2018-06-06 02:42:14 +00:00
|
|
|
// SPDX-License-Identifier: GPL-2.0+
|
2016-10-03 16:11:19 +00:00
|
|
|
/*
|
|
|
|
* Copyright (C) 2016 Oracle. All Rights Reserved.
|
|
|
|
* Author: Darrick J. Wong <darrick.wong@oracle.com>
|
|
|
|
*/
|
|
|
|
#include "xfs.h"
|
|
|
|
#include "xfs_fs.h"
|
|
|
|
#include "xfs_shared.h"
|
|
|
|
#include "xfs_format.h"
|
|
|
|
#include "xfs_log_format.h"
|
|
|
|
#include "xfs_trans_resv.h"
|
|
|
|
#include "xfs_mount.h"
|
|
|
|
#include "xfs_defer.h"
|
|
|
|
#include "xfs_btree.h"
|
|
|
|
#include "xfs_bmap.h"
|
|
|
|
#include "xfs_refcount_btree.h"
|
|
|
|
#include "xfs_alloc.h"
|
2017-10-31 19:04:49 +00:00
|
|
|
#include "xfs_errortag.h"
|
2016-10-03 16:11:19 +00:00
|
|
|
#include "xfs_error.h"
|
|
|
|
#include "xfs_trace.h"
|
|
|
|
#include "xfs_trans.h"
|
|
|
|
#include "xfs_bit.h"
|
|
|
|
#include "xfs_refcount.h"
|
2016-10-03 16:11:39 +00:00
|
|
|
#include "xfs_rmap.h"
|
2021-06-02 00:48:24 +00:00
|
|
|
#include "xfs_ag.h"
|
2016-10-03 16:11:19 +00:00
|
|
|
|
2021-10-12 21:11:01 +00:00
|
|
|
struct kmem_cache *xfs_refcount_intent_cache;
|
|
|
|
|
2016-10-03 16:11:21 +00:00
|
|
|
/* Allowable refcount adjustment amounts. */
|
|
|
|
enum xfs_refc_adjust_op {
|
|
|
|
XFS_REFCOUNT_ADJUST_INCREASE = 1,
|
|
|
|
XFS_REFCOUNT_ADJUST_DECREASE = -1,
|
2016-10-03 16:11:39 +00:00
|
|
|
XFS_REFCOUNT_ADJUST_COW_ALLOC = 0,
|
|
|
|
XFS_REFCOUNT_ADJUST_COW_FREE = -1,
|
2016-10-03 16:11:21 +00:00
|
|
|
};
|
|
|
|
|
2016-10-03 16:11:39 +00:00
|
|
|
STATIC int __xfs_refcount_cow_alloc(struct xfs_btree_cur *rcur,
|
2018-08-01 14:20:34 +00:00
|
|
|
xfs_agblock_t agbno, xfs_extlen_t aglen);
|
2016-10-03 16:11:39 +00:00
|
|
|
STATIC int __xfs_refcount_cow_free(struct xfs_btree_cur *rcur,
|
2018-08-01 14:20:34 +00:00
|
|
|
xfs_agblock_t agbno, xfs_extlen_t aglen);
|
2016-10-03 16:11:39 +00:00
|
|
|
|
2016-10-03 16:11:19 +00:00
|
|
|
/*
|
|
|
|
* Look up the first record less than or equal to [bno, len] in the btree
|
|
|
|
* given by cur.
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
xfs_refcount_lookup_le(
|
|
|
|
struct xfs_btree_cur *cur,
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
enum xfs_refc_domain domain,
|
2016-10-03 16:11:19 +00:00
|
|
|
xfs_agblock_t bno,
|
|
|
|
int *stat)
|
|
|
|
{
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
trace_xfs_refcount_lookup(cur->bc_mp, cur->bc_ag.pag->pag_agno,
|
|
|
|
xfs_refcount_encode_startblock(bno, domain),
|
2016-10-03 16:11:19 +00:00
|
|
|
XFS_LOOKUP_LE);
|
|
|
|
cur->bc_rec.rc.rc_startblock = bno;
|
|
|
|
cur->bc_rec.rc.rc_blockcount = 0;
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
cur->bc_rec.rc.rc_domain = domain;
|
2016-10-03 16:11:19 +00:00
|
|
|
return xfs_btree_lookup(cur, XFS_LOOKUP_LE, stat);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Look up the first record greater than or equal to [bno, len] in the btree
|
|
|
|
* given by cur.
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
xfs_refcount_lookup_ge(
|
|
|
|
struct xfs_btree_cur *cur,
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
enum xfs_refc_domain domain,
|
2016-10-03 16:11:19 +00:00
|
|
|
xfs_agblock_t bno,
|
|
|
|
int *stat)
|
|
|
|
{
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
trace_xfs_refcount_lookup(cur->bc_mp, cur->bc_ag.pag->pag_agno,
|
|
|
|
xfs_refcount_encode_startblock(bno, domain),
|
2016-10-03 16:11:19 +00:00
|
|
|
XFS_LOOKUP_GE);
|
|
|
|
cur->bc_rec.rc.rc_startblock = bno;
|
|
|
|
cur->bc_rec.rc.rc_blockcount = 0;
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
cur->bc_rec.rc.rc_domain = domain;
|
2016-10-03 16:11:19 +00:00
|
|
|
return xfs_btree_lookup(cur, XFS_LOOKUP_GE, stat);
|
|
|
|
}
|
|
|
|
|
2018-05-09 17:02:03 +00:00
|
|
|
/*
|
|
|
|
* Look up the first record equal to [bno, len] in the btree
|
|
|
|
* given by cur.
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
xfs_refcount_lookup_eq(
|
|
|
|
struct xfs_btree_cur *cur,
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
enum xfs_refc_domain domain,
|
2018-05-09 17:02:03 +00:00
|
|
|
xfs_agblock_t bno,
|
|
|
|
int *stat)
|
|
|
|
{
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
trace_xfs_refcount_lookup(cur->bc_mp, cur->bc_ag.pag->pag_agno,
|
|
|
|
xfs_refcount_encode_startblock(bno, domain),
|
2018-05-09 17:02:03 +00:00
|
|
|
XFS_LOOKUP_LE);
|
|
|
|
cur->bc_rec.rc.rc_startblock = bno;
|
|
|
|
cur->bc_rec.rc.rc_blockcount = 0;
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
cur->bc_rec.rc.rc_domain = domain;
|
2018-05-09 17:02:03 +00:00
|
|
|
return xfs_btree_lookup(cur, XFS_LOOKUP_EQ, stat);
|
|
|
|
}
|
|
|
|
|
2016-10-03 16:11:39 +00:00
|
|
|
/* Convert on-disk record to in-core format. */
|
2018-05-09 17:02:02 +00:00
|
|
|
void
|
2016-10-03 16:11:39 +00:00
|
|
|
xfs_refcount_btrec_to_irec(
|
2021-08-11 00:02:16 +00:00
|
|
|
const union xfs_btree_rec *rec,
|
2016-10-03 16:11:39 +00:00
|
|
|
struct xfs_refcount_irec *irec)
|
|
|
|
{
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
uint32_t start;
|
|
|
|
|
|
|
|
start = be32_to_cpu(rec->refc.rc_startblock);
|
2022-10-10 18:13:20 +00:00
|
|
|
if (start & XFS_REFC_COWFLAG) {
|
|
|
|
start &= ~XFS_REFC_COWFLAG;
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
irec->rc_domain = XFS_REFC_DOMAIN_COW;
|
|
|
|
} else {
|
|
|
|
irec->rc_domain = XFS_REFC_DOMAIN_SHARED;
|
|
|
|
}
|
|
|
|
|
|
|
|
irec->rc_startblock = start;
|
2016-10-03 16:11:39 +00:00
|
|
|
irec->rc_blockcount = be32_to_cpu(rec->refc.rc_blockcount);
|
|
|
|
irec->rc_refcount = be32_to_cpu(rec->refc.rc_refcount);
|
|
|
|
}
|
|
|
|
|
2023-04-12 02:00:02 +00:00
|
|
|
/* Simple checks for refcount records. */
|
|
|
|
xfs_failaddr_t
|
|
|
|
xfs_refcount_check_irec(
|
2023-12-15 18:03:33 +00:00
|
|
|
struct xfs_perag *pag,
|
2023-04-12 02:00:02 +00:00
|
|
|
const struct xfs_refcount_irec *irec)
|
|
|
|
{
|
|
|
|
if (irec->rc_blockcount == 0 || irec->rc_blockcount > MAXREFCEXTLEN)
|
|
|
|
return __this_address;
|
|
|
|
|
|
|
|
if (!xfs_refcount_check_domain(irec))
|
|
|
|
return __this_address;
|
|
|
|
|
|
|
|
/* check for valid extent range, including overflow */
|
|
|
|
if (!xfs_verify_agbext(pag, irec->rc_startblock, irec->rc_blockcount))
|
|
|
|
return __this_address;
|
|
|
|
|
|
|
|
if (irec->rc_refcount == 0 || irec->rc_refcount > MAXREFCOUNT)
|
|
|
|
return __this_address;
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2023-04-12 02:00:04 +00:00
|
|
|
static inline int
|
|
|
|
xfs_refcount_complain_bad_rec(
|
|
|
|
struct xfs_btree_cur *cur,
|
|
|
|
xfs_failaddr_t fa,
|
|
|
|
const struct xfs_refcount_irec *irec)
|
|
|
|
{
|
|
|
|
struct xfs_mount *mp = cur->bc_mp;
|
|
|
|
|
|
|
|
xfs_warn(mp,
|
|
|
|
"Refcount BTree record corruption in AG %d detected at %pS!",
|
|
|
|
cur->bc_ag.pag->pag_agno, fa);
|
|
|
|
xfs_warn(mp,
|
|
|
|
"Start block 0x%x, block count 0x%x, references 0x%x",
|
|
|
|
irec->rc_startblock, irec->rc_blockcount, irec->rc_refcount);
|
|
|
|
return -EFSCORRUPTED;
|
|
|
|
}
|
|
|
|
|
2016-10-03 16:11:19 +00:00
|
|
|
/*
|
|
|
|
* Get the data from the pointed-to record.
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
xfs_refcount_get_rec(
|
|
|
|
struct xfs_btree_cur *cur,
|
|
|
|
struct xfs_refcount_irec *irec,
|
|
|
|
int *stat)
|
|
|
|
{
|
2016-10-03 16:11:39 +00:00
|
|
|
union xfs_btree_rec *rec;
|
2023-04-12 02:00:02 +00:00
|
|
|
xfs_failaddr_t fa;
|
2016-10-03 16:11:39 +00:00
|
|
|
int error;
|
2016-10-03 16:11:19 +00:00
|
|
|
|
|
|
|
error = xfs_btree_get_rec(cur, &rec, stat);
|
2018-06-06 02:42:13 +00:00
|
|
|
if (error || !*stat)
|
|
|
|
return error;
|
|
|
|
|
|
|
|
xfs_refcount_btrec_to_irec(rec, irec);
|
2023-12-15 18:03:33 +00:00
|
|
|
fa = xfs_refcount_check_irec(cur->bc_ag.pag, irec);
|
2023-04-12 02:00:02 +00:00
|
|
|
if (fa)
|
2023-04-12 02:00:04 +00:00
|
|
|
return xfs_refcount_complain_bad_rec(cur, fa, irec);
|
2018-06-06 02:42:13 +00:00
|
|
|
|
2023-04-12 02:00:04 +00:00
|
|
|
trace_xfs_refcount_get(cur->bc_mp, cur->bc_ag.pag->pag_agno, irec);
|
2018-06-06 02:42:13 +00:00
|
|
|
return 0;
|
2016-10-03 16:11:19 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Update the record referred to by cur to the value given
|
|
|
|
* by [bno, len, refcount].
|
|
|
|
* This either works (return 0) or gets an EFSCORRUPTED error.
|
|
|
|
*/
|
|
|
|
STATIC int
|
|
|
|
xfs_refcount_update(
|
|
|
|
struct xfs_btree_cur *cur,
|
|
|
|
struct xfs_refcount_irec *irec)
|
|
|
|
{
|
|
|
|
union xfs_btree_rec rec;
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
uint32_t start;
|
2016-10-03 16:11:19 +00:00
|
|
|
int error;
|
|
|
|
|
2021-06-02 00:48:24 +00:00
|
|
|
trace_xfs_refcount_update(cur->bc_mp, cur->bc_ag.pag->pag_agno, irec);
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
|
|
|
|
start = xfs_refcount_encode_startblock(irec->rc_startblock,
|
|
|
|
irec->rc_domain);
|
|
|
|
rec.refc.rc_startblock = cpu_to_be32(start);
|
2016-10-03 16:11:19 +00:00
|
|
|
rec.refc.rc_blockcount = cpu_to_be32(irec->rc_blockcount);
|
|
|
|
rec.refc.rc_refcount = cpu_to_be32(irec->rc_refcount);
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
|
2016-10-03 16:11:19 +00:00
|
|
|
error = xfs_btree_update(cur, &rec);
|
|
|
|
if (error)
|
|
|
|
trace_xfs_refcount_update_error(cur->bc_mp,
|
2021-06-02 00:48:24 +00:00
|
|
|
cur->bc_ag.pag->pag_agno, error, _RET_IP_);
|
2016-10-03 16:11:19 +00:00
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Insert the record referred to by cur to the value given
|
|
|
|
* by [bno, len, refcount].
|
|
|
|
* This either works (return 0) or gets an EFSCORRUPTED error.
|
|
|
|
*/
|
2018-05-09 17:02:02 +00:00
|
|
|
int
|
2016-10-03 16:11:19 +00:00
|
|
|
xfs_refcount_insert(
|
|
|
|
struct xfs_btree_cur *cur,
|
|
|
|
struct xfs_refcount_irec *irec,
|
|
|
|
int *i)
|
|
|
|
{
|
|
|
|
int error;
|
|
|
|
|
2021-06-02 00:48:24 +00:00
|
|
|
trace_xfs_refcount_insert(cur->bc_mp, cur->bc_ag.pag->pag_agno, irec);
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
|
2016-10-03 16:11:19 +00:00
|
|
|
cur->bc_rec.rc.rc_startblock = irec->rc_startblock;
|
|
|
|
cur->bc_rec.rc.rc_blockcount = irec->rc_blockcount;
|
|
|
|
cur->bc_rec.rc.rc_refcount = irec->rc_refcount;
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
cur->bc_rec.rc.rc_domain = irec->rc_domain;
|
|
|
|
|
2016-10-03 16:11:19 +00:00
|
|
|
error = xfs_btree_insert(cur, i);
|
2018-05-31 23:49:00 +00:00
|
|
|
if (error)
|
|
|
|
goto out_error;
|
xfs: kill the XFS_WANT_CORRUPT_* macros
The XFS_WANT_CORRUPT_* macros conceal subtle side effects such as the
creation of local variables and redirections of the code flow. This is
pretty ugly, so replace them with explicit XFS_IS_CORRUPT tests that
remove both of those ugly points. The change was performed with the
following coccinelle script:
@@
expression mp, test;
identifier label;
@@
- XFS_WANT_CORRUPTED_GOTO(mp, test, label);
+ if (XFS_IS_CORRUPT(mp, !test)) { error = -EFSCORRUPTED; goto label; }
@@
expression mp, test;
@@
- XFS_WANT_CORRUPTED_RETURN(mp, test);
+ if (XFS_IS_CORRUPT(mp, !test)) return -EFSCORRUPTED;
@@
expression mp, lval, rval;
@@
- XFS_IS_CORRUPT(mp, !(lval == rval))
+ XFS_IS_CORRUPT(mp, lval != rval)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 && e2))
+ XFS_IS_CORRUPT(mp, !e1 || !e2)
@@
expression e1, e2;
@@
- !(e1 == e2)
+ e1 != e2
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 && e3 == e4) || e5 != e6
+ e1 != e2 || e3 != e4 || e5 != e6
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 || (e3 <= e4 && e5 <= e6))
+ e1 != e2 && (e3 > e4 || e5 > e6)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2))
+ XFS_IS_CORRUPT(mp, e1 > e2)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 < e2))
+ XFS_IS_CORRUPT(mp, e1 >= e2)
@@
expression mp, e1;
@@
- XFS_IS_CORRUPT(mp, !!e1)
+ XFS_IS_CORRUPT(mp, e1)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 || e2))
+ XFS_IS_CORRUPT(mp, !e1 && !e2)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 == e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 != e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2) || !(e3 >= e4))
+ XFS_IS_CORRUPT(mp, e1 > e2 || e3 < e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 <= e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 > e4)
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2019-11-11 20:52:18 +00:00
|
|
|
if (XFS_IS_CORRUPT(cur->bc_mp, *i != 1)) {
|
|
|
|
error = -EFSCORRUPTED;
|
|
|
|
goto out_error;
|
|
|
|
}
|
2018-05-31 23:49:00 +00:00
|
|
|
|
2016-10-03 16:11:19 +00:00
|
|
|
out_error:
|
|
|
|
if (error)
|
|
|
|
trace_xfs_refcount_insert_error(cur->bc_mp,
|
2021-06-02 00:48:24 +00:00
|
|
|
cur->bc_ag.pag->pag_agno, error, _RET_IP_);
|
2016-10-03 16:11:19 +00:00
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Remove the record referred to by cur, then set the pointer to the spot
|
|
|
|
* where the record could be re-inserted, in case we want to increment or
|
|
|
|
* decrement the cursor.
|
|
|
|
* This either works (return 0) or gets an EFSCORRUPTED error.
|
|
|
|
*/
|
|
|
|
STATIC int
|
|
|
|
xfs_refcount_delete(
|
|
|
|
struct xfs_btree_cur *cur,
|
|
|
|
int *i)
|
|
|
|
{
|
|
|
|
struct xfs_refcount_irec irec;
|
|
|
|
int found_rec;
|
|
|
|
int error;
|
|
|
|
|
|
|
|
error = xfs_refcount_get_rec(cur, &irec, &found_rec);
|
|
|
|
if (error)
|
|
|
|
goto out_error;
|
xfs: kill the XFS_WANT_CORRUPT_* macros
The XFS_WANT_CORRUPT_* macros conceal subtle side effects such as the
creation of local variables and redirections of the code flow. This is
pretty ugly, so replace them with explicit XFS_IS_CORRUPT tests that
remove both of those ugly points. The change was performed with the
following coccinelle script:
@@
expression mp, test;
identifier label;
@@
- XFS_WANT_CORRUPTED_GOTO(mp, test, label);
+ if (XFS_IS_CORRUPT(mp, !test)) { error = -EFSCORRUPTED; goto label; }
@@
expression mp, test;
@@
- XFS_WANT_CORRUPTED_RETURN(mp, test);
+ if (XFS_IS_CORRUPT(mp, !test)) return -EFSCORRUPTED;
@@
expression mp, lval, rval;
@@
- XFS_IS_CORRUPT(mp, !(lval == rval))
+ XFS_IS_CORRUPT(mp, lval != rval)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 && e2))
+ XFS_IS_CORRUPT(mp, !e1 || !e2)
@@
expression e1, e2;
@@
- !(e1 == e2)
+ e1 != e2
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 && e3 == e4) || e5 != e6
+ e1 != e2 || e3 != e4 || e5 != e6
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 || (e3 <= e4 && e5 <= e6))
+ e1 != e2 && (e3 > e4 || e5 > e6)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2))
+ XFS_IS_CORRUPT(mp, e1 > e2)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 < e2))
+ XFS_IS_CORRUPT(mp, e1 >= e2)
@@
expression mp, e1;
@@
- XFS_IS_CORRUPT(mp, !!e1)
+ XFS_IS_CORRUPT(mp, e1)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 || e2))
+ XFS_IS_CORRUPT(mp, !e1 && !e2)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 == e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 != e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2) || !(e3 >= e4))
+ XFS_IS_CORRUPT(mp, e1 > e2 || e3 < e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 <= e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 > e4)
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2019-11-11 20:52:18 +00:00
|
|
|
if (XFS_IS_CORRUPT(cur->bc_mp, found_rec != 1)) {
|
|
|
|
error = -EFSCORRUPTED;
|
|
|
|
goto out_error;
|
|
|
|
}
|
2021-06-02 00:48:24 +00:00
|
|
|
trace_xfs_refcount_delete(cur->bc_mp, cur->bc_ag.pag->pag_agno, &irec);
|
2016-10-03 16:11:19 +00:00
|
|
|
error = xfs_btree_delete(cur, i);
|
xfs: kill the XFS_WANT_CORRUPT_* macros
The XFS_WANT_CORRUPT_* macros conceal subtle side effects such as the
creation of local variables and redirections of the code flow. This is
pretty ugly, so replace them with explicit XFS_IS_CORRUPT tests that
remove both of those ugly points. The change was performed with the
following coccinelle script:
@@
expression mp, test;
identifier label;
@@
- XFS_WANT_CORRUPTED_GOTO(mp, test, label);
+ if (XFS_IS_CORRUPT(mp, !test)) { error = -EFSCORRUPTED; goto label; }
@@
expression mp, test;
@@
- XFS_WANT_CORRUPTED_RETURN(mp, test);
+ if (XFS_IS_CORRUPT(mp, !test)) return -EFSCORRUPTED;
@@
expression mp, lval, rval;
@@
- XFS_IS_CORRUPT(mp, !(lval == rval))
+ XFS_IS_CORRUPT(mp, lval != rval)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 && e2))
+ XFS_IS_CORRUPT(mp, !e1 || !e2)
@@
expression e1, e2;
@@
- !(e1 == e2)
+ e1 != e2
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 && e3 == e4) || e5 != e6
+ e1 != e2 || e3 != e4 || e5 != e6
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 || (e3 <= e4 && e5 <= e6))
+ e1 != e2 && (e3 > e4 || e5 > e6)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2))
+ XFS_IS_CORRUPT(mp, e1 > e2)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 < e2))
+ XFS_IS_CORRUPT(mp, e1 >= e2)
@@
expression mp, e1;
@@
- XFS_IS_CORRUPT(mp, !!e1)
+ XFS_IS_CORRUPT(mp, e1)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 || e2))
+ XFS_IS_CORRUPT(mp, !e1 && !e2)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 == e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 != e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2) || !(e3 >= e4))
+ XFS_IS_CORRUPT(mp, e1 > e2 || e3 < e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 <= e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 > e4)
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2019-11-11 20:52:18 +00:00
|
|
|
if (XFS_IS_CORRUPT(cur->bc_mp, *i != 1)) {
|
|
|
|
error = -EFSCORRUPTED;
|
|
|
|
goto out_error;
|
|
|
|
}
|
2016-10-03 16:11:19 +00:00
|
|
|
if (error)
|
|
|
|
goto out_error;
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
error = xfs_refcount_lookup_ge(cur, irec.rc_domain, irec.rc_startblock,
|
|
|
|
&found_rec);
|
2016-10-03 16:11:19 +00:00
|
|
|
out_error:
|
|
|
|
if (error)
|
|
|
|
trace_xfs_refcount_delete_error(cur->bc_mp,
|
2021-06-02 00:48:24 +00:00
|
|
|
cur->bc_ag.pag->pag_agno, error, _RET_IP_);
|
2016-10-03 16:11:19 +00:00
|
|
|
return error;
|
|
|
|
}
|
2016-10-03 16:11:21 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Adjusting the Reference Count
|
|
|
|
*
|
|
|
|
* As stated elsewhere, the reference count btree (refcbt) stores
|
|
|
|
* >1 reference counts for extents of physical blocks. In this
|
|
|
|
* operation, we're either raising or lowering the reference count of
|
|
|
|
* some subrange stored in the tree:
|
|
|
|
*
|
|
|
|
* <------ adjustment range ------>
|
|
|
|
* ----+ +---+-----+ +--+--------+---------
|
|
|
|
* 2 | | 3 | 4 | |17| 55 | 10
|
|
|
|
* ----+ +---+-----+ +--+--------+---------
|
|
|
|
* X axis is physical blocks number;
|
|
|
|
* reference counts are the numbers inside the rectangles
|
|
|
|
*
|
|
|
|
* The first thing we need to do is to ensure that there are no
|
|
|
|
* refcount extents crossing either boundary of the range to be
|
|
|
|
* adjusted. For any extent that does cross a boundary, split it into
|
|
|
|
* two extents so that we can increment the refcount of one of the
|
|
|
|
* pieces later:
|
|
|
|
*
|
|
|
|
* <------ adjustment range ------>
|
|
|
|
* ----+ +---+-----+ +--+--------+----+----
|
|
|
|
* 2 | | 3 | 2 | |17| 55 | 10 | 10
|
|
|
|
* ----+ +---+-----+ +--+--------+----+----
|
|
|
|
*
|
|
|
|
* For this next step, let's assume that all the physical blocks in
|
|
|
|
* the adjustment range are mapped to a file and are therefore in use
|
|
|
|
* at least once. Therefore, we can infer that any gap in the
|
|
|
|
* refcount tree within the adjustment range represents a physical
|
|
|
|
* extent with refcount == 1:
|
|
|
|
*
|
|
|
|
* <------ adjustment range ------>
|
|
|
|
* ----+---+---+-----+-+--+--------+----+----
|
|
|
|
* 2 |"1"| 3 | 2 |1|17| 55 | 10 | 10
|
|
|
|
* ----+---+---+-----+-+--+--------+----+----
|
|
|
|
* ^
|
|
|
|
*
|
|
|
|
* For each extent that falls within the interval range, figure out
|
|
|
|
* which extent is to the left or the right of that extent. Now we
|
|
|
|
* have a left, current, and right extent. If the new reference count
|
|
|
|
* of the center extent enables us to merge left, center, and right
|
|
|
|
* into one record covering all three, do so. If the center extent is
|
|
|
|
* at the left end of the range, abuts the left extent, and its new
|
|
|
|
* reference count matches the left extent's record, then merge them.
