Syzbot recently found a number of issues related to incremental-fs
(see bug numbers below). All have to do with the fact that incr-fs
allows mounts of the same source and target multiple times.
This is a design decision and the user space component "Data Loader"
expects this to work for app re-install use case.
The mounting depth needs to be controlled, however, and only allowed
to be two levels deep. In case of more than two mount attempts the
driver needs to return an error.
In case of the issues listed below the common pattern is that the
reproducer calls:
mount("./file0", "./file0", "incremental-fs", 0, NULL)
many times and then invokes a file operation like chmod, setxattr,
or open on the ./file0. This causes a recursive call for all the
mounted instances, which eventually causes a stack overflow and
a kernel crash:
BUG: stack guard page was hit at ffffc90000c0fff8
kernel stack overflow (double-fault): 0000 [#1] PREEMPT SMP KASAN
This change also cleans up the mount error path to properly clean
allocated resources and call deactivate_locked_super(), which
causes the incfs_kill_sb() to be called, where the sb is freed.
Bug: 211066171
Bug: 213140206
Bug: 213215835
Bug: 211914587
Bug: 211213635
Bug: 213137376
Bug: 211161296
Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org>
Change-Id: I08d9b545a2715423296bf4beb67bdbbed78d1be1
The reverts in commits 07630c8073 (Revert "ANDROID: incremental-fs:
fix mount_fs issue") and 5db3e72c57 (Revert "ANDROID: incremental-fs:
remove index and incomplete dir on umount") were applied out of order,
resulting in a spurious call to kfree() being left over. Remove it.
Bug: 218732047
Signed-off-by: Steve Muckle <smuckle@google.com>
Change-Id: I6ae8d8a9775981a88d28e462b64b259bca905ffb
This reverts commit 6f915dd2af.
This is follow up cleanup after revert of:
"Revert "ANDROID: incremental-fs: fix mount_fs issue"
Bug: 220805927
Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org>
Change-Id: I2ff42145dd586ae6ae4c76c3136e1fad14c08952
This reverts commit 93717b608dd30f9d41b15a72e809238807c68026.
Test: Can now install the same apk twice, and repeated installs are
stable
Bug: 217661925
Signed-off-by: Paul Lawrence <paullawrence@google.com>
Change-Id: I86871c364c17a0d1107b3891a574b72edcf04ea2
(cherry picked from commit d107cd06f26b4d45b1079c7eb857815905198076)
Signed-off-by: Steve Muckle <smuckle@google.com>
Cleanup incremental-fs left overs on umount, otherwise incr-fs will
complain as below:
BUG: Dentry {i=47a,n=.incomplete} still in use [unmount of incremental-fs]
This requires vfs_rmdir() of the special index and incomplete dirs.
Also free options.sysfs_name in incfs_mount_fs() instead of in
incfs_free_mount_info() to make it consistent with incfs_remount_fs().
Since set_anon_super() was used in incfs_mount_fs() the incfs_kill_sb()
should use kill_anon_super() instead of generic_shutdown_super()
otherwise it will leak the pseudo dev_t that set_anon_super() allocates.
Bug: 211066171
Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org>
Change-Id: I7ea54db63513fc130e1997cbf79121015ee12405
It is possible that fget returns NULL. This needs to be handled
correctly in ioctl_permit_fill.
Bug: 212821226
Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org>
Change-Id: Iec8be21982afeab6794b78ab1a542671c52acea2
Syzbot recently found a number of issues related to incremental-fs
(see bug numbers below). All have to do with the fact that incr-fs
allows mounts of the same source and target multiple times.
The correct behavior for a file system is to allow only one such
mount, and then every subsequent attempt should fail with a -EBUSY
error code. In case of the issues listed below the common pattern
is that the reproducer calls:
mount("./file0", "./file0", "incremental-fs", 0, NULL)
many times and then invokes a file operation like chmod, setxattr,
or open on the ./file0. This causes a recursive call for all the
mounted instances, which eventually causes a stack overflow and
a kernel crash:
BUG: stack guard page was hit at ffffc90000c0fff8
kernel stack overflow (double-fault): 0000 [#1] PREEMPT SMP KASAN
The reason why many mounts with the same source and target are
possible is because the incfs_mount_fs() as it is allocates a new
super_block for every call, regardless of whether a given mount already
exists or not. This happens every time the sget() function is called
with a test param equal to NULL.
The correct behavior for an FS mount implementation is to call
appropriate mount vfs call for it's type, i.e. mount_bdev() for
a block device backed FS, mount_single() for a pseudo file system,
like sysfs that is mounted in a single, well know location, or
mount_nodev() for other special purpose FS like overlayfs.
In case of incremental-fs the open coded mount logic doesn't check
for abusive mount attempts such as overlays.
