ext4: make sure the first directory block is not a hole

The syzbot constructs a directory that has no dirblock but is non-inline,
i.e. the first directory block is a hole. And no errors are reported when
creating files in this directory in the following flow.

    ext4_mknod
     ...
      ext4_add_entry
        // Read block 0
        ext4_read_dirblock(dir, block, DIRENT)
          bh = ext4_bread(NULL, inode, block, 0)
          if (!bh && (type == INDEX || type == DIRENT_HTREE))
          // The first directory block is a hole
          // But type == DIRENT, so no error is reported.

After that, we get a directory block without '.' and '..' but with a valid
dentry. This may cause some code that relies on dot or dotdot (such as
make_indexed_dir()) to crash.

Therefore when ext4_read_dirblock() finds that the first directory block
is a hole report that the filesystem is corrupted and return an error to
avoid loading corrupted data from disk causing something bad.

Reported-by: syzbot+ae688d469e36fb5138d0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ae688d469e36fb5138d0
Fixes: 4e19d6b65fb4 ("ext4: allow directory holes")
Cc: stable@kernel.org
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20240702132349.2600605-3-libaokun@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
index 6917c1de8f412f4ea9020fcfc5478a76a3c9ae37..1311ad0464b2a66d68e678b3b01e6f8fd0595067 100644 (file)
--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -151,10 +151,11 @@ static struct buffer_head *__ext4_read_dirblock(struct inode *inode,
 
                return bh;
        }
-       if (!bh && (type == INDEX || type == DIRENT_HTREE)) {
+       /* The first directory block must not be a hole. */
+       if (!bh && (type == INDEX || type == DIRENT_HTREE || block == 0)) {
                ext4_error_inode(inode, func, line, block,
-                                "Directory hole found for htree %s block",
-                                (type == INDEX) ? "index" : "leaf");
+                                "Directory hole found for htree %s block %u",
+                                (type == INDEX) ? "index" : "leaf", block);
                return ERR_PTR(-EFSCORRUPTED);
        }
        if (!bh)
@@ -3129,10 +3130,7 @@ bool ext4_empty_dir(struct inode *inode)
                EXT4_ERROR_INODE(inode, "invalid size");
                return false;
        }
-       /* The first directory block must not be a hole,
-        * so treat it as DIRENT_HTREE
-        */
-       bh = ext4_read_dirblock(inode, 0, DIRENT_HTREE);
+       bh = ext4_read_dirblock(inode, 0, EITHER);
        if (IS_ERR(bh))
                return false;
 
@@ -3577,10 +3575,7 @@ static struct buffer_head *ext4_get_first_dir_block(handle_t *handle,
                struct ext4_dir_entry_2 *de;
                unsigned int offset;
 
-               /* The first directory block must not be a hole, so
-                * treat it as DIRENT_HTREE
-                */
-               bh = ext4_read_dirblock(inode, 0, DIRENT_HTREE);
+               bh = ext4_read_dirblock(inode, 0, EITHER);
                if (IS_ERR(bh)) {
                        *retval = PTR_ERR(bh);
                        return NULL;