|
|
|
|
* If the center extent is at the right end of the range, abuts the
|
|
|
|
* right extent, and the reference counts match, merge those. In the
|
|
|
|
* example, we can left merge (assuming an increment operation):
|
|
|
|
*
|
|
|
|
* <------ adjustment range ------>
|
|
|
|
* --------+---+-----+-+--+--------+----+----
|
|
|
|
* 2 | 3 | 2 |1|17| 55 | 10 | 10
|
|
|
|
* --------+---+-----+-+--+--------+----+----
|
|
|
|
* ^
|
|
|
|
*
|
|
|
|
* For all other extents within the range, adjust the reference count
|
|
|
|
* or delete it if the refcount falls below 2. If we were
|
|
|
|
* incrementing, the end result looks like this:
|
|
|
|
*
|
|
|
|
* <------ adjustment range ------>
|
|
|
|
* --------+---+-----+-+--+--------+----+----
|
|
|
|
* 2 | 4 | 3 |2|18| 56 | 11 | 10
|
|
|
|
* --------+---+-----+-+--+--------+----+----
|
|
|
|
*
|
|
|
|
* The result of a decrement operation looks as such:
|
|
|
|
*
|
|
|
|
* <------ adjustment range ------>
|
|
|
|
* ----+ +---+ +--+--------+----+----
|
|
|
|
* 2 | | 2 | |16| 54 | 9 | 10
|
|
|
|
* ----+ +---+ +--+--------+----+----
|
|
|
|
* DDDD 111111DD
|
|
|
|
*
|
|
|
|
* The blocks marked "D" are freed; the blocks marked "1" are only
|
|
|
|
* referenced once and therefore the record is removed from the
|
|
|
|
* refcount btree.
|
|
|
|
*/
|
|
|
|
|
|
|
|
/* Next block after this extent. */
|
|
|
|
static inline xfs_agblock_t
|
|
|
|
xfs_refc_next(
|
|
|
|
struct xfs_refcount_irec *rc)
|
|
|
|
{
|
|
|
|
return rc->rc_startblock + rc->rc_blockcount;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Split a refcount extent that crosses agbno.
|
|
|
|
*/
|
|
|
|
STATIC int
|
|
|
|
xfs_refcount_split_extent(
|
|
|
|
struct xfs_btree_cur *cur,
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
enum xfs_refc_domain domain,
|
2016-10-03 16:11:21 +00:00
|
|
|
xfs_agblock_t agbno,
|
|
|
|
bool *shape_changed)
|
|
|
|
{
|
|
|
|
struct xfs_refcount_irec rcext, tmp;
|
|
|
|
int found_rec;
|
|
|
|
int error;
|
|
|
|
|
|
|
|
*shape_changed = false;
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
error = xfs_refcount_lookup_le(cur, domain, agbno, &found_rec);
|
2016-10-03 16:11:21 +00:00
|
|
|
if (error)
|
|
|
|
goto out_error;
|
|
|
|
if (!found_rec)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
error = xfs_refcount_get_rec(cur, &rcext, &found_rec);
|
|
|
|
if (error)
|
|
|
|
goto out_error;
|
xfs: kill the XFS_WANT_CORRUPT_* macros
The XFS_WANT_CORRUPT_* macros conceal subtle side effects such as the
creation of local variables and redirections of the code flow. This is
pretty ugly, so replace them with explicit XFS_IS_CORRUPT tests that
remove both of those ugly points. The change was performed with the
following coccinelle script:
@@
expression mp, test;
identifier label;
@@
- XFS_WANT_CORRUPTED_GOTO(mp, test, label);
+ if (XFS_IS_CORRUPT(mp, !test)) { error = -EFSCORRUPTED; goto label; }
@@
expression mp, test;
@@
- XFS_WANT_CORRUPTED_RETURN(mp, test);
+ if (XFS_IS_CORRUPT(mp, !test)) return -EFSCORRUPTED;
@@
expression mp, lval, rval;
@@
- XFS_IS_CORRUPT(mp, !(lval == rval))
+ XFS_IS_CORRUPT(mp, lval != rval)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 && e2))
+ XFS_IS_CORRUPT(mp, !e1 || !e2)
@@
expression e1, e2;
@@
- !(e1 == e2)
+ e1 != e2
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 && e3 == e4) || e5 != e6
+ e1 != e2 || e3 != e4 || e5 != e6
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 || (e3 <= e4 && e5 <= e6))
+ e1 != e2 && (e3 > e4 || e5 > e6)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2))
+ XFS_IS_CORRUPT(mp, e1 > e2)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 < e2))
+ XFS_IS_CORRUPT(mp, e1 >= e2)
@@
expression mp, e1;
@@
- XFS_IS_CORRUPT(mp, !!e1)
+ XFS_IS_CORRUPT(mp, e1)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 || e2))
+ XFS_IS_CORRUPT(mp, !e1 && !e2)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 == e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 != e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2) || !(e3 >= e4))
+ XFS_IS_CORRUPT(mp, e1 > e2 || e3 < e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 <= e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 > e4)
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2019-11-11 20:52:18 +00:00
|
|
|
if (XFS_IS_CORRUPT(cur->bc_mp, found_rec != 1)) {
|
|
|
|
error = -EFSCORRUPTED;
|
|
|
|
goto out_error;
|
|
|
|
}
|
2022-10-26 21:16:36 +00:00
|
|
|
if (rcext.rc_domain != domain)
|
|
|
|
return 0;
|
2016-10-03 16:11:21 +00:00
|
|
|
if (rcext.rc_startblock == agbno || xfs_refc_next(&rcext) <= agbno)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
*shape_changed = true;
|
2021-06-02 00:48:24 +00:00
|
|
|
trace_xfs_refcount_split_extent(cur->bc_mp, cur->bc_ag.pag->pag_agno,
|
2016-10-03 16:11:21 +00:00
|
|
|
&rcext, agbno);
|
|
|
|
|
|
|
|
/* Establish the right extent. */
|
|
|
|
tmp = rcext;
|
|
|
|
tmp.rc_startblock = agbno;
|
|
|
|
tmp.rc_blockcount -= (agbno - rcext.rc_startblock);
|
|
|
|
error = xfs_refcount_update(cur, &tmp);
|
|
|
|
if (error)
|
|
|
|
goto out_error;
|
|
|
|
|
|
|
|
/* Insert the left extent. */
|
|
|
|
tmp = rcext;
|
|
|
|
tmp.rc_blockcount = agbno - rcext.rc_startblock;
|
|
|
|
error = xfs_refcount_insert(cur, &tmp, &found_rec);
|
|
|
|
if (error)
|
|
|
|
goto out_error;
|
xfs: kill the XFS_WANT_CORRUPT_* macros
The XFS_WANT_CORRUPT_* macros conceal subtle side effects such as the
creation of local variables and redirections of the code flow. This is
pretty ugly, so replace them with explicit XFS_IS_CORRUPT tests that
remove both of those ugly points. The change was performed with the
following coccinelle script:
@@
expression mp, test;
identifier label;
@@
- XFS_WANT_CORRUPTED_GOTO(mp, test, label);
+ if (XFS_IS_CORRUPT(mp, !test)) { error = -EFSCORRUPTED; goto label; }
@@
expression mp, test;
@@
- XFS_WANT_CORRUPTED_RETURN(mp, test);
+ if (XFS_IS_CORRUPT(mp, !test)) return -EFSCORRUPTED;
@@
expression mp, lval, rval;
@@
- XFS_IS_CORRUPT(mp, !(lval == rval))
+ XFS_IS_CORRUPT(mp, lval != rval)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 && e2))
+ XFS_IS_CORRUPT(mp, !e1 || !e2)
@@
expression e1, e2;
@@
- !(e1 == e2)
+ e1 != e2
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 && e3 == e4) || e5 != e6
+ e1 != e2 || e3 != e4 || e5 != e6
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 || (e3 <= e4 && e5 <= e6))
+ e1 != e2 && (e3 > e4 || e5 > e6)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2))
+ XFS_IS_CORRUPT(mp, e1 > e2)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 < e2))
+ XFS_IS_CORRUPT(mp, e1 >= e2)
@@
expression mp, e1;
@@
- XFS_IS_CORRUPT(mp, !!e1)
+ XFS_IS_CORRUPT(mp, e1)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 || e2))
+ XFS_IS_CORRUPT(mp, !e1 && !e2)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 == e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 != e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2) || !(e3 >= e4))
+ XFS_IS_CORRUPT(mp, e1 > e2 || e3 < e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 <= e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 > e4)
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2019-11-11 20:52:18 +00:00
|
|
|
if (XFS_IS_CORRUPT(cur->bc_mp, found_rec != 1)) {
|
|
|
|
error = -EFSCORRUPTED;
|
|
|
|
goto out_error;
|
|
|
|
}
|
2016-10-03 16:11:21 +00:00
|
|
|
return error;
|
|
|
|
|
|
|
|
out_error:
|
|
|
|
trace_xfs_refcount_split_extent_error(cur->bc_mp,
|
2021-06-02 00:48:24 +00:00
|
|
|
cur->bc_ag.pag->pag_agno, error, _RET_IP_);
|
2016-10-03 16:11:21 +00:00
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Merge the left, center, and right extents.
|
|
|
|
*/
|
|
|
|
STATIC int
|
|
|
|
xfs_refcount_merge_center_extents(
|
|
|
|
struct xfs_btree_cur *cur,
|
|
|
|
struct xfs_refcount_irec *left,
|
|
|
|
struct xfs_refcount_irec *center,
|
|
|
|
struct xfs_refcount_irec *right,
|
|
|
|
unsigned long long extlen,
|
|
|
|
xfs_extlen_t *aglen)
|
|
|
|
{
|
|
|
|
int error;
|
|
|
|
int found_rec;
|
|
|
|
|
|
|
|
trace_xfs_refcount_merge_center_extents(cur->bc_mp,
|
2021-06-02 00:48:24 +00:00
|
|
|
cur->bc_ag.pag->pag_agno, left, center, right);
|
2016-10-03 16:11:21 +00:00
|
|
|
|
2022-10-26 21:16:36 +00:00
|
|
|
ASSERT(left->rc_domain == center->rc_domain);
|
|
|
|
ASSERT(right->rc_domain == center->rc_domain);
|
|
|
|
|
2016-10-03 16:11:21 +00:00
|
|
|
/*
|
|
|
|
* Make sure the center and right extents are not in the btree.
|
|
|
|
* If the center extent was synthesized, the first delete call
|
|
|
|
* removes the right extent and we skip the second deletion.
|
|
|
|
* If center and right were in the btree, then the first delete
|
|
|
|
* call removes the center and the second one removes the right
|
|
|
|
* extent.
|
|
|
|
*/
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
error = xfs_refcount_lookup_ge(cur, center->rc_domain,
|
|
|
|
center->rc_startblock, &found_rec);
|
2016-10-03 16:11:21 +00:00
|
|
|
if (error)
|
|
|
|
goto out_error;
|
xfs: kill the XFS_WANT_CORRUPT_* macros
The XFS_WANT_CORRUPT_* macros conceal subtle side effects such as the
creation of local variables and redirections of the code flow. This is
pretty ugly, so replace them with explicit XFS_IS_CORRUPT tests that
remove both of those ugly points. The change was performed with the
following coccinelle script:
@@
expression mp, test;
identifier label;
@@
- XFS_WANT_CORRUPTED_GOTO(mp, test, label);
+ if (XFS_IS_CORRUPT(mp, !test)) { error = -EFSCORRUPTED; goto label; }
@@
expression mp, test;
@@
- XFS_WANT_CORRUPTED_RETURN(mp, test);
+ if (XFS_IS_CORRUPT(mp, !test)) return -EFSCORRUPTED;
@@
expression mp, lval, rval;
@@
- XFS_IS_CORRUPT(mp, !(lval == rval))
+ XFS_IS_CORRUPT(mp, lval != rval)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 && e2))
+ XFS_IS_CORRUPT(mp, !e1 || !e2)
@@
expression e1, e2;
@@
- !(e1 == e2)
+ e1 != e2
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 && e3 == e4) || e5 != e6
+ e1 != e2 || e3 != e4 || e5 != e6
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 || (e3 <= e4 && e5 <= e6))
+ e1 != e2 && (e3 > e4 || e5 > e6)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2))
+ XFS_IS_CORRUPT(mp, e1 > e2)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 < e2))
+ XFS_IS_CORRUPT(mp, e1 >= e2)
@@
expression mp, e1;
@@
- XFS_IS_CORRUPT(mp, !!e1)
+ XFS_IS_CORRUPT(mp, e1)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 || e2))
+ XFS_IS_CORRUPT(mp, !e1 && !e2)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 == e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 != e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2) || !(e3 >= e4))
+ XFS_IS_CORRUPT(mp, e1 > e2 || e3 < e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 <= e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 > e4)
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2019-11-11 20:52:18 +00:00
|
|
|
if (XFS_IS_CORRUPT(cur->bc_mp, found_rec != 1)) {
|
|
|
|
error = -EFSCORRUPTED;
|
|
|
|
goto out_error;
|
|
|
|
}
|
2016-10-03 16:11:21 +00:00
|
|
|
|
|
|
|
error = xfs_refcount_delete(cur, &found_rec);
|
|
|
|
if (error)
|
|
|
|
goto out_error;
|
xfs: kill the XFS_WANT_CORRUPT_* macros
The XFS_WANT_CORRUPT_* macros conceal subtle side effects such as the
creation of local variables and redirections of the code flow. This is
pretty ugly, so replace them with explicit XFS_IS_CORRUPT tests that
remove both of those ugly points. The change was performed with the
following coccinelle script:
@@
expression mp, test;
identifier label;
@@
- XFS_WANT_CORRUPTED_GOTO(mp, test, label);
+ if (XFS_IS_CORRUPT(mp, !test)) { error = -EFSCORRUPTED; goto label; }
@@
expression mp, test;
@@
- XFS_WANT_CORRUPTED_RETURN(mp, test);
+ if (XFS_IS_CORRUPT(mp, !test)) return -EFSCORRUPTED;
@@
expression mp, lval, rval;
@@
- XFS_IS_CORRUPT(mp, !(lval == rval))
+ XFS_IS_CORRUPT(mp, lval != rval)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 && e2))
+ XFS_IS_CORRUPT(mp, !e1 || !e2)
@@
expression e1, e2;
@@
- !(e1 == e2)
+ e1 != e2
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 && e3 == e4) || e5 != e6
+ e1 != e2 || e3 != e4 || e5 != e6
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 || (e3 <= e4 && e5 <= e6))
+ e1 != e2 && (e3 > e4 || e5 > e6)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2))
+ XFS_IS_CORRUPT(mp, e1 > e2)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 < e2))
+ XFS_IS_CORRUPT(mp, e1 >= e2)
@@
expression mp, e1;
@@
- XFS_IS_CORRUPT(mp, !!e1)
+ XFS_IS_CORRUPT(mp, e1)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 || e2))
+ XFS_IS_CORRUPT(mp, !e1 && !e2)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 == e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 != e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2) || !(e3 >= e4))
+ XFS_IS_CORRUPT(mp, e1 > e2 || e3 < e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 <= e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 > e4)
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2019-11-11 20:52:18 +00:00
|
|
|
if (XFS_IS_CORRUPT(cur->bc_mp, found_rec != 1)) {
|
|
|
|
error = -EFSCORRUPTED;
|
|
|
|
goto out_error;
|
|
|
|
}
|
2016-10-03 16:11:21 +00:00
|
|
|
|
|
|
|
if (center->rc_refcount > 1) {
|
|
|
|
error = xfs_refcount_delete(cur, &found_rec);
|
|
|
|
if (error)
|
|
|
|
goto out_error;
|
xfs: kill the XFS_WANT_CORRUPT_* macros
The XFS_WANT_CORRUPT_* macros conceal subtle side effects such as the
creation of local variables and redirections of the code flow. This is
pretty ugly, so replace them with explicit XFS_IS_CORRUPT tests that
remove both of those ugly points. The change was performed with the
following coccinelle script:
@@
expression mp, test;
identifier label;
@@
- XFS_WANT_CORRUPTED_GOTO(mp, test, label);
+ if (XFS_IS_CORRUPT(mp, !test)) { error = -EFSCORRUPTED; goto label; }
@@
expression mp, test;
@@
- XFS_WANT_CORRUPTED_RETURN(mp, test);
+ if (XFS_IS_CORRUPT(mp, !test)) return -EFSCORRUPTED;
@@
expression mp, lval, rval;
@@
- XFS_IS_CORRUPT(mp, !(lval == rval))
+ XFS_IS_CORRUPT(mp, lval != rval)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 && e2))
+ XFS_IS_CORRUPT(mp, !e1 || !e2)
@@
expression e1, e2;
@@
- !(e1 == e2)
+ e1 != e2
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 && e3 == e4) || e5 != e6
+ e1 != e2 || e3 != e4 || e5 != e6
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 || (e3 <= e4 && e5 <= e6))
+ e1 != e2 && (e3 > e4 || e5 > e6)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2))
+ XFS_IS_CORRUPT(mp, e1 > e2)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 < e2))
+ XFS_IS_CORRUPT(mp, e1 >= e2)
@@
expression mp, e1;
@@
- XFS_IS_CORRUPT(mp, !!e1)
+ XFS_IS_CORRUPT(mp, e1)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 || e2))
+ XFS_IS_CORRUPT(mp, !e1 && !e2)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 == e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 != e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2) || !(e3 >= e4))
+ XFS_IS_CORRUPT(mp, e1 > e2 || e3 < e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 <= e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 > e4)
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2019-11-11 20:52:18 +00:00
|
|
|
if (XFS_IS_CORRUPT(cur->bc_mp, found_rec != 1)) {
|
|
|
|
error = -EFSCORRUPTED;
|
|
|
|
goto out_error;
|
|
|
|
}
|
2016-10-03 16:11:21 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/* Enlarge the left extent. */
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
error = xfs_refcount_lookup_le(cur, left->rc_domain,
|
|
|
|
left->rc_startblock, &found_rec);
|
2016-10-03 16:11:21 +00:00
|
|
|
if (error)
|
|
|
|
goto out_error;
|
xfs: kill the XFS_WANT_CORRUPT_* macros
The XFS_WANT_CORRUPT_* macros conceal subtle side effects such as the
creation of local variables and redirections of the code flow. This is
pretty ugly, so replace them with explicit XFS_IS_CORRUPT tests that
remove both of those ugly points. The change was performed with the
following coccinelle script:
@@
expression mp, test;
identifier label;
@@
- XFS_WANT_CORRUPTED_GOTO(mp, test, label);
+ if (XFS_IS_CORRUPT(mp, !test)) { error = -EFSCORRUPTED; goto label; }
@@
expression mp, test;
@@
- XFS_WANT_CORRUPTED_RETURN(mp, test);
+ if (XFS_IS_CORRUPT(mp, !test)) return -EFSCORRUPTED;
@@
expression mp, lval, rval;
@@
- XFS_IS_CORRUPT(mp, !(lval == rval))
+ XFS_IS_CORRUPT(mp, lval != rval)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 && e2))
+ XFS_IS_CORRUPT(mp, !e1 || !e2)
@@
expression e1, e2;
@@
- !(e1 == e2)
+ e1 != e2
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 && e3 == e4) || e5 != e6
+ e1 != e2 || e3 != e4 || e5 != e6
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 || (e3 <= e4 && e5 <= e6))
+ e1 != e2 && (e3 > e4 || e5 > e6)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2))
+ XFS_IS_CORRUPT(mp, e1 > e2)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 < e2))
+ XFS_IS_CORRUPT(mp, e1 >= e2)
@@
expression mp, e1;
@@
- XFS_IS_CORRUPT(mp, !!e1)
+ XFS_IS_CORRUPT(mp, e1)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 || e2))
+ XFS_IS_CORRUPT(mp, !e1 && !e2)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 == e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 != e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2) || !(e3 >= e4))
+ XFS_IS_CORRUPT(mp, e1 > e2 || e3 < e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 <= e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 > e4)
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2019-11-11 20:52:18 +00:00
|
|
|
if (XFS_IS_CORRUPT(cur->bc_mp, found_rec != 1)) {
|
|
|
|
error = -EFSCORRUPTED;
|
|
|
|
goto out_error;
|
|
|
|
}
|
2016-10-03 16:11:21 +00:00
|
|
|
|
|
|
|
left->rc_blockcount = extlen;
|
|
|
|
error = xfs_refcount_update(cur, left);
|
|
|
|
if (error)
|
|
|
|
goto out_error;
|
|
|
|
|
|
|
|
*aglen = 0;
|
|
|
|
return error;
|
|
|
|
|
|
|
|
out_error:
|
|
|
|
trace_xfs_refcount_merge_center_extents_error(cur->bc_mp,
|
2021-06-02 00:48:24 +00:00
|
|
|
cur->bc_ag.pag->pag_agno, error, _RET_IP_);
|
2016-10-03 16:11:21 +00:00
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Merge with the left extent.
