[PATCH 0/8] Superblock read and verify cleanups

[PATCH 0/8] Superblock read and verify cleanups

[Anand Jain]

Patch 1-4/8 are preparatory patches adds cleanups and nonstatic requisites.

Patch 5/8 makes sure that all copies of the superblock have the same fsid
when we scan the device.

Patch 6/8 verifies superblock csum when we read it in the scan context.

Patch 7/8 fixes a bug that we weren't verifying the superblock csum for
the non-latest_bdev.

And 8/8 patch drops the redundant invalidate_bdev() call during mount.

There is a btrfs-progs patch which is a kind of related, as its found that
we weren't wiping the non-overwritten superblock, so it could cause
confusion during the superblock recovery process. So the patch btrfs-progs
1/1 adds code to wipe superblock if we aren't overwriting it.

Now since kernel patch 5/8 checks if all the superblock copies are
pointing to the same fsid on the disk, so the scan will fail if without
the above 1/1 btrfs-progs, as in the example below [1]. However the simple
workaround is to wipe the superblock manually [2] or apply the btrfs-progs
patch below.

[1]
 mkfs.btrfs -qf /dev/sdb <-- 1T disk
 mkfs.btrfs -b 256M  /dev/sdb
 ERROR: device scan failed on /dev/sdb

[2]
 dd if=/dev/zero of=<dev> seek=274877906944 ibs=1 obs=1 count4K

Unfortunately, the error messages should have been failed to register
[3] device into the kernel to be more appropriate to the error.

[3]
        ret = ioctl(fd, BTRFS_IOC_SCAN_DEV, &args);
        if (ret < 0) {
                error("device scan failed on '%s': %m", fname);
                ret = -errno;
        }


Patches 1-7/8 were sent independently before. And  I found few more things
to fix alongs the line, and since they are related, so I am sending these
all together. Also, as there are minor changes, like in pr_err strings,
and splitting the unrelated changes into a separate patch, so though I am
thankful for the received reviewed-by, I couldn't include them here. Sorry.

Finally, here I am including the function relations [4] so that it will help
to review the code. And this flow is before these patches were applied.

[4]
In the long term, I suggest deprecating ioctl args which pass device path
(where possible), like in delete-device/replace. And
btrfs_read_dev_one_super() should replace btrfs_read_disk_super()

delete-device/replace:
btrfs_rm_device() || btrfs_dev_replace_by_ioctl()
|_btrfs_find_device_by_devspec()
  |_btrfs_find_device_missing_or_by_path()
    |_btrfs_find_device_by_path()
      |_btrfs_get_bdev_and_sb()
        |_btrfs_read_dev_super()
          |_btrfs_read_dev_one_super()
            |___bread()

btrfs_mount_root()
 |
 |_btrfs_parse_early_options (-o device only)
 | |_btrfs_scan_one_device
 |   |_btrfs_read_disk_super()
 |     |_read_cache_page_gfp()
 |
 |_btrfs_scan_one_device(mount-arg-dev only)
 | |_btrfs_read_disk_super()
 |   |_read_cache_page_gfp()
 |
 |
 |_btrfs_open_devices(fsid:all)
 |  |_btrfs_open_one_device()
 |    |_btrfs_get_bdev_and_sb()  <--- invalidate_bdev(fsid:all)
 |      |_btrfs_read_dev_super()
 |        |_btrfs_read_dev_one_super()
 |          |___bread()
 |
 |_btrfs_fill_super()
   |_btrfs_open_ctree()   <-- invalidate_bdev(latest_bdev) <-- redundant
     |_btrfs_read_dev_super(latest_bdev only)
     | |_btrfs_read_dev_one_super(latest_bdev only)
     |   |___bread(latest_bdev)
     |
     |_btrfs_check_super_csum(latest_bdev only) [*]
     |
     |_btrfs_read_chunk_tree
     | |_read_one_dev()
     |   |_open_seed_devices()
     |     |_btrfs_open_devices(fs_devices->seed only)

scan/ready
|
|_btrfs_scan_one_device(ioctl-arg-dev only)
   |_btrfs_read_disk_super()
     |_read_cache_page_gfp()


Anand Jain (8):
  btrfs: cleanup btrfs_check_super_csum() for better code flow
  btrfs: return required error from btrfs_check_super_csum
  btrfs: cleanup btrfs_read_disk_super() to return std error
  btrfs: make btrfs_check_super_csum() non static
  btrfs: check if the fsid in the primary sb and copy sb are same
  btrfs: verify checksum when superblock is read for scan
  btrfs: verify checksum for all devices in mount context
  btrfs: drop the redundant invalidate_bdev()

 fs/btrfs/disk-io.c | 72 +++++++++++++++++++++++-----------------------
 fs/btrfs/disk-io.h |  1 +
 fs/btrfs/volumes.c | 84 ++++++++++++++++++++++++++++++++++++++++++------------
 3 files changed, 102 insertions(+), 55 deletions(-)

Anand Jain (1):
  btrfs-progs: wipe copies of the stale superblock beyond -b size

 utils.c | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

-- 
2.7.0

[PATCH 1/8] btrfs: cleanup btrfs_check_super_csum() for better code flow

[Anand Jain]

We check the %csum_type twice. Drop one. Check for the csum_type and
then for the csum. Which also matches with the progs which have better
logic. This is preparatory patch to get proper error code from
btrfs_check_super_csum().

Signed-off-by: Anand Jain <anand.jain@oracle.com>
---
 fs/btrfs/disk-io.c | 38 +++++++++++++++++---------------------
 1 file changed, 17 insertions(+), 21 deletions(-)

diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
index 1657d6aa4fa6..b9b435579527 100644
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -399,32 +399,28 @@ static int btrfs_check_super_csum(struct btrfs_fs_info *fs_info,
 	struct btrfs_super_block *disk_sb =
 		(struct btrfs_super_block *)raw_disk_sb;
 	u16 csum_type = btrfs_super_csum_type(disk_sb);
-	int ret = 0;
-
-	if (csum_type == BTRFS_CSUM_TYPE_CRC32) {
-		u32 crc = ~(u32)0;
-		char result[sizeof(crc)];
-
-		/*
-		 * The super_block structure does not span the whole
-		 * BTRFS_SUPER_INFO_SIZE range, we expect that the unused space
-		 * is filled with zeros and is included in the checksum.
-		 */
-		crc = btrfs_csum_data(raw_disk_sb + BTRFS_CSUM_SIZE,
-				crc, BTRFS_SUPER_INFO_SIZE - BTRFS_CSUM_SIZE);
-		btrfs_csum_final(crc, result);
-
-		if (memcmp(raw_disk_sb, result, sizeof(result)))
-			ret = 1;
-	}
+	u32 crc = ~(u32)0;
+	char result[sizeof(crc)];
 
 	if (csum_type >= ARRAY_SIZE(btrfs_csum_sizes)) {
 		btrfs_err(fs_info, "unsupported checksum algorithm %u",
-				csum_type);
-		ret = 1;
+			  csum_type);
+		return 1;
 	}
 
-	return ret;
+	/*
+	 * The super_block structure does not span the whole
+	 * BTRFS_SUPER_INFO_SIZE range, we expect that the unused space
+	 * is filled with zeros and is included in the checksum.
+	 */
+	crc = btrfs_csum_data(raw_disk_sb + BTRFS_CSUM_SIZE,
+			      crc, BTRFS_SUPER_INFO_SIZE - BTRFS_CSUM_SIZE);
+	btrfs_csum_final(crc, result);
+
+	if (memcmp(raw_disk_sb, result, sizeof(result)))
+		return 1;
+
+	return 0;
 }
 
 /*
-- 
2.7.0

Re: [PATCH 1/8] btrfs: cleanup btrfs_check_super_csum() for better code flow

[Nikolay Borisov]

On 26.03.2018 11:27, Anand Jain wrote:
> We check the %csum_type twice. Drop one. Check for the csum_type and
> then for the csum. Which also matches with the progs which have better
> logic. This is preparatory patch to get proper error code from
> btrfs_check_super_csum().
> 
> Signed-off-by: Anand Jain <anand.jain@oracle.com>
Reviewed-by: Nikolay Borisov <nborisov@suse.com>
> ---
>  fs/btrfs/disk-io.c | 38 +++++++++++++++++---------------------
>  1 file changed, 17 insertions(+), 21 deletions(-)
> 
> diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
> index 1657d6aa4fa6..b9b435579527 100644
> --- a/fs/btrfs/disk-io.c
> +++ b/fs/btrfs/disk-io.c
> @@ -399,32 +399,28 @@ static int btrfs_check_super_csum(struct btrfs_fs_info *fs_info,
>  	struct btrfs_super_block *disk_sb =
>  		(struct btrfs_super_block *)raw_disk_sb;
>  	u16 csum_type = btrfs_super_csum_type(disk_sb);
> -	int ret = 0;
> -
> -	if (csum_type == BTRFS_CSUM_TYPE_CRC32) {
> -		u32 crc = ~(u32)0;
> -		char result[sizeof(crc)];
> -
> -		/*
> -		 * The super_block structure does not span the whole
> -		 * BTRFS_SUPER_INFO_SIZE range, we expect that the unused space
> -		 * is filled with zeros and is included in the checksum.
> -		 */
> -		crc = btrfs_csum_data(raw_disk_sb + BTRFS_CSUM_SIZE,
> -				crc, BTRFS_SUPER_INFO_SIZE - BTRFS_CSUM_SIZE);
> -		btrfs_csum_final(crc, result);
> -
> -		if (memcmp(raw_disk_sb, result, sizeof(result)))
> -			ret = 1;
> -	}
> +	u32 crc = ~(u32)0;
> +	char result[sizeof(crc)];
>  
>  	if (csum_type >= ARRAY_SIZE(btrfs_csum_sizes)) {
>  		btrfs_err(fs_info, "unsupported checksum algorithm %u",
> -				csum_type);
> -		ret = 1;
> +			  csum_type);
> +		return 1;
>  	}
>  
> -	return ret;
> +	/*
> +	 * The super_block structure does not span the whole
> +	 * BTRFS_SUPER_INFO_SIZE range, we expect that the unused space
> +	 * is filled with zeros and is included in the checksum.
> +	 */
> +	crc = btrfs_csum_data(raw_disk_sb + BTRFS_CSUM_SIZE,
> +			      crc, BTRFS_SUPER_INFO_SIZE - BTRFS_CSUM_SIZE);
> +	btrfs_csum_final(crc, result);
> +
> +	if (memcmp(raw_disk_sb, result, sizeof(result)))
> +		return 1;
> +
> +	return 0;
>  }
>  
>  /*
> 

[PATCH 2/8] btrfs: return required error from btrfs_check_super_csum

[Anand Jain]

Return the required -EINVAL and -EUCLEAN from the function
btrfs_check_super_csum(). And more the error log into the
parent function.

