* [PATCH] f2fs: read COW data with the original inode during atomic write
@ 2026-06-05 10:38 Mikhail Lobanov
2026-06-15 7:47 ` Chao Yu
0 siblings, 1 reply; 2+ messages in thread
From: Mikhail Lobanov @ 2026-06-05 10:38 UTC (permalink / raw)
To: jaegeuk, Chao Yu
Cc: daehojeong, linux-f2fs-devel, linux-kernel, stable, lvc-project
When updating an atomic-write file, f2fs_write_begin() may read the
previously written data back from the COW inode:
prepare_atomic_write_begin() locates the block in the COW inode and sets
use_cow, and the read bio is then built with the COW inode:
f2fs_submit_page_read(use_cow ? F2FS_I(inode)->cow_inode : inode,
...);
and f2fs_grab_read_bio() decides whether to schedule fs-layer decryption
(STEP_DECRYPT) for the bio based on that inode via
fscrypt_inode_uses_fs_layer_crypto().
However, the folio being filled belongs to the original inode
(folio->mapping->host == inode), and the data stored in the COW block was
encrypted (or left as plaintext) using the original inode's context, not
the COW inode's -- see f2fs_encrypt_one_page(), which keys off
fio->page->mapping->host. fscrypt_decrypt_pagecache_blocks() likewise
operates on folio->mapping->host.
The COW inode is created as a tmpfile in the parent directory and inherits
its encryption policy from there. With test_dummy_encryption the newly
created COW inode gets the dummy policy and becomes encrypted, while a
pre-existing regular file -- created before the policy applied, e.g.
already present in the on-disk image -- stays unencrypted. The read
path then sets STEP_DECRYPT based on the encrypted COW inode and calls
fscrypt_decrypt_pagecache_blocks() on a folio whose host (the unencrypted
original inode) has a NULL ->i_crypt_info, dereferencing it:
Oops: general protection fault, probably for non-canonical address ...
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
RIP: 0010:fscrypt_decrypt_pagecache_blocks+0xa0/0x310
Workqueue: f2fs_post_read_wq f2fs_post_read_work
Call Trace:
fscrypt_decrypt_bio+0x1eb/0x340
f2fs_post_read_work+0xba/0x140
process_one_work+0x91c/0x1a40
worker_thread+0x677/0xe90
kthread+0x2bc/0x3a0
The COW inode is only needed to locate the on-disk block, and that block
address is already resolved into @blkaddr; the data's crypto state belongs
to the original inode. Read with the original inode so the post-read
decryption decision matches the folio's owner. This also makes the inline
crypto path use the correct (original inode's) key.
Fixes: 591fc34e1f98 ("f2fs: use cow inode data when updating atomic write")
Cc: stable@vger.kernel.org
Signed-off-by: Mikhail Lobanov <m.lobanov@rosa.ru>
---
fs/f2fs/data.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
index cf05014fa5e3..8f6c22537e9f 100644
--- a/fs/f2fs/data.c
+++ b/fs/f2fs/data.c
@@ -3961,8 +3961,18 @@ static int f2fs_write_begin(const struct kiocb *iocb,
err = -EFSCORRUPTED;
goto put_folio;
}
- f2fs_submit_page_read(use_cow ? F2FS_I(inode)->cow_inode :
- inode,
+ /*
+ * Although the block is stored in the COW inode, the folio
+ * belongs to @inode and its data was encrypted (or left as
+ * plaintext) using @inode's context, not the COW inode's; see
+ * f2fs_encrypt_one_page(), which keys off fio->page->mapping->
+ * host. fscrypt_decrypt_pagecache_blocks() likewise operates
+ * on folio->mapping->host. Read with @inode so the post-read
+ * decryption decision matches the folio's owner; otherwise an
+ * unencrypted @inode whose COW inode is encrypted would hit a
+ * NULL ->i_crypt_info during decryption.
+ */
+ f2fs_submit_page_read(inode,
NULL, /* can't write to fsverity files */
folio, blkaddr, 0, true);
--
2.39.5 (Apple Git-154)
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [PATCH] f2fs: read COW data with the original inode during atomic write
2026-06-05 10:38 [PATCH] f2fs: read COW data with the original inode during atomic write Mikhail Lobanov
@ 2026-06-15 7:47 ` Chao Yu
0 siblings, 0 replies; 2+ messages in thread
From: Chao Yu @ 2026-06-15 7:47 UTC (permalink / raw)
To: Mikhail Lobanov, jaegeuk
Cc: chao, daehojeong, linux-f2fs-devel, linux-kernel, stable, lvc-project
On 6/5/26 18:38, Mikhail Lobanov wrote:
> When updating an atomic-write file, f2fs_write_begin() may read the
> previously written data back from the COW inode:
> prepare_atomic_write_begin() locates the block in the COW inode and sets
> use_cow, and the read bio is then built with the COW inode:
>
> f2fs_submit_page_read(use_cow ? F2FS_I(inode)->cow_inode : inode,
> ...);
>
> and f2fs_grab_read_bio() decides whether to schedule fs-layer decryption
> (STEP_DECRYPT) for the bio based on that inode via
> fscrypt_inode_uses_fs_layer_crypto().
>
> However, the folio being filled belongs to the original inode
> (folio->mapping->host == inode), and the data stored in the COW block was
> encrypted (or left as plaintext) using the original inode's context, not
> the COW inode's -- see f2fs_encrypt_one_page(), which keys off
> fio->page->mapping->host. fscrypt_decrypt_pagecache_blocks() likewise
> operates on folio->mapping->host.
>
> The COW inode is created as a tmpfile in the parent directory and inherits
> its encryption policy from there. With test_dummy_encryption the newly
> created COW inode gets the dummy policy and becomes encrypted, while a
> pre-existing regular file -- created before the policy applied, e.g.
> already present in the on-disk image -- stays unencrypted. The read
> path then sets STEP_DECRYPT based on the encrypted COW inode and calls
> fscrypt_decrypt_pagecache_blocks() on a folio whose host (the unencrypted
> original inode) has a NULL ->i_crypt_info, dereferencing it:
>
> Oops: general protection fault, probably for non-canonical address ...
> KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
> RIP: 0010:fscrypt_decrypt_pagecache_blocks+0xa0/0x310
> Workqueue: f2fs_post_read_wq f2fs_post_read_work
> Call Trace:
> fscrypt_decrypt_bio+0x1eb/0x340
> f2fs_post_read_work+0xba/0x140
> process_one_work+0x91c/0x1a40
> worker_thread+0x677/0xe90
> kthread+0x2bc/0x3a0
>
> The COW inode is only needed to locate the on-disk block, and that block
> address is already resolved into @blkaddr; the data's crypto state belongs
> to the original inode. Read with the original inode so the post-read
> decryption decision matches the folio's owner. This also makes the inline
> crypto path use the correct (original inode's) key.
>
> Fixes: 591fc34e1f98 ("f2fs: use cow inode data when updating atomic write")
> Cc: stable@vger.kernel.org
> Signed-off-by: Mikhail Lobanov <m.lobanov@rosa.ru>
It leaves use_cow as no useful variable in f2fs_write_begin(), can we drop it in
f2fs_write_begin() and prepare_atomic_write_begin()?
Anyway, it's about cleanup, the fix itself looks good to me.
Reviewed-by: Chao Yu <chao@kernel.org>
Thanks,
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-06-15 7:47 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-06-05 10:38 [PATCH] f2fs: read COW data with the original inode during atomic write Mikhail Lobanov
2026-06-15 7:47 ` Chao Yu
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Powered by JetHome