|
|
|
|
*/
|
|
|
|
STATIC int
|
|
|
|
xfs_refcount_merge_left_extent(
|
|
|
|
struct xfs_btree_cur *cur,
|
|
|
|
struct xfs_refcount_irec *left,
|
|
|
|
struct xfs_refcount_irec *cleft,
|
|
|
|
xfs_agblock_t *agbno,
|
|
|
|
xfs_extlen_t *aglen)
|
|
|
|
{
|
|
|
|
int error;
|
|
|
|
int found_rec;
|
|
|
|
|
|
|
|
trace_xfs_refcount_merge_left_extent(cur->bc_mp,
|
2021-06-02 00:48:24 +00:00
|
|
|
cur->bc_ag.pag->pag_agno, left, cleft);
|
2016-10-03 16:11:21 +00:00
|
|
|
|
2022-10-26 21:16:36 +00:00
|
|
|
ASSERT(left->rc_domain == cleft->rc_domain);
|
|
|
|
|
2016-10-03 16:11:21 +00:00
|
|
|
/* If the extent at agbno (cleft) wasn't synthesized, remove it. */
|
|
|
|
if (cleft->rc_refcount > 1) {
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
error = xfs_refcount_lookup_le(cur, cleft->rc_domain,
|
|
|
|
cleft->rc_startblock, &found_rec);
|
2016-10-03 16:11:21 +00:00
|
|
|
if (error)
|
|
|
|
goto out_error;
|
xfs: kill the XFS_WANT_CORRUPT_* macros
The XFS_WANT_CORRUPT_* macros conceal subtle side effects such as the
creation of local variables and redirections of the code flow. This is
pretty ugly, so replace them with explicit XFS_IS_CORRUPT tests that
remove both of those ugly points. The change was performed with the
following coccinelle script:
@@
expression mp, test;
identifier label;
@@
- XFS_WANT_CORRUPTED_GOTO(mp, test, label);
+ if (XFS_IS_CORRUPT(mp, !test)) { error = -EFSCORRUPTED; goto label; }
@@
expression mp, test;
@@
- XFS_WANT_CORRUPTED_RETURN(mp, test);
+ if (XFS_IS_CORRUPT(mp, !test)) return -EFSCORRUPTED;
@@
expression mp, lval, rval;
@@
- XFS_IS_CORRUPT(mp, !(lval == rval))
+ XFS_IS_CORRUPT(mp, lval != rval)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 && e2))
+ XFS_IS_CORRUPT(mp, !e1 || !e2)
@@
expression e1, e2;
@@
- !(e1 == e2)
+ e1 != e2
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 && e3 == e4) || e5 != e6
+ e1 != e2 || e3 != e4 || e5 != e6
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 || (e3 <= e4 && e5 <= e6))
+ e1 != e2 && (e3 > e4 || e5 > e6)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2))
+ XFS_IS_CORRUPT(mp, e1 > e2)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 < e2))
+ XFS_IS_CORRUPT(mp, e1 >= e2)
@@
expression mp, e1;
@@
- XFS_IS_CORRUPT(mp, !!e1)
+ XFS_IS_CORRUPT(mp, e1)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 || e2))
+ XFS_IS_CORRUPT(mp, !e1 && !e2)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 == e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 != e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2) || !(e3 >= e4))
+ XFS_IS_CORRUPT(mp, e1 > e2 || e3 < e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 <= e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 > e4)
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2019-11-11 20:52:18 +00:00
|
|
|
if (XFS_IS_CORRUPT(cur->bc_mp, found_rec != 1)) {
|
|
|
|
error = -EFSCORRUPTED;
|
|
|
|
goto out_error;
|
|
|
|
}
|
2016-10-03 16:11:21 +00:00
|
|
|
|
|
|
|
error = xfs_refcount_delete(cur, &found_rec);
|
|
|
|
if (error)
|
|
|
|
goto out_error;
|
xfs: kill the XFS_WANT_CORRUPT_* macros
The XFS_WANT_CORRUPT_* macros conceal subtle side effects such as the
creation of local variables and redirections of the code flow. This is
pretty ugly, so replace them with explicit XFS_IS_CORRUPT tests that
remove both of those ugly points. The change was performed with the
following coccinelle script:
@@
expression mp, test;
identifier label;
@@
- XFS_WANT_CORRUPTED_GOTO(mp, test, label);
+ if (XFS_IS_CORRUPT(mp, !test)) { error = -EFSCORRUPTED; goto label; }
@@
expression mp, test;
@@
- XFS_WANT_CORRUPTED_RETURN(mp, test);
+ if (XFS_IS_CORRUPT(mp, !test)) return -EFSCORRUPTED;
@@
expression mp, lval, rval;
@@
- XFS_IS_CORRUPT(mp, !(lval == rval))
+ XFS_IS_CORRUPT(mp, lval != rval)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 && e2))
+ XFS_IS_CORRUPT(mp, !e1 || !e2)
@@
expression e1, e2;
@@
- !(e1 == e2)
+ e1 != e2
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 && e3 == e4) || e5 != e6
+ e1 != e2 || e3 != e4 || e5 != e6
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 || (e3 <= e4 && e5 <= e6))
+ e1 != e2 && (e3 > e4 || e5 > e6)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2))
+ XFS_IS_CORRUPT(mp, e1 > e2)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 < e2))
+ XFS_IS_CORRUPT(mp, e1 >= e2)
@@
expression mp, e1;
@@
- XFS_IS_CORRUPT(mp, !!e1)
+ XFS_IS_CORRUPT(mp, e1)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 || e2))
+ XFS_IS_CORRUPT(mp, !e1 && !e2)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 == e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 != e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2) || !(e3 >= e4))
+ XFS_IS_CORRUPT(mp, e1 > e2 || e3 < e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 <= e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 > e4)
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2019-11-11 20:52:18 +00:00
|
|
|
if (XFS_IS_CORRUPT(cur->bc_mp, found_rec != 1)) {
|
|
|
|
error = -EFSCORRUPTED;
|
|
|
|
goto out_error;
|
|
|
|
}
|
2016-10-03 16:11:21 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/* Enlarge the left extent. */
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
error = xfs_refcount_lookup_le(cur, left->rc_domain,
|
|
|
|
left->rc_startblock, &found_rec);
|
2016-10-03 16:11:21 +00:00
|
|
|
if (error)
|
|
|
|
goto out_error;
|
xfs: kill the XFS_WANT_CORRUPT_* macros
The XFS_WANT_CORRUPT_* macros conceal subtle side effects such as the
creation of local variables and redirections of the code flow. This is
pretty ugly, so replace them with explicit XFS_IS_CORRUPT tests that
remove both of those ugly points. The change was performed with the
following coccinelle script:
@@
expression mp, test;
identifier label;
@@
- XFS_WANT_CORRUPTED_GOTO(mp, test, label);
+ if (XFS_IS_CORRUPT(mp, !test)) { error = -EFSCORRUPTED; goto label; }
@@
expression mp, test;
@@
- XFS_WANT_CORRUPTED_RETURN(mp, test);
+ if (XFS_IS_CORRUPT(mp, !test)) return -EFSCORRUPTED;
@@
expression mp, lval, rval;
@@
- XFS_IS_CORRUPT(mp, !(lval == rval))
+ XFS_IS_CORRUPT(mp, lval != rval)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 && e2))
+ XFS_IS_CORRUPT(mp, !e1 || !e2)
@@
expression e1, e2;
@@
- !(e1 == e2)
+ e1 != e2
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 && e3 == e4) || e5 != e6
+ e1 != e2 || e3 != e4 || e5 != e6
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 || (e3 <= e4 && e5 <= e6))
+ e1 != e2 && (e3 > e4 || e5 > e6)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2))
+ XFS_IS_CORRUPT(mp, e1 > e2)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 < e2))
+ XFS_IS_CORRUPT(mp, e1 >= e2)
@@
expression mp, e1;
@@
- XFS_IS_CORRUPT(mp, !!e1)
+ XFS_IS_CORRUPT(mp, e1)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 || e2))
+ XFS_IS_CORRUPT(mp, !e1 && !e2)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 == e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 != e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2) || !(e3 >= e4))
+ XFS_IS_CORRUPT(mp, e1 > e2 || e3 < e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 <= e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 > e4)
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2019-11-11 20:52:18 +00:00
|
|
|
if (XFS_IS_CORRUPT(cur->bc_mp, found_rec != 1)) {
|
|
|
|
error = -EFSCORRUPTED;
|
|
|
|
goto out_error;
|
|
|
|
}
|
2016-10-03 16:11:21 +00:00
|
|
|
|
|
|
|
left->rc_blockcount += cleft->rc_blockcount;
|
|
|
|
error = xfs_refcount_update(cur, left);
|
|
|
|
if (error)
|
|
|
|
goto out_error;
|
|
|
|
|
|
|
|
*agbno += cleft->rc_blockcount;
|
|
|
|
*aglen -= cleft->rc_blockcount;
|
|
|
|
return error;
|
|
|
|
|
|
|
|
out_error:
|
|
|
|
trace_xfs_refcount_merge_left_extent_error(cur->bc_mp,
|
2021-06-02 00:48:24 +00:00
|
|
|
cur->bc_ag.pag->pag_agno, error, _RET_IP_);
|
2016-10-03 16:11:21 +00:00
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Merge with the right extent.
|
|
|
|
*/
|
|
|
|
STATIC int
|
|
|
|
xfs_refcount_merge_right_extent(
|
|
|
|
struct xfs_btree_cur *cur,
|
|
|
|
struct xfs_refcount_irec *right,
|
|
|
|
struct xfs_refcount_irec *cright,
|
|
|
|
xfs_extlen_t *aglen)
|
|
|
|
{
|
|
|
|
int error;
|
|
|
|
int found_rec;
|
|
|
|
|
|
|
|
trace_xfs_refcount_merge_right_extent(cur->bc_mp,
|
2021-06-02 00:48:24 +00:00
|
|
|
cur->bc_ag.pag->pag_agno, cright, right);
|
2016-10-03 16:11:21 +00:00
|
|
|
|
2022-10-26 21:16:36 +00:00
|
|
|
ASSERT(right->rc_domain == cright->rc_domain);
|
|
|
|
|
2016-10-03 16:11:21 +00:00
|
|
|
/*
|
|
|
|
* If the extent ending at agbno+aglen (cright) wasn't synthesized,
|
|
|
|
* remove it.
|
|
|
|
*/
|
|
|
|
if (cright->rc_refcount > 1) {
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
error = xfs_refcount_lookup_le(cur, cright->rc_domain,
|
|
|
|
cright->rc_startblock, &found_rec);
|
2016-10-03 16:11:21 +00:00
|
|
|
if (error)
|
|
|
|
goto out_error;
|
xfs: kill the XFS_WANT_CORRUPT_* macros
The XFS_WANT_CORRUPT_* macros conceal subtle side effects such as the
creation of local variables and redirections of the code flow. This is
pretty ugly, so replace them with explicit XFS_IS_CORRUPT tests that
remove both of those ugly points. The change was performed with the
following coccinelle script:
@@
expression mp, test;
identifier label;
@@
- XFS_WANT_CORRUPTED_GOTO(mp, test, label);
+ if (XFS_IS_CORRUPT(mp, !test)) { error = -EFSCORRUPTED; goto label; }
@@
expression mp, test;
@@
- XFS_WANT_CORRUPTED_RETURN(mp, test);
+ if (XFS_IS_CORRUPT(mp, !test)) return -EFSCORRUPTED;
@@
expression mp, lval, rval;
@@
- XFS_IS_CORRUPT(mp, !(lval == rval))
+ XFS_IS_CORRUPT(mp, lval != rval)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 && e2))
+ XFS_IS_CORRUPT(mp, !e1 || !e2)
@@
expression e1, e2;
@@
- !(e1 == e2)
+ e1 != e2
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 && e3 == e4) || e5 != e6
+ e1 != e2 || e3 != e4 || e5 != e6
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 || (e3 <= e4 && e5 <= e6))
+ e1 != e2 && (e3 > e4 || e5 > e6)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2))
+ XFS_IS_CORRUPT(mp, e1 > e2)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 < e2))
+ XFS_IS_CORRUPT(mp, e1 >= e2)
@@
expression mp, e1;
@@
- XFS_IS_CORRUPT(mp, !!e1)
+ XFS_IS_CORRUPT(mp, e1)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 || e2))
+ XFS_IS_CORRUPT(mp, !e1 && !e2)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 == e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 != e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2) || !(e3 >= e4))
+ XFS_IS_CORRUPT(mp, e1 > e2 || e3 < e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 <= e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 > e4)
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2019-11-11 20:52:18 +00:00
|
|
|
if (XFS_IS_CORRUPT(cur->bc_mp, found_rec != 1)) {
|
|
|
|
error = -EFSCORRUPTED;
|
|
|
|
goto out_error;
|
|
|
|
}
|
2016-10-03 16:11:21 +00:00
|
|
|
|
|
|
|
error = xfs_refcount_delete(cur, &found_rec);
|
|
|
|
if (error)
|
|
|
|
goto out_error;
|
xfs: kill the XFS_WANT_CORRUPT_* macros
The XFS_WANT_CORRUPT_* macros conceal subtle side effects such as the
creation of local variables and redirections of the code flow. This is
pretty ugly, so replace them with explicit XFS_IS_CORRUPT tests that
remove both of those ugly points. The change was performed with the
following coccinelle script:
@@
expression mp, test;
identifier label;
@@
- XFS_WANT_CORRUPTED_GOTO(mp, test, label);
+ if (XFS_IS_CORRUPT(mp, !test)) { error = -EFSCORRUPTED; goto label; }
@@
expression mp, test;
@@
- XFS_WANT_CORRUPTED_RETURN(mp, test);
+ if (XFS_IS_CORRUPT(mp, !test)) return -EFSCORRUPTED;
@@
expression mp, lval, rval;
@@
- XFS_IS_CORRUPT(mp, !(lval == rval))
+ XFS_IS_CORRUPT(mp, lval != rval)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 && e2))
+ XFS_IS_CORRUPT(mp, !e1 || !e2)
@@
expression e1, e2;
@@
- !(e1 == e2)
+ e1 != e2
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 && e3 == e4) || e5 != e6
+ e1 != e2 || e3 != e4 || e5 != e6
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 || (e3 <= e4 && e5 <= e6))
+ e1 != e2 && (e3 > e4 || e5 > e6)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2))
+ XFS_IS_CORRUPT(mp, e1 > e2)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 < e2))
+ XFS_IS_CORRUPT(mp, e1 >= e2)
@@
expression mp, e1;
@@
- XFS_IS_CORRUPT(mp, !!e1)
+ XFS_IS_CORRUPT(mp, e1)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 || e2))
+ XFS_IS_CORRUPT(mp, !e1 && !e2)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 == e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 != e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2) || !(e3 >= e4))
+ XFS_IS_CORRUPT(mp, e1 > e2 || e3 < e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 <= e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 > e4)
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2019-11-11 20:52:18 +00:00
|
|
|
if (XFS_IS_CORRUPT(cur->bc_mp, found_rec != 1)) {
|
|
|
|
error = -EFSCORRUPTED;
|
|
|
|
goto out_error;
|
|
|
|
}
|
2016-10-03 16:11:21 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/* Enlarge the right extent. */
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
error = xfs_refcount_lookup_le(cur, right->rc_domain,
|
|
|
|
right->rc_startblock, &found_rec);
|
2016-10-03 16:11:21 +00:00
|
|
|
if (error)
|
|
|
|
goto out_error;
|
xfs: kill the XFS_WANT_CORRUPT_* macros
The XFS_WANT_CORRUPT_* macros conceal subtle side effects such as the
creation of local variables and redirections of the code flow. This is
pretty ugly, so replace them with explicit XFS_IS_CORRUPT tests that
remove both of those ugly points. The change was performed with the
following coccinelle script:
@@
expression mp, test;
identifier label;
@@
- XFS_WANT_CORRUPTED_GOTO(mp, test, label);
+ if (XFS_IS_CORRUPT(mp, !test)) { error = -EFSCORRUPTED; goto label; }
@@
expression mp, test;
@@
- XFS_WANT_CORRUPTED_RETURN(mp, test);
+ if (XFS_IS_CORRUPT(mp, !test)) return -EFSCORRUPTED;
@@
expression mp, lval, rval;
@@
- XFS_IS_CORRUPT(mp, !(lval == rval))
+ XFS_IS_CORRUPT(mp, lval != rval)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 && e2))
+ XFS_IS_CORRUPT(mp, !e1 || !e2)
@@
expression e1, e2;
@@
- !(e1 == e2)
+ e1 != e2
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 && e3 == e4) || e5 != e6
+ e1 != e2 || e3 != e4 || e5 != e6
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 || (e3 <= e4 && e5 <= e6))
+ e1 != e2 && (e3 > e4 || e5 > e6)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2))
+ XFS_IS_CORRUPT(mp, e1 > e2)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 < e2))
+ XFS_IS_CORRUPT(mp, e1 >= e2)
@@
expression mp, e1;
@@
- XFS_IS_CORRUPT(mp, !!e1)
+ XFS_IS_CORRUPT(mp, e1)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 || e2))
+ XFS_IS_CORRUPT(mp, !e1 && !e2)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 == e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 != e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2) || !(e3 >= e4))
+ XFS_IS_CORRUPT(mp, e1 > e2 || e3 < e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 <= e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 > e4)
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2019-11-11 20:52:18 +00:00
|
|
|
if (XFS_IS_CORRUPT(cur->bc_mp, found_rec != 1)) {
|
|
|
|
error = -EFSCORRUPTED;
|
|
|
|
goto out_error;
|
|
|
|
}
|
2016-10-03 16:11:21 +00:00
|
|
|
|
|
|
|
right->rc_startblock -= cright->rc_blockcount;
|
|
|
|
right->rc_blockcount += cright->rc_blockcount;
|
|
|
|
error = xfs_refcount_update(cur, right);
|
|
|
|
if (error)
|
|
|
|
goto out_error;
|
|
|
|
|
|
|
|
*aglen -= cright->rc_blockcount;
|
|
|
|
return error;
|
|
|
|
|
|
|
|
out_error:
|
|
|
|
trace_xfs_refcount_merge_right_extent_error(cur->bc_mp,
|
2021-06-02 00:48:24 +00:00
|
|
|
cur->bc_ag.pag->pag_agno, error, _RET_IP_);
|
2016-10-03 16:11:21 +00:00
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Find the left extent and the one after it (cleft). This function assumes
|
|
|
|
* that we've already split any extent crossing agbno.
