Received: by 2002:a05:6358:7058:b0:131:369:b2a3 with SMTP id 24csp8779113rwp; Wed, 19 Jul 2023 15:29:27 -0700 (PDT) X-Google-Smtp-Source: APBJJlGNPowrOvyIAWFij8mTSsjecnbaEcBeD47MUHd4HyOcvZXnWmDOG4nqI0TTJjSBmNPSO/E1 X-Received: by 2002:aa7:c44b:0:b0:518:6a99:cac3 with SMTP id n11-20020aa7c44b000000b005186a99cac3mr3376137edr.31.1689805766729; Wed, 19 Jul 2023 15:29:26 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1689805766; cv=none; d=google.com; s=arc-20160816; b=vt0TwJMdAyjEtxlNMicDOGPelwi3WZCZ2HhKKlvT3lc4bYusKYhrF1jqhxuJb48Zdg k0Z7ppj3Z1N1zbWyBz9vpwsZmfNuua2+9zOiQHBE6eaVxsAq82nIfktHTghc65sijp0P 6IN7R1XLMBR9ogQ+/0K1kipeDLB7i11JudZol+Fa6EiVw96IUGH34ckg9UGBOC0IAX26 v0oetauL/bqajaDhoowzHbdoYwnddl/n+6hOp0+sdmAwVgCeDItx93pWLaqXPQPK6hlF eZd7NTdao1HYV0V5i+ZY/pKJ3CLHMUMk6QPrUNF/BHWHMxynP+//1rKfvz1R+UvOsC6M mpzQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature:dkim-signature; bh=M4N/dCF5EYbxPk5QcgdReto7C0f6ZT5aB5kgR17CLu8=; fh=HFDFbc5lRXwuu0vgGURCiLYm5ywsvQKdSNBX4pGxTs4=; b=nh2o+nJ+i5DArYItTiolVLTpnlTxO3tF2R/W1GHkKHzmOrGnSbcWR0GzmzxDihzslt o7LAHjlL6G7zX1WSRs4IQ4ckfMGhZgYnmdZWJRVr7Y+w1p0ssPfUG9QmR3FsLlLTXoi0 XXmQLtOaCjQ48HenV+zEKI0jwGmhCMrgY3Kz47esBR6Mu5tkjvLJNs0RKYYaIqhp2Awq 0S6Iq7eNxHL7bdxSgGh06h3Y0gwiRmtd2yd2MNBw8hyW1qGnDQE2K/89n66lbSBU5PEa inz/jB/nCYoCMbvqPdM+vXfqmSSseswh91IT8v+0dh2W82Nf/SePTwL5FD9+3vxN+fKl ieqQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=Zy03tGDv; dkim=neutral (no key) header.i=@suse.de header.s=susede2_ed25519; spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=suse.de Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id i1-20020a50fc01000000b0051e2486c1ecsi3495112edr.252.2023.07.19.15.29.02; Wed, 19 Jul 2023 15:29:26 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=Zy03tGDv; dkim=neutral (no key) header.i=@suse.de header.s=susede2_ed25519; spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=suse.de Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229592AbjGSWTk (ORCPT + 99 others); Wed, 19 Jul 2023 18:19:40 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53666 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229936AbjGSWTh (ORCPT ); Wed, 19 Jul 2023 18:19:37 -0400 Received: from smtp-out1.suse.de (smtp-out1.suse.de [IPv6:2001:67c:2178:6::1c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1B7C61BCF; Wed, 19 Jul 2023 15:19:36 -0700 (PDT) Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by smtp-out1.suse.de (Postfix) with ESMTPS id D01AB222D8; Wed, 19 Jul 2023 22:19:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa; t=1689805174; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=M4N/dCF5EYbxPk5QcgdReto7C0f6ZT5aB5kgR17CLu8=; b=Zy03tGDv7kKXMm6ixKTC494h49WMMpRuDWriMyVelM0GRihZfjG/mgzv10o/IslFmAgHdp p5tvg4SjPZzxvmWzAMmKjVdhQBwqKsmPw5j642Rv2zD+gF9X/QKBt88jK2NQhMQJKzFDYX OiQzj/GgvyNsbZBtJc+Exydd5c+zsjc= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_ed25519; t=1689805174; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=M4N/dCF5EYbxPk5QcgdReto7C0f6ZT5aB5kgR17CLu8=; b=YzTwAebjNAjddO7F5kVBuhXxCIDpmXueP9mpfiw4VB+XgPWtn2Le53QpbZ3idNPkadymBq agOuPkcUiFFZRrDA== Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id 989721361C; Wed, 19 Jul 2023 22:19:34 +0000 (UTC) Received: from dovecot-director2.suse.de ([192.168.254.65]) by imap2.suse-dmz.suse.de with ESMTPSA id l/2bH3ZhuGQVJgAAMHmgww (envelope-from ); Wed, 19 Jul 2023 22:19:34 +0000 From: Gabriel Krisman Bertazi To: viro@zeniv.linux.org.uk, brauner@kernel.org, tytso@mit.edu, ebiggers@kernel.org, jaegeuk@kernel.org Cc: linux-fsdevel@vger.kernel.org, linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, Gabriel Krisman Bertazi , Gabriel Krisman Bertazi Subject: [PATCH v3 3/7] libfs: Validate negative dentries in case-insensitive directories Date: Wed, 19 Jul 2023 18:19:14 -0400 Message-ID: <20230719221918.8937-4-krisman@suse.de> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20230719221918.8937-1-krisman@suse.de> References: <20230719221918.8937-1-krisman@suse.de> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED, SPF_HELO_NONE,SPF_PASS,T_FILL_THIS_FORM_SHORT,T_SCC_BODY_TEXT_LINE, URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-ext4@vger.kernel.org From: Gabriel Krisman Bertazi Introduce a dentry revalidation helper to be used by case-insensitive filesystems to check if it is safe to reuse a negative dentry. A negative dentry is safe to be reused on a case-insensitive lookup if it was created during a case-insensitive lookup and this is not a lookup that will instantiate a dentry. If this is a creation lookup, we also need to make sure the name matches sensitively the name under lookup in order to assure the name preserving semantics. dentry->d_name is only checked by the case-insensitive d_revalidate hook in the LOOKUP_CREATE/LOOKUP_RENAME_TARGET case since, for these cases, d_revalidate is always called with the parent inode locked, and therefore the name cannot change from under us. d_revalidate is only called in 4 places: lookup_dcache, __lookup_slow, lookup_open and lookup_fast: - lookup_dcache always calls it with zeroed flags, with the exception of when coming from __lookup_hash, which needs the parent locked already, for instance in the open/creation path, which is locked in open_last_lookups. - In __lookup_slow, either the parent inode is locked by the caller (lookup_slow), or it is called with no flags (lookup_one/lookup_one_len). - lookup_open also requires the parent to be locked in the creation case, which is done in open_last_lookups. - lookup_fast will indeed be called with the parent unlocked, but it shouldn't be called with LOOKUP_CREATE. Either it is called in the link_path_walk, where nd->flags doesn't have LOOKUP_CREATE yet or in open_last_lookups. But, in this case, it also never has LOOKUP_CREATE, because it is only called on the !O_CREAT case, which means op->intent doesn't have LOOKUP_CREAT (set in build_open_flags only if O_CREAT is set). Finally, for the LOOKUP_RENAME_TARGET, we are doing a rename, so the parents inodes are also be locked. Reviewed-by: Theodore Ts'o Signed-off-by: Gabriel Krisman Bertazi --- Changes since v2: - Add comments to all rejection cases (eric) - safeguard against filesystem creating dentries without LOOKUP flags --- fs/libfs.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/fs/libfs.c b/fs/libfs.c index 5b851315eeed..dd213f446427 100644 --- a/fs/libfs.c +++ b/fs/libfs.c @@ -1462,9 +1462,57 @@ static int generic_ci_d_hash(const struct dentry *dentry, struct qstr *str) return 0; } +static inline int generic_ci_d_revalidate(struct dentry *dentry, + const struct qstr *name, + unsigned int flags) +{ + if (d_is_negative(dentry)) { + const struct dentry *parent = READ_ONCE(dentry->d_parent); + const struct inode *dir = READ_ONCE(parent->d_inode); + + if (dir && needs_casefold(dir)) { + /* + * Filesystems will call into d_revalidate without + * setting LOOKUP_ flags even for file creation(see + * lookup_one* variants). Reject negative dentries in + * this case, since we can't know for sure it won't be + * used for creation. + */ + if (!flags) + return 0; + + /* + * Negative dentries created prior to turning the + * directory case-insensitive cannot be trusted, since + * they don't ensure any possible case version of the + * filename doesn't exist. + */ + if (!d_is_casefold_lookup(dentry)) + return 0; + + if (flags & (LOOKUP_CREATE | LOOKUP_RENAME_TARGET)) { + /* + * ->d_name won't change from under us in the + * creation path only, since d_revalidate during + * creation and renames is always called with + * the parent inode locked. It isn't the case + * for all lookup callpaths, so ->d_name must + * not be touched outside + * (LOOKUP_CREATE|LOOKUP_RENAME_TARGET) context. + */ + if (dentry->d_name.len != name->len || + memcmp(dentry->d_name.name, name->name, name->len)) + return 0; + } + } + } + return 1; +} + static const struct dentry_operations generic_ci_dentry_ops = { .d_hash = generic_ci_d_hash, .d_compare = generic_ci_d_compare, + .d_revalidate_name = generic_ci_d_revalidate, }; #endif -- 2.41.0