From: Xiubo Li <xiubli@redhat.com>
To: Jeff Layton <jlayton@kernel.org>,
ceph-devel@vger.kernel.org, linux-fscrypt@vger.kernel.org
Cc: linux-fsdevel@vger.kernel.org, idryomov@gmail.com
Subject: Re: [RFC PATCH v10 11/48] ceph: decode alternate_name in lease info
Date: Tue, 1 Mar 2022 22:30:43 +0800 [thread overview]
Message-ID: <d4ba779e-fc38-647f-da9c-e1fdcc818914@redhat.com> (raw)
In-Reply-To: <0d067adf7893b7378d13cde3902eb7608c11282c.camel@kernel.org>
On 3/1/22 10:14 PM, Jeff Layton wrote:
> On Tue, 2022-03-01 at 22:07 +0800, Xiubo Li wrote:
>> On 3/1/22 9:57 PM, Jeff Layton wrote:
>>> On Tue, 2022-03-01 at 21:51 +0800, Xiubo Li wrote:
>>>> On 3/1/22 9:10 PM, Jeff Layton wrote:
>>>>> On Tue, 2022-03-01 at 18:57 +0800, Xiubo Li wrote:
>>>>>> On 1/12/22 3:15 AM, Jeff Layton wrote:
>>>>>>> Ceph is a bit different from local filesystems, in that we don't want
>>>>>>> to store filenames as raw binary data, since we may also be dealing
>>>>>>> with clients that don't support fscrypt.
>>>>>>>
>>>>>>> We could just base64-encode the encrypted filenames, but that could
>>>>>>> leave us with filenames longer than NAME_MAX. It turns out that the
>>>>>>> MDS doesn't care much about filename length, but the clients do.
>>>>>>>
>>>>>>> To manage this, we've added a new "alternate name" field that can be
>>>>>>> optionally added to any dentry that we'll use to store the binary
>>>>>>> crypttext of the filename if its base64-encoded value will be longer
>>>>>>> than NAME_MAX. When a dentry has one of these names attached, the MDS
>>>>>>> will send it along in the lease info, which we can then store for
>>>>>>> later usage.
>>>>>>>
>>>>>>> Signed-off-by: Jeff Layton <jlayton@kernel.org>
>>>>>>> ---
>>>>>>> fs/ceph/mds_client.c | 40 ++++++++++++++++++++++++++++++----------
>>>>>>> fs/ceph/mds_client.h | 11 +++++++----
>>>>>>> 2 files changed, 37 insertions(+), 14 deletions(-)
>>>>>>>
>>>>>>> diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
>>>>>>> index 34a4f6dbac9d..709f3f654555 100644
>>>>>>> --- a/fs/ceph/mds_client.c
>>>>>>> +++ b/fs/ceph/mds_client.c
>>>>>>> @@ -306,27 +306,44 @@ static int parse_reply_info_dir(void **p, void *end,
>>>>>>>
>>>>>>> static int parse_reply_info_lease(void **p, void *end,
>>>>>>> struct ceph_mds_reply_lease **lease,
>>>>>>> - u64 features)
>>>>>>> + u64 features, u32 *altname_len, u8 **altname)
>>>>>>> {
>>>>>>> + u8 struct_v;
>>>>>>> + u32 struct_len;
>>>>>>> +
>>>>>>> if (features == (u64)-1) {
>>>>>>> - u8 struct_v, struct_compat;
>>>>>>> - u32 struct_len;
>>>>>>> + u8 struct_compat;
>>>>>>> +
>>>>>>> ceph_decode_8_safe(p, end, struct_v, bad);
>>>>>>> ceph_decode_8_safe(p, end, struct_compat, bad);
>>>>>>> +
>>>>>>> /* struct_v is expected to be >= 1. we only understand
>>>>>>> * encoding whose struct_compat == 1. */
>>>>>>> if (!struct_v || struct_compat != 1)
>>>>>>> goto bad;
>>>>>>> +
>>>>>>> ceph_decode_32_safe(p, end, struct_len, bad);
>>>>>>> - ceph_decode_need(p, end, struct_len, bad);
>>>>>>> - end = *p + struct_len;
>>>>>> Hi Jeff,
>>>>>>
>>>>>> This is buggy, more detail please see https://tracker.ceph.com/issues/54430.
>>>>>>
>>>>>> The following patch will fix it. We should skip the extra memories anyway.
