From: Eric Biggers <ebiggers@kernel.org>
To: Christoph Hellwig <hch@lst.de>
Cc: linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org
Subject: Re: RFC: what to do about fscrypt vs block device interaction
Date: Fri, 22 Jul 2022 01:28:57 -0700 [thread overview]
Message-ID: <YtpfyZ8Dr9duVr45@sol.localdomain> (raw)
In-Reply-To: <20220721125929.1866403-1-hch@lst.de>
On Thu, Jul 21, 2022 at 02:59:29PM +0200, Christoph Hellwig wrote:
> Hi Eric,
>
> fscrypt is the last major user of request_queues in file system code.
> A lot of this would be easy to fix, and I have some pending patches,
> but the major roadblocker is that the fscrypt_blk_crypto_key tries
> to hold it's own refefrences to the request_queue. The reason for
> that is documented in the code, as in that the master key can outlive
> the super_block. But can you explain why we need to do that? I
> think evicting the key on unmount would be very much the expected
> behavior. With that we could rework how fscrypt interacts with the
> file systems for inline encryption and avoid the nasty returning
> of the devics in the get_devices method. See my draft patch below,
> for which I'm stuck at how to find a super_block for the evict side,
> which seems to require larger logic changes.
Yes, evicting the blk-crypto keys at unmount is the expected behavior. And it
basically is the actual behavior as well, but as currently implemented there can
be a slight delay. There are two reasons for the delay, both probably solvable.
The first is that ->s_master_keys isn't released until __put_super(). It
probably should be moved earlier, maybe to generic_shutdown_super().
The second reason is that the keyrings subsystem is being used to keep track of
the superblock's master keys (for several reasons, such as integrating with the
key quotas), and a side effect of that we get the delay of the keyring's
subsystem garbage collector before the destroy callbacks of the keys actually
run. That delays the eviction of the blk-crypto keys.
To avoid that, I think we could go through and evict all the blk_crypto_keys
(i.e. call fscrypt_destroy_prepared_key() on the fscrypt_prepared_keys embedded
in each fscrypt_master_key) during the unmount itself, separating it from the
destruction of the key objects from the keyring subsystem's perspective.
That could happen in the moved call to fscrypt_sb_free().
I don't remember any specific reason why this wasn't done originally.
blk-crypto support was added later on, so when it was added I think we just
defaulted to keeping the same lifecycle for everything as before.
- Eric
next prev parent reply other threads:[~2022-07-22 8:29 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-21 12:59 RFC: what to do about fscrypt vs block device interaction Christoph Hellwig
2022-07-22 8:28 ` Eric Biggers [this message]
2022-07-22 16:03 ` Christoph Hellwig
2022-07-22 18:24 ` Eric Biggers
2022-08-17 0:28 ` Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YtpfyZ8Dr9duVr45@sol.localdomain \
--to=ebiggers@kernel.org \
--cc=hch@lst.de \
--cc=linux-block@vger.kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox