aboutsummaryrefslogtreecommitdiffstats
path: root/fs/ecryptfs
diff options
context:
space:
mode:
Diffstat (limited to 'fs/ecryptfs')
-rw-r--r--fs/ecryptfs/Kconfig2
-rw-r--r--fs/ecryptfs/crypto.c75
-rw-r--r--fs/ecryptfs/ecryptfs_kernel.h155
-rw-r--r--fs/ecryptfs/file.c30
-rw-r--r--fs/ecryptfs/inode.c136
-rw-r--r--fs/ecryptfs/keystore.c64
-rw-r--r--fs/ecryptfs/main.c23
-rw-r--r--fs/ecryptfs/miscdev.c56
-rw-r--r--fs/ecryptfs/read_write.c37
9 files changed, 281 insertions, 297 deletions
diff --git a/fs/ecryptfs/Kconfig b/fs/ecryptfs/Kconfig
index 1cd6d9d3e29..cc16562654d 100644
--- a/fs/ecryptfs/Kconfig
+++ b/fs/ecryptfs/Kconfig
@@ -1,6 +1,6 @@
1config ECRYPT_FS 1config ECRYPT_FS
2 tristate "eCrypt filesystem layer support (EXPERIMENTAL)" 2 tristate "eCrypt filesystem layer support (EXPERIMENTAL)"
3 depends on EXPERIMENTAL && KEYS && CRYPTO 3 depends on EXPERIMENTAL && KEYS && CRYPTO && (ENCRYPTED_KEYS || ENCRYPTED_KEYS=n)
4 select CRYPTO_ECB 4 select CRYPTO_ECB
5 select CRYPTO_CBC 5 select CRYPTO_CBC
6 select CRYPTO_MD5 6 select CRYPTO_MD5
diff --git a/fs/ecryptfs/crypto.c b/fs/ecryptfs/crypto.c
index 58609bde3b9..68b19ab0481 100644
--- a/fs/ecryptfs/crypto.c
+++ b/fs/ecryptfs/crypto.c
@@ -417,17 +417,6 @@ static int ecryptfs_encrypt_extent(struct page *enc_extent_page,
417 (unsigned long long)(extent_base + extent_offset), rc); 417 (unsigned long long)(extent_base + extent_offset), rc);
418 goto out; 418 goto out;
419 } 419 }
420 if (unlikely(ecryptfs_verbosity > 0)) {
421 ecryptfs_printk(KERN_DEBUG, "Encrypting extent "
422 "with iv:\n");
423 ecryptfs_dump_hex(extent_iv, crypt_stat->iv_bytes);
424 ecryptfs_printk(KERN_DEBUG, "First 8 bytes before "
425 "encryption:\n");
426 ecryptfs_dump_hex((char *)
427 (page_address(page)
428 + (extent_offset * crypt_stat->extent_size)),
429 8);
430 }
431 rc = ecryptfs_encrypt_page_offset(crypt_stat, enc_extent_page, 0, 420 rc = ecryptfs_encrypt_page_offset(crypt_stat, enc_extent_page, 0,
432 page, (extent_offset 421 page, (extent_offset
433 * crypt_stat->extent_size), 422 * crypt_stat->extent_size),
@@ -440,14 +429,6 @@ static int ecryptfs_encrypt_extent(struct page *enc_extent_page,
440 goto out; 429 goto out;
441 } 430 }
442 rc = 0; 431 rc = 0;
443 if (unlikely(ecryptfs_verbosity > 0)) {
444 ecryptfs_printk(KERN_DEBUG, "Encrypt extent [0x%.16llx]; "
445 "rc = [%d]\n",
446 (unsigned long long)(extent_base + extent_offset), rc);
447 ecryptfs_printk(KERN_DEBUG, "First 8 bytes after "
448 "encryption:\n");
449 ecryptfs_dump_hex((char *)(page_address(enc_extent_page)), 8);
450 }
451out: 432out:
452 return rc; 433 return rc;
453} 434}
@@ -543,17 +524,6 @@ static int ecryptfs_decrypt_extent(struct page *page,
543 (unsigned long long)(extent_base + extent_offset), rc); 524 (unsigned long long)(extent_base + extent_offset), rc);
544 goto out; 525 goto out;
545 } 526 }
546 if (unlikely(ecryptfs_verbosity > 0)) {
547 ecryptfs_printk(KERN_DEBUG, "Decrypting extent "
548 "with iv:\n");
549 ecryptfs_dump_hex(extent_iv, crypt_stat->iv_bytes);
550 ecryptfs_printk(KERN_DEBUG, "First 8 bytes before "
551 "decryption:\n");
552 ecryptfs_dump_hex((char *)
553 (page_address(enc_extent_page)
554 + (extent_offset * crypt_stat->extent_size)),
555 8);
556 }
557 rc = ecryptfs_decrypt_page_offset(crypt_stat, page, 527 rc = ecryptfs_decrypt_page_offset(crypt_stat, page,
558 (extent_offset 528 (extent_offset
559 * crypt_stat->extent_size), 529 * crypt_stat->extent_size),
@@ -567,16 +537,6 @@ static int ecryptfs_decrypt_extent(struct page *page,
567 goto out; 537 goto out;
568 } 538 }
569 rc = 0; 539 rc = 0;
570 if (unlikely(ecryptfs_verbosity > 0)) {
571 ecryptfs_printk(KERN_DEBUG, "Decrypt extent [0x%.16llx]; "
572 "rc = [%d]\n",
573 (unsigned long long)(extent_base + extent_offset), rc);
574 ecryptfs_printk(KERN_DEBUG, "First 8 bytes after "
575 "decryption:\n");
576 ecryptfs_dump_hex((char *)(page_address(page)
577 + (extent_offset
578 * crypt_stat->extent_size)), 8);
579 }
580out: 540out:
581 return rc; 541 return rc;
582} 542}
@@ -967,7 +927,7 @@ static void ecryptfs_set_default_crypt_stat_vals(
967 927
968/** 928/**
969 * ecryptfs_new_file_context 929 * ecryptfs_new_file_context
970 * @ecryptfs_dentry: The eCryptfs dentry 930 * @ecryptfs_inode: The eCryptfs inode
971 * 931 *
972 * If the crypto context for the file has not yet been established, 932 * If the crypto context for the file has not yet been established,
973 * this is where we do that. Establishing a new crypto context 933 * this is where we do that. Establishing a new crypto context
@@ -984,13 +944,13 @@ static void ecryptfs_set_default_crypt_stat_vals(
984 * 944 *
985 * Returns zero on success; non-zero otherwise 945 * Returns zero on success; non-zero otherwise
986 */ 946 */
987int ecryptfs_new_file_context(struct dentry *ecryptfs_dentry) 947int ecryptfs_new_file_context(struct inode *ecryptfs_inode)
988{ 948{
989 struct ecryptfs_crypt_stat *crypt_stat = 949 struct ecryptfs_crypt_stat *crypt_stat =
990 &ecryptfs_inode_to_private(ecryptfs_dentry->d_inode)->crypt_stat; 950 &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat;
991 struct ecryptfs_mount_crypt_stat *mount_crypt_stat = 951 struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
992 &ecryptfs_superblock_to_private( 952 &ecryptfs_superblock_to_private(
993 ecryptfs_dentry->d_sb)->mount_crypt_stat; 953 ecryptfs_inode->i_sb)->mount_crypt_stat;
994 int cipher_name_len; 954 int cipher_name_len;
995 int rc = 0; 955 int rc = 0;
996 956
@@ -1299,12 +1259,12 @@ static int ecryptfs_write_headers_virt(char *page_virt, size_t max,
1299} 1259}
1300 1260
1301static int 1261static int
1302ecryptfs_write_metadata_to_contents(struct dentry *ecryptfs_dentry, 1262ecryptfs_write_metadata_to_contents(struct inode *ecryptfs_inode,
1303 char *virt, size_t virt_len) 1263 char *virt, size_t virt_len)
1304{ 1264{
1305 int rc; 1265 int rc;
1306 1266
1307 rc = ecryptfs_write_lower(ecryptfs_dentry->d_inode, virt, 1267 rc = ecryptfs_write_lower(ecryptfs_inode, virt,
1308 0, virt_len); 1268 0, virt_len);
1309 if (rc < 0) 1269 if (rc < 0)
1310 printk(KERN_ERR "%s: Error attempting to write header " 1270 printk(KERN_ERR "%s: Error attempting to write header "
@@ -1338,7 +1298,8 @@ static unsigned long ecryptfs_get_zeroed_pages(gfp_t gfp_mask,
1338 1298
1339/** 1299/**
1340 * ecryptfs_write_metadata 1300 * ecryptfs_write_metadata
1341 * @ecryptfs_dentry: The eCryptfs dentry 1301 * @ecryptfs_dentry: The eCryptfs dentry, which should be negative
1302 * @ecryptfs_inode: The newly created eCryptfs inode
1342 * 1303 *
1343 * Write the file headers out. This will likely involve a userspace 1304 * Write the file headers out. This will likely involve a userspace
1344 * callout, in which the session key is encrypted with one or more 1305 * callout, in which the session key is encrypted with one or more
@@ -1348,10 +1309,11 @@ static unsigned long ecryptfs_get_zeroed_pages(gfp_t gfp_mask,
1348 * 1309 *
1349 * Returns zero on success; non-zero on error 1310 * Returns zero on success; non-zero on error
1350 */ 1311 */
1351int ecryptfs_write_metadata(struct dentry *ecryptfs_dentry) 1312int ecryptfs_write_metadata(struct dentry *ecryptfs_dentry,
1313 struct inode *ecryptfs_inode)
1352{ 1314{
1353 struct ecryptfs_crypt_stat *crypt_stat = 1315 struct ecryptfs_crypt_stat *crypt_stat =
1354 &ecryptfs_inode_to_private(ecryptfs_dentry->d_inode)->crypt_stat; 1316 &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat;
1355 unsigned int order; 1317 unsigned int order;
1356 char *virt; 1318 char *virt;
1357 size_t virt_len; 1319 size_t virt_len;
@@ -1391,7 +1353,7 @@ int ecryptfs_write_metadata(struct dentry *ecryptfs_dentry)
1391 rc = ecryptfs_write_metadata_to_xattr(ecryptfs_dentry, virt, 1353 rc = ecryptfs_write_metadata_to_xattr(ecryptfs_dentry, virt,
