Commit 4f1e308d authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'fscrypt-for-linus' of git://git.kernel.org/pub/scm/fs/fscrypt/linux 

Pull fscrypt fix from Eric Biggers:
 "Fix a bug where when a filesystem was being unmounted, the fscrypt
  keyring was destroyed before inodes have been released by the Landlock
  LSM.

  This bug was found by syzbot"

* tag 'fscrypt-for-linus' of git://git.kernel.org/pub/scm/fs/fscrypt/linux:
  fscrypt: check for NULL keyring in fscrypt_put_master_key_activeref()
  fscrypt: improve fscrypt_destroy_keyring() documentation
  fscrypt: destroy keyring after security_sb_delete()
parents 7d31677b 4bcf6f82

fs/crypto/keyring.c

+13 −10
Original line number Diff line number Diff line
@@ -92,6 +92,8 @@ void fscrypt_put_master_key_activeref(struct super_block *sb, 
	 * destroying any subkeys embedded in it.

	 */



	if (WARN_ON(!sb->s_master_keys))

		return;

	spin_lock(&sb->s_master_keys->lock);

	hlist_del_rcu(&mk->mk_node);

	spin_unlock(&sb->s_master_keys->lock);
@@ -207,10 +209,11 @@ static int allocate_filesystem_keyring(struct super_block *sb) 
 * Release all encryption keys that have been added to the filesystem, along

 * with the keyring that contains them.

 *

 * This is called at unmount time.  The filesystem's underlying block device(s)

 * are still available at this time; this is important because after user file

 * accesses have been allowed, this function may need to evict keys from the

 * keyslots of an inline crypto engine, which requires the block device(s).

 * This is called at unmount time, after all potentially-encrypted inodes have

 * been evicted.  The filesystem's underlying block device(s) are still

 * available at this time; this is important because after user file accesses

 * have been allowed, this function may need to evict keys from the keyslots of

 * an inline crypto engine, which requires the block device(s).

 */

void fscrypt_destroy_keyring(struct super_block *sb)

{
@@ -227,12 +230,12 @@ void fscrypt_destroy_keyring(struct super_block *sb) 


		hlist_for_each_entry_safe(mk, tmp, bucket, mk_node) {

			/*

			 * Since all inodes were already evicted, every key

			 * remaining in the keyring should have an empty inode

			 * list, and should only still be in the keyring due to

			 * the single active ref associated with ->mk_secret.

			 * There should be no structural refs beyond the one

			 * associated with the active ref.

			 * Since all potentially-encrypted inodes were already

			 * evicted, every key remaining in the keyring should

			 * have an empty inode list, and should only still be in

			 * the keyring due to the single active ref associated

			 * with ->mk_secret.  There should be no structural refs

			 * beyond the one associated with the active ref.

			 */

			WARN_ON(refcount_read(&mk->mk_active_refs) != 1);

			WARN_ON(refcount_read(&mk->mk_struct_refs) != 1);

fs/super.c

+12 −3
Original line number Diff line number Diff line
@@ -475,13 +475,22 @@ void generic_shutdown_super(struct super_block *sb) 


		cgroup_writeback_umount();



		/* evict all inodes with zero refcount */

		/* Evict all inodes with zero refcount. */

		evict_inodes(sb);

		/* only nonzero refcount inodes can have marks */



		/*

		 * Clean up and evict any inodes that still have references due

		 * to fsnotify or the security policy.

		 */

		fsnotify_sb_delete(sb);

		fscrypt_destroy_keyring(sb);

		security_sb_delete(sb);



		/*

		 * Now that all potentially-encrypted inodes have been evicted,

		 * the fscrypt keyring can be destroyed.

		 */

		fscrypt_destroy_keyring(sb);



		if (sb->s_dio_done_wq) {

			destroy_workqueue(sb->s_dio_done_wq);

			sb->s_dio_done_wq = NULL;