On Tue, Feb 04, 2020 at 04:46:44PM -0800, Darrick J. Wong wrote:
> From: Darrick J. Wong <darrick.wong@xxxxxxxxxx>
>
> Repair uses the verify_inum function to validate inode numbers that it
> finds in the superblock and in directories. libxfs now has validator
> functions to cover that kind of thing, so remove verify_inum(). As a
> side bonus, this means that we will flag directories that point to the
> quota/realtime metadata inodes.
>
> This fixes a regression found by fuzzing u3.sfdir3.hdr.parent.i4 to
> lastbit (aka making a directory's .. point to the user quota inode) in
> xfs/384.
Whoops, this was supposed to be in the previous series, not this one.
--D
> Signed-off-by: Darrick J. Wong <darrick.wong@xxxxxxxxxx>
> ---
> libxfs/libxfs_api_defs.h | 1 +
> repair/dino_chunks.c | 2 +-
> repair/dinode.c | 29 -----------------------------
> repair/dinode.h | 4 ----
> repair/dir2.c | 7 +++----
> repair/phase4.c | 12 ++++++------
> repair/phase6.c | 8 ++++----
> 7 files changed, 15 insertions(+), 48 deletions(-)
>
>
> diff --git a/libxfs/libxfs_api_defs.h b/libxfs/libxfs_api_defs.h
> index 6e09685b..9daf2635 100644
> --- a/libxfs/libxfs_api_defs.h
> +++ b/libxfs/libxfs_api_defs.h
> @@ -176,6 +176,7 @@
> #define xfs_trans_roll libxfs_trans_roll
>
> #define xfs_verify_cksum libxfs_verify_cksum
> +#define xfs_verify_dir_ino libxfs_verify_dir_ino
> #define xfs_verify_ino libxfs_verify_ino
> #define xfs_verify_rtbno libxfs_verify_rtbno
> #define xfs_zero_extent libxfs_zero_extent
> diff --git a/repair/dino_chunks.c b/repair/dino_chunks.c
> index 00b67468..dbf3d37a 100644
> --- a/repair/dino_chunks.c
> +++ b/repair/dino_chunks.c
> @@ -65,7 +65,7 @@ check_aginode_block(xfs_mount_t *mp,
> * inode chunk. returns number of new inodes if things are good
> * and 0 if bad. start is the start of the discovered inode chunk.
> * routine assumes that ino is a legal inode number
> - * (verified by verify_inum()). If the inode chunk turns out
> + * (verified by libxfs_verify_ino()). If the inode chunk turns out
> * to be good, this routine will put the inode chunk into
> * the good inode chunk tree if required.
> *
> diff --git a/repair/dinode.c b/repair/dinode.c
> index 8af2cb25..0d9c96be 100644
> --- a/repair/dinode.c
> +++ b/repair/dinode.c
> @@ -171,35 +171,6 @@ verify_ag_bno(xfs_sb_t *sbp,
> return 1;
> }
>
> -/*
> - * returns 0 if inode number is valid, 1 if bogus
> - */
> -int
> -verify_inum(xfs_mount_t *mp,
> - xfs_ino_t ino)
> -{
> - xfs_agnumber_t agno;
> - xfs_agino_t agino;
> - xfs_agblock_t agbno;
> - xfs_sb_t *sbp = &mp->m_sb;;
> -
> - /* range check ag #, ag block. range-checking offset is pointless */
> -
> - agno = XFS_INO_TO_AGNO(mp, ino);
> - agino = XFS_INO_TO_AGINO(mp, ino);
> - agbno = XFS_AGINO_TO_AGBNO(mp, agino);
> - if (agbno == 0)
> - return 1;
> -
> - if (ino == 0 || ino == NULLFSINO)
> - return(1);
> -
> - if (ino != XFS_AGINO_TO_INO(mp, agno, agino))
> - return(1);
> -
> - return verify_ag_bno(sbp, agno, agbno);
> -}
> -
> /*
> * have a separate routine to ensure that we don't accidentally
> * lose illegally set bits in the agino by turning it into an FSINO
> diff --git a/repair/dinode.h b/repair/dinode.h
> index aa177465..98238357 100644
> --- a/repair/dinode.h
> +++ b/repair/dinode.h
> @@ -77,10 +77,6 @@ verify_uncertain_dinode(xfs_mount_t *mp,
> xfs_agnumber_t agno,
> xfs_agino_t ino);
>
> -int
> -verify_inum(xfs_mount_t *mp,
> - xfs_ino_t ino);
> -
> int
> verify_aginum(xfs_mount_t *mp,
> xfs_agnumber_t agno,
> diff --git a/repair/dir2.c b/repair/dir2.c
> index e43a9732..723aee1f 100644
> --- a/repair/dir2.c
> +++ b/repair/dir2.c
> @@ -215,7 +215,7 @@ process_sf_dir2(
> if (lino == ino) {
> junkit = 1;
> junkreason = _("current");
> - } else if (verify_inum(mp, lino)) {
> + } else if (!libxfs_verify_dir_ino(mp, lino)) {
> junkit = 1;
> junkreason = _("invalid");
> } else if (lino == mp->m_sb.sb_rbmino) {
> @@ -486,8 +486,7 @@ _("corrected entry offsets in directory %" PRIu64 "\n"),
> * If the validation fails for the root inode we fix it in
> * the next else case.
