[PATCH] f2fs: validate compress cache inode only when enabled

Wenjie Qi posted 1 patch 3 days, 17 hours ago
fs/f2fs/inode.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
F2FS_COMPRESS_INO() uses NM_I(sbi)->max_nid as the synthetic inode
number for the compressed page cache inode. That inode only exists when
the compress_cache mount option is enabled.

When compress_cache is disabled, max_nid is outside the valid inode
range. A corrupted directory entry that points to ino == max_nid should
therefore be rejected by f2fs_check_nid_range(). However, is_meta_ino()
currently treats F2FS_COMPRESS_INO() as a meta inode unconditionally,
so f2fs_iget() bypasses do_read_inode() and its nid range check, and
instantiates a fake internal inode instead.

Gate the compressed cache inode case on COMPRESS_CACHE, matching
f2fs_init_compress_inode(). With compress_cache disabled, ino ==
max_nid now follows the normal inode path and is rejected as an
out-of-range nid.

Fixes: 6ce19aff0b8c ("f2fs: compress: add compress_inode to cache compressed blocks")
Signed-off-by: Wenjie Qi <qiwenjie@xiaomi.com>
---
 fs/f2fs/inode.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
index 12f982f87f1..c6623d70e28 100644
--- a/fs/f2fs/inode.c
+++ b/fs/f2fs/inode.c
@@ -564,8 +564,13 @@ static int do_read_inode(struct inode *inode)
 
 static bool is_meta_ino(struct f2fs_sb_info *sbi, unsigned int ino)
 {
-	return ino == F2FS_NODE_INO(sbi) || ino == F2FS_META_INO(sbi) ||
-		ino == F2FS_COMPRESS_INO(sbi);
+	if (ino == F2FS_NODE_INO(sbi) || ino == F2FS_META_INO(sbi))
+		return true;
+#ifdef CONFIG_F2FS_FS_COMPRESSION
+	if (test_opt(sbi, COMPRESS_CACHE) && ino == F2FS_COMPRESS_INO(sbi))
+		return true;
+#endif
+	return false;
 }
 
 static void f2fs_mapping_set_large_folio(struct inode *inode)
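Review bot: The new `#ifdef CONFIG_F2FS_FS_COMPRESSION` block in is_meta_ino() carries no comment, so the reason for the gate lives only in the commit message. A short comment above the test_opt(sbi, COMPRESS_CACHE) check, saying that F2FS_COMPRESS_INO() is max_nid and names an internal inode only while compress_cache is set, would keep a later cleanup from folding it back into the unconditional return. The changelog also speaks only of the mount option, while this hunk additionally makes the result depend on the build option; one sentence on why the #ifdef is needed, or dropping it if test_opt() alone is sufficient, would make that explicit. The changelog covers the f2fs_iget() path only, so if is_meta_ino() has any other caller in inode.c, it is worth stating that it is also fine with ino == max_nid no longer being treated as a meta inode when compress_cache is off.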
-- 
2.43.0
Re: [PATCH] f2fs: validate compress cache inode only when enabled
Posted by Chao Yu 3 days, 11 hours ago
On 5/21/26 11:16, Wenjie Qi wrote:
> F2FS_COMPRESS_INO() uses NM_I(sbi)->max_nid as the synthetic inode
> number for the compressed page cache inode. That inode only exists when
> the compress_cache mount option is enabled.
> 
> When compress_cache is disabled, max_nid is outside the valid inode
> range. A corrupted directory entry that points to ino == max_nid should
> therefore be rejected by f2fs_check_nid_range(). However, is_meta_ino()
> currently treats F2FS_COMPRESS_INO() as a meta inode unconditionally,
> so f2fs_iget() bypasses do_read_inode() and its nid range check, and
> instantiates a fake internal inode instead.
> 
> Gate the compressed cache inode case on COMPRESS_CACHE, matching
> f2fs_init_compress_inode(). With compress_cache disabled, ino ==
> max_nid now follows the normal inode path and is rejected as an
> out-of-range nid.
> 

Cc: stable@kernel.org

> Fixes: 6ce19aff0b8c ("f2fs: compress: add compress_inode to cache compressed blocks")
> Signed-off-by: Wenjie Qi <qiwenjie@xiaomi.com>

Reviewed-by: Chao Yu <chao@kernel.org>

Thanks,