2018-06-05 19:42:14 -07:00
|
|
|
// SPDX-License-Identifier: GPL-2.0+
|
2017-10-17 21:37:41 -07:00
|
|
|
/*
|
|
|
|
|
* Copyright (C) 2017 Oracle. All Rights Reserved.
|
|
|
|
|
* Author: Darrick J. Wong <darrick.wong@oracle.com>
|
|
|
|
|
*/
|
|
|
|
|
#include "xfs.h"
|
|
|
|
|
#include "xfs_fs.h"
|
|
|
|
|
#include "xfs_shared.h"
|
|
|
|
|
#include "xfs_format.h"
|
|
|
|
|
#include "xfs_btree.h"
|
|
|
|
|
#include "xfs_rmap.h"
|
2018-01-16 18:53:09 -08:00
|
|
|
#include "xfs_refcount.h"
|
2017-10-17 21:37:41 -07:00
|
|
|
#include "scrub/scrub.h"
|
|
|
|
|
#include "scrub/common.h"
|
|
|
|
|
#include "scrub/btree.h"
|
2022-07-07 19:13:21 +10:00
|
|
|
#include "xfs_trans_resv.h"
|
|
|
|
|
#include "xfs_mount.h"
|
2021-06-02 10:48:24 +10:00
|
|
|
#include "xfs_ag.h"
|
2017-10-17 21:37:41 -07:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Set us up to scrub reference count btrees.
|
|
|
|
|
*/
|
|
|
|
|
int
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_setup_ag_refcountbt(
|
2021-04-07 17:59:39 -07:00
|
|
|
struct xfs_scrub *sc)
|
2017-10-17 21:37:41 -07:00
|
|
|
{
|
2021-04-07 17:59:39 -07:00
|
|
|
return xchk_setup_ag_btree(sc, false);
|
2017-10-17 21:37:41 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Reference count btree scrubber. */
|
|
|
|
|
|
2018-01-16 18:53:08 -08:00
|
|
|
/*
|
|
|
|
|
* Confirming Reference Counts via Reverse Mappings
|
|
|
|
|
*
|
|
|
|
|
* We want to count the reverse mappings overlapping a refcount record
|
|
|
|
|
* (bno, len, refcount), allowing for the possibility that some of the
|
|
|
|
|
* overlap may come from smaller adjoining reverse mappings, while some
|
|
|
|
|
* comes from single extents which overlap the range entirely. The
|
|
|
|
|
* outer loop is as follows:
|
|
|
|
|
*
|
|
|
|
|
* 1. For all reverse mappings overlapping the refcount extent,
|
|
|
|
|
* a. If a given rmap completely overlaps, mark it as seen.
|
|
|
|
|
* b. Otherwise, record the fragment (in agbno order) for later
|
|
|
|
|
* processing.
|
|
|
|
|
*
|
|
|
|
|
* Once we've seen all the rmaps, we know that for all blocks in the
|
|
|
|
|
* refcount record we want to find $refcount owners and we've already
|
|
|
|
|
* visited $seen extents that overlap all the blocks. Therefore, we
|
|
|
|
|
* need to find ($refcount - $seen) owners for every block in the
|
|
|
|
|
* extent; call that quantity $target_nr. Proceed as follows:
|
|
|
|
|
*
|
|
|
|
|
* 2. Pull the first $target_nr fragments from the list; all of them
|
|
|
|
|
* should start at or before the start of the extent.
|
|
|
|
|
* Call this subset of fragments the working set.
|
|
|
|
|
* 3. Until there are no more unprocessed fragments,
|
|
|
|
|
* a. Find the shortest fragments in the set and remove them.
|
|
|
|
|
* b. Note the block number of the end of these fragments.
|
|
|
|
|
* c. Pull the same number of fragments from the list. All of these
|
|
|
|
|
* fragments should start at the block number recorded in the
|
|
|
|
|
* previous step.
|
|
|
|
|
* d. Put those fragments in the set.
|
|
|
|
|
* 4. Check that there are $target_nr fragments remaining in the list,
|
|
|
|
|
* and that they all end at or beyond the end of the refcount extent.
|
|
|
|
|
*
|
|
|
|
|
* If the refcount is correct, all the check conditions in the algorithm
|
|
|
|
|
* should always hold true. If not, the refcount is incorrect.