1392 size); 1354 size);
1393 else 1355 else
1394 rc = ecryptfs_write_metadata_to_contents(ecryptfs_dentry, virt, 1356 rc = ecryptfs_write_metadata_to_contents(ecryptfs_inode, virt,
1395 virt_len); 1357 virt_len);
1396 if (rc) { 1358 if (rc) {
1397 printk(KERN_ERR "%s: Error writing metadata out to lower file; " 1359 printk(KERN_ERR "%s: Error writing metadata out to lower file; "
@@ -1618,7 +1580,8 @@ int ecryptfs_read_metadata(struct dentry *ecryptfs_dentry)
1618 rc = ecryptfs_read_xattr_region(page_virt, ecryptfs_inode); 1580 rc = ecryptfs_read_xattr_region(page_virt, ecryptfs_inode);
1619 if (rc) { 1581 if (rc) {
1620 printk(KERN_DEBUG "Valid eCryptfs headers not found in " 1582 printk(KERN_DEBUG "Valid eCryptfs headers not found in "
1621 "file header region or xattr region\n"); 1583 "file header region or xattr region, inode %lu\n",
1584 ecryptfs_inode->i_ino);
1622 rc = -EINVAL; 1585 rc = -EINVAL;
1623 goto out; 1586 goto out;
1624 } 1587 }
@@ -1627,7 +1590,8 @@ int ecryptfs_read_metadata(struct dentry *ecryptfs_dentry)
1627 ECRYPTFS_DONT_VALIDATE_HEADER_SIZE); 1590 ECRYPTFS_DONT_VALIDATE_HEADER_SIZE);
1628 if (rc) { 1591 if (rc) {
1629 printk(KERN_DEBUG "Valid eCryptfs headers not found in " 1592 printk(KERN_DEBUG "Valid eCryptfs headers not found in "
1630 "file xattr region either\n"); 1593 "file xattr region either, inode %lu\n",
1594 ecryptfs_inode->i_ino);
1631 rc = -EINVAL; 1595 rc = -EINVAL;
1632 } 1596 }
1633 if (crypt_stat->mount_crypt_stat->flags 1597 if (crypt_stat->mount_crypt_stat->flags
@@ -1638,7 +1602,8 @@ int ecryptfs_read_metadata(struct dentry *ecryptfs_dentry)
1638 "crypto metadata only in the extended attribute " 1602 "crypto metadata only in the extended attribute "
1639 "region, but eCryptfs was mounted without " 1603 "region, but eCryptfs was mounted without "
1640 "xattr support enabled. eCryptfs will not treat " 1604 "xattr support enabled. eCryptfs will not treat "
1641 "this like an encrypted file.\n"); 1605 "this like an encrypted file, inode %lu\n",
1606 ecryptfs_inode->i_ino);
1642 rc = -EINVAL; 1607 rc = -EINVAL;
1643 } 1608 }
1644 } 1609 }
@@ -1943,7 +1908,7 @@ static unsigned char *portable_filename_chars = ("-.0123456789ABCD"
1943 1908
1944/* We could either offset on every reverse map or just pad some 0x00's 1909/* We could either offset on every reverse map or just pad some 0x00's
1945 * at the front here */ 1910 * at the front here */
1946static const unsigned char filename_rev_map[] = { 1911static const unsigned char filename_rev_map[256] = {
1947 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 7 */ 1912 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 7 */
1948 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 15 */ 1913 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 15 */
1949 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 23 */ 1914 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 23 */
@@ -1959,7 +1924,7 @@ static const unsigned char filename_rev_map[] = {
1959 0x00, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C, /* 103 */ 1924 0x00, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C, /* 103 */
1960 0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34, /* 111 */ 1925 0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34, /* 111 */
1961 0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C, /* 119 */ 1926 0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C, /* 119 */
1962 0x3D, 0x3E, 0x3F 1927 0x3D, 0x3E, 0x3F /* 123 - 255 initialized to 0x00 */
1963}; 1928};
1964 1929
1965/** 1930/**
diff --git a/fs/ecryptfs/ecryptfs_kernel.h b/fs/ecryptfs/ecryptfs_kernel.h
index 43c7c43b06f..9ce1e92c7d9 100644
--- a/fs/ecryptfs/ecryptfs_kernel.h
+++ b/fs/ecryptfs/ecryptfs_kernel.h
@@ -29,6 +29,7 @@
29#define ECRYPTFS_KERNEL_H 29#define ECRYPTFS_KERNEL_H
30 30
31#include <keys/user-type.h> 31#include <keys/user-type.h>
32#include <keys/encrypted-type.h>
32#include <linux/fs.h> 33#include <linux/fs.h>
33#include <linux/fs_stack.h> 34#include <linux/fs_stack.h>
34#include <linux/namei.h> 35#include <linux/namei.h>
@@ -36,125 +37,18 @@
36#include <linux/hash.h> 37#include <linux/hash.h>
37#include <linux/nsproxy.h> 38#include <linux/nsproxy.h>
38#include <linux/backing-dev.h> 39#include <linux/backing-dev.h>
40#include <linux/ecryptfs.h>
39 41
40/* Version verification for shared data structures w/ userspace */
41#define ECRYPTFS_VERSION_MAJOR 0x00
42#define ECRYPTFS_VERSION_MINOR 0x04
43#define ECRYPTFS_SUPPORTED_FILE_VERSION 0x03
44/* These flags indicate which features are supported by the kernel
45 * module; userspace tools such as the mount helper read
46 * ECRYPTFS_VERSIONING_MASK from a sysfs handle in order to determine
47 * how to behave. */
48#define ECRYPTFS_VERSIONING_PASSPHRASE 0x00000001
49#define ECRYPTFS_VERSIONING_PUBKEY 0x00000002
50#define ECRYPTFS_VERSIONING_PLAINTEXT_PASSTHROUGH 0x00000004
51#define ECRYPTFS_VERSIONING_POLICY 0x00000008
52#define ECRYPTFS_VERSIONING_XATTR 0x00000010
53#define ECRYPTFS_VERSIONING_MULTKEY 0x00000020
54#define ECRYPTFS_VERSIONING_DEVMISC 0x00000040
55#define ECRYPTFS_VERSIONING_HMAC 0x00000080
56#define ECRYPTFS_VERSIONING_FILENAME_ENCRYPTION 0x00000100
57#define ECRYPTFS_VERSIONING_GCM 0x00000200
58#define ECRYPTFS_VERSIONING_MASK (ECRYPTFS_VERSIONING_PASSPHRASE \
59 | ECRYPTFS_VERSIONING_PLAINTEXT_PASSTHROUGH \
60 | ECRYPTFS_VERSIONING_PUBKEY \
61 | ECRYPTFS_VERSIONING_XATTR \
62 | ECRYPTFS_VERSIONING_MULTKEY \
63 | ECRYPTFS_VERSIONING_DEVMISC \
64 | ECRYPTFS_VERSIONING_FILENAME_ENCRYPTION)
65#define ECRYPTFS_MAX_PASSWORD_LENGTH 64
66#define ECRYPTFS_MAX_PASSPHRASE_BYTES ECRYPTFS_MAX_PASSWORD_LENGTH
67#define ECRYPTFS_SALT_SIZE 8
68#define ECRYPTFS_SALT_SIZE_HEX (ECRYPTFS_SALT_SIZE*2)
69/* The original signature size is only for what is stored on disk; all
70 * in-memory representations are expanded hex, so it better adapted to
71 * be passed around or referenced on the command line */
72#define ECRYPTFS_SIG_SIZE 8
73#define ECRYPTFS_SIG_SIZE_HEX (ECRYPTFS_SIG_SIZE*2)
74#define ECRYPTFS_PASSWORD_SIG_SIZE ECRYPTFS_SIG_SIZE_HEX
75#define ECRYPTFS_MAX_KEY_BYTES 64
76#define ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES 512
77#define ECRYPTFS_DEFAULT_IV_BYTES 16 42#define ECRYPTFS_DEFAULT_IV_BYTES 16
78#define ECRYPTFS_FILE_VERSION 0x03
79#define ECRYPTFS_DEFAULT_EXTENT_SIZE 4096 43#define ECRYPTFS_DEFAULT_EXTENT_SIZE 4096
80#define ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE 8192 44#define ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE 8192
81#define ECRYPTFS_DEFAULT_MSG_CTX_ELEMS 32 45#define ECRYPTFS_DEFAULT_MSG_CTX_ELEMS 32
82#define ECRYPTFS_DEFAULT_SEND_TIMEOUT HZ 46#define ECRYPTFS_DEFAULT_SEND_TIMEOUT HZ
83#define ECRYPTFS_MAX_MSG_CTX_TTL (HZ*3) 47#define ECRYPTFS_MAX_MSG_CTX_TTL (HZ*3)
84#define ECRYPTFS_MAX_PKI_NAME_BYTES 16
85#define ECRYPTFS_DEFAULT_NUM_USERS 4 48#define ECRYPTFS_DEFAULT_NUM_USERS 4
86#define ECRYPTFS_MAX_NUM_USERS 32768 49#define ECRYPTFS_MAX_NUM_USERS 32768
87#define ECRYPTFS_XATTR_NAME "user.ecryptfs" 50#define ECRYPTFS_XATTR_NAME "user.ecryptfs"
88 51
89#define RFC2440_CIPHER_DES3_EDE 0x02
90#define RFC2440_CIPHER_CAST_5 0x03
91#define RFC2440_CIPHER_BLOWFISH 0x04
92#define RFC2440_CIPHER_AES_128 0x07
93#define RFC2440_CIPHER_AES_192 0x08
94#define RFC2440_CIPHER_AES_256 0x09
95#define RFC2440_CIPHER_TWOFISH 0x0a
96#define RFC2440_CIPHER_CAST_6 0x0b
97
98#define RFC2440_CIPHER_RSA 0x01
99
100/**
101 * For convenience, we may need to pass around the encrypted session
102 * key between kernel and userspace because the authentication token
103 * may not be extractable. For example, the TPM may not release the
104 * private key, instead requiring the encrypted data and returning the
105 * decrypted data.
