• Jan Kara's avatar
    ext4: fix checksum errors with indexed dirs · c9df707c
    Jan Kara authored
    BugLink: https://bugs.launchpad.net/bugs/1868627
    
    commit 48a34311 upstream.
    
    DIR_INDEX has been introduced as a compat ext4 feature. That means that
    even kernels / tools that don't understand the feature may modify the
    filesystem. This works because for kernels not understanding indexed dir
    format, internal htree nodes appear just as empty directory entries.
    Index dir aware kernels then check the htree structure is still
    consistent before using the data. This all worked reasonably well until
    metadata checksums were introduced. The problem is that these
    effectively made DIR_INDEX only ro-compatible because internal htree
    nodes store checksums in a different place than normal directory blocks.
    Thus any modification ignorant to DIR_INDEX (or just clearing
    EXT4_INDEX_FL from the inode) will effectively cause checksum mismatch
    and trigger kernel errors. So we have to be more careful when dealing
    with indexed directories on filesystems with checksumming enabled.
    
    1) We just disallow loading any directory inodes with EXT4_INDEX_FL when
    DIR_INDEX is not enabled. This is harsh but it should be very rare (it
    means someone disabled DIR_INDEX on existing filesystem and didn't run
    e2fsck), e2fsck can fix the problem, and we don't want to answer the
    difficult question: "Should we rather corrupt the directory more or
    should we ignore that DIR_INDEX feature is not set?"
    
    2) When we find out htree structure is corrupted (but the filesystem and
    the directory should in support htrees), we continue just ignoring htree
    information for reading but we refuse to add new entries to the
    directory to avoid corrupting it more.
    
    Link: https://lore.kernel.org/r/20200210144316.22081-1-jack@suse.cz
    Fixes: dbe89444 ("ext4: Calculate and verify checksums for htree nodes")
    Reviewed-by: default avatarAndreas Dilger <adilger@dilger.ca>
    Signed-off-by: default avatarJan Kara <jack@suse.cz>
    Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
    Cc: stable@kernel.org
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
    Signed-off-by: default avatarKelsey Skunberg <kelsey.skunberg@canonical.com>
    c9df707c
dir.c 17 KB