6c7289528d
In a previous patch, we added some code to perform sufficient repairs to an ondisk inode record such that the inode cache would be willing to load the inode. If the broken inode was a shortform directory, it will reset the directory to something plausible, which is to say an empty subdirectory of the root. The telltale signs that something is seriously wrong is the broken link count. Such directories look clean, but they shouldn't participate in a filesystem scan to find or confirm a directory parent pointer. Create a predicate that identifies such directories and abort the scrub. Found by fuzzing xfs/1554 with multithreaded xfs_scrub enabled and u3.bmx[0].startblock = zeroes. Signed-off-by: Darrick J. Wong <djwong@kernel.org> Reviewed-by: Christoph Hellwig <hch@lst.de>
240 lines
5.7 KiB
C
240 lines
5.7 KiB
C
// SPDX-License-Identifier: GPL-2.0-or-later
|
|
/*
|
|
* Copyright (C) 2017-2023 Oracle. All Rights Reserved.
|
|
* Author: Darrick J. Wong <djwong@kernel.org>
|
|
*/
|
|
#include "xfs.h"
|
|
#include "xfs_fs.h"
|
|
#include "xfs_shared.h"
|
|
#include "xfs_format.h"
|
|
#include "xfs_trans_resv.h"
|
|
#include "xfs_mount.h"
|
|
#include "xfs_log_format.h"
|
|
#include "xfs_inode.h"
|
|
#include "xfs_icache.h"
|
|
#include "xfs_dir2.h"
|
|
#include "xfs_dir2_priv.h"
|
|
#include "scrub/scrub.h"
|
|
#include "scrub/common.h"
|
|
#include "scrub/readdir.h"
|
|
|
|
/* Set us up to scrub parents. */
|
|
int
|
|
xchk_setup_parent(
|
|
struct xfs_scrub *sc)
|
|
{
|
|
return xchk_setup_inode_contents(sc, 0);
|
|
}
|
|
|
|
/* Parent pointers */
|
|
|
|
/* Look for an entry in a parent pointing to this inode. */
|
|
|
|
struct xchk_parent_ctx {
|
|
struct xfs_scrub *sc;
|
|
xfs_nlink_t nlink;
|
|
};
|
|
|
|
/* Look for a single entry in a directory pointing to an inode. */
|
|
STATIC int
|
|
xchk_parent_actor(
|
|
struct xfs_scrub *sc,
|
|
struct xfs_inode *dp,
|
|
xfs_dir2_dataptr_t dapos,
|
|
const struct xfs_name *name,
|
|
xfs_ino_t ino,
|
|
void *priv)
|
|
{
|
|
struct xchk_parent_ctx *spc = priv;
|
|
int error = 0;
|
|
|
|
/* Does this name make sense? */
|
|
if (!xfs_dir2_namecheck(name->name, name->len))
|
|
error = -EFSCORRUPTED;
|
|
if (!xchk_fblock_xref_process_error(sc, XFS_DATA_FORK, 0, &error))
|
|
return error;
|
|
|
|
if (sc->ip->i_ino == ino)
|
|
spc->nlink++;
|
|
|
|
if (xchk_should_terminate(spc->sc, &error))
|
|
return error;
|
|
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* Try to lock a parent directory for checking dirents. Returns the inode
|
|
* flags for the locks we now hold, or zero if we failed.
|
|
*/
|
|
STATIC unsigned int
|
|
xchk_parent_ilock_dir(
|
|
struct xfs_inode *dp)
|
|
{
|
|
if (!xfs_ilock_nowait(dp, XFS_ILOCK_SHARED))
|
|
return 0;
|
|
|
|
if (!xfs_need_iread_extents(&dp->i_df))
|
|
return XFS_ILOCK_SHARED;
|
|
|
|
xfs_iunlock(dp, XFS_ILOCK_SHARED);
|
|
|
|
if (!xfs_ilock_nowait(dp, XFS_ILOCK_EXCL))
|
|
return 0;
|
|
|
|
return XFS_ILOCK_EXCL;
|
|
}
|
|
|
|
/*
|
|
* Given the inode number of the alleged parent of the inode being scrubbed,
|
|
* try to validate that the parent has exactly one directory entry pointing
|
|
* back to the inode being scrubbed. Returns -EAGAIN if we need to revalidate
|
|
* the dotdot entry.
|
|
*/
|
|
STATIC int
|
|
xchk_parent_validate(
|
|
struct xfs_scrub *sc,
|
|
xfs_ino_t parent_ino)
|
|
{
|
|
struct xchk_parent_ctx spc = {
|
|
.sc = sc,
|
|
.nlink = 0,
|
|
};
|
|
struct xfs_mount *mp = sc->mp;
|
|
struct xfs_inode *dp = NULL;
|
|
xfs_nlink_t expected_nlink;
|
|
unsigned int lock_mode;
|
|
int error = 0;
|
|
|
|
/* Is this the root dir? Then '..' must point to itself. */
|
|
if (sc->ip == mp->m_rootip) {
|
|
if (sc->ip->i_ino != mp->m_sb.sb_rootino ||
|
|
sc->ip->i_ino != parent_ino)
|
|
xchk_fblock_set_corrupt(sc, XFS_DATA_FORK, 0);
|
|
return 0;
|
|
}
|
|
|
|
/* '..' must not point to ourselves. */
|
|
if (sc->ip->i_ino == parent_ino) {
|
|
xchk_fblock_set_corrupt(sc, XFS_DATA_FORK, 0);
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* If we're an unlinked directory, the parent /won't/ have a link
|
|
* to us. Otherwise, it should have one link.
