fusefronted_reverse: fix ino collision between .name and .diriv files

A directory with a long name has two associated virtual files:
the .name file and the .diriv files.

These used to get the same inode number:

  $ ls -di1  * */*
             33313535 gocryptfs.longname.2togDFouca9mrTwtfF1RNW5DZRAQY8alaR7wO_Xd5Zw
  1000000000033313535 gocryptfs.longname.2togDFouca9mrTwtfF1RNW5DZRAQY8alaR7wO_Xd5Zw/gocryptfs.diriv
  1000000000033313535 gocryptfs.longname.2togDFouca9mrTwtfF1RNW5DZRAQY8alaR7wO_Xd5Zw.name

With this change we use another prefix (2 instead of 1) for .name files.

  $ ls -di1 * */*
             33313535 gocryptfs.longname.2togDFouca9mrTwtfF1RNW5DZRAQY8alaR7wO_Xd5Zw
  1000000000033313535 gocryptfs.longname.2togDFouca9mrTwtfF1RNW5DZRAQY8alaR7wO_Xd5Zw/gocryptfs.diriv
  2000000000033313535 gocryptfs.longname.2togDFouca9mrTwtfF1RNW5DZRAQY8alaR7wO_Xd5Zw.name

3 files changed, 26 insertions, 12 deletions

diff --git a/internal/fusefrontend_reverse/reverse_longnames.go b/internal/fusefrontend_reverse/reverse_longnames.go
index 7e26c90..3b2ddea 100644
--- a/internal/fusefrontend_reverse/reverse_longnames.go
+++ b/internal/fusefrontend_reverse/reverse_longnames.go
@@ -100,5 +100,5 @@ func (rfs *ReverseFS) newNameFile(relPath string) (nodefs.File, fuse.Status) {
 	}
 	content := []byte(rfs.nameTransform.EncryptName(pName, dirIV))
 	parentFile := filepath.Join(rfs.args.Cipherdir, pDir, pName)
-	return rfs.newVirtualFile(content, parentFile)
+	return rfs.newVirtualFile(content, parentFile, inoBaseNameFile)
 }
diff --git a/internal/fusefrontend_reverse/rfs.go b/internal/fusefrontend_reverse/rfs.go
index 3c84e15..76b1361 100644
--- a/internal/fusefrontend_reverse/rfs.go
+++ b/internal/fusefrontend_reverse/rfs.go
@@ -162,9 +162,9 @@ func (rfs *ReverseFS) GetAttr(relPath string, context *fuse.Context) (*fuse.Attr
 		return nil, fuse.ToStatus(err)
 	}
 	// Instead of risking an inode number collision, we return an error.
-	if st.Ino > virtualInoBase {
+	if st.Ino > inoBaseMin {
 		tlog.Warn.Printf("GetAttr %q: backing file inode number %d crosses reserved space, max=%d. Returning EOVERFLOW.",
-			relPath, st.Ino, virtualInoBase)
+			relPath, st.Ino, inoBaseMin)
 		return nil, fuse.ToStatus(syscall.EOVERFLOW)
 	}
 	var a fuse.Attr
diff --git a/internal/fusefrontend_reverse/virtualfile.go b/internal/fusefrontend_reverse/virtualfile.go
index 5d5d80d..05b8349 100644
--- a/internal/fusefrontend_reverse/virtualfile.go
+++ b/internal/fusefrontend_reverse/virtualfile.go
@@ -1,6 +1,7 @@
 package fusefrontend_reverse
 
 import (
+	"log"
 	"syscall"
 
 	"github.com/hanwen/go-fuse/fuse"
@@ -14,12 +15,19 @@ const (
 	// virtualFileMode is the mode to use for virtual files (gocryptfs.diriv and
 	// *.name). They are always readable, as stated in func Access
 	virtualFileMode = syscall.S_IFREG | 0444
-	// virtualInoBase is the start of the inode number range that is used
-	// for virtual files.
+	// inoBaseDirIV is the start of the inode number range that is used
+	// for virtual gocryptfs.diriv files. inoBaseNameFile is the thing for
+	// *.name files.
 	// The value 10^19 is just below 2^60. A power of 10 has been chosen so the
 	// "ls -li" output (which is base-10) is easy to read.
-	// 10^19 is the largest power of 10 that is smaller than UINT64_MAX/2.
-	virtualInoBase = uint64(1000000000000000000)
+	// 10^19 is the largest power of 10 that is smaller than
+	// INT64_MAX (=UINT64_MAX/2). This avoids signedness issues.
+	inoBaseDirIV    = uint64(1000000000000000000)
+	inoBaseNameFile = uint64(2000000000000000000)
+	// inoBaseMin marks the start of the inode number space that is
+	// reserved for virtual files. It is the lowest of the inoBaseXXX values
+	// above.
+	inoBaseMin = inoBaseDirIV
 )
 
 func (rfs *ReverseFS) newDirIVFile(cRelPath string) (nodefs.File, fuse.Status) {
@@ -28,7 +36,7 @@ func (rfs *ReverseFS) newDirIVFile(cRelPath string) (nodefs.File, fuse.Status) {
 	if err != nil {
 		return nil, fuse.ToStatus(err)
 	}
-	return rfs.newVirtualFile(pathiv.Derive(cDir, pathiv.PurposeDirIV), absDir)
+	return rfs.newVirtualFile(pathiv.Derive(cDir, pathiv.PurposeDirIV), absDir, inoBaseDirIV)
 }
 
 type virtualFile struct {
@@ -38,17 +46,23 @@ type virtualFile struct {
 	content []byte
 	// absolute path to a parent file
 	parentFile string
+	// inode number of a virtual file is inode of parent file plus inoBase
+	inoBase uint64
 }
 
 // newVirtualFile creates a new in-memory file that does not have a representation
 // on disk. "content" is the file content. Timestamps and file owner are copied
 // from "parentFile" (absolute plaintext path). For a "gocryptfs.diriv" file, you
 // would use the parent directory as "parentFile".
-func (rfs *ReverseFS) newVirtualFile(content []byte, parentFile string) (nodefs.File, fuse.Status) {
+func (rfs *ReverseFS) newVirtualFile(content []byte, parentFile string, inoBase uint64) (nodefs.File, fuse.Status) {
+	if inoBase < inoBaseMin {
+		log.Panicf("BUG: virtual inode number base %d is below reserved space", inoBase)
+	}
 	return &virtualFile{
 		File:       nodefs.NewDefaultFile(),
 		content:    content,
 		parentFile: parentFile,
+		inoBase:    inoBase,
 	}, fuse.OK
 }
 
@@ -72,12 +86,12 @@ func (f *virtualFile) GetAttr(a *fuse.Attr) fuse.Status {
 		tlog.Debug.Printf("GetAttr: Lstat %q: %v\n", f.parentFile, err)
 		return fuse.ToStatus(err)
 	}
-	if st.Ino > virtualInoBase {
+	if st.Ino > inoBaseMin {
 		tlog.Warn.Printf("virtualFile.GetAttr: parent file inode number %d crosses reserved space, max=%d. Returning EOVERFLOW.",
-			st.Ino, virtualInoBase)
+			st.Ino, inoBaseMin)
 		return fuse.ToStatus(syscall.EOVERFLOW)
 	}
-	st.Ino = st.Ino + virtualInoBase
+	st.Ino = st.Ino + f.inoBase
 	st.Size = int64(len(f.content))
 	st.Mode = virtualFileMode
 	st.Nlink = 1