106 */
107struct ecryptfs_session_key {
108#define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_DECRYPT 0x00000001
109#define ECRYPTFS_USERSPACE_SHOULD_TRY_TO_ENCRYPT 0x00000002
110#define ECRYPTFS_CONTAINS_DECRYPTED_KEY 0x00000004
111#define ECRYPTFS_CONTAINS_ENCRYPTED_KEY 0x00000008
112 u32 flags;
113 u32 encrypted_key_size;
114 u32 decrypted_key_size;
115 u8 encrypted_key[ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES];
116 u8 decrypted_key[ECRYPTFS_MAX_KEY_BYTES];
117};
118
119struct ecryptfs_password {
120 u32 password_bytes;
121 s32 hash_algo;
122 u32 hash_iterations;
123 u32 session_key_encryption_key_bytes;
124#define ECRYPTFS_PERSISTENT_PASSWORD 0x01
125#define ECRYPTFS_SESSION_KEY_ENCRYPTION_KEY_SET 0x02
126 u32 flags;
127 /* Iterated-hash concatenation of salt and passphrase */
128 u8 session_key_encryption_key[ECRYPTFS_MAX_KEY_BYTES];
129 u8 signature[ECRYPTFS_PASSWORD_SIG_SIZE + 1];
130 /* Always in expanded hex */
131 u8 salt[ECRYPTFS_SALT_SIZE];
132};
133
134enum ecryptfs_token_types {ECRYPTFS_PASSWORD, ECRYPTFS_PRIVATE_KEY};
135
136struct ecryptfs_private_key {
137 u32 key_size;
138 u32 data_len;
139 u8 signature[ECRYPTFS_PASSWORD_SIG_SIZE + 1];
140 char pki_type[ECRYPTFS_MAX_PKI_NAME_BYTES + 1];
141 u8 data[];
142};
143
144/* May be a password or a private key */
145struct ecryptfs_auth_tok {
146 u16 version; /* 8-bit major and 8-bit minor */
147 u16 token_type;
148#define ECRYPTFS_ENCRYPT_ONLY 0x00000001
149 u32 flags;
150 struct ecryptfs_session_key session_key;
151 u8 reserved[32];
152 union {
153 struct ecryptfs_password password;
154 struct ecryptfs_private_key private_key;
155 } token;
156} __attribute__ ((packed));
157
158void ecryptfs_dump_auth_tok(struct ecryptfs_auth_tok *auth_tok); 52void ecryptfs_dump_auth_tok(struct ecryptfs_auth_tok *auth_tok);
159extern void ecryptfs_to_hex(char *dst, char *src, size_t src_size); 53extern void ecryptfs_to_hex(char *dst, char *src, size_t src_size);
160extern void ecryptfs_from_hex(char *dst, char *src, int dst_size); 54extern void ecryptfs_from_hex(char *dst, char *src, int dst_size);
@@ -185,11 +79,47 @@ struct ecryptfs_page_crypt_context {
185 } param; 79 } param;
186}; 80};
187 81
82#if defined(CONFIG_ENCRYPTED_KEYS) || defined(CONFIG_ENCRYPTED_KEYS_MODULE)
83static inline struct ecryptfs_auth_tok *
84ecryptfs_get_encrypted_key_payload_data(struct key *key)
85{
86 if (key->type == &key_type_encrypted)
87 return (struct ecryptfs_auth_tok *)
88 (&((struct encrypted_key_payload *)key->payload.data)->payload_data);
89 else
90 return NULL;
91}
92
93static inline struct key *ecryptfs_get_encrypted_key(char *sig)
94{
95 return request_key(&key_type_encrypted, sig, NULL);
96}
97
98#else
99static inline struct ecryptfs_auth_tok *
100ecryptfs_get_encrypted_key_payload_data(struct key *key)
101{
102 return NULL;
103}
104
105static inline struct key *ecryptfs_get_encrypted_key(char *sig)
106{
107 return ERR_PTR(-ENOKEY);
108}
109
110#endif /* CONFIG_ENCRYPTED_KEYS */
111
188static inline struct ecryptfs_auth_tok * 112static inline struct ecryptfs_auth_tok *
189ecryptfs_get_key_payload_data(struct key *key) 113ecryptfs_get_key_payload_data(struct key *key)
190{ 114{
191 return (struct ecryptfs_auth_tok *) 115 struct ecryptfs_auth_tok *auth_tok;
192 (((struct user_key_payload*)key->payload.data)->data); 116
117 auth_tok = ecryptfs_get_encrypted_key_payload_data(key);
118 if (!auth_tok)
119 return (struct ecryptfs_auth_tok *)
120 (((struct user_key_payload *)key->payload.data)->data);
121 else
122 return auth_tok;
193} 123}
194 124
195#define ECRYPTFS_MAX_KEYSET_SIZE 1024 125#define ECRYPTFS_MAX_KEYSET_SIZE 1024
@@ -654,9 +584,10 @@ int ecryptfs_init_crypt_ctx(struct ecryptfs_crypt_stat *crypt_stat);
654int ecryptfs_write_inode_size_to_metadata(struct inode *ecryptfs_inode); 584int ecryptfs_write_inode_size_to_metadata(struct inode *ecryptfs_inode);
655int ecryptfs_encrypt_page(struct page *page); 585int ecryptfs_encrypt_page(struct page *page);
656int ecryptfs_decrypt_page(struct page *page); 586int ecryptfs_decrypt_page(struct page *page);
657int ecryptfs_write_metadata(struct dentry *ecryptfs_dentry); 587int ecryptfs_write_metadata(struct dentry *ecryptfs_dentry,
588 struct inode *ecryptfs_inode);
658int ecryptfs_read_metadata(struct dentry *ecryptfs_dentry); 589int ecryptfs_read_metadata(struct dentry *ecryptfs_dentry);
659int ecryptfs_new_file_context(struct dentry *ecryptfs_dentry); 590int ecryptfs_new_file_context(struct inode *ecryptfs_inode);
660void ecryptfs_write_crypt_stat_flags(char *page_virt, 591void ecryptfs_write_crypt_stat_flags(char *page_virt,
661 struct ecryptfs_crypt_stat *crypt_stat, 592 struct ecryptfs_crypt_stat *crypt_stat,
662 size_t *written); 593 size_t *written);
diff --git a/fs/ecryptfs/file.c b/fs/ecryptfs/file.c
index 4ec9eb00a24..d3f95f941c4 100644
--- a/fs/ecryptfs/file.c
+++ b/fs/ecryptfs/file.c
@@ -139,6 +139,27 @@ out:
139 return rc; 139 return rc;
140} 140}
141 141
142static void ecryptfs_vma_close(struct vm_area_struct *vma)
143{
144 filemap_write_and_wait(vma->vm_file->f_mapping);
145}
146
147static const struct vm_operations_struct ecryptfs_file_vm_ops = {
148 .close = ecryptfs_vma_close,
149 .fault = filemap_fault,
150};
151
152static int ecryptfs_file_mmap(struct file *file, struct vm_area_struct *vma)
153{
154 int rc;
155
156 rc = generic_file_mmap(file, vma);
157 if (!rc)
158 vma->vm_ops = &ecryptfs_file_vm_ops;
159
160 return rc;
161}
162
142struct kmem_cache *ecryptfs_file_info_cache; 163struct kmem_cache *ecryptfs_file_info_cache;
143 164
144/** 165/**
@@ -270,14 +291,15 @@ static int ecryptfs_release(struct inode *inode, struct file *file)
270} 291}
271 292
272static int 293static int
273ecryptfs_fsync(struct file *file, int datasync) 294ecryptfs_fsync(struct file *file, loff_t start, loff_t end, int datasync)
274{ 295{
275 int rc = 0; 296 int rc = 0;
276 297
277 rc = generic_file_fsync(file, datasync); 298 rc = generic_file_fsync(file, start, end, datasync);
278 if (rc) 299 if (rc)
279 goto out; 300 goto out;
280 rc = vfs_fsync(ecryptfs_file_to_lower(file), datasync); 301 rc = vfs_fsync_range(ecryptfs_file_to_lower(file), start, end,
302 datasync);
281out: 303out:
282 return rc; 304 return rc;
283} 305}
@@ -348,7 +370,7 @@ const struct file_operations ecryptfs_main_fops = {
348#ifdef CONFIG_COMPAT 370#ifdef CONFIG_COMPAT
349 .compat_ioctl = ecryptfs_compat_ioctl, 371 .compat_ioctl = ecryptfs_compat_ioctl,
350#endif 372#endif
351 .mmap = generic_file_mmap, 373 .mmap = ecryptfs_file_mmap,
352 .open = ecryptfs_open, 374 .open = ecryptfs_open,
353 .flush = ecryptfs_flush, 375 .flush = ecryptfs_flush,
354 .release = ecryptfs_release, 376 .release = ecryptfs_release,
diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c
index 7349ade17de..19b1f9035b0 100644
--- a/fs/ecryptfs/inode.c
+++ b/fs/ecryptfs/inode.c
@@ -69,6 +69,7 @@ static int ecryptfs_inode_set(struct inode *inode, void *opaque)
69 inode->i_ino = lower_inode->i_ino; 69 inode->i_ino = lower_inode->i_ino;
70 inode->i_version++; 70 inode->i_version++;
71 inode->i_mapping->a_ops = &ecryptfs_aops; 71 inode->i_mapping->a_ops = &ecryptfs_aops;
72 inode->i_mapping->backing_dev_info = inode->i_sb->s_bdi;
72 73
73 if (S_ISLNK(inode->i_mode)) 74 if (S_ISLNK(inode->i_mode))
74 inode->i_op = &ecryptfs_symlink_iops; 75 inode->i_op = &ecryptfs_symlink_iops;
@@ -147,7 +148,6 @@ static int ecryptfs_interpose(struct dentry *lower_dentry,
147 * @lower_dir_inode: inode of the parent in the lower fs of the new file 148 * @lower_dir_inode: inode of the parent in the lower fs of the new file
148 * @dentry: New file's dentry 149 * @dentry: New file's dentry
149 * @mode: The mode of the new file 150 * @mode: The mode of the new file
150 * @nd: nameidata of ecryptfs' parent's dentry & vfsmount
151 * 151 *
152 * Creates the file in the lower file system. 152 * Creates the file in the lower file system.
