Merge tag 'dm-3.5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/agk/linux-dm

Pull device-mapper fixes from Alasdair G Kergon:
 "Four minor thin provisioning fixes and correct and update dm-verity
  documentation."

* tag 'dm-3.5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/agk/linux-dm:
  dm: verity fix documentation
  dm persistent data: fix allocation failure in space map checker init
  dm persistent data: handle space map checker creation failure
  dm persistent data: fix shadow_info_leak on dm_tm_destroy
  dm thin: commit metadata before creating metadata snapshot

5 files changed, 103 insertions, 111 deletions

diff --git a/Documentation/device-mapper/verity.txt b/Documentation/device-mapper/verity.txt
index 32e48797a14f..9884681535ee 100644
--- a/Documentation/device-mapper/verity.txt
+++ b/Documentation/device-mapper/verity.txt
@@ -7,39 +7,39 @@ This target is read-only.
 
 Construction Parameters
 =======================
-    <version> <dev> <hash_dev> <hash_start>
+    <version> <dev> <hash_dev>
     <data_block_size> <hash_block_size>
     <num_data_blocks> <hash_start_block>
     <algorithm> <digest> <salt>
 
 <version>
-    This is the version number of the on-disk format.
+    This is the type of the on-disk hash format.
 
     0 is the original format used in the Chromium OS.
-        The salt is appended when hashing, digests are stored continuously and
-        the rest of the block is padded with zeros.
+      The salt is appended when hashing, digests are stored continuously and
+      the rest of the block is padded with zeros.
 
     1 is the current format that should be used for new devices.
-        The salt is prepended when hashing and each digest is
-        padded with zeros to the power of two.
+      The salt is prepended when hashing and each digest is
+      padded with zeros to the power of two.
 
 <dev>
-    This is the device containing the data the integrity of which needs to be
+    This is the device containing data, the integrity of which needs to be
     checked.  It may be specified as a path, like /dev/sdaX, or a device number,
     <major>:<minor>.
 
 <hash_dev>
-    This is the device that that supplies the hash tree data.  It may be
+    This is the device that supplies the hash tree data.  It may be
     specified similarly to the device path and may be the same device.  If the
-    same device is used, the hash_start should be outside of the dm-verity
-    configured device size.
+    same device is used, the hash_start should be outside the configured
+    dm-verity device.
 
 <data_block_size>
-    The block size on a data device.  Each block corresponds to one digest on
-    the hash device.
+    The block size on a data device in bytes.
+    Each block corresponds to one digest on the hash device.
 
 <hash_block_size>
-    The size of a hash block.
+    The size of a hash block in bytes.
 
 <num_data_blocks>
     The number of data blocks on the data device.  Additional blocks are
@@ -65,7 +65,7 @@ Construction Parameters
 Theory of operation
 ===================
 
-dm-verity is meant to be setup as part of a verified boot path.  This
+dm-verity is meant to be set up as part of a verified boot path.  This
 may be anything ranging from a boot using tboot or trustedgrub to just
 booting from a known-good device (like a USB drive or CD).
 
@@ -73,20 +73,20 @@ When a dm-verity device is configured, it is expected that the caller
 has been authenticated in some way (cryptographic signatures, etc).
 After instantiation, all hashes will be verified on-demand during
 disk access.  If they cannot be verified up to the root node of the
-tree, the root hash, then the I/O will fail.  This should identify
+tree, the root hash, then the I/O will fail.  This should detect
 tampering with any data on the device and the hash data.
 
 Cryptographic hashes are used to assert the integrity of the device on a
-per-block basis.  This allows for a lightweight hash computation on first read
-into the page cache.  Block hashes are stored linearly-aligned to the nearest
-block the size of a page.
+per-block basis. This allows for a lightweight hash computation on first read
+into the page cache. Block hashes are stored linearly, aligned to the nearest
+block size.
 
 Hash Tree
 ---------
 
 Each node in the tree is a cryptographic hash.  If it is a leaf node, the hash
-is of some block data on disk.  If it is an intermediary node, then the hash is
-of a number of child nodes.
+of some data block on disk is calculated. If it is an intermediary node,
+the hash of a number of child nodes is calculated.
 
