Linux-XFS Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH] xfs_repair: fix bad next_unlinked field
@ 2020-02-10 15:42 Eric Sandeen
  2020-02-10 15:54 ` Darrick J. Wong
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Eric Sandeen @ 2020-02-10 15:42 UTC (permalink / raw)
  To: linux-xfs; +Cc: John Jore

As of xfsprogs-4.17 we started testing whether the di_next_unlinked field
on an inode is valid in the inode verifiers. However, this field is never
tested or repaired during inode processing.

So if, for example, we had a completely zeroed-out inode, we'd detect and
fix the broken magic and version, but the invalid di_next_unlinked field
would not be touched, fail the write verifier, and prevent the inode from
being properly repaired or even written out.

Fix this by checking the di_next_unlinked inode field for validity and
clearing it if it is invalid.

Reported-by: John Jore <john@jore.no>
Fixes: 2949b4677 ("xfs: don't accept inode buffers with suspicious unlinked chains")
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
---

diff --git a/repair/dinode.c b/repair/dinode.c
index 8af2cb25..c5d2f350 100644
--- a/repair/dinode.c
+++ b/repair/dinode.c
@@ -2272,6 +2272,7 @@ process_dinode_int(xfs_mount_t *mp,
 	const int		is_free = 0;
 	const int		is_used = 1;
 	blkmap_t		*dblkmap = NULL;
+	xfs_agino_t		unlinked_ino;
 
 	*dirty = *isa_dir = 0;
 	*used = is_used;
@@ -2351,6 +2352,23 @@ process_dinode_int(xfs_mount_t *mp,
 		}
 	}
 
+	unlinked_ino = be32_to_cpu(dino->di_next_unlinked);
+	if (!xfs_verify_agino_or_null(mp, agno, unlinked_ino)) {
+		retval = 1;
+		if (!uncertain)
+			do_warn(_("bad next_unlinked 0x%x on inode %" PRIu64 "%c"),
+				(__s32)dino->di_next_unlinked, lino,
+				verify_mode ? '\n' : ',');
+		if (!verify_mode) {
+			if (!no_modify) {
+				do_warn(_(" resetting next_unlinked\n"));
+				clear_dinode_unlinked(mp, dino);
+				*dirty = 1;
+			} else
+				do_warn(_(" would reset next_unlinked\n"));
+		}
+	}
+
 	/*
 	 * We don't bother checking the CRC here - we cannot guarantee that when
 	 * we are called here that the inode has not already been modified in


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] xfs_repair: fix bad next_unlinked field
  2020-02-10 15:42 [PATCH] xfs_repair: fix bad next_unlinked field Eric Sandeen
@ 2020-02-10 15:54 ` Darrick J. Wong
  2020-02-11  9:08 ` Carlos Maiolino
  2020-02-11 10:11 ` John Jore
  2 siblings, 0 replies; 6+ messages in thread
From: Darrick J. Wong @ 2020-02-10 15:54 UTC (permalink / raw)
  To: Eric Sandeen; +Cc: linux-xfs, John Jore

On Mon, Feb 10, 2020 at 09:42:28AM -0600, Eric Sandeen wrote:
> As of xfsprogs-4.17 we started testing whether the di_next_unlinked field
> on an inode is valid in the inode verifiers. However, this field is never
> tested or repaired during inode processing.
> 
> So if, for example, we had a completely zeroed-out inode, we'd detect and
> fix the broken magic and version, but the invalid di_next_unlinked field
> would not be touched, fail the write verifier, and prevent the inode from
> being properly repaired or even written out.
> 
> Fix this by checking the di_next_unlinked inode field for validity and
> clearing it if it is invalid.
> 
> Reported-by: John Jore <john@jore.no>
> Fixes: 2949b4677 ("xfs: don't accept inode buffers with suspicious unlinked chains")
> Signed-off-by: Eric Sandeen <sandeen@redhat.com>

Seems reasonable,
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>

--D

> ---
> 
> diff --git a/repair/dinode.c b/repair/dinode.c
> index 8af2cb25..c5d2f350 100644
> --- a/repair/dinode.c
> +++ b/repair/dinode.c
> @@ -2272,6 +2272,7 @@ process_dinode_int(xfs_mount_t *mp,
>  	const int		is_free = 0;
>  	const int		is_used = 1;
>  	blkmap_t		*dblkmap = NULL;
> +	xfs_agino_t		unlinked_ino;
>  
>  	*dirty = *isa_dir = 0;
>  	*used = is_used;
> @@ -2351,6 +2352,23 @@ process_dinode_int(xfs_mount_t *mp,
>  		}
>  	}
>  
> +	unlinked_ino = be32_to_cpu(dino->di_next_unlinked);
> +	if (!xfs_verify_agino_or_null(mp, agno, unlinked_ino)) {
> +		retval = 1;
> +		if (!uncertain)
> +			do_warn(_("bad next_unlinked 0x%x on inode %" PRIu64 "%c"),
> +				(__s32)dino->di_next_unlinked, lino,
> +				verify_mode ? '\n' : ',');
> +		if (!verify_mode) {
> +			if (!no_modify) {
> +				do_warn(_(" resetting next_unlinked\n"));
> +				clear_dinode_unlinked(mp, dino);
> +				*dirty = 1;
> +			} else
> +				do_warn(_(" would reset next_unlinked\n"));
> +		}
> +	}
> +
>  	/*
>  	 * We don't bother checking the CRC here - we cannot guarantee that when
>  	 * we are called here that the inode has not already been modified in
> 

