Fix 'zfs change-key' with unencrypted child #9524

tcaputi · 2019-10-28T18:03:26Z

Currently, when you call 'zfs change-key' on an encrypted dataset
that has an unencrypted child, the code will trigger a VERIFY.
This VERIFY is leftover from before we allowed unencrypted
datasets to exist underneath encrypted ones. This patch fixes the
issue by simply replacing the VERIFY with an early return when
recursing through datasets.

Signed-off-by: Tom Caputi tcaputi@datto.com

Types of changes

Bug fix (non-breaking change which fixes an issue)
New feature (non-breaking change which adds functionality)
Performance enhancement (non-breaking change which improves efficiency)
Code cleanup (non-breaking change which makes code smaller or more readable)
Breaking change (fix or feature that would cause existing functionality to change)
Documentation (a change to man pages or other documentation)

Checklist:

My code follows the ZFS on Linux code style requirements.
I have updated the documentation accordingly.
I have read the contributing document.
I have added tests to cover my changes.
All new and existing tests passed.
All commit messages are properly formatted and contain Signed-off-by.

jasonbking · 2019-10-28T18:09:21Z

module/zfs/dsl_crypt.c

@@ -1452,7 +1452,11 @@ spa_keystore_change_key_sync_impl(uint64_t rddobj, uint64_t ddobj,
 	 * Stop recursing if this dsl dir didn't inherit from the root
 	 * or if this dd is a clone.
 	 */
-	VERIFY0(dsl_dir_get_encryption_root_ddobj(dd, &curr_rddobj));
+	if (dsl_dir_get_encryption_root_ddobj(dd, &curr_rddobj) == ENOENT) {


What happens if this returns something other than 0 or ENOENT?

I should probably add a VERIFY0() after the check. We shouldn't be able to hit any other error case in syncing context, in theory. In reality, we can probably hit an IO error here which isn't checked in the check function. I'm not sure if it would be a good idea to do that check though, because that function might have to recurse through an arbitrary number of datasets. For now. I will just add a VERIFY0()

jasonbking · 2019-10-28T22:13:13Z

module/zfs/dsl_crypt.c

-	VERIFY0(dsl_dir_get_encryption_root_ddobj(dd, &curr_rddobj));
-	if (!skip && (curr_rddobj != rddobj || dsl_dir_is_clone(dd))) {
+
+	ret = dsl_dir_get_encryption_root_ddobj(dd, &curr_rddobj);


I don't know if it's a huge concern, but it looks like there's a chance a non-zero or non-ENOENT return could get past the VERIFY check by triggering the return path here (I realized that with my own attempt at this after my initial fix).

good catch. fixed.

codecov · 2019-10-29T02:24:11Z

Codecov Report

Merging #9524 into master will decrease coverage by 0.16%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master    #9524      +/-   ##
==========================================
- Coverage   79.16%      79%   -0.17%     
==========================================
  Files         416      416              
  Lines      123661   123663       +2     
==========================================
- Hits        97895    97697     -198     
- Misses      25766    25966     +200

Flag	Coverage Δ
#kernel	`79.69% <100%> (-0.06%)`	⬇️
#user	`66.47% <0%> (-0.47%)`	⬇️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update d46f0de...997916d. Read the comment docs.

ikozhukhov

tested on dilos by: https://bitbucket.org/dilos/dilos-illumos/commits/9f38b1c7dea629e73a8fb44bfbb722fc58746bad

Currently, when you call 'zfs change-key' on an encrypted dataset that has an unencrypted child, the code will trigger a VERIFY. This VERIFY is leftover from before we allowed unencrypted datasets to exist underneath encrypted ones. This patch fixes the issue by simply replacing the VERIFY with an early return when recursing through datasets. Signed-off-by: Tom Caputi <tcaputi@datto.com>

ikozhukhov

tested on dilos, no issues found

Currently, when you call 'zfs change-key' on an encrypted dataset that has an unencrypted child, the code will trigger a VERIFY. This VERIFY is leftover from before we allowed unencrypted datasets to exist underneath encrypted ones. This patch fixes the issue by simply replacing the VERIFY with an early return when recursing through datasets. Reviewed by: Jason King <jason.brian.king@gmail.com> Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Reviewed-by: Igor Kozhukhov <igor@dilos.org> Signed-off-by: Tom Caputi <tcaputi@datto.com> Closes openzfs#9524

Currently, when you call 'zfs change-key' on an encrypted dataset that has an unencrypted child, the code will trigger a VERIFY. This VERIFY is leftover from before we allowed unencrypted datasets to exist underneath encrypted ones. This patch fixes the issue by simply replacing the VERIFY with an early return when recursing through datasets. Reviewed by: Jason King <jason.brian.king@gmail.com> Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Reviewed-by: Igor Kozhukhov <igor@dilos.org> Signed-off-by: Tom Caputi <tcaputi@datto.com> Closes #9524

jasonbking reviewed Oct 28, 2019

View reviewed changes

behlendorf added the Status: Code Review Needed Ready for review and testing label Oct 28, 2019

tcaputi force-pushed the fix_change_key_unencrypted branch from 2702f39 to 543f9bc Compare October 28, 2019 19:54

jasonbking reviewed Oct 28, 2019

View reviewed changes

ikozhukhov approved these changes Oct 29, 2019

View reviewed changes

tcaputi force-pushed the fix_change_key_unencrypted branch from 543f9bc to 997916d Compare October 29, 2019 15:36

behlendorf approved these changes Oct 29, 2019

View reviewed changes

jasonbking approved these changes Oct 29, 2019

View reviewed changes

behlendorf added Status: Accepted Ready to integrate (reviewed, tested) and removed Status: Code Review Needed Ready for review and testing labels Oct 29, 2019

ikozhukhov approved these changes Oct 30, 2019

View reviewed changes

behlendorf merged commit bae11ba into openzfs:master Oct 30, 2019

behlendorf mentioned this pull request Jan 6, 2020

zfs change-key <fs> causes kernel panic on one (of many) encrypted filesystems #9808

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix 'zfs change-key' with unencrypted child #9524

Fix 'zfs change-key' with unencrypted child #9524

tcaputi commented Oct 28, 2019

jasonbking Oct 28, 2019

tcaputi Oct 28, 2019

jasonbking Oct 28, 2019

tcaputi Oct 29, 2019

codecov bot commented Oct 29, 2019 •

edited

Loading

ikozhukhov left a comment

ikozhukhov left a comment

Fix 'zfs change-key' with unencrypted child #9524

Fix 'zfs change-key' with unencrypted child #9524

Conversation

tcaputi commented Oct 28, 2019

Types of changes

Checklist:

jasonbking Oct 28, 2019

Choose a reason for hiding this comment

tcaputi Oct 28, 2019

Choose a reason for hiding this comment

jasonbking Oct 28, 2019

Choose a reason for hiding this comment

tcaputi Oct 29, 2019

Choose a reason for hiding this comment

codecov bot commented Oct 29, 2019 • edited Loading

Codecov Report

ikozhukhov left a comment

Choose a reason for hiding this comment

ikozhukhov left a comment

Choose a reason for hiding this comment

codecov bot commented Oct 29, 2019 •

edited

Loading