[PATCH 0/3] fs: Fix dangling dentries on casefold directories

[PATCH 0/3] fs: Fix dangling dentries on casefold directories

[André Almeida]

Hello,

This patchset fixes a bug in case-insensitive directories. When I
submitted a patchset for adding case-insensitive support for tmpfs[0],
Al Viro noted that my implementation didn't take in account previous
dentries that the directory could have created before being changed.
Further investigation showed that neither ext4 or f2fs also doesn't take
this case in consideration as well.

* Why can't we have negative dentries with casefold?

The assumption that the directory has no dentries can lead to a buggy
behavior (note that since the directory must be empty when setting the
casefold flag, all dentries there are negative). Imagine the following
operation on a mounted ext4 with casefold support enabled:

mkdir dir
mkdir dir/C	# creates a dentry for `C` (dentry D)
rm -r dir/C	# makes dentry D a negative one

Now, let's make it case-insensitive:

chattr +F dir/	# now dir/ is a casefold directory
mkdir dir/c	# if hash for `c` collides with dentry D
		# d_compare does a case-insensitive compare
		# and assumes that dentry D is the one to be used
ls dir/		# VFS uses the name at dentry D for the final file
C		# and here's the bug

In that way, all negative dentries at dir/ will become dangling dentries
that can't be trusted to be used an will just waste memory.

The problem with negative dentries is well-know, and both the current
code and commits documents it, but this case hasn't been taken in
consideration so far.

* Reproducing

Given that the bug only happens with a hash collision, I added the
following snippet at the beginning of generic_ci_d_hash():

str->hash = 0;
return 0;

This means that all dentries will have the same hash. This is not good
for performance, but it should not break anything AFAIK. Then, just run
the example showed in the latter section.

* Fixing

To fix this bug, I added a function that, given an inode, for each alias
of it, will remove all the sub-dentries at that directory. Given that
they are all negative dentries, we don't need to do the whole d_walk,
since they don't have children and are also ready to be d_droped and
dputed.

Then, at ext4 and f2fs, when a dir is going to turn on the casefold
flag, we call this function.

Thanks,
	André

[0] https://lore.kernel.org/linux-fsdevel/20210323195941.69720-1-andrealmeid@collabora.com/T/#m3265579197095b792ee8b8e8b7f84a58c25c456b

André Almeida (3):
  fs/dcache: Add d_clear_dir_neg_dentries()
  ext4: Prevent dangling dentries on casefold directories
  f2fs: Prevent dangling dentries on casefold directories

 fs/dcache.c            | 27 +++++++++++++++++++++++++++
 fs/ext4/ioctl.c        |  3 +++
 fs/f2fs/file.c         |  4 ++++
 include/linux/dcache.h |  1 +
 4 files changed, 35 insertions(+)

-- 
2.31.0

[PATCH 1/3] fs/dcache: Add d_clear_dir_neg_dentries()

[André Almeida]

For directories with negative dentries that are becoming case-insensitive
dirs, we need to remove all those negative dentries, otherwise they will
become dangling dentries. During the creation of a new file, if a d_hash
collision happens and the names match in a case-insensitive way, the name
of the file will be the name defined at the negative dentry, that may be
different from the specified by the user. To prevent this from
happening, we need to remove all dentries in a directory. Given that the
directory must be empty before we call this function we are sure that
all dentries there will be negative.

Create a function to remove all negative dentries from a directory, to
be used as explained above by filesystems that support case-insensitive
lookups.