>>>>>>
>>>>>>
>>>>>> diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
>>>>>> index 94b4c6508044..3dea96df4769 100644
>>>>>> --- a/fs/ceph/mds_client.c
>>>>>> +++ b/fs/ceph/mds_client.c
>>>>>> @@ -326,6 +326,7 @@ static int parse_reply_info_lease(void **p, void *end,
>>>>>> goto bad;
>>>>>>
>>>>>> ceph_decode_32_safe(p, end, struct_len, bad);
>>>>>> + end = *p + struct_len;
>>>>> There may be a bug here,
>>>> Yeah, this will be crash when I use the PR
>>>> https://github.com/ceph/ceph/pull/45208.
>>>>
>>>>
>>>>> but this doesn't look like the right fix. "end"
>>>>> denotes the end of the buffer we're decoding. We don't generally want to
>>>>> go changing it like this. Consider what would happen if the original
>>>>> "end" was shorter than *p + struct_len.
>>>> I missed you have also set the struct_len in the else branch.
>>>>>> } else {
>>>>>> struct_len = sizeof(**lease);
>>>>>> *altname_len = 0;
>>>>>> @@ -346,6 +347,7 @@ static int parse_reply_info_lease(void **p, void *end,
>>>>>> *altname = NULL;
>>>>>> *altname_len = 0;
>>>>>> }
>>>>>> + *p = end;
>>>>> I think we just have to do the math here. Maybe this should be something
>>>>> like this?
>>>>>
>>>>> *p += struct_len - sizeof(**lease) - *altname_len;
>>>> This is correct, but in future if we are adding tens of new fields we
>>>> must minus them all here.
>>>>
>>>> How about this one:
>>>>
>>>>
>>>> diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
>>>> index 94b4c6508044..608d077f2eeb 100644
>>>> --- a/fs/ceph/mds_client.c
>>>> +++ b/fs/ceph/mds_client.c
>>>> @@ -313,6 +313,7 @@ static int parse_reply_info_lease(void **p, void *end,
>>>> {
>>>> u8 struct_v;
>>>> u32 struct_len;
>>>> + void *lend;
>>>>
>>>> if (features == (u64)-1) {
>>>> u8 struct_compat;
>>>> @@ -332,6 +333,7 @@ static int parse_reply_info_lease(void **p, void *end,
>>>> *altname = NULL;
>>>> }
>>>>
>>>> + lend = *p + struct_len;
>>> Looks reasonable. Maybe also add a check like this?
>>>
>>> if (lend > end)
>>> return -EIO;
>> I don't think this is needed because the:
>>
>> ceph_decode_need(p, end, struct_len, bad);
>>
>> before it will help check it ?
>>
>>
> Oh, right....good point. That patch looks fine then.
Cool, I will send out one separate patch to fix it in wip-fscrypt branch.
- Xiubo
>
>>>
>>>> ceph_decode_need(p, end, struct_len, bad);
>>>> *lease = *p;
>>>> *p += sizeof(**lease);
>>>> @@ -347,6 +349,7 @@ static int parse_reply_info_lease(void **p, void *end,
>>>> *altname_len = 0;
>>>> }
>>>> }
>>>> + *p = lend;
>>>> return 0;
>>>> bad:
>>>> return -EIO;
>>>>
>>>>
>>>>>> }
>>>>>> return 0;
>>>>>> bad:
>>>>>>
>>>>>>
>>>>>>
>>>>>>> + } else {
>>>>>>> + struct_len = sizeof(**lease);
>>>>>>> + *altname_len = 0;
>>>>>>> + *altname = NULL;
>>>>>>> }
>>>>>>>
>>>>>>> - ceph_decode_need(p, end, sizeof(**lease), bad);
>>>>>>> + ceph_decode_need(p, end, struct_len, bad);
>>>>>>> *lease = *p;
>>>>>>> *p += sizeof(**lease);
>>>>>>> - if (features == (u64)-1)
>>>>>>> - *p = end;
>>>>>>> +
>>>>>>> + if (features == (u64)-1) {
>>>>>>> + if (struct_v >= 2) {
>>>>>>> + ceph_decode_32_safe(p, end, *altname_len, bad);