|
|
|
|
|
*/
|
2018-07-19 12:29:11 -07:00
|
|
|
struct xchk_refcnt_frag {
|
2018-07-19 12:29:12 -07:00
|
|
|
struct list_head list;
|
|
|
|
|
struct xfs_rmap_irec rm;
|
2018-01-16 18:53:08 -08:00
|
|
|
};
|
|
|
|
|
|
2018-07-19 12:29:11 -07:00
|
|
|
struct xchk_refcnt_check {
|
2018-07-19 12:29:12 -07:00
|
|
|
struct xfs_scrub *sc;
|
2018-07-19 12:29:12 -07:00
|
|
|
struct list_head fragments;
|
2018-01-16 18:53:08 -08:00
|
|
|
|
|
|
|
|
/* refcount extent we're examining */
|
2018-07-19 12:29:12 -07:00
|
|
|
xfs_agblock_t bno;
|
|
|
|
|
xfs_extlen_t len;
|
|
|
|
|
xfs_nlink_t refcount;
|
2018-01-16 18:53:08 -08:00
|
|
|
|
|
|
|
|
/* number of owners seen */
|
2018-07-19 12:29:12 -07:00
|
|
|
xfs_nlink_t seen;
|
2018-01-16 18:53:08 -08:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Decide if the given rmap is large enough that we can redeem it
|
|
|
|
|
* towards refcount verification now, or if it's a fragment, in
|
|
|
|
|
* which case we'll hang onto it in the hopes that we'll later
|
|
|
|
|
* discover that we've collected exactly the correct number of
|
|
|
|
|
* fragments as the refcountbt says we should have.
|
|
|
|
|
*/
|
|
|
|
|
STATIC int
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_refcountbt_rmap_check(
|
2018-01-16 18:53:08 -08:00
|
|
|
struct xfs_btree_cur *cur,
|
2021-08-10 17:02:16 -07:00
|
|
|
const struct xfs_rmap_irec *rec,
|
2018-01-16 18:53:08 -08:00
|
|
|
void *priv)
|
|
|
|
|
{
|
2018-07-19 12:29:11 -07:00
|
|
|
struct xchk_refcnt_check *refchk = priv;
|
|
|
|
|
struct xchk_refcnt_frag *frag;
|
2018-01-16 18:53:08 -08:00
|
|
|
xfs_agblock_t rm_last;
|
|
|
|
|
xfs_agblock_t rc_last;
|
|
|
|
|
int error = 0;
|
|
|
|
|
|
2018-07-19 12:29:11 -07:00
|
|
|
if (xchk_should_terminate(refchk->sc, &error))
|
2018-01-16 18:53:08 -08:00
|
|
|
return error;
|
|
|
|
|
|
|
|
|
|
rm_last = rec->rm_startblock + rec->rm_blockcount - 1;
|
|
|
|
|
rc_last = refchk->bno + refchk->len - 1;
|
|
|
|
|
|
|
|
|
|
/* Confirm that a single-owner refc extent is a CoW stage. */
|
|
|
|
|
if (refchk->refcount == 1 && rec->rm_owner != XFS_RMAP_OWN_COW) {
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_btree_xref_set_corrupt(refchk->sc, cur, 0);
|
2018-01-16 18:53:08 -08:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (rec->rm_startblock <= refchk->bno && rm_last >= rc_last) {
|
|
|
|
|
/*
|
|
|
|
|
* The rmap overlaps the refcount record, so we can confirm
|
|
|
|
|
* one refcount owner seen.
|
|
|
|
|
*/
|
|
|
|
|
refchk->seen++;
|
|
|
|
|
} else {
|
|
|
|
|
/*
|
|
|
|
|
* This rmap covers only part of the refcount record, so
|
|
|
|
|
* save the fragment for later processing. If the rmapbt
|
|
|
|
|
* is healthy each rmap_irec we see will be in agbno order
|
|
|
|
|
* so we don't need insertion sort here.
|
|
|
|
|
*/
|
2018-07-19 12:29:11 -07:00
|
|
|
frag = kmem_alloc(sizeof(struct xchk_refcnt_frag),
|
2018-05-09 10:02:00 -07:00
|
|
|
KM_MAYFAIL);
|
2018-01-16 18:53:08 -08:00
|
|
|
if (!frag)
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
memcpy(&frag->rm, rec, sizeof(frag->rm));
|
|
|
|
|
list_add_tail(&frag->list, &refchk->fragments);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Given a bunch of rmap fragments, iterate through them, keeping
|
|
|
|
|
* a running tally of the refcount. If this ever deviates from
|
|
|
|
|
* what we expect (which is the refcountbt's refcount minus the
|
|
|
|
|
* number of extents that totally covered the refcountbt extent),
|
|
|
|
|
* we have a refcountbt error.