Signed-off-by: Anand Jain <anand.jain@oracle.com>
---
 fs/btrfs/disk-io.c | 27 ++++++++++++++++-----------
 1 file changed, 16 insertions(+), 11 deletions(-)

diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
index b9b435579527..8b4e602ed60a 100644
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -392,9 +392,10 @@ static int verify_parent_transid(struct extent_io_tree *io_tree,
 /*
  * Return 0 if the superblock checksum type matches the checksum value of that
  * algorithm. Pass the raw disk superblock data.
+ * Otherwise: -EINVAL  if csum type is not found
+ * 	      -EUCLEAN if csum does not match
  */
-static int btrfs_check_super_csum(struct btrfs_fs_info *fs_info,
-				  char *raw_disk_sb)
+static int btrfs_check_super_csum(char *raw_disk_sb)
 {
 	struct btrfs_super_block *disk_sb =
 		(struct btrfs_super_block *)raw_disk_sb;
@@ -402,11 +403,8 @@ static int btrfs_check_super_csum(struct btrfs_fs_info *fs_info,
 	u32 crc = ~(u32)0;
 	char result[sizeof(crc)];
 
-	if (csum_type >= ARRAY_SIZE(btrfs_csum_sizes)) {
-		btrfs_err(fs_info, "unsupported checksum algorithm %u",
-			  csum_type);
-		return 1;
-	}
+	if (csum_type >= ARRAY_SIZE(btrfs_csum_sizes))
+		return -EINVAL;
 
 	/*
 	 * The super_block structure does not span the whole
@@ -418,7 +416,7 @@ static int btrfs_check_super_csum(struct btrfs_fs_info *fs_info,
 	btrfs_csum_final(crc, result);
 
 	if (memcmp(raw_disk_sb, result, sizeof(result)))
-		return 1;
+		return -EUCLEAN;
 
 	return 0;
 }
@@ -2570,9 +2568,16 @@ int open_ctree(struct super_block *sb,
 	 * We want to check superblock checksum, the type is stored inside.
 	 * Pass the whole disk block of size BTRFS_SUPER_INFO_SIZE (4k).
 	 */
-	if (btrfs_check_super_csum(fs_info, bh->b_data)) {
-		btrfs_err(fs_info, "superblock checksum mismatch");
-		err = -EINVAL;
+	err = btrfs_check_super_csum(bh->b_data);
+	if (err) {
+		if (err == -EINVAL)
+			pr_err("BTRFS error (device %pg): "\
+				"unsupported checksum algorithm",
+				fs_devices->latest_bdev);
+		else
+			pr_err("BTRFS error (device %pg): "\
+				"superblock checksum mismatch",
+				fs_devices->latest_bdev);
 		brelse(bh);
 		goto fail_alloc;
 	}
-- 
2.7.0

Re: [PATCH 2/8] btrfs: return required error from btrfs_check_super_csum

[Nikolay Borisov]

On 26.03.2018 11:27, Anand Jain wrote:
> Return the required -EINVAL and -EUCLEAN from the function
> btrfs_check_super_csum(). And more the error log into the
> parent function.
> 
> Signed-off-by: Anand Jain <anand.jain@oracle.com>
> ---
>  fs/btrfs/disk-io.c | 27 ++++++++++++++++-----------
>  1 file changed, 16 insertions(+), 11 deletions(-)
> 
> diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
> index b9b435579527..8b4e602ed60a 100644
> --- a/fs/btrfs/disk-io.c
> +++ b/fs/btrfs/disk-io.c
> @@ -392,9 +392,10 @@ static int verify_parent_transid(struct extent_io_tree *io_tree,
>  /*
>   * Return 0 if the superblock checksum type matches the checksum value of that
>   * algorithm. Pass the raw disk superblock data.
> + * Otherwise: -EINVAL  if csum type is not found
> + * 	      -EUCLEAN if csum does not match
>   */
> -static int btrfs_check_super_csum(struct btrfs_fs_info *fs_info,
> -				  char *raw_disk_sb)
> +static int btrfs_check_super_csum(char *raw_disk_sb)
>  {
>  	struct btrfs_super_block *disk_sb =
>  		(struct btrfs_super_block *)raw_disk_sb;
> @@ -402,11 +403,8 @@ static int btrfs_check_super_csum(struct btrfs_fs_info *fs_info,
>  	u32 crc = ~(u32)0;
>  	char result[sizeof(crc)];
>  
> -	if (csum_type >= ARRAY_SIZE(btrfs_csum_sizes)) {
> -		btrfs_err(fs_info, "unsupported checksum algorithm %u",
> -			  csum_type);
> -		return 1;
> -	}
> +	if (csum_type >= ARRAY_SIZE(btrfs_csum_sizes))
> +		return -EINVAL;
>  
>  	/*
>  	 * The super_block structure does not span the whole
> @@ -418,7 +416,7 @@ static int btrfs_check_super_csum(struct btrfs_fs_info *fs_info,
>  	btrfs_csum_final(crc, result);
>  
>  	if (memcmp(raw_disk_sb, result, sizeof(result)))
> -		return 1;
> +		return -EUCLEAN;
>  
>  	return 0;
>  }
> @@ -2570,9 +2568,16 @@ int open_ctree(struct super_block *sb,
>  	 * We want to check superblock checksum, the type is stored inside.
>  	 * Pass the whole disk block of size BTRFS_SUPER_INFO_SIZE (4k).
>  	 */
> -	if (btrfs_check_super_csum(fs_info, bh->b_data)) {
> -		btrfs_err(fs_info, "superblock checksum mismatch");
> -		err = -EINVAL;
> +	err = btrfs_check_super_csum(bh->b_data);
> +	if (err) {
> +		if (err == -EINVAL)
> +			pr_err("BTRFS error (device %pg): "\
> +				"unsupported checksum algorithm",
> +				fs_devices->latest_bdev);

I don't think strings should be idented. I.e the correct thing here
should be to have only fs_devices->latest_bdev on a new line, even if
the string goes above the char limit of 80. In any case the \ is not
needed due to gcc's support for string literal concatenation:

pr_err("BTRFS error (device %pg): "
       "unsupported checksum algorithm",
       fs_devices->latest_bdev)

should work equally well. But as I said I don't think this is even
needed. Let's wait and see what David says.

> +		else
> +			pr_err("BTRFS error (device %pg): "\
> +				"superblock checksum mismatch",
> +				fs_devices->latest_bdev);
>  		brelse(bh);
>  		goto fail_alloc;
>  	}
> 

Re: [PATCH 2/8] btrfs: return required error from btrfs_check_super_csum

[David Sterba]

On Tue, Mar 27, 2018 at 11:05:53AM +0300, Nikolay Borisov wrote:
> > +	if (err) {
> > +		if (err == -EINVAL)
> > +			pr_err("BTRFS error (device %pg): "\
> > +				"unsupported checksum algorithm",
> > +				fs_devices->latest_bdev);
> 
> I don't think strings should be idented. I.e the correct thing here
> should be to have only fs_devices->latest_bdev on a new line, even if
> the string goes above the char limit of 80. In any case the \ is not
> needed due to gcc's support for string literal concatenation:
> 
> pr_err("BTRFS error (device %pg): "
>        "unsupported checksum algorithm",
>        fs_devices->latest_bdev)
> 
> should work equally well. But as I said I don't think this is even
> needed. Let's wait and see what David says.

The strings should not be split, because we want to be able to grep the
sources for the error messages. If the string does not fit 80 chars
per line, then it can be moved to the next line and un-indented to the
left. Plenty of examples.

Re: [PATCH 2/8] btrfs: return required error from btrfs_check_super_csum

[Anand Jain]

On 03/28/2018 03:16 AM, David Sterba wrote:
> On Tue, Mar 27, 2018 at 11:05:53AM +0300, Nikolay Borisov wrote:
>>> +	if (err) {
>>> +		if (err == -EINVAL)
>>> +			pr_err("BTRFS error (device %pg): "\
>>> +				"unsupported checksum algorithm",
>>> +				fs_devices->latest_bdev);
>>
>> I don't think strings should be idented. I.e the correct thing here
>> should be to have only fs_devices->latest_bdev on a new line, even if
>> the string goes above the char limit of 80. In any case the \ is not
>> needed due to gcc's support for string literal concatenation:
>>
>> pr_err("BTRFS error (device %pg): "
>>         "unsupported checksum algorithm",
>>         fs_devices->latest_bdev)
>>
>> should work equally well. But as I said I don't think this is even
>> needed. Let's wait and see what David says.
> 
> The strings should not be split, because we want to be able to grep the
> sources for the error messages. If the string does not fit 80 chars
> per line, then it can be moved to the next line and un-indented to the
> left. Plenty of examples.

  I understand reason behind string should not be split, but I
  thought here will be an exception, as if you want to search
  for the string you will still use "unsupported checksum algorithm"
  which is still in one line.
  About the grep not able to find the string which are split,
  I look at it as fixing the wrong end of the problem. That is Grep
  end problem being fixes at the c code end. Anyway as its kind of
  linux general guidlines, I shall fix my patch.

Thanks, Anand

Re: [PATCH 2/8] btrfs: return required error from btrfs_check_super_csum

[David Sterba]

On Wed, Mar 28, 2018 at 04:43:02AM +0800, Anand Jain wrote:
>   I understand reason behind string should not be split, but I
>   thought here will be an exception, as if you want to search
>   for the string you will still use "unsupported checksum algorithm"
>   which is still in one line.
>   About the grep not able to find the string which are split,
>   I look at it as fixing the wrong end of the problem. That is Grep
>   end problem being fixes at the c code end. Anyway as its kind of
>   linux general guidlines, I shall fix my patch.

It's not just grep, but any other similar line-oriented searching tool
or internal searches in editors or IDEs. Searching for fragments of the
string will likely lead to the result but splitting lines makes it
unnecessarily more difficult.

[PATCH 3/8] btrfs: cleanup btrfs_read_disk_super() to return std error

[Anand Jain]

The only caller btrfs_scan_one_device() sets -EINVAL for error from
btrfs_read_disk_super(), so this patch returns -EINVAL from the latter
function.

A preparatory patch to add csum check in btrfs_read_disk_super().

