.org>
      Acked-by: default avatarMichal Hocko <mhocko@suse.com>
      Cc: Tejun Heo <tj@kernel.org>
      Cc: Greg Thelen <gthelen@google.com>
      Cc: Christoph Lameter <cl@linux.com>
      Cc: Pekka Enberg <penberg@kernel.org>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      5d097056
  9. 15 Apr, 2015 1 commit
  10. 20 Jan, 2015 1 commit
  11. 19 Oct, 2014 1 commit
  12. 03 Apr, 2014 1 commit
  13. 04 Mar, 2013 1 commit
    • Eric W. Biederman's avatar
      fs: Limit sys_mount to only request filesystem modules. · 7f78e035
      Eric W. Biederman authored
      
      
      Modify the request_module to prefix the file system type with "fs-"
      and add aliases to all of the filesystems that can be built as modules
      to match.
      
      A common practice is to build all of the kernel code and leave code
      that is not commonly needed as modules, with the result that many
      users are exposed to any bug anywhere in the kernel.
      
      Looking for filesystems with a fs- prefix limits the pool of possible
      modules that can be loaded by mount to just filesystems trivially
      making things safer with no real cost.
      
      Using aliases means user space can control the policy of which
      filesystem modules are auto-loaded by editing /etc/modprobe.d/*.conf
      with blacklist and alias directives.  Allowing simple, safe,
      well understood work-arounds to known problematic software.
      
      This also addresses a rare but unfortunate problem where the filesystem
      name is not the same as it's module name and module auto-loading
      would not work.  While writing this patch I saw a handful of such
      cases.  The most significant being autofs that lives in the module
      autofs4.
      
      This is relevant to user namespaces because we can reach the request
      module in get_fs_type() without having any special permissions, and
      people get uncomfortable when a user specified string (in this case
      the filesystem type) goes all of the way to request_module.
      
      After having looked at this issue I don't think there is any
      particular reason to perform any filtering or permission checks beyond
      making it clear in the module request that we want a filesystem
      module.  The common pattern in the kernel is to call request_module()
      without regards to the users permissions.  In general all a filesystem
      module does once loaded is call register_filesystem() and go to sleep.
      Which means there is not much attack surface exposed by loading a
      filesytem module unless the filesystem is mounted.  In a user
      namespace filesystems are not mounted unless .fs_flags = FS_USERNS_MOUNT,
      which most filesystems do not set today.
      Acked-by: default avatarSerge Hallyn <serge.hallyn@canonical.com>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Reported-by: default avatarKees Cook <keescook@google.com>
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      7f78e035
  14. 10 Oct, 2012 1 commit
  15. 03 Oct, 2012 1 commit
  16. 02 Aug, 2012 1 commit
  17. 21 May, 2012 1 commit
    • Sachin Bhamare's avatar
      exofs: Add SYSFS info for autologin/pNFS export · 8b56a30c
      Sachin Bhamare authored
      
      
      Introduce sysfs infrastructure for exofs cluster filesystem.
      
      Each OSD target shows up as below in the sysfs hierarchy:
      	/sys/fs/exofs/<osdname>_<partition_id>/devX
      
      Where <osdname>_<partition_id> is the unique identification
      of a Superblock.
      
      Where devX: 0 <= X < device_table_size. They are ordered
      in device-table order as specified to the mkfs.exofs command
      
      Each OSD device  devX has following attributes :
      	osdname - ReadOnly
      	systemid - ReadOnly
      	uri - Read/Write
      
      It is up to user-mode to update devX/uri for support of
      autologin.
      
      These sysfs information are used both for autologin as well
      as support for exporting exofs via a pNFSD server in user-mode.
      (.eg NFS-Ganesha)
      Signed-off-by: default avatarSachin Bhamare <sbhamare@panasas.com>
      Signed-off-by: default avatarBoaz Harrosh <bharrosh@panasas.com>
      8b56a30c
  18. 20 May, 2012 1 commit
    • Boaz Harrosh's avatar
      exofs: Fix CRASH on very early IO errors. · 6abe4a87
      Boaz Harrosh authored
      
      
      If at exofs_fill_super() we had an early termination
      do to any error, like an IO error while reading the
      super-block. We would crash inside exofs_free_sbi().
      