153 * 153 *
@@ -155,31 +155,10 @@ static int ecryptfs_interpose(struct dentry *lower_dentry,
155 */ 155 */
156static int 156static int
157ecryptfs_create_underlying_file(struct inode *lower_dir_inode, 157ecryptfs_create_underlying_file(struct inode *lower_dir_inode,
158 struct dentry *dentry, int mode, 158 struct dentry *dentry, int mode)
159 struct nameidata *nd)
160{ 159{
161 struct dentry *lower_dentry = ecryptfs_dentry_to_lower(dentry); 160 struct dentry *lower_dentry = ecryptfs_dentry_to_lower(dentry);
162 struct vfsmount *lower_mnt = ecryptfs_dentry_to_lower_mnt(dentry); 161 return vfs_create(lower_dir_inode, lower_dentry, mode, NULL);
163 struct dentry *dentry_save;
164 struct vfsmount *vfsmount_save;
165 unsigned int flags_save;
166 int rc;
167
168 if (nd) {
169 dentry_save = nd->path.dentry;
170 vfsmount_save = nd->path.mnt;
171 flags_save = nd->flags;
172 nd->path.dentry = lower_dentry;
173 nd->path.mnt = lower_mnt;
174 nd->flags &= ~LOOKUP_OPEN;
175 }
176 rc = vfs_create(lower_dir_inode, lower_dentry, mode, nd);
177 if (nd) {
178 nd->path.dentry = dentry_save;
179 nd->path.mnt = vfsmount_save;
180 nd->flags = flags_save;
181 }
182 return rc;
183} 162}
184 163
185/** 164/**
@@ -193,44 +172,43 @@ ecryptfs_create_underlying_file(struct inode *lower_dir_inode,
193 * it. It will also update the eCryptfs directory inode to mimic the 172 * it. It will also update the eCryptfs directory inode to mimic the
194 * stat of the lower directory inode. 173 * stat of the lower directory inode.
195 * 174 *
196 * Returns zero on success; non-zero on error condition 175 * Returns the new eCryptfs inode on success; an ERR_PTR on error condition
197 */ 176 */
198static int 177static struct inode *
199ecryptfs_do_create(struct inode *directory_inode, 178ecryptfs_do_create(struct inode *directory_inode,
200 struct dentry *ecryptfs_dentry, int mode, 179 struct dentry *ecryptfs_dentry, int mode)
201 struct nameidata *nd)
202{ 180{
203 int rc; 181 int rc;
204 struct dentry *lower_dentry; 182 struct dentry *lower_dentry;
205 struct dentry *lower_dir_dentry; 183 struct dentry *lower_dir_dentry;
184 struct inode *inode;
206 185
207 lower_dentry = ecryptfs_dentry_to_lower(ecryptfs_dentry); 186 lower_dentry = ecryptfs_dentry_to_lower(ecryptfs_dentry);
208 lower_dir_dentry = lock_parent(lower_dentry); 187 lower_dir_dentry = lock_parent(lower_dentry);
209 if (IS_ERR(lower_dir_dentry)) { 188 if (IS_ERR(lower_dir_dentry)) {
210 ecryptfs_printk(KERN_ERR, "Error locking directory of " 189 ecryptfs_printk(KERN_ERR, "Error locking directory of "
211 "dentry\n"); 190 "dentry\n");
212 rc = PTR_ERR(lower_dir_dentry); 191 inode = ERR_CAST(lower_dir_dentry);
213 goto out; 192 goto out;
214 } 193 }
215 rc = ecryptfs_create_underlying_file(lower_dir_dentry->d_inode, 194 rc = ecryptfs_create_underlying_file(lower_dir_dentry->d_inode,
216 ecryptfs_dentry, mode, nd); 195 ecryptfs_dentry, mode);
217 if (rc) { 196 if (rc) {
218 printk(KERN_ERR "%s: Failure to create dentry in lower fs; " 197 printk(KERN_ERR "%s: Failure to create dentry in lower fs; "
219 "rc = [%d]\n", __func__, rc); 198 "rc = [%d]\n", __func__, rc);
199 inode = ERR_PTR(rc);
220 goto out_lock; 200 goto out_lock;
221 } 201 }
222 rc = ecryptfs_interpose(lower_dentry, ecryptfs_dentry, 202 inode = __ecryptfs_get_inode(lower_dentry->d_inode,
223 directory_inode->i_sb); 203 directory_inode->i_sb);
224 if (rc) { 204 if (IS_ERR(inode))
225 ecryptfs_printk(KERN_ERR, "Failure in ecryptfs_interpose\n");
226 goto out_lock; 205 goto out_lock;
227 }
228 fsstack_copy_attr_times(directory_inode, lower_dir_dentry->d_inode); 206 fsstack_copy_attr_times(directory_inode, lower_dir_dentry->d_inode);
229 fsstack_copy_inode_size(directory_inode, lower_dir_dentry->d_inode); 207 fsstack_copy_inode_size(directory_inode, lower_dir_dentry->d_inode);
230out_lock: 208out_lock:
231 unlock_dir(lower_dir_dentry); 209 unlock_dir(lower_dir_dentry);
232out: 210out:
233 return rc; 211 return inode;
234} 212}
235 213
236/** 214/**
@@ -241,26 +219,26 @@ out:
241 * 219 *
242 * Returns zero on success 220 * Returns zero on success
243 */ 221 */
244static int ecryptfs_initialize_file(struct dentry *ecryptfs_dentry) 222static int ecryptfs_initialize_file(struct dentry *ecryptfs_dentry,
223 struct inode *ecryptfs_inode)
245{ 224{
246 struct ecryptfs_crypt_stat *crypt_stat = 225 struct ecryptfs_crypt_stat *crypt_stat =
247 &ecryptfs_inode_to_private(ecryptfs_dentry->d_inode)->crypt_stat; 226 &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat;
248 int rc = 0; 227 int rc = 0;
249 228
250 if (S_ISDIR(ecryptfs_dentry->d_inode->i_mode)) { 229 if (S_ISDIR(ecryptfs_inode->i_mode)) {
251 ecryptfs_printk(KERN_DEBUG, "This is a directory\n"); 230 ecryptfs_printk(KERN_DEBUG, "This is a directory\n");
252 crypt_stat->flags &= ~(ECRYPTFS_ENCRYPTED); 231 crypt_stat->flags &= ~(ECRYPTFS_ENCRYPTED);
253 goto out; 232 goto out;
254 } 233 }
255 ecryptfs_printk(KERN_DEBUG, "Initializing crypto context\n"); 234 ecryptfs_printk(KERN_DEBUG, "Initializing crypto context\n");
256 rc = ecryptfs_new_file_context(ecryptfs_dentry); 235 rc = ecryptfs_new_file_context(ecryptfs_inode);
257 if (rc) { 236 if (rc) {
258 ecryptfs_printk(KERN_ERR, "Error creating new file " 237 ecryptfs_printk(KERN_ERR, "Error creating new file "
259 "context; rc = [%d]\n", rc); 238 "context; rc = [%d]\n", rc);
260 goto out; 239 goto out;
261 } 240 }
262 rc = ecryptfs_get_lower_file(ecryptfs_dentry, 241 rc = ecryptfs_get_lower_file(ecryptfs_dentry, ecryptfs_inode);
263 ecryptfs_dentry->d_inode);
264 if (rc) { 242 if (rc) {
265 printk(KERN_ERR "%s: Error attempting to initialize " 243 printk(KERN_ERR "%s: Error attempting to initialize "
266 "the lower file for the dentry with name " 244 "the lower file for the dentry with name "
@@ -268,10 +246,10 @@ static int ecryptfs_initialize_file(struct dentry *ecryptfs_dentry)
268 ecryptfs_dentry->d_name.name, rc); 246 ecryptfs_dentry->d_name.name, rc);
269 goto out; 247 goto out;
270 } 248 }
271 rc = ecryptfs_write_metadata(ecryptfs_dentry); 249 rc = ecryptfs_write_metadata(ecryptfs_dentry, ecryptfs_inode);
272 if (rc) 250 if (rc)
273 printk(KERN_ERR "Error writing headers; rc = [%d]\n", rc); 251 printk(KERN_ERR "Error writing headers; rc = [%d]\n", rc);
274 ecryptfs_put_lower_file(ecryptfs_dentry->d_inode); 252 ecryptfs_put_lower_file(ecryptfs_inode);
275out: 253out:
276 return rc; 254 return rc;
277} 255}
@@ -291,18 +269,28 @@ static int
291ecryptfs_create(struct inode *directory_inode, struct dentry *ecryptfs_dentry, 269ecryptfs_create(struct inode *directory_inode, struct dentry *ecryptfs_dentry,
292 int mode, struct nameidata *nd) 270 int mode, struct nameidata *nd)
293{ 271{