>>>>>>> + ceph_decode_need(p, end, *altname_len, bad);
>>>>>>> + *altname = *p;
>>>>>>> + *p += *altname_len;
>>>>>>> + } else {
>>>>>>> + *altname = NULL;
>>>>>>> + *altname_len = 0;
>>>>>>> + }
>>>>>>> + }
>>>>>>> return 0;
>>>>>>> bad:
>>>>>>> return -EIO;
>>>>>>> @@ -356,7 +373,8 @@ static int parse_reply_info_trace(void **p, void *end,
>>>>>>> info->dname = *p;
>>>>>>> *p += info->dname_len;
>>>>>>>
>>>>>>> - err = parse_reply_info_lease(p, end, &info->dlease, features);
>>>>>>> + err = parse_reply_info_lease(p, end, &info->dlease, features,
>>>>>>> + &info->altname_len, &info->altname);
>>>>>>> if (err < 0)
>>>>>>> goto out_bad;
>>>>>>> }
>>>>>>> @@ -423,9 +441,11 @@ static int parse_reply_info_readdir(void **p, void *end,
>>>>>>> dout("parsed dir dname '%.*s'\n", rde->name_len, rde->name);
>>>>>>>
>>>>>>> /* dentry lease */
>>>>>>> - err = parse_reply_info_lease(p, end, &rde->lease, features);
>>>>>>> + err = parse_reply_info_lease(p, end, &rde->lease, features,
>>>>>>> + &rde->altname_len, &rde->altname);
>>>>>>> if (err)
>>>>>>> goto out_bad;
>>>>>>> +
>>>>>>> /* inode */
>>>>>>> err = parse_reply_info_in(p, end, &rde->inode, features);
>>>>>>> if (err < 0)
>>>>>>> diff --git a/fs/ceph/mds_client.h b/fs/ceph/mds_client.h
>>>>>>> index e7d2c8a1b9c1..128901a847af 100644
>>>>>>> --- a/fs/ceph/mds_client.h
>>>>>>> +++ b/fs/ceph/mds_client.h
>>>>>>> @@ -29,8 +29,8 @@ enum ceph_feature_type {
>>>>>>> CEPHFS_FEATURE_MULTI_RECONNECT,
>>>>>>> CEPHFS_FEATURE_DELEG_INO,
>>>>>>> CEPHFS_FEATURE_METRIC_COLLECT,
>>>>>>> -
>>>>>>> - CEPHFS_FEATURE_MAX = CEPHFS_FEATURE_METRIC_COLLECT,
>>>>>>> + CEPHFS_FEATURE_ALTERNATE_NAME,
>>>>>>> + CEPHFS_FEATURE_MAX = CEPHFS_FEATURE_ALTERNATE_NAME,
>>>>>>> };
>>>>>>>
>>>>>>> /*
>>>>>>> @@ -45,8 +45,7 @@ enum ceph_feature_type {
>>>>>>> CEPHFS_FEATURE_MULTI_RECONNECT, \
>>>>>>> CEPHFS_FEATURE_DELEG_INO, \
>>>>>>> CEPHFS_FEATURE_METRIC_COLLECT, \
>>>>>>> - \
>>>>>>> - CEPHFS_FEATURE_MAX, \
>>>>>>> + CEPHFS_FEATURE_ALTERNATE_NAME, \
>>>>>>> }
>>>>>>> #define CEPHFS_FEATURES_CLIENT_REQUIRED {}
>>>>>>>
>>>>>>> @@ -98,7 +97,9 @@ struct ceph_mds_reply_info_in {
>>>>>>>
>>>>>>> struct ceph_mds_reply_dir_entry {
>>>>>>> char *name;
>>>>>>> + u8 *altname;
>>>>>>> u32 name_len;
>>>>>>> + u32 altname_len;
>>>>>>> struct ceph_mds_reply_lease *lease;
>>>>>>> struct ceph_mds_reply_info_in inode;
>>>>>>> loff_t offset;
>>>>>>> @@ -117,7 +118,9 @@ struct ceph_mds_reply_info_parsed {
>>>>>>> struct ceph_mds_reply_info_in diri, targeti;
>>>>>>> struct ceph_mds_reply_dirfrag *dirfrag;
>>>>>>> char *dname;
>>>>>>> + u8 *altname;
>>>>>>> u32 dname_len;
>>>>>>> + u32 altname_len;
>>>>>>> struct ceph_mds_reply_lease *dlease;
>>>>>>>
>>>>>>> /* extra */
next prev parent reply other threads:[~2022-03-01 14:31 UTC|newest]
Thread overview: 84+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-11 19:15 [RFC PATCH v10 00/48] ceph+fscrypt: full support Jeff Layton
2022-01-11 19:15 ` [RFC PATCH v10 01/48] vfs: export new_inode_pseudo Jeff Layton