> */
> - if (verify_inum(mp, *parent) && ino != mp->m_sb.sb_rootino) {
> -
> + if (!libxfs_verify_dir_ino(mp, *parent) && ino != mp->m_sb.sb_rootino) {
> do_warn(
> _("bogus .. inode number (%" PRIu64 ") in directory inode %" PRIu64 ", "),
> *parent, ino);
> @@ -674,7 +673,7 @@ process_dir2_data(
> * (or did it ourselves) during phase 3.
> */
> clearino = 0;
> - } else if (verify_inum(mp, ent_ino)) {
> + } else if (!libxfs_verify_dir_ino(mp, ent_ino)) {
> /*
> * Bad inode number. Clear the inode number and the
> * entry will get removed later. We don't trash the
> diff --git a/repair/phase4.c b/repair/phase4.c
> index e1ba778f..8197db06 100644
> --- a/repair/phase4.c
> +++ b/repair/phase4.c
> @@ -36,7 +36,7 @@ quotino_check(xfs_mount_t *mp)
> ino_tree_node_t *irec;
>
> if (mp->m_sb.sb_uquotino != NULLFSINO && mp->m_sb.sb_uquotino != 0) {
> - if (verify_inum(mp, mp->m_sb.sb_uquotino))
> + if (!libxfs_verify_ino(mp, mp->m_sb.sb_uquotino))
> irec = NULL;
> else
> irec = find_inode_rec(mp,
> @@ -52,7 +52,7 @@ quotino_check(xfs_mount_t *mp)
> }
>
> if (mp->m_sb.sb_gquotino != NULLFSINO && mp->m_sb.sb_gquotino != 0) {
> - if (verify_inum(mp, mp->m_sb.sb_gquotino))
> + if (!libxfs_verify_ino(mp, mp->m_sb.sb_gquotino))
> irec = NULL;
> else
> irec = find_inode_rec(mp,
> @@ -68,7 +68,7 @@ quotino_check(xfs_mount_t *mp)
> }
>
> if (mp->m_sb.sb_pquotino != NULLFSINO && mp->m_sb.sb_pquotino != 0) {
> - if (verify_inum(mp, mp->m_sb.sb_pquotino))
> + if (!libxfs_verify_ino(mp, mp->m_sb.sb_pquotino))
> irec = NULL;
> else
> irec = find_inode_rec(mp,
> @@ -112,9 +112,9 @@ quota_sb_check(xfs_mount_t *mp)
> (mp->m_sb.sb_pquotino == NULLFSINO || mp->m_sb.sb_pquotino == 0)) {
> lost_quotas = 1;
> fs_quotas = 0;
> - } else if (!verify_inum(mp, mp->m_sb.sb_uquotino) &&
> - !verify_inum(mp, mp->m_sb.sb_gquotino) &&
> - !verify_inum(mp, mp->m_sb.sb_pquotino)) {
> + } else if (libxfs_verify_ino(mp, mp->m_sb.sb_uquotino) &&
> + libxfs_verify_ino(mp, mp->m_sb.sb_gquotino) &&
> + libxfs_verify_ino(mp, mp->m_sb.sb_pquotino)) {
> fs_quotas = 1;
> }
> }
> diff --git a/repair/phase6.c b/repair/phase6.c
> index 0874b649..70135694 100644
> --- a/repair/phase6.c
> +++ b/repair/phase6.c
> @@ -1814,7 +1814,7 @@ longform_dir2_entry_check_data(
> }
> continue;
> }
> - ASSERT(no_modify || !verify_inum(mp, inum));
> + ASSERT(no_modify || libxfs_verify_dir_ino(mp, inum));
> /*
> * special case the . entry. we know there's only one
> * '.' and only '.' points to itself because bogus entries
> @@ -1845,7 +1845,7 @@ longform_dir2_entry_check_data(
> /*
> * skip entries with bogus inumbers if we're in no modify mode
> */
> - if (no_modify && verify_inum(mp, inum))
> + if (no_modify && !libxfs_verify_dir_ino(mp, inum))
> continue;
>
> /* validate ftype field if supported */
> @@ -2634,14 +2634,14 @@ shortform_dir2_entry_check(xfs_mount_t *mp,
> fname[sfep->namelen] = '\0';
>
> ASSERT(no_modify || (lino != NULLFSINO && lino != 0));
> - ASSERT(no_modify || !verify_inum(mp, lino));
> + ASSERT(no_modify || libxfs_verify_dir_ino(mp, lino));
>
> /*
> * Also skip entries with bogus inode numbers if we're
> * in no modify mode.
> */
>
> - if (no_modify && verify_inum(mp, lino)) {
> + if (no_modify && !libxfs_verify_dir_ino(mp, lino)) {
> next_sfep = libxfs_dir2_sf_nextentry(mp, sfp, sfep);
> continue;
> }
>