272 struct inode *ecryptfs_inode;
294 int rc; 273 int rc;
295 274
296 /* ecryptfs_do_create() calls ecryptfs_interpose() */ 275 ecryptfs_inode = ecryptfs_do_create(directory_inode, ecryptfs_dentry,
297 rc = ecryptfs_do_create(directory_inode, ecryptfs_dentry, mode, nd); 276 mode);
298 if (unlikely(rc)) { 277 if (unlikely(IS_ERR(ecryptfs_inode))) {
299 ecryptfs_printk(KERN_WARNING, "Failed to create file in" 278 ecryptfs_printk(KERN_WARNING, "Failed to create file in"
300 "lower filesystem\n"); 279 "lower filesystem\n");
280 rc = PTR_ERR(ecryptfs_inode);
301 goto out; 281 goto out;
302 } 282 }
303 /* At this point, a file exists on "disk"; we need to make sure 283 /* At this point, a file exists on "disk"; we need to make sure
304 * that this on disk file is prepared to be an ecryptfs file */ 284 * that this on disk file is prepared to be an ecryptfs file */
305 rc = ecryptfs_initialize_file(ecryptfs_dentry); 285 rc = ecryptfs_initialize_file(ecryptfs_dentry, ecryptfs_inode);
286 if (rc) {
287 drop_nlink(ecryptfs_inode);
288 unlock_new_inode(ecryptfs_inode);
289 iput(ecryptfs_inode);
290 goto out;
291 }
292 d_instantiate(ecryptfs_dentry, ecryptfs_inode);
293 unlock_new_inode(ecryptfs_inode);
306out: 294out:
307 return rc; 295 return rc;
308} 296}
@@ -853,18 +841,6 @@ static int truncate_upper(struct dentry *dentry, struct iattr *ia,
853 size_t num_zeros = (PAGE_CACHE_SIZE 841 size_t num_zeros = (PAGE_CACHE_SIZE
854 - (ia->ia_size & ~PAGE_CACHE_MASK)); 842 - (ia->ia_size & ~PAGE_CACHE_MASK));
855 843
856
857 /*
858 * XXX(truncate) this should really happen at the begginning
859 * of ->setattr. But the code is too messy to that as part
860 * of a larger patch. ecryptfs is also totally missing out
861 * on the inode_change_ok check at the beginning of
862 * ->setattr while would include this.
863 */
864 rc = inode_newsize_ok(inode, ia->ia_size);
865 if (rc)
866 goto out;
867
868 if (!(crypt_stat->flags & ECRYPTFS_ENCRYPTED)) { 844 if (!(crypt_stat->flags & ECRYPTFS_ENCRYPTED)) {
869 truncate_setsize(inode, ia->ia_size); 845 truncate_setsize(inode, ia->ia_size);
870 lower_ia->ia_size = ia->ia_size; 846 lower_ia->ia_size = ia->ia_size;
@@ -914,6 +890,28 @@ out:
914 return rc; 890 return rc;
915} 891}
916 892
893static int ecryptfs_inode_newsize_ok(struct inode *inode, loff_t offset)
894{
895 struct ecryptfs_crypt_stat *crypt_stat;
896 loff_t lower_oldsize, lower_newsize;
897
898 crypt_stat = &ecryptfs_inode_to_private(inode)->crypt_stat;
899 lower_oldsize = upper_size_to_lower_size(crypt_stat,
900 i_size_read(inode));
901 lower_newsize = upper_size_to_lower_size(crypt_stat, offset);
902 if (lower_newsize > lower_oldsize) {
903 /*
904 * The eCryptfs inode and the new *lower* size are mixed here
905 * because we may not have the lower i_mutex held and/or it may
906 * not be appropriate to call inode_newsize_ok() with inodes
907 * from other filesystems.
908 */
909 return inode_newsize_ok(inode, lower_newsize);
910 }
911
912 return 0;
913}
914
917/** 915/**
918 * ecryptfs_truncate 916 * ecryptfs_truncate
919 * @dentry: The ecryptfs layer dentry 917 * @dentry: The ecryptfs layer dentry
@@ -930,6 +928,10 @@ int ecryptfs_truncate(struct dentry *dentry, loff_t new_length)
930 struct iattr lower_ia = { .ia_valid = 0 }; 928 struct iattr lower_ia = { .ia_valid = 0 };
931 int rc; 929 int rc;
932 930
931 rc = ecryptfs_inode_newsize_ok(dentry->d_inode, new_length);
932 if (rc)
933 return rc;
934
933 rc = truncate_upper(dentry, &ia, &lower_ia); 935 rc = truncate_upper(dentry, &ia, &lower_ia);
934 if (!rc && lower_ia.ia_valid & ATTR_SIZE) { 936 if (!rc && lower_ia.ia_valid & ATTR_SIZE) {
935 struct dentry *lower_dentry = ecryptfs_dentry_to_lower(dentry); 937 struct dentry *lower_dentry = ecryptfs_dentry_to_lower(dentry);
@@ -942,10 +944,8 @@ int ecryptfs_truncate(struct dentry *dentry, loff_t new_length)
942} 944}
943 945
944static int 946static int
945ecryptfs_permission(struct inode *inode, int mask, unsigned int flags) 947ecryptfs_permission(struct inode *inode, int mask)
946{ 948{
947 if (flags & IPERM_FLAG_RCU)
948 return -ECHILD;
949 return inode_permission(ecryptfs_inode_to_lower(inode), mask); 949 return inode_permission(ecryptfs_inode_to_lower(inode), mask);
950} 950}
951 951
@@ -1011,6 +1011,16 @@ static int ecryptfs_setattr(struct dentry *dentry, struct iattr *ia)
1011 } 1011 }
1012 } 1012 }
1013 mutex_unlock(&crypt_stat->cs_mutex); 1013 mutex_unlock(&crypt_stat->cs_mutex);
1014
1015 rc = inode_change_ok(inode, ia);
1016 if (rc)
1017 goto out;
1018 if (ia->ia_valid & ATTR_SIZE) {
1019 rc = ecryptfs_inode_newsize_ok(inode, ia->ia_size);
1020 if (rc)
1021 goto out;
1022 }
1023
1014 if (S_ISREG(inode->i_mode)) { 1024 if (S_ISREG(inode->i_mode)) {
1015 rc = filemap_write_and_wait(inode->i_mapping); 1025 rc = filemap_write_and_wait(inode->i_mapping);
1016 if (rc) 1026 if (rc)
diff --git a/fs/ecryptfs/keystore.c b/fs/ecryptfs/keystore.c
index 27a7fefb83e..ac1ad48c237 100644
--- a/fs/ecryptfs/keystore.c
+++ b/fs/ecryptfs/keystore.c
@@ -1635,11 +1635,14 @@ int ecryptfs_keyring_auth_tok_for_sig(struct key **auth_tok_key,
1635 1635
1636 (*auth_tok_key) = request_key(&key_type_user, sig, NULL); 1636 (*auth_tok_key) = request_key(&key_type_user, sig, NULL);
1637 if (!(*auth_tok_key) || IS_ERR(*auth_tok_key)) { 1637 if (!(*auth_tok_key) || IS_ERR(*auth_tok_key)) {
1638 printk(KERN_ERR "Could not find key with description: [%s]\n", 1638 (*auth_tok_key) = ecryptfs_get_encrypted_key(sig);
1639 sig); 1639 if (!(*auth_tok_key) || IS_ERR(*auth_tok_key)) {
1640 rc = process_request_key_err(PTR_ERR(*auth_tok_key)); 1640 printk(KERN_ERR "Could not find key with description: [%s]\n",
1641 (*auth_tok_key) = NULL; 1641 sig);
1642 goto out; 1642 rc = process_request_key_err(PTR_ERR(*auth_tok_key));
1643 (*auth_tok_key) = NULL;
1644 goto out;
1645 }
1643 } 1646 }
1644 down_write(&(*auth_tok_key)->sem); 1647 down_write(&(*auth_tok_key)->sem);
1645 rc = ecryptfs_verify_auth_tok_from_key(*auth_tok_key, auth_tok); 1648 rc = ecryptfs_verify_auth_tok_from_key(*auth_tok_key, auth_tok);
@@ -1868,11 +1871,6 @@ int ecryptfs_parse_packet_set(struct ecryptfs_crypt_stat *crypt_stat,
1868 * just one will be sufficient to decrypt to get the FEK. */ 1871 * just one will be sufficient to decrypt to get the FEK. */
1869find_next_matching_auth_tok: 1872find_next_matching_auth_tok:
1870 found_auth_tok = 0; 1873 found_auth_tok = 0;
1871 if (auth_tok_key) {
1872 up_write(&(auth_tok_key->sem));
1873 key_put(auth_tok_key);
1874 auth_tok_key = NULL;
1875 }
1876 list_for_each_entry(auth_tok_list_item, &auth_tok_list, list) { 1874 list_for_each_entry(auth_tok_list_item, &auth_tok_list, list) {