Signed-off-by: André Almeida <andrealmeid@collabora.com>
---
 fs/dcache.c            | 27 +++++++++++++++++++++++++++
 include/linux/dcache.h |  1 +
 2 files changed, 28 insertions(+)

diff --git a/fs/dcache.c b/fs/dcache.c
index 7d24ff7eb206..fafb3016d6fd 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -1723,6 +1723,33 @@ void d_invalidate(struct dentry *dentry)
 }
 EXPORT_SYMBOL(d_invalidate);
 
+/**
+ * d_clear_dir_neg_dentries - Remove negative dentries in an inode
+ * @dir: Directory to clear negative dentries
+ *
+ * For directories with negative dentries that are becoming case-insensitive
+ * dirs, we need to remove all those negative dentries, otherwise they will
+ * become dangling dentries. During the creation of a new file, if a d_hash
+ * collision happens and the names match in a case-insensitive, the name of
+ * the file will be the name defined at the negative dentry, that can be
+ * different from the specified by the user. To prevent this from happening, we
+ * need to remove all dentries in a directory. Given that the directory must be
+ * empty before we call this function we are sure that all dentries there will
+ * be negative.
+ */
+void d_clear_dir_neg_dentries(struct inode *dir)
+{
+	struct dentry *alias, *dentry;
+
+	hlist_for_each_entry(alias, &dir->i_dentry, d_u.d_alias) {
+		list_for_each_entry(dentry, &alias->d_subdirs, d_child) {
+			d_drop(dentry);
+			dput(dentry);
+		}
+	}
+}
+EXPORT_SYMBOL(d_clear_dir_neg_dentries);
+
 /**
  * __d_alloc	-	allocate a dcache entry
  * @sb: filesystem it will belong to
diff --git a/include/linux/dcache.h b/include/linux/dcache.h
index c1e48014106f..c43cd0be077f 100644
--- a/include/linux/dcache.h
+++ b/include/linux/dcache.h
@@ -250,6 +250,7 @@ extern void shrink_dcache_sb(struct super_block *);
 extern void shrink_dcache_parent(struct dentry *);
 extern void shrink_dcache_for_umount(struct super_block *);
 extern void d_invalidate(struct dentry *);
+extern void d_clear_dir_neg_dentries(struct inode *);
 
 /* only used at mount-time */
 extern struct dentry * d_make_root(struct inode *);
-- 
2.31.0

Re: [PATCH 1/3] fs/dcache: Add d_clear_dir_neg_dentries()

[Matthew Wilcox]

On Sun, Mar 28, 2021 at 11:43:54AM -0300, André Almeida wrote:
> +/**
> + * d_clear_dir_neg_dentries - Remove negative dentries in an inode
> + * @dir: Directory to clear negative dentries
> + *
> + * For directories with negative dentries that are becoming case-insensitive
> + * dirs, we need to remove all those negative dentries, otherwise they will
> + * become dangling dentries. During the creation of a new file, if a d_hash
> + * collision happens and the names match in a case-insensitive, the name of
> + * the file will be the name defined at the negative dentry, that can be
> + * different from the specified by the user. To prevent this from happening, we
> + * need to remove all dentries in a directory. Given that the directory must be
> + * empty before we call this function we are sure that all dentries there will
> + * be negative.
> + */

This is quite the landmine of a function.  It _assumes_ that the directory
is empty, and clears all dentries in it.

> +void d_clear_dir_neg_dentries(struct inode *dir)
> +{
> +	struct dentry *alias, *dentry;
> +
> +	hlist_for_each_entry(alias, &dir->i_dentry, d_u.d_alias) {
> +		list_for_each_entry(dentry, &alias->d_subdirs, d_child) {
> +			d_drop(dentry);
> +			dput(dentry);
> +		}

I would be happier if it included a check for negativity.  d_is_negative()
or maybe this newfangled d_really_is_negative() (i haven't stayed up
to speed on the precise difference between the two)

> +	}
> +}
> +EXPORT_SYMBOL(d_clear_dir_neg_dentries);

I'd rather see this _GPL for such an internal thing.

