ext4: Improve feature checking

Evaluate the filesystem incompat and ro_compat bit fields to judge whether the filesystem can be read or written. For the read side only a scary warning is shown so far. I'd love to abort mounting too, but I fear this will break some setups where the driver works by chance. Signed-off-by: Richard Weinberger <richard@nod.at>
2025-04-15 17:34:43 +00:00 · 2024-07-29 23:37:31 +02:00 · 2024-07-29 23:37:31 +02:00 · faf73fb70d
commit faf73fb70d
parent 37dc8c2e98
3 changed files with 76 additions and 3 deletions
--- a/fs/ext4/ext4_common.c
+++ b/fs/ext4/ext4_common.c
@ -2383,6 +2383,20 @@ int ext4fs_mount(void)
 		fs->inodesz = 128;
 		fs->gdsize = 32;
 	} else {
+		int missing = __le32_to_cpu(data->sblock.feature_incompat) &
+			      ~(EXT4_FEATURE_INCOMPAT_SUPP |
+				EXT4_FEATURE_INCOMPAT_SUPP_LAZY_RO);
+
+		if (missing) {
+			/*
+			 * This code used to be relaxed about feature flags.
+			 * We don't stop the mount to avoid breaking existing setups.
+			 * But, incompatible features can cause serious read errors.
+			 */
+			log_err("fs uses incompatible features: %08x, ignoring\n",
+				missing);
+		}
+
 		debug("EXT4 features COMPAT: %08x INCOMPAT: %08x RO_COMPAT: %08x\n",
 		      __le32_to_cpu(data->sblock.feature_compatibility),
 		      __le32_to_cpu(data->sblock.feature_incompat),
--- a/fs/ext4/ext4_write.c
+++ b/fs/ext4/ext4_write.c
@ -866,6 +866,7 @@ int ext4fs_write(const char *fname, const char *buffer,
 	ALLOC_CACHE_ALIGN_BUFFER(char, filename, 256);
 	bool store_link_in_inode = false;
 	memset(filename, 0x00, 256);
+	int missing_feat;

 	if (type != FILETYPE_REG && type != FILETYPE_SYMLINK)
 		return -1;
@ -879,8 +880,15 @@ int ext4fs_write(const char *fname, const char *buffer,
 		return -1;
 	}

-	if (le32_to_cpu(fs->sb->feature_ro_compat) & EXT4_FEATURE_RO_COMPAT_METADATA_CSUM) {
-		printf("Unsupported feature metadata_csum found, not writing.\n");
+	missing_feat = le32_to_cpu(fs->sb->feature_incompat) & ~EXT4_FEATURE_INCOMPAT_SUPP;
+	if (missing_feat) {
+		log_err("Unsupported features found %08x, not writing.\n", missing_feat);
+		return -1;
+	}
+
+	missing_feat = le32_to_cpu(fs->sb->feature_ro_compat) & ~EXT4_FEATURE_RO_COMPAT_SUPP;
+	if (missing_feat) {
+		log_err("Unsupported RO compat features found %08x, not writing.\n", missing_feat);
 		return -1;
 	}

--- a/include/ext4fs.h
+++ b/include/ext4fs.h
@ -34,12 +34,63 @@ struct disk_partition;
 #define EXT4_TOPDIR_FL		0x00020000 /* Top of directory hierarchies*/
 #define EXT4_EXTENTS_FL		0x00080000 /* Inode uses extents */
 #define EXT4_EXT_MAGIC			0xf30a
-#define EXT4_FEATURE_RO_COMPAT_GDT_CSUM	0x0010
+
+#define EXT4_FEATURE_RO_COMPAT_SPARSE_SUPER  0x0001
+#define EXT4_FEATURE_RO_COMPAT_LARGE_FILE    0x0002
+#define EXT4_FEATURE_RO_COMPAT_BTREE_DIR     0x0004
+#define EXT4_FEATURE_RO_COMPAT_HUGE_FILE     0x0008
+#define EXT4_FEATURE_RO_COMPAT_GDT_CSUM      0x0010
+#define EXT4_FEATURE_RO_COMPAT_DIR_NLINK     0x0020
+#define EXT4_FEATURE_RO_COMPAT_EXTRA_ISIZE   0x0040
+#define EXT4_FEATURE_RO_COMPAT_QUOTA         0x0100
+#define EXT4_FEATURE_RO_COMPAT_BIGALLOC      0x0200
 #define EXT4_FEATURE_RO_COMPAT_METADATA_CSUM 0x0400
+
+#define EXT4_FEATURE_INCOMPAT_FILETYPE  0x0002
+#define EXT4_FEATURE_INCOMPAT_RECOVER   0x0004
 #define EXT4_FEATURE_INCOMPAT_EXTENTS	0x0040
 #define EXT4_FEATURE_INCOMPAT_64BIT	0x0080
+#define EXT4_FEATURE_INCOMPAT_MMP       0x0100
+#define EXT4_FEATURE_INCOMPAT_FLEX_BG   0x0200
+#define EXT4_FEATURE_INCOMPAT_CSUM_SEED 0x2000
+#define EXT4_FEATURE_INCOMPAT_ENCRYPT   0x10000
+
 #define EXT4_INDIRECT_BLOCKS		12

+/*
+ * Incompat features supported by this implementation.
+ */
+#define EXT4_FEATURE_INCOMPAT_SUPP (EXT4_FEATURE_INCOMPAT_FILETYPE | \
+				   EXT4_FEATURE_INCOMPAT_RECOVER | \
+				   EXT4_FEATURE_INCOMPAT_EXTENTS | \
+				   EXT4_FEATURE_INCOMPAT_64BIT | \
+				   EXT4_FEATURE_INCOMPAT_FLEX_BG)
+
+/*
+ * Incompat features supported by this implementation only in a lazy
+ * way, good enough for reading files.
+ *
+ * - Multi mount protection (mmp) is not supported, but for read-only
+ *   we get away with it.
+ * - Same for metadata_csum_seed and metadata_csum.
+ * - The implementation has also no clue about fscrypt, but it can read
+ *   unencrypted files. Reading encrypted files will read garbage.
+ */
+#define EXT4_FEATURE_INCOMPAT_SUPP_LAZY_RO (EXT4_FEATURE_INCOMPAT_MMP | \
+					   EXT4_FEATURE_INCOMPAT_CSUM_SEED | \
+					   EXT4_FEATURE_INCOMPAT_ENCRYPT)
+
+/*
+ * Read-only compat features we support.
+ * If unknown ro compat features are detected, writing to the fs is denied.
+ */
+#define EXT4_FEATURE_RO_COMPAT_SUPP (EXT4_FEATURE_RO_COMPAT_SPARSE_SUPER | \
+				    EXT4_FEATURE_RO_COMPAT_LARGE_FILE | \
+				    EXT4_FEATURE_RO_COMPAT_HUGE_FILE | \
+				    EXT4_FEATURE_RO_COMPAT_GDT_CSUM | \
+				    EXT4_FEATURE_RO_COMPAT_DIR_NLINK | \
+				    EXT4_FEATURE_RO_COMPAT_EXTRA_ISIZE)
+
 #define EXT4_BG_INODE_UNINIT		0x0001
 #define EXT4_BG_BLOCK_UNINIT		0x0002
 #define EXT4_BG_INODE_ZEROED		0x0004