1877 candidate_auth_tok = &auth_tok_list_item->auth_tok; 1875 candidate_auth_tok = &auth_tok_list_item->auth_tok;
1878 if (unlikely(ecryptfs_verbosity > 0)) { 1876 if (unlikely(ecryptfs_verbosity > 0)) {
@@ -1909,14 +1907,22 @@ found_matching_auth_tok:
1909 memcpy(&(candidate_auth_tok->token.private_key), 1907 memcpy(&(candidate_auth_tok->token.private_key),
1910 &(matching_auth_tok->token.private_key), 1908 &(matching_auth_tok->token.private_key),
1911 sizeof(struct ecryptfs_private_key)); 1909 sizeof(struct ecryptfs_private_key));
1910 up_write(&(auth_tok_key->sem));
1911 key_put(auth_tok_key);
1912 rc = decrypt_pki_encrypted_session_key(candidate_auth_tok, 1912 rc = decrypt_pki_encrypted_session_key(candidate_auth_tok,
1913 crypt_stat); 1913 crypt_stat);
1914 } else if (candidate_auth_tok->token_type == ECRYPTFS_PASSWORD) { 1914 } else if (candidate_auth_tok->token_type == ECRYPTFS_PASSWORD) {
1915 memcpy(&(candidate_auth_tok->token.password), 1915 memcpy(&(candidate_auth_tok->token.password),
1916 &(matching_auth_tok->token.password), 1916 &(matching_auth_tok->token.password),
1917 sizeof(struct ecryptfs_password)); 1917 sizeof(struct ecryptfs_password));
1918 up_write(&(auth_tok_key->sem));
1919 key_put(auth_tok_key);
1918 rc = decrypt_passphrase_encrypted_session_key( 1920 rc = decrypt_passphrase_encrypted_session_key(
1919 candidate_auth_tok, crypt_stat); 1921 candidate_auth_tok, crypt_stat);
1922 } else {
1923 up_write(&(auth_tok_key->sem));
1924 key_put(auth_tok_key);
1925 rc = -EINVAL;
1920 } 1926 }
1921 if (rc) { 1927 if (rc) {
1922 struct ecryptfs_auth_tok_list_item *auth_tok_list_item_tmp; 1928 struct ecryptfs_auth_tok_list_item *auth_tok_list_item_tmp;
@@ -1956,21 +1962,18 @@ found_matching_auth_tok:
1956out_wipe_list: 1962out_wipe_list:
1957 wipe_auth_tok_list(&auth_tok_list); 1963 wipe_auth_tok_list(&auth_tok_list);
1958out: 1964out:
1959 if (auth_tok_key) {
1960 up_write(&(auth_tok_key->sem));
1961 key_put(auth_tok_key);
1962 }
1963 return rc; 1965 return rc;
1964} 1966}
1965 1967
1966static int 1968static int
1967pki_encrypt_session_key(struct ecryptfs_auth_tok *auth_tok, 1969pki_encrypt_session_key(struct key *auth_tok_key,
1970 struct ecryptfs_auth_tok *auth_tok,
1968 struct ecryptfs_crypt_stat *crypt_stat, 1971 struct ecryptfs_crypt_stat *crypt_stat,
1969 struct ecryptfs_key_record *key_rec) 1972 struct ecryptfs_key_record *key_rec)
1970{ 1973{
1971 struct ecryptfs_msg_ctx *msg_ctx = NULL; 1974 struct ecryptfs_msg_ctx *msg_ctx = NULL;
1972 char *payload = NULL; 1975 char *payload = NULL;
1973 size_t payload_len; 1976 size_t payload_len = 0;
1974 struct ecryptfs_message *msg; 1977 struct ecryptfs_message *msg;
1975 int rc; 1978 int rc;
1976 1979
@@ -1979,6 +1982,8 @@ pki_encrypt_session_key(struct ecryptfs_auth_tok *auth_tok,
1979 crypt_stat->cipher, 1982 crypt_stat->cipher,
1980 crypt_stat->key_size), 1983 crypt_stat->key_size),
1981 crypt_stat, &payload, &payload_len); 1984 crypt_stat, &payload, &payload_len);
1985 up_write(&(auth_tok_key->sem));
1986 key_put(auth_tok_key);
1982 if (rc) { 1987 if (rc) {
1983 ecryptfs_printk(KERN_ERR, "Error generating tag 66 packet\n"); 1988 ecryptfs_printk(KERN_ERR, "Error generating tag 66 packet\n");
1984 goto out; 1989 goto out;
@@ -2008,6 +2013,8 @@ out:
2008 * write_tag_1_packet - Write an RFC2440-compatible tag 1 (public key) packet 2013 * write_tag_1_packet - Write an RFC2440-compatible tag 1 (public key) packet
2009 * @dest: Buffer into which to write the packet 2014 * @dest: Buffer into which to write the packet
2010 * @remaining_bytes: Maximum number of bytes that can be writtn 2015 * @remaining_bytes: Maximum number of bytes that can be writtn
2016 * @auth_tok_key: The authentication token key to unlock and put when done with
2017 * @auth_tok
2011 * @auth_tok: The authentication token used for generating the tag 1 packet 2018 * @auth_tok: The authentication token used for generating the tag 1 packet
2012 * @crypt_stat: The cryptographic context 2019 * @crypt_stat: The cryptographic context
2013 * @key_rec: The key record struct for the tag 1 packet 2020 * @key_rec: The key record struct for the tag 1 packet
@@ -2018,7 +2025,7 @@ out:
2018 */ 2025 */
2019static int 2026static int
2020write_tag_1_packet(char *dest, size_t *remaining_bytes, 2027write_tag_1_packet(char *dest, size_t *remaining_bytes,
2021 struct ecryptfs_auth_tok *auth_tok, 2028 struct key *auth_tok_key, struct ecryptfs_auth_tok *auth_tok,
2022 struct ecryptfs_crypt_stat *crypt_stat, 2029 struct ecryptfs_crypt_stat *crypt_stat,
2023 struct ecryptfs_key_record *key_rec, size_t *packet_size) 2030 struct ecryptfs_key_record *key_rec, size_t *packet_size)
2024{ 2031{
@@ -2039,12 +2046,15 @@ write_tag_1_packet(char *dest, size_t *remaining_bytes,
2039 memcpy(key_rec->enc_key, 2046 memcpy(key_rec->enc_key,
2040 auth_tok->session_key.encrypted_key, 2047 auth_tok->session_key.encrypted_key,
2041 auth_tok->session_key.encrypted_key_size); 2048 auth_tok->session_key.encrypted_key_size);
2049 up_write(&(auth_tok_key->sem));
2050 key_put(auth_tok_key);
2042 goto encrypted_session_key_set; 2051 goto encrypted_session_key_set;
2043 } 2052 }
2044 if (auth_tok->session_key.encrypted_key_size == 0) 2053 if (auth_tok->session_key.encrypted_key_size == 0)
2045 auth_tok->session_key.encrypted_key_size = 2054 auth_tok->session_key.encrypted_key_size =
2046 auth_tok->token.private_key.key_size; 2055 auth_tok->token.private_key.key_size;
2047 rc = pki_encrypt_session_key(auth_tok, crypt_stat, key_rec); 2056 rc = pki_encrypt_session_key(auth_tok_key, auth_tok, crypt_stat,
2057 key_rec);
2048 if (rc) { 2058 if (rc) {
2049 printk(KERN_ERR "Failed to encrypt session key via a key " 2059 printk(KERN_ERR "Failed to encrypt session key via a key "
2050 "module; rc = [%d]\n", rc); 2060 "module; rc = [%d]\n", rc);
@@ -2248,7 +2258,7 @@ write_tag_3_packet(char *dest, size_t *remaining_bytes,
2248 auth_tok->token.password.session_key_encryption_key, 2258 auth_tok->token.password.session_key_encryption_key,
2249 crypt_stat->key_size); 2259 crypt_stat->key_size);
2250 ecryptfs_printk(KERN_DEBUG, 2260 ecryptfs_printk(KERN_DEBUG,
2251 "Cached session key " "encryption key: \n"); 2261 "Cached session key encryption key:\n");
2252 if (ecryptfs_verbosity > 0) 2262 if (ecryptfs_verbosity > 0)
2253 ecryptfs_dump_hex(session_key_encryption_key, 16); 2263 ecryptfs_dump_hex(session_key_encryption_key, 16);
2254 } 2264 }
@@ -2421,6 +2431,8 @@ ecryptfs_generate_key_packet_set(char *dest_base,
2421 &max, auth_tok, 2431 &max, auth_tok,
2422 crypt_stat, key_rec, 2432 crypt_stat, key_rec,
2423 &written); 2433 &written);
2434 up_write(&(auth_tok_key->sem));
2435 key_put(auth_tok_key);
2424 if (rc) { 2436 if (rc) {