|
|
|
|
|
*/
|
|
|
|
|
STATIC void
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_refcountbt_process_rmap_fragments(
|
|
|
|
|
struct xchk_refcnt_check *refchk)
|
2018-01-16 18:53:08 -08:00
|
|
|
{
|
|
|
|
|
struct list_head worklist;
|
2018-07-19 12:29:11 -07:00
|
|
|
struct xchk_refcnt_frag *frag;
|
|
|
|
|
struct xchk_refcnt_frag *n;
|
2018-01-16 18:53:08 -08:00
|
|
|
xfs_agblock_t bno;
|
|
|
|
|
xfs_agblock_t rbno;
|
|
|
|
|
xfs_agblock_t next_rbno;
|
|
|
|
|
xfs_nlink_t nr;
|
|
|
|
|
xfs_nlink_t target_nr;
|
|
|
|
|
|
|
|
|
|
target_nr = refchk->refcount - refchk->seen;
|
|
|
|
|
if (target_nr == 0)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* There are (refchk->rc.rc_refcount - refchk->nr refcount)
|
|
|
|
|
* references we haven't found yet. Pull that many off the
|
|
|
|
|
* fragment list and figure out where the smallest rmap ends
|
|
|
|
|
* (and therefore the next rmap should start). All the rmaps
|
|
|
|
|
* we pull off should start at or before the beginning of the
|
|
|
|
|
* refcount record's range.
|
|
|
|
|
*/
|
|
|
|
|
INIT_LIST_HEAD(&worklist);
|
|
|
|
|
rbno = NULLAGBLOCK;
|
|
|
|
|
|
|
|
|
|
/* Make sure the fragments actually /are/ in agbno order. */
|
|
|
|
|
bno = 0;
|
|
|
|
|
list_for_each_entry(frag, &refchk->fragments, list) {
|
|
|
|
|
if (frag->rm.rm_startblock < bno)
|
|
|
|
|
goto done;
|
|
|
|
|
bno = frag->rm.rm_startblock;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Find all the rmaps that start at or before the refc extent,
|
|
|
|
|
* and put them on the worklist.
|
|
|
|
|
*/
|
2020-11-08 16:32:42 -08:00
|
|
|
nr = 0;
|
2018-01-16 18:53:08 -08:00
|
|
|
list_for_each_entry_safe(frag, n, &refchk->fragments, list) {
|
2020-11-08 16:32:42 -08:00
|
|
|
if (frag->rm.rm_startblock > refchk->bno || nr > target_nr)
|
|
|
|
|
break;
|
2018-01-16 18:53:08 -08:00
|
|
|
bno = frag->rm.rm_startblock + frag->rm.rm_blockcount;
|
|
|
|
|
if (bno < rbno)
|
|
|
|
|
rbno = bno;
|
|
|
|
|
list_move_tail(&frag->list, &worklist);
|
|
|
|
|
nr++;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* We should have found exactly $target_nr rmap fragments starting
|
|
|
|
|
* at or before the refcount extent.
|
|
|
|
|
*/
|
|
|
|
|
if (nr != target_nr)
|
|
|
|
|
goto done;
|
|
|
|
|
|
|
|
|
|
while (!list_empty(&refchk->fragments)) {
|
|
|
|
|
/* Discard any fragments ending at rbno from the worklist. */
|
|
|
|
|
nr = 0;
|
|
|
|
|
next_rbno = NULLAGBLOCK;
|
|
|
|
|
list_for_each_entry_safe(frag, n, &worklist, list) {
|
|
|
|
|
bno = frag->rm.rm_startblock + frag->rm.rm_blockcount;
|
|
|
|
|
if (bno != rbno) {
|
|
|
|
|
if (bno < next_rbno)
|
|
|
|
|
next_rbno = bno;
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
list_del(&frag->list);
|
|
|
|
|
kmem_free(frag);
|
|
|
|
|
nr++;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Try to add nr rmaps starting at rbno to the worklist. */
|
|
|
|
|
list_for_each_entry_safe(frag, n, &refchk->fragments, list) {
|
|
|
|
|
bno = frag->rm.rm_startblock + frag->rm.rm_blockcount;
|
|
|
|
|
if (frag->rm.rm_startblock != rbno)
|
|
|
|
|
goto done;
|
|
|
|
|
list_move_tail(&frag->list, &worklist);
|
|
|
|
|
if (next_rbno > bno)
|
|
|
|
|
next_rbno = bno;
|
|
|
|
|
nr--;
|
|
|
|
|
if (nr == 0)
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* If we get here and nr > 0, this means that we added fewer
|
|
|
|
|
* items to the worklist than we discarded because the fragment
|
|
|
|
|
* list ran out of items. Therefore, we cannot maintain the
|
|
|
|
|
* required refcount. Something is wrong, so we're done.