To fix this issue the logic needs to be changed to pass a proper
test function to sget() call, which then checks if a super_block
for a mount instance has already been allocated and also allows
the VFS to properly verify invalid mount attempts.
Bug: 211066171
Bug: 213140206
Bug: 213215835
Bug: 211914587
Bug: 211213635
Bug: 213137376
Bug: 211161296
Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org>
Change-Id: I66cfc3f1b5aaffb32b0845b2dad3ff26fe952e27
We have namespaces, so use them for all vfs-exported namespaces so that
filesystems can use them, but not anything else.
Some in-kernel drivers that do direct filesystem accesses (because they
serve up files) are also allowed access to these symbols to keep 'make
allmodconfig' builds working properly, but it is not needed for Android
kernel images.
Bug: 157965270
Bug: 210074446
Cc: Matthias Maennich <maennich@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Iaf6140baf3a18a516ab2d5c3966235c42f3f70de
This effectively locks down OWNERS approval to a small group to guard
the code base against unintentional breakages.
Bug: 194314089
Signed-off-by: Matthias Maennich <maennich@google.com>
Change-Id: Ifd1ea97639a622320ea83f901f6451e2e52b38d4
Prior change
ANDROID: Incremental fs: stat should return actual used blocks
adds blocks to getattr. Unfortunately the code always looks for the
backing file, and pseudo files don't have backing files, so getattr
fails for pseudo files.
Bug: 186567511
Test: incfs_test passes, can do incremental installs on test device
Signed-off-by: Paul Lawrence <paullawrence@google.com>
Change-Id: Ia3df87f3683e095d05c822b69747515963c95f1c
(cherry picked from commit 9d00e67d8b1145d0dff809b6194faa3c11e10615)
Sparse complains about casting a five byte number to a ulong on 32-bit
platorms. Fix by anding the constant with ULONG_MAX
Bug: 186015158
Test: incfs_test passes, sparse reports no warnings on 32 & 64 bit builds
Signed-off-by: Paul Lawrence <paullawrence@google.com>
Change-Id: Ic83e03626b7f290370d75b3aaba187b8392fb344
Adding seven sysfs entries per mount:
reads_failed_timed_out
reads_failed_hash_verification
reads_failed_other
reads_delayed_pending
reads_delayed_pending_us
reads_delayed_min
reads_delayed_min_us
to allow for status monitoring from userland
Change-Id: I50677511c2af4778ba0c574bb80323f31425b4d0
Test: incfs_test passes
Bug: 160634343
Bug: 184291759
Signed-off-by: Paul Lawrence <paullawrence@google.com>
Compiler (arm-linux-gnueabihf-gcc 8.3.0) complains about an invalid cast
of an __aligned_u64 integer to a pointer on 32-bit architectures. Using
u64_to_user_ptr() for the cast fixes the following warning:
fs/incfs/pseudo_files.c: In function ‘ioctl_create_file’:
fs/incfs/pseudo_files.c:656:10: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
656 | (u8 __user *)args.signature_info,
| ^
Bug: 183339614
Fixes: bc6a70e849 (ANDROID: Incremental fs: Remove signature checks from kernel)
Reported-by: kernelci.org bot <bot@kernelci.org>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Change-Id: I98a987fb83c160740796c0b4b3fdd7551880e12a
Use the correct printk specifier [%zu] for size_t variable.
This fixes the following warning:
fs/incfs/format.c: In function ‘incfs_read_next_metadata_record’:
./include/linux/kern_levels.h:5:18: warning: format ‘%ld’ expects argument of type ‘long int’, but argument 2 has type ‘size_t’ {aka ‘unsigned int’} [-Wformat=]
fs/incfs/format.c:669:3: note: in expansion of macro ‘pr_warn’
669 | pr_warn("incfs: The record is too large. Size: %ld",
| ^~~~~~~
Bug: 183339614
Fixes: c6819dd778 (ANDROID: Initial commit of Incremental FS)
Reported-by: kernelci.org bot <bot@kernelci.org>
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Change-Id: Ia784a9ced9fb6bc76e2f1baa495b3ccf568e3b1d
(cherry picked from commit d83b0684e15113d6053ba2dfdcac903d7038f707)
Backing file needs to have write permissions for all users
even though the mounted view doesn't - otherwise incfs can't
change the internal file data.
Bug: 180535478
Test: adb install <apk>
Signed-off-by: Yurii Zubrytskyi <zyy@google.com>
Signed-off-by: Paul Lawrence <paullawrence@google.com>
Change-Id: I5d7915b28072cff1508ba45b56e844cb678ca466
For incfs files that were created without a merkle tree, enabling verity
requires building a merkle tree first. Although this is the same logic
as verity performs, it is not that easy to reconcile the two given that
incfs has the merkle tree potentially when verity is not enabled.