2425 ecryptfs_printk(KERN_WARNING, "Error " 2437 ecryptfs_printk(KERN_WARNING, "Error "
2426 "writing tag 3 packet\n"); 2438 "writing tag 3 packet\n");
@@ -2438,8 +2450,8 @@ ecryptfs_generate_key_packet_set(char *dest_base,
2438 } 2450 }
2439 (*len) += written; 2451 (*len) += written;
2440 } else if (auth_tok->token_type == ECRYPTFS_PRIVATE_KEY) { 2452 } else if (auth_tok->token_type == ECRYPTFS_PRIVATE_KEY) {
2441 rc = write_tag_1_packet(dest_base + (*len), 2453 rc = write_tag_1_packet(dest_base + (*len), &max,
2442 &max, auth_tok, 2454 auth_tok_key, auth_tok,
2443 crypt_stat, key_rec, &written); 2455 crypt_stat, key_rec, &written);
2444 if (rc) { 2456 if (rc) {
2445 ecryptfs_printk(KERN_WARNING, "Error " 2457 ecryptfs_printk(KERN_WARNING, "Error "
@@ -2448,14 +2460,13 @@ ecryptfs_generate_key_packet_set(char *dest_base,
2448 } 2460 }
2449 (*len) += written; 2461 (*len) += written;
2450 } else { 2462 } else {
2463 up_write(&(auth_tok_key->sem));
2464 key_put(auth_tok_key);
2451 ecryptfs_printk(KERN_WARNING, "Unsupported " 2465 ecryptfs_printk(KERN_WARNING, "Unsupported "
2452 "authentication token type\n"); 2466 "authentication token type\n");
2453 rc = -EINVAL; 2467 rc = -EINVAL;
2454 goto out_free; 2468 goto out_free;
2455 } 2469 }
2456 up_write(&(auth_tok_key->sem));
2457 key_put(auth_tok_key);
2458 auth_tok_key = NULL;
2459 } 2470 }
2460 if (likely(max > 0)) { 2471 if (likely(max > 0)) {
2461 dest_base[(*len)] = 0x00; 2472 dest_base[(*len)] = 0x00;
@@ -2468,11 +2479,6 @@ out_free:
2468out: 2479out:
2469 if (rc) 2480 if (rc)
2470 (*len) = 0; 2481 (*len) = 0;
2471 if (auth_tok_key) {
2472 up_write(&(auth_tok_key->sem));
2473 key_put(auth_tok_key);
2474 }
2475
2476 mutex_unlock(&crypt_stat->keysig_list_mutex); 2482 mutex_unlock(&crypt_stat->keysig_list_mutex);
2477 return rc; 2483 return rc;
2478} 2484}
diff --git a/fs/ecryptfs/main.c b/fs/ecryptfs/main.c
index 9f1bb747d77..b4a6befb121 100644
--- a/fs/ecryptfs/main.c
+++ b/fs/ecryptfs/main.c
@@ -175,6 +175,7 @@ enum { ecryptfs_opt_sig, ecryptfs_opt_ecryptfs_sig,
175 ecryptfs_opt_encrypted_view, ecryptfs_opt_fnek_sig, 175 ecryptfs_opt_encrypted_view, ecryptfs_opt_fnek_sig,
176 ecryptfs_opt_fn_cipher, ecryptfs_opt_fn_cipher_key_bytes, 176 ecryptfs_opt_fn_cipher, ecryptfs_opt_fn_cipher_key_bytes,
177 ecryptfs_opt_unlink_sigs, ecryptfs_opt_mount_auth_tok_only, 177 ecryptfs_opt_unlink_sigs, ecryptfs_opt_mount_auth_tok_only,
178 ecryptfs_opt_check_dev_ruid,
178 ecryptfs_opt_err }; 179 ecryptfs_opt_err };
179 180
180static const match_table_t tokens = { 181static const match_table_t tokens = {
@@ -191,6 +192,7 @@ static const match_table_t tokens = {
191 {ecryptfs_opt_fn_cipher_key_bytes, "ecryptfs_fn_key_bytes=%u"}, 192 {ecryptfs_opt_fn_cipher_key_bytes, "ecryptfs_fn_key_bytes=%u"},
192 {ecryptfs_opt_unlink_sigs, "ecryptfs_unlink_sigs"}, 193 {ecryptfs_opt_unlink_sigs, "ecryptfs_unlink_sigs"},
193 {ecryptfs_opt_mount_auth_tok_only, "ecryptfs_mount_auth_tok_only"}, 194 {ecryptfs_opt_mount_auth_tok_only, "ecryptfs_mount_auth_tok_only"},
195 {ecryptfs_opt_check_dev_ruid, "ecryptfs_check_dev_ruid"},
194 {ecryptfs_opt_err, NULL} 196 {ecryptfs_opt_err, NULL}
195}; 197};
196 198
@@ -236,6 +238,7 @@ static void ecryptfs_init_mount_crypt_stat(
236 * ecryptfs_parse_options 238 * ecryptfs_parse_options
237 * @sb: The ecryptfs super block 239 * @sb: The ecryptfs super block
238 * @options: The options passed to the kernel 240 * @options: The options passed to the kernel
241 * @check_ruid: set to 1 if device uid should be checked against the ruid
239 * 242 *
240 * Parse mount options: 243 * Parse mount options:
241 * debug=N - ecryptfs_verbosity level for debug output 244 * debug=N - ecryptfs_verbosity level for debug output
@@ -251,7 +254,8 @@ static void ecryptfs_init_mount_crypt_stat(
251 * 254 *
252 * Returns zero on success; non-zero on error 255 * Returns zero on success; non-zero on error
253 */ 256 */
254static int ecryptfs_parse_options(struct ecryptfs_sb_info *sbi, char *options) 257static int ecryptfs_parse_options(struct ecryptfs_sb_info *sbi, char *options,
258 uid_t *check_ruid)
255{ 259{
256 char *p; 260 char *p;
257 int rc = 0; 261 int rc = 0;
@@ -276,6 +280,8 @@ static int ecryptfs_parse_options(struct ecryptfs_sb_info *sbi, char *options)
276 char *cipher_key_bytes_src; 280 char *cipher_key_bytes_src;
277 char *fn_cipher_key_bytes_src; 281 char *fn_cipher_key_bytes_src;
278 282
283 *check_ruid = 0;
284
279 if (!options) { 285 if (!options) {
280 rc = -EINVAL; 286 rc = -EINVAL;
281 goto out; 287 goto out;
@@ -380,6 +386,9 @@ static int ecryptfs_parse_options(struct ecryptfs_sb_info *sbi, char *options)
380 mount_crypt_stat->flags |= 386 mount_crypt_stat->flags |=
381 ECRYPTFS_GLOBAL_MOUNT_AUTH_TOK_ONLY; 387 ECRYPTFS_GLOBAL_MOUNT_AUTH_TOK_ONLY;
382 break; 388 break;
389 case ecryptfs_opt_check_dev_ruid:
390 *check_ruid = 1;
391 break;
383 case ecryptfs_opt_err: 392 case ecryptfs_opt_err:
384 default: 393 default:
385 printk(KERN_WARNING 394 printk(KERN_WARNING
@@ -475,6 +484,7 @@ static struct dentry *ecryptfs_mount(struct file_system_type *fs_type, int flags
475 const char *err = "Getting sb failed"; 484 const char *err = "Getting sb failed";
476 struct inode *inode; 485 struct inode *inode;
477 struct path path; 486 struct path path;
487 uid_t check_ruid;
478 int rc; 488 int rc;
479 489
480 sbi = kmem_cache_zalloc(ecryptfs_sb_info_cache, GFP_KERNEL); 490 sbi = kmem_cache_zalloc(ecryptfs_sb_info_cache, GFP_KERNEL);
@@ -483,7 +493,7 @@ static struct dentry *ecryptfs_mount(struct file_system_type *fs_type, int flags
483 goto out; 493 goto out;
484 } 494 }
485 495
486 rc = ecryptfs_parse_options(sbi, raw_data); 496 rc = ecryptfs_parse_options(sbi, raw_data, &check_ruid);
487 if (rc) { 497 if (rc) {
488 err = "Error parsing options"; 498 err = "Error parsing options";
489 goto out; 499 goto out;
@@ -521,6 +531,15 @@ static struct dentry *ecryptfs_mount(struct file_system_type *fs_type, int flags
521 "known incompatibilities\n"); 531 "known incompatibilities\n");
522 goto out_free; 532 goto out_free;
523 } 533 }
534
535 if (check_ruid && path.dentry->d_inode->i_uid != current_uid()) {
536 rc = -EPERM;
537 printk(KERN_ERR "Mount of device (uid: %d) not owned by "
538 "requested user (uid: %d)\n",
539 path.dentry->d_inode->i_uid, current_uid());
540 goto out_free;
541 }
542
524 ecryptfs_set_superblock_lower(s, path.dentry->d_sb); 543 ecryptfs_set_superblock_lower(s, path.dentry->d_sb);
525 s->s_maxbytes = path.dentry->d_sb->s_maxbytes; 544 s->s_maxbytes = path.dentry->d_sb->s_maxbytes;
526 s->s_blocksize = path.dentry->d_sb->s_blocksize; 545 s->s_blocksize = path.dentry->d_sb->s_blocksize;