|
|
|
|
*/
|
|
|
|
STATIC int
|
|
|
|
xfs_refcount_find_left_extents(
|
|
|
|
struct xfs_btree_cur *cur,
|
|
|
|
struct xfs_refcount_irec *left,
|
|
|
|
struct xfs_refcount_irec *cleft,
|
2022-10-26 21:42:48 +00:00
|
|
|
enum xfs_refc_domain domain,
|
2016-10-03 16:11:21 +00:00
|
|
|
xfs_agblock_t agbno,
|
2022-10-26 21:42:48 +00:00
|
|
|
xfs_extlen_t aglen)
|
2016-10-03 16:11:21 +00:00
|
|
|
{
|
|
|
|
struct xfs_refcount_irec tmp;
|
|
|
|
int error;
|
|
|
|
int found_rec;
|
|
|
|
|
|
|
|
left->rc_startblock = cleft->rc_startblock = NULLAGBLOCK;
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
error = xfs_refcount_lookup_le(cur, domain, agbno - 1, &found_rec);
|
2016-10-03 16:11:21 +00:00
|
|
|
if (error)
|
|
|
|
goto out_error;
|
|
|
|
if (!found_rec)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
error = xfs_refcount_get_rec(cur, &tmp, &found_rec);
|
|
|
|
if (error)
|
|
|
|
goto out_error;
|
xfs: kill the XFS_WANT_CORRUPT_* macros
The XFS_WANT_CORRUPT_* macros conceal subtle side effects such as the
creation of local variables and redirections of the code flow. This is
pretty ugly, so replace them with explicit XFS_IS_CORRUPT tests that
remove both of those ugly points. The change was performed with the
following coccinelle script:
@@
expression mp, test;
identifier label;
@@
- XFS_WANT_CORRUPTED_GOTO(mp, test, label);
+ if (XFS_IS_CORRUPT(mp, !test)) { error = -EFSCORRUPTED; goto label; }
@@
expression mp, test;
@@
- XFS_WANT_CORRUPTED_RETURN(mp, test);
+ if (XFS_IS_CORRUPT(mp, !test)) return -EFSCORRUPTED;
@@
expression mp, lval, rval;
@@
- XFS_IS_CORRUPT(mp, !(lval == rval))
+ XFS_IS_CORRUPT(mp, lval != rval)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 && e2))
+ XFS_IS_CORRUPT(mp, !e1 || !e2)
@@
expression e1, e2;
@@
- !(e1 == e2)
+ e1 != e2
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 && e3 == e4) || e5 != e6
+ e1 != e2 || e3 != e4 || e5 != e6
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 || (e3 <= e4 && e5 <= e6))
+ e1 != e2 && (e3 > e4 || e5 > e6)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2))
+ XFS_IS_CORRUPT(mp, e1 > e2)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 < e2))
+ XFS_IS_CORRUPT(mp, e1 >= e2)
@@
expression mp, e1;
@@
- XFS_IS_CORRUPT(mp, !!e1)
+ XFS_IS_CORRUPT(mp, e1)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 || e2))
+ XFS_IS_CORRUPT(mp, !e1 && !e2)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 == e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 != e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2) || !(e3 >= e4))
+ XFS_IS_CORRUPT(mp, e1 > e2 || e3 < e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 <= e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 > e4)
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2019-11-11 20:52:18 +00:00
|
|
|
if (XFS_IS_CORRUPT(cur->bc_mp, found_rec != 1)) {
|
|
|
|
error = -EFSCORRUPTED;
|
|
|
|
goto out_error;
|
|
|
|
}
|
2016-10-03 16:11:21 +00:00
|
|
|
|
2022-10-26 21:16:36 +00:00
|
|
|
if (tmp.rc_domain != domain)
|
2016-10-03 16:11:39 +00:00
|
|
|
return 0;
|
2022-10-26 21:16:36 +00:00
|
|
|
if (xfs_refc_next(&tmp) != agbno)
|
2016-10-03 16:11:39 +00:00
|
|
|
return 0;
|
2016-10-03 16:11:21 +00:00
|
|
|
/* We have a left extent; retrieve (or invent) the next right one */
|
|
|
|
*left = tmp;
|
|
|
|
|
|
|
|
error = xfs_btree_increment(cur, 0, &found_rec);
|
|
|
|
if (error)
|
|
|
|
goto out_error;
|
|
|
|
if (found_rec) {
|
|
|
|
error = xfs_refcount_get_rec(cur, &tmp, &found_rec);
|
|
|
|
if (error)
|
|
|
|
goto out_error;
|
xfs: kill the XFS_WANT_CORRUPT_* macros
The XFS_WANT_CORRUPT_* macros conceal subtle side effects such as the
creation of local variables and redirections of the code flow. This is
pretty ugly, so replace them with explicit XFS_IS_CORRUPT tests that
remove both of those ugly points. The change was performed with the
following coccinelle script:
@@
expression mp, test;
identifier label;
@@
- XFS_WANT_CORRUPTED_GOTO(mp, test, label);
+ if (XFS_IS_CORRUPT(mp, !test)) { error = -EFSCORRUPTED; goto label; }
@@
expression mp, test;
@@
- XFS_WANT_CORRUPTED_RETURN(mp, test);
+ if (XFS_IS_CORRUPT(mp, !test)) return -EFSCORRUPTED;
@@
expression mp, lval, rval;
@@
- XFS_IS_CORRUPT(mp, !(lval == rval))
+ XFS_IS_CORRUPT(mp, lval != rval)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 && e2))
+ XFS_IS_CORRUPT(mp, !e1 || !e2)
@@
expression e1, e2;
@@
- !(e1 == e2)
+ e1 != e2
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 && e3 == e4) || e5 != e6
+ e1 != e2 || e3 != e4 || e5 != e6
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 || (e3 <= e4 && e5 <= e6))
+ e1 != e2 && (e3 > e4 || e5 > e6)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2))
+ XFS_IS_CORRUPT(mp, e1 > e2)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 < e2))
+ XFS_IS_CORRUPT(mp, e1 >= e2)
@@
expression mp, e1;
@@
- XFS_IS_CORRUPT(mp, !!e1)
+ XFS_IS_CORRUPT(mp, e1)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 || e2))
+ XFS_IS_CORRUPT(mp, !e1 && !e2)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 == e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 != e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2) || !(e3 >= e4))
+ XFS_IS_CORRUPT(mp, e1 > e2 || e3 < e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 <= e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 > e4)
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2019-11-11 20:52:18 +00:00
|
|
|
if (XFS_IS_CORRUPT(cur->bc_mp, found_rec != 1)) {
|
|
|
|
error = -EFSCORRUPTED;
|
|
|
|
goto out_error;
|
|
|
|
}
|
2016-10-03 16:11:21 +00:00
|
|
|
|
2022-10-26 21:16:36 +00:00
|
|
|
if (tmp.rc_domain != domain)
|
|
|
|
goto not_found;
|
|
|
|
|
2016-10-03 16:11:21 +00:00
|
|
|
/* if tmp starts at the end of our range, just use that */
|
|
|
|
if (tmp.rc_startblock == agbno)
|
|
|
|
*cleft = tmp;
|
|
|
|
else {
|
|
|
|
/*
|
|
|
|
* There's a gap in the refcntbt at the start of the
|
|
|
|
* range we're interested in (refcount == 1) so
|
|
|
|
* synthesize the implied extent and pass it back.
|
|
|
|
* We assume here that the agbno/aglen range was
|
|
|
|
* passed in from a data fork extent mapping and
|
|
|
|
* therefore is allocated to exactly one owner.
|
|
|
|
*/
|
|
|
|
cleft->rc_startblock = agbno;
|
|
|
|
cleft->rc_blockcount = min(aglen,
|
|
|
|
tmp.rc_startblock - agbno);
|
|
|
|
cleft->rc_refcount = 1;
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
cleft->rc_domain = domain;
|
2016-10-03 16:11:21 +00:00
|
|
|
}
|
|
|
|
} else {
|
2022-10-26 21:16:36 +00:00
|
|
|
not_found:
|
2016-10-03 16:11:21 +00:00
|
|
|
/*
|
|
|
|
* No extents, so pretend that there's one covering the whole
|
|
|
|
* range.
|
|
|
|
*/
|
|
|
|
cleft->rc_startblock = agbno;
|
|
|
|
cleft->rc_blockcount = aglen;
|
|
|
|
cleft->rc_refcount = 1;
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
cleft->rc_domain = domain;
|
2016-10-03 16:11:21 +00:00
|
|
|
}
|
2021-06-02 00:48:24 +00:00
|
|
|
trace_xfs_refcount_find_left_extent(cur->bc_mp, cur->bc_ag.pag->pag_agno,
|
2016-10-03 16:11:21 +00:00
|
|
|
left, cleft, agbno);
|
|
|
|
return error;
|
|
|
|
|
|
|
|
out_error:
|
|
|
|
trace_xfs_refcount_find_left_extent_error(cur->bc_mp,
|
2021-06-02 00:48:24 +00:00
|
|
|
cur->bc_ag.pag->pag_agno, error, _RET_IP_);
|
2016-10-03 16:11:21 +00:00
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Find the right extent and the one before it (cright). This function
|
|
|
|
* assumes that we've already split any extents crossing agbno + aglen.
|
|
|
|
*/
|
|
|
|
STATIC int
|
|
|
|
xfs_refcount_find_right_extents(
|
|
|
|
struct xfs_btree_cur *cur,
|
|
|
|
struct xfs_refcount_irec *right,
|
|
|
|
struct xfs_refcount_irec *cright,
|
2022-10-26 21:42:48 +00:00
|
|
|
enum xfs_refc_domain domain,
|
2016-10-03 16:11:21 +00:00
|
|
|
xfs_agblock_t agbno,
|
2022-10-26 21:42:48 +00:00
|
|
|
xfs_extlen_t aglen)
|
2016-10-03 16:11:21 +00:00
|
|
|
{
|
|
|
|
struct xfs_refcount_irec tmp;
|
|
|
|
int error;
|
|
|
|
int found_rec;
|
|
|
|
|
|
|
|
right->rc_startblock = cright->rc_startblock = NULLAGBLOCK;
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
error = xfs_refcount_lookup_ge(cur, domain, agbno + aglen, &found_rec);
|
2016-10-03 16:11:21 +00:00
|
|
|
if (error)
|
|
|
|
goto out_error;
|
|
|
|
if (!found_rec)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
error = xfs_refcount_get_rec(cur, &tmp, &found_rec);
|
|
|
|
if (error)
|
|
|
|
goto out_error;
|
xfs: kill the XFS_WANT_CORRUPT_* macros
The XFS_WANT_CORRUPT_* macros conceal subtle side effects such as the
creation of local variables and redirections of the code flow. This is
pretty ugly, so replace them with explicit XFS_IS_CORRUPT tests that
remove both of those ugly points. The change was performed with the
following coccinelle script:
@@
expression mp, test;
identifier label;
@@
- XFS_WANT_CORRUPTED_GOTO(mp, test, label);
+ if (XFS_IS_CORRUPT(mp, !test)) { error = -EFSCORRUPTED; goto label; }
@@
expression mp, test;
@@
- XFS_WANT_CORRUPTED_RETURN(mp, test);
+ if (XFS_IS_CORRUPT(mp, !test)) return -EFSCORRUPTED;
@@
expression mp, lval, rval;
@@
- XFS_IS_CORRUPT(mp, !(lval == rval))
+ XFS_IS_CORRUPT(mp, lval != rval)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 && e2))
+ XFS_IS_CORRUPT(mp, !e1 || !e2)
@@
expression e1, e2;
@@
- !(e1 == e2)
+ e1 != e2
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 && e3 == e4) || e5 != e6
+ e1 != e2 || e3 != e4 || e5 != e6
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 || (e3 <= e4 && e5 <= e6))
+ e1 != e2 && (e3 > e4 || e5 > e6)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2))
+ XFS_IS_CORRUPT(mp, e1 > e2)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 < e2))
+ XFS_IS_CORRUPT(mp, e1 >= e2)
@@
expression mp, e1;
@@
- XFS_IS_CORRUPT(mp, !!e1)
+ XFS_IS_CORRUPT(mp, e1)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 || e2))
+ XFS_IS_CORRUPT(mp, !e1 && !e2)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 == e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 != e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2) || !(e3 >= e4))
+ XFS_IS_CORRUPT(mp, e1 > e2 || e3 < e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 <= e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 > e4)
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2019-11-11 20:52:18 +00:00
|
|
|
if (XFS_IS_CORRUPT(cur->bc_mp, found_rec != 1)) {
|
|
|
|
error = -EFSCORRUPTED;
|
|
|
|
goto out_error;
|
|
|
|
}
|
2016-10-03 16:11:21 +00:00
|
|
|
|
2022-10-26 21:16:36 +00:00
|
|
|
if (tmp.rc_domain != domain)
|
2016-10-03 16:11:39 +00:00
|
|
|
return 0;
|
2022-10-26 21:16:36 +00:00
|
|
|
if (tmp.rc_startblock != agbno + aglen)
|
2016-10-03 16:11:39 +00:00
|
|
|
return 0;
|
2016-10-03 16:11:21 +00:00
|
|
|
/* We have a right extent; retrieve (or invent) the next left one */
|
|
|
|
*right = tmp;
|
|
|
|
|
|
|
|
error = xfs_btree_decrement(cur, 0, &found_rec);
|
|
|
|
if (error)
|
|
|
|
goto out_error;
|
|
|
|
if (found_rec) {
|
|
|
|
error = xfs_refcount_get_rec(cur, &tmp, &found_rec);
|
|
|
|
if (error)
|
|
|
|
goto out_error;
|
xfs: kill the XFS_WANT_CORRUPT_* macros
The XFS_WANT_CORRUPT_* macros conceal subtle side effects such as the
creation of local variables and redirections of the code flow. This is
pretty ugly, so replace them with explicit XFS_IS_CORRUPT tests that
remove both of those ugly points. The change was performed with the
following coccinelle script:
@@
expression mp, test;
identifier label;
@@
- XFS_WANT_CORRUPTED_GOTO(mp, test, label);
+ if (XFS_IS_CORRUPT(mp, !test)) { error = -EFSCORRUPTED; goto label; }
@@
expression mp, test;
@@
- XFS_WANT_CORRUPTED_RETURN(mp, test);
+ if (XFS_IS_CORRUPT(mp, !test)) return -EFSCORRUPTED;
@@
expression mp, lval, rval;
@@
- XFS_IS_CORRUPT(mp, !(lval == rval))
+ XFS_IS_CORRUPT(mp, lval != rval)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 && e2))
+ XFS_IS_CORRUPT(mp, !e1 || !e2)
@@
expression e1, e2;
@@
- !(e1 == e2)
+ e1 != e2
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 && e3 == e4) || e5 != e6
+ e1 != e2 || e3 != e4 || e5 != e6
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 || (e3 <= e4 && e5 <= e6))
+ e1 != e2 && (e3 > e4 || e5 > e6)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2))
+ XFS_IS_CORRUPT(mp, e1 > e2)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 < e2))
+ XFS_IS_CORRUPT(mp, e1 >= e2)
@@
expression mp, e1;
@@
- XFS_IS_CORRUPT(mp, !!e1)
+ XFS_IS_CORRUPT(mp, e1)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 || e2))
+ XFS_IS_CORRUPT(mp, !e1 && !e2)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 == e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 != e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2) || !(e3 >= e4))
+ XFS_IS_CORRUPT(mp, e1 > e2 || e3 < e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 <= e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 > e4)
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2019-11-11 20:52:18 +00:00
|
|
|
if (XFS_IS_CORRUPT(cur->bc_mp, found_rec != 1)) {
|
|
|
|
error = -EFSCORRUPTED;
|
|
|
|
goto out_error;
|
|
|
|
}
|
2016-10-03 16:11:21 +00:00
|
|
|
|
2022-10-26 21:16:36 +00:00
|
|
|
if (tmp.rc_domain != domain)
|
|
|
|
goto not_found;
|
|
|
|
|
2016-10-03 16:11:21 +00:00
|
|
|
/* if tmp ends at the end of our range, just use that */
|
|
|
|
if (xfs_refc_next(&tmp) == agbno + aglen)
|
|
|
|
*cright = tmp;
|
|
|
|
else {
|
|
|
|
/*
|
|
|
|
* There's a gap in the refcntbt at the end of the
|
|
|
|
* range we're interested in (refcount == 1) so
|
|
|
|
* create the implied extent and pass it back.
|
|
|
|
* We assume here that the agbno/aglen range was
|
|
|
|
* passed in from a data fork extent mapping and
|
|
|
|
* therefore is allocated to exactly one owner.
|
|
|
|
*/
|
|
|
|
cright->rc_startblock = max(agbno, xfs_refc_next(&tmp));
|
|
|
|
cright->rc_blockcount = right->rc_startblock -
|
|
|
|
cright->rc_startblock;
|
|
|
|
cright->rc_refcount = 1;
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
cright->rc_domain = domain;
|
2016-10-03 16:11:21 +00:00
|
|
|
}
|
|
|
|
} else {
|
2022-10-26 21:16:36 +00:00
|
|
|
not_found:
|
2016-10-03 16:11:21 +00:00
|
|
|
/*
|
|
|
|
* No extents, so pretend that there's one covering the whole
|
|
|
|
* range.
|
|
|
|
*/
|
|
|
|
cright->rc_startblock = agbno;
|
|
|
|
cright->rc_blockcount = aglen;
|
|
|
|
cright->rc_refcount = 1;
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
cright->rc_domain = domain;
|
2016-10-03 16:11:21 +00:00
|
|
|
}
|
2021-06-02 00:48:24 +00:00
|
|
|
trace_xfs_refcount_find_right_extent(cur->bc_mp, cur->bc_ag.pag->pag_agno,
|
2016-10-03 16:11:21 +00:00
|
|
|
cright, right, agbno + aglen);
|
|
|
|
return error;
|
|
|
|
|
|
|
|
out_error:
|
|
|
|
trace_xfs_refcount_find_right_extent_error(cur->bc_mp,
|
2021-06-02 00:48:24 +00:00
|
|
|
cur->bc_ag.pag->pag_agno, error, _RET_IP_);
|
2016-10-03 16:11:21 +00:00
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Is this extent valid? */
|
|
|
|
static inline bool
|
|
|
|
xfs_refc_valid(
|
2022-11-30 17:25:51 +00:00
|
|
|
const struct xfs_refcount_irec *rc)
|
2016-10-03 16:11:21 +00:00
|
|
|
{
|
|
|
|
return rc->rc_startblock != NULLAGBLOCK;
|
|
|
|
}
|
|
|
|
|
2022-11-30 17:25:51 +00:00
|
|
|
static inline xfs_nlink_t
|
|
|
|
xfs_refc_merge_refcount(
|
|
|
|
const struct xfs_refcount_irec *irec,
|
|
|
|
enum xfs_refc_adjust_op adjust)
|
|
|
|
{
|
|
|
|
/* Once a record hits MAXREFCOUNT, it is pinned there forever */
|
|
|
|
if (irec->rc_refcount == MAXREFCOUNT)
|
|
|
|
return MAXREFCOUNT;
|
|
|
|
return irec->rc_refcount + adjust;
|
|
|
|
}
|
|
|
|
|
2022-11-30 17:25:51 +00:00
|
|
|
static inline bool
|
|
|
|
xfs_refc_want_merge_center(
|
|
|
|
const struct xfs_refcount_irec *left,
|
|
|
|
const struct xfs_refcount_irec *cleft,
|
|
|
|
const struct xfs_refcount_irec *cright,
|
|
|
|
const struct xfs_refcount_irec *right,
|
|
|
|
bool cleft_is_cright,
|
|
|
|
enum xfs_refc_adjust_op adjust,
|
|
|
|
unsigned long long *ulenp)
|
|
|
|
{
|
|
|
|
unsigned long long ulen = left->rc_blockcount;
|
2022-11-30 17:25:51 +00:00
|
|
|
xfs_nlink_t new_refcount;
|
2022-11-30 17:25:51 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* To merge with a center record, both shoulder records must be
|
|
|
|
* adjacent to the record we want to adjust. This is only true if
|
|
|
|
* find_left and find_right made all four records valid.
|
|
|
|
*/
|
|
|
|
if (!xfs_refc_valid(left) || !xfs_refc_valid(right) ||
|
|
|
|
!xfs_refc_valid(cleft) || !xfs_refc_valid(cright))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
/* There must only be one record for the entire range. */
|
|
|
|
if (!cleft_is_cright)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
/* The shoulder record refcounts must match the new refcount. */
|
2022-11-30 17:25:51 +00:00
|
|
|
new_refcount = xfs_refc_merge_refcount(cleft, adjust);
|
|
|
|
if (left->rc_refcount != new_refcount)
|
2022-11-30 17:25:51 +00:00
|
|
|
return false;
|
2022-11-30 17:25:51 +00:00
|
|
|
if (right->rc_refcount != new_refcount)
|
2022-11-30 17:25:51 +00:00
|
|
|
return false;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* The new record cannot exceed the max length. ulen is a ULL as the
|
|
|
|
* individual record block counts can be up to (u32 - 1) in length
|
|
|
|
* hence we need to catch u32 addition overflows here.
|
|
|
|
*/
|
|
|
|
ulen += cleft->rc_blockcount + right->rc_blockcount;
|
|
|
|
if (ulen >= MAXREFCEXTLEN)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
*ulenp = ulen;
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline bool
|
|
|
|
xfs_refc_want_merge_left(
|
|
|
|
const struct xfs_refcount_irec *left,
|
|
|
|
const struct xfs_refcount_irec *cleft,
|
|
|
|
enum xfs_refc_adjust_op adjust)
|
|
|
|
{
|
|
|
|
unsigned long long ulen = left->rc_blockcount;
|
2022-11-30 17:25:51 +00:00
|
|
|
xfs_nlink_t new_refcount;
|
2022-11-30 17:25:51 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* For a left merge, the left shoulder record must be adjacent to the
|
|
|
|
* start of the range. If this is true, find_left made left and cleft
|
|
|
|
* contain valid contents.