Bug: 160634504
Test: incfs_test passes
Signed-off-by: Paul Lawrence <paullawrence@google.com>
Change-Id: Ia15a4051fa3362820846d65859e3af76b77f8cc4
Add ioctl to return the verity file digest, compatible with the identical
ioctl in fs/verity/.
Bug: 160634504
Test: incfs_test passes
Signed-off-by: Paul Lawrence <paullawrence@google.com>
Change-Id: I1bc2dc975b9be122e1c831a25a1d44f27a360f3c
Now fsverity state is preserved across inode eviction.
Added incfs.verity xattr to track when a file is fs-verity enabled.
Bug: 160634504
Test: incfs_test passes
Signed-off-by: Paul Lawrence <paullawrence@google.com>
Change-Id: I41d90abd55527884d9eff642c9834ad837ff6918
Add FS_IOC_GETFLAGS ioctl to incfs. Currently this will only get the
S_VERITY flag.
Bug: 160634504
Test: incfs_test passes
Signed-off-by: Paul Lawrence <paullawrence@google.com>
Change-Id: Id79add0db0d66f604ca0f222fe5faec91450ade5
Add FS_IOC_ENABLE_VERITY ioctl
When called, calculate measurement, validate signature against fsverity,
and set S_VERITY flag.
This does not (yet) preserve the verity status once the inode is
evicted.
Bug: 160634504
Test: incfs_test passes
Signed-off-by: Paul Lawrence <paullawrence@google.com>
Change-Id: I88af2721f650098accc72a64528c7d85b753c7f6
Bug: 177075428
Test: incfs_test passes
atest GtsIncrementalInstallTestCases has only 8 failures
Signed-off-by: Paul Lawrence <paullawrence@google.com>
Change-Id: I73accfc1982aec1cd7947996c25a23e4a97cfdac
.blocks_writen file handling was missing some operations:
SELinux xattr handlers, safety checks for it being a
pseudo file etc.
This CL generalizes pseudo file handling so that all such
files work in a generic way and next time it should be
easier to add all operations at once.
Bug: 175823975
Test: incfs_tests pass
Change-Id: Id2b1936018c81c62c8ab4cdbaa8827e2679b513f
Signed-off-by: Yurii Zubrytskyi <zyy@google.com>
Signed-off-by: Paul Lawrence <paullawrence@google.com>
Bug: 174692664
Test: incfs_test passes, incremental installs work with ag/13082306
Signed-off-by: Paul Lawrence <paullawrence@google.com>
Change-Id: Ib1c924bbaff759f58f7d83bad8e23d7224ba7ed9
Roll report_uid feature flag into v2 feature flag
Bug: 174478527
Test: Feature flag present on boot
Signed-off-by: Paul Lawrence <paullawrence@google.com>
Change-Id: I41ee9715904560004e25cc83a5ccc1eb1bdd2b1f
Rmove bc_mutex used to protect metadata chain, now that is only
read at file open time
Remove certain unused mount options
Bug: 172482559
Test: incfs_test passes
Signed-off-by: Paul Lawrence <paullawrence@google.com>
Change-Id: Id70e5a5d08e5de79f391e19ea97e356f39a3ed51
report_uid was not being initialized, leading to random behavior
Bug: 172480517
Test: incfs_test passes
Signed-off-by: Paul Lawrence <paullawrence@google.com>
Change-Id: Ib121136d6f570f99e9060bdde9aa43ff2995514e
Found by sparse:
fs/incfs/format.c:416:21: warning: incorrect type in assignment (different base types)
fs/incfs/format.c:416:21: expected restricted __le32 [assigned] [usertype] fh_flags
fs/incfs/format.c:416:21: got int
fs/incfs/pseudo_files.c:925:25: warning: incorrect type in argument 4 (different base types)
fs/incfs/pseudo_files.c:925:25: expected unsigned long long [usertype] size
fs/incfs/pseudo_files.c:925:25: got restricted __le64 [addressable] [assigned] [usertype] size_attr_value
fs/incfs/pseudo_files.c:925:42: warning: incorrect type in argument 5 (different base types)
fs/incfs/pseudo_files.c:925:42: expected unsigned long long [usertype] offset
fs/incfs/pseudo_files.c:925:42: got restricted __le64 [usertype]
fs/incfs/pseudo_files.c:1111:24: warning: incorrect type in return expression (different base types)
fs/incfs/pseudo_files.c:1111:24: expected restricted __poll_t
fs/incfs/pseudo_files.c:1111:24: got int
Bug: 169258814
Fixes: Sparse errors introduced by 3f4938108a, 8334d69e65 and cb776f4576
Test: incfs_test passes, sparse shows no errors
Signed-off-by: Paul Lawrence <paullawrence@google.com>
Change-Id: I48596e9521069fc77bf38c345a568529d61c77dc