Signed-off-by: Anand Jain <anand.jain@oracle.com>
---
 fs/btrfs/volumes.c | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
index 87d183accdb2..ed22f0a3d239 100644
--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -1154,23 +1154,23 @@ static int btrfs_read_disk_super(struct block_device *bdev, u64 bytenr,
 
 	/* make sure our super fits in the device */
 	if (bytenr + PAGE_SIZE >= i_size_read(bdev->bd_inode))
-		return 1;
+		return -EINVAL;
 
 	/* make sure our super fits in the page */
 	if (sizeof(**disk_super) > PAGE_SIZE)
-		return 1;
+		return -EINVAL;
 
 	/* make sure our super doesn't straddle pages on disk */
 	index = bytenr >> PAGE_SHIFT;
 	if ((bytenr + sizeof(**disk_super) - 1) >> PAGE_SHIFT != index)
-		return 1;
+		return -EINVAL;
 
 	/* pull in the page with our super */
 	*page = read_cache_page_gfp(bdev->bd_inode->i_mapping,
 				   index, GFP_KERNEL);
 
 	if (IS_ERR_OR_NULL(*page))
-		return 1;
+		return -EINVAL;
 
 	p = kmap(*page);
 
@@ -1180,7 +1180,7 @@ static int btrfs_read_disk_super(struct block_device *bdev, u64 bytenr,
 	if (btrfs_super_bytenr(*disk_super) != bytenr ||
 	    btrfs_super_magic(*disk_super) != BTRFS_MAGIC) {
 		btrfs_release_disk_super(*page);
-		return 1;
+		return -EINVAL;
 	}
 
 	if ((*disk_super)->label[0] &&
@@ -1218,10 +1218,9 @@ int btrfs_scan_one_device(const char *path, fmode_t flags, void *holder,
 	if (IS_ERR(bdev))
 		return PTR_ERR(bdev);
 
-	if (btrfs_read_disk_super(bdev, bytenr, &page, &disk_super)) {
-		ret = -EINVAL;
+	ret = btrfs_read_disk_super(bdev, bytenr, &page, &disk_super);
+	if (ret)
 		goto error_bdev_put;
-	}
 
 	mutex_lock(&uuid_mutex);
 	device = device_list_add(path, disk_super);
-- 
2.7.0

Re: [PATCH 3/8] btrfs: cleanup btrfs_read_disk_super() to return std error

[Nikolay Borisov]

On 26.03.2018 11:27, Anand Jain wrote:
> The only caller btrfs_scan_one_device() sets -EINVAL for error from
> btrfs_read_disk_super(), so this patch returns -EINVAL from the latter
> function.
> 
> A preparatory patch to add csum check in btrfs_read_disk_super().
> 
> Signed-off-by: Anand Jain <anand.jain@oracle.com>
> ---
>  fs/btrfs/volumes.c | 15 +++++++--------
>  1 file changed, 7 insertions(+), 8 deletions(-)
> 
> diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
> index 87d183accdb2..ed22f0a3d239 100644
> --- a/fs/btrfs/volumes.c
> +++ b/fs/btrfs/volumes.c
> @@ -1154,23 +1154,23 @@ static int btrfs_read_disk_super(struct block_device *bdev, u64 bytenr,
>  
>  	/* make sure our super fits in the device */
>  	if (bytenr + PAGE_SIZE >= i_size_read(bdev->bd_inode))
> -		return 1;
> +		return -EINVAL;
>  
>  	/* make sure our super fits in the page */
>  	if (sizeof(**disk_super) > PAGE_SIZE)
> -		return 1;
> +		return -EINVAL;
>  
>  	/* make sure our super doesn't straddle pages on disk */
>  	index = bytenr >> PAGE_SHIFT;
>  	if ((bytenr + sizeof(**disk_super) - 1) >> PAGE_SHIFT != index)
> -		return 1;
> +		return -EINVAL;
>  
>  	/* pull in the page with our super */
>  	*page = read_cache_page_gfp(bdev->bd_inode->i_mapping,
>  				   index, GFP_KERNEL);
>  
>  	if (IS_ERR_OR_NULL(*page))
> -		return 1;
> +		return -EINVAL;
>  
>  	p = kmap(*page);
>  
> @@ -1180,7 +1180,7 @@ static int btrfs_read_disk_super(struct block_device *bdev, u64 bytenr,
>  	if (btrfs_super_bytenr(*disk_super) != bytenr ||
>  	    btrfs_super_magic(*disk_super) != BTRFS_MAGIC) {
>  		btrfs_release_disk_super(*page);
> -		return 1;
> +		return -EINVAL;
>  	}
>  
>  	if ((*disk_super)->label[0] &&
> @@ -1218,10 +1218,9 @@ int btrfs_scan_one_device(const char *path, fmode_t flags, void *holder,
>  	if (IS_ERR(bdev))
>  		return PTR_ERR(bdev);
>  
> -	if (btrfs_read_disk_super(bdev, bytenr, &page, &disk_super)) {
> -		ret = -EINVAL;
> +	ret = btrfs_read_disk_super(bdev, bytenr, &page, &disk_super);
> +	if (ret)

I'd rather have explicit ret < 0 check.

>  		goto error_bdev_put;
> -	}
>  
>  	mutex_lock(&uuid_mutex);
>  	device = device_list_add(path, disk_super);
> 

[PATCH 4/8] btrfs: make btrfs_check_super_csum() non-static

[Anand Jain]

In preparation to add the superblock csum verification for the
scan context, make btrfs_check_super_csum() non-static.

Signed-off-by: Anand Jain <anand.jain@oracle.com>
---
 fs/btrfs/disk-io.c | 2 +-
 fs/btrfs/disk-io.h | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
index 8b4e602ed60a..6299ab18da5f 100644
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -395,7 +395,7 @@ static int verify_parent_transid(struct extent_io_tree *io_tree,
  * Otherwise: -EINVAL  if csum type is not found
  * 	      -EUCLEAN if csum does not match
  */
-static int btrfs_check_super_csum(char *raw_disk_sb)
+int btrfs_check_super_csum(char *raw_disk_sb)
 {
 	struct btrfs_super_block *disk_sb =
 		(struct btrfs_super_block *)raw_disk_sb;
diff --git a/fs/btrfs/disk-io.h b/fs/btrfs/disk-io.h
index 70a88d61b547..c400cc68f913 100644
--- a/fs/btrfs/disk-io.h
+++ b/fs/btrfs/disk-io.h
@@ -69,6 +69,7 @@ int write_all_supers(struct btrfs_fs_info *fs_info, int max_mirrors);
 struct buffer_head *btrfs_read_dev_super(struct block_device *bdev);
 int btrfs_read_dev_one_super(struct block_device *bdev, int copy_num,
 			struct buffer_head **bh_ret);
+int btrfs_check_super_csum(char *raw_disk_sb);
 int btrfs_commit_super(struct btrfs_fs_info *fs_info);
 struct btrfs_root *btrfs_read_fs_root(struct btrfs_root *tree_root,
 				      struct btrfs_key *location);
-- 
2.7.0

Re: [PATCH 4/8] btrfs: make btrfs_check_super_csum() non-static

[Nikolay Borisov]

On 26.03.2018 11:27, Anand Jain wrote:
> In preparation to add the superblock csum verification for the
> scan context, make btrfs_check_super_csum() non-static.
> 
> Signed-off-by: Anand Jain <anand.jain@oracle.com>

Reviewed-by: Nikolay Borisov <nborisov@suse.com>

> ---
>  fs/btrfs/disk-io.c | 2 +-
>  fs/btrfs/disk-io.h | 1 +
>  2 files changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
> index 8b4e602ed60a..6299ab18da5f 100644
> --- a/fs/btrfs/disk-io.c
> +++ b/fs/btrfs/disk-io.c
> @@ -395,7 +395,7 @@ static int verify_parent_transid(struct extent_io_tree *io_tree,
>   * Otherwise: -EINVAL  if csum type is not found
>   * 	      -EUCLEAN if csum does not match
>   */
> -static int btrfs_check_super_csum(char *raw_disk_sb)
> +int btrfs_check_super_csum(char *raw_disk_sb)
>  {
>  	struct btrfs_super_block *disk_sb =
>  		(struct btrfs_super_block *)raw_disk_sb;
> diff --git a/fs/btrfs/disk-io.h b/fs/btrfs/disk-io.h
> index 70a88d61b547..c400cc68f913 100644
> --- a/fs/btrfs/disk-io.h
> +++ b/fs/btrfs/disk-io.h
> @@ -69,6 +69,7 @@ int write_all_supers(struct btrfs_fs_info *fs_info, int max_mirrors);
>  struct buffer_head *btrfs_read_dev_super(struct block_device *bdev);
>  int btrfs_read_dev_one_super(struct block_device *bdev, int copy_num,
>  			struct buffer_head **bh_ret);
> +int btrfs_check_super_csum(char *raw_disk_sb);
>  int btrfs_commit_super(struct btrfs_fs_info *fs_info);
>  struct btrfs_root *btrfs_read_fs_root(struct btrfs_root *tree_root,
>  				      struct btrfs_key *location);
> 

[PATCH 5/8] btrfs: check if the fsid in the primary sb and copy sb are same

[Anand Jain]

During the btrfs dev scan make sure that other copies of superblock
contain the same fsid as the primary SB. So that we bring to the
user notice if the superblock has been overwritten.

 mkfs.btrfs -fq /dev/sdc
 mkfs.btrfs -fq /dev/sdb
 dd if=/dev/sdb of=/dev/sdc count=4K skip=64K seek=64K obs=1 ibs=1
 mount /dev/sdc /btrfs

Caveat: Pls note that older btrfs-progs do not wipe the non-overwriting
stale superblock like copy2 if a smaller mkfs.btrfs -b  <size>  is created.
So this patch in the kernel will report error. The workaround is to wipe
the superblock manually, like
 dd if=/dev/zero of=<dev> seek=274877906944 ibs=1 obs=1 count4K
OR apply btrfs-progs patch
  btrfs-progs: wipe copies of the stale superblock beyond -b size
which shall find and wipe the non overwriting superblock.