|
|
|
|
*/
|
|
|
|
if (!xfs_refc_valid(left) || !xfs_refc_valid(cleft))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
/* Left shoulder record refcount must match the new refcount. */
|
2022-11-30 17:25:51 +00:00
|
|
|
new_refcount = xfs_refc_merge_refcount(cleft, adjust);
|
|
|
|
if (left->rc_refcount != new_refcount)
|
2022-11-30 17:25:51 +00:00
|
|
|
return false;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* The new record cannot exceed the max length. ulen is a ULL as the
|
|
|
|
* individual record block counts can be up to (u32 - 1) in length
|
|
|
|
* hence we need to catch u32 addition overflows here.
|
|
|
|
*/
|
|
|
|
ulen += cleft->rc_blockcount;
|
|
|
|
if (ulen >= MAXREFCEXTLEN)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline bool
|
|
|
|
xfs_refc_want_merge_right(
|
|
|
|
const struct xfs_refcount_irec *cright,
|
|
|
|
const struct xfs_refcount_irec *right,
|
|
|
|
enum xfs_refc_adjust_op adjust)
|
|
|
|
{
|
|
|
|
unsigned long long ulen = right->rc_blockcount;
|
2022-11-30 17:25:51 +00:00
|
|
|
xfs_nlink_t new_refcount;
|
2022-11-30 17:25:51 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* For a right merge, the right shoulder record must be adjacent to the
|
|
|
|
* end of the range. If this is true, find_right made cright and right
|
|
|
|
* contain valid contents.
|
|
|
|
*/
|
|
|
|
if (!xfs_refc_valid(right) || !xfs_refc_valid(cright))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
/* Right shoulder record refcount must match the new refcount. */
|
2022-11-30 17:25:51 +00:00
|
|
|
new_refcount = xfs_refc_merge_refcount(cright, adjust);
|
|
|
|
if (right->rc_refcount != new_refcount)
|
2022-11-30 17:25:51 +00:00
|
|
|
return false;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* The new record cannot exceed the max length. ulen is a ULL as the
|
|
|
|
* individual record block counts can be up to (u32 - 1) in length
|
|
|
|
* hence we need to catch u32 addition overflows here.
|
|
|
|
*/
|
|
|
|
ulen += cright->rc_blockcount;
|
|
|
|
if (ulen >= MAXREFCEXTLEN)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2016-10-03 16:11:21 +00:00
|
|
|
/*
|
|
|
|
* Try to merge with any extents on the boundaries of the adjustment range.
|
|
|
|
*/
|
|
|
|
STATIC int
|
|
|
|
xfs_refcount_merge_extents(
|
|
|
|
struct xfs_btree_cur *cur,
|
2022-10-26 21:42:48 +00:00
|
|
|
enum xfs_refc_domain domain,
|
2016-10-03 16:11:21 +00:00
|
|
|
xfs_agblock_t *agbno,
|
|
|
|
xfs_extlen_t *aglen,
|
|
|
|
enum xfs_refc_adjust_op adjust,
|
|
|
|
bool *shape_changed)
|
|
|
|
{
|
|
|
|
struct xfs_refcount_irec left = {0}, cleft = {0};
|
|
|
|
struct xfs_refcount_irec cright = {0}, right = {0};
|
|
|
|
int error;
|
|
|
|
unsigned long long ulen;
|
|
|
|
bool cequal;
|
|
|
|
|
|
|
|
*shape_changed = false;
|
|
|
|
/*
|
|
|
|
* Find the extent just below agbno [left], just above agbno [cleft],
|
|
|
|
* just below (agbno + aglen) [cright], and just above (agbno + aglen)
|
|
|
|
* [right].
|
|
|
|
*/
|
2022-10-26 21:42:48 +00:00
|
|
|
error = xfs_refcount_find_left_extents(cur, &left, &cleft, domain,
|
|
|
|
*agbno, *aglen);
|
2016-10-03 16:11:21 +00:00
|
|
|
if (error)
|
|
|
|
return error;
|
2022-10-26 21:42:48 +00:00
|
|
|
error = xfs_refcount_find_right_extents(cur, &right, &cright, domain,
|
|
|
|
*agbno, *aglen);
|
2016-10-03 16:11:21 +00:00
|
|
|
if (error)
|
|
|
|
return error;
|
|
|
|
|
|
|
|
/* No left or right extent to merge; exit. */
|
|
|
|
if (!xfs_refc_valid(&left) && !xfs_refc_valid(&right))
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
cequal = (cleft.rc_startblock == cright.rc_startblock) &&
|
|
|
|
(cleft.rc_blockcount == cright.rc_blockcount);
|
|
|
|
|
|
|
|
/* Try to merge left, cleft, and right. cleft must == cright. */
|
2022-11-30 17:25:51 +00:00
|
|
|
if (xfs_refc_want_merge_center(&left, &cleft, &cright, &right, cequal,
|
|
|
|
adjust, &ulen)) {
|
2016-10-03 16:11:21 +00:00
|
|
|
*shape_changed = true;
|
|
|
|
return xfs_refcount_merge_center_extents(cur, &left, &cleft,
|
2018-04-06 17:09:42 +00:00
|
|
|
&right, ulen, aglen);
|
2016-10-03 16:11:21 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/* Try to merge left and cleft. */
|
2022-11-30 17:25:51 +00:00
|
|
|
if (xfs_refc_want_merge_left(&left, &cleft, adjust)) {
|
2016-10-03 16:11:21 +00:00
|
|
|
*shape_changed = true;
|
|
|
|
error = xfs_refcount_merge_left_extent(cur, &left, &cleft,
|
|
|
|
agbno, aglen);
|
|
|
|
if (error)
|
|
|
|
return error;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* If we just merged left + cleft and cleft == cright,
|
|
|
|
* we no longer have a cright to merge with right. We're done.
|
|
|
|
*/
|
|
|
|
if (cequal)
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Try to merge cright and right. */
|
2022-11-30 17:25:51 +00:00
|
|
|
if (xfs_refc_want_merge_right(&cright, &right, adjust)) {
|
2016-10-03 16:11:21 +00:00
|
|
|
*shape_changed = true;
|
|
|
|
return xfs_refcount_merge_right_extent(cur, &right, &cright,
|
2018-04-06 17:09:42 +00:00
|
|
|
aglen);
|
2016-10-03 16:11:21 +00:00
|
|
|
}
|
|
|
|
|
2022-10-26 21:16:36 +00:00
|
|
|
return 0;
|
2016-10-03 16:11:21 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* XXX: This is a pretty hand-wavy estimate. The penalty for guessing
|
|
|
|
* true incorrectly is a shutdown FS; the penalty for guessing false
|
|
|
|
* incorrectly is more transaction rolls than might be necessary.
|
|
|
|
* Be conservative here.
|
|
|
|
*/
|
|
|
|
static bool
|
|
|
|
xfs_refcount_still_have_space(
|
|
|
|
struct xfs_btree_cur *cur)
|
|
|
|
{
|
|
|
|
unsigned long overhead;
|
|
|
|
|
2022-04-26 01:38:14 +00:00
|
|
|
/*
|
|
|
|
* Worst case estimate: full splits of the free space and rmap btrees
|
|
|
|
* to handle each of the shape changes to the refcount btree.
|
|
|
|
*/
|
2022-04-26 01:38:24 +00:00
|
|
|
overhead = xfs_allocfree_block_count(cur->bc_mp,
|
2022-04-26 01:38:14 +00:00
|
|
|
cur->bc_ag.refc.shape_changes);
|
|
|
|
overhead += cur->bc_mp->m_refc_maxlevels;
|
2016-10-03 16:11:21 +00:00
|
|
|
overhead *= cur->bc_mp->m_sb.sb_blocksize;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Only allow 2 refcount extent updates per transaction if the
|
|
|
|
* refcount continue update "error" has been injected.
|
|
|
|
*/
|
2020-03-11 00:57:51 +00:00
|
|
|
if (cur->bc_ag.refc.nr_ops > 2 &&
|
2016-10-03 16:11:21 +00:00
|
|
|
XFS_TEST_ERROR(false, cur->bc_mp,
|
2017-06-21 00:54:47 +00:00
|
|
|
XFS_ERRTAG_REFCOUNT_CONTINUE_UPDATE))
|
2016-10-03 16:11:21 +00:00
|
|
|
return false;
|
|
|
|
|
2020-03-11 00:57:51 +00:00
|
|
|
if (cur->bc_ag.refc.nr_ops == 0)
|
2016-10-03 16:11:21 +00:00
|
|
|
return true;
|
|
|
|
else if (overhead > cur->bc_tp->t_log_res)
|
|
|
|
return false;
|
|
|
|
return cur->bc_tp->t_log_res - overhead >
|
2020-03-11 00:57:51 +00:00
|
|
|
cur->bc_ag.refc.nr_ops * XFS_REFCOUNT_ITEM_OVERHEAD;
|
2016-10-03 16:11:21 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Adjust the refcounts of middle extents. At this point we should have
|
|
|
|
* split extents that crossed the adjustment range; merged with adjacent
|
|
|
|
* extents; and updated agbno/aglen to reflect the merges. Therefore,
|
|
|
|
* all we have to do is update the extents inside [agbno, agbno + aglen].
|
|
|
|
*/
|
|
|
|
STATIC int
|
|
|
|
xfs_refcount_adjust_extents(
|
|
|
|
struct xfs_btree_cur *cur,
|
|
|
|
xfs_agblock_t *agbno,
|
|
|
|
xfs_extlen_t *aglen,
|
2021-10-12 22:58:11 +00:00
|
|
|
enum xfs_refc_adjust_op adj)
|
2016-10-03 16:11:21 +00:00
|
|
|
{
|
|
|
|
struct xfs_refcount_irec ext, tmp;
|
|
|
|
int error;
|
|
|
|
int found_rec, found_tmp;
|
|
|
|
xfs_fsblock_t fsbno;
|
|
|
|
|
|
|
|
/* Merging did all the work already. */
|
|
|
|
if (*aglen == 0)
|
|
|
|
return 0;
|
|
|
|
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
error = xfs_refcount_lookup_ge(cur, XFS_REFC_DOMAIN_SHARED, *agbno,
|
|
|
|
&found_rec);
|
2016-10-03 16:11:21 +00:00
|
|
|
if (error)
|
|
|
|
goto out_error;
|
|
|
|
|
|
|
|
while (*aglen > 0 && xfs_refcount_still_have_space(cur)) {
|
|
|
|
error = xfs_refcount_get_rec(cur, &ext, &found_rec);
|
|
|
|
if (error)
|
|
|
|
goto out_error;
|
2022-10-26 21:16:36 +00:00
|
|
|
if (!found_rec || ext.rc_domain != XFS_REFC_DOMAIN_SHARED) {
|
2016-10-03 16:11:21 +00:00
|
|
|
ext.rc_startblock = cur->bc_mp->m_sb.sb_agblocks;
|
|
|
|
ext.rc_blockcount = 0;
|
|
|
|
ext.rc_refcount = 0;
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
ext.rc_domain = XFS_REFC_DOMAIN_SHARED;
|
2016-10-03 16:11:21 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Deal with a hole in the refcount tree; if a file maps to
|
|
|
|
* these blocks and there's no refcountbt record, pretend that
|
|
|
|
* there is one with refcount == 1.
|
|
|
|
*/
|
|
|
|
if (ext.rc_startblock != *agbno) {
|
|
|
|
tmp.rc_startblock = *agbno;
|
|
|
|
tmp.rc_blockcount = min(*aglen,
|
|
|
|
ext.rc_startblock - *agbno);
|
|
|
|
tmp.rc_refcount = 1 + adj;
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
tmp.rc_domain = XFS_REFC_DOMAIN_SHARED;
|
|
|
|
|
2016-10-03 16:11:21 +00:00
|
|
|
trace_xfs_refcount_modify_extent(cur->bc_mp,
|
2021-06-02 00:48:24 +00:00
|
|
|
cur->bc_ag.pag->pag_agno, &tmp);
|
2016-10-03 16:11:21 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Either cover the hole (increment) or
|
|
|
|
* delete the range (decrement).
|
|
|
|
*/
|
2022-04-26 22:29:54 +00:00
|
|
|
cur->bc_ag.refc.nr_ops++;
|
2016-10-03 16:11:21 +00:00
|
|
|
if (tmp.rc_refcount) {
|
|
|
|
error = xfs_refcount_insert(cur, &tmp,
|
|
|
|
&found_tmp);
|
|
|
|
if (error)
|
|
|
|
goto out_error;
|
xfs: kill the XFS_WANT_CORRUPT_* macros
The XFS_WANT_CORRUPT_* macros conceal subtle side effects such as the
creation of local variables and redirections of the code flow. This is
pretty ugly, so replace them with explicit XFS_IS_CORRUPT tests that
remove both of those ugly points. The change was performed with the
following coccinelle script:
@@
expression mp, test;
identifier label;
@@
- XFS_WANT_CORRUPTED_GOTO(mp, test, label);
+ if (XFS_IS_CORRUPT(mp, !test)) { error = -EFSCORRUPTED; goto label; }
@@
expression mp, test;
@@
- XFS_WANT_CORRUPTED_RETURN(mp, test);
+ if (XFS_IS_CORRUPT(mp, !test)) return -EFSCORRUPTED;
@@
expression mp, lval, rval;
@@
- XFS_IS_CORRUPT(mp, !(lval == rval))
+ XFS_IS_CORRUPT(mp, lval != rval)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 && e2))
+ XFS_IS_CORRUPT(mp, !e1 || !e2)
@@
expression e1, e2;
@@
- !(e1 == e2)
+ e1 != e2
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 && e3 == e4) || e5 != e6
+ e1 != e2 || e3 != e4 || e5 != e6
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 || (e3 <= e4 && e5 <= e6))
+ e1 != e2 && (e3 > e4 || e5 > e6)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2))
+ XFS_IS_CORRUPT(mp, e1 > e2)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 < e2))
+ XFS_IS_CORRUPT(mp, e1 >= e2)
@@
expression mp, e1;
@@
- XFS_IS_CORRUPT(mp, !!e1)
+ XFS_IS_CORRUPT(mp, e1)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 || e2))
+ XFS_IS_CORRUPT(mp, !e1 && !e2)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 == e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 != e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2) || !(e3 >= e4))
+ XFS_IS_CORRUPT(mp, e1 > e2 || e3 < e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 <= e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 > e4)
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2019-11-11 20:52:18 +00:00
|
|
|
if (XFS_IS_CORRUPT(cur->bc_mp,
|
|
|
|
found_tmp != 1)) {
|
|
|
|
error = -EFSCORRUPTED;
|
|
|
|
goto out_error;
|
|
|
|
}
|
2016-10-03 16:11:21 +00:00
|
|
|
} else {
|
|
|
|
fsbno = XFS_AGB_TO_FSB(cur->bc_mp,
|
2021-06-02 00:48:24 +00:00
|
|
|
cur->bc_ag.pag->pag_agno,
|
2016-10-03 16:11:21 +00:00
|
|
|
tmp.rc_startblock);
|
2023-06-05 04:48:15 +00:00
|
|
|
error = xfs_free_extent_later(cur->bc_tp, fsbno,
|
2023-06-28 18:04:32 +00:00
|
|
|
tmp.rc_blockcount, NULL,
|
2023-12-07 02:40:57 +00:00
|
|
|
XFS_AG_RESV_NONE, false);
|
2023-06-05 04:48:15 +00:00
|
|
|
if (error)
|
|
|
|
goto out_error;
|
2016-10-03 16:11:21 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
(*agbno) += tmp.rc_blockcount;
|
|
|
|
(*aglen) -= tmp.rc_blockcount;
|
|
|
|
|
2022-10-26 01:18:21 +00:00
|
|
|
/* Stop if there's nothing left to modify */
|
|
|
|
if (*aglen == 0 || !xfs_refcount_still_have_space(cur))
|
|
|
|
break;
|
|
|
|
|
|
|
|
/* Move the cursor to the start of ext. */
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
error = xfs_refcount_lookup_ge(cur,
|
|
|
|
XFS_REFC_DOMAIN_SHARED, *agbno,
|
2016-10-03 16:11:21 +00:00
|
|
|
&found_rec);
|
|
|
|
if (error)
|
|
|
|
goto out_error;
|
|
|
|
}
|
|
|
|
|
2022-10-26 01:18:21 +00:00
|
|
|
/*
|
|
|
|
* A previous step trimmed agbno/aglen such that the end of the
|
|
|
|
* range would not be in the middle of the record. If this is
|
|
|
|
* no longer the case, something is seriously wrong with the
|
|
|
|
* btree. Make sure we never feed the synthesized record into
|
|
|
|
* the processing loop below.
|
|
|
|
*/
|
|
|
|
if (XFS_IS_CORRUPT(cur->bc_mp, ext.rc_blockcount == 0) ||
|
|
|
|
XFS_IS_CORRUPT(cur->bc_mp, ext.rc_blockcount > *aglen)) {
|
|
|
|
error = -EFSCORRUPTED;
|
|
|
|
goto out_error;
|
|
|
|
}
|
2016-10-03 16:11:21 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Adjust the reference count and either update the tree
|
|
|
|
* (incr) or free the blocks (decr).
|
|
|
|
*/
|
|
|
|
if (ext.rc_refcount == MAXREFCOUNT)
|
|
|
|
goto skip;
|
|
|
|
ext.rc_refcount += adj;
|
|
|
|
trace_xfs_refcount_modify_extent(cur->bc_mp,
|
2021-06-02 00:48:24 +00:00
|
|
|
cur->bc_ag.pag->pag_agno, &ext);
|
2022-04-26 22:29:54 +00:00
|
|
|
cur->bc_ag.refc.nr_ops++;
|
2016-10-03 16:11:21 +00:00
|
|
|
if (ext.rc_refcount > 1) {
|
|
|
|
error = xfs_refcount_update(cur, &ext);
|
|
|
|
if (error)
|
|
|
|
goto out_error;
|
|
|
|
} else if (ext.rc_refcount == 1) {
|
|
|
|
error = xfs_refcount_delete(cur, &found_rec);
|
|
|
|
if (error)
|
|
|
|
goto out_error;
|
xfs: kill the XFS_WANT_CORRUPT_* macros
The XFS_WANT_CORRUPT_* macros conceal subtle side effects such as the
creation of local variables and redirections of the code flow. This is
pretty ugly, so replace them with explicit XFS_IS_CORRUPT tests that
remove both of those ugly points. The change was performed with the
following coccinelle script:
@@
expression mp, test;
identifier label;
@@
- XFS_WANT_CORRUPTED_GOTO(mp, test, label);
+ if (XFS_IS_CORRUPT(mp, !test)) { error = -EFSCORRUPTED; goto label; }
@@
expression mp, test;
@@
- XFS_WANT_CORRUPTED_RETURN(mp, test);
+ if (XFS_IS_CORRUPT(mp, !test)) return -EFSCORRUPTED;
@@
expression mp, lval, rval;
@@
- XFS_IS_CORRUPT(mp, !(lval == rval))
+ XFS_IS_CORRUPT(mp, lval != rval)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 && e2))
+ XFS_IS_CORRUPT(mp, !e1 || !e2)
@@
expression e1, e2;
@@
- !(e1 == e2)
+ e1 != e2
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 && e3 == e4) || e5 != e6
+ e1 != e2 || e3 != e4 || e5 != e6
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 || (e3 <= e4 && e5 <= e6))
+ e1 != e2 && (e3 > e4 || e5 > e6)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2))
+ XFS_IS_CORRUPT(mp, e1 > e2)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 < e2))
+ XFS_IS_CORRUPT(mp, e1 >= e2)
@@
expression mp, e1;
@@
- XFS_IS_CORRUPT(mp, !!e1)
+ XFS_IS_CORRUPT(mp, e1)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 || e2))
+ XFS_IS_CORRUPT(mp, !e1 && !e2)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 == e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 != e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2) || !(e3 >= e4))
+ XFS_IS_CORRUPT(mp, e1 > e2 || e3 < e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 <= e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 > e4)
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2019-11-11 20:52:18 +00:00
|
|
|
if (XFS_IS_CORRUPT(cur->bc_mp, found_rec != 1)) {
|
|
|
|
error = -EFSCORRUPTED;
|
|
|
|
goto out_error;
|
|
|
|
}
|
2016-10-03 16:11:21 +00:00
|
|
|
goto advloop;
|
|
|
|
} else {
|
|
|
|
fsbno = XFS_AGB_TO_FSB(cur->bc_mp,
|
2021-06-02 00:48:24 +00:00
|
|
|
cur->bc_ag.pag->pag_agno,
|
2016-10-03 16:11:21 +00:00
|
|
|
ext.rc_startblock);
|
2023-06-05 04:48:15 +00:00
|
|
|
error = xfs_free_extent_later(cur->bc_tp, fsbno,
|
2023-06-28 18:04:32 +00:00
|
|
|
ext.rc_blockcount, NULL,
|
2023-12-07 02:40:57 +00:00
|
|
|
XFS_AG_RESV_NONE, false);
|
2023-06-05 04:48:15 +00:00
|
|
|
if (error)
|
|
|
|
goto out_error;
|
2016-10-03 16:11:21 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
skip:
|
|
|
|
error = xfs_btree_increment(cur, 0, &found_rec);
|
|
|
|
if (error)
|
|
|
|
goto out_error;
|
|
|
|
|
|
|
|
advloop:
|
|
|
|
(*agbno) += ext.rc_blockcount;
|
|
|
|
(*aglen) -= ext.rc_blockcount;
|
|
|
|
}
|
|
|
|
|
|
|
|
return error;
|
|
|
|
out_error:
|
|
|
|
trace_xfs_refcount_modify_extent_error(cur->bc_mp,
|
2021-06-02 00:48:24 +00:00
|
|
|
cur->bc_ag.pag->pag_agno, error, _RET_IP_);
|
2016-10-03 16:11:21 +00:00
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Adjust the reference count of a range of AG blocks. */
|
|
|
|
STATIC int
|
|
|
|
xfs_refcount_adjust(
|
|
|
|
struct xfs_btree_cur *cur,
|
2023-02-01 18:16:04 +00:00
|
|
|
xfs_agblock_t *agbno,
|
|
|
|
xfs_extlen_t *aglen,
|
2021-10-12 22:58:11 +00:00
|
|
|
enum xfs_refc_adjust_op adj)
|
2016-10-03 16:11:21 +00:00
|
|
|
{
|
|
|
|
bool shape_changed;
|
|
|
|
int shape_changes = 0;
|
|
|
|
int error;
|
|
|
|
|
|
|
|
if (adj == XFS_REFCOUNT_ADJUST_INCREASE)
|
2023-02-01 18:16:04 +00:00
|
|
|
trace_xfs_refcount_increase(cur->bc_mp,
|
|
|
|
cur->bc_ag.pag->pag_agno, *agbno, *aglen);
|
2016-10-03 16:11:21 +00:00
|
|
|
else
|
2023-02-01 18:16:04 +00:00
|
|
|
trace_xfs_refcount_decrease(cur->bc_mp,
|
|
|
|
cur->bc_ag.pag->pag_agno, *agbno, *aglen);
|
2016-10-03 16:11:21 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Ensure that no rcextents cross the boundary of the adjustment range.
