Re: [PATCH 3/9] fs/ext4: Disallow encryption if inode is DAX
From: Eric Biggers
Date: Mon May 18 2020 - 12:24:52 EST
On Sun, May 17, 2020 at 10:03:15PM -0700, Ira Weiny wrote:
> On Fri, May 15, 2020 at 07:02:53PM -0700, Eric Biggers wrote:
> > On Tue, May 12, 2020 at 10:43:18PM -0700, ira.weiny@xxxxxxxxx wrote:
> > > From: Ira Weiny <ira.weiny@xxxxxxxxx>
> > >
> > > Encryption and DAX are incompatible. Changing the DAX mode due to a
> > > change in Encryption mode is wrong without a corresponding
> > > address_space_operations update.
> > >
> > > Make the 2 options mutually exclusive by returning an error if DAX was
> > > set first.
> > >
> > > Furthermore, clarify the documentation of the exclusivity and how that
> > > will work.
> > >
> > > Signed-off-by: Ira Weiny <ira.weiny@xxxxxxxxx>
> > >
> > > ---
> > > Changes:
> > > remove WARN_ON_ONCE
> > > Add documentation to the encrypt doc WRT DAX
> > > ---
> > > Documentation/filesystems/fscrypt.rst | 4 +++-
> > > fs/ext4/super.c | 10 +---------
> > > 2 files changed, 4 insertions(+), 10 deletions(-)
> > >
> > > diff --git a/Documentation/filesystems/fscrypt.rst b/Documentation/filesystems/fscrypt.rst
> > > index aa072112cfff..1475b8d52fef 100644
> > > --- a/Documentation/filesystems/fscrypt.rst
> > > +++ b/Documentation/filesystems/fscrypt.rst
> > > @@ -1038,7 +1038,9 @@ astute users may notice some differences in behavior:
> > > - The ext4 filesystem does not support data journaling with encrypted
> > > regular files. It will fall back to ordered data mode instead.
> > >
> > > -- DAX (Direct Access) is not supported on encrypted files.
> > > +- DAX (Direct Access) is not supported on encrypted files. Attempts to enable
> > > + DAX on an encrypted file will fail. Mount options will _not_ enable DAX on
> > > + encrypted files.
> > >
> > > - The st_size of an encrypted symlink will not necessarily give the
> > > length of the symlink target as required by POSIX. It will actually
> > > diff --git a/fs/ext4/super.c b/fs/ext4/super.c
> > > index bf5fcb477f66..9873ab27e3fa 100644
> > > --- a/fs/ext4/super.c
> > > +++ b/fs/ext4/super.c
> > > @@ -1320,7 +1320,7 @@ static int ext4_set_context(struct inode *inode, const void *ctx, size_t len,
> > > if (inode->i_ino == EXT4_ROOT_INO)
> > > return -EPERM;
> > >
> > > - if (WARN_ON_ONCE(IS_DAX(inode) && i_size_read(inode)))
> > > + if (IS_DAX(inode))
> > > return -EINVAL;
> > >
> > > res = ext4_convert_inline_data(inode);
> > > @@ -1344,10 +1344,6 @@ static int ext4_set_context(struct inode *inode, const void *ctx, size_t len,
> > > ext4_set_inode_flag(inode, EXT4_INODE_ENCRYPT);
> > > ext4_clear_inode_state(inode,
> > > EXT4_STATE_MAY_INLINE_DATA);
> > > - /*
> > > - * Update inode->i_flags - S_ENCRYPTED will be enabled,
> > > - * S_DAX may be disabled
> > > - */
> > > ext4_set_inode_flags(inode);
> > > }
> > > return res;
> > > @@ -1371,10 +1367,6 @@ static int ext4_set_context(struct inode *inode, const void *ctx, size_t len,
> > > ctx, len, 0);
> > > if (!res) {
> > > ext4_set_inode_flag(inode, EXT4_INODE_ENCRYPT);
> > > - /*
> > > - * Update inode->i_flags - S_ENCRYPTED will be enabled,
> > > - * S_DAX may be disabled
> > > - */
> > > ext4_set_inode_flags(inode);
> > > res = ext4_mark_inode_dirty(handle, inode);
> > > if (res)
> >
> > I'm confused by the ext4_set_context() change.
> >
> > ext4_set_context() is only called when FS_IOC_SET_ENCRYPTION_POLICY sets an
> > encryption policy on an empty directory, *or* when a new inode (regular, dir, or
> > symlink) is created in an encrypted directory (thus inheriting encryption from
> > its parent).
>
> I don't see the check which prevents FS_IOC_SET_ENCRYPTION_POLICY on a file?
It's in fscrypt_ioctl_set_policy().
>
> On inode creation, encryption will always usurp S_DAX...
>
> >
> > So when is it reachable when IS_DAX()? Is the issue that the DAX flag can now
> > be set on directories? The commit message doesn't seem to be talking about
> > directories. Is the behavior we want is that on an (empty) directory with the
> > DAX flag set, FS_IOC_SET_ENCRYPTION_POLICY should fail with EINVAL?
>
> We would want that but AFIAK S_DAX is never set on directories. Perhaps this
> is another place where S_DAX needs to be changed to the new inode flag?
> However, this would not be appropriate at this point in the series. At this
> point in the series S_DAX is still set based on the mount option and I'm 99%
> sure that only happens on regular files, not directories. So I'm confused now.
S_DAX is only set by ext4_set_inode_flags() which only sets it on regular files.
>
> This is, AFAICS, not going to affect correctness. It will only be confusing
> because the user will be able to set both DAX and encryption on the directory
> but files there will only see encryption being used... :-(
>
> Assuming you are correct about this call path only being valid on directories.
> It seems this IS_DAX() needs to be changed to check for EXT4_DAX_FL in
> "fs/ext4: Introduce DAX inode flag"? Then at that point we can prevent DAX and
> encryption on a directory. ... and at this point IS_DAX() could be removed at
> this point in the series???
I haven't read the whole series, but if you are indeed trying to prevent a
directory with EXT4_DAX_FL from being encrypted, then it does look like you'd
need to check EXT4_DAX_FL, not S_DAX.
The other question is what should happen when a file is created in an encrypted
directory when the filesystem is mounted with -o dax. Actually, I think I
missed something there. Currently (based on reading the code) the DAX flag will
get set first, and then ext4_set_context() will see IS_DAX() && i_size == 0 and
clear the DAX flag when setting the encrypt flag. So, the i_size == 0 check is
actually needed. Your patch (AFAICS) just makes creating an encrypted file fail
when '-o dax'. Is that intended? If not, maybe you should change it to check
S_NEW instead of i_size == 0 to make it clearer?
- Eric