 Each entry in the tree is a collection of neighboring nodes that fit in one
 block.  The number is determined based on block_size and the size of the
@@ -110,63 +110,23 @@ alg = sha256, num_blocks = 32768, block_size = 4096
 On-disk format
 ==============
 
-Below is the recommended on-disk format. The verity kernel code does not
-read the on-disk header. It only reads the hash blocks which directly
-follow the header. It is expected that a user-space tool will verify the
-integrity of the verity_header and then call dmsetup with the correct
-parameters. Alternatively, the header can be omitted and the dmsetup
-parameters can be passed via the kernel command-line in a rooted chain
-of trust where the command-line is verified.
+The verity kernel code does not read the verity metadata on-disk header.
+It only reads the hash blocks which directly follow the header.
+It is expected that a user-space tool will verify the integrity of the
+verity header.
 
-The on-disk format is especially useful in cases where the hash blocks
-are on a separate partition. The magic number allows easy identification
-of the partition contents. Alternatively, the hash blocks can be stored
-in the same partition as the data to be verified. In such a configuration
-the filesystem on the partition would be sized a little smaller than
-the full-partition, leaving room for the hash blocks.
-
-struct superblock {
-        uint8_t signature[8]
-                "verity\0\0";
-
-        uint8_t version;
-                1 - current format
-
-        uint8_t data_block_bits;
-                log2(data block size)
-
-        uint8_t hash_block_bits;
-                log2(hash block size)
-
-        uint8_t pad1[1];
-                zero padding
-
-        uint16_t salt_size;
-                big-endian salt size
-
-        uint8_t pad2[2];
-                zero padding
-
-        uint32_t data_blocks_hi;
-                big-endian high 32 bits of the 64-bit number of data blocks
-
-        uint32_t data_blocks_lo;
-                big-endian low 32 bits of the 64-bit number of data blocks
-
-        uint8_t algorithm[16];
-                cryptographic algorithm
-
-        uint8_t salt[384];
-                salt (the salt size is specified above)
-
-        uint8_t pad3[88];
-                zero padding to 512-byte boundary
-}
+Alternatively, the header can be omitted and the dmsetup parameters can
+be passed via the kernel command-line in a rooted chain of trust where
+the command-line is verified.
 
 Directly following the header (and with sector number padded to the next hash
 block boundary) are the hash blocks which are stored a depth at a time
 (starting from the root), sorted in order of increasing index.
 
+The full specification of kernel parameters and on-disk metadata format
+is available at the cryptsetup project's wiki page
+  http://code.google.com/p/cryptsetup/wiki/DMVerity
+
 Status
 ======
 V (for Valid) is returned if every check performed so far was valid.
@@ -174,21 +134,22 @@ If any check failed, C (for Corruption) is returned.
 
 Example
 =======
-
-Setup a device:
-  dmsetup create vroot --table \
-    "0 2097152 "\
-    "verity 1 /dev/sda1 /dev/sda2 4096 4096 2097152 1 "\
+Set up a device:
+  # dmsetup create vroot --readonly --table \
+    "0 2097152 verity 1 /dev/sda1 /dev/sda2 4096 4096 262144 1 sha256 "\
     "4392712ba01368efdf14b05c76f9e4df0d53664630b5d48632ed17a137f39076 "\
     "1234000000000000000000000000000000000000000000000000000000000000"
 
 A command line tool veritysetup is available to compute or verify
-the hash tree or activate the kernel driver.  This is available from
-the LVM2 upstream repository and may be supplied as a package called
-device-mapper-verity-tools:
-    git://sources.redhat.com/git/lvm2
-    http://sourceware.org/git/?p=lvm2.git
-    http://sourceware.org/cgi-bin/cvsweb.cgi/LVM2/verity?cvsroot=lvm2
-
-veritysetup -a vroot /dev/sda1 /dev/sda2 \
-        4392712ba01368efdf14b05c76f9e4df0d53664630b5d48632ed17a137f39076
+the hash tree or activate the kernel device. This is available from
+the cryptsetup upstream repository http://code.google.com/p/cryptsetup/
+(as a libcryptsetup extension).
+
+Create hash on the device:
+  # veritysetup format /dev/sda1 /dev/sda2
+  ...
+  Root hash: 4392712ba01368efdf14b05c76f9e4df0d53664630b5d48632ed17a137f39076
+
+Activate the device:
+  # veritysetup create vroot /dev/sda1 /dev/sda2 \
+    4392712ba01368efdf14b05c76f9e4df0d53664630b5d48632ed17a137f39076
diff --git a/drivers/md/dm-thin.c b/drivers/md/dm-thin.c
index 37fdaf81bd1f..ce59824fb414 100644
--- a/drivers/md/dm-thin.c
+++ b/drivers/md/dm-thin.c
@@ -2292,6 +2292,13 @@ static int process_reserve_metadata_snap_mesg(unsigned argc, char **argv, struct
         if (r)
                 return r;
 