|
|
|
|
*/
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
error = xfs_refcount_split_extent(cur, XFS_REFC_DOMAIN_SHARED,
|
2023-02-01 18:16:04 +00:00
|
|
|
*agbno, &shape_changed);
|
2016-10-03 16:11:21 +00:00
|
|
|
if (error)
|
|
|
|
goto out_error;
|
|
|
|
if (shape_changed)
|
|
|
|
shape_changes++;
|
|
|
|
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
error = xfs_refcount_split_extent(cur, XFS_REFC_DOMAIN_SHARED,
|
2023-02-01 18:16:04 +00:00
|
|
|
*agbno + *aglen, &shape_changed);
|
2016-10-03 16:11:21 +00:00
|
|
|
if (error)
|
|
|
|
goto out_error;
|
|
|
|
if (shape_changed)
|
|
|
|
shape_changes++;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Try to merge with the left or right extents of the range.
|
|
|
|
*/
|
2022-10-26 21:42:48 +00:00
|
|
|
error = xfs_refcount_merge_extents(cur, XFS_REFC_DOMAIN_SHARED,
|
2023-02-01 18:16:04 +00:00
|
|
|
agbno, aglen, adj, &shape_changed);
|
2016-10-03 16:11:21 +00:00
|
|
|
if (error)
|
|
|
|
goto out_error;
|
|
|
|
if (shape_changed)
|
|
|
|
shape_changes++;
|
|
|
|
if (shape_changes)
|
2020-03-11 00:57:51 +00:00
|
|
|
cur->bc_ag.refc.shape_changes++;
|
2016-10-03 16:11:21 +00:00
|
|
|
|
|
|
|
/* Now that we've taken care of the ends, adjust the middle extents */
|
2023-02-01 18:16:04 +00:00
|
|
|
error = xfs_refcount_adjust_extents(cur, agbno, aglen, adj);
|
2016-10-03 16:11:21 +00:00
|
|
|
if (error)
|
|
|
|
goto out_error;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
out_error:
|
2021-06-02 00:48:24 +00:00
|
|
|
trace_xfs_refcount_adjust_error(cur->bc_mp, cur->bc_ag.pag->pag_agno,
|
2016-10-03 16:11:21 +00:00
|
|
|
error, _RET_IP_);
|
|
|
|
return error;
|
|
|
|
}
|
2016-10-03 16:11:22 +00:00
|
|
|
|
|
|
|
/* Clean up after calling xfs_refcount_finish_one. */
|
|
|
|
void
|
|
|
|
xfs_refcount_finish_one_cleanup(
|
|
|
|
struct xfs_trans *tp,
|
|
|
|
struct xfs_btree_cur *rcur,
|
|
|
|
int error)
|
|
|
|
{
|
|
|
|
struct xfs_buf *agbp;
|
|
|
|
|
|
|
|
if (rcur == NULL)
|
|
|
|
return;
|
2020-03-11 00:51:15 +00:00
|
|
|
agbp = rcur->bc_ag.agbp;
|
2018-07-19 19:26:31 +00:00
|
|
|
xfs_btree_del_cursor(rcur, error);
|
2016-10-03 16:11:22 +00:00
|
|
|
if (error)
|
|
|
|
xfs_trans_brelse(tp, agbp);
|
|
|
|
}
|
|
|
|
|
2022-10-10 18:33:47 +00:00
|
|
|
/*
|
|
|
|
* Set up a continuation a deferred refcount operation by updating the intent.
|
|
|
|
* Checks to make sure we're not going to run off the end of the AG.
|
|
|
|
*/
|
|
|
|
static inline int
|
|
|
|
xfs_refcount_continue_op(
|
|
|
|
struct xfs_btree_cur *cur,
|
2023-02-01 18:16:04 +00:00
|
|
|
struct xfs_refcount_intent *ri,
|
|
|
|
xfs_agblock_t new_agbno)
|
2022-10-10 18:33:47 +00:00
|
|
|
{
|
|
|
|
struct xfs_mount *mp = cur->bc_mp;
|
|
|
|
struct xfs_perag *pag = cur->bc_ag.pag;
|
|
|
|
|
2023-02-01 18:16:04 +00:00
|
|
|
if (XFS_IS_CORRUPT(mp, !xfs_verify_agbext(pag, new_agbno,
|
|
|
|
ri->ri_blockcount)))
|
2022-10-10 18:33:47 +00:00
|
|
|
return -EFSCORRUPTED;
|
|
|
|
|
2023-02-01 18:16:04 +00:00
|
|
|
ri->ri_startblock = XFS_AGB_TO_FSB(mp, pag->pag_agno, new_agbno);
|
2022-10-10 18:33:47 +00:00
|
|
|
|
2023-02-01 18:16:04 +00:00
|
|
|
ASSERT(xfs_verify_fsbext(mp, ri->ri_startblock, ri->ri_blockcount));
|
|
|
|
ASSERT(pag->pag_agno == XFS_FSB_TO_AGNO(mp, ri->ri_startblock));
|
2022-10-10 18:33:47 +00:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2016-10-03 16:11:22 +00:00
|
|
|
/*
|
|
|
|
* Process one of the deferred refcount operations. We pass back the
|
|
|
|
* btree cursor to maintain our lock on the btree between calls.
|
|
|
|
* This saves time and eliminates a buffer deadlock between the
|
|
|
|
* superblock and the AGF because we'll always grab them in the same
|
|
|
|
* order.
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
xfs_refcount_finish_one(
|
|
|
|
struct xfs_trans *tp,
|
2023-02-01 18:16:04 +00:00
|
|
|
struct xfs_refcount_intent *ri,
|
2016-10-03 16:11:22 +00:00
|
|
|
struct xfs_btree_cur **pcur)
|
|
|
|
{
|
|
|
|
struct xfs_mount *mp = tp->t_mountp;
|
|
|
|
struct xfs_btree_cur *rcur;
|
|
|
|
struct xfs_buf *agbp = NULL;
|
|
|
|
int error = 0;
|
|
|
|
xfs_agblock_t bno;
|
|
|
|
unsigned long nr_ops = 0;
|
|
|
|
int shape_changes = 0;
|
|
|
|
|
2023-02-01 18:16:04 +00:00
|
|
|
bno = XFS_FSB_TO_AGBNO(mp, ri->ri_startblock);
|
2016-10-03 16:11:22 +00:00
|
|
|
|
2023-02-01 18:16:04 +00:00
|
|
|
trace_xfs_refcount_deferred(mp, XFS_FSB_TO_AGNO(mp, ri->ri_startblock),
|
|
|
|
ri->ri_type, XFS_FSB_TO_AGBNO(mp, ri->ri_startblock),
|
|
|
|
ri->ri_blockcount);
|
2016-10-03 16:11:22 +00:00
|
|
|
|
2023-04-12 01:59:55 +00:00
|
|
|
if (XFS_TEST_ERROR(false, mp, XFS_ERRTAG_REFCOUNT_FINISH_ONE))
|
|
|
|
return -EIO;
|
2016-10-03 16:11:22 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* If we haven't gotten a cursor or the cursor AG doesn't match
|
|
|
|
* the startblock, get one now.
|
|
|
|
*/
|
|
|
|
rcur = *pcur;
|
2023-04-12 01:59:55 +00:00
|
|
|
if (rcur != NULL && rcur->bc_ag.pag != ri->ri_pag) {
|
2020-03-11 00:57:51 +00:00
|
|
|
nr_ops = rcur->bc_ag.refc.nr_ops;
|
|
|
|
shape_changes = rcur->bc_ag.refc.shape_changes;
|
2016-10-03 16:11:22 +00:00
|
|
|
xfs_refcount_finish_one_cleanup(tp, rcur, 0);
|
|
|
|
rcur = NULL;
|
|
|
|
*pcur = NULL;
|
|
|
|
}
|
|
|
|
if (rcur == NULL) {
|
2023-04-12 01:59:55 +00:00
|
|
|
error = xfs_alloc_read_agf(ri->ri_pag, tp,
|
|
|
|
XFS_ALLOC_FLAG_FREEING, &agbp);
|
2016-10-03 16:11:22 +00:00
|
|
|
if (error)
|
2023-04-12 01:59:55 +00:00
|
|
|
return error;
|
2016-10-03 16:11:22 +00:00
|
|
|
|
2023-04-12 01:59:55 +00:00
|
|
|
rcur = xfs_refcountbt_init_cursor(mp, tp, agbp, ri->ri_pag);
|
2020-03-11 00:57:51 +00:00
|
|
|
rcur->bc_ag.refc.nr_ops = nr_ops;
|
|
|
|
rcur->bc_ag.refc.shape_changes = shape_changes;
|
2016-10-03 16:11:22 +00:00
|
|
|
}
|
|
|
|
*pcur = rcur;
|
|
|
|
|
2023-02-01 18:16:04 +00:00
|
|
|
switch (ri->ri_type) {
|
2016-10-03 16:11:22 +00:00
|
|
|
case XFS_REFCOUNT_INCREASE:
|
2023-02-01 18:16:04 +00:00
|
|
|
error = xfs_refcount_adjust(rcur, &bno, &ri->ri_blockcount,
|
|
|
|
XFS_REFCOUNT_ADJUST_INCREASE);
|
2022-10-10 18:33:47 +00:00
|
|
|
if (error)
|
2023-04-12 01:59:55 +00:00
|
|
|
return error;
|
2023-02-01 18:16:04 +00:00
|
|
|
if (ri->ri_blockcount > 0)
|
|
|
|
error = xfs_refcount_continue_op(rcur, ri, bno);
|
2016-10-03 16:11:22 +00:00
|
|
|
break;
|
|
|
|
case XFS_REFCOUNT_DECREASE:
|
2023-02-01 18:16:04 +00:00
|
|
|
error = xfs_refcount_adjust(rcur, &bno, &ri->ri_blockcount,
|
|
|
|
XFS_REFCOUNT_ADJUST_DECREASE);
|
2022-10-10 18:33:47 +00:00
|
|
|
if (error)
|
2023-04-12 01:59:55 +00:00
|
|
|
return error;
|
2023-02-01 18:16:04 +00:00
|
|
|
if (ri->ri_blockcount > 0)
|
|
|
|
error = xfs_refcount_continue_op(rcur, ri, bno);
|
2016-10-03 16:11:22 +00:00
|
|
|
break;
|
2016-10-03 16:11:39 +00:00
|
|
|
case XFS_REFCOUNT_ALLOC_COW:
|
2023-02-01 18:16:04 +00:00
|
|
|
error = __xfs_refcount_cow_alloc(rcur, bno, ri->ri_blockcount);
|
|
|
|
if (error)
|
2023-04-12 01:59:55 +00:00
|
|
|
return error;
|
2023-02-01 18:16:04 +00:00
|
|
|
ri->ri_blockcount = 0;
|
2016-10-03 16:11:39 +00:00
|
|
|
break;
|
|
|
|
case XFS_REFCOUNT_FREE_COW:
|
2023-02-01 18:16:04 +00:00
|
|
|
error = __xfs_refcount_cow_free(rcur, bno, ri->ri_blockcount);
|
|
|
|
if (error)
|
2023-04-12 01:59:55 +00:00
|
|
|
return error;
|
2023-02-01 18:16:04 +00:00
|
|
|
ri->ri_blockcount = 0;
|
2016-10-03 16:11:39 +00:00
|
|
|
break;
|
2016-10-03 16:11:22 +00:00
|
|
|
default:
|
|
|
|
ASSERT(0);
|
2023-04-12 01:59:55 +00:00
|
|
|
return -EFSCORRUPTED;
|
2016-10-03 16:11:22 +00:00
|
|
|
}
|
2023-02-01 18:16:04 +00:00
|
|
|
if (!error && ri->ri_blockcount > 0)
|
2023-04-12 01:59:55 +00:00
|
|
|
trace_xfs_refcount_finish_one_leftover(mp, ri->ri_pag->pag_agno,
|
2023-02-01 18:16:04 +00:00
|
|
|
ri->ri_type, bno, ri->ri_blockcount);
|
2016-10-03 16:11:22 +00:00
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Record a refcount intent for later processing.
|
|
|
|
*/
|
2019-08-27 00:06:04 +00:00
|
|
|
static void
|
2016-10-03 16:11:22 +00:00
|
|
|
__xfs_refcount_add(
|
2018-08-01 14:20:34 +00:00
|
|
|
struct xfs_trans *tp,
|
2016-10-03 16:11:22 +00:00
|
|
|
enum xfs_refcount_intent_type type,
|
|
|
|
xfs_fsblock_t startblock,
|
|
|
|
xfs_extlen_t blockcount)
|
|
|
|
{
|
|
|
|
struct xfs_refcount_intent *ri;
|
|
|
|
|
2018-08-01 14:20:34 +00:00
|
|
|
trace_xfs_refcount_defer(tp->t_mountp,
|
|
|
|
XFS_FSB_TO_AGNO(tp->t_mountp, startblock),
|
|
|
|
type, XFS_FSB_TO_AGBNO(tp->t_mountp, startblock),
|
2016-10-03 16:11:22 +00:00
|
|
|
blockcount);
|
|
|
|
|
2021-10-12 21:11:01 +00:00
|
|
|
ri = kmem_cache_alloc(xfs_refcount_intent_cache,
|
|
|
|
GFP_NOFS | __GFP_NOFAIL);
|
2016-10-03 16:11:22 +00:00
|
|
|
INIT_LIST_HEAD(&ri->ri_list);
|
|
|
|
ri->ri_type = type;
|
|
|
|
ri->ri_startblock = startblock;
|
|
|
|
ri->ri_blockcount = blockcount;
|
|
|
|
|
2023-04-12 01:59:55 +00:00
|
|
|
xfs_refcount_update_get_group(tp->t_mountp, ri);
|
2023-12-13 09:06:33 +00:00
|
|
|
xfs_defer_add(tp, &ri->ri_list, &xfs_refcount_update_defer_type);
|
2016-10-03 16:11:22 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Increase the reference count of the blocks backing a file's extent.
|
|
|
|
*/
|
2019-08-27 00:06:04 +00:00
|
|
|
void
|
2016-10-03 16:11:22 +00:00
|
|
|
xfs_refcount_increase_extent(
|
2018-08-01 14:20:34 +00:00
|
|
|
struct xfs_trans *tp,
|
2016-10-03 16:11:22 +00:00
|
|
|
struct xfs_bmbt_irec *PREV)
|
|
|
|
{
|
2021-08-19 01:46:55 +00:00
|
|
|
if (!xfs_has_reflink(tp->t_mountp))
|
2019-08-27 00:06:04 +00:00
|
|
|
return;
|
2016-10-03 16:11:22 +00:00
|
|
|
|
2019-08-27 00:06:04 +00:00
|
|
|
__xfs_refcount_add(tp, XFS_REFCOUNT_INCREASE, PREV->br_startblock,
|
|
|
|
PREV->br_blockcount);
|
2016-10-03 16:11:22 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Decrease the reference count of the blocks backing a file's extent.
|
|
|
|
*/
|
2019-08-27 00:06:04 +00:00
|
|
|
void
|
2016-10-03 16:11:22 +00:00
|
|
|
xfs_refcount_decrease_extent(
|
2018-08-01 14:20:34 +00:00
|
|
|
struct xfs_trans *tp,
|
2016-10-03 16:11:22 +00:00
|
|
|
struct xfs_bmbt_irec *PREV)
|
|
|
|
{
|
2021-08-19 01:46:55 +00:00
|
|
|
if (!xfs_has_reflink(tp->t_mountp))
|
2019-08-27 00:06:04 +00:00
|
|
|
return;
|
2016-10-03 16:11:22 +00:00
|
|
|
|
2019-08-27 00:06:04 +00:00
|
|
|
__xfs_refcount_add(tp, XFS_REFCOUNT_DECREASE, PREV->br_startblock,
|
|
|
|
PREV->br_blockcount);
|
2016-10-03 16:11:22 +00:00
|
|
|
}
|
2016-10-03 16:11:25 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Given an AG extent, find the lowest-numbered run of shared blocks
|
|
|
|
* within that range and return the range in fbno/flen. If
|
|
|
|
* find_end_of_shared is set, return the longest contiguous extent of
|
|
|
|
* shared blocks; if not, just return the first extent we find. If no
|
|
|
|
* shared blocks are found, fbno and flen will be set to NULLAGBLOCK
|
|
|
|
* and 0, respectively.