Re: [PATCH 1/3] fs/dcache: Add d_clear_dir_neg_dentries()

[André Almeida]

Às 12:07 de 28/03/21, Matthew Wilcox escreveu:
> On Sun, Mar 28, 2021 at 11:43:54AM -0300, André Almeida wrote:
>> +/**
>> + * d_clear_dir_neg_dentries - Remove negative dentries in an inode
>> + * @dir: Directory to clear negative dentries
>> + *
>> + * For directories with negative dentries that are becoming case-insensitive
>> + * dirs, we need to remove all those negative dentries, otherwise they will
>> + * become dangling dentries. During the creation of a new file, if a d_hash
>> + * collision happens and the names match in a case-insensitive, the name of
>> + * the file will be the name defined at the negative dentry, that can be
>> + * different from the specified by the user. To prevent this from happening, we
>> + * need to remove all dentries in a directory. Given that the directory must be
>> + * empty before we call this function we are sure that all dentries there will
>> + * be negative.
>> + */
> 
> This is quite the landmine of a function.  It _assumes_ that the directory
> is empty, and clears all dentries in it.
> 
>> +void d_clear_dir_neg_dentries(struct inode *dir)
>> +{
>> +	struct dentry *alias, *dentry;
>> +
>> +	hlist_for_each_entry(alias, &dir->i_dentry, d_u.d_alias) {
>> +		list_for_each_entry(dentry, &alias->d_subdirs, d_child) {
>> +			d_drop(dentry);
>> +			dput(dentry);
>> +		}
> 
> I would be happier if it included a check for negativity.  d_is_negative()
> or maybe this newfangled d_really_is_negative() (i haven't stayed up
> to speed on the precise difference between the two)
> 

Makes sense. And given that this only makes sense if the directory is 
empty, if it founds a non-negative dentry, it should return some error 
right?

>> +	}
>> +}
>> +EXPORT_SYMBOL(d_clear_dir_neg_dentries);
> 
> I'd rather see this _GPL for such an internal thing.
> 

Re: [PATCH 1/3] fs/dcache: Add d_clear_dir_neg_dentries()

[Al Viro]

On Sun, Mar 28, 2021 at 11:43:54AM -0300, André Almeida wrote:

> +/**
> + * d_clear_dir_neg_dentries - Remove negative dentries in an inode
> + * @dir: Directory to clear negative dentries
> + *
> + * For directories with negative dentries that are becoming case-insensitive
> + * dirs, we need to remove all those negative dentries, otherwise they will
> + * become dangling dentries. During the creation of a new file, if a d_hash
> + * collision happens and the names match in a case-insensitive, the name of
> + * the file will be the name defined at the negative dentry, that can be
> + * different from the specified by the user. To prevent this from happening, we
> + * need to remove all dentries in a directory. Given that the directory must be
> + * empty before we call this function we are sure that all dentries there will
> + * be negative.
> + */
> +void d_clear_dir_neg_dentries(struct inode *dir)
> +{
> +	struct dentry *alias, *dentry;
> +
> +	hlist_for_each_entry(alias, &dir->i_dentry, d_u.d_alias) {
> +		list_for_each_entry(dentry, &alias->d_subdirs, d_child) {
> +			d_drop(dentry);
> +			dput(dentry);
> +		}
> +	}
> +}

That makes no sense whatsoever.
	1) directories can never have more than one alias
	2) what the hell are you doing to refcounts on those children?

Re: [PATCH 1/3] fs/dcache: Add d_clear_dir_neg_dentries()

[Eric Biggers]

