Commit af440f52 authored by Eric Sandeen's avatar Eric Sandeen Committed by Linus Torvalds

ecryptfs: check for existing key_tfm at mount time

Jeff Moyer pointed out that a mount; umount loop of ecryptfs, with the same
cipher & other mount options, created a new ecryptfs_key_tfm_cache item
each time, and the cache could grow quite large this way.

Looking at this with mhalcrow, we saw that ecryptfs_parse_options()
unconditionally called ecryptfs_add_new_key_tfm(), which is what was adding
these items.

Refactor ecryptfs_get_tfm_and_mutex_for_cipher_name() to create a new
helper function, ecryptfs_tfm_exists(), which checks for the cipher on the
cached key_tfm_list, and sets a pointer to it if it exists.  This can then
be called from ecryptfs_parse_options(), and new key_tfm's can be added
only when a cached one is not found.

With list locking changes suggested by akpm.
Signed-off-by: default avatarEric Sandeen <sandeen@redhat.com>
Cc: Michael Halcrow <mhalcrow@us.ibm.com>
Cc: Jeff Moyer <jmoyer@redhat.com>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 19e66a67
...@@ -1779,7 +1779,7 @@ ecryptfs_process_key_cipher(struct crypto_blkcipher **key_tfm, ...@@ -1779,7 +1779,7 @@ ecryptfs_process_key_cipher(struct crypto_blkcipher **key_tfm,
struct kmem_cache *ecryptfs_key_tfm_cache; struct kmem_cache *ecryptfs_key_tfm_cache;
static struct list_head key_tfm_list; static struct list_head key_tfm_list;
static struct mutex key_tfm_list_mutex; struct mutex key_tfm_list_mutex;
int ecryptfs_init_crypto(void) int ecryptfs_init_crypto(void)
{ {
...@@ -1788,6 +1788,11 @@ int ecryptfs_init_crypto(void) ...@@ -1788,6 +1788,11 @@ int ecryptfs_init_crypto(void)
return 0; return 0;
} }
/**
* ecryptfs_destroy_crypto - free all cached key_tfms on key_tfm_list
*
* Called only at module unload time
*/
int ecryptfs_destroy_crypto(void) int ecryptfs_destroy_crypto(void)
{ {
struct ecryptfs_key_tfm *key_tfm, *key_tfm_tmp; struct ecryptfs_key_tfm *key_tfm, *key_tfm_tmp;
...@@ -1811,6 +1816,8 @@ ecryptfs_add_new_key_tfm(struct ecryptfs_key_tfm **key_tfm, char *cipher_name, ...@@ -1811,6 +1816,8 @@ ecryptfs_add_new_key_tfm(struct ecryptfs_key_tfm **key_tfm, char *cipher_name,
struct ecryptfs_key_tfm *tmp_tfm; struct ecryptfs_key_tfm *tmp_tfm;
int rc = 0; int rc = 0;
BUG_ON(!mutex_is_locked(&key_tfm_list_mutex));
tmp_tfm = kmem_cache_alloc(ecryptfs_key_tfm_cache, GFP_KERNEL); tmp_tfm = kmem_cache_alloc(ecryptfs_key_tfm_cache, GFP_KERNEL);
if (key_tfm != NULL) if (key_tfm != NULL)
(*key_tfm) = tmp_tfm; (*key_tfm) = tmp_tfm;
...@@ -1837,13 +1844,50 @@ ecryptfs_add_new_key_tfm(struct ecryptfs_key_tfm **key_tfm, char *cipher_name, ...@@ -1837,13 +1844,50 @@ ecryptfs_add_new_key_tfm(struct ecryptfs_key_tfm **key_tfm, char *cipher_name,
(*key_tfm) = NULL; (*key_tfm) = NULL;
goto out; goto out;
} }
mutex_lock(&key_tfm_list_mutex);
list_add(&tmp_tfm->key_tfm_list, &key_tfm_list); list_add(&tmp_tfm->key_tfm_list, &key_tfm_list);
mutex_unlock(&key_tfm_list_mutex);
out: out:
return rc; return rc;
} }
/**
* ecryptfs_tfm_exists - Search for existing tfm for cipher_name.
* @cipher_name: the name of the cipher to search for
* @key_tfm: set to corresponding tfm if found
*
* Searches for cached key_tfm matching @cipher_name
* Must be called with &key_tfm_list_mutex held
* Returns 1 if found, with @key_tfm set
* Returns 0 if not found, with @key_tfm set to NULL
*/
int ecryptfs_tfm_exists(char *cipher_name, struct ecryptfs_key_tfm **key_tfm)
{
struct ecryptfs_key_tfm *tmp_key_tfm;
BUG_ON(!mutex_is_locked(&key_tfm_list_mutex));
list_for_each_entry(tmp_key_tfm, &key_tfm_list, key_tfm_list) {
if (strcmp(tmp_key_tfm->cipher_name, cipher_name) == 0) {
if (key_tfm)
(*key_tfm) = tmp_key_tfm;
return 1;
}
}
if (key_tfm)
(*key_tfm) = NULL;
return 0;
}
/**
* ecryptfs_get_tfm_and_mutex_for_cipher_name
*
* @tfm: set to cached tfm found, or new tfm created
* @tfm_mutex: set to mutex for cached tfm found, or new tfm created