+        r = dm_pool_commit_metadata(pool->pmd);
+        if (r) {
+                DMERR("%s: dm_pool_commit_metadata() failed, error = %d",
+                      __func__, r);
+                return r;
+        }
+
         r = dm_pool_reserve_metadata_snap(pool->pmd);
         if (r)
                 DMWARN("reserve_metadata_snap message failed.");
diff --git a/drivers/md/persistent-data/dm-space-map-checker.c b/drivers/md/persistent-data/dm-space-map-checker.c
index 50ed53bf4aa2..fc90c11620ad 100644
--- a/drivers/md/persistent-data/dm-space-map-checker.c
+++ b/drivers/md/persistent-data/dm-space-map-checker.c
@@ -8,6 +8,7 @@
 
 #include <linux/device-mapper.h>
 #include <linux/export.h>
+#include <linux/vmalloc.h>
 
 #ifdef CONFIG_DM_DEBUG_SPACE_MAPS
 
@@ -89,13 +90,23 @@ static int ca_create(struct count_array *ca, struct dm_space_map *sm)
 
         ca->nr = nr_blocks;
         ca->nr_free = nr_blocks;
-        ca->counts = kzalloc(sizeof(*ca->counts) * nr_blocks, GFP_KERNEL);
-        if (!ca->counts)
-                return -ENOMEM;
+
+        if (!nr_blocks)
+                ca->counts = NULL;
+        else {
+                ca->counts = vzalloc(sizeof(*ca->counts) * nr_blocks);
+                if (!ca->counts)
+                        return -ENOMEM;
+        }
 
         return 0;
 }
 
+static void ca_destroy(struct count_array *ca)
+{
+        vfree(ca->counts);
+}
+
 static int ca_load(struct count_array *ca, struct dm_space_map *sm)
 {
         int r;
@@ -126,12 +137,14 @@ static int ca_load(struct count_array *ca, struct dm_space_map *sm)
 static int ca_extend(struct count_array *ca, dm_block_t extra_blocks)
 {
         dm_block_t nr_blocks = ca->nr + extra_blocks;
-        uint32_t *counts = kzalloc(sizeof(*counts) * nr_blocks, GFP_KERNEL);
+        uint32_t *counts = vzalloc(sizeof(*counts) * nr_blocks);
         if (!counts)
                 return -ENOMEM;
 
-        memcpy(counts, ca->counts, sizeof(*counts) * ca->nr);
-        kfree(ca->counts);
+        if (ca->counts) {
+                memcpy(counts, ca->counts, sizeof(*counts) * ca->nr);
+                ca_destroy(ca);
+        }
         ca->nr = nr_blocks;
         ca->nr_free += extra_blocks;
         ca->counts = counts;
@@ -151,11 +164,6 @@ static int ca_commit(struct count_array *old, struct count_array *new)
         return 0;
 }
 
-static void ca_destroy(struct count_array *ca)
-{
-        kfree(ca->counts);
-}
-
 /*----------------------------------------------------------------*/
 
 struct sm_checker {
@@ -343,25 +351,25 @@ struct dm_space_map *dm_sm_checker_create(struct dm_space_map *sm)
         int r;
         struct sm_checker *smc;
 
-        if (!sm)
-                return NULL;
+        if (IS_ERR_OR_NULL(sm))
+                return ERR_PTR(-EINVAL);
 
         smc = kmalloc(sizeof(*smc), GFP_KERNEL);
         if (!smc)
-                return NULL;
+                return ERR_PTR(-ENOMEM);
 
         memcpy(&smc->sm, &ops_, sizeof(smc->sm));
         r = ca_create(&smc->old_counts, sm);
         if (r) {
                 kfree(smc);
-                return NULL;
+                return ERR_PTR(r);
         }
 
         r = ca_create(&smc->counts, sm);
         if (r) {
                 ca_destroy(&smc->old_counts);
                 kfree(smc);
-                return NULL;
+                return ERR_PTR(r);
         }
 