On Sun, Mar 28, 2021 at 11:43:54AM -0300, André Almeida wrote:
> For directories with negative dentries that are becoming case-insensitive
> dirs, we need to remove all those negative dentries, otherwise they will
> become dangling dentries. During the creation of a new file, if a d_hash
> collision happens and the names match in a case-insensitive way, the name
> of the file will be the name defined at the negative dentry, that may be
> different from the specified by the user. To prevent this from
> happening, we need to remove all dentries in a directory. Given that the
> directory must be empty before we call this function we are sure that
> all dentries there will be negative.
> 
> Create a function to remove all negative dentries from a directory, to
> be used as explained above by filesystems that support case-insensitive
> lookups.
> 
> Signed-off-by: André Almeida <andrealmeid@collabora.com>
> ---
>  fs/dcache.c            | 27 +++++++++++++++++++++++++++
>  include/linux/dcache.h |  1 +
>  2 files changed, 28 insertions(+)
> 
> diff --git a/fs/dcache.c b/fs/dcache.c
> index 7d24ff7eb206..fafb3016d6fd 100644
> --- a/fs/dcache.c
> +++ b/fs/dcache.c
> @@ -1723,6 +1723,33 @@ void d_invalidate(struct dentry *dentry)
>  }
>  EXPORT_SYMBOL(d_invalidate);
>  
> +/**
> + * d_clear_dir_neg_dentries - Remove negative dentries in an inode
> + * @dir: Directory to clear negative dentries
> + *
> + * For directories with negative dentries that are becoming case-insensitive
> + * dirs, we need to remove all those negative dentries, otherwise they will
> + * become dangling dentries. During the creation of a new file, if a d_hash
> + * collision happens and the names match in a case-insensitive, the name of
> + * the file will be the name defined at the negative dentry, that can be
> + * different from the specified by the user. To prevent this from happening, we
> + * need to remove all dentries in a directory. Given that the directory must be
> + * empty before we call this function we are sure that all dentries there will
> + * be negative.
> + */
> +void d_clear_dir_neg_dentries(struct inode *dir)
> +{
> +	struct dentry *alias, *dentry;
> +
> +	hlist_for_each_entry(alias, &dir->i_dentry, d_u.d_alias) {
> +		list_for_each_entry(dentry, &alias->d_subdirs, d_child) {
> +			d_drop(dentry);
> +			dput(dentry);
> +		}
> +	}
> +}
> +EXPORT_SYMBOL(d_clear_dir_neg_dentries);

As Al already pointed out, this doesn't work as intended, for a number of
different reasons.

Did you consider just using shrink_dcache_parent()?  That already does what you
are trying to do here, I think.

The harder part (which I don't think you've considered) is how to ensure that
all negative dentries really get invalidated even if there are lookups of them
happening concurrently.  Concurrent lookups can take temporary references to the
negative dentries, preventing them from being invalidated.

- Eric

Re: [PATCH 1/3] fs/dcache: Add d_clear_dir_neg_dentries()

[André Almeida]

Hi Eric,

Às 22:48 de 29/03/21, Eric Biggers escreveu:
> On Sun, Mar 28, 2021 at 11:43:54AM -0300, André Almeida wrote:
>> For directories with negative dentries that are becoming case-insensitive
>> dirs, we need to remove all those negative dentries, otherwise they will
>> become dangling dentries. During the creation of a new file, if a d_hash
>> collision happens and the names match in a case-insensitive way, the name
>> of the file will be the name defined at the negative dentry, that may be
>> different from the specified by the user. To prevent this from
>> happening, we need to remove all dentries in a directory. Given that the
>> directory must be empty before we call this function we are sure that
>> all dentries there will be negative.
>>
>> Create a function to remove all negative dentries from a directory, to
>> be used as explained above by filesystems that support case-insensitive
>> lookups.
>>
>> Signed-off-by: André Almeida <andrealmeid@collabora.com>
>> ---
>>   fs/dcache.c            | 27 +++++++++++++++++++++++++++
>>   include/linux/dcache.h |  1 +
>>   2 files changed, 28 insertions(+)
>>
>> diff --git a/fs/dcache.c b/fs/dcache.c
>> index 7d24ff7eb206..fafb3016d6fd 100644
>> --- a/fs/dcache.c
>> +++ b/fs/dcache.c
>> @@ -1723,6 +1723,33 @@ void d_invalidate(struct dentry *dentry)
>>   }
>>   EXPORT_SYMBOL(d_invalidate);
>>   
>> +/**
>> + * d_clear_dir_neg_dentries - Remove negative dentries in an inode
>> + * @dir: Directory to clear negative dentries
>> + *
>> + * For directories with negative dentries that are becoming case-insensitive
>> + * dirs, we need to remove all those negative dentries, otherwise they will
>> + * become dangling dentries. During the creation of a new file, if a d_hash
>> + * collision happens and the names match in a case-insensitive, the name of
>> + * the file will be the name defined at the negative dentry, that can be
>> + * different from the specified by the user. To prevent this from happening, we
>> + * need to remove all dentries in a directory. Given that the directory must be
>> + * empty before we call this function we are sure that all dentries there will
>> + * be negative.
>> + */
>> +void d_clear_dir_neg_dentries(struct inode *dir)
>> +{
>> +	struct dentry *alias, *dentry;
>> +
>> +	hlist_for_each_entry(alias, &dir->i_dentry, d_u.d_alias) {
>> +		list_for_each_entry(dentry, &alias->d_subdirs, d_child) {
>> +			d_drop(dentry);
>> +			dput(dentry);
>> +		}
>> +	}
>> +}
>> +EXPORT_SYMBOL(d_clear_dir_neg_dentries);
> 
> As Al already pointed out, this doesn't work as intended, for a number of
> different reasons.
> 
> Did you consider just using shrink_dcache_parent()?  That already does what you
> are trying to do here, I think.