* @cipher_name: the name of the cipher to search for and/or add
*
* Sets pointers to @tfm & @tfm_mutex matching @cipher_name.
* Searches for cached item first, and creates new if not found.
* Returns 0 on success, non-zero if adding new cipher failed
*/
int ecryptfs_get_tfm_and_mutex_for_cipher_name(struct crypto_blkcipher **tfm, int ecryptfs_get_tfm_and_mutex_for_cipher_name(struct crypto_blkcipher **tfm,
struct mutex **tfm_mutex, struct mutex **tfm_mutex,
char *cipher_name) char *cipher_name)
...@@ -1853,22 +1897,17 @@ int ecryptfs_get_tfm_and_mutex_for_cipher_name(struct crypto_blkcipher **tfm, ...@@ -1853,22 +1897,17 @@ int ecryptfs_get_tfm_and_mutex_for_cipher_name(struct crypto_blkcipher **tfm,
(*tfm) = NULL; (*tfm) = NULL;
(*tfm_mutex) = NULL; (*tfm_mutex) = NULL;
mutex_lock(&key_tfm_list_mutex); mutex_lock(&key_tfm_list_mutex);
list_for_each_entry(key_tfm, &key_tfm_list, key_tfm_list) { if (!ecryptfs_tfm_exists(cipher_name, &key_tfm)) {
if (strcmp(key_tfm->cipher_name, cipher_name) == 0) {
(*tfm) = key_tfm->key_tfm;
(*tfm_mutex) = &key_tfm->key_tfm_mutex;
mutex_unlock(&key_tfm_list_mutex);
goto out;
}
}
mutex_unlock(&key_tfm_list_mutex);
rc = ecryptfs_add_new_key_tfm(&key_tfm, cipher_name, 0); rc = ecryptfs_add_new_key_tfm(&key_tfm, cipher_name, 0);
if (rc) { if (rc) {
printk(KERN_ERR "Error adding new key_tfm to list; rc = [%d]\n", printk(KERN_ERR "Error adding new key_tfm to list; "
rc); "rc = [%d]\n", rc);
goto out; goto out;
} }
}
mutex_unlock(&key_tfm_list_mutex);
(*tfm) = key_tfm->key_tfm; (*tfm) = key_tfm->key_tfm;
(*tfm_mutex) = &key_tfm->key_tfm_mutex; (*tfm_mutex) = &key_tfm->key_tfm_mutex;
out: out:
......
...@@ -323,6 +323,8 @@ struct ecryptfs_key_tfm { ...@@ -323,6 +323,8 @@ struct ecryptfs_key_tfm {
unsigned char cipher_name[ECRYPTFS_MAX_CIPHER_NAME_SIZE + 1]; unsigned char cipher_name[ECRYPTFS_MAX_CIPHER_NAME_SIZE + 1];
}; };
extern struct mutex key_tfm_list_mutex;
/** /**
* This struct is to enable a mount-wide passphrase/salt combo. This * This struct is to enable a mount-wide passphrase/salt combo. This
* is more or less a stopgap to provide similar functionality to other * is more or less a stopgap to provide similar functionality to other
...@@ -617,6 +619,7 @@ ecryptfs_add_new_key_tfm(struct ecryptfs_key_tfm **key_tfm, char *cipher_name, ...@@ -617,6 +619,7 @@ ecryptfs_add_new_key_tfm(struct ecryptfs_key_tfm **key_tfm, char *cipher_name,
size_t key_size); size_t key_size);
int ecryptfs_init_crypto(void); int ecryptfs_init_crypto(void);
int ecryptfs_destroy_crypto(void); int ecryptfs_destroy_crypto(void);
int ecryptfs_tfm_exists(char *cipher_name, struct ecryptfs_key_tfm **key_tfm);
int ecryptfs_get_tfm_and_mutex_for_cipher_name(struct crypto_blkcipher **tfm, int ecryptfs_get_tfm_and_mutex_for_cipher_name(struct crypto_blkcipher **tfm,
struct mutex **tfm_mutex, struct mutex **tfm_mutex,
char *cipher_name); char *cipher_name);
......
...@@ -410,9 +410,13 @@ static int ecryptfs_parse_options(struct super_block *sb, char *options) ...@@ -410,9 +410,13 @@ static int ecryptfs_parse_options(struct super_block *sb, char *options)
if (!cipher_key_bytes_set) { if (!cipher_key_bytes_set) {
mount_crypt_stat->global_default_cipher_key_size = 0; mount_crypt_stat->global_default_cipher_key_size = 0;
} }
mutex_lock(&key_tfm_list_mutex);
if (!ecryptfs_tfm_exists(mount_crypt_stat->global_default_cipher_name,
NULL))
rc = ecryptfs_add_new_key_tfm( rc = ecryptfs_add_new_key_tfm(
NULL, mount_crypt_stat->global_default_cipher_name, NULL, mount_crypt_stat->global_default_cipher_name,
mount_crypt_stat->global_default_cipher_key_size); mount_crypt_stat->global_default_cipher_key_size);
mutex_unlock(&key_tfm_list_mutex);
if (rc) { if (rc) {
printk(KERN_ERR "Error attempting to initialize cipher with " printk(KERN_ERR "Error attempting to initialize cipher with "
"name = [%s] and key size = [%td]; rc = [%d]\n", "name = [%s] and key size = [%td]; rc = [%d]\n",
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment