git.maquefel.me Git - linux.git/commit

author	Darrick J. Wong <djwong@kernel.org>
	Mon, 15 Apr 2024 21:55:05 +0000 (14:55 -0700)
committer	Darrick J. Wong <djwong@kernel.org>
	Mon, 15 Apr 2024 21:58:59 +0000 (14:58 -0700)
commit	5f204051d998ec3d7306db0d749bddcbf4c97693
tree	fbf4b51ab481d698a0e7186efe382fed5ca87112	tree \| snapshot
parent	2935213a6831a0087442d406301c2cdcc87b0f61	commit \| diff

xfs: pin inodes that would otherwise overflow link count

The VFS inc_nlink function does not explicitly check for integer
overflows in the i_nlink field.  Instead, it checks the link count
against s_max_links in the vfs_{link,create,rename} functions.  XFS
sets the maximum link count to 2.1 billion, so integer overflows should
not be a problem.

However.  It's possible that online repair could find that a file has
more than four billion links, particularly if the link count got
corrupted while creating hardlinks to the file.  The di_nlinkv2 field is
not large enough to store a value larger than 2^32, so we ought to
define a magic pin value of ~0U which means that the inode never gets
deleted.  This will prevent a UAF error if the repair finds this
situation and users begin deleting links to the file.

Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>

fs/xfs/libxfs/xfs_format.h		diff \| blob \| history
fs/xfs/scrub/dir_repair.c		diff \| blob \| history
fs/xfs/scrub/nlinks.c		diff \| blob \| history
fs/xfs/scrub/nlinks_repair.c		diff \| blob \| history
fs/xfs/xfs_inode.c		diff \| blob \| history