lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <daff127b-08b0-4a3a-8faa-7e44f99189f9@gmail.com>
Date: Wed, 4 Feb 2026 22:55:39 +0100
From: Simon Weber <simon.weber.39@...il.com>
To: Eric Biggers <ebiggers@...nel.org>
Cc: linux-ext4@...r.kernel.org, linux-kernel@...r.kernel.org,
 Theodore Ts'o <tytso@....edu>, Andreas Dilger <adilger.kernel@...ger.ca>,
 anthonydev@...tmail.com
Subject: Re: [PATCH v1] ext4: fix journal credit check when setting fscrypt
 context xattr

Thank you for your comments, Eric!

On 04.02.26 21:59, Eric Biggers wrote:
> This patch doesn't actually apply to the stated base-commit, likely
> because of corrupted whitespace.  Make sure to use 'git send-email' as
> described in Documentation/process/submitting-patches.rst.
>
> The commit message should be broken into paragraphs, and ideally
> shortened a bit.  The code comment maybe could be shortened as well.
Excuse me for the patch formatting! This is my first kernel contribution, so please bear with me. The patch applied correctly on my end when I sent it to myself, but I seem to have mangled it when sending it to the mailing list. I'll make sure to adapt the patch itself, the commit message and code comment in v2.
> Since this is a bug fix, please include an appropriate Fixes tag.
I'm not sure which commit I should put in the "Fixes:" tag, since the bug arises from the combination of two commits: Firstly, commit 2f8f5e76c7da7871 introduced passing the handle through fs_data, and secondly, commit c1a5d5f6ab21eb7e introduced the check for sufficient credits in ext4_xattr_set_handle. Should I put the chronologically later commit (which would be the latter)?
> The specific scenario I'm concerned about is:
>
>     - FS_IOC_SET_ENCRYPTION_POLICY tries to set a directory to encrypted
>     - A crash occurs (in no-journal mode), leaving the inode having an
>       encryption xattr on-disk but not the encrypt flag
>     - e2fsck doesn't correct the inconsistency
>     - Userspace sees that the directory isn't encrypted yet and retries
>       FS_IOC_SET_ENCRYPTION_POLICY.  Due to XATTR_CREATE, it fails.

I think the scenario you describe is somewhat unlikely, but that doesn't mean that we shouldn't be able to deal with it cleanly of course. However the current patch does not have an issue with this scenario, since when ext4_set_context is called through the path from FS_IOC_SET_ENCRYPTION_POLICY, fs_data(=handle) is NULL and therefore my changed line is not executed. The flag would not be set and the ioctl would execute successfully. My commit message was a bit misleading here, making it sound like the ioctl-path actually reaches my suggested change.

I think the assumption "fs_data!=NULL implies that encryption xattr MUST NOT be present" would have to be documented clearly to prevent future issues. I see a few alternative possible approaches to ensuring this more cleanly, let me know if you think this is necessary, and if yes, which solution fits the best into the existing philosophy:
- Adapt e2fsck to remove encryption xattrs from inodes which do not have the encrypt flag. This might just be a good idea in general.
- Adapt fscrypt_get_policy to fix this issue itself on any inodes it is called on, which happens to check before a new context is set in the ioctl-path. I don't like this approach since it would make a getter function have side effects.
- We could also change the void *fs_data argument of ext4_set_context from a handle_t to a new struct containing a flag int as well as a handle_t. Then the given flag (if present) could simply be passed down to ext4_xattr_set_handle, or 0 if no fs_data is given. __ext4_new_inode could then pass that flag through the detour through fs/crypto. This would somewhat "self-document" away the assumption (if someone passes the struct with a flag int, they will know not to set XATTR_CREATE if the xattr is possibly already present).

Looking forward to your insights!

- Simon

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