      This is because sbi->oc.numdevs was set to 1, before
      we actually have a device table at all.
      
      Fix it by moving the sbi->oc.numdevs = 1 to after the
      allocation of the device table.
      Reported-by: default avatarJohannes Schild <JSchild@gmx.de>
      
      Stable: This is a bug since v3.2.0
      CC: Stable Tree <stable@kernel.org>
      Signed-off-by: default avatarBoaz Harrosh <bharrosh@panasas.com>
      6abe4a87
  19. 21 Mar, 2012 2 commits
  20. 19 Mar, 2012 3 commits
  21. 09 Jan, 2012 1 commit
  22. 04 Jan, 2012 1 commit
    • Al Viro's avatar
      vfs: fix the stupidity with i_dentry in inode destructors · 6b520e05
      Al Viro authored
      
      
      Seeing that just about every destructor got that INIT_LIST_HEAD() copied into
      it, there is no point whatsoever keeping this INIT_LIST_HEAD in inode_init_once();
      the cost of taking it into inode_init_always() will be negligible for pipes
      and sockets and negative for everything else.  Not to mention the removal of
      boilerplate code from ->destroy_inode() instances...
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      6b520e05
  23. 31 Oct, 2011 1 commit
    • Paul Gortmaker's avatar
      fs: add module.h to files that were implicitly using it · 143cb494
      Paul Gortmaker authored
      
      
      Some files were using the complete module.h infrastructure without
      actually including the header at all.  Fix them up in advance so
      once the implicit presence is removed, we won't get failures like this:
      
        CC [M]  fs/nfsd/nfssvc.o
      fs/nfsd/nfssvc.c: In function 'nfsd_create_serv':
      fs/nfsd/nfssvc.c:335: error: 'THIS_MODULE' undeclared (first use in this function)
      fs/nfsd/nfssvc.c:335: error: (Each undeclared identifier is reported only once
      fs/nfsd/nfssvc.c:335: error: for each function it appears in.)
      fs/nfsd/nfssvc.c: In function 'nfsd':
      fs/nfsd/nfssvc.c:555: error: implicit declaration of function 'module_put_and_exit'
      make[3]: *** [fs/nfsd/nfssvc.o] Error 1
      Signed-off-by: default avatarPaul Gortmaker <paul.gortmaker@windriver.com>
      143cb494
  24. 14 Oct, 2011 1 commit
    • Boaz Harrosh's avatar
      ore/exofs: Define new ore_verify_layout · 5a51c0c7
      Boaz Harrosh authored
      
      
      All users of the ore will need to check if current code
      supports the given layout. For example RAID5/6 is not
      currently supported.
      
      So move all the checks from exofs/super.c to a new
      ore_verify_layout() to be used by ore users.
      
      Note that any new layout should be passed through the
      ore_verify_layout() because the ore engine will prepare
      and verify some internal members of ore_layout, and
      assumes it's called.
      Signed-off-by: default avatarBoaz Harrosh <bharrosh@panasas.com>
      5a51c0c7
  25. 04 Oct, 2011 1 commit
    • Boaz Harrosh's avatar
      ore/exofs: Change the type of the devices array (API change) · d866d875
      Boaz Harrosh authored
      
      
      In the pNFS obj-LD the device table at the layout level needs
      to point to a device_cache node, where it is possible and likely
      that many layouts will point to the same device-nodes.
      
      In Exofs we have a more orderly structure where we have a single
      array of devices that repeats twice for a round-robin view of the
      device table
      
      This patch moves to a model that can be used by the pNFS obj-LD
      where struct ore_components holds an array of ore_dev-pointers.
      (ore_dev is newly defined and contains a struct osd_dev *od
       member)
      
      Each pointer in the array of pointers will point to a bigger
      user-defined dev_struct. That can be accessed by use of the
      container_of macro.
      
      In Exofs an __alloc_dev_table() function allocates the
      ore_dev-pointers array as well as an exofs_dev array, in one
      allocation and does the addresses dance to set everything pointing
      correctly. It still keeps the double allocation trick for the
      inodes round-robin view of the table.
      
