ntfs: update index root allocated size before shrink

ntfs_ir_truncate() currently shrinks the resident $INDEX_ROOT value first
and only updates index.allocated_size after re-looking up the attribute.
During that relookup, the resident value_length can already be smaller
while index.allocated_size still contains the old larger size.

That leaves a transiently inconsistent $INDEX_ROOT layout and prevents
lookup-time $INDEX_ROOT validation from being enabled: validation can
correctly reject allocated_size extending past the newly shrunk resident
value.

When shrinking, lower index.allocated_size before shrinking value_length.
If the truncate fails, restore the old allocated_size. Keep the existing
grow ordering because the old allocated_size remains within the enlarged
resident value until it is updated after the relookup. The shrink path is
safe because the new value_length still covers struct index_root, so the
index.allocated_size field remains present while it is updated first.

Cc: stable@vger.kernel.org # v7.1
Signed-off-by: DaeMyung Kang <charsyam@gmail.com>
Reviewed-by: Hyunchul Lee <hyc.lee@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>

diff --git a/fs/ntfs/index.c b/fs/ntfs/index.c
index 052d80fddbbc7134f88736e988c41a66313afc0d..c5f2cf75b750e998fcc8ec0b339cd2dffbe8dd57 100644 (file)
--- a/fs/ntfs/index.c
+++ b/fs/ntfs/index.c
@@ -1365,9 +1365,16 @@ out:
 static int ntfs_ir_truncate(struct ntfs_index_context *icx, int data_size)
 {
        int ret;
+       u32 old_allocated_size;
+       bool shrink;
 
        ntfs_debug("Entering\n");
 
+       old_allocated_size = le32_to_cpu(icx->ir->index.allocated_size);
+       shrink = data_size < old_allocated_size;
+       if (shrink)
+               icx->ir->index.allocated_size = cpu_to_le32(data_size);
+
        /*
         *  INDEX_ROOT must be resident and its entries can be moved to
         *  struct index_block, so ENOSPC isn't a real error.
@@ -1379,9 +1386,14 @@ static int ntfs_ir_truncate(struct ntfs_index_context *icx, int data_size)
                if (!icx->ir)
                        return -ENOENT;
 
-               icx->ir->index.allocated_size = cpu_to_le32(data_size);
-       } else if (ret != -ENOSPC)
-               ntfs_error(icx->idx_ni->vol->sb, "Failed to truncate INDEX_ROOT");
+               if (!shrink)
+                       icx->ir->index.allocated_size = cpu_to_le32(data_size);
+       } else {
+               if (shrink)
+                       icx->ir->index.allocated_size = cpu_to_le32(old_allocated_size);
+               if (ret != -ENOSPC)
+                       ntfs_error(icx->idx_ni->vol->sb, "Failed to truncate INDEX_ROOT");
+       }
 
        return ret;
 }