Signed-off-by: Anand Jain <anand.jain@oracle.com>
---
 fs/btrfs/volumes.c | 60 ++++++++++++++++++++++++++++++++++++++++++------------
 1 file changed, 47 insertions(+), 13 deletions(-)

diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
index ed22f0a3d239..45dd0674571b 100644
--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -1198,40 +1198,74 @@ static int btrfs_read_disk_super(struct block_device *bdev, u64 bytenr,
 int btrfs_scan_one_device(const char *path, fmode_t flags, void *holder,
 			  struct btrfs_fs_devices **fs_devices_ret)
 {
+	struct btrfs_super_block *disk_super_primary;
 	struct btrfs_super_block *disk_super;
 	struct btrfs_device *device;
 	struct block_device *bdev;
 	struct page *page;
 	int ret = 0;
-	u64 bytenr;
+	int i;
 
-	/*
-	 * we would like to check all the supers, but that would make
-	 * a btrfs mount succeed after a mkfs from a different FS.
-	 * So, we need to add a special mount option to scan for
-	 * later supers, using BTRFS_SUPER_MIRROR_MAX instead
-	 */
-	bytenr = btrfs_sb_offset(0);
 	flags |= FMODE_EXCL;
 
 	bdev = blkdev_get_by_path(path, flags, holder);
 	if (IS_ERR(bdev))
 		return PTR_ERR(bdev);
 
-	ret = btrfs_read_disk_super(bdev, bytenr, &page, &disk_super);
-	if (ret)
+	disk_super_primary = kzalloc(sizeof(*disk_super_primary), GFP_KERNEL);
+	if (!disk_super_primary) {
+		ret = -ENOMEM;
 		goto error_bdev_put;
+	}
+
+	/*
+	 * We would like to check all the supers and use one good copy,
+	 * but that would make a btrfs mount succeed after a mkfs from
+	 * a different FS.
+	 * So, we need to add a special mount option to scan for
+	 * later supers, using BTRFS_SUPER_MIRROR_MAX instead.
+	 * So, just validate if all copies of the superblocks are ok
+	 * and have the same fsid.
+	 */
+	for (i = 0; i < BTRFS_SUPER_MIRROR_MAX; i++) {
+		u64 bytenr = btrfs_sb_offset(i);
+
+		ret = btrfs_read_disk_super(bdev, bytenr, &page, &disk_super);
+		if (ret) {
+			if (i == 0)
+				goto error_kfree;
+			/* copy2 is optional */
+			ret = 0;
+			continue;
+		}
+
+		if (i == 0) {
+			memcpy(disk_super_primary, disk_super,
+			       sizeof(*disk_super_primary));
+			btrfs_release_disk_super(page);
+			continue;
+		} else if (memcmp(disk_super_primary->fsid, disk_super->fsid,
+			   BTRFS_FSID_SIZE)) {
+			pr_err("BTRFS (device %pg): superblock fsid missmatch "\
+				"primary %pU copy%d %pU", bdev,
+				disk_super_primary->fsid, i, disk_super->fsid);
+			ret = -EINVAL;
+			btrfs_release_disk_super(page);
+			goto error_kfree;
+		}
+		btrfs_release_disk_super(page);
+	}
 
 	mutex_lock(&uuid_mutex);
-	device = device_list_add(path, disk_super);
+	device = device_list_add(path, disk_super_primary);
 	if (IS_ERR(device))
 		ret = PTR_ERR(device);
 	else
 		*fs_devices_ret = device->fs_devices;
 	mutex_unlock(&uuid_mutex);
 
-	btrfs_release_disk_super(page);
-
+error_kfree:
+	kfree(disk_super_primary);
 error_bdev_put:
 	blkdev_put(bdev, flags);
 
-- 
2.7.0

Re: [PATCH 5/8] btrfs: check if the fsid in the primary sb and copy sb are same

[Nikolay Borisov]

On 26.03.2018 11:27, Anand Jain wrote:
> During the btrfs dev scan make sure that other copies of superblock
> contain the same fsid as the primary SB. So that we bring to the
> user notice if the superblock has been overwritten.
> 
>  mkfs.btrfs -fq /dev/sdc
>  mkfs.btrfs -fq /dev/sdb
>  dd if=/dev/sdb of=/dev/sdc count=4K skip=64K seek=64K obs=1 ibs=1
>  mount /dev/sdc /btrfs
> 
> Caveat: Pls note that older btrfs-progs do not wipe the non-overwriting
> stale superblock like copy2 if a smaller mkfs.btrfs -b  <size>  is created.
> So this patch in the kernel will report error. The workaround is to wipe
> the superblock manually, like
>  dd if=/dev/zero of=<dev> seek=274877906944 ibs=1 obs=1 count4K
> OR apply btrfs-progs patch
>   btrfs-progs: wipe copies of the stale superblock beyond -b size
> which shall find and wipe the non overwriting superblock.
> 
> Signed-off-by: Anand Jain <anand.jain@oracle.com>
> ---
>  fs/btrfs/volumes.c | 60 ++++++++++++++++++++++++++++++++++++++++++------------
>  1 file changed, 47 insertions(+), 13 deletions(-)
> 
> diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
> index ed22f0a3d239..45dd0674571b 100644
> --- a/fs/btrfs/volumes.c
> +++ b/fs/btrfs/volumes.c
> @@ -1198,40 +1198,74 @@ static int btrfs_read_disk_super(struct block_device *bdev, u64 bytenr,
>  int btrfs_scan_one_device(const char *path, fmode_t flags, void *holder,
>  			  struct btrfs_fs_devices **fs_devices_ret)
>  {
> +	struct btrfs_super_block *disk_super_primary;
>  	struct btrfs_super_block *disk_super;
>  	struct btrfs_device *device;
>  	struct block_device *bdev;
>  	struct page *page;
>  	int ret = 0;
> -	u64 bytenr;
> +	int i;
>  
> -	/*
> -	 * we would like to check all the supers, but that would make
> -	 * a btrfs mount succeed after a mkfs from a different FS.
> -	 * So, we need to add a special mount option to scan for
> -	 * later supers, using BTRFS_SUPER_MIRROR_MAX instead
> -	 */
> -	bytenr = btrfs_sb_offset(0);
>  	flags |= FMODE_EXCL;
>  
>  	bdev = blkdev_get_by_path(path, flags, holder);
>  	if (IS_ERR(bdev))
>  		return PTR_ERR(bdev);
>  
> -	ret = btrfs_read_disk_super(bdev, bytenr, &page, &disk_super);
> -	if (ret)
> +	disk_super_primary = kzalloc(sizeof(*disk_super_primary), GFP_KERNEL);
> +	if (!disk_super_primary) {
> +		ret = -ENOMEM;
>  		goto error_bdev_put;
> +	}
> +
> +	/*
> +	 * We would like to check all the supers and use one good copy,
> +	 * but that would make a btrfs mount succeed after a mkfs from
> +	 * a different FS.
> +	 * So, we need to add a special mount option to scan for
> +	 * later supers, using BTRFS_SUPER_MIRROR_MAX instead.
> +	 * So, just validate if all copies of the superblocks are ok
> +	 * and have the same fsid.
> +	 */
> +	for (i = 0; i < BTRFS_SUPER_MIRROR_MAX; i++) {
> +		u64 bytenr = btrfs_sb_offset(i);
> +
> +		ret = btrfs_read_disk_super(bdev, bytenr, &page, &disk_super);
> +		if (ret) {
> +			if (i == 0)
> +				goto error_kfree;
> +			/* copy2 is optional */
> +			ret = 0;
> +			continue;
> +		}
> +
> +		if (i == 0) {
> +			memcpy(disk_super_primary, disk_super,
> +			       sizeof(*disk_super_primary));
> +			btrfs_release_disk_super(page);
> +			continue;

Doing the memcpy is enough here, the bottom of the loop already releases
the disk page and continues on the next iteration.

> +		} else if (memcmp(disk_super_primary->fsid, disk_super->fsid,
> +			   BTRFS_FSID_SIZE)) {
> +			pr_err("BTRFS (device %pg): superblock fsid missmatch "\
> +				"primary %pU copy%d %pU", bdev,
> +				disk_super_primary->fsid, i, disk_super->fsid);
> +			ret = -EINVAL;
> +			btrfs_release_disk_super(page);
> +			goto error_kfree;
> +		}
> +		btrfs_release_disk_super(page);

I'd say split the "read first sb" from the loop, because alway want to
read it and return an error if it fails. And then have the loop begin at
i = 1 and handle only the possible mirrors of the sb. That would clean
up the nested 'if' in handling the ret.

Also you could introduce another struct *page primary_page where you
read the first super block. That way you save a memcpy + kzalloc but
you'd have to always free it on function exit so I am not sure how much
value it brings in terms of readability.

> +	}
>  
>  	mutex_lock(&uuid_mutex);
> -	device = device_list_add(path, disk_super);
> +	device = device_list_add(path, disk_super_primary);
>  	if (IS_ERR(device))
>  		ret = PTR_ERR(device);
>  	else
>  		*fs_devices_ret = device->fs_devices;
>  	mutex_unlock(&uuid_mutex);
>  
> -	btrfs_release_disk_super(page);
> -
> +error_kfree:
> +	kfree(disk_super_primary);
>  error_bdev_put:
>  	blkdev_put(bdev, flags);
>  
> 

Re: [PATCH 5/8] btrfs: check if the fsid in the primary sb and copy sb are same

[Anand Jain]

On 03/27/2018 04:49 PM, Nikolay Borisov wrote:
> 
> 
> On 26.03.2018 11:27, Anand Jain wrote:
>> During the btrfs dev scan make sure that other copies of superblock
>> contain the same fsid as the primary SB. So that we bring to the
>> user notice if the superblock has been overwritten.
>>
>>   mkfs.btrfs -fq /dev/sdc
>>   mkfs.btrfs -fq /dev/sdb
>>   dd if=/dev/sdb of=/dev/sdc count=4K skip=64K seek=64K obs=1 ibs=1
>>   mount /dev/sdc /btrfs
>>
>> Caveat: Pls note that older btrfs-progs do not wipe the non-overwriting
>> stale superblock like copy2 if a smaller mkfs.btrfs -b  <size>  is created.
>> So this patch in the kernel will report error. The workaround is to wipe
>> the superblock manually, like
>>   dd if=/dev/zero of=<dev> seek=274877906944 ibs=1 obs=1 count4K
>> OR apply btrfs-progs patch
>>    btrfs-progs: wipe copies of the stale superblock beyond -b size
>> which shall find and wipe the non overwriting superblock.
>>
>> Signed-off-by: Anand Jain <anand.jain@oracle.com>
>> ---
>>   fs/btrfs/volumes.c | 60 ++++++++++++++++++++++++++++++++++++++++++------------
>>   1 file changed, 47 insertions(+), 13 deletions(-)
>>
>> diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
>> index ed22f0a3d239..45dd0674571b 100644
>> --- a/fs/btrfs/volumes.c
>> +++ b/fs/btrfs/volumes.c
>> @@ -1198,40 +1198,74 @@ static int btrfs_read_disk_super(struct block_device *bdev, u64 bytenr,
>>   int btrfs_scan_one_device(const char *path, fmode_t flags, void *holder,
>>   			  struct btrfs_fs_devices **fs_devices_ret)
>>   {
>> +	struct btrfs_super_block *disk_super_primary;
>>   	struct btrfs_super_block *disk_super;
>>   	struct btrfs_device *device;
>>   	struct block_device *bdev;
>>   	struct page *page;
>>   	int ret = 0;
>> -	u64 bytenr;
>> +	int i;
>>   
>> -	/*
>> -	 * we would like to check all the supers, but that would make
>> -	 * a btrfs mount succeed after a mkfs from a different FS.
>> -	 * So, we need to add a special mount option to scan for
>> -	 * later supers, using BTRFS_SUPER_MIRROR_MAX instead
>> -	 */
>> -	bytenr = btrfs_sb_offset(0);
>>   	flags |= FMODE_EXCL;
>>   
>>   	bdev = blkdev_get_by_path(path, flags, holder);
>>   	if (IS_ERR(bdev))
>>   		return PTR_ERR(bdev);
>>   
>> -	ret = btrfs_read_disk_super(bdev, bytenr, &page, &disk_super);
>> -	if (ret)
>> +	disk_super_primary = kzalloc(sizeof(*disk_super_primary), GFP_KERNEL);
>> +	if (!disk_super_primary) {
>> +		ret = -ENOMEM;
>>   		goto error_bdev_put;
>> +	}
>> +
>> +	/*
>> +	 * We would like to check all the supers and use one good copy,
>> +	 * but that would make a btrfs mount succeed after a mkfs from
>> +	 * a different FS.
>> +	 * So, we need to add a special mount option to scan for
>> +	 * later supers, using BTRFS_SUPER_MIRROR_MAX instead.
>> +	 * So, just validate if all copies of the superblocks are ok
>> +	 * and have the same fsid.
>> +	 */
>> +	for (i = 0; i < BTRFS_SUPER_MIRROR_MAX; i++) {
>> +		u64 bytenr = btrfs_sb_offset(i);
>> +
>> +		ret = btrfs_read_disk_super(bdev, bytenr, &page, &disk_super);
>> +		if (ret) {
>> +			if (i == 0)
>> +				goto error_kfree;
>> +			/* copy2 is optional */
>> +			ret = 0;
>> +			continue;
>> +		}
>> +
>> +		if (i == 0) {
>> +			memcpy(disk_super_primary, disk_super,
>> +			       sizeof(*disk_super_primary));
>> +			btrfs_release_disk_super(page);
>> +			continue;
> 
> Doing the memcpy is enough here, the bottom of the loop already releases
> the disk page and continues on the next iteration.