      The device table is always allocated dynamically, also for the
      single device case. So it is unconditionally freed at umount.
      Signed-off-by: default avatarBoaz Harrosh <bharrosh@panasas.com>
      d866d875
  26. 03 Oct, 2011 3 commits
  27. 07 Aug, 2011 3 commits
    • Boaz Harrosh's avatar
      exofs: Rename raid engine from exofs/ios.c => ore · 8ff660ab
      Boaz Harrosh authored
      
      
      ORE stands for "Objects Raid Engine"
      
      This patch is a mechanical rename of everything that was in ios.c
      and its API declaration to an ore.c and an osd_ore.h header. The ore
      engine will later be used by the pnfs objects layout driver.
      
      * File ios.c => ore.c
      
      * Declaration of types and API are moved from exofs.h to a new
        osd_ore.h
      
      * All used types are prefixed by ore_ from their exofs_ name.
      
      * Shift includes from exofs.h to osd_ore.h so osd_ore.h is
        independent, include it from exofs.h.
      
      Other than a pure rename there are no other changes. Next patch
      will move the ore into it's own module and will export the API
      to be used by exofs and later the layout driver
      Signed-off-by: default avatarBoaz Harrosh <bharrosh@panasas.com>
      8ff660ab
    • Boaz Harrosh's avatar
      exofs: ios: Move to a per inode components & device-table · 9e9db456
      Boaz Harrosh authored
      
      
      Exofs raid engine was saving on memory space by having a single layout-info,
      single pid, and a single device-table, global to the filesystem. Then passing
      a credential and object_id info at the io_state level, private for each
      inode. It would also devise this contraption of rotating the device table
      view for each inode->ino to spread out the device usage.
      
      This is not compatible with the pnfs-objects standard, demanding that
      each inode can have it's own layout-info, device-table, and each object
      component it's own pid, oid and creds.
      
      So: Bring exofs raid engine to be usable for generic pnfs-objects use by:
      
      * Define an exofs_comp structure that holds obj_id and credential info.
      
      * Break up exofs_layout struct to an exofs_components structure that holds a
        possible array of exofs_comp and the array of devices + the size of the
        arrays.
      
      * Add a "comps" parameter to get_io_state() that specifies the ids creds
        and device array to use for each IO.
      
        This enables to keep the layout global, but the device-table view, creds
        and IDs at the inode level. It only adds two 64bit to each inode, since
        some of these members already existed in another form.
      
      * ios raid engine now access layout-info and comps-info through the passed
        pointers. Everything is pre-prepared by caller for generic access of
        these structures and arrays.
      
      At the exofs Level:
      
      * Super block holds an exofs_components struct that holds the device
        array, previously in layout. The devices there are in device-table
        order. The device-array is twice bigger and repeats the device-table
        twice so now each inode's device array can point to a random device
        and have a round-robin view of the table, making it compatible to
        previous exofs versions.
      
      * Each inode has an exofs_components struct that is initialized at
        load time, with it's own view of the device table IDs and creds.
        When doing IO this gets passed to the io_state together with the
        layout.
      
      While preforming this change. Bugs where found where credentials with the
      wrong IDs where used to access the different SB objects (super.c). As well
      as some dead code. It was never noticed because the target we use does not
      check the credentials.
      Signed-off-by: default avatarBoaz Harrosh <bharrosh@panasas.com>
      9e9db456
    • Boaz Harrosh's avatar
      exofs: Move exofs specific osd operations out of ios.c · 85e44df4
      Boaz Harrosh authored
      
      
      ios.c will be moving to an external library, for use by the
      objects-layout-driver. Remove from it some exofs specific functions.
      
      Also g_attr_logical_length is used both by inode.c and ios.c
      move definition to the later, to keep it independent
      Signed-off-by: default avatarBoaz Harrosh <bharrosh@panasas.com>
      85e44df4
  28. 04 Aug, 2011 2 commits
    • Boaz Harrosh's avatar
      exofs: Small cleanup of exofs_fill_super · 9ce73047
      Boaz Harrosh authored
      
      
      Small cleanup that unifies duplicated code used in both the
      error and success cases
      Signed-off-by: default avatarBoaz Harrosh <bharrosh@panasas.com>
      9ce73047
    • Boaz Harrosh's avatar
      exofs: BUG: Avoid sbi realloc · 6d4073e8
      Boaz Harrosh authored
      
      
      Since the beginning we realloced the sbi structure when a bigger
      then one device table was specified. (I know that was really stupid).
      
