From: Darrick J. Wong <djwong@xxxxxxxxxx>

Provide a new function call so that validation errors can be reported back to the filesystem.

Signed-off-by: Darrick J. Wong <djwong@xxxxxxxxxx>
---
 fs/verity/verify.c | 14 +++++++++++++-
 include/linux/fsverity.h | 11 +++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/fs/verity/verify.c b/fs/verity/verify.c
index 99b1529bbb50b..4acfd02b0e42d 100644
--- a/fs/verity/verify.c
+++ b/fs/verity/verify.c
@@ -258,6 +258,15 @@ verify_data_block(struct inode *inode, struct fsverity_info *vi,
 return false;
 }

+static void fsverity_fail_validation(struct inode *inode, loff_t pos,
+ size_t len)
+{
+ const struct fsverity_operations *vops = inode->i_sb->s_vop;
+
+ if (vops->fail_validation)
+ vops->fail_validation(inode, pos, len);
+}
+
 static bool
 verify_data_blocks(struct folio *data_folio, size_t len, size_t offset,
 unsigned long max_ra_bytes)
@@ -280,8 +289,11 @@ verify_data_blocks(struct folio *data_folio, size_t len, size_t offset,
 valid = verify_data_block(inode, vi, data, pos + offset,
 max_ra_bytes);
 kunmap_local(data);
- if (!valid)
+ if (!valid) {
+ fsverity_fail_validation(inode, pos + offset,
+ block_size);
 return false;
+ }
 offset += block_size;
 len -= block_size;
 } while (len);
diff --git a/include/linux/fsverity.h b/include/linux/fsverity.h
index 761a0b76eefec..dcf9d9cffcb9f 100644
--- a/include/linux/fsverity.h
+++ b/include/linux/fsverity.h
@@ -236,6 +236,17 @@ struct fsverity_operations {
 * be implemented.
 */
 void (*drop_merkle_tree_block)(struct fsverity_blockbuf *block);
+
+ /**
+ * Notify the filesystem that file data validation failed
+ *
+ * @inode: the inode being validated
+ * @pos: the file position of the invalid data
+ * @len: the length of the invalid data
+ *
+ * This is called when fs-verity cannot validate the file contents.
+ */
+ void (*fail_validation)(struct inode *inode, loff_t pos, size_t len);
 };

 #ifdef CONFIG_FS_VERITY
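Review bot: fsverity_fail_validation() carries no comment on the context in which it, and therefore the filesystem's `->fail_validation` hook, is called. The callers of verify_data_blocks() are outside this hunk, so it cannot be confirmed from here whether the hook may sleep or take locks. That should be stated, since a filesystem will want to log or record the failure from inside it. A short comment above the helper would do, for example `/* Report a failed block to the filesystem; ->fail_validation is optional. Called from <calling context>. */` with the context filled in.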
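Review bot: The new call in the `if (!valid)` branch passes only a position and a length, so the filesystem cannot tell why verification failed. verify_data_block()'s body is outside the hunk; if it also returns false when a Merkle tree block cannot be read or allocated, a transient error is reported exactly like a hash mismatch. That distinction matters to a filesystem that uses the notification to flag corruption or raise an integrity alert. Either document the hook as meaning "could not verify" rather than "data is corrupt", or pass an error code alongside `pos` and `len`. The loop also returns on the first bad block, so later blocks in the same folio are never checked or reported; that is worth a comment at the call site.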
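Review bot: The kernel-doc for `fail_validation` does not say that the operation is optional, although the caller added in fs/verity/verify.c tests the pointer for NULL before using it. The preceding member's comment ends with a statement about when it must be implemented, so for consistency add a sentence such as `This operation is optional; leave it NULL if the filesystem does not need the notification.` It would also help to say that the hook is invoked once per failing block, with @len equal to the `block_size` passed at the call site, and that the read still fails afterwards. struct fsverity_operations begins outside this hunk.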