  The page map happens inside btrfs_read_disk_super(), we
  need unmap before going for the next superblock.


>> +		} else if (memcmp(disk_super_primary->fsid, disk_super->fsid,
>> +			   BTRFS_FSID_SIZE)) {
>> +			pr_err("BTRFS (device %pg): superblock fsid missmatch "\
>> +				"primary %pU copy%d %pU", bdev,
>> +				disk_super_primary->fsid, i, disk_super->fsid);
>> +			ret = -EINVAL;
>> +			btrfs_release_disk_super(page);
>> +			goto error_kfree;
>> +		}
>> +		btrfs_release_disk_super(page);
> 
> I'd say split the "read first sb" from the loop, because alway want to
> read it and return an error if it fails. And then have the loop begin at
> i = 1 and handle only the possible mirrors of the sb. That would clean
> up the nested 'if' in handling the ret.
> 
> Also you could introduce another struct *page primary_page where you
> read the first super block. That way you save a memcpy + kzalloc but
> you'd have to always free it on function exit so I am not sure how much
> value it brings in terms of readability.

  Right. Also with this approach I don't have to kzallo() anymore. Will fix.

Thanks, Anand

>> +	}
>>   
>>   	mutex_lock(&uuid_mutex);
>> -	device = device_list_add(path, disk_super);
>> +	device = device_list_add(path, disk_super_primary);
>>   	if (IS_ERR(device))
>>   		ret = PTR_ERR(device);
>>   	else
>>   		*fs_devices_ret = device->fs_devices;
>>   	mutex_unlock(&uuid_mutex);
>>   
>> -	btrfs_release_disk_super(page);
>> -
>> +error_kfree:
>> +	kfree(disk_super_primary);
>>   error_bdev_put:
>>   	blkdev_put(bdev, flags);
>>   
>>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

Re: [PATCH 5/8] btrfs: check if the fsid in the primary sb and copy sb are same

[Nikolay Borisov]

On 28.03.2018 01:06, Anand Jain wrote:
> 
> 
> On 03/27/2018 04:49 PM, Nikolay Borisov wrote:
>>
>>
>> On 26.03.2018 11:27, Anand Jain wrote:
>>> During the btrfs dev scan make sure that other copies of superblock
>>> contain the same fsid as the primary SB. So that we bring to the
>>> user notice if the superblock has been overwritten.
>>>
>>>   mkfs.btrfs -fq /dev/sdc
>>>   mkfs.btrfs -fq /dev/sdb
>>>   dd if=/dev/sdb of=/dev/sdc count=4K skip=64K seek=64K obs=1 ibs=1
>>>   mount /dev/sdc /btrfs
>>>
>>> Caveat: Pls note that older btrfs-progs do not wipe the non-overwriting
>>> stale superblock like copy2 if a smaller mkfs.btrfs -b  <size>  is
>>> created.
>>> So this patch in the kernel will report error. The workaround is to wipe
>>> the superblock manually, like
>>>   dd if=/dev/zero of=<dev> seek=274877906944 ibs=1 obs=1 count4K
>>> OR apply btrfs-progs patch
>>>    btrfs-progs: wipe copies of the stale superblock beyond -b size
>>> which shall find and wipe the non overwriting superblock.
>>>
>>> Signed-off-by: Anand Jain <anand.jain@oracle.com>
>>> ---
>>>   fs/btrfs/volumes.c | 60
>>> ++++++++++++++++++++++++++++++++++++++++++------------
>>>   1 file changed, 47 insertions(+), 13 deletions(-)
>>>
>>> diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
>>> index ed22f0a3d239..45dd0674571b 100644
>>> --- a/fs/btrfs/volumes.c
>>> +++ b/fs/btrfs/volumes.c
>>> @@ -1198,40 +1198,74 @@ static int btrfs_read_disk_super(struct
>>> block_device *bdev, u64 bytenr,
>>>   int btrfs_scan_one_device(const char *path, fmode_t flags, void
>>> *holder,
>>>                 struct btrfs_fs_devices **fs_devices_ret)
>>>   {
>>> +    struct btrfs_super_block *disk_super_primary;
>>>       struct btrfs_super_block *disk_super;
>>>       struct btrfs_device *device;
>>>       struct block_device *bdev;
>>>       struct page *page;
>>>       int ret = 0;
>>> -    u64 bytenr;
>>> +    int i;
>>>   -    /*
>>> -     * we would like to check all the supers, but that would make
>>> -     * a btrfs mount succeed after a mkfs from a different FS.
>>> -     * So, we need to add a special mount option to scan for
>>> -     * later supers, using BTRFS_SUPER_MIRROR_MAX instead
>>> -     */
>>> -    bytenr = btrfs_sb_offset(0);
>>>       flags |= FMODE_EXCL;
>>>         bdev = blkdev_get_by_path(path, flags, holder);
>>>       if (IS_ERR(bdev))
>>>           return PTR_ERR(bdev);
>>>   -    ret = btrfs_read_disk_super(bdev, bytenr, &page, &disk_super);
>>> -    if (ret)
>>> +    disk_super_primary = kzalloc(sizeof(*disk_super_primary),
>>> GFP_KERNEL);
>>> +    if (!disk_super_primary) {
>>> +        ret = -ENOMEM;
>>>           goto error_bdev_put;
>>> +    }
>>> +
>>> +    /*
>>> +     * We would like to check all the supers and use one good copy,
>>> +     * but that would make a btrfs mount succeed after a mkfs from
>>> +     * a different FS.
>>> +     * So, we need to add a special mount option to scan for
>>> +     * later supers, using BTRFS_SUPER_MIRROR_MAX instead.
>>> +     * So, just validate if all copies of the superblocks are ok
>>> +     * and have the same fsid.
>>> +     */
>>> +    for (i = 0; i < BTRFS_SUPER_MIRROR_MAX; i++) {
>>> +        u64 bytenr = btrfs_sb_offset(i);
>>> +
>>> +        ret = btrfs_read_disk_super(bdev, bytenr, &page, &disk_super);
>>> +        if (ret) {
>>> +            if (i == 0)
>>> +                goto error_kfree;
>>> +            /* copy2 is optional */
>>> +            ret = 0;
>>> +            continue;
>>> +        }
>>> +
>>> +        if (i == 0) {
>>> +            memcpy(disk_super_primary, disk_super,
>>> +                   sizeof(*disk_super_primary));
>>> +            btrfs_release_disk_super(page);
>>> +            continue;
>>
>> Doing the memcpy is enough here, the bottom of the loop already releases
>> the disk page and continues on the next iteration.
> 
>  The page map happens inside btrfs_read_disk_super(), we
>  need unmap before going for the next superblock.

You already have  btrfs_release_disk_super(page); called at the end of
the iteration, right after the closing bracket for the else, see below...

> 
> 
>>> +        } else if (memcmp(disk_super_primary->fsid, disk_super->fsid,
>>> +               BTRFS_FSID_SIZE)) {
>>> +            pr_err("BTRFS (device %pg): superblock fsid missmatch "\
>>> +                "primary %pU copy%d %pU", bdev,
>>> +                disk_super_primary->fsid, i, disk_super->fsid);
>>> +            ret = -EINVAL;
>>> +            btrfs_release_disk_super(page);
>>> +            goto error_kfree;
>>> +        }
>>> +        btrfs_release_disk_super(page);
                ^^^^^^^^^^^^^^^^^^^^^^^
Here
>>
>> I'd say split the "read first sb" from the loop, because alway want to
>> read it and return an error if it fails. And then have the loop begin at
>> i = 1 and handle only the possible mirrors of the sb. That would clean
>> up the nested 'if' in handling the ret.
>>
>> Also you could introduce another struct *page primary_page where you
>> read the first super block. That way you save a memcpy + kzalloc but
>> you'd have to always free it on function exit so I am not sure how much
>> value it brings in terms of readability.
> 
>  Right. Also with this approach I don't have to kzallo() anymore. Will fix.
> 
> Thanks, Anand
> 
>>> +    }
>>>         mutex_lock(&uuid_mutex);
>>> -    device = device_list_add(path, disk_super);
>>> +    device = device_list_add(path, disk_super_primary);
>>>       if (IS_ERR(device))
>>>           ret = PTR_ERR(device);
>>>       else
>>>           *fs_devices_ret = device->fs_devices;
>>>       mutex_unlock(&uuid_mutex);
>>>   -    btrfs_release_disk_super(page);
>>> -
>>> +error_kfree:
>>> +    kfree(disk_super_primary);
>>>   error_bdev_put:
>>>       blkdev_put(bdev, flags);
>>>  
>> -- 
>> To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>
> 

Re: [PATCH 5/8] btrfs: check if the fsid in the primary sb and copy sb are same

[Anand Jain]

>>>> +    for (i = 0; i < BTRFS_SUPER_MIRROR_MAX; i++) {
>>>> +        u64 bytenr = btrfs_sb_offset(i);
>>>> +
>>>> +        ret = btrfs_read_disk_super(bdev, bytenr, &page, &disk_super);
>>>> +        if (ret) {
>>>> +            if (i == 0)
>>>> +                goto error_kfree;
>>>> +            /* copy2 is optional */
>>>> +            ret = 0;
>>>> +            continue;
>>>> +        }
>>>> +
>>>> +        if (i == 0) {
>>>> +            memcpy(disk_super_primary, disk_super,
>>>> +                   sizeof(*disk_super_primary));
>>>> +            btrfs_release_disk_super(page);
>>>> +            continue;
>>>
>>> Doing the memcpy is enough here, the bottom of the loop already releases
>>> the disk page and continues on the next iteration.
>>
>>   The page map happens inside btrfs_read_disk_super(), we
>>   need unmap before going for the next superblock.
> 
> You already have  btrfs_release_disk_super(page); called at the end of
> the iteration, right after the closing bracket for the else, see below...

