fs/inode.c: make inode_init_always() initialize i_ino to 0

Message ID 20201031004420.87678-1-ebiggers@kernel.org (mailing list archive)
State Accepted

Commit Message

Eric Biggers Oct. 31, 2020, 12:44 a.m. UTC
From: Eric Biggers <ebiggers@google.com>

Currently inode_init_always() doesn't initialize i_ino to 0.  This is
unexpected because unlike the other inode fields that aren't initialized
by inode_init_always(), i_ino isn't guaranteed to end up back at its
initial value after the inode is freed.  Only one filesystem (XFS)
actually sets i_ino back to 0 when freeing its inodes.

So, callers of new_inode() see some random previous i_ino.  Normally
that's fine, since normally i_ino isn't accessed before being set.
There can be edge cases where that isn't necessarily true, though.

The one I've run into is that on ext4, when creating an encrypted file,
the new file's encryption key has to be set up prior to the jbd2
transaction, and thus prior to i_ino being set.  If something goes
wrong, fs/crypto/ may log warning or error messages, which normally
include i_ino.  So it needs to know whether it is valid to include i_ino
yet or not.  Also, on some files i_ino needs to be hashed for use in the
crypto, so fs/crypto/ needs to know whether that can be done yet or not.

There are ways this could be worked around, either in fs/crypto/ or in
fs/ext4/.  But, it seems there's no reason not to just fix
inode_init_always() to do the expected thing and initialize i_ino to 0.

So, do that, and also remove the initialization in jfs_fill_super() that
becomes redundant.

Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 fs/inode.c     | 1 +
 fs/jfs/super.c | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)


base-commit: 5fc6b075e165f641fbc366b58b578055762d5f8c

Comments

Eric Biggers Nov. 6, 2020, 5:52 p.m. UTC | #1
On Fri, Oct 30, 2020 at 05:44:20PM -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
> 
> Currently inode_init_always() doesn't initialize i_ino to 0.  This is
> unexpected because unlike the other inode fields that aren't initialized
> by inode_init_always(), i_ino isn't guaranteed to end up back at its
> initial value after the inode is freed.  Only one filesystem (XFS)
> actually sets i_ino back to 0 when freeing its inodes.
> 
> So, callers of new_inode() see some random previous i_ino.  Normally
> that's fine, since normally i_ino isn't accessed before being set.
> There can be edge cases where that isn't necessarily true, though.
> 
> The one I've run into is that on ext4, when creating an encrypted file,
> the new file's encryption key has to be set up prior to the jbd2
> transaction, and thus prior to i_ino being set.  If something goes
> wrong, fs/crypto/ may log warning or error messages, which normally
> include i_ino.  So it needs to know whether it is valid to include i_ino
> yet or not.  Also, on some files i_ino needs to be hashed for use in the
> crypto, so fs/crypto/ needs to know whether that can be done yet or not.
> 
> There are ways this could be worked around, either in fs/crypto/ or in
> fs/ext4/.  But, it seems there's no reason not to just fix
> inode_init_always() to do the expected thing and initialize i_ino to 0.
> 
> So, do that, and also remove the initialization in jfs_fill_super() that
> becomes redundant.
> 
> Signed-off-by: Eric Biggers <ebiggers@google.com>
> ---
>  fs/inode.c     | 1 +
>  fs/jfs/super.c | 1 -
>  2 files changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/fs/inode.c b/fs/inode.c
> index 9d78c37b00b81..eb001129f157c 100644
> --- a/fs/inode.c
> +++ b/fs/inode.c
> @@ -142,6 +142,7 @@ int inode_init_always(struct super_block *sb, struct inode *inode)
>  	atomic_set(&inode->i_count, 1);
>  	inode->i_op = &empty_iops;
>  	inode->i_fop = &no_open_fops;
> +	inode->i_ino = 0;
>  	inode->__i_nlink = 1;
>  	inode->i_opflags = 0;
>  	if (sb->s_xattr)
> diff --git a/fs/jfs/super.c b/fs/jfs/super.c
> index b2dc4d1f9dcc5..1f0ffabbde566 100644
> --- a/fs/jfs/super.c
> +++ b/fs/jfs/super.c
> @@ -551,7 +551,6 @@ static int jfs_fill_super(struct super_block *sb, void *data, int silent)
>  		ret = -ENOMEM;
>  		goto out_unload;
>  	}
> -	inode->i_ino = 0;
>  	inode->i_size = i_size_read(sb->s_bdev->bd_inode);
>  	inode->i_mapping->a_ops = &jfs_metapage_aops;
>  	inode_fake_hash(inode);
> 

Al, any thoughts on this?

- Eric

Jeff Layton Nov. 10, 2020, 3:55 p.m. UTC | #2
On Fri, 2020-10-30 at 17:44 -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
> 
> Currently inode_init_always() doesn't initialize i_ino to 0.  This is
> unexpected because unlike the other inode fields that aren't initialized
> by inode_init_always(), i_ino isn't guaranteed to end up back at its
> initial value after the inode is freed.  Only one filesystem (XFS)
> actually sets i_ino back to 0 when freeing its inodes.
> 
> So, callers of new_inode() see some random previous i_ino.  Normally
> that's fine, since normally i_ino isn't accessed before being set.
> There can be edge cases where that isn't necessarily true, though.
> 
> The one I've run into is that on ext4, when creating an encrypted file,
> the new file's encryption key has to be set up prior to the jbd2
> transaction, and thus prior to i_ino being set.  If something goes
> wrong, fs/crypto/ may log warning or error messages, which normally
> include i_ino.  So it needs to know whether it is valid to include i_ino
> yet or not.  Also, on some files i_ino needs to be hashed for use in the
> crypto, so fs/crypto/ needs to know whether that can be done yet or not.
> 
> There are ways this could be worked around, either in fs/crypto/ or in
> fs/ext4/.  But, it seems there's no reason not to just fix
> inode_init_always() to do the expected thing and initialize i_ino to 0.
> 
> So, do that, and also remove the initialization in jfs_fill_super() that
> becomes redundant.
> 
> Signed-off-by: Eric Biggers <ebiggers@google.com>
> ---
>  fs/inode.c     | 1 +
>  fs/jfs/super.c | 1 -
>  2 files changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/fs/inode.c b/fs/inode.c
> index 9d78c37b00b81..eb001129f157c 100644
> --- a/fs/inode.c
> +++ b/fs/inode.c
> @@ -142,6 +142,7 @@ int inode_init_always(struct super_block *sb, struct inode *inode)
>  	atomic_set(&inode->i_count, 1);
>  	inode->i_op = &empty_iops;
>  	inode->i_fop = &no_open_fops;
> +	inode->i_ino = 0;
>  	inode->__i_nlink = 1;
>  	inode->i_opflags = 0;
>  	if (sb->s_xattr)
> diff --git a/fs/jfs/super.c b/fs/jfs/super.c
> index b2dc4d1f9dcc5..1f0ffabbde566 100644
> --- a/fs/jfs/super.c
> +++ b/fs/jfs/super.c
> @@ -551,7 +551,6 @@ static int jfs_fill_super(struct super_block *sb, void *data, int silent)
>  		ret = -ENOMEM;
>  		goto out_unload;
>  	}
> -	inode->i_ino = 0;
>  	inode->i_size = i_size_read(sb->s_bdev->bd_inode);
>  	inode->i_mapping->a_ops = &jfs_metapage_aops;
>  	inode_fake_hash(inode);
> 
> base-commit: 5fc6b075e165f641fbc366b58b578055762d5f8c

This seems like a reasonable thing to do.

Acked-by: Jeff Layton <jlayton@kernel.org>

Eric Biggers Nov. 20, 2020, 6:50 p.m. UTC | #3
On Fri, Nov 06, 2020 at 09:52:05AM -0800, Eric Biggers wrote:
> On Fri, Oct 30, 2020 at 05:44:20PM -0700, Eric Biggers wrote:
> > From: Eric Biggers <ebiggers@google.com>
> > 
> > Currently inode_init_always() doesn't initialize i_ino to 0.  This is
> > unexpected because unlike the other inode fields that aren't initialized
> > by inode_init_always(), i_ino isn't guaranteed to end up back at its
> > initial value after the inode is freed.  Only one filesystem (XFS)
> > actually sets i_ino back to 0 when freeing its inodes.
> > 
> > So, callers of new_inode() see some random previous i_ino.  Normally
> > that's fine, since normally i_ino isn't accessed before being set.
> > There can be edge cases where that isn't necessarily true, though.
> > 
> > The one I've run into is that on ext4, when creating an encrypted file,
> > the new file's encryption key has to be set up prior to the jbd2
> > transaction, and thus prior to i_ino being set.  If something goes
> > wrong, fs/crypto/ may log warning or error messages, which normally
> > include i_ino.  So it needs to know whether it is valid to include i_ino
> > yet or not.  Also, on some files i_ino needs to be hashed for use in the
> > crypto, so fs/crypto/ needs to know whether that can be done yet or not.
> > 
> > There are ways this could be worked around, either in fs/crypto/ or in
> > fs/ext4/.  But, it seems there's no reason not to just fix
> > inode_init_always() to do the expected thing and initialize i_ino to 0.
> > 
> > So, do that, and also remove the initialization in jfs_fill_super() that
> > becomes redundant.
> > 
> > Signed-off-by: Eric Biggers <ebiggers@google.com>
> > ---
> >  fs/inode.c     | 1 +
> >  fs/jfs/super.c | 1 -
> >  2 files changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/fs/inode.c b/fs/inode.c
> > index 9d78c37b00b81..eb001129f157c 100644
> > --- a/fs/inode.c
> > +++ b/fs/inode.c
> > @@ -142,6 +142,7 @@ int inode_init_always(struct super_block *sb, struct inode *inode)
> >  	atomic_set(&inode->i_count, 1);
> >  	inode->i_op = &empty_iops;
> >  	inode->i_fop = &no_open_fops;
> > +	inode->i_ino = 0;
> >  	inode->__i_nlink = 1;
> >  	inode->i_opflags = 0;
> >  	if (sb->s_xattr)
> > diff --git a/fs/jfs/super.c b/fs/jfs/super.c
> > index b2dc4d1f9dcc5..1f0ffabbde566 100644
> > --- a/fs/jfs/super.c
> > +++ b/fs/jfs/super.c
> > @@ -551,7 +551,6 @@ static int jfs_fill_super(struct super_block *sb, void *data, int silent)
> >  		ret = -ENOMEM;
> >  		goto out_unload;
> >  	}
> > -	inode->i_ino = 0;
> >  	inode->i_size = i_size_read(sb->s_bdev->bd_inode);
> >  	inode->i_mapping->a_ops = &jfs_metapage_aops;
> >  	inode_fake_hash(inode);
> > 
> 
> Al, any thoughts on this?
> 

Ping?

Eric Biggers Dec. 2, 2020, 9:19 p.m. UTC | #4
On Fri, Nov 20, 2020 at 10:50:30AM -0800, Eric Biggers wrote:
> On Fri, Nov 06, 2020 at 09:52:05AM -0800, Eric Biggers wrote:
> > On Fri, Oct 30, 2020 at 05:44:20PM -0700, Eric Biggers wrote:
> > > From: Eric Biggers <ebiggers@google.com>
> > > 
> > > Currently inode_init_always() doesn't initialize i_ino to 0.  This is
> > > unexpected because unlike the other inode fields that aren't initialized
> > > by inode_init_always(), i_ino isn't guaranteed to end up back at its
> > > initial value after the inode is freed.  Only one filesystem (XFS)
> > > actually sets i_ino back to 0 when freeing its inodes.
> > > 
> > > So, callers of new_inode() see some random previous i_ino.  Normally
> > > that's fine, since normally i_ino isn't accessed before being set.
> > > There can be edge cases where that isn't necessarily true, though.
> > > 
> > > The one I've run into is that on ext4, when creating an encrypted file,
> > > the new file's encryption key has to be set up prior to the jbd2
> > > transaction, and thus prior to i_ino being set.  If something goes
> > > wrong, fs/crypto/ may log warning or error messages, which normally
> > > include i_ino.  So it needs to know whether it is valid to include i_ino
> > > yet or not.  Also, on some files i_ino needs to be hashed for use in the
> > > crypto, so fs/crypto/ needs to know whether that can be done yet or not.
> > > 
> > > There are ways this could be worked around, either in fs/crypto/ or in
> > > fs/ext4/.  But, it seems there's no reason not to just fix
> > > inode_init_always() to do the expected thing and initialize i_ino to 0.
> > > 
> > > So, do that, and also remove the initialization in jfs_fill_super() that
> > > becomes redundant.
> > > 
> > > Signed-off-by: Eric Biggers <ebiggers@google.com>
> > > ---
> > >  fs/inode.c     | 1 +
> > >  fs/jfs/super.c | 1 -
> > >  2 files changed, 1 insertion(+), 1 deletion(-)
> > > 
> > > diff --git a/fs/inode.c b/fs/inode.c
> > > index 9d78c37b00b81..eb001129f157c 100644
> > > --- a/fs/inode.c
> > > +++ b/fs/inode.c
> > > @@ -142,6 +142,7 @@ int inode_init_always(struct super_block *sb, struct inode *inode)
> > >  	atomic_set(&inode->i_count, 1);
> > >  	inode->i_op = &empty_iops;
> > >  	inode->i_fop = &no_open_fops;
> > > +	inode->i_ino = 0;
> > >  	inode->__i_nlink = 1;
> > >  	inode->i_opflags = 0;
> > >  	if (sb->s_xattr)
> > > diff --git a/fs/jfs/super.c b/fs/jfs/super.c
> > > index b2dc4d1f9dcc5..1f0ffabbde566 100644
> > > --- a/fs/jfs/super.c
> > > +++ b/fs/jfs/super.c
> > > @@ -551,7 +551,6 @@ static int jfs_fill_super(struct super_block *sb, void *data, int silent)
> > >  		ret = -ENOMEM;
> > >  		goto out_unload;
> > >  	}
> > > -	inode->i_ino = 0;
> > >  	inode->i_size = i_size_read(sb->s_bdev->bd_inode);
> > >  	inode->i_mapping->a_ops = &jfs_metapage_aops;
> > >  	inode_fake_hash(inode);
> > > 
> > 
> > Al, any thoughts on this?

Ping.

Eric Biggers Jan. 4, 2021, 6:54 p.m. UTC | #5
On Wed, Dec 02, 2020 at 01:19:15PM -0800, Eric Biggers wrote:
> On Fri, Nov 20, 2020 at 10:50:30AM -0800, Eric Biggers wrote:
> > On Fri, Nov 06, 2020 at 09:52:05AM -0800, Eric Biggers wrote:
> > > On Fri, Oct 30, 2020 at 05:44:20PM -0700, Eric Biggers wrote:
> > > > From: Eric Biggers <ebiggers@google.com>
> > > > 
> > > > Currently inode_init_always() doesn't initialize i_ino to 0.  This is
> > > > unexpected because unlike the other inode fields that aren't initialized
> > > > by inode_init_always(), i_ino isn't guaranteed to end up back at its
> > > > initial value after the inode is freed.  Only one filesystem (XFS)
> > > > actually sets i_ino back to 0 when freeing its inodes.
> > > > 
> > > > So, callers of new_inode() see some random previous i_ino.  Normally
> > > > that's fine, since normally i_ino isn't accessed before being set.
> > > > There can be edge cases where that isn't necessarily true, though.
> > > > 
> > > > The one I've run into is that on ext4, when creating an encrypted file,
> > > > the new file's encryption key has to be set up prior to the jbd2
> > > > transaction, and thus prior to i_ino being set.  If something goes
> > > > wrong, fs/crypto/ may log warning or error messages, which normally
> > > > include i_ino.  So it needs to know whether it is valid to include i_ino
> > > > yet or not.  Also, on some files i_ino needs to be hashed for use in the
> > > > crypto, so fs/crypto/ needs to know whether that can be done yet or not.
> > > > 
> > > > There are ways this could be worked around, either in fs/crypto/ or in
> > > > fs/ext4/.  But, it seems there's no reason not to just fix
> > > > inode_init_always() to do the expected thing and initialize i_ino to 0.
> > > > 
> > > > So, do that, and also remove the initialization in jfs_fill_super() that
> > > > becomes redundant.
> > > > 
> > > > Signed-off-by: Eric Biggers <ebiggers@google.com>
> > > > ---
> > > >  fs/inode.c     | 1 +
> > > >  fs/jfs/super.c | 1 -
> > > >  2 files changed, 1 insertion(+), 1 deletion(-)
> > > > 
> > > > diff --git a/fs/inode.c b/fs/inode.c
> > > > index 9d78c37b00b81..eb001129f157c 100644
> > > > --- a/fs/inode.c
> > > > +++ b/fs/inode.c
> > > > @@ -142,6 +142,7 @@ int inode_init_always(struct super_block *sb, struct inode *inode)
> > > >  	atomic_set(&inode->i_count, 1);
> > > >  	inode->i_op = &empty_iops;
> > > >  	inode->i_fop = &no_open_fops;
> > > > +	inode->i_ino = 0;
> > > >  	inode->__i_nlink = 1;
> > > >  	inode->i_opflags = 0;
> > > >  	if (sb->s_xattr)
> > > > diff --git a/fs/jfs/super.c b/fs/jfs/super.c
> > > > index b2dc4d1f9dcc5..1f0ffabbde566 100644
> > > > --- a/fs/jfs/super.c
> > > > +++ b/fs/jfs/super.c
> > > > @@ -551,7 +551,6 @@ static int jfs_fill_super(struct super_block *sb, void *data, int silent)
> > > >  		ret = -ENOMEM;
> > > >  		goto out_unload;
> > > >  	}
> > > > -	inode->i_ino = 0;
> > > >  	inode->i_size = i_size_read(sb->s_bdev->bd_inode);
> > > >  	inode->i_mapping->a_ops = &jfs_metapage_aops;
> > > >  	inode_fake_hash(inode);
> > > > 
> > > 
> > > Al, any thoughts on this?
> 
> Ping.

Ping.

Al Viro Jan. 4, 2021, 7:10 p.m. UTC | #6
On Mon, Jan 04, 2021 at 10:54:02AM -0800, Eric Biggers wrote:
> On Wed, Dec 02, 2020 at 01:19:15PM -0800, Eric Biggers wrote:
> > On Fri, Nov 20, 2020 at 10:50:30AM -0800, Eric Biggers wrote:
> > > On Fri, Nov 06, 2020 at 09:52:05AM -0800, Eric Biggers wrote:
> > > > On Fri, Oct 30, 2020 at 05:44:20PM -0700, Eric Biggers wrote:
> > > > > From: Eric Biggers <ebiggers@google.com>
> > > > > 
> > > > > Currently inode_init_always() doesn't initialize i_ino to 0.  This is
> > > > > unexpected because unlike the other inode fields that aren't initialized
> > > > > by inode_init_always(), i_ino isn't guaranteed to end up back at its
> > > > > initial value after the inode is freed.  Only one filesystem (XFS)
> > > > > actually sets i_ino back to 0 when freeing its inodes.
> > > > > 
> > > > > So, callers of new_inode() see some random previous i_ino.  Normally
> > > > > that's fine, since normally i_ino isn't accessed before being set.
> > > > > There can be edge cases where that isn't necessarily true, though.
> > > > > 
> > > > > The one I've run into is that on ext4, when creating an encrypted file,
> > > > > the new file's encryption key has to be set up prior to the jbd2
> > > > > transaction, and thus prior to i_ino being set.  If something goes
> > > > > wrong, fs/crypto/ may log warning or error messages, which normally
> > > > > include i_ino.  So it needs to know whether it is valid to include i_ino
> > > > > yet or not.  Also, on some files i_ino needs to be hashed for use in the
> > > > > crypto, so fs/crypto/ needs to know whether that can be done yet or not.
> > > > > 
> > > > > There are ways this could be worked around, either in fs/crypto/ or in
> > > > > fs/ext4/.  But, it seems there's no reason not to just fix
> > > > > inode_init_always() to do the expected thing and initialize i_ino to 0.
> > > > > 
> > > > > So, do that, and also remove the initialization in jfs_fill_super() that
> > > > > becomes redundant.
> > > > > 
> > > > > Signed-off-by: Eric Biggers <ebiggers@google.com>
> > > > > ---
> > > > >  fs/inode.c     | 1 +
> > > > >  fs/jfs/super.c | 1 -
> > > > >  2 files changed, 1 insertion(+), 1 deletion(-)
> > > > > 
> > > > > diff --git a/fs/inode.c b/fs/inode.c
> > > > > index 9d78c37b00b81..eb001129f157c 100644
> > > > > --- a/fs/inode.c
> > > > > +++ b/fs/inode.c
> > > > > @@ -142,6 +142,7 @@ int inode_init_always(struct super_block *sb, struct inode *inode)
> > > > >  	atomic_set(&inode->i_count, 1);
> > > > >  	inode->i_op = &empty_iops;
> > > > >  	inode->i_fop = &no_open_fops;
> > > > > +	inode->i_ino = 0;
> > > > >  	inode->__i_nlink = 1;
> > > > >  	inode->i_opflags = 0;
> > > > >  	if (sb->s_xattr)
> > > > > diff --git a/fs/jfs/super.c b/fs/jfs/super.c
> > > > > index b2dc4d1f9dcc5..1f0ffabbde566 100644
> > > > > --- a/fs/jfs/super.c
> > > > > +++ b/fs/jfs/super.c
> > > > > @@ -551,7 +551,6 @@ static int jfs_fill_super(struct super_block *sb, void *data, int silent)
> > > > >  		ret = -ENOMEM;
> > > > >  		goto out_unload;
> > > > >  	}
> > > > > -	inode->i_ino = 0;
> > > > >  	inode->i_size = i_size_read(sb->s_bdev->bd_inode);
> > > > >  	inode->i_mapping->a_ops = &jfs_metapage_aops;
> > > > >  	inode_fake_hash(inode);
> > > > > 
> > > > 
> > > > Al, any thoughts on this?
> > 
> > Ping.
> 
> Ping.

Applied.

Patch

diff --git a/fs/inode.c b/fs/inode.c
index 9d78c37b00b81..eb001129f157c 100644
--- a/fs/inode.c
+++ b/fs/inode.c
@@ -142,6 +142,7 @@  int inode_init_always(struct super_block *sb, struct inode *inode)
 	atomic_set(&inode->i_count, 1);
 	inode->i_op = &empty_iops;
 	inode->i_fop = &no_open_fops;
+	inode->i_ino = 0;
 	inode->__i_nlink = 1;
 	inode->i_opflags = 0;
 	if (sb->s_xattr)
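Review bot: The added `inode->i_ino = 0;` in inode_init_always() makes 0 a de facto "inode number not assigned yet" value, but nothing at the assignment says so. The commit message has fs/crypto/ deciding whether i_ino is valid to log or hash, so a one-line comment on this line stating that 0 means the filesystem has not set i_ino yet would document the contract those callers rely on. It is also worth saying in the commit message that 0 is not exclusively "unset": the jfs hunk in this same patch shows an inode that deliberately keeps i_ino 0, so a consumer that tests for 0 will treat that inode as unnumbered too.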
diff --git a/fs/jfs/super.c b/fs/jfs/super.c
index b2dc4d1f9dcc5..1f0ffabbde566 100644
--- a/fs/jfs/super.c
+++ b/fs/jfs/super.c
@@ -551,7 +551,6 @@  static int jfs_fill_super(struct super_block *sb, void *data, int silent)
 		ret = -ENOMEM;
 		goto out_unload;
 	}
-	inode->i_ino = 0;
 	inode->i_size = i_size_read(sb->s_bdev->bd_inode);
 	inode->i_mapping->a_ops = &jfs_metapage_aops;
 	inode_fake_hash(inode);
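Review bot: Dropping `inode->i_ino = 0;` in jfs_fill_super() is a no-op only if this inode was initialized through inode_init_always(), and the allocation sits above the visible context (only the -ENOMEM failure path is shown). Name the allocator used here in the commit message so the "becomes redundant" claim can be checked from the patch alone, and consider a short comment before inode_fake_hash(inode) noting that this inode intentionally keeps i_ino 0, since the value now depends on an initialization done in fs/inode.c rather than on a line in this function.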