2022-01-11 19:15 ` [RFC PATCH v10 02/48] fscrypt: export fscrypt_base64url_encode and fscrypt_base64url_decode Jeff Layton
2022-01-11 19:15 ` [RFC PATCH v10 03/48] fscrypt: export fscrypt_fname_encrypt and fscrypt_fname_encrypted_size Jeff Layton
2022-01-27 1:58 ` Eric Biggers
2022-01-11 19:15 ` [RFC PATCH v10 04/48] fscrypt: add fscrypt_context_for_new_inode Jeff Layton
2022-01-11 19:15 ` [RFC PATCH v10 05/48] ceph: preallocate inode for ops that may create one Jeff Layton
2022-01-11 19:15 ` [RFC PATCH v10 06/48] ceph: crypto context handling for ceph Jeff Layton
2022-01-11 19:15 ` [RFC PATCH v10 07/48] ceph: parse new fscrypt_auth and fscrypt_file fields in inode traces Jeff Layton
2022-02-17 8:25 ` Xiubo Li
2022-02-17 11:39 ` Jeff Layton
2022-02-18 1:09 ` Xiubo Li
2022-01-11 19:15 ` [RFC PATCH v10 08/48] ceph: add fscrypt_* handling to caps.c Jeff Layton
2022-01-11 19:15 ` [RFC PATCH v10 09/48] ceph: add ability to set fscrypt_auth via setattr Jeff Layton
2022-01-11 19:15 ` [RFC PATCH v10 10/48] ceph: implement -o test_dummy_encryption mount option Jeff Layton
2022-02-11 13:50 ` Luís Henriques
2022-02-11 14:52 ` Jeff Layton
2022-02-14 9:29 ` Luís Henriques
2022-01-11 19:15 ` [RFC PATCH v10 11/48] ceph: decode alternate_name in lease info Jeff Layton
2022-03-01 10:57 ` Xiubo Li
2022-03-01 11:18 ` Xiubo Li
2022-03-01 13:10 ` Jeff Layton
2022-03-01 13:51 ` Xiubo Li
2022-03-01 13:57 ` Jeff Layton
2022-03-01 14:07 ` Xiubo Li
2022-03-01 14:14 ` Jeff Layton
2022-03-01 14:30 ` Xiubo Li [this message]
2022-01-11 19:15 ` [RFC PATCH v10 12/48] ceph: add fscrypt ioctls Jeff Layton
2022-01-11 19:15 ` [RFC PATCH v10 13/48] ceph: make ceph_msdc_build_path use ref-walk Jeff Layton
2022-01-11 19:15 ` [RFC PATCH v10 14/48] ceph: add encrypted fname handling to ceph_mdsc_build_path Jeff Layton
2022-01-11 19:15 ` [RFC PATCH v10 15/48] ceph: send altname in MClientRequest Jeff Layton
2022-01-11 19:15 ` [RFC PATCH v10 16/48] ceph: encode encrypted name in dentry release Jeff Layton
2022-01-11 19:15 ` [RFC PATCH v10 17/48] ceph: properly set DCACHE_NOKEY_NAME flag in lookup Jeff Layton
2022-01-11 19:15 ` [RFC PATCH v10 18/48] ceph: make d_revalidate call fscrypt revalidator for encrypted dentries Jeff Layton
2022-01-11 19:15 ` [RFC PATCH v10 19/48] ceph: add helpers for converting names for userland presentation Jeff Layton
2022-01-11 19:15 ` [RFC PATCH v10 20/48] ceph: add fscrypt support to ceph_fill_trace Jeff Layton
2022-01-11 19:15 ` [RFC PATCH v10 21/48] ceph: add support to readdir for encrypted filenames Jeff Layton
2022-01-11 19:15 ` [RFC PATCH v10 22/48] ceph: create symlinks with encrypted and base64-encoded targets Jeff Layton
2022-01-11 19:15 ` [RFC PATCH v10 23/48] ceph: make ceph_get_name decrypt filenames Jeff Layton
2022-01-11 19:15 ` [RFC PATCH v10 24/48] ceph: add a new ceph.fscrypt.auth vxattr Jeff Layton
2022-01-11 19:15 ` [RFC PATCH v10 25/48] ceph: add some fscrypt guardrails Jeff Layton
2022-01-11 19:15 ` [RFC PATCH v10 26/48] ceph: don't allow changing layout on encrypted files/directories Jeff Layton
2022-01-11 19:15 ` [RFC PATCH v10 27/48] libceph: add CEPH_OSD_OP_ASSERT_VER support Jeff Layton