   Ah. You meant only memcpy. Yes.
   This part of the code is completely changed in V2. Thanks.

[PATCH 6/8] btrfs: verify checksum when superblock is read for scan

[Anand Jain]

During the scan context, we aren't verifying the superblock-
checksum when read.
This patch fixes it by adding the checksum verification function
btrfs_check_super_csum() in the function btrfs_read_disk_super().
And makes device scan to error fail if the primary superblock csum
is wrong, whereas if the copy-superblock csum is wrong it will just
just report missmatch and continue mount/scan as usual. When the
mount is successful We anyway overwrite all superblocks upon unmount.

The context in which this will be called is - device scan, device ready,
and mount -o device option.

Test script:

 Corrupt primary superblock and check if device scan and mount
 fails:
 mkfs.btrfs -fq /dev/sdc
 dd if=/dev/urandom of=/dev/sdc ibs=1 obs=1 count=1 seek=64K
 btrfs dev scan
 mount /dev/sdb /btrfs

 Corrupt secondary superblock and check if device scan and mount
 is succcessful, check for the dmesg for errors.
 mkfs.btrfs -fq /dev/sdc
 dd if=/dev/urandom of=/dev/sdc ibs=1 obs=1 count=1 seek=64K
 btrfs dev scan
 mount /dev/sdb /btrfs

Signed-off-by: Anand Jain <anand.jain@oracle.com>
---
 fs/btrfs/volumes.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
index 45dd0674571b..384e503c83ff 100644
--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -1149,6 +1149,7 @@ static int btrfs_read_disk_super(struct block_device *bdev, u64 bytenr,
 				 struct page **page,
 				 struct btrfs_super_block **disk_super)
 {
+	int err;
 	void *p;
 	pgoff_t index;
 
@@ -1177,6 +1178,20 @@ static int btrfs_read_disk_super(struct block_device *bdev, u64 bytenr,
 	/* align our pointer to the offset of the super block */
 	*disk_super = p + (bytenr & ~PAGE_MASK);
 
+	err = btrfs_check_super_csum((char *) *disk_super);
+	if (err) {
+		if (err == -EINVAL)
+			pr_err("BTRFS error (device %pg): "\
+				"unsupported checksum type, bytenr=%llu",
+				bdev, bytenr);
+		else
+			pr_err("BTRFS error (device %pg): "\
+				"superblock checksum failed, bytenr=%llu",
+				bdev, bytenr);
+		btrfs_release_disk_super(*page);
+		return err;
+	}
+
 	if (btrfs_super_bytenr(*disk_super) != bytenr ||
 	    btrfs_super_magic(*disk_super) != BTRFS_MAGIC) {
 		btrfs_release_disk_super(*page);
-- 
2.7.0

Re: [PATCH 6/8] btrfs: verify checksum when superblock is read for scan

[Nikolay Borisov]

On 26.03.2018 11:27, Anand Jain wrote:
> During the scan context, we aren't verifying the superblock-
> checksum when read.
> This patch fixes it by adding the checksum verification function
> btrfs_check_super_csum() in the function btrfs_read_disk_super().
> And makes device scan to error fail if the primary superblock csum
> is wrong, whereas if the copy-superblock csum is wrong it will just
> just report missmatch and continue mount/scan as usual. When the
> mount is successful We anyway overwrite all superblocks upon unmount.
> 
> The context in which this will be called is - device scan, device ready,
> and mount -o device option.
> 
> Test script:
> 
>  Corrupt primary superblock and check if device scan and mount
>  fails:
>  mkfs.btrfs -fq /dev/sdc
>  dd if=/dev/urandom of=/dev/sdc ibs=1 obs=1 count=1 seek=64K
>  btrfs dev scan
>  mount /dev/sdb /btrfs
> 
>  Corrupt secondary superblock and check if device scan and mount
>  is succcessful, check for the dmesg for errors.
>  mkfs.btrfs -fq /dev/sdc
>  dd if=/dev/urandom of=/dev/sdc ibs=1 obs=1 count=1 seek=64K
>  btrfs dev scan
>  mount /dev/sdb /btrfs

Have you considered adding fstests, it will be very easy to test for
this behavior?

> 
> Signed-off-by: Anand Jain <anand.jain@oracle.com>
> ---
>  fs/btrfs/volumes.c | 15 +++++++++++++++
>  1 file changed, 15 insertions(+)
> 
> diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
> index 45dd0674571b..384e503c83ff 100644
> --- a/fs/btrfs/volumes.c
> +++ b/fs/btrfs/volumes.c
> @@ -1149,6 +1149,7 @@ static int btrfs_read_disk_super(struct block_device *bdev, u64 bytenr,
>  				 struct page **page,
>  				 struct btrfs_super_block **disk_super)
>  {
> +	int err;
>  	void *p;
>  	pgoff_t index;
>  
> @@ -1177,6 +1178,20 @@ static int btrfs_read_disk_super(struct block_device *bdev, u64 bytenr,
>  	/* align our pointer to the offset of the super block */
>  	*disk_super = p + (bytenr & ~PAGE_MASK);
>  
> +	err = btrfs_check_super_csum((char *) *disk_super);
> +	if (err) {
if (err < 0)
> +		if (err == -EINVAL)
> +			pr_err("BTRFS error (device %pg): "\
> +				"unsupported checksum type, bytenr=%llu",
> +				bdev, bytenr);

Same comment as before regarding string literals splitting across lines.

> +		else
> +			pr_err("BTRFS error (device %pg): "\
> +				"superblock checksum failed, bytenr=%llu",
> +				bdev, bytenr);
> +		btrfs_release_disk_super(*page);
> +		return err;
> +	}
> +
>  	if (btrfs_super_bytenr(*disk_super) != bytenr ||
>  	    btrfs_super_magic(*disk_super) != BTRFS_MAGIC) {
>  		btrfs_release_disk_super(*page);
> 

Re: [PATCH 6/8] btrfs: verify checksum when superblock is read for scan

[Nikolay Borisov]

On 27.03.2018 14:30, Nikolay Borisov wrote:
> 
> 
> On 26.03.2018 11:27, Anand Jain wrote:
>> During the scan context, we aren't verifying the superblock-
>> checksum when read.
>> This patch fixes it by adding the checksum verification function
>> btrfs_check_super_csum() in the function btrfs_read_disk_super().
>> And makes device scan to error fail if the primary superblock csum
>> is wrong, whereas if the copy-superblock csum is wrong it will just
>> just report missmatch and continue mount/scan as usual. When the
>> mount is successful We anyway overwrite all superblocks upon unmount.
>>
>> The context in which this will be called is - device scan, device ready,
>> and mount -o device option.
>>
>> Test script:
>>
>>  Corrupt primary superblock and check if device scan and mount
>>  fails:
>>  mkfs.btrfs -fq /dev/sdc
>>  dd if=/dev/urandom of=/dev/sdc ibs=1 obs=1 count=1 seek=64K
>>  btrfs dev scan
>>  mount /dev/sdb /btrfs
>>
>>  Corrupt secondary superblock and check if device scan and mount
>>  is succcessful, check for the dmesg for errors.
>>  mkfs.btrfs -fq /dev/sdc
>>  dd if=/dev/urandom of=/dev/sdc ibs=1 obs=1 count=1 seek=64K
>>  btrfs dev scan
>>  mount /dev/sdb /btrfs
> 
> Have you considered adding fstests, it will be very easy to test for
> this behavior?
> 
>>
>> Signed-off-by: Anand Jain <anand.jain@oracle.com>
>> ---
>>  fs/btrfs/volumes.c | 15 +++++++++++++++
>>  1 file changed, 15 insertions(+)
>>
>> diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
>> index 45dd0674571b..384e503c83ff 100644
>> --- a/fs/btrfs/volumes.c
>> +++ b/fs/btrfs/volumes.c
>> @@ -1149,6 +1149,7 @@ static int btrfs_read_disk_super(struct block_device *bdev, u64 bytenr,
>>  				 struct page **page,
>>  				 struct btrfs_super_block **disk_super)
>>  {
>> +	int err;
>>  	void *p;
>>  	pgoff_t index;
>>  
>> @@ -1177,6 +1178,20 @@ static int btrfs_read_disk_super(struct block_device *bdev, u64 bytenr,
>>  	/* align our pointer to the offset of the super block */
>>  	*disk_super = p + (bytenr & ~PAGE_MASK);
>>  
>> +	err = btrfs_check_super_csum((char *) *disk_super);
>> +	if (err) {
> if (err < 0)
>> +		if (err == -EINVAL)
>> +			pr_err("BTRFS error (device %pg): "\
>> +				"unsupported checksum type, bytenr=%llu",
>> +				bdev, bytenr);
> 
> Same comment as before regarding string literals splitting across lines.
> 
>> +		else
>> +			pr_err("BTRFS error (device %pg): "\
>> +				"superblock checksum failed, bytenr=%llu",
>> +				bdev, bytenr);
>> +		btrfs_release_disk_super(*page);
>> +		return err;
>> +	}

Also it will be better to have the checksum check after we have verified
some basic invariants - that bytenr and magic have sane values.

>> +
>>  	if (btrfs_super_bytenr(*disk_super) != bytenr ||
>>  	    btrfs_super_magic(*disk_super) != BTRFS_MAGIC) {
>>  		btrfs_release_disk_super(*page);
>>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

Re: [PATCH 6/8] btrfs: verify checksum when superblock is read for scan

[Anand Jain]

>>> Test script:
>>>
>>>   Corrupt primary superblock and check if device scan and mount
>>>   fails:
>>>   mkfs.btrfs -fq /dev/sdc
>>>   dd if=/dev/urandom of=/dev/sdc ibs=1 obs=1 count=1 seek=64K
>>>   btrfs dev scan
>>>   mount /dev/sdb /btrfs
>>>
>>>   Corrupt secondary superblock and check if device scan and mount
>>>   is succcessful, check for the dmesg for errors.
>>>   mkfs.btrfs -fq /dev/sdc
>>>   dd if=/dev/urandom of=/dev/sdc ibs=1 obs=1 count=1 seek=64K
>>>   btrfs dev scan
>>>   mount /dev/sdb /btrfs
>>
>> Have you considered adding fstests, it will be very easy to test for
>> this behavior?

  This is one off kind of bug, not sure if it would value add
  for checking it all the time in xfstests?


>> Same comment as before regarding string literals splitting across lines.

accepted.


>>> +		else
>>> +			pr_err("BTRFS error (device %pg): "\
>>> +				"superblock checksum failed, bytenr=%llu",
>>> +				bdev, bytenr);
>>> +		btrfs_release_disk_super(*page);
>>> +		return err;
>>> +	}
> 
> Also it will be better to have the checksum check after we have verified
> some basic invariants - that bytenr and magic have sane values.

  accepted.

