Commit f9683400 authored Nov 18, 2025 by Omar Sandoval Committed by David Sterba Nov 25, 2025

btrfs: disable various operations on encrypted inodes

Initially, only normal data extents will be encrypted. This change
forbids various other bits:

- allows reflinking only if both inodes have the same encryption status
- disable inline data on encrypted inodes

Note: The patch was taken from v5 of fscrypt patchset
(https://lore.kernel.org/linux-btrfs/cover.1706116485.git.josef@toxicpanda.com/

)
which was handled over time by various people: Omar Sandoval, Sweet Tea
Dorminy, Josef Bacik.

Signed-off-by: Omar Sandoval <osandov@osandov.com>
Signed-off-by: Daniel Vacek <neelx@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
[ add note ]
Signed-off-by: David Sterba <dsterba@suse.com>

parent 4357dd76

fs/btrfs/inode.c

+4 −0

Original line number	Diff line number	Diff line
		@@ -592,6 +592,10 @@ static bool can_cow_file_range_inline(struct btrfs_inode *inode,
		if (size < i_size_read(&inode->vfs_inode))
		return false;

		/* Encrypted file cannot be inlined. */
		if (IS_ENCRYPTED(&inode->vfs_inode))
		return false;

		return true;
		}

fs/btrfs/reflink.c

+5 −0

Original line number	Diff line number	Diff line
		// SPDX-License-Identifier: GPL-2.0

		#include <linux/blkdev.h>
		#include <linux/fscrypt.h>
		#include <linux/iversion.h>
		#include "ctree.h"
		#include "fs.h"
		@@ -789,6 +790,10 @@ static int btrfs_remap_file_range_prep(struct file *file_in, loff_t pos_in,
		ASSERT(inode_in->vfs_inode.i_sb == inode_out->vfs_inode.i_sb);
		}

		/* Can only reflink encrypted files if both files are encrypted. */
		if (IS_ENCRYPTED(&inode_in->vfs_inode) != IS_ENCRYPTED(&inode_out->vfs_inode))
		return -EINVAL;

		/* Don't make the dst file partly checksummed */
		if ((inode_in->flags & BTRFS_INODE_NODATASUM) !=
		(inode_out->flags & BTRFS_INODE_NODATASUM)) {