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] xfs_repair: fix bad next_unlinked field
  2020-02-10 15:42 [PATCH] xfs_repair: fix bad next_unlinked field Eric Sandeen
  2020-02-10 15:54 ` Darrick J. Wong
@ 2020-02-11  9:08 ` Carlos Maiolino
  2020-02-11 14:34   ` Eric Sandeen
  2020-02-11 10:11 ` John Jore
  2 siblings, 1 reply; 6+ messages in thread
From: Carlos Maiolino @ 2020-02-11  9:08 UTC (permalink / raw)
  To: Eric Sandeen; +Cc: linux-xfs, John Jore

> +	unlinked_ino = be32_to_cpu(dino->di_next_unlinked);
> +	if (!xfs_verify_agino_or_null(mp, agno, unlinked_ino)) {
> +		retval = 1;
> +		if (!uncertain)
> +			do_warn(_("bad next_unlinked 0x%x on inode %" PRIu64 "%c"),
> +				(__s32)dino->di_next_unlinked, lino,
				^^^^
				shouldn't we be using be32_to_cpu()
				here, instead of a direct casting to
				__s32?



Cheers.

-- 
Carlos


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] xfs_repair: fix bad next_unlinked field
  2020-02-10 15:42 [PATCH] xfs_repair: fix bad next_unlinked field Eric Sandeen
  2020-02-10 15:54 ` Darrick J. Wong
  2020-02-11  9:08 ` Carlos Maiolino
@ 2020-02-11 10:11 ` John Jore
  2020-02-11 14:31   ` Eric Sandeen
  2 siblings, 1 reply; 6+ messages in thread
From: John Jore @ 2020-02-11 10:11 UTC (permalink / raw)
  To: Eric Sandeen, linux-xfs

Hi and thanks for this one.

Ran it twice. No errors were found on the second run.

Let me know if you need a dump or anything for validation purposes?


John

---
From: Eric Sandeen <sandeen@redhat.com>
Sent: 11 February 2020 02:42
To: linux-xfs
Cc: John Jore
Subject: [PATCH] xfs_repair: fix bad next_unlinked field
    
As of xfsprogs-4.17 we started testing whether the di_next_unlinked field
on an inode is valid in the inode verifiers. However, this field is never
tested or repaired during inode processing.

So if, for example, we had a completely zeroed-out inode, we'd detect and
fix the broken magic and version, but the invalid di_next_unlinked field
would not be touched, fail the write verifier, and prevent the inode from
being properly repaired or even written out.

Fix this by checking the di_next_unlinked inode field for validity and
clearing it if it is invalid.

Reported-by: John Jore <john@jore.no>
Fixes: 2949b4677 ("xfs: don't accept inode buffers with suspicious unlinked chains")
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
---

diff --git a/repair/dinode.c b/repair/dinode.c
index 8af2cb25..c5d2f350 100644
--- a/repair/dinode.c
+++ b/repair/dinode.c
@@ -2272,6 +2272,7 @@ process_dinode_int(xfs_mount_t *mp,
         const int               is_free = 0;
         const int               is_used = 1;
         blkmap_t                *dblkmap = NULL;
+       xfs_agino_t             unlinked_ino;
 
         *dirty = *isa_dir = 0;
         *used = is_used;
@@ -2351,6 +2352,23 @@ process_dinode_int(xfs_mount_t *mp,
                 }
         }
 
+       unlinked_ino = be32_to_cpu(dino->di_next_unlinked);
+       if (!xfs_verify_agino_or_null(mp, agno, unlinked_ino)) {
+               retval = 1;
+               if (!uncertain)
+                       do_warn(_("bad next_unlinked 0x%x on inode %" PRIu64 "%c"),
+                               (__s32)dino->di_next_unlinked, lino,
+                               verify_mode ? '\n' : ',');
+               if (!verify_mode) {
+                       if (!no_modify) {
+                               do_warn(_(" resetting next_unlinked\n"));
+                               clear_dinode_unlinked(mp, dino);
+                               *dirty = 1;
+                       } else
+                               do_warn(_(" would reset next_unlinked\n"));
+               }
+       }
+
         /*
          * We don't bother checking the CRC here - we cannot guarantee that when
          * we are called here that the inode has not already been modified in

     

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] xfs_repair: fix bad next_unlinked field
  2020-02-11 10:11 ` John Jore
@ 2020-02-11 14:31   ` Eric Sandeen
  0 siblings, 0 replies; 6+ messages in thread
From: Eric Sandeen @ 2020-02-11 14:31 UTC (permalink / raw)
  To: John Jore, linux-xfs

On 2/11/20 4:11 AM, John Jore wrote:
> Hi and thanks for this one.
> 
> Ran it twice. No errors were found on the second run.
> 
> Let me know if you need a dump or anything for validation purposes?

