From: "Darrick J. Wong" <djwong@kernel.org>
To: Christoph Hellwig <hch@infradead.org>
Cc: linux-xfs@vger.kernel.org
Subject: Re: [PATCH 1/1] xfs: online repair of symbolic links
Date: Wed, 28 Feb 2024 15:46:30 -0800
Message-ID: <20240228234630.GV1927156@frogsfrogsfrogs>
In-Reply-To: <Zd-vaC5xjJ_YgeD6@infradead.org>

On Wed, Feb 28, 2024 at 02:10:48PM -0800, Christoph Hellwig wrote:
> On Wed, Feb 28, 2024 at 12:52:13PM -0800, Darrick J. Wong wrote:
> > I overlooked something this morning -- if the caller passes in
> > XFS_SCRUB_IFLAG_FORCE_REBUILD, that might be the free space defragmenter
> > trying to get us to move the remote target block somewhere else.  For
> > that usecase, if the symlink scrub doesn't find any problems and we read
> > in exactly i_size bytes, I think we want to write that back to the
> > symlink, and not the DUMMY_TARGET.
> 
> Yes, I think we really want that :) 

I'm glad we agree.

> > Something like:
> > 
> > 	if (FORCE_REBUILD && !CORRUPT) {
> 
> Maybe I need to read the code a little more, but shouldn't this
> simply be !corrupt?  Or an assert that if it is not corrupt it is
> a force rebuild?  Or am I missing a use case for !corrupt &&
> !force_rebuild?

Hmmmm.  You're right, I think that should merely be !corrupt.

I was trying to be cautious by checking FORCE_REBUILD, but there are
other ways to end up in repair -- if something sets PREEN, for example.
That won't happen for symbolic links (at least not today) but I could
also not leave such a logic bomb. :)

> > 	/*
> > 	 * Change an empty target into a dummy target and clear the symlink
> > 	 * target zapped flag.
> > 	 */
> > 	if (target_buf[0] == 0) {
> > 		sc->sick_mask |= XFS_SICK_INO_SYMLINK_ZAPPED;
> > 		sprintf(target_buf, DUMMY_TARGET);
> > 	}
> > 
> > Can we allow that without risking truncation making the symlink point to
> > some unintended place?
> 
> I can't think of anything that would truncate it, what do you have in
> mind?

I think the answer to my question is "No".

If scrub (or the regular verifiers) hit anything, then we end up in
symlink_repair.c with CORRUPT set.  In this case we set the target to
DUMMY_TARGET.

If the salvage functions recover fewer bytes than i_disk_size, then
we'll set the target to DUMMY_TARGET because that could lead to things
like:

0. touch autoexec autoexec@bat
1. ln -s 'autoexec@bat' victimlink
2. corrupt victimlink by 's/@/\0/g' on the target
3. repair salvages the target and ends up with 'autoexec'

Alternately:

0. touch autoexec autoexec@bat
1. ln -s 'autoexec@bat' victimlink
2. corrupt victimlink by incrementing di_size (it's now 13)
3. repair salvages the target and ends up with "autoexec@bat\0"

In both of those cases, something's inconsistent between the buffer
contents and di_size.  There aren't supposed to be nulls in the target,
but whatever might have been in that byte originally is long gone.  The
only thing to do here is replace it with DUMMY_TARGET.

If salvage recovers more bytes than i_disk_size then we have no idea if
di_size was broken or not because the target isn't null-terminated.
In theory the kernel will never do this (because it zeroes the xfs_buf
contents in xfs_trans_buf_get) but fuzzers could do that.

So yeah, I think the salvage code should be:

	buflen = 0;

	if (!(sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)) {
		if (sc->ip->i_df.if_format == XFS_DINODE_FMT_LOCAL)
			buflen = xrep_symlink_salvage_inline(sc);
		else
			buflen = xrep_symlink_salvage_remote(sc);
		if (buflen < 0)
			return buflen;

		/*
		 * NULL-terminate the buffer because the ondisk target does not
		 * do that for us.  If salvage didn't find the exact amount of
		 * data that we expected to find, don't salvage anything.
		 */
		target_buf[buflen] = 0;
		if (strlen(target_buf) != sc->ip->i_disk_size)
			buflen = 0;
	}

	/*
	 * Change an empty target into a dummy target and clear the symlink
	 * target zapped flag.
	 */
	if (buflen == 0) {
		sc->sick_mask |= XFS_SICK_INO_SYMLINK_ZAPPED;
		sprintf(target_buf, DUMMY_TARGET);
	}

--D
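The salvage decision this reply sketches, reduced to a user-space model so the two corruption scenarios above can be run side by side. This is an added example, not code from the patch or the XFS tree: salvage_symlink(), the text of DUMMY_TARGET, the buffer size and the "on-disk" byte arrays are constructed stand-ins, and the kernel's xrep_symlink_salvage_inline()/_remote() readers are replaced by a plain copy from the constructed array. What it shows is that the single check "strlen(target_buf) != di_size" rejects both the embedded-NUL target and the di_size-off-by-one target, as well as a target that is longer than di_size, while leaving an intact target untouched.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the kernel's limits and placeholder target. */
#define TARGET_BUFSIZE 64
#define DUMMY_TARGET   "(symlink target zapped by repair)"  /* hypothetical text */

enum salvage_result { SALVAGE_KEPT, SALVAGE_ZAPPED };

/*
 * Model of the salvage logic from the message: copy whatever the on-disk
 * reader returned into target_buf, NUL-terminate it ourselves (the ondisk
 * format does not), and keep the result only if its C-string length equals
 * di_size exactly.  A shorter strlen means an embedded NUL or a di_size that
 * is too large; a longer strlen means di_size is too small or the buffer
 * carried extra bytes.  Anything other than an exact match, or an inode
 * already flagged CORRUPT, is replaced with DUMMY_TARGET.
 */
enum salvage_result salvage_symlink(const unsigned char *ondisk, size_t ondisk_len,
                                    uint64_t di_size, int corrupt,
                                    char *target_buf, size_t bufsize)
{
    size_t buflen = 0;

    if (!corrupt) {
        /* the real readers stop at the symlink length limit; mimic that */
        buflen = ondisk_len < bufsize - 1 ? ondisk_len : bufsize - 1;
        memcpy(target_buf, ondisk, buflen);
        target_buf[buflen] = '\0';

        /* recovered data must match the inode's idea of its own size */
        if (strlen(target_buf) != di_size)
            buflen = 0;
    }

    if (buflen == 0) {
        /* empty or inconsistent target: zap it, as the kernel does */
        snprintf(target_buf, bufsize, "%s", DUMMY_TARGET);
        return SALVAGE_ZAPPED;
    }
    return SALVAGE_KEPT;
}

int main(void)
{
    char buf[TARGET_BUFSIZE];

    /* constructed scenarios; the first is the healthy link from the message */
    struct {
        const char *name;
        const unsigned char *data;
        size_t len;
        uint64_t di_size;
        int corrupt;
    } cases[] = {
        { "intact",            (const unsigned char *)"autoexec@bat",   12, 12, 0 },
        { "embedded NUL",      (const unsigned char *)"autoexec\0bat",  12, 12, 0 },
        { "di_size too large", (const unsigned char *)"autoexec@bat\0", 13, 13, 0 },
        { "extra byte",        (const unsigned char *)"autoexec@batX",  13, 12, 0 },
        { "flagged corrupt",   (const unsigned char *)"autoexec@bat",   12, 12, 1 },
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        enum salvage_result r = salvage_symlink(cases[i].data, cases[i].len,
                                               cases[i].di_size, cases[i].corrupt,
                                               buf, sizeof(buf));
        printf("%-18s -> %s: \"%s\"\n", cases[i].name,
               r == SALVAGE_KEPT ? "kept  " : "zapped", buf);
    }
    return 0;
}
```

Only the "intact" case survives; every other row ends up pointing at the dummy target rather than at a truncated or padded name that happens to exist on the filesystem.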