|
|
|
|
|
*/
|
|
|
|
|
if (nr)
|
|
|
|
|
goto done;
|
|
|
|
|
|
|
|
|
|
rbno = next_rbno;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Make sure the last extent we processed ends at or beyond
|
|
|
|
|
* the end of the refcount extent.
|
|
|
|
|
*/
|
|
|
|
|
if (rbno < refchk->bno + refchk->len)
|
|
|
|
|
goto done;
|
|
|
|
|
|
|
|
|
|
/* Actually record us having seen the remaining refcount. */
|
|
|
|
|
refchk->seen = refchk->refcount;
|
|
|
|
|
done:
|
|
|
|
|
/* Delete fragments and work list. */
|
|
|
|
|
list_for_each_entry_safe(frag, n, &worklist, list) {
|
|
|
|
|
list_del(&frag->list);
|
|
|
|
|
kmem_free(frag);
|
|
|
|
|
}
|
|
|
|
|
list_for_each_entry_safe(frag, n, &refchk->fragments, list) {
|
|
|
|
|
list_del(&frag->list);
|
|
|
|
|
kmem_free(frag);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Use the rmap entries covering this extent to verify the refcount. */
|
|
|
|
|
STATIC void
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_refcountbt_xref_rmap(
|
2018-07-19 12:29:12 -07:00
|
|
|
struct xfs_scrub *sc,
|
2022-10-11 11:22:54 -07:00
|
|
|
const struct xfs_refcount_irec *irec)
|
2018-01-16 18:53:08 -08:00
|
|
|
{
|
2018-07-19 12:29:11 -07:00
|
|
|
struct xchk_refcnt_check refchk = {
|
2022-10-11 11:22:54 -07:00
|
|
|
.sc = sc,
|
|
|
|
|
.bno = irec->rc_startblock,
|
|
|
|
|
.len = irec->rc_blockcount,
|
|
|
|
|
.refcount = irec->rc_refcount,
|
2018-01-16 18:53:08 -08:00
|
|
|
.seen = 0,
|
|
|
|
|
};
|
|
|
|
|
struct xfs_rmap_irec low;
|
|
|
|
|
struct xfs_rmap_irec high;
|
2018-07-19 12:29:11 -07:00
|
|
|
struct xchk_refcnt_frag *frag;
|
|
|
|
|
struct xchk_refcnt_frag *n;
|
2018-01-16 18:53:08 -08:00
|
|
|
int error;
|
|
|
|
|
|
2018-07-19 12:29:11 -07:00
|
|
|
if (!sc->sa.rmap_cur || xchk_skip_xref(sc->sm))
|
2018-01-16 18:53:08 -08:00
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
/* Cross-reference with the rmapbt to confirm the refcount. */
|
|
|
|
|
memset(&low, 0, sizeof(low));
|
2022-10-11 11:22:54 -07:00
|
|
|
low.rm_startblock = irec->rc_startblock;
|
2018-01-16 18:53:08 -08:00
|
|
|
memset(&high, 0xFF, sizeof(high));
|
2022-10-11 11:22:54 -07:00
|
|
|
high.rm_startblock = irec->rc_startblock + irec->rc_blockcount - 1;
|
2018-01-16 18:53:08 -08:00
|
|
|
|
|
|
|
|
INIT_LIST_HEAD(&refchk.fragments);
|
|
|
|
|
error = xfs_rmap_query_range(sc->sa.rmap_cur, &low, &high,
|
2018-07-19 12:29:11 -07:00
|
|
|
&xchk_refcountbt_rmap_check, &refchk);
|
|
|
|
|
if (!xchk_should_check_xref(sc, &error, &sc->sa.rmap_cur))
|
2018-01-16 18:53:08 -08:00
|
|
|
goto out_free;
|
|
|
|
|
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_refcountbt_process_rmap_fragments(&refchk);
|
2022-10-11 11:22:54 -07:00
|
|
|
if (irec->rc_refcount != refchk.seen)
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_btree_xref_set_corrupt(sc, sc->sa.rmap_cur, 0);
|
2018-01-16 18:53:08 -08:00
|
|
|
|
|
|
|
|
out_free:
|
|
|
|
|
list_for_each_entry_safe(frag, n, &refchk.fragments, list) {
|
|
|
