On Wed, Feb 28, 2024 at 09:26:00AM -0800, Christoph Hellwig wrote: > On Mon, Feb 26, 2024 at 06:32:51PM -0800, Darrick J. Wong wrote: > > From: Darrick J. Wong <djwong@xxxxxxxxxx> > > > > If a symbolic link target looks bad, try to sift through the rubble to > > find as much of the target buffer that we can, and stage a new target > > (short or remote format as needed) in a temporary file and use the > > atomic extent swapping mechanism to commit the results. > > So this basically injects new link paths, which looks really dangerous > to me, as it creates odd attack vectors. I'd much prefer to not > "repair" the path, but mark the link bad so that any access but unlike > returns -EIO. Ah, you're worried about a symlink foo -> bar getting corrupted and being repaired into foo -> b, especially if there's actually a "b". Going back to [1] from last year, I finally /did/ find a magic symlink target that actually does trip EIO. That solution is to set the buffer contents to a string that is so long that it exceeds NAME_MAX. Userspace can readlink this string, but it will never resolve anywhere in the directory tree. What if this unconditionally set the link target to DUMMY_TARGET instead of salvaging partial targets? --D [1] https://lore.kernel.org/linux-xfs/20231213013644.GC361584@frogsfrogsfrogs/