When I wrote this patch, I didn't know it, but after Al Viro comments I 
get back to the code and found it, and it seems do do what I intend 
indeed, and my test is happy as well.

> 
> The harder part (which I don't think you've considered) is how to ensure that
> all negative dentries really get invalidated even if there are lookups of them
> happening concurrently.  Concurrent lookups can take temporary references to the
> negative dentries, preventing them from being invalidated.
> 

I didn't consider that, thanks for the feedback. So this means that 
those lookups will increase the refcount of the dentry, and it will only 
get really invalidated when refcount reaches 0? Or do would I need to 
call d_invalidate() again, until I succeed?

> - Eric
> 

[PATCH 2/3] ext4: Prevent dangling dentries on casefold directories

[André Almeida]

Before making a folder a case-insensitive one, this folder could have
been used before and created some negative dentries (given that the
folder needs to be empty before making it case-insensitive, all detries
there are negative ones). During a new file creation, if a d_hash()
collision happens and the name matches a negative dentry, the new file
might have a name different than the specified by user.

To prevent this from happening, remove all negative dentries in a
directory before making it a case-folded one.

Fixes: b886ee3e778e ("ext4: Support case-insensitive file name lookups")
Signed-off-by: André Almeida <andrealmeid@collabora.com>
---
 fs/ext4/ioctl.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c
index a2cf35066f46..0eede4c93c22 100644
--- a/fs/ext4/ioctl.c
+++ b/fs/ext4/ioctl.c
@@ -381,6 +381,9 @@ static int ext4_ioctl_setflags(struct inode *inode,
 			err = -ENOTEMPTY;
 			goto flags_out;
 		}
+
+		if (!(oldflags & EXT4_CASEFOLD_FL) && (flags & EXT4_CASEFOLD_FL))
+			d_clear_dir_neg_dentries(inode);
 	}
 
 	/*
-- 
2.31.0

[PATCH 3/3] f2fs: Prevent dangling dentries on casefold directories

[André Almeida]

Before making a folder a case-insensitive one, this folder could have
been used before and created some negative dentries (given that the
folder needs to be empty before making it case-insensitive, all detries
there are negative ones). During a new file creation, if a d_hash()
collision happens and the name matches a negative dentry, the new file
might have a name different than the specified by user.

To prevent this from happening, remove all negative dentries in a
directory before making it a case-folded one.

Fixes: 2c2eb7a300cd ("f2fs: Support case-insensitive file name lookups")
Signed-off-by: André Almeida <andrealmeid@collabora.com>
---
 fs/f2fs/file.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
index d26ff2ae3f5e..616b7eb43795 100644
--- a/fs/f2fs/file.c
+++ b/fs/f2fs/file.c
@@ -1826,6 +1826,10 @@ static int f2fs_setflags_common(struct inode *inode, u32 iflags, u32 mask)
 			return -EOPNOTSUPP;
 		if (!f2fs_empty_dir(inode))
 			return -ENOTEMPTY;
+
+		if (!(masked_flags & F2FS_CASEFOLD_FL) &&
+		    (iflags & F2FS_CASEFOLD_FL))
+			d_clear_dir_neg_dentries(inode);
 	}
 
 	if (iflags & (F2FS_COMPR_FL | F2FS_NOCOMP_FL)) {
-- 
2.31.0