|
|
list_del(&frag->list);
|
|
|
|
|
kmem_free(frag);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-01-16 18:53:05 -08:00
|
|
|
/* Cross-reference with the other btrees. */
|
|
|
|
|
STATIC void
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_refcountbt_xref(
|
2022-10-11 11:22:54 -07:00
|
|
|
struct xfs_scrub *sc,
|
|
|
|
|
const struct xfs_refcount_irec *irec)
|
2018-01-16 18:53:05 -08:00
|
|
|
{
|
|
|
|
|
if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)
|
|
|
|
|
return;
|
2018-01-16 18:53:06 -08:00
|
|
|
|
2022-10-11 11:22:54 -07:00
|
|
|
xchk_xref_is_used_space(sc, irec->rc_startblock, irec->rc_blockcount);
|
|
|
|
|
xchk_xref_is_not_inode_chunk(sc, irec->rc_startblock,
|
|
|
|
|
irec->rc_blockcount);
|
|
|
|
|
xchk_refcountbt_xref_rmap(sc, irec);
|
2018-01-16 18:53:05 -08:00
|
|
|
}
|
|
|
|
|
|
2017-10-17 21:37:41 -07:00
|
|
|
/* Scrub a refcountbt record. */
|
|
|
|
|
STATIC int
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_refcountbt_rec(
|
2018-07-19 12:29:12 -07:00
|
|
|
struct xchk_btree *bs,
|
2021-08-10 17:02:17 -07:00
|
|
|
const union xfs_btree_rec *rec)
|
2017-10-17 21:37:41 -07:00
|
|
|
{
|
2022-10-11 11:22:54 -07:00
|
|
|
struct xfs_refcount_irec irec;
|
2018-07-19 12:29:12 -07:00
|
|
|
xfs_agblock_t *cow_blocks = bs->private;
|
2022-07-07 19:13:02 +10:00
|
|
|
struct xfs_perag *pag = bs->cur->bc_ag.pag;
|
2017-10-17 21:37:41 -07:00
|
|
|
|
2022-10-11 11:22:54 -07:00
|
|
|
xfs_refcount_btrec_to_irec(rec, &irec);
|
2017-10-17 21:37:41 -07:00
|
|
|
|
|
|
|
|
/* Only CoW records can have refcount == 1. */
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 09:06:24 -07:00
|
|
|
if (irec.rc_domain == XFS_REFC_DOMAIN_SHARED && irec.rc_refcount == 1)
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_btree_set_corrupt(bs->sc, bs->cur, 0);
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 09:06:24 -07:00
|
|
|
if (irec.rc_domain == XFS_REFC_DOMAIN_COW) {
|
|
|
|
|
if (irec.rc_refcount != 1)
|
|
|
|
|
xchk_btree_set_corrupt(bs->sc, bs->cur, 0);
|
2022-10-11 11:22:54 -07:00
|
|
|
(*cow_blocks) += irec.rc_blockcount;
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 09:06:24 -07:00
|
|
|
}
|
2017-10-17 21:37:41 -07:00
|
|
|
|
|
|
|
|
/* Check the extent. */
|
2022-10-11 11:22:54 -07:00
|
|
|
if (!xfs_verify_agbext(pag, irec.rc_startblock, irec.rc_blockcount))
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_btree_set_corrupt(bs->sc, bs->cur, 0);
|
2017-10-17 21:37:41 -07:00
|
|
|
|
2022-10-11 11:22:54 -07:00
|
|
|
if (irec.rc_refcount == 0)
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_btree_set_corrupt(bs->sc, bs->cur, 0);
|
2017-10-17 21:37:41 -07:00
|
|
|
|
2022-10-11 11:22:54 -07:00
|
|
|
xchk_refcountbt_xref(bs->sc, &irec);
|
2018-01-16 18:53:05 -08:00
|
|
|
|
2019-09-30 11:31:48 -07:00
|
|
|
return 0;
|
2017-10-17 21:37:41 -07:00
|
|
|
}
|
|
|
|
|
|
2018-01-16 18:53:08 -08:00
|
|
|
/* Make sure we have as many refc blocks as the rmap says. */
|