         smc->real_sm = sm;
@@ -371,7 +379,7 @@ struct dm_space_map *dm_sm_checker_create(struct dm_space_map *sm)
                 ca_destroy(&smc->counts);
                 ca_destroy(&smc->old_counts);
                 kfree(smc);
-                return NULL;
+                return ERR_PTR(r);
         }
 
         r = ca_commit(&smc->old_counts, &smc->counts);
@@ -379,7 +387,7 @@ struct dm_space_map *dm_sm_checker_create(struct dm_space_map *sm)
                 ca_destroy(&smc->counts);
                 ca_destroy(&smc->old_counts);
                 kfree(smc);
-                return NULL;
+                return ERR_PTR(r);
         }
 
         return &smc->sm;
@@ -391,25 +399,25 @@ struct dm_space_map *dm_sm_checker_create_fresh(struct dm_space_map *sm)
         int r;
         struct sm_checker *smc;
 
-        if (!sm)
-                return NULL;
+        if (IS_ERR_OR_NULL(sm))
+                return ERR_PTR(-EINVAL);
 
         smc = kmalloc(sizeof(*smc), GFP_KERNEL);
         if (!smc)
-                return NULL;
+                return ERR_PTR(-ENOMEM);
 
         memcpy(&smc->sm, &ops_, sizeof(smc->sm));
         r = ca_create(&smc->old_counts, sm);
         if (r) {
                 kfree(smc);
-                return NULL;
+                return ERR_PTR(r);
         }
 
         r = ca_create(&smc->counts, sm);
         if (r) {
                 ca_destroy(&smc->old_counts);
                 kfree(smc);
-                return NULL;
+                return ERR_PTR(r);
         }
 
         smc->real_sm = sm;
diff --git a/drivers/md/persistent-data/dm-space-map-disk.c b/drivers/md/persistent-data/dm-space-map-disk.c
index fc469ba9f627..3d0ed5332883 100644
--- a/drivers/md/persistent-data/dm-space-map-disk.c
+++ b/drivers/md/persistent-data/dm-space-map-disk.c
@@ -290,7 +290,16 @@ struct dm_space_map *dm_sm_disk_create(struct dm_transaction_manager *tm,
                                        dm_block_t nr_blocks)
 {
         struct dm_space_map *sm = dm_sm_disk_create_real(tm, nr_blocks);
-        return dm_sm_checker_create_fresh(sm);
+        struct dm_space_map *smc;
+
+        if (IS_ERR_OR_NULL(sm))
+                return sm;
+
+        smc = dm_sm_checker_create_fresh(sm);
+        if (IS_ERR(smc))
+                dm_sm_destroy(sm);
+
+        return smc;
 }
 EXPORT_SYMBOL_GPL(dm_sm_disk_create);
 
diff --git a/drivers/md/persistent-data/dm-transaction-manager.c b/drivers/md/persistent-data/dm-transaction-manager.c
index 400fe144c0cd..e5604b32d91f 100644
--- a/drivers/md/persistent-data/dm-transaction-manager.c
+++ b/drivers/md/persistent-data/dm-transaction-manager.c
@@ -138,6 +138,9 @@ EXPORT_SYMBOL_GPL(dm_tm_create_non_blocking_clone);
 
 void dm_tm_destroy(struct dm_transaction_manager *tm)
 {
+        if (!tm->is_clone)
+                wipe_shadow_table(tm);
+
         kfree(tm);
 }
 EXPORT_SYMBOL_GPL(dm_tm_destroy);
@@ -344,8 +347,10 @@ static int dm_tm_create_internal(struct dm_block_manager *bm,
                 }
 
                 *sm = dm_sm_checker_create(inner);
-                if (!*sm)
+                if (IS_ERR(*sm)) {
+                        r = PTR_ERR(*sm);
                         goto bad2;
+                }
 
         } else {
                 r = dm_bm_write_lock(dm_tm_get_bm(*tm), sb_location,
@@ -364,8 +369,10 @@ static int dm_tm_create_internal(struct dm_block_manager *bm,
                 }
 
                 *sm = dm_sm_checker_create(inner);
-                if (!*sm)
+                if (IS_ERR(*sm)) {
+                        r = PTR_ERR(*sm);
                         goto bad2;
+                }
         }
 
         return 0;