hc
2024-02-20 102a0743326a03cd1a1202ceda21e175b7d3575c
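--- a/kernel/fs/verity/enable.c
+++ b/kernel/fs/verity/enable.c
@@ -177,7 +177,7 @@
  * (level 0) and ascending to the root node (level 'num_levels - 1').
  * Then at the end (level 'num_levels'), calculate the root hash.
  */
- blocks = (inode->i_size + params->block_size - 1) >>
+ blocks = ((u64)inode->i_size + params->block_size - 1) >>
  params->log_blocksize;
  for (level = 0; level <= params->num_levels; level++) {
  err = build_merkle_tree_level(filp, level, blocks, params,
@@ -356,7 +356,7 @@
  if (arg.block_size != PAGE_SIZE)
  return -EINVAL;
 
- if (arg.salt_size > FIELD_SIZEOF(struct fsverity_descriptor, salt))
+ if (arg.salt_size > sizeof_field(struct fsverity_descriptor, salt))
  return -EMSGSIZE;
 
  if (arg.sig_size > FS_VERITY_MAX_SIGNATURE_SIZE)
@@ -391,25 +391,27 @@
  goto out_drop_write;
 
  err = enable_verity(filp, &arg);
- if (err)
- goto out_allow_write_access;
 
  /*
- * Some pages of the file may have been evicted from pagecache after
- * being used in the Merkle tree construction, then read into pagecache
- * again by another process reading from the file concurrently. Since
- * these pages didn't undergo verification against the file digest which
- * fs-verity now claims to be enforcing, we have to wipe the pagecache
- * to ensure that all future reads are verified.
+ * We no longer drop the inode's pagecache after enabling verity. This
+ * used to be done to try to avoid a race condition where pages could be
+ * evicted after being used in the Merkle tree construction, then
+ * re-instantiated by a concurrent read. Such pages are unverified, and
+ * the backing storage could have filled them with different content, so
+ * they shouldn't be used to fulfill reads once verity is enabled.
+ *
+ * But, dropping the pagecache has a big performance impact, and it
+ * doesn't fully solve the race condition anyway. So for those reasons,
+ * and also because this race condition isn't very important relatively
+ * speaking (especially for small-ish files, where the chance of a page
+ * being used, evicted, *and* re-instantiated all while enabling verity
+ * is quite small), we no longer drop the inode's pagecache.
  */
- filemap_write_and_wait(inode->i_mapping);
- invalidate_inode_pages2(inode->i_mapping);
 
  /*
  * allow_write_access() is needed to pair with deny_write_access().
  * Regardless, the filesystem won't allow writing to verity files.
  */
-out_allow_write_access:
  allow_write_access(filp);
  out_drop_write:
  mnt_drop_write_file(filp);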
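Review bot: Removing `filemap_write_and_wait(inode->i_mapping)` in the third hunk drops a writeback flush as well as the pagecache invalidation, yet the new comment only explains why the invalidation was abandoned. Whether dirty pages are written back before the Merkle tree is built is decided inside enable_verity(), whose body is outside this hunk; that should be confirmed, and the comment should then say where writeback is handled, e.g. `* No writeback is done here either; dirty pages are dealt with before the tree is built.`, so the next reader does not assume the flush was dropped by accident. The removed `if (err) goto out_allow_write_access;` is fine as written, since both paths now reach allow_write_access(), but a one-line comment `/* allow_write_access() runs on success and failure alike */` above the call would make that intentional. The `(u64)` cast in the first hunk is left unexplained; i_size is loff_t, so presumably the aim is unsigned 64-bit arithmetic ahead of the shift, and that is worth a short comment. The enclosing ioctl handler continues past the end of the hunk.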