Nah it's all good, thanks for the report.

-Eric

> 
> John
> 
> ---
> From: Eric Sandeen <sandeen@redhat.com>
> Sent: 11 February 2020 02:42
> To: linux-xfs
> Cc: John Jore
> Subject: [PATCH] xfs_repair: fix bad next_unlinked field
>     
> As of xfsprogs-4.17 we started testing whether the di_next_unlinked field
> on an inode is valid in the inode verifiers. However, this field is never
> tested or repaired during inode processing.
> 
> So if, for example, we had a completely zeroed-out inode, we'd detect and
> fix the broken magic and version, but the invalid di_next_unlinked field
> would not be touched, fail the write verifier, and prevent the inode from
> being properly repaired or even written out.
> 
> Fix this by checking the di_next_unlinked inode field for validity and
> clearing it if it is invalid.
> 
> Reported-by: John Jore <john@jore.no>
> Fixes: 2949b4677 ("xfs: don't accept inode buffers with suspicious unlinked chains")
> Signed-off-by: Eric Sandeen <sandeen@redhat.com>
> ---
> 
> diff --git a/repair/dinode.c b/repair/dinode.c
> index 8af2cb25..c5d2f350 100644
> --- a/repair/dinode.c
> +++ b/repair/dinode.c
> @@ -2272,6 +2272,7 @@ process_dinode_int(xfs_mount_t *mp,
>          const int               is_free = 0;
>          const int               is_used = 1;
>          blkmap_t                *dblkmap = NULL;
> +       xfs_agino_t             unlinked_ino;
>  
>          *dirty = *isa_dir = 0;
>          *used = is_used;
> @@ -2351,6 +2352,23 @@ process_dinode_int(xfs_mount_t *mp,
>                  }
>          }
>  
> +       unlinked_ino = be32_to_cpu(dino->di_next_unlinked);
> +       if (!xfs_verify_agino_or_null(mp, agno, unlinked_ino)) {
> +               retval = 1;
> +               if (!uncertain)
> +                       do_warn(_("bad next_unlinked 0x%x on inode %" PRIu64 "%c"),
> +                               (__s32)dino->di_next_unlinked, lino,
> +                               verify_mode ? '\n' : ',');
> +               if (!verify_mode) {
> +                       if (!no_modify) {
> +                               do_warn(_(" resetting next_unlinked\n"));
> +                               clear_dinode_unlinked(mp, dino);
> +                               *dirty = 1;
> +                       } else
> +                               do_warn(_(" would reset next_unlinked\n"));
> +               }
> +       }
> +
>          /*
>           * We don't bother checking the CRC here - we cannot guarantee that when
>           * we are called here that the inode has not already been modified in
> 
>      
> 


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] xfs_repair: fix bad next_unlinked field
  2020-02-11  9:08 ` Carlos Maiolino
@ 2020-02-11 14:34   ` Eric Sandeen
  0 siblings, 0 replies; 6+ messages in thread
From: Eric Sandeen @ 2020-02-11 14:34 UTC (permalink / raw)
  To: linux-xfs, John Jore

On 2/11/20 3:08 AM, Carlos Maiolino wrote:
>> +	unlinked_ino = be32_to_cpu(dino->di_next_unlinked);
>> +	if (!xfs_verify_agino_or_null(mp, agno, unlinked_ino)) {
>> +		retval = 1;
>> +		if (!uncertain)
>> +			do_warn(_("bad next_unlinked 0x%x on inode %" PRIu64 "%c"),
>> +				(__s32)dino->di_next_unlinked, lino,
> 				^^^^
> 				shouldn't we be using be32_to_cpu()
> 				here, instead of a direct casting to
> 				__s32?

Yes, good catch.  I was looking at the version check which just does (__s8)
but of course that doesn't need the conversion.  I'll fix it here, thanks!

-Eric


^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, back to index

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-02-10 15:42 [PATCH] xfs_repair: fix bad next_unlinked field Eric Sandeen
2020-02-10 15:54 ` Darrick J. Wong
2020-02-11  9:08 ` Carlos Maiolino
2020-02-11 14:34   ` Eric Sandeen
2020-02-11 10:11 ` John Jore
2020-02-11 14:31   ` Eric Sandeen

Linux-XFS Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-xfs/0 linux-xfs/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-xfs linux-xfs/ https://lore.kernel.org/linux-xfs \
		linux-xfs@vger.kernel.org
	public-inbox-index linux-xfs

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-xfs


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git