|
|
*/
|
|
expected_nlink = VFS_I(sc->ip)->i_nlink == 0 ? 0 : 1;
|
|
|
|
/*
|
|
* Grab the parent directory inode. This must be released before we
|
|
* cancel the scrub transaction.
|
|
*
|
|
* If _iget returns -EINVAL or -ENOENT then the parent inode number is
|
|
* garbage and the directory is corrupt. If the _iget returns
|
|
* -EFSCORRUPTED or -EFSBADCRC then the parent is corrupt which is a
|
|
* cross referencing error. Any other error is an operational error.
|
|
*/
|
|
error = xchk_iget(sc, parent_ino, &dp);
|
|
if (error == -EINVAL || error == -ENOENT) {
|
|
error = -EFSCORRUPTED;
|
|
xchk_fblock_process_error(sc, XFS_DATA_FORK, 0, &error);
|
|
return error;
|
|
}
|
|
if (!xchk_fblock_xref_process_error(sc, XFS_DATA_FORK, 0, &error))
|
|
return error;
|
|
if (dp == sc->ip || !S_ISDIR(VFS_I(dp)->i_mode)) {
|
|
xchk_fblock_set_corrupt(sc, XFS_DATA_FORK, 0);
|
|
goto out_rele;
|
|
}
|
|
|
|
lock_mode = xchk_parent_ilock_dir(dp);
|
|
if (!lock_mode) {
|
|
xchk_iunlock(sc, XFS_ILOCK_EXCL);
|
|
xchk_ilock(sc, XFS_ILOCK_EXCL);
|
|
error = -EAGAIN;
|
|
goto out_rele;
|
|
}
|
|
|
|
/*
|
|
* We cannot yet validate this parent pointer if the directory looks as
|
|
* though it has been zapped by the inode record repair code.
|
|
*/
|
|
if (xchk_dir_looks_zapped(dp)) {
|
|
error = -EBUSY;
|
|
xchk_set_incomplete(sc);
|
|
goto out_unlock;
|
|
}
|
|
|
|
/* Look for a directory entry in the parent pointing to the child. */
|
|
error = xchk_dir_walk(sc, dp, xchk_parent_actor, &spc);
|
|
if (!xchk_fblock_xref_process_error(sc, XFS_DATA_FORK, 0, &error))
|
|
goto out_unlock;
|
|
|
|
/*
|
|
* Ensure that the parent has as many links to the child as the child
|
|
* thinks it has to the parent.
|
|
*/
|
|
if (spc.nlink != expected_nlink)
|
|
xchk_fblock_set_corrupt(sc, XFS_DATA_FORK, 0);
|
|
|
|
out_unlock:
|
|
xfs_iunlock(dp, lock_mode);
|
|
out_rele:
|
|
xchk_irele(sc, dp);
|
|
return error;
|
|
}
|
|
|
|
/* Scrub a parent pointer. */
|
|
int
|
|
xchk_parent(
|
|
struct xfs_scrub *sc)
|
|
{
|
|
struct xfs_mount *mp = sc->mp;
|
|
xfs_ino_t parent_ino;
|
|
int error = 0;
|
|
|
|
/*
|
|
* If we're a directory, check that the '..' link points up to
|
|
* a directory that has one entry pointing to us.
|
|
*/
|
|
if (!S_ISDIR(VFS_I(sc->ip)->i_mode))
|
|
return -ENOENT;
|
|
|
|
/* We're not a special inode, are we? */
|
|
if (!xfs_verify_dir_ino(mp, sc->ip->i_ino)) {
|
|
xchk_fblock_set_corrupt(sc, XFS_DATA_FORK, 0);
|
|
return 0;
|
|
}
|
|
|
|
do {
|
|
if (xchk_should_terminate(sc, &error))
|
|
break;
|
|
|
|
/* Look up '..' */
|
|
error = xchk_dir_lookup(sc, sc->ip, &xfs_name_dotdot,
|
|
&parent_ino);
|
|
if (!xchk_fblock_process_error(sc, XFS_DATA_FORK, 0, &error))
|
|
return error;
|
|
if (!xfs_verify_dir_ino(mp, parent_ino)) {
|
|
xchk_fblock_set_corrupt(sc, XFS_DATA_FORK, 0);
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* Check that the dotdot entry points to a parent directory
|
|
* containing a dirent pointing to this subdirectory.
|
|
*/
|
|
error = xchk_parent_validate(sc, parent_ino);
|
|
} while (error == -EAGAIN);
|
|
if (error == -EBUSY) {
|
|
/*
|
|
* We could not scan a directory, so we marked the check
|
|
* incomplete. No further error return is necessary.
|
|
*/
|
|
return 0;
|
|
}
|
|
|
|
return error;
|
|
}
|