diff --git a/fs/ecryptfs/miscdev.c b/fs/ecryptfs/miscdev.c
index 940a82e63dc..0dc5a3d554a 100644
--- a/fs/ecryptfs/miscdev.c
+++ b/fs/ecryptfs/miscdev.c
@@ -409,11 +409,47 @@ ecryptfs_miscdev_write(struct file *file, const char __user *buf,
409 ssize_t sz = 0; 409 ssize_t sz = 0;
410 char *data; 410 char *data;
411 uid_t euid = current_euid(); 411 uid_t euid = current_euid();
412 unsigned char packet_size_peek[3];
412 int rc; 413 int rc;
413 414
414 if (count == 0) 415 if (count == 0) {
415 goto out; 416 goto out;
417 } else if (count == (1 + 4)) {
418 /* Likely a harmless MSG_HELO or MSG_QUIT - no packet length */
419 goto memdup;
420 } else if (count < (1 + 4 + 1)
421 || count > (1 + 4 + 2 + sizeof(struct ecryptfs_message) + 4
422 + ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES)) {
423 printk(KERN_WARNING "%s: Acceptable packet size range is "
424 "[%d-%lu], but amount of data written is [%zu].",
425 __func__, (1 + 4 + 1),
426 (1 + 4 + 2 + sizeof(struct ecryptfs_message) + 4
427 + ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES), count);
428 return -EINVAL;
429 }
430
431 if (copy_from_user(packet_size_peek, (buf + 1 + 4),
432 sizeof(packet_size_peek))) {
433 printk(KERN_WARNING "%s: Error while inspecting packet size\n",
434 __func__);
435 return -EFAULT;
436 }
437
438 rc = ecryptfs_parse_packet_length(packet_size_peek, &packet_size,
439 &packet_size_length);
440 if (rc) {
441 printk(KERN_WARNING "%s: Error parsing packet length; "
442 "rc = [%d]\n", __func__, rc);
443 return rc;
444 }
445
446 if ((1 + 4 + packet_size_length + packet_size) != count) {
447 printk(KERN_WARNING "%s: Invalid packet size [%zu]\n", __func__,
448 packet_size);
449 return -EINVAL;
450 }
416 451
452memdup:
417 data = memdup_user(buf, count); 453 data = memdup_user(buf, count);
418 if (IS_ERR(data)) { 454 if (IS_ERR(data)) {
419 printk(KERN_ERR "%s: memdup_user returned error [%ld]\n", 455 printk(KERN_ERR "%s: memdup_user returned error [%ld]\n",
@@ -435,23 +471,7 @@ ecryptfs_miscdev_write(struct file *file, const char __user *buf,
435 } 471 }
436 memcpy(&counter_nbo, &data[i], 4); 472 memcpy(&counter_nbo, &data[i], 4);
437 seq = be32_to_cpu(counter_nbo); 473 seq = be32_to_cpu(counter_nbo);
438 i += 4; 474 i += 4 + packet_size_length;
439 rc = ecryptfs_parse_packet_length(&data[i], &packet_size,
440 &packet_size_length);
441 if (rc) {
442 printk(KERN_WARNING "%s: Error parsing packet length; "
443 "rc = [%d]\n", __func__, rc);
444 goto out_free;
445 }
446 i += packet_size_length;
447 if ((1 + 4 + packet_size_length + packet_size) != count) {
448 printk(KERN_WARNING "%s: (1 + packet_size_length([%zd])"
449 " + packet_size([%zd]))([%zd]) != "
450 "count([%zd]). Invalid packet format.\n",
451 __func__, packet_size_length, packet_size,
452 (1 + packet_size_length + packet_size), count);
453 goto out_free;
454 }
455 rc = ecryptfs_miscdev_response(&data[i], packet_size, 475 rc = ecryptfs_miscdev_response(&data[i], packet_size,
456 euid, current_user_ns(), 476 euid, current_user_ns(),
457 task_pid(current), seq); 477 task_pid(current), seq);
diff --git a/fs/ecryptfs/read_write.c b/fs/ecryptfs/read_write.c
index 85d43096311..54eb14caad7 100644
--- a/fs/ecryptfs/read_write.c
+++ b/fs/ecryptfs/read_write.c
@@ -39,15 +39,16 @@
39int ecryptfs_write_lower(struct inode *ecryptfs_inode, char *data, 39int ecryptfs_write_lower(struct inode *ecryptfs_inode, char *data,
40 loff_t offset, size_t size) 40 loff_t offset, size_t size)
41{ 41{
42 struct ecryptfs_inode_info *inode_info; 42 struct file *lower_file;
43 mm_segment_t fs_save; 43 mm_segment_t fs_save;
44 ssize_t rc; 44 ssize_t rc;
45 45
46 inode_info = ecryptfs_inode_to_private(ecryptfs_inode); 46 lower_file = ecryptfs_inode_to_private(ecryptfs_inode)->lower_file;
47 BUG_ON(!inode_info->lower_file); 47 if (!lower_file)
48 return -EIO;
48 fs_save = get_fs(); 49 fs_save = get_fs();
49 set_fs(get_ds()); 50 set_fs(get_ds());
50 rc = vfs_write(inode_info->lower_file, data, size, &offset); 51 rc = vfs_write(lower_file, data, size, &offset);
51 set_fs(fs_save); 52 set_fs(fs_save);
52 mark_inode_dirty_sync(ecryptfs_inode); 53 mark_inode_dirty_sync(ecryptfs_inode);
53 return rc; 54 return rc;
@@ -131,6 +132,11 @@ int ecryptfs_write(struct inode *ecryptfs_inode, char *data, loff_t offset,
131 size_t num_bytes = (PAGE_CACHE_SIZE - start_offset_in_page); 132 size_t num_bytes = (PAGE_CACHE_SIZE - start_offset_in_page);
132 size_t total_remaining_bytes = ((offset + size) - pos); 133 size_t total_remaining_bytes = ((offset + size) - pos);
133 134
135 if (fatal_signal_pending(current)) {
136 rc = -EINTR;
137 break;
138 }
139
134 if (num_bytes > total_remaining_bytes) 140 if (num_bytes > total_remaining_bytes)
135 num_bytes = total_remaining_bytes; 141 num_bytes = total_remaining_bytes;
136 if (pos < offset) { 142 if (pos < offset) {
@@ -192,15 +198,19 @@ int ecryptfs_write(struct inode *ecryptfs_inode, char *data, loff_t offset,
192 } 198 }
193 pos += num_bytes; 199 pos += num_bytes;
194 } 200 }
195 if ((offset + size) > ecryptfs_file_size) { 201 if (pos > ecryptfs_file_size) {
196 i_size_write(ecryptfs_inode, (offset + size)); 202 i_size_write(ecryptfs_inode, pos);
197 if (crypt_stat->flags & ECRYPTFS_ENCRYPTED) { 203 if (crypt_stat->flags & ECRYPTFS_ENCRYPTED) {
198 rc = ecryptfs_write_inode_size_to_metadata( 204 int rc2;
205
206 rc2 = ecryptfs_write_inode_size_to_metadata(
199 ecryptfs_inode); 207 ecryptfs_inode);
200 if (rc) { 208 if (rc2) {
201 printk(KERN_ERR "Problem with " 209 printk(KERN_ERR "Problem with "
202 "ecryptfs_write_inode_size_to_metadata; " 210 "ecryptfs_write_inode_size_to_metadata; "
203 "rc = [%d]\n", rc); 211 "rc = [%d]\n", rc2);
212 if (!rc)
213 rc = rc2;
204 goto out; 214 goto out;
205 } 215 }
206 } 216 }
@@ -225,15 +235,16 @@ out:
225int ecryptfs_read_lower(char *data, loff_t offset, size_t size, 235int ecryptfs_read_lower(char *data, loff_t offset, size_t size,
226 struct inode *ecryptfs_inode) 236 struct inode *ecryptfs_inode)
227{ 237{
228 struct ecryptfs_inode_info *inode_info = 238 struct file *lower_file;
229 ecryptfs_inode_to_private(ecryptfs_inode);
230 mm_segment_t fs_save; 239 mm_segment_t fs_save;
231 ssize_t rc; 240 ssize_t rc;
232 241
233 BUG_ON(!inode_info->lower_file); 242 lower_file = ecryptfs_inode_to_private(ecryptfs_inode)->lower_file;
243 if (!lower_file)
244 return -EIO;
234 fs_save = get_fs(); 245 fs_save = get_fs();
235 set_fs(get_ds()); 246 set_fs(get_ds());
236 rc = vfs_read(inode_info->lower_file, data, size, &offset); 247 rc = vfs_read(lower_file, data, size, &offset);
237 set_fs(fs_save); 248 set_fs(fs_save);
238 return rc; 249 return rc;
239} 250}
generated by cgit v1.2.2 (git 2.25.0) at 2025-07-24 10:43:32 -0400