|
|
|
|
STATIC void
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_refcount_xref_rmap(
|
2018-07-19 12:29:12 -07:00
|
|
|
struct xfs_scrub *sc,
|
2018-07-19 12:29:12 -07:00
|
|
|
xfs_filblks_t cow_blocks)
|
2018-01-16 18:53:08 -08:00
|
|
|
{
|
2018-07-19 12:29:12 -07:00
|
|
|
xfs_extlen_t refcbt_blocks = 0;
|
|
|
|
|
xfs_filblks_t blocks;
|
|
|
|
|
int error;
|
2018-01-16 18:53:08 -08:00
|
|
|
|
2018-07-19 12:29:11 -07:00
|
|
|
if (!sc->sa.rmap_cur || xchk_skip_xref(sc->sm))
|
2018-01-16 18:53:08 -08:00
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
/* Check that we saw as many refcbt blocks as the rmap knows about. */
|
|
|
|
|
error = xfs_btree_count_blocks(sc->sa.refc_cur, &refcbt_blocks);
|
2018-07-19 12:29:11 -07:00
|
|
|
if (!xchk_btree_process_error(sc, sc->sa.refc_cur, 0, &error))
|
2018-01-16 18:53:08 -08:00
|
|
|
return;
|
2018-12-12 08:46:23 -08:00
|
|
|
error = xchk_count_rmap_ownedby_ag(sc, sc->sa.rmap_cur,
|
|
|
|
|
&XFS_RMAP_OINFO_REFC, &blocks);
|
2018-07-19 12:29:11 -07:00
|
|
|
if (!xchk_should_check_xref(sc, &error, &sc->sa.rmap_cur))
|
2018-01-16 18:53:08 -08:00
|
|
|
return;
|
|
|
|
|
if (blocks != refcbt_blocks)
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_btree_xref_set_corrupt(sc, sc->sa.rmap_cur, 0);
|
2018-01-16 18:53:08 -08:00
|
|
|
|
|
|
|
|
/* Check that we saw as many cow blocks as the rmap knows about. */
|
2018-12-12 08:46:23 -08:00
|
|
|
error = xchk_count_rmap_ownedby_ag(sc, sc->sa.rmap_cur,
|
|
|
|
|
&XFS_RMAP_OINFO_COW, &blocks);
|
2018-07-19 12:29:11 -07:00
|
|
|
if (!xchk_should_check_xref(sc, &error, &sc->sa.rmap_cur))
|
2018-01-16 18:53:08 -08:00
|
|
|
return;
|
|
|
|
|
if (blocks != cow_blocks)
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_btree_xref_set_corrupt(sc, sc->sa.rmap_cur, 0);
|
2018-01-16 18:53:08 -08:00
|
|
|
}
|
|
|
|
|
|
2017-10-17 21:37:41 -07:00
|
|
|
/* Scrub the refcount btree for some AG. */
|
|
|
|
|
int
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_refcountbt(
|
2018-07-19 12:29:12 -07:00
|
|
|
struct xfs_scrub *sc)
|
2017-10-17 21:37:41 -07:00
|
|
|
{
|
2018-07-19 12:29:12 -07:00
|
|
|
xfs_agblock_t cow_blocks = 0;
|
|
|
|
|
int error;
|
2017-10-17 21:37:41 -07:00
|
|
|
|
2018-07-19 12:29:11 -07:00
|
|
|
error = xchk_btree(sc, sc->sa.refc_cur, xchk_refcountbt_rec,
|
2018-12-12 08:46:23 -08:00
|
|
|
&XFS_RMAP_OINFO_REFC, &cow_blocks);
|
2018-01-16 18:53:08 -08:00
|
|
|
if (error)
|
|
|
|
|
return error;
|
|
|
|
|
|
2018-12-12 08:46:23 -08:00
|
|
|
xchk_refcount_xref_rmap(sc, cow_blocks);
|
2018-01-16 18:53:08 -08:00
|
|
|
|
|
|
|
|
return 0;
|
2017-10-17 21:37:41 -07:00
|
|
|
}
|
2018-01-16 18:53:09 -08:00
|
|
|
|
|
|
|
|
/* xref check that a cow staging extent is marked in the refcountbt. */
|
|
|
|
|
void
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_xref_is_cow_staging(
|
2018-07-19 12:29:12 -07:00
|
|
|
struct xfs_scrub *sc,
|
2018-01-16 18:53:09 -08:00
|
|
|
xfs_agblock_t agbno,
|
|
|
|
|
xfs_extlen_t len)