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
xfs_refcount_find_shared(
|
|
|
|
struct xfs_btree_cur *cur,
|
|
|
|
xfs_agblock_t agbno,
|
|
|
|
xfs_extlen_t aglen,
|
|
|
|
xfs_agblock_t *fbno,
|
|
|
|
xfs_extlen_t *flen,
|
|
|
|
bool find_end_of_shared)
|
|
|
|
{
|
|
|
|
struct xfs_refcount_irec tmp;
|
|
|
|
int i;
|
|
|
|
int have;
|
|
|
|
int error;
|
|
|
|
|
2021-06-02 00:48:24 +00:00
|
|
|
trace_xfs_refcount_find_shared(cur->bc_mp, cur->bc_ag.pag->pag_agno,
|
2016-10-03 16:11:25 +00:00
|
|
|
agbno, aglen);
|
|
|
|
|
|
|
|
/* By default, skip the whole range */
|
|
|
|
*fbno = NULLAGBLOCK;
|
|
|
|
*flen = 0;
|
|
|
|
|
|
|
|
/* Try to find a refcount extent that crosses the start */
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
error = xfs_refcount_lookup_le(cur, XFS_REFC_DOMAIN_SHARED, agbno,
|
|
|
|
&have);
|
2016-10-03 16:11:25 +00:00
|
|
|
if (error)
|
|
|
|
goto out_error;
|
|
|
|
if (!have) {
|
|
|
|
/* No left extent, look at the next one */
|
|
|
|
error = xfs_btree_increment(cur, 0, &have);
|
|
|
|
if (error)
|
|
|
|
goto out_error;
|
|
|
|
if (!have)
|
|
|
|
goto done;
|
|
|
|
}
|
|
|
|
error = xfs_refcount_get_rec(cur, &tmp, &i);
|
|
|
|
if (error)
|
|
|
|
goto out_error;
|
xfs: kill the XFS_WANT_CORRUPT_* macros
The XFS_WANT_CORRUPT_* macros conceal subtle side effects such as the
creation of local variables and redirections of the code flow. This is
pretty ugly, so replace them with explicit XFS_IS_CORRUPT tests that
remove both of those ugly points. The change was performed with the
following coccinelle script:
@@
expression mp, test;
identifier label;
@@
- XFS_WANT_CORRUPTED_GOTO(mp, test, label);
+ if (XFS_IS_CORRUPT(mp, !test)) { error = -EFSCORRUPTED; goto label; }
@@
expression mp, test;
@@
- XFS_WANT_CORRUPTED_RETURN(mp, test);
+ if (XFS_IS_CORRUPT(mp, !test)) return -EFSCORRUPTED;
@@
expression mp, lval, rval;
@@
- XFS_IS_CORRUPT(mp, !(lval == rval))
+ XFS_IS_CORRUPT(mp, lval != rval)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 && e2))
+ XFS_IS_CORRUPT(mp, !e1 || !e2)
@@
expression e1, e2;
@@
- !(e1 == e2)
+ e1 != e2
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 && e3 == e4) || e5 != e6
+ e1 != e2 || e3 != e4 || e5 != e6
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 || (e3 <= e4 && e5 <= e6))
+ e1 != e2 && (e3 > e4 || e5 > e6)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2))
+ XFS_IS_CORRUPT(mp, e1 > e2)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 < e2))
+ XFS_IS_CORRUPT(mp, e1 >= e2)
@@
expression mp, e1;
@@
- XFS_IS_CORRUPT(mp, !!e1)
+ XFS_IS_CORRUPT(mp, e1)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 || e2))
+ XFS_IS_CORRUPT(mp, !e1 && !e2)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 == e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 != e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2) || !(e3 >= e4))
+ XFS_IS_CORRUPT(mp, e1 > e2 || e3 < e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 <= e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 > e4)
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2019-11-11 20:52:18 +00:00
|
|
|
if (XFS_IS_CORRUPT(cur->bc_mp, i != 1)) {
|
|
|
|
error = -EFSCORRUPTED;
|
|
|
|
goto out_error;
|
|
|
|
}
|
2022-10-26 21:16:36 +00:00
|
|
|
if (tmp.rc_domain != XFS_REFC_DOMAIN_SHARED)
|
|
|
|
goto done;
|
2016-10-03 16:11:25 +00:00
|
|
|
|
|
|
|
/* If the extent ends before the start, look at the next one */
|
|
|
|
if (tmp.rc_startblock + tmp.rc_blockcount <= agbno) {
|
|
|
|
error = xfs_btree_increment(cur, 0, &have);
|
|
|
|
if (error)
|
|
|
|
goto out_error;
|
|
|
|
if (!have)
|
|
|
|
goto done;
|
|
|
|
error = xfs_refcount_get_rec(cur, &tmp, &i);
|
|
|
|
if (error)
|
|
|
|
goto out_error;
|
xfs: kill the XFS_WANT_CORRUPT_* macros
The XFS_WANT_CORRUPT_* macros conceal subtle side effects such as the
creation of local variables and redirections of the code flow. This is
pretty ugly, so replace them with explicit XFS_IS_CORRUPT tests that
remove both of those ugly points. The change was performed with the
following coccinelle script:
@@
expression mp, test;
identifier label;
@@
- XFS_WANT_CORRUPTED_GOTO(mp, test, label);
+ if (XFS_IS_CORRUPT(mp, !test)) { error = -EFSCORRUPTED; goto label; }
@@
expression mp, test;
@@
- XFS_WANT_CORRUPTED_RETURN(mp, test);
+ if (XFS_IS_CORRUPT(mp, !test)) return -EFSCORRUPTED;
@@
expression mp, lval, rval;
@@
- XFS_IS_CORRUPT(mp, !(lval == rval))
+ XFS_IS_CORRUPT(mp, lval != rval)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 && e2))
+ XFS_IS_CORRUPT(mp, !e1 || !e2)
@@
expression e1, e2;
@@
- !(e1 == e2)
+ e1 != e2
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 && e3 == e4) || e5 != e6
+ e1 != e2 || e3 != e4 || e5 != e6
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 || (e3 <= e4 && e5 <= e6))
+ e1 != e2 && (e3 > e4 || e5 > e6)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2))
+ XFS_IS_CORRUPT(mp, e1 > e2)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 < e2))
+ XFS_IS_CORRUPT(mp, e1 >= e2)
@@
expression mp, e1;
@@
- XFS_IS_CORRUPT(mp, !!e1)
+ XFS_IS_CORRUPT(mp, e1)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 || e2))
+ XFS_IS_CORRUPT(mp, !e1 && !e2)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 == e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 != e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2) || !(e3 >= e4))
+ XFS_IS_CORRUPT(mp, e1 > e2 || e3 < e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 <= e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 > e4)
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2019-11-11 20:52:18 +00:00
|
|
|
if (XFS_IS_CORRUPT(cur->bc_mp, i != 1)) {
|
|
|
|
error = -EFSCORRUPTED;
|
|
|
|
goto out_error;
|
|
|
|
}
|
2022-10-26 21:16:36 +00:00
|
|
|
if (tmp.rc_domain != XFS_REFC_DOMAIN_SHARED)
|
|
|
|
goto done;
|
2016-10-03 16:11:25 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/* If the extent starts after the range we want, bail out */
|
|
|
|
if (tmp.rc_startblock >= agbno + aglen)
|
|
|
|
goto done;
|
|
|
|
|
|
|
|
/* We found the start of a shared extent! */
|
|
|
|
if (tmp.rc_startblock < agbno) {
|
|
|
|
tmp.rc_blockcount -= (agbno - tmp.rc_startblock);
|
|
|
|
tmp.rc_startblock = agbno;
|
|
|
|
}
|
|
|
|
|
|
|
|
*fbno = tmp.rc_startblock;
|
|
|
|
*flen = min(tmp.rc_blockcount, agbno + aglen - *fbno);
|
|
|
|
if (!find_end_of_shared)
|
|
|
|
goto done;
|
|
|
|
|
|
|
|
/* Otherwise, find the end of this shared extent */
|
|
|
|
while (*fbno + *flen < agbno + aglen) {
|
|
|
|
error = xfs_btree_increment(cur, 0, &have);
|
|
|
|
if (error)
|
|
|
|
goto out_error;
|
|
|
|
if (!have)
|
|
|
|
break;
|
|
|
|
error = xfs_refcount_get_rec(cur, &tmp, &i);
|
|
|
|
if (error)
|
|
|
|
goto out_error;
|
xfs: kill the XFS_WANT_CORRUPT_* macros
The XFS_WANT_CORRUPT_* macros conceal subtle side effects such as the
creation of local variables and redirections of the code flow. This is
pretty ugly, so replace them with explicit XFS_IS_CORRUPT tests that
remove both of those ugly points. The change was performed with the
following coccinelle script:
@@
expression mp, test;
identifier label;
@@
- XFS_WANT_CORRUPTED_GOTO(mp, test, label);
+ if (XFS_IS_CORRUPT(mp, !test)) { error = -EFSCORRUPTED; goto label; }
@@
expression mp, test;
@@
- XFS_WANT_CORRUPTED_RETURN(mp, test);
+ if (XFS_IS_CORRUPT(mp, !test)) return -EFSCORRUPTED;
@@
expression mp, lval, rval;
@@
- XFS_IS_CORRUPT(mp, !(lval == rval))
+ XFS_IS_CORRUPT(mp, lval != rval)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 && e2))
+ XFS_IS_CORRUPT(mp, !e1 || !e2)
@@
expression e1, e2;
@@
- !(e1 == e2)
+ e1 != e2
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 && e3 == e4) || e5 != e6
+ e1 != e2 || e3 != e4 || e5 != e6
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 || (e3 <= e4 && e5 <= e6))
+ e1 != e2 && (e3 > e4 || e5 > e6)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2))
+ XFS_IS_CORRUPT(mp, e1 > e2)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 < e2))
+ XFS_IS_CORRUPT(mp, e1 >= e2)
@@
expression mp, e1;
@@
- XFS_IS_CORRUPT(mp, !!e1)
+ XFS_IS_CORRUPT(mp, e1)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 || e2))
+ XFS_IS_CORRUPT(mp, !e1 && !e2)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 == e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 != e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2) || !(e3 >= e4))
+ XFS_IS_CORRUPT(mp, e1 > e2 || e3 < e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 <= e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 > e4)
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2019-11-11 20:52:18 +00:00
|
|
|
if (XFS_IS_CORRUPT(cur->bc_mp, i != 1)) {
|
|
|
|
error = -EFSCORRUPTED;
|
|
|
|
goto out_error;
|
|
|
|
}
|
2022-10-26 21:16:36 +00:00
|
|
|
if (tmp.rc_domain != XFS_REFC_DOMAIN_SHARED ||
|
|
|
|
tmp.rc_startblock >= agbno + aglen ||
|
2016-10-03 16:11:25 +00:00
|
|
|
tmp.rc_startblock != *fbno + *flen)
|
|
|
|
break;
|
|
|
|
*flen = min(*flen + tmp.rc_blockcount, agbno + aglen - *fbno);
|
|
|
|
}
|
|
|
|
|
|
|
|
done:
|
|
|
|
trace_xfs_refcount_find_shared_result(cur->bc_mp,
|
2021-06-02 00:48:24 +00:00
|
|
|
cur->bc_ag.pag->pag_agno, *fbno, *flen);
|
2016-10-03 16:11:25 +00:00
|
|
|
|
|
|
|
out_error:
|
|
|
|
if (error)
|
|
|
|
trace_xfs_refcount_find_shared_error(cur->bc_mp,
|
2021-06-02 00:48:24 +00:00
|
|
|
cur->bc_ag.pag->pag_agno, error, _RET_IP_);
|
2016-10-03 16:11:25 +00:00
|
|
|
return error;
|
|
|
|
}
|
2016-10-03 16:11:39 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Recovering CoW Blocks After a Crash
|
|
|
|
*
|
|
|
|
* Due to the way that the copy on write mechanism works, there's a window of
|
|
|
|
* opportunity in which we can lose track of allocated blocks during a crash.
|
|
|
|
* Because CoW uses delayed allocation in the in-core CoW fork, writeback
|
|
|
|
* causes blocks to be allocated and stored in the CoW fork. The blocks are
|
|
|
|
* no longer in the free space btree but are not otherwise recorded anywhere
|
|
|
|
* until the write completes and the blocks are mapped into the file. A crash
|
|
|
|
* in between allocation and remapping results in the replacement blocks being
|
|
|
|
* lost. This situation is exacerbated by the CoW extent size hint because
|
|
|
|
* allocations can hang around for long time.
|
|
|
|
*
|
|
|
|
* However, there is a place where we can record these allocations before they
|
|
|
|
* become mappings -- the reference count btree. The btree does not record
|
|
|
|
* extents with refcount == 1, so we can record allocations with a refcount of
|
|
|
|
* 1. Blocks being used for CoW writeout cannot be shared, so there should be
|
|
|
|
* no conflict with shared block records. These mappings should be created
|
|
|
|
* when we allocate blocks to the CoW fork and deleted when they're removed
|
|
|
|
* from the CoW fork.
|
|
|
|
*
|
|
|
|
* Minor nit: records for in-progress CoW allocations and records for shared
|
|
|
|
* extents must never be merged, to preserve the property that (except for CoW
|
|
|
|
* allocations) there are no refcount btree entries with refcount == 1. The
|
|
|
|
* only time this could potentially happen is when unsharing a block that's
|
|
|
|
* adjacent to CoW allocations, so we must be careful to avoid this.
|
|
|
|
*
|
|
|
|
* At mount time we recover lost CoW allocations by searching the refcount
|
|
|
|
* btree for these refcount == 1 mappings. These represent CoW allocations
|
|
|
|
* that were in progress at the time the filesystem went down, so we can free
|
|
|
|
* them to get the space back.
|
|
|
|
*
|
|
|
|
* This mechanism is superior to creating EFIs for unmapped CoW extents for
|
|
|
|
* several reasons -- first, EFIs pin the tail of the log and would have to be
|
|
|
|
* periodically relogged to avoid filling up the log. Second, CoW completions
|
|
|
|
* will have to file an EFD and create new EFIs for whatever remains in the
|
|
|
|
* CoW fork; this partially takes care of (1) but extent-size reservations
|
|
|
|
* will have to periodically relog even if there's no writeout in progress.
|
|
|
|
* This can happen if the CoW extent size hint is set, which you really want.
|
|
|
|
* Third, EFIs cannot currently be automatically relogged into newer
|
|
|
|
* transactions to advance the log tail. Fourth, stuffing the log full of
|
|
|
|
* EFIs places an upper bound on the number of CoW allocations that can be
|
|
|
|
* held filesystem-wide at any given time. Recording them in the refcount
|
|
|
|
* btree doesn't require us to maintain any state in memory and doesn't pin
|
|
|
|
* the log.
|
|
|
|
*/
|
|
|
|
/*
|
|
|
|
* Adjust the refcounts of CoW allocations. These allocations are "magic"
|
|
|
|
* in that they're not referenced anywhere else in the filesystem, so we
|
|
|
|
* stash them in the refcount btree with a refcount of 1 until either file
|
|
|
|
* remapping (or CoW cancellation) happens.
|
|
|
|
*/
|
|
|
|
STATIC int
|
|
|
|
xfs_refcount_adjust_cow_extents(
|
|
|
|
struct xfs_btree_cur *cur,
|
|
|
|
xfs_agblock_t agbno,
|
|
|
|
xfs_extlen_t aglen,
|
2018-04-06 17:09:42 +00:00
|
|
|
enum xfs_refc_adjust_op adj)
|
2016-10-03 16:11:39 +00:00
|
|
|
{
|
|
|
|
struct xfs_refcount_irec ext, tmp;
|
|
|
|
int error;
|
|
|
|
int found_rec, found_tmp;
|
|
|
|
|
|
|
|
if (aglen == 0)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
/* Find any overlapping refcount records */
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
error = xfs_refcount_lookup_ge(cur, XFS_REFC_DOMAIN_COW, agbno,
|
|
|
|
&found_rec);
|
2016-10-03 16:11:39 +00:00
|
|
|
if (error)
|
|
|
|
goto out_error;
|
|
|
|
error = xfs_refcount_get_rec(cur, &ext, &found_rec);
|
|
|
|
if (error)
|
|
|
|
goto out_error;
|
2022-10-26 21:16:36 +00:00
|
|
|
if (XFS_IS_CORRUPT(cur->bc_mp, found_rec &&
|
|
|
|
ext.rc_domain != XFS_REFC_DOMAIN_COW)) {
|
|
|
|
error = -EFSCORRUPTED;
|
|
|
|
goto out_error;
|
|
|
|
}
|
2016-10-03 16:11:39 +00:00
|
|
|
if (!found_rec) {
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
ext.rc_startblock = cur->bc_mp->m_sb.sb_agblocks;
|
2016-10-03 16:11:39 +00:00
|
|
|
ext.rc_blockcount = 0;
|
|
|
|
ext.rc_refcount = 0;
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
ext.rc_domain = XFS_REFC_DOMAIN_COW;
|
2016-10-03 16:11:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
switch (adj) {
|
|
|
|
case XFS_REFCOUNT_ADJUST_COW_ALLOC:
|
|
|
|
/* Adding a CoW reservation, there should be nothing here. */
|
xfs: kill the XFS_WANT_CORRUPT_* macros
The XFS_WANT_CORRUPT_* macros conceal subtle side effects such as the
creation of local variables and redirections of the code flow. This is
pretty ugly, so replace them with explicit XFS_IS_CORRUPT tests that
remove both of those ugly points. The change was performed with the
following coccinelle script:
@@
expression mp, test;
identifier label;
@@
- XFS_WANT_CORRUPTED_GOTO(mp, test, label);
+ if (XFS_IS_CORRUPT(mp, !test)) { error = -EFSCORRUPTED; goto label; }
@@
expression mp, test;
@@
- XFS_WANT_CORRUPTED_RETURN(mp, test);
+ if (XFS_IS_CORRUPT(mp, !test)) return -EFSCORRUPTED;
@@
expression mp, lval, rval;
@@
- XFS_IS_CORRUPT(mp, !(lval == rval))
+ XFS_IS_CORRUPT(mp, lval != rval)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 && e2))
+ XFS_IS_CORRUPT(mp, !e1 || !e2)
@@
expression e1, e2;
@@
- !(e1 == e2)
+ e1 != e2
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 && e3 == e4) || e5 != e6
+ e1 != e2 || e3 != e4 || e5 != e6
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 || (e3 <= e4 && e5 <= e6))
+ e1 != e2 && (e3 > e4 || e5 > e6)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2))
+ XFS_IS_CORRUPT(mp, e1 > e2)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 < e2))
+ XFS_IS_CORRUPT(mp, e1 >= e2)
@@
expression mp, e1;
@@
- XFS_IS_CORRUPT(mp, !!e1)
+ XFS_IS_CORRUPT(mp, e1)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 || e2))
+ XFS_IS_CORRUPT(mp, !e1 && !e2)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 == e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 != e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2) || !(e3 >= e4))
+ XFS_IS_CORRUPT(mp, e1 > e2 || e3 < e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 <= e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 > e4)
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2019-11-11 20:52:18 +00:00
|
|
|
if (XFS_IS_CORRUPT(cur->bc_mp,
|
|
|
|
agbno + aglen > ext.rc_startblock)) {
|
|
|
|
error = -EFSCORRUPTED;
|
|
|
|
goto out_error;
|
|
|
|
}
|
2016-10-03 16:11:39 +00:00
|
|
|
|
|
|
|
tmp.rc_startblock = agbno;
|
|
|
|
tmp.rc_blockcount = aglen;
|
|
|
|
tmp.rc_refcount = 1;
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
tmp.rc_domain = XFS_REFC_DOMAIN_COW;
|
|
|
|
|
2016-10-03 16:11:39 +00:00
|
|
|
trace_xfs_refcount_modify_extent(cur->bc_mp,
|
2021-06-02 00:48:24 +00:00
|
|
|
cur->bc_ag.pag->pag_agno, &tmp);
|
2016-10-03 16:11:39 +00:00
|
|
|
|
|
|
|
error = xfs_refcount_insert(cur, &tmp,
|
|
|
|
&found_tmp);
|
|
|
|
if (error)
|
|
|
|
goto out_error;
|
xfs: kill the XFS_WANT_CORRUPT_* macros
The XFS_WANT_CORRUPT_* macros conceal subtle side effects such as the
creation of local variables and redirections of the code flow. This is
pretty ugly, so replace them with explicit XFS_IS_CORRUPT tests that
remove both of those ugly points. The change was performed with the
following coccinelle script:
@@
expression mp, test;
identifier label;
@@
- XFS_WANT_CORRUPTED_GOTO(mp, test, label);
+ if (XFS_IS_CORRUPT(mp, !test)) { error = -EFSCORRUPTED; goto label; }
@@
expression mp, test;
@@
- XFS_WANT_CORRUPTED_RETURN(mp, test);
+ if (XFS_IS_CORRUPT(mp, !test)) return -EFSCORRUPTED;
@@
expression mp, lval, rval;
@@
- XFS_IS_CORRUPT(mp, !(lval == rval))
+ XFS_IS_CORRUPT(mp, lval != rval)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 && e2))
+ XFS_IS_CORRUPT(mp, !e1 || !e2)
@@
expression e1, e2;
@@
- !(e1 == e2)
+ e1 != e2
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 && e3 == e4) || e5 != e6
+ e1 != e2 || e3 != e4 || e5 != e6
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 || (e3 <= e4 && e5 <= e6))
+ e1 != e2 && (e3 > e4 || e5 > e6)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2))
+ XFS_IS_CORRUPT(mp, e1 > e2)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 < e2))
+ XFS_IS_CORRUPT(mp, e1 >= e2)
@@
expression mp, e1;
@@
- XFS_IS_CORRUPT(mp, !!e1)
+ XFS_IS_CORRUPT(mp, e1)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 || e2))
+ XFS_IS_CORRUPT(mp, !e1 && !e2)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 == e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 != e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2) || !(e3 >= e4))
+ XFS_IS_CORRUPT(mp, e1 > e2 || e3 < e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 <= e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 > e4)
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2019-11-11 20:52:18 +00:00
|
|
|
if (XFS_IS_CORRUPT(cur->bc_mp, found_tmp != 1)) {
|
|
|
|
error = -EFSCORRUPTED;
|
|
|
|
goto out_error;
|
|
|
|
}
|
2016-10-03 16:11:39 +00:00
|
|
|
break;
|
|
|
|
case XFS_REFCOUNT_ADJUST_COW_FREE:
|
|
|
|
/* Removing a CoW reservation, there should be one extent. */
|
xfs: kill the XFS_WANT_CORRUPT_* macros
The XFS_WANT_CORRUPT_* macros conceal subtle side effects such as the
creation of local variables and redirections of the code flow. This is
pretty ugly, so replace them with explicit XFS_IS_CORRUPT tests that
remove both of those ugly points. The change was performed with the
following coccinelle script:
@@
expression mp, test;
identifier label;
@@
- XFS_WANT_CORRUPTED_GOTO(mp, test, label);
+ if (XFS_IS_CORRUPT(mp, !test)) { error = -EFSCORRUPTED; goto label; }
@@
expression mp, test;
@@
- XFS_WANT_CORRUPTED_RETURN(mp, test);
+ if (XFS_IS_CORRUPT(mp, !test)) return -EFSCORRUPTED;
@@
expression mp, lval, rval;
@@
- XFS_IS_CORRUPT(mp, !(lval == rval))
+ XFS_IS_CORRUPT(mp, lval != rval)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 && e2))
+ XFS_IS_CORRUPT(mp, !e1 || !e2)
@@
expression e1, e2;
@@
- !(e1 == e2)
+ e1 != e2
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 && e3 == e4) || e5 != e6
+ e1 != e2 || e3 != e4 || e5 != e6
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 || (e3 <= e4 && e5 <= e6))
+ e1 != e2 && (e3 > e4 || e5 > e6)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2))
+ XFS_IS_CORRUPT(mp, e1 > e2)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 < e2))
+ XFS_IS_CORRUPT(mp, e1 >= e2)
@@
expression mp, e1;
@@
- XFS_IS_CORRUPT(mp, !!e1)
+ XFS_IS_CORRUPT(mp, e1)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 || e2))
+ XFS_IS_CORRUPT(mp, !e1 && !e2)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 == e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 != e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2) || !(e3 >= e4))
+ XFS_IS_CORRUPT(mp, e1 > e2 || e3 < e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 <= e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 > e4)
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2019-11-11 20:52:18 +00:00
|
|
|
if (XFS_IS_CORRUPT(cur->bc_mp, ext.rc_startblock != agbno)) {
|
|
|
|
error = -EFSCORRUPTED;
|
|
|
|
goto out_error;
|
|
|
|
}
|
|
|
|
if (XFS_IS_CORRUPT(cur->bc_mp, ext.rc_blockcount != aglen)) {
|
|
|
|
error = -EFSCORRUPTED;
|
|
|
|
goto out_error;
|
|
|
|
}
|
|
|
|
if (XFS_IS_CORRUPT(cur->bc_mp, ext.rc_refcount != 1)) {
|
|
|
|
error = -EFSCORRUPTED;
|
|
|
|
goto out_error;
|
|
|
|
}
|
2016-10-03 16:11:39 +00:00
|
|
|
|
|
|
|
ext.rc_refcount = 0;
|
|
|
|
trace_xfs_refcount_modify_extent(cur->bc_mp,
|
2021-06-02 00:48:24 +00:00
|
|
|
cur->bc_ag.pag->pag_agno, &ext);
|
2016-10-03 16:11:39 +00:00
|
|
|
error = xfs_refcount_delete(cur, &found_rec);
|
|
|
|
if (error)
|
|
|
|
goto out_error;
|
xfs: kill the XFS_WANT_CORRUPT_* macros
The XFS_WANT_CORRUPT_* macros conceal subtle side effects such as the
creation of local variables and redirections of the code flow. This is
pretty ugly, so replace them with explicit XFS_IS_CORRUPT tests that
remove both of those ugly points. The change was performed with the
following coccinelle script:
@@
expression mp, test;
identifier label;
@@
- XFS_WANT_CORRUPTED_GOTO(mp, test, label);
+ if (XFS_IS_CORRUPT(mp, !test)) { error = -EFSCORRUPTED; goto label; }
@@
expression mp, test;
@@
- XFS_WANT_CORRUPTED_RETURN(mp, test);
+ if (XFS_IS_CORRUPT(mp, !test)) return -EFSCORRUPTED;
@@
expression mp, lval, rval;
@@
- XFS_IS_CORRUPT(mp, !(lval == rval))
+ XFS_IS_CORRUPT(mp, lval != rval)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 && e2))
+ XFS_IS_CORRUPT(mp, !e1 || !e2)
@@
expression e1, e2;
@@
- !(e1 == e2)
+ e1 != e2
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 && e3 == e4) || e5 != e6
+ e1 != e2 || e3 != e4 || e5 != e6
@@
expression e1, e2, e3, e4, e5, e6;
@@
- !(e1 == e2 || (e3 <= e4 && e5 <= e6))
+ e1 != e2 && (e3 > e4 || e5 > e6)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2))
+ XFS_IS_CORRUPT(mp, e1 > e2)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 < e2))
+ XFS_IS_CORRUPT(mp, e1 >= e2)
@@
expression mp, e1;
@@
- XFS_IS_CORRUPT(mp, !!e1)
+ XFS_IS_CORRUPT(mp, e1)
@@
expression mp, e1, e2;
@@
- XFS_IS_CORRUPT(mp, !(e1 || e2))
+ XFS_IS_CORRUPT(mp, !e1 && !e2)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 == e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 != e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 <= e2) || !(e3 >= e4))
+ XFS_IS_CORRUPT(mp, e1 > e2 || e3 < e4)
@@
expression mp, e1, e2, e3, e4;
@@
- XFS_IS_CORRUPT(mp, !(e1 == e2) && !(e3 <= e4))
+ XFS_IS_CORRUPT(mp, e1 != e2 && e3 > e4)
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2019-11-11 20:52:18 +00:00
|
|
|
if (XFS_IS_CORRUPT(cur->bc_mp, found_rec != 1)) {
|
|
|
|
error = -EFSCORRUPTED;
|
|
|
|
goto out_error;
|
|
|
|
}
|
2016-10-03 16:11:39 +00:00
|
|
|
break;
|
|
|
|
default:
|
|
|
|
ASSERT(0);
|
|
|
|
}
|
|
|
|
|
|
|
|
return error;
|
|
|
|
out_error:
|
|
|
|
trace_xfs_refcount_modify_extent_error(cur->bc_mp,
|
2021-06-02 00:48:24 +00:00
|
|
|
cur->bc_ag.pag->pag_agno, error, _RET_IP_);
|
2016-10-03 16:11:39 +00:00
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Add or remove refcount btree entries for CoW reservations.
