[029/115] xfs: pin inodes that would otherwise overflow link count

Commit Message

Darrick J. Wong July 30, 2024, 12:31 a.m. UTC

From: Darrick J. Wong <djwong@kernel.org>

Source kernel commit: 5f204051d998ec3d7306db0d749bddcbf4c97693

The VFS inc_nlink function does not explicitly check for integer
overflows in the i_nlink field.  Instead, it checks the link count
against s_max_links in the vfs_{link,create,rename} functions.  XFS
sets the maximum link count to 2.1 billion, so integer overflows should
not be a problem.

However.  It's possible that online repair could find that a file has
more than four billion links, particularly if the link count got
corrupted while creating hardlinks to the file.  The di_nlinkv2 field is
not large enough to store a value larger than 2^32, so we ought to
define a magic pin value of ~0U which means that the inode never gets
deleted.  This will prevent a UAF error if the repair finds this
situation and users begin deleting links to the file.

Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
---
 libxfs/xfs_format.h |    6 ++++++
 1 file changed, 6 insertions(+)

Patch

diff --git a/libxfs/xfs_format.h b/libxfs/xfs_format.h
index 10153ce11..f1818c54a 100644
--- a/libxfs/xfs_format.h
+++ b/libxfs/xfs_format.h
@@ -899,6 +899,12 @@  static inline uint xfs_dinode_size(int version)
  */
 #define	XFS_MAXLINK		((1U << 31) - 1U)
 
+/*
+ * Any file that hits the maximum ondisk link count should be pinned to avoid
+ * a use-after-free situation.
+ */
+#define	XFS_NLINK_PINNED	(~0U)
+
 /*
  * Values for di_format
  *