|
|
|
|
|
{
|
|
|
|
|
struct xfs_refcount_irec rc;
|
|
|
|
|
int has_refcount;
|
|
|
|
|
int error;
|
|
|
|
|
|
2018-07-19 12:29:11 -07:00
|
|
|
if (!sc->sa.refc_cur || xchk_skip_xref(sc->sm))
|
2018-01-16 18:53:09 -08:00
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
/* Find the CoW staging extent. */
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 09:06:24 -07:00
|
|
|
error = xfs_refcount_lookup_le(sc->sa.refc_cur, XFS_REFC_DOMAIN_COW,
|
|
|
|
|
agbno, &has_refcount);
|
2018-07-19 12:29:11 -07:00
|
|
|
if (!xchk_should_check_xref(sc, &error, &sc->sa.refc_cur))
|
2018-01-16 18:53:09 -08:00
|
|
|
return;
|
|
|
|
|
if (!has_refcount) {
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_btree_xref_set_corrupt(sc, sc->sa.refc_cur, 0);
|
2018-01-16 18:53:09 -08:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
error = xfs_refcount_get_rec(sc->sa.refc_cur, &rc, &has_refcount);
|
2018-07-19 12:29:11 -07:00
|
|
|
if (!xchk_should_check_xref(sc, &error, &sc->sa.refc_cur))
|
2018-01-16 18:53:09 -08:00
|
|
|
return;
|
|
|
|
|
if (!has_refcount) {
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_btree_xref_set_corrupt(sc, sc->sa.refc_cur, 0);
|
2018-01-16 18:53:09 -08:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* CoW flag must be set, refcount must be 1. */
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 09:06:24 -07:00
|
|
|
if (rc.rc_domain != XFS_REFC_DOMAIN_COW || rc.rc_refcount != 1)
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_btree_xref_set_corrupt(sc, sc->sa.refc_cur, 0);
|
2018-01-16 18:53:09 -08:00
|
|
|
|
|
|
|
|
/* Must be at least as long as what was passed in */
|
|
|
|
|
if (rc.rc_blockcount < len)
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_btree_xref_set_corrupt(sc, sc->sa.refc_cur, 0);
|
2018-01-16 18:53:09 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* xref check that the extent is not shared. Only file data blocks
|
|
|
|
|
* can have multiple owners.
|
|
|
|
|
*/
|
|
|
|
|
void
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_xref_is_not_shared(
|
2018-07-19 12:29:12 -07:00
|
|
|
struct xfs_scrub *sc,
|
2018-07-19 12:29:12 -07:00
|
|
|
xfs_agblock_t agbno,
|
|
|
|
|
xfs_extlen_t len)
|
2018-01-16 18:53:09 -08:00
|
|
|
{
|
2018-07-19 12:29:12 -07:00
|
|
|
bool shared;
|
|
|
|
|
int error;
|
2018-01-16 18:53:09 -08:00
|
|
|
|
2018-07-19 12:29:11 -07:00
|
|
|
if (!sc->sa.refc_cur || xchk_skip_xref(sc->sm))
|
2018-01-16 18:53:09 -08:00
|
|
|
return;
|
|
|
|
|
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 09:06:24 -07:00
|
|
|
error = xfs_refcount_has_record(sc->sa.refc_cur, XFS_REFC_DOMAIN_SHARED,
|
|
|
|
|
agbno, len, &shared);
|
2018-07-19 12:29:11 -07:00
|
|
|
if (!xchk_should_check_xref(sc, &error, &sc->sa.refc_cur))
|
2018-01-16 18:53:09 -08:00
|
|
|
return;
|
|
|
|
|
if (shared)
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_btree_xref_set_corrupt(sc, sc->sa.refc_cur, 0);
|
2018-01-16 18:53:09 -08:00
|
|
|
}
|