2022-01-11 19:15 ` [RFC PATCH v10 28/48] ceph: size handling for encrypted inodes in cap updates Jeff Layton
2022-01-11 19:15 ` [RFC PATCH v10 29/48] ceph: fscrypt_file field handling in MClientRequest messages Jeff Layton
2022-01-11 19:15 ` [RFC PATCH v10 30/48] ceph: get file size from fscrypt_file when present in inode traces Jeff Layton
2022-01-11 19:15 ` [RFC PATCH v10 31/48] ceph: handle fscrypt fields in cap messages from MDS Jeff Layton
2022-01-11 19:15 ` [RFC PATCH v10 32/48] ceph: add __ceph_get_caps helper support Jeff Layton
2022-01-11 19:15 ` [RFC PATCH v10 33/48] ceph: add __ceph_sync_read " Jeff Layton
2022-01-11 19:15 ` [RFC PATCH v10 34/48] ceph: add object version support for sync read Jeff Layton
2022-01-11 19:15 ` [RFC PATCH v10 35/48] ceph: add infrastructure for file encryption and decryption Jeff Layton
2022-01-11 19:15 ` [RFC PATCH v10 36/48] ceph: add truncate size handling support for fscrypt Jeff Layton
2022-01-12 8:41 ` Xiubo Li
2022-01-11 19:15 ` [RFC PATCH v10 37/48] libceph: allow ceph_osdc_new_request to accept a multi-op read Jeff Layton
2022-01-11 19:15 ` [RFC PATCH v10 38/48] ceph: disable fallocate for encrypted inodes Jeff Layton
2022-01-11 19:15 ` [RFC PATCH v10 39/48] ceph: disable copy offload on " Jeff Layton
2022-01-11 19:16 ` [RFC PATCH v10 40/48] ceph: don't use special DIO path for " Jeff Layton
2022-01-11 19:16 ` [RFC PATCH v10 41/48] ceph: set encryption context on open Jeff Layton
2022-01-11 19:16 ` [RFC PATCH v10 42/48] ceph: align data in pages in ceph_sync_write Jeff Layton
2022-01-11 19:16 ` [RFC PATCH v10 43/48] ceph: add read/modify/write to ceph_sync_write Jeff Layton
2022-01-19 3:21 ` Xiubo Li
2022-01-19 5:08 ` Xiubo Li
2022-01-19 11:06 ` Jeff Layton
2022-01-11 19:16 ` [RFC PATCH v10 44/48] ceph: plumb in decryption during sync reads Jeff Layton
2022-01-19 5:18 ` Xiubo Li
2022-01-19 18:49 ` Jeff Layton
2022-01-11 19:16 ` [RFC PATCH v10 45/48] ceph: set i_blkbits to crypto block size for encrypted inodes Jeff Layton
2022-01-11 19:16 ` [RFC PATCH v10 46/48] ceph: add fscrypt decryption support to ceph_netfs_issue_op Jeff Layton
2022-01-11 19:16 ` [RFC PATCH v10 47/48] ceph: add encryption support to writepage Jeff Layton
2022-01-11 19:16 ` [RFC PATCH v10 48/48] ceph: fscrypt support for writepages Jeff Layton
2022-01-11 19:26 ` [RFC PATCH v10 00/48] ceph+fscrypt: full support Jeff Layton
2022-01-27 2:14 ` Eric Biggers
2022-01-27 11:08 ` Jeff Layton
2022-01-28 20:39 ` Eric Biggers
2022-01-28 20:47 ` Jeff Layton
2022-02-14 9:37 ` Xiubo Li
2022-02-14 11:33 ` Jeff Layton
2022-02-14 12:08 ` Xiubo Li
2022-02-15 0:44 ` Xiubo Li
2022-02-14 17:57 ` Luís Henriques
2022-02-14 18:39 ` Jeff Layton
2022-02-14 21:00 ` Luís Henriques
2022-02-14 21:10 ` Jeff Layton
2022-02-16 16:13 ` Luís Henriques
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d4ba779e-fc38-647f-da9c-e1fdcc818914@redhat.com \
--to=xiubli@redhat.com \
--cc=ceph-devel@vger.kernel.org \
--cc=idryomov@gmail.com \
--cc=jlayton@kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).