Thanks,
Anand

Re: [PATCH 6/8] btrfs: verify checksum when superblock is read for scan

[Nikolay Borisov]

On 28.03.2018 02:01, Anand Jain wrote:
> 
> 
>>>> Test script:
>>>>
>>>>   Corrupt primary superblock and check if device scan and mount
>>>>   fails:
>>>>   mkfs.btrfs -fq /dev/sdc
>>>>   dd if=/dev/urandom of=/dev/sdc ibs=1 obs=1 count=1 seek=64K
>>>>   btrfs dev scan
>>>>   mount /dev/sdb /btrfs
>>>>
>>>>   Corrupt secondary superblock and check if device scan and mount
>>>>   is succcessful, check for the dmesg for errors.
>>>>   mkfs.btrfs -fq /dev/sdc
>>>>   dd if=/dev/urandom of=/dev/sdc ibs=1 obs=1 count=1 seek=64K
>>>>   btrfs dev scan
>>>>   mount /dev/sdb /btrfs
>>>
>>> Have you considered adding fstests, it will be very easy to test for
>>> this behavior?
> 
>  This is one off kind of bug, not sure if it would value add
>  for checking it all the time in xfstests?
> 

It's some btrfs-specific behavior which in order to not regress in the
future it will be best to have tests for. IMO whatever we can test
should be tested to ensure maintainability. I think a btrfs-specific
test wouldn't hurt here.

> 
>>> Same comment as before regarding string literals splitting across lines.
> 
> accepted.
> 
> 
>>>> +        else
>>>> +            pr_err("BTRFS error (device %pg): "\
>>>> +                "superblock checksum failed, bytenr=%llu",
>>>> +                bdev, bytenr);
>>>> +        btrfs_release_disk_super(*page);
>>>> +        return err;
>>>> +    }
>>
>> Also it will be better to have the checksum check after we have verified
>> some basic invariants - that bytenr and magic have sane values.
> 
>  accepted.
> 
> Thanks,
> Anand
> 

[PATCH 7/8] btrfs: verify checksum for all devices in mount context

[Anand Jain]

During mount context, we aren't verifying the superblock checksum
for all the devices, instead, we verify it only for the
struct btrfs_fs_device::latest_bdev. This patch fixes it
by moving the checksum verification code from the function open_ctree()
into the function btrfs_read_dev_one_super().

By doing this now we are verifying the superblock checksum
in the mount-context, device-replace and, device-delete context.

Signed-off-by: Anand Jain <anand.jain@oracle.com>
---
 fs/btrfs/disk-io.c | 35 +++++++++++++++++------------------
 1 file changed, 17 insertions(+), 18 deletions(-)

diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
index 6299ab18da5f..3cc50041c0b9 100644
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -2565,24 +2565,6 @@ int open_ctree(struct super_block *sb,
 	}
 
 	/*
-	 * We want to check superblock checksum, the type is stored inside.
-	 * Pass the whole disk block of size BTRFS_SUPER_INFO_SIZE (4k).
-	 */
-	err = btrfs_check_super_csum(bh->b_data);
-	if (err) {
-		if (err == -EINVAL)
-			pr_err("BTRFS error (device %pg): "\
-				"unsupported checksum algorithm",
-				fs_devices->latest_bdev);
-		else
-			pr_err("BTRFS error (device %pg): "\
-				"superblock checksum mismatch",
-				fs_devices->latest_bdev);
-		brelse(bh);
-		goto fail_alloc;
-	}
-
-	/*
 	 * super_copy is zeroed at allocation time and we never touch the
 	 * following bytes up to INFO_SIZE, the checksum is calculated from
 	 * the whole block of INFO_SIZE
@@ -3128,6 +3110,7 @@ int btrfs_read_dev_one_super(struct block_device *bdev, int copy_num,
 	struct buffer_head *bh;
 	struct btrfs_super_block *super;
 	u64 bytenr;
+	int err;
 
 	bytenr = btrfs_sb_offset(copy_num);
 	if (bytenr + BTRFS_SUPER_INFO_SIZE >= i_size_read(bdev->bd_inode))
@@ -3148,6 +3131,22 @@ int btrfs_read_dev_one_super(struct block_device *bdev, int copy_num,
 		return -EINVAL;
 	}
 
+	/*
+	 * Check the superblock checksum, the type is stored inside.
+	 * Pass the whole disk block of size BTRFS_SUPER_INFO_SIZE (4k).
+	 */
+	err = btrfs_check_super_csum(bh->b_data);
+	if (err) {
+		if (err == -EINVAL)
+			pr_err("BTRFS error (device %pg): unsupported checksum algorithm",
+				bdev);
+		else if (err == -EUCLEAN)
+			pr_err("BTRFS error (device %pg): superblock checksum mismatch",
+				bdev);
+		brelse(bh);
+		return err;
+	}
+
 	*bh_ret = bh;
 	return 0;
 }
-- 
2.7.0

Re: [PATCH 7/8] btrfs: verify checksum for all devices in mount context

[Nikolay Borisov]

On 26.03.2018 11:27, Anand Jain wrote:
> During mount context, we aren't verifying the superblock checksum
> for all the devices, instead, we verify it only for the
> struct btrfs_fs_device::latest_bdev. This patch fixes it
> by moving the checksum verification code from the function open_ctree()
> into the function btrfs_read_dev_one_super().
> 
> By doing this now we are verifying the superblock checksum
> in the mount-context, device-replace and, device-delete context.

Which call chain provides the device-replace and device-delete contexts?
I think it is worth it documenting them in the changelog.

> 
> Signed-off-by: Anand Jain <anand.jain@oracle.com>

Reviewed-by: Nikolay Borisov <nborisov@suse.com>

> ---
>  fs/btrfs/disk-io.c | 35 +++++++++++++++++------------------
>  1 file changed, 17 insertions(+), 18 deletions(-)
> 
> diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
> index 6299ab18da5f..3cc50041c0b9 100644
> --- a/fs/btrfs/disk-io.c
> +++ b/fs/btrfs/disk-io.c
> @@ -2565,24 +2565,6 @@ int open_ctree(struct super_block *sb,
>  	}
>  
>  	/*
> -	 * We want to check superblock checksum, the type is stored inside.
> -	 * Pass the whole disk block of size BTRFS_SUPER_INFO_SIZE (4k).
> -	 */
> -	err = btrfs_check_super_csum(bh->b_data);
> -	if (err) {
> -		if (err == -EINVAL)
> -			pr_err("BTRFS error (device %pg): "\
> -				"unsupported checksum algorithm",
> -				fs_devices->latest_bdev);
> -		else
> -			pr_err("BTRFS error (device %pg): "\
> -				"superblock checksum mismatch",
> -				fs_devices->latest_bdev);
> -		brelse(bh);
> -		goto fail_alloc;
> -	}
> -
> -	/*
>  	 * super_copy is zeroed at allocation time and we never touch the
>  	 * following bytes up to INFO_SIZE, the checksum is calculated from
>  	 * the whole block of INFO_SIZE
> @@ -3128,6 +3110,7 @@ int btrfs_read_dev_one_super(struct block_device *bdev, int copy_num,
>  	struct buffer_head *bh;
>  	struct btrfs_super_block *super;
>  	u64 bytenr;
> +	int err;
>  
>  	bytenr = btrfs_sb_offset(copy_num);
>  	if (bytenr + BTRFS_SUPER_INFO_SIZE >= i_size_read(bdev->bd_inode))
> @@ -3148,6 +3131,22 @@ int btrfs_read_dev_one_super(struct block_device *bdev, int copy_num,
>  		return -EINVAL;
>  	}
>  
> +	/*
> +	 * Check the superblock checksum, the type is stored inside.
> +	 * Pass the whole disk block of size BTRFS_SUPER_INFO_SIZE (4k).
> +	 */
> +	err = btrfs_check_super_csum(bh->b_data);
> +	if (err) {
> +		if (err == -EINVAL)
> +			pr_err("BTRFS error (device %pg): unsupported checksum algorithm",
> +				bdev);
> +		else if (err == -EUCLEAN)
> +			pr_err("BTRFS error (device %pg): superblock checksum mismatch",
> +				bdev);
> +		brelse(bh);
> +		return err;
> +	}
> +
>  	*bh_ret = bh;
>  	return 0;
>  }
> 

Re: [PATCH 7/8] btrfs: verify checksum for all devices in mount context

[Anand Jain]

On 03/27/2018 08:21 PM, Nikolay Borisov wrote:
> 
> 
> On 26.03.2018 11:27, Anand Jain wrote:
>> During mount context, we aren't verifying the superblock checksum
>> for all the devices, instead, we verify it only for the
>> struct btrfs_fs_device::latest_bdev. This patch fixes it
>> by moving the checksum verification code from the function open_ctree()
>> into the function btrfs_read_dev_one_super().
>>
>> By doing this now we are verifying the superblock checksum
>> in the mount-context, device-replace and, device-delete context.
> 
> Which call chain provides the device-replace and device-delete contexts?
> I think it is worth it documenting them in the changelog.

  Will copy it here from the cover-letter.

>>
>> Signed-off-by: Anand Jain <anand.jain@oracle.com>
> 
> Reviewed-by: Nikolay Borisov <nborisov@suse.com>

> 
>> ---
>>   fs/btrfs/disk-io.c | 35 +++++++++++++++++------------------
>>   1 file changed, 17 insertions(+), 18 deletions(-)
>>
>> diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
>> index 6299ab18da5f..3cc50041c0b9 100644
>> --- a/fs/btrfs/disk-io.c
>> +++ b/fs/btrfs/disk-io.c
>> @@ -2565,24 +2565,6 @@ int open_ctree(struct super_block *sb,
>>   	}
>>   
>>   	/*
>> -	 * We want to check superblock checksum, the type is stored inside.
>> -	 * Pass the whole disk block of size BTRFS_SUPER_INFO_SIZE (4k).
>> -	 */
>> -	err = btrfs_check_super_csum(bh->b_data);
>> -	if (err) {
>> -		if (err == -EINVAL)
>> -			pr_err("BTRFS error (device %pg): "\
>> -				"unsupported checksum algorithm",
>> -				fs_devices->latest_bdev);
>> -		else
>> -			pr_err("BTRFS error (device %pg): "\
>> -				"superblock checksum mismatch",
>> -				fs_devices->latest_bdev);
>> -		brelse(bh);
>> -		goto fail_alloc;
>> -	}
>> -
>> -	/*
>>   	 * super_copy is zeroed at allocation time and we never touch the
>>   	 * following bytes up to INFO_SIZE, the checksum is calculated from
>>   	 * the whole block of INFO_SIZE
>> @@ -3128,6 +3110,7 @@ int btrfs_read_dev_one_super(struct block_device *bdev, int copy_num,
>>   	struct buffer_head *bh;
>>   	struct btrfs_super_block *super;
>>   	u64 bytenr;
>> +	int err;
>>   
>>   	bytenr = btrfs_sb_offset(copy_num);
>>   	if (bytenr + BTRFS_SUPER_INFO_SIZE >= i_size_read(bdev->bd_inode))
>> @@ -3148,6 +3131,22 @@ int btrfs_read_dev_one_super(struct block_device *bdev, int copy_num,
>>   		return -EINVAL;
>>   	}
>>   
>> +	/*
>> +	 * Check the superblock checksum, the type is stored inside.
>> +	 * Pass the whole disk block of size BTRFS_SUPER_INFO_SIZE (4k).
>> +	 */
>> +	err = btrfs_check_super_csum(bh->b_data);
>> +	if (err) {

I am fixing this to if (err < 0) {

>> +		if (err == -EINVAL)
>> +			pr_err("BTRFS error (device %pg): unsupported checksum algorithm",
>> +				bdev);
>> +		else if (err == -EUCLEAN)
>> +			pr_err("BTRFS error (device %pg): superblock checksum mismatch",
>> +				bdev);

  I am also dropping else if to else in v2.