|
|
|
|
*/
|
|
|
|
STATIC int
|
|
|
|
xfs_refcount_adjust_cow(
|
|
|
|
struct xfs_btree_cur *cur,
|
|
|
|
xfs_agblock_t agbno,
|
|
|
|
xfs_extlen_t aglen,
|
2018-04-06 17:09:42 +00:00
|
|
|
enum xfs_refc_adjust_op adj)
|
2016-10-03 16:11:39 +00:00
|
|
|
{
|
|
|
|
bool shape_changed;
|
|
|
|
int error;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Ensure that no rcextents cross the boundary of the adjustment range.
|
|
|
|
*/
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
error = xfs_refcount_split_extent(cur, XFS_REFC_DOMAIN_COW,
|
|
|
|
agbno, &shape_changed);
|
2016-10-03 16:11:39 +00:00
|
|
|
if (error)
|
|
|
|
goto out_error;
|
|
|
|
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
error = xfs_refcount_split_extent(cur, XFS_REFC_DOMAIN_COW,
|
|
|
|
agbno + aglen, &shape_changed);
|
2016-10-03 16:11:39 +00:00
|
|
|
if (error)
|
|
|
|
goto out_error;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Try to merge with the left or right extents of the range.
|
|
|
|
*/
|
2022-10-26 21:42:48 +00:00
|
|
|
error = xfs_refcount_merge_extents(cur, XFS_REFC_DOMAIN_COW, &agbno,
|
|
|
|
&aglen, adj, &shape_changed);
|
2016-10-03 16:11:39 +00:00
|
|
|
if (error)
|
|
|
|
goto out_error;
|
|
|
|
|
|
|
|
/* Now that we've taken care of the ends, adjust the middle extents */
|
2018-04-06 17:09:42 +00:00
|
|
|
error = xfs_refcount_adjust_cow_extents(cur, agbno, aglen, adj);
|
2016-10-03 16:11:39 +00:00
|
|
|
if (error)
|
|
|
|
goto out_error;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
out_error:
|
2021-06-02 00:48:24 +00:00
|
|
|
trace_xfs_refcount_adjust_cow_error(cur->bc_mp, cur->bc_ag.pag->pag_agno,
|
2016-10-03 16:11:39 +00:00
|
|
|
error, _RET_IP_);
|
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Record a CoW allocation in the refcount btree.
|
|
|
|
*/
|
|
|
|
STATIC int
|
|
|
|
__xfs_refcount_cow_alloc(
|
|
|
|
struct xfs_btree_cur *rcur,
|
|
|
|
xfs_agblock_t agbno,
|
2018-08-01 14:20:34 +00:00
|
|
|
xfs_extlen_t aglen)
|
2016-10-03 16:11:39 +00:00
|
|
|
{
|
2021-06-02 00:48:24 +00:00
|
|
|
trace_xfs_refcount_cow_increase(rcur->bc_mp, rcur->bc_ag.pag->pag_agno,
|
2016-10-03 16:11:39 +00:00
|
|
|
agbno, aglen);
|
|
|
|
|
|
|
|
/* Add refcount btree reservation */
|
2017-12-08 03:07:03 +00:00
|
|
|
return xfs_refcount_adjust_cow(rcur, agbno, aglen,
|
2018-04-06 17:09:42 +00:00
|
|
|
XFS_REFCOUNT_ADJUST_COW_ALLOC);
|
2016-10-03 16:11:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Remove a CoW allocation from the refcount btree.
|
|
|
|
*/
|
|
|
|
STATIC int
|
|
|
|
__xfs_refcount_cow_free(
|
|
|
|
struct xfs_btree_cur *rcur,
|
|
|
|
xfs_agblock_t agbno,
|
2018-08-01 14:20:34 +00:00
|
|
|
xfs_extlen_t aglen)
|
2016-10-03 16:11:39 +00:00
|
|
|
{
|
2021-06-02 00:48:24 +00:00
|
|
|
trace_xfs_refcount_cow_decrease(rcur->bc_mp, rcur->bc_ag.pag->pag_agno,
|
2016-10-03 16:11:39 +00:00
|
|
|
agbno, aglen);
|
|
|
|
|
|
|
|
/* Remove refcount btree reservation */
|
2017-12-08 03:07:03 +00:00
|
|
|
return xfs_refcount_adjust_cow(rcur, agbno, aglen,
|
2018-04-06 17:09:42 +00:00
|
|
|
XFS_REFCOUNT_ADJUST_COW_FREE);
|
2016-10-03 16:11:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/* Record a CoW staging extent in the refcount btree. */
|
2019-08-27 00:06:04 +00:00
|
|
|
void
|
2016-10-03 16:11:39 +00:00
|
|
|
xfs_refcount_alloc_cow_extent(
|
2018-08-01 14:20:34 +00:00
|
|
|
struct xfs_trans *tp,
|
2016-10-03 16:11:39 +00:00
|
|
|
xfs_fsblock_t fsb,
|
|
|
|
xfs_extlen_t len)
|
|
|
|
{
|
2018-08-01 14:20:34 +00:00
|
|
|
struct xfs_mount *mp = tp->t_mountp;
|
2017-12-08 03:07:03 +00:00
|
|
|
|
2021-08-19 01:46:55 +00:00
|
|
|
if (!xfs_has_reflink(mp))
|
2019-08-27 00:06:04 +00:00
|
|
|
return;
|
2016-10-03 16:11:39 +00:00
|
|
|
|
2019-08-27 00:06:04 +00:00
|
|
|
__xfs_refcount_add(tp, XFS_REFCOUNT_ALLOC_COW, fsb, len);
|
2017-12-08 03:07:03 +00:00
|
|
|
|
|
|
|
/* Add rmap entry */
|
2019-08-27 00:06:03 +00:00
|
|
|
xfs_rmap_alloc_extent(tp, XFS_FSB_TO_AGNO(mp, fsb),
|
2017-12-08 03:07:03 +00:00
|
|
|
XFS_FSB_TO_AGBNO(mp, fsb), len, XFS_RMAP_OWN_COW);
|
2016-10-03 16:11:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/* Forget a CoW staging event in the refcount btree. */
|
2019-08-27 00:06:04 +00:00
|
|
|
void
|
2016-10-03 16:11:39 +00:00
|
|
|
xfs_refcount_free_cow_extent(
|
2018-08-01 14:20:34 +00:00
|
|
|
struct xfs_trans *tp,
|
2016-10-03 16:11:39 +00:00
|
|
|
xfs_fsblock_t fsb,
|
|
|
|
xfs_extlen_t len)
|
|
|
|
{
|
2018-08-01 14:20:34 +00:00
|
|
|
struct xfs_mount *mp = tp->t_mountp;
|
2017-12-08 03:07:03 +00:00
|
|
|
|
2021-08-19 01:46:55 +00:00
|
|
|
if (!xfs_has_reflink(mp))
|
2019-08-27 00:06:04 +00:00
|
|
|
return;
|
2016-10-03 16:11:39 +00:00
|
|
|
|
2017-12-08 03:07:03 +00:00
|
|
|
/* Remove rmap entry */
|
2019-08-27 00:06:03 +00:00
|
|
|
xfs_rmap_free_extent(tp, XFS_FSB_TO_AGNO(mp, fsb),
|
2017-12-08 03:07:03 +00:00
|
|
|
XFS_FSB_TO_AGBNO(mp, fsb), len, XFS_RMAP_OWN_COW);
|
2019-08-27 00:06:04 +00:00
|
|
|
__xfs_refcount_add(tp, XFS_REFCOUNT_FREE_COW, fsb, len);
|
2016-10-03 16:11:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
struct xfs_refcount_recovery {
|
|
|
|
struct list_head rr_list;
|
|
|
|
struct xfs_refcount_irec rr_rrec;
|
|
|
|
};
|
|
|
|
|
|
|
|
/* Stuff an extent on the recovery list. */
|
|
|
|
STATIC int
|
|
|
|
xfs_refcount_recover_extent(
|
2019-11-11 20:53:22 +00:00
|
|
|
struct xfs_btree_cur *cur,
|
2021-08-11 00:02:16 +00:00
|
|
|
const union xfs_btree_rec *rec,
|
2016-10-03 16:11:39 +00:00
|
|
|
void *priv)
|
|
|
|
{
|
|
|
|
struct list_head *debris = priv;
|
|
|
|
struct xfs_refcount_recovery *rr;
|
|
|
|
|
2019-11-11 20:53:22 +00:00
|
|
|
if (XFS_IS_CORRUPT(cur->bc_mp,
|
|
|
|
be32_to_cpu(rec->refc.rc_refcount) != 1))
|
2016-10-03 16:11:39 +00:00
|
|
|
return -EFSCORRUPTED;
|
|
|
|
|
2022-10-26 21:55:04 +00:00
|
|
|
rr = kmalloc(sizeof(struct xfs_refcount_recovery),
|
|
|
|
GFP_KERNEL | __GFP_NOFAIL);
|
|
|
|
INIT_LIST_HEAD(&rr->rr_list);
|
2016-10-03 16:11:39 +00:00
|
|
|
xfs_refcount_btrec_to_irec(rec, &rr->rr_rrec);
|
|
|
|
|
2023-12-15 18:03:33 +00:00
|
|
|
if (xfs_refcount_check_irec(cur->bc_ag.pag, &rr->rr_rrec) != NULL ||
|
2023-04-12 02:00:02 +00:00
|
|
|
XFS_IS_CORRUPT(cur->bc_mp,
|
2022-10-26 21:16:36 +00:00
|
|
|
rr->rr_rrec.rc_domain != XFS_REFC_DOMAIN_COW)) {
|
2022-10-26 21:55:04 +00:00
|
|
|
kfree(rr);
|
2022-10-26 21:16:36 +00:00
|
|
|
return -EFSCORRUPTED;
|
|
|
|
}
|
|
|
|
|
|
|
|
list_add_tail(&rr->rr_list, debris);
|
2016-10-03 16:11:39 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Find and remove leftover CoW reservations. */
|
|
|
|
int
|
|
|
|
xfs_refcount_recover_cow_leftovers(
|
|
|
|
struct xfs_mount *mp,
|
2021-06-02 00:48:24 +00:00
|
|
|
struct xfs_perag *pag)
|
2016-10-03 16:11:39 +00:00
|
|
|
{
|
|
|
|
struct xfs_trans *tp;
|
|
|
|
struct xfs_btree_cur *cur;
|
|
|
|
struct xfs_buf *agbp;
|
|
|
|
struct xfs_refcount_recovery *rr, *n;
|
|
|
|
struct list_head debris;
|
2023-06-30 00:39:46 +00:00
|
|
|
union xfs_btree_irec low = {
|
|
|
|
.rc.rc_domain = XFS_REFC_DOMAIN_COW,
|
|
|
|
};
|
|
|
|
union xfs_btree_irec high = {
|
|
|
|
.rc.rc_domain = XFS_REFC_DOMAIN_COW,
|
|
|
|
.rc.rc_startblock = -1U,
|
|
|
|
};
|
2016-10-03 16:11:39 +00:00
|
|
|
xfs_fsblock_t fsb;
|
|
|
|
int error;
|
|
|
|
|
2022-10-27 16:48:59 +00:00
|
|
|
/* reflink filesystems mustn't have AGs larger than 2^31-1 blocks */
|
2022-10-10 18:13:20 +00:00
|
|
|
BUILD_BUG_ON(XFS_MAX_CRC_AG_BLOCKS >= XFS_REFC_COWFLAG);
|
2022-10-27 16:48:59 +00:00
|
|
|
if (mp->m_sb.sb_agblocks > XFS_MAX_CRC_AG_BLOCKS)
|
2016-10-03 16:11:39 +00:00
|
|
|
return -EOPNOTSUPP;
|
|
|
|
|
2017-05-16 02:16:15 +00:00
|
|
|
INIT_LIST_HEAD(&debris);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* In this first part, we use an empty transaction to gather up
|
|
|
|
* all the leftover CoW extents so that we can subsequently
|
|
|
|
* delete them. The empty transaction is used to avoid
|
|
|
|
* a buffer lock deadlock if there happens to be a loop in the
|
|
|
|
* refcountbt because we're allowed to re-grab a buffer that is
|
|
|
|
* already attached to our transaction. When we're done
|
|
|
|
* recording the CoW debris we cancel the (empty) transaction
|
|
|
|
* and everything goes away cleanly.
|
|
|
|
*/
|
|
|
|
error = xfs_trans_alloc_empty(mp, &tp);
|
2016-10-03 16:11:39 +00:00
|
|
|
if (error)
|
|
|
|
return error;
|
2017-05-16 02:16:15 +00:00
|
|
|
|
2022-07-07 09:07:40 +00:00
|
|
|
error = xfs_alloc_read_agf(pag, tp, 0, &agbp);
|
2017-05-16 02:16:15 +00:00
|
|
|
if (error)
|
|
|
|
goto out_trans;
|
2021-06-02 00:48:24 +00:00
|
|
|
cur = xfs_refcountbt_init_cursor(mp, tp, agbp, pag);
|
2016-10-03 16:11:39 +00:00
|
|
|
|
|
|
|
/* Find all the leftover CoW staging extents. */
|
|
|
|
error = xfs_btree_query_range(cur, &low, &high,
|
|
|
|
xfs_refcount_recover_extent, &debris);
|
2018-07-19 19:29:10 +00:00
|
|
|
xfs_btree_del_cursor(cur, error);
|
2017-05-16 02:16:15 +00:00
|
|
|
xfs_trans_brelse(tp, agbp);
|
|
|
|
xfs_trans_cancel(tp);
|
2018-07-19 19:29:10 +00:00
|
|
|
if (error)
|
|
|
|
goto out_free;
|
2016-10-03 16:11:39 +00:00
|
|
|
|
|
|
|
/* Now iterate the list to free the leftovers */
|
2017-05-16 02:16:15 +00:00
|
|
|
list_for_each_entry_safe(rr, n, &debris, rr_list) {
|
2016-10-03 16:11:39 +00:00
|
|
|
/* Set up transaction. */
|
|
|
|
error = xfs_trans_alloc(mp, &M_RES(mp)->tr_write, 0, 0, 0, &tp);
|
|
|
|
if (error)
|
|
|
|
goto out_free;
|
|
|
|
|
2021-06-02 00:48:24 +00:00
|
|
|
trace_xfs_refcount_recover_extent(mp, pag->pag_agno,
|
|
|
|
&rr->rr_rrec);
|
2016-10-03 16:11:39 +00:00
|
|
|
|
|
|
|
/* Free the orphan record */
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
fsb = XFS_AGB_TO_FSB(mp, pag->pag_agno,
|
|
|
|
rr->rr_rrec.rc_startblock);
|
2019-08-27 00:06:04 +00:00
|
|
|
xfs_refcount_free_cow_extent(tp, fsb,
|
2016-10-03 16:11:39 +00:00
|
|
|
rr->rr_rrec.rc_blockcount);
|
|
|
|
|
|
|
|
/* Free the block. */
|
2023-06-05 04:48:15 +00:00
|
|
|
error = xfs_free_extent_later(tp, fsb,
|
2023-06-28 18:04:32 +00:00
|
|
|
rr->rr_rrec.rc_blockcount, NULL,
|
2023-12-07 02:40:57 +00:00
|
|
|
XFS_AG_RESV_NONE, false);
|
2023-06-05 04:48:15 +00:00
|
|
|
if (error)
|
|
|
|
goto out_trans;
|
2016-10-03 16:11:39 +00:00
|
|
|
|
|
|
|
error = xfs_trans_commit(tp);
|
|
|
|
if (error)
|
2016-10-10 06:23:07 +00:00
|
|
|
goto out_free;
|
2017-05-16 02:16:15 +00:00
|
|
|
|
|
|
|
list_del(&rr->rr_list);
|
2022-10-26 21:55:04 +00:00
|
|
|
kfree(rr);
|
2016-10-03 16:11:39 +00:00
|
|
|
}
|
|
|
|
|
2017-05-16 02:16:15 +00:00
|
|
|
return error;
|
|
|
|
out_trans:
|
|
|
|
xfs_trans_cancel(tp);
|
2016-10-03 16:11:39 +00:00
|
|
|
out_free:
|
|
|
|
/* Free the leftover list */
|
|
|
|
list_for_each_entry_safe(rr, n, &debris, rr_list) {
|
|
|
|
list_del(&rr->rr_list);
|
2022-10-26 21:55:04 +00:00
|
|
|
kfree(rr);
|
2016-10-03 16:11:39 +00:00
|
|
|
}
|
|
|
|
return error;
|
|
|
|
}
|
2018-01-17 02:52:14 +00:00
|
|
|
|
2023-04-12 02:00:10 +00:00
|
|
|
/*
|
|
|
|
* Scan part of the keyspace of the refcount records and tell us if the area
|
|
|
|
* has no records, is fully mapped by records, or is partially filled.
|
|
|
|
*/
|
2018-01-17 02:52:14 +00:00
|
|
|
int
|
2023-04-12 02:00:10 +00:00
|
|
|
xfs_refcount_has_records(
|
2018-01-17 02:52:14 +00:00
|
|
|
struct xfs_btree_cur *cur,
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
enum xfs_refc_domain domain,
|
2018-01-17 02:52:14 +00:00
|
|
|
xfs_agblock_t bno,
|
|
|
|
xfs_extlen_t len,
|
2023-04-12 02:00:10 +00:00
|
|
|
enum xbtree_recpacking *outcome)
|
2018-01-17 02:52:14 +00:00
|
|
|
{
|
|
|
|
union xfs_btree_irec low;
|
|
|
|
union xfs_btree_irec high;
|
|
|
|
|
|
|
|
memset(&low, 0, sizeof(low));
|
|
|
|
low.rc.rc_startblock = bno;
|
|
|
|
memset(&high, 0xFF, sizeof(high));
|
|
|
|
high.rc.rc_startblock = bno + len - 1;
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 16:06:24 +00:00
|
|
|
low.rc.rc_domain = high.rc.rc_domain = domain;
|
2018-01-17 02:52:14 +00:00
|
|
|
|
2023-04-12 02:00:11 +00:00
|
|
|
return xfs_btree_has_records(cur, &low, &high, NULL, outcome);
|
2018-01-17 02:52:14 +00:00
|
|
|
}
|
2021-10-12 21:11:01 +00:00
|
|
|
|
|
|
|
int __init
|
|
|
|
xfs_refcount_intent_init_cache(void)
|
|
|
|
{
|
|
|
|
xfs_refcount_intent_cache = kmem_cache_create("xfs_refc_intent",
|
|
|
|
sizeof(struct xfs_refcount_intent),
|
|
|
|
0, 0, NULL);
|
|
|
|
|
|
|
|
return xfs_refcount_intent_cache != NULL ? 0 : -ENOMEM;
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
xfs_refcount_intent_destroy_cache(void)
|
|
|
|
{
|
|
|
|
kmem_cache_destroy(xfs_refcount_intent_cache);
|
|
|
|
xfs_refcount_intent_cache = NULL;
|
|
|
|
}
|