On Sat, May 09, 2020 at 10:18:30AM -0700, Christoph Hellwig wrote:
> On Sat, May 09, 2020 at 09:30:54AM -0700, Darrick J. Wong wrote:
> > From: Darrick J. Wong <darrick.wong@xxxxxxxxxx>
> >
> > Convert the homegrown verify_agbno callers to use the libxfs function,
> > as needed.
> >
> > Signed-off-by: Darrick J. Wong <darrick.wong@xxxxxxxxxx>
>
> This looks mostly good, but there is one thing I wonder about:
>
> > bno = be32_to_cpu(agf->agf_roots[XFS_BTNUM_BNO]);
> > - if (bno != 0 && verify_agbno(mp, agno, bno)) {
> > + if (libxfs_verify_agbno(mp, agno, bno)) {
>
> Various of these block is non-zero check are going away. Did you
> audit if they weren't used as intentional escapes in a few places?
Yes. Each of those "bno != 0" checks occurs in the context of checking
an AG header's pointer to a btree root. The roots should never be zero
if the corresponding feature is enabled, and we're careful to check the
feature bits first.
AFAICT that bno != 0 check is actually there to cover a deficiency in
the verify_agbno function, which is that it only checked that the
supplied argument didn't go past the end of the AG and did not check
that the pointer didn't point into the AG header block(s).
Checking for a nonzero value is also insufficient, since on a
blocksize < sectorsize * 4 filesystem, the AGFL can end up in a nonzero
agbno. libxfs_verify_agbno covers all of these cases.
> Either way this should probably be documented in the changelog.
Ok, how about this for a commit message:
"Convert the homegrown verify_agbno callers to use the libxfs function,
as needed. In some places we drop the "bno != 0" checks because those
conditionals are checking btree roots; btree roots should never be
zero if the corresponding feature bit is set; and repair skips the if
clause entirely if the feature bit is disabled.
"In effect, this strengthens repair to validate that AG btree pointers
neither point to the AG headers nor point past the end of the AG."
--D
