Commit a45086e2 authored by Brian Foster's avatar Brian Foster Committed by Dave Chinner
Browse files

xfs: validate metadata LSNs against log on v5 superblocks 



Since the onset of v5 superblocks, the LSN of the last modification has
been included in a variety of on-disk data structures. This LSN is used
to provide log recovery ordering guarantees (e.g., to ensure an older
log recovery item is not replayed over a newer target data structure).

While this works correctly from the point a filesystem is formatted and
mounted, userspace tools have some problematic behaviors that defeat
this mechanism. For example, xfs_repair historically zeroes out the log
unconditionally (regardless of whether corruption is detected). If this
occurs, the LSN of the filesystem is reset and the log is now in a
problematic state with respect to on-disk metadata structures that might
have a larger LSN. Until either the log catches up to the highest
previously used metadata LSN or each affected data structure is modified
and written out without incident (which resets the metadata LSN), log
recovery is susceptible to filesystem corruption.

This problem is ultimately addressed and repaired in the associated
userspace tools. The kernel is still responsible to detect the problem
and notify the user that something is wrong. Check the superblock LSN at
mount time and fail the mount if it is invalid. From that point on,
trigger verifier failure on any metadata I/O where an invalid LSN is
detected. This results in a filesystem shutdown and guarantees that we
do not log metadata changes with invalid LSNs on disk. Since this is a
known issue with a known recovery path, present a warning to instruct
the user how to recover.

Signed-off-by: default avatarBrian Foster <bfoster@redhat.com>
Reviewed-by: default avatarDave Chinner <dchinner@redhat.com>
Signed-off-by: default avatarDave Chinner <david@fromorbit.com>
parent b7cdc66b

fs/xfs/libxfs/xfs_alloc.c

+9 −3
Original line number Diff line number Diff line
@@ -482,7 +482,9 @@ xfs_agfl_verify( 
		    be32_to_cpu(agfl->agfl_bno[i]) >= mp->m_sb.sb_agblocks)

			return false;

	}

	return true;



	return xfs_log_check_lsn(mp,

				 be64_to_cpu(XFS_BUF_TO_AGFL(bp)->agfl_lsn));

}



static void
@@ -2259,9 +2261,13 @@ xfs_agf_verify( 
 {

	struct xfs_agf	*agf = XFS_BUF_TO_AGF(bp);



	if (xfs_sb_version_hascrc(&mp->m_sb) &&

	    !uuid_equal(&agf->agf_uuid, &mp->m_sb.sb_meta_uuid))

	if (xfs_sb_version_hascrc(&mp->m_sb)) {

		if (!uuid_equal(&agf->agf_uuid, &mp->m_sb.sb_meta_uuid))

			return false;

		if (!xfs_log_check_lsn(mp,

				be64_to_cpu(XFS_BUF_TO_AGF(bp)->agf_lsn)))

			return false;

	}



	if (!(agf->agf_magicnum == cpu_to_be32(XFS_AGF_MAGIC) &&

	      XFS_AGF_GOOD_VERSION(be32_to_cpu(agf->agf_versionnum)) &&

fs/xfs/libxfs/xfs_attr_leaf.c

+3 −0
Original line number Diff line number Diff line
@@ -41,6 +41,7 @@ 
#include "xfs_buf_item.h"

#include "xfs_cksum.h"

#include "xfs_dir2.h"

#include "xfs_log.h"





/*
@@ -266,6 +267,8 @@ xfs_attr3_leaf_verify( 
			return false;

		if (be64_to_cpu(hdr3->info.blkno) != bp->b_bn)

			return false;

		if (!xfs_log_check_lsn(mp, be64_to_cpu(hdr3->info.lsn)))

			return false;

	} else {

		if (ichdr.magic != XFS_ATTR_LEAF_MAGIC)

			return false;

fs/xfs/libxfs/xfs_btree.c

+15 −2
Original line number Diff line number Diff line
@@ -32,6 +32,7 @@ 
#include "xfs_trace.h"

#include "xfs_cksum.h"

#include "xfs_alloc.h"

#include "xfs_log.h"



/*

 * Cursor allocation zone.
@@ -243,8 +244,14 @@ bool 
xfs_btree_lblock_verify_crc(

	struct xfs_buf		*bp)

{

	if (xfs_sb_version_hascrc(&bp->b_target->bt_mount->m_sb))

	struct xfs_btree_block	*block = XFS_BUF_TO_BLOCK(bp);

	struct xfs_mount	*mp = bp->b_target->bt_mount;



	if (xfs_sb_version_hascrc(&mp->m_sb)) {

		if (!xfs_log_check_lsn(mp, be64_to_cpu(block->bb_u.l.bb_lsn)))

			return false;

		return xfs_buf_verify_cksum(bp, XFS_BTREE_LBLOCK_CRC_OFF);

	}



	return true;

}
@@ -275,8 +282,14 @@ bool 
xfs_btree_sblock_verify_crc(

	struct xfs_buf		*bp)

{

	if (xfs_sb_version_hascrc(&bp->b_target->bt_mount->m_sb))

	struct xfs_btree_block  *block = XFS_BUF_TO_BLOCK(bp);

	struct xfs_mount	*mp = bp->b_target->bt_mount;



	if (xfs_sb_version_hascrc(&mp->m_sb)) {

		if (!xfs_log_check_lsn(mp, be64_to_cpu(block->bb_u.s.bb_lsn)))

			return false;

		return xfs_buf_verify_cksum(bp, XFS_BTREE_SBLOCK_CRC_OFF);

	}



	return true;

}

fs/xfs/libxfs/xfs_da_btree.c

+4 −0
Original line number Diff line number Diff line
@@ -39,6 +39,7 @@ 
#include "xfs_trace.h"

#include "xfs_cksum.h"

#include "xfs_buf_item.h"

#include "xfs_log.h"



/*

 * xfs_da_btree.c
@@ -150,6 +151,8 @@ xfs_da3_node_verify( 
			return false;

		if (be64_to_cpu(hdr3->info.blkno) != bp->b_bn)

			return false;

		if (!xfs_log_check_lsn(mp, be64_to_cpu(hdr3->info.lsn)))

			return false;

	} else {

		if (ichdr.magic != XFS_DA_NODE_MAGIC)

			return false;
@@ -322,6 +325,7 @@ xfs_da3_node_create( 
	if (xfs_sb_version_hascrc(&mp->m_sb)) {

		struct xfs_da3_node_hdr *hdr3 = bp->b_addr;



		memset(hdr3, 0, sizeof(struct xfs_da3_node_hdr));

		ichdr.magic = XFS_DA3_NODE_MAGIC;

		hdr3->info.blkno = cpu_to_be64(bp->b_bn);

		hdr3->info.owner = cpu_to_be64(args->dp->i_ino);

fs/xfs/libxfs/xfs_dir2_block.c

+3 −0
Original line number Diff line number Diff line
@@ -34,6 +34,7 @@ 
#include "xfs_error.h"

#include "xfs_trace.h"

#include "xfs_cksum.h"

#include "xfs_log.h"



/*

 * Local function prototypes.
@@ -71,6 +72,8 @@ xfs_dir3_block_verify( 
			return false;

		if (be64_to_cpu(hdr3->blkno) != bp->b_bn)

			return false;

		if (!xfs_log_check_lsn(mp, be64_to_cpu(hdr3->lsn)))

			return false;

	} else {

		if (hdr3->magic != cpu_to_be32(XFS_DIR2_BLOCK_MAGIC))

			return false;

CRA Git | Maintained and supported by SUSTech CRA and CCSE