On Fri, Oct 07, 2011 at 12:11:01AM -0700, Allison Henderson wrote:

This patch adds two new routines: ext4_secure_delete_pblks
and ext4_secure_delete_lblks.

ext4_secure_delete_pblks() will write zeros to the specified
physical blocks or random data if the EXT4_SECRM_RANDOM_FL flag is
set.  If the device supports secure discard, the secure
discard will be used instead. ext4_secure_delete_lblks handels walking

handles

the logical blocks of a file and calling ext4_secure_delete_pblks()
as needed.

Signed-off-by: Allison Henderson <redacted>
---
v1->v2
Removed check for discard mount option and replaced with
check for secure discard and discard_zeroes_data

Added BLKDEV_DISCARD_SECURE to the sb_issue_discard call

v2->v3
Removed code for discard.  A seperate patch will

separate

The fact that random secure delete produces zeroed blocks on discard devices is
documented somewhere user-visible, right?  Just in case someone actually
depends on the randomizing.

+ * inode: The files inode
+ * block: The physical block at which to start deleteing

deleting

+ * count: The number of blocks to delete
+ *
+ * Returns 0 on sucess or negative on error
+ */
+int ext4_secure_delete_pblks(struct inode *inode, ext4_fsblk_t block,
+		unsigned long count){
+
+	struct fstrim_range range;
+	ext4_fsblk_t iblock, last_block;
+	struct buffer_head *bh;
+	struct super_block *sb = inode->i_sb;
+	struct request_queue *q = bdev_get_queue(sb->s_bdev);
+	struct ext4_super_block *es = EXT4_SB(inode->i_sb)->s_es;
+	int err = 0;
+
+	last_block = block + count;
+	/*
+	 * Check to see if the device supports secure discard,
+	 * And also that read after discard returns zeros
+	 */
+	if (blk_queue_secdiscard(q) && q->limits.discard_zeroes_data) {
+		err = sb_issue_discard(sb, block, count,
+			GFP_NOFS, BLKDEV_DISCARD_SECURE);
+		if (err)
+			goto zero_out;
+
+		range.start = block;
+		range.len = count;
+		range.minlen = 1;
+		err = ext4_trim_fs(sb, &range);
+
+		if (err)
+			goto zero_out;
+
+		return 0;
+	}
+
+	if (EXT4_I(inode)->i_flags & EXT4_SECRM_RANDOM_FL) {
+		for (iblock = block; iblock < last_block; iblock++) {
+			bh = sb_getblk(sb, iblock);
+			get_random_bytes(bh->b_data, bh->b_size);
+			set_buffer_dirty(bh);
+
+			sync_dirty_buffer(bh);
+			if (buffer_req(bh) && !buffer_uptodate(bh)) {
+				es->s_last_error_block =
+					cpu_to_le64(bh->b_blocknr);
+				ext4_error_inode(inode, __func__,
+					__LINE__, bh->b_blocknr,
+					"IO error syncing itable block");

itable block?

+				err = -EIO;
+				brelse(bh);
+				goto zero_out;
+			}
+			brelse(bh);
+		}
+		return 0;
+	}
+
+zero_out:
+	return sb_issue_zeroout(sb, block, count, GFP_NOFS);
+
+}
+
+/*
+ * ext4_secure_delete_lblks
+ *
+ * Secure deletes the data blocks of a file
+ * starting at the given logical block
+ *
+ * @inode: The files inode
+ * @first_block: Starting logical block
+ * @count: The number of blocks to secure delete
+ *
+ * Returns 0 on sucess or negative on error
+ */
+int ext4_secure_delete_lblks(struct inode *inode, ext4_lblk_t first_block,
+				unsigned long count){
+	handle_t *handle;
+	struct ext4_map_blocks map;
+	struct ext4_ext_cache cache_ex;
+	ext4_lblk_t num_blocks, max_blocks = 0;
+	ext4_lblk_t last_block = first_block + count;
+	ext4_lblk_t iblock = first_block;
+	int ret, credits, hole_len, err = 0;
+
+	credits = ext4_writepage_trans_blocks(inode);
+	handle = ext4_journal_start(inode, credits);
+	if (IS_ERR(handle))
+		return PTR_ERR(handle);
+
+	down_write(&EXT4_I(inode)->i_data_sem);
+	ext4_ext_invalidate_cache(inode);
+	ext4_discard_preallocations(inode);
+
+	/* Do not allow last_block to wrap when caller passes EXT_MAX_BLOCK */
+	if (last_block < first_block)
+		last_block = EXT_MAX_BLOCKS;
+
+	while (iblock < last_block) {
+		max_blocks = last_block - iblock;
+		num_blocks = 1;
+		memset(&map, 0, sizeof(map));
+		map.m_lblk = iblock;
+		map.m_len = max_blocks;
+
+		if (ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS))
+			ret = ext4_ext_map_blocks(handle, inode, &map, 0);
+		else
+			ret = ext4_ind_map_blocks(handle, inode, &map, 0);
+
+		if (ret > 0) {
+			err = ext4_secure_delete_pblks(inode,
+				map.m_pblk, map.m_len);
+			if (err)
+				break;
+			num_blocks = ret;
+		} else if (ret == 0) {
+			if (ext4_test_inode_flag(inode,
+				EXT4_INODE_EXTENTS)) {
+				/*
+				 * If map blocks could not find the block,
+				 * then it is in a hole.  If the hole was
+				 * not already cached, then map blocks should
+				 * put it in the cache.  So we can get the hole
+				 * out of the cache
+				 */
+				memset(&cache_ex, 0, sizeof(cache_ex));
+				if ((ext4_ext_check_cache(inode, iblock,
+					&cache_ex)) && !cache_ex.ec_start) {
+
+					/* The hole is cached */
+					num_blocks = cache_ex.ec_block +
+						cache_ex.ec_len - iblock;
+
+				} else {
+					/* reached EOF of extent file */
+					break;
+				}
+			} else {
+				hole_len = ext4_ind_hole_lookup(inode, iblock);
+
+				if (hole_len > 0) {
+					/* Skip over the hole */
+					num_blocks = hole_len;
+				} else if (hole_len == 0) {
+					/* No hole, EOF reached */
+					break;
+				} else {
+					/* Hole look up err */
+					err = hole_len;
+					break;
+				}
+			}
+		} else {
+			/* Map blocks error */
+			err = ret;
+			break;
+		}
+
+		if (num_blocks == 0) {
+			/* This condition should never happen */
+			ext_debug("Block lookup failed");
+			err = -EIO;
+			break;
+		}
+
+		iblock += num_blocks;
+	}
+
+	if (IS_SYNC(inode))
+		ext4_handle_sync(handle);
+
+	up_write(&EXT4_I(inode)->i_data_sem);
+
+	inode->i_mtime = inode->i_ctime = ext4_current_time(inode);
+	ext4_mark_inode_dirty(handle, inode);
+	ext4_journal_stop(handle);
+
+	return err;
+}
+
 struct buffer_head *ext4_bread(handle_t *handle, struct inode *inode,
 			       ext4_lblk_t block, int create, int *err)
 {
-- 
1.7.1

--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html