Thanks, Anand


>> +		brelse(bh);
>> +		return err;
>> +	}
>> +
>>   	*bh_ret = bh;
>>   	return 0;
>>   }
>>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

[PATCH 8/8] btrfs: drop the redundant invalidate_bdev()

[Anand Jain]

During the mount context btrfs_open_devices() calls invalidate_bdev()
for all the devices. So drop the invalidate_bdev() in open_ctree()
which is only for the btrfs_fs_devices::latest_bdev.

The call trace is as shown below.

btrfs_mount_root()
 |
 |_btrfs_parse_early_options (-o device only)
 | |_btrfs_scan_one_device
 |   |_btrfs_read_disk_super()
 |     |_read_cache_page_gfp()
 |
 |_btrfs_scan_one_device(mount-arg-dev only)
 | |_btrfs_read_disk_super()
 |   |_read_cache_page_gfp()
 |
 |
 |_btrfs_open_devices(fsid:all)
 |  |_btrfs_open_one_device()
 |    |_btrfs_get_bdev_and_sb()  <--- invalidate_bdev(fsid:all)
 |      |_btrfs_read_dev_super()
 |        |_btrfs_read_dev_one_super()
 |          |___bread()
 |
 |_btrfs_fill_super()
   |_btrfs_open_ctree()   <-- invalidate_bdev(latest_bdev) <-- redundant
     |_btrfs_read_dev_super(latest_bdev only)
       |_btrfs_read_dev_one_super(latest_bdev only)
         |___bread(latest_bdev)

Signed-off-by: Anand Jain <anand.jain@oracle.com>
---
 fs/btrfs/disk-io.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
index 3cc50041c0b9..4f667c99dd16 100644
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -2553,8 +2553,6 @@ int open_ctree(struct super_block *sb,
 
 	__setup_root(tree_root, fs_info, BTRFS_ROOT_TREE_OBJECTID);
 
-	invalidate_bdev(fs_devices->latest_bdev);
-
 	/*
 	 * Read super block and check the signature bytes only
 	 */
-- 
2.7.0

[PATCH v2 0/9] Superblock read and verify cleanups

[Anand Jain]

v1->v2:
 Various changes suggested by Nicokay. Thanks. For specific changes
 pls ref to the patch.

Patch 1-4/8 are preparatory patches adds cleanups and nonstatic requisites.

Patch 5/8 makes sure that all copies of the superblock have the same fsid
when we scan the device.

Patch 6/8 verifies superblock csum when we read it in the scan context.

Patch 7/8 fixes a bug that we weren't verifying the superblock csum for
the non-latest_bdev.

And 8/8 patch drops the redundant invalidate_bdev() call during mount.

There is a btrfs-progs patch which is a kind of related, as its found that
we weren't wiping the non-overwritten superblock, so it could cause
confusion during the superblock recovery process. So the patch btrfs-progs
1/1 adds code to wipe superblock if we aren't overwriting it.

Now since kernel patch 5/8 checks if all the superblock copies are
pointing to the same fsid on the disk, so the scan will fail if without
the above 1/1 btrfs-progs, as in the example below [1]. However the simple
workaround is to wipe the superblock manually [2] or apply the btrfs-progs
patch below.

[1]
 mkfs.btrfs -qf /dev/sdb <-- 1T disk
 mkfs.btrfs -b 256M  /dev/sdb
 ERROR: device scan failed on /dev/sdb

[2]
 dd if=/dev/zero of=<dev> seek=274877906944 ibs=1 obs=1 count4K

Unfortunately, the error messages should have been failed to register
[3] device into the kernel to be more appropriate to the error.

[3]
        ret = ioctl(fd, BTRFS_IOC_SCAN_DEV, &args);
        if (ret < 0) {
                error("device scan failed on '%s': %m", fname);
                ret = -errno;
        }


Patches 1-7/8 were sent independently before. And  I found few more things
to fix alongs the line, and since they are related, so I am sending these
all together. Also, as there are minor changes, like in pr_err strings,
and splitting the unrelated changes into a separate patch, so though I am
thankful for the received reviewed-by, I couldn't include them here. Sorry.

Finally, here I am including the function relations [4] so that it will help
to review the code. And this flow is before these patches were applied.

[4]
In the long term, I suggest deprecating ioctl args which pass device path
(where possible), like in delete-device/replace. And
btrfs_read_dev_one_super() should replace btrfs_read_disk_super()

delete-device/replace:
btrfs_rm_device() || btrfs_dev_replace_by_ioctl()
|_btrfs_find_device_by_devspec()
  |_btrfs_find_device_missing_or_by_path()
    |_btrfs_find_device_by_path()
      |_btrfs_get_bdev_and_sb()
        |_btrfs_read_dev_super()
          |_btrfs_read_dev_one_super()
            |___bread()

btrfs_mount_root()
 |
 |_btrfs_parse_early_options (-o device only)
 | |_btrfs_scan_one_device
 |   |_btrfs_read_disk_super()
 |     |_read_cache_page_gfp()
 |
 |_btrfs_scan_one_device(mount-arg-dev only)
 | |_btrfs_read_disk_super()
 |   |_read_cache_page_gfp()
 |
 |
 |_btrfs_open_devices(fsid:all)
 |  |_btrfs_open_one_device()
 |    |_btrfs_get_bdev_and_sb()  <--- invalidate_bdev(fsid:all)
 |      |_btrfs_read_dev_super()
 |        |_btrfs_read_dev_one_super()
 |          |___bread()
 |
 |_btrfs_fill_super()
   |_btrfs_open_ctree()   <-- invalidate_bdev(latest_bdev) <-- redundant
     |_btrfs_read_dev_super(latest_bdev only)
     | |_btrfs_read_dev_one_super(latest_bdev only)
     |   |___bread(latest_bdev)
     |
     |_btrfs_check_super_csum(latest_bdev only) [*]
     |
     |_btrfs_read_chunk_tree
     | |_read_one_dev()
     |   |_open_seed_devices()
     |     |_btrfs_open_devices(fs_devices->seed only)

scan/ready
|
|_btrfs_scan_one_device(ioctl-arg-dev only)
   |_btrfs_read_disk_super()
     |_read_cache_page_gfp()


Anand Jain (8):
  btrfs: cleanup btrfs_check_super_csum() for better code flow
  btrfs: return required error from btrfs_check_super_csum
  btrfs: cleanup btrfs_read_disk_super() to return std error
  btrfs: make btrfs_check_super_csum() non static
  btrfs: check if the fsid in the primary sb and copy sb are same
  btrfs: verify checksum when superblock is read for scan
  btrfs: verify checksum for all devices in mount context
  btrfs: drop the redundant invalidate_bdev()

 fs/btrfs/disk-io.c | 72 +++++++++++++++++++++++-----------------------
 fs/btrfs/disk-io.h |  1 +
 fs/btrfs/volumes.c | 84 ++++++++++++++++++++++++++++++++++++++++++------------
 3 files changed, 102 insertions(+), 55 deletions(-)

Anand Jain (1):
  btrfs-progs: wipe copies of the stale superblock beyond -b size

 utils.c | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

-- 
2.7.0

[PATCH 1/8] btrfs: cleanup btrfs_check_super_csum() for better code flow

[Anand Jain]

We check the %csum_type twice. Drop one. Check for the csum_type and
then for the csum. Which also matches with the progs which have better
logic. This is preparatory patch to get proper error code from
btrfs_check_super_csum().

Signed-off-by: Anand Jain <anand.jain@oracle.com>
Reviewed-by: Nikolay Borisov <nborisov@suse.com>
---
 fs/btrfs/disk-io.c | 38 +++++++++++++++++---------------------
 1 file changed, 17 insertions(+), 21 deletions(-)

diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
index 1657d6aa4fa6..b9b435579527 100644
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -399,32 +399,28 @@ static int btrfs_check_super_csum(struct btrfs_fs_info *fs_info,
 	struct btrfs_super_block *disk_sb =
 		(struct btrfs_super_block *)raw_disk_sb;
 	u16 csum_type = btrfs_super_csum_type(disk_sb);
-	int ret = 0;
-
-	if (csum_type == BTRFS_CSUM_TYPE_CRC32) {
-		u32 crc = ~(u32)0;
-		char result[sizeof(crc)];
-
-		/*
-		 * The super_block structure does not span the whole
-		 * BTRFS_SUPER_INFO_SIZE range, we expect that the unused space
-		 * is filled with zeros and is included in the checksum.
-		 */
-		crc = btrfs_csum_data(raw_disk_sb + BTRFS_CSUM_SIZE,
-				crc, BTRFS_SUPER_INFO_SIZE - BTRFS_CSUM_SIZE);
-		btrfs_csum_final(crc, result);
-
-		if (memcmp(raw_disk_sb, result, sizeof(result)))
-			ret = 1;
-	}
+	u32 crc = ~(u32)0;
+	char result[sizeof(crc)];
 
 	if (csum_type >= ARRAY_SIZE(btrfs_csum_sizes)) {
 		btrfs_err(fs_info, "unsupported checksum algorithm %u",
-				csum_type);
-		ret = 1;
+			  csum_type);
+		return 1;
 	}
 
-	return ret;
+	/*
+	 * The super_block structure does not span the whole
+	 * BTRFS_SUPER_INFO_SIZE range, we expect that the unused space
+	 * is filled with zeros and is included in the checksum.
+	 */
+	crc = btrfs_csum_data(raw_disk_sb + BTRFS_CSUM_SIZE,
+			      crc, BTRFS_SUPER_INFO_SIZE - BTRFS_CSUM_SIZE);
+	btrfs_csum_final(crc, result);
+
+	if (memcmp(raw_disk_sb, result, sizeof(result)))
+		return 1;
+
+	return 0;
 }
 
 /*
-- 
2.7.0