      Then much later when "register bdi" was added (By Jens) it was
      registering the pointer to sbi->bdi before the realloc.
      
      We never saw this problem because up till now the realloc did not
      do anything since the device table was small enough to fit in the
      original allocation. But once we starting testing with large device
      tables (Bigger then 28) we noticed the crash of writeback operating
      on a deallocated pointer.
      
      * Avoid the all mess by allocating the device-table as a second array
        and get rid of the variable-sized structure and the rest of this
        mess.
      * Take the chance to clean near by structures and comments.
      * Add a needed dprint on startup to indicate the loaded layout.
      * Also move the bdi registration to the very end because it will
        only fail in a low memory, which will probably fail before hand.
        There are many more likely causes to not load before that. This
        way the error handling is made simpler. (Just doing this would be
        enough to fix the BUG)
      Signed-off-by: default avatarBoaz Harrosh <bharrosh@panasas.com>
      6d4073e8
  29. 18 Jul, 2011 1 commit
  30. 15 Mar, 2011 3 commits
    • Boaz Harrosh's avatar
      exofs: deprecate the commands pending counter · a49fb4c3
      Boaz Harrosh authored
      
      
      One leftover from the days of IBM's original code, is an SB counter
      that counts in-flight asynchronous commands. And a piece of code that
      waits for the counter to reach zero at unmount. I guess it might have
      been needed then, cause of some reference missing or something.
      
      I'm not removing it yet but am putting a warning message if ever this
      counter triggers at unmount. If I'll never see it triggers or reported
      I'll remove the counter for good.
      (I had this print as a debug output for a long time and never had it
       trigger)
      Signed-off-by: default avatarBoaz Harrosh <bharrosh@panasas.com>
      a49fb4c3
    • Boaz Harrosh's avatar
      exofs: Write sbi->s_nextid as part of the Create command · 1cea312a
      Boaz Harrosh authored
      
      
      Before when creating a new inode, we'd set the sb->s_dirt flag,
      and sometime later the system would write out s_nextid as part
      of the sb_info. Also on inode sync we would force the sb sync
      as well.
      
      Define the s_nextid as a new partition attribute and set it
      every time we create a new object.
      At mount we read it from it's new place.
      
      We now never set sb->s_dirt anywhere in exofs. write_super
      is actually never called. The call to exofs_write_super from
      exofs_put_super is also removed because the VFS always calls
      ->sync_fs before calling ->put_super twice.
      
      To stay backward-and-forward compatible we also write the old
      s_nextid in the super_block object at unmount, and support zero
      length attribute on mount.
      
      This also fixes a BUG where in layouts when group_width was not
      a divisor of EXOFS_SUPER_ID (0x10000) the s_nextid was not read
      from the device it was written to. Because of the sliding window
      layout trick, and because the read was always done from the 0
      device but the write was done via the raid engine that might slide
      the device view. Now we read and write through the raid engine.
      Signed-off-by: default avatarBoaz Harrosh <bharrosh@panasas.com>
      1cea312a
    • Boaz Harrosh's avatar
      exofs: Add option to mount by osdname · 9ed96484
      Boaz Harrosh authored
      
      
      If /dev/osd* devices are shuffled because more devices
      where added, and/or login order has changed. It is hard to
      mount the FS you want.
      
      Add an option to mount by osdname. osdname is any osd-device's
      osdname as specified to the mkfs.exofs command when formatting
      the osd-devices.
      The new mount format is:
      	OPT="osdname=$UUID0,pid=$PID,_netdev"
      	mount -t exofs -o $OPT $DEV_OSD0 $MOUNTDIR
      
      if "osdname=" is specified in options above $DEV_OSD0 is
      ignored and can be empty.
      
      Also while at it: Removed some old unused Opt_* enums.
      Signed-off-by: default avatarBoaz Harrosh <bharrosh@panasas.com>
      9ed96484