Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

ext4: don't treat fhandle lookup of ea_inode as FS corruption

A file handle that userspace provides to open_by_handle_at() can
legitimately contain an outdated inode number that has since been reused
for another purpose - that's why the file handle also contains a generation
number.

But if the inode number has been reused for an ea_inode, check_igot_inode()
will notice, __ext4_iget() will go through ext4_error_inode(), and if the
inode was newly created, it will also be marked as bad by iget_failed().
This all happens before the point where the inode generation is checked.

ext4_error_inode() is supposed to only be used on filesystem corruption; it
should not be used when userspace just got unlucky with a stale file
handle. So when this happens, let __ext4_iget() just return an error.

Fixes: b3e6bcb94590 ("ext4: add EA_INODE checking to ext4_iget()")
Signed-off-by: Jann Horn <jannh@google.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20241129-ext4-ignore-ea-fhandle-v1-1-e532c0d1cee0@google.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

authored by

Jann Horn and committed by
Theodore Ts'o
642335f3 d5e20677

+48 -20
+48 -20
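--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4732,22 +4732,43 @@
 inode_set_iversion_queried(inode, val);
 }
 
-static const char *check_igot_inode(struct inode *inode, ext4_iget_flags flags)
-
+static int check_igot_inode(struct inode *inode, ext4_iget_flags flags,
+const char *function, unsigned int line)
 {
+const char *err_str;
+
 if (flags & EXT4_IGET_EA_INODE) {
-if (!(EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL))
-return "missing EA_INODE flag";
+if (!(EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)) {
+err_str = "missing EA_INODE flag";
+goto error;
+}
 if (ext4_test_inode_state(inode, EXT4_STATE_XATTR) ||
-EXT4_I(inode)->i_file_acl)
-return "ea_inode with extended attributes";
+EXT4_I(inode)->i_file_acl) {
+err_str = "ea_inode with extended attributes";
+goto error;
+}
 } else {
-if ((EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL))
-return "unexpected EA_INODE flag";
+if ((EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)) {
+/*
+* open_by_handle_at() could provide an old inode number
+* that has since been reused for an ea_inode; this does
+* not indicate filesystem corruption
+*/
+if (flags & EXT4_IGET_HANDLE)
+return -ESTALE;
+err_str = "unexpected EA_INODE flag";
+goto error;
+}
 }
-if (is_bad_inode(inode) && !(flags & EXT4_IGET_BAD))
-return "unexpected bad inode w/o EXT4_IGET_BAD";
-return NULL;
+if (is_bad_inode(inode) && !(flags & EXT4_IGET_BAD)) {
+err_str = "unexpected bad inode w/o EXT4_IGET_BAD";
+goto error;
+}
+return 0;
+
+error:
+ext4_error_inode(inode, function, line, 0, err_str);
+return -EFSCORRUPTED;
 }
 
 struct inode *__ext4_iget(struct super_block *sb, unsigned long ino,
@@ -4759,7 +4780,6 @@
 struct ext4_inode_info *ei;
 struct ext4_super_block *es = EXT4_SB(sb)->s_es;
 struct inode *inode;
-const char *err_str;
 journal_t *journal = EXT4_SB(sb)->s_journal;
 long ret;
 loff_t size;
@@ -4788,10 +4808,10 @@
 if (!inode)
 return ERR_PTR(-ENOMEM);
 if (!(inode->i_state & I_NEW)) {
-if ((err_str = check_igot_inode(inode, flags)) != NULL) {
-ext4_error_inode(inode, function, line, 0, err_str);
+ret = check_igot_inode(inode, flags, function, line);
+if (ret) {
 iput(inode);
-return ERR_PTR(-EFSCORRUPTED);
+return ERR_PTR(ret);
 }
 return inode;
 }
@@ -5073,13 +5093,21 @@
 ret = -EFSCORRUPTED;
 goto bad_inode;
 }
-if ((err_str = check_igot_inode(inode, flags)) != NULL) {
-ext4_error_inode(inode, function, line, 0, err_str);
-ret = -EFSCORRUPTED;
-goto bad_inode;
+ret = check_igot_inode(inode, flags, function, line);
+/*
+* -ESTALE here means there is nothing inherently wrong with the inode,
+* it's just not an inode we can return for an fhandle lookup.
+*/
+if (ret == -ESTALE) {
+brelse(iloc.bh);
+unlock_new_inode(inode);
+iput(inode);
+return ERR_PTR(-ESTALE);
 }
-
+if (ret)
+goto bad_inode;
 brelse(iloc.bh);
+
 unlock_new_inode(inode);
 return inode;
 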
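Review bot: check_igot_inode() now has three distinct outcomes but no comment stating them: 0, -ESTALE returned silently for the EXT4_IGET_HANDLE case, and -EFSCORRUPTED after it has itself called ext4_error_inode(). Callers depend on that contract: the new-inode path in __ext4_iget() (whose body starts and ends outside these hunks) has to test `ret == -ESTALE` before the generic `if (ret) goto bad_inode;`, otherwise a stale handle would again take the failure path the commit message describes. I would add above the function: `/* Returns 0, -ESTALE (nothing logged; a stale fhandle hit an ea_inode), or -EFSCORRUPTED after reporting via ext4_error_inode(). */`. Separately, the `is_bad_inode()` check still reports through ext4_error_inode() when EXT4_IGET_HANDLE is set; whether a stale handle can reach that branch is not visible here, so it is worth confirming.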