Age | Commit message (Collapse) | Author | Files | Lines |
|
Currently checking of EA inodes was rather weak. Add several more
consistency checks.
1) Check that EA inode is a regular file.
2) Check that EA_INODE feature is set if the filesystem has EA inodes.
3) Make sure that no EA inode is referenced from directory hierarchy.
Signed-off-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20240506174132.12883-1-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
There's a issue:
[]$~/e2fsprogs/e2fsck/e2fsck -f scsi-disk2.img
e2fsck 1.47.0 (5-Feb-2023)
scsi-disk2.img: recovering journal
Clearing orphaned inode 12 (uid=0, gid=0, mode=0140777, size=0)
Pass 1: Checking inodes, blocks, and sizes
Extended attribute block 4247 has reference count 3, should be 2. Fix<y>? no
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
Free blocks count wrong (249189, counted=249188).
Fix<y>? no
Free inodes count wrong (65526, counted=65523).
Fix<y>? no
scsi-disk2.img: ***** FILE SYSTEM WAS MODIFIED *****
scsi-disk2.img: ********** WARNING: Filesystem still has errors **********
scsi-disk2.img: 10/65536 files (0.0% non-contiguous), 12955/262144 blocks
Above issue can reproduce as follows:
step1: socat UNIX-LISTEN:/home/test/mysocket.sock,mode=777,reuseaddr,fork EXEC:/home/test &
step2: setfacl some xattr for mysocket.sock
step3: cp -a /home/test/mysocket.sock /home/test/sock1
cp -a /home/test/mysocket.sock /home/test/sock2
step4: sync
step5: Power-off
step6: run e2fsck
As after commit 42475e281d22 add ext2fs_inode_has_valid_blocks() judgement in
release_inode_blocks() which means socket type file skip realse block include
ACL block. The kernel does not restrict the setting of extended attributes for
socket files. So this will lead to ACL block leak.
To solve above issue there's need to release ACL block for other kind of
special file.
Fixes: 42475e281d22 ("super.c (release_inode_blocks): Don't try to release the blocks if the orphaned inode is a device file, symlink, or some other kind of special file that doesn't have a block list.")
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20240418063946.2802835-1-yebin10@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
If read of a block fails, we offer the user the opportunity to force a
rewrite to that sector to force the storage device to remap the LBA to
its spare block pool. Check that write so if it fails, we can let the
user know.
Addresses-Coverity-bug: 1432422
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Addresses-Debian-Bug: #1038286
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
We explicitly decided not to reserve space for a 64-bit dtime, since
it's never displayed or exposed to userspace. The dtime field is used
a linked list for the ophan list, and for forensic purposes when
trying to determine when an inode was deleted. So right after the
2038 epoch, a deleted inode might end up with a dtime which is zero or
smaller than the number of inodes, which will result in e2fsck
reporting a potential problems. So when we set the dtime, make sure
that the dtime won't be mistaken for an inode number.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Fixes: a12302fa683e ("e2fsck: make sure get_backup_sb() works ...")
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
This changes were missed in commit ca8bc9240a00 ("Add post-2038
timestamp support to e2fsprogs").
Addresses-Coverity-Bug: 1531832
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
The print_e2fsck_message() function can call get_backup_sb() with the
ctx variable set to NULL. In that case, we can't dereference
ctx->filesystem_name; instead, we can get the size of the file system
from the ext2fs_block_count(fs->super).
Addresses-Coverity-Bug: 1596517
Addresses-Coverity-Bug: 1596505
Fixes: b53ce7848c2e ("e2fsck: don't try backup superblocks beyond...")
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Commit f7ef5f3e356d ("e2fsck: check all sparse_super backups") tries
to limit the number of block groups to search for backup superblocks
based on ctx->num_blocks. Unfortunately, get_backup_sb() gets called
before ctx->num_blocks is set, so we try all block groups up to 2**32
- 1. Not only does this waste time trying to read from blocks that
don't exist, it triggers the UBSAN checker when multiplying a very
large number by the block size.
Fix this by using ext2fs_get_Device_size(), and if that isn't
available, arbitrarily cap things so that we search block groups up to
128.
Fixes: f7ef5f3e356d ("e2fsck: check all sparse_super backups")
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
If a bad inode is found it will be deallocated. However, if the filesystem has
quota enabled, the quota information isn't being updated accordingly. This
issue was detected by running fstest ext4/019.
This patch fixes the issue by decreasing the inode count from the
quota and, if blocks are also being released, also subtract them as well.
While there, and as suggested by Andreas Dilger, the deallocate_inode()
function documentation is also updated by this patch to make it clear what
that function really does.
Signed-off-by: Luis Henriques (SUSE) <luis.henriques@linux.dev>
Link: https://lore.kernel.org/r/20240405142405.12312-3-luis.henriques@linux.dev
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
In "Pass 3A: Optimizing directories", a directory may have it's size reduced.
If that happens and quota is enabled in the filesystem, the quota information
will be incorrect because it doesn't take the rehash into account. This issue
was detected by running fstest ext4/014.
This patch simply updates the quota data accordingly, after the directory is
written and it's size has been updated.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=218626
Signed-off-by: Luis Henriques (SUSE) <luis.henriques@linux.dev>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Link: https://lore.kernel.org/r/20240405142405.12312-2-luis.henriques@linux.dev
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Teach e2fsck to look for backup super blocks in the "sparse_super"
groups, by checking group #1 first and then powers of 3^n, 5^n,
and 7^n, up to the limit of available block groups.
Export ext2fs_list_backups() function to efficiently iterate groups
for backup sb/GDT instead of checking every group. Ensure that the
group counters do not try to overflow the 2^32-1 group limit, and
try to limit scanning to the size of the block device (if available).
Signed-off-by: Li Dongyang <dongyangli@ddn.com>
Signed-off-by: Andreas Dilger <adilger@whamcloud.com>
Link: https://lore.kernel.org/r/20230904045742.827584-1-dongyangli@ddn.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
The ext4 kernel code implemented support for s_mtime_hi,
s_wtime_hi, and related timestamp fields to avoid timestamp
overflow in 2038, but similar handling is not in e2fsprogs.
Add helper macros for the superblock _hi timestamp fields
ext2fs_super_tstamp_get() and ext2fs_super_tstamp_set().
Add helper macro for inode _extra timestamp fields
ext2fs_inode_xtime_get() and ext2fs_inode_xtime_set().
Add helper macro ext2fs_actual_inode_size() to avoid open
coding the i_extra_isize check in multiple places.
Remove inode_time_to_string() since this is unused once callers
change to time_to_string(ext2fs_inode_xtime_get()) directly.
Fix inode_includes() macro to properly wrap "inode" parameter,
and rename to ext2fs_inode_includes() to avoid potential name
clashes. Use this to check inode field inclusion in debugfs
instead of bare constants for inode field offsets.
Use these interfaces to access timestamps in debugfs, e2fsck,
libext2fs, fuse2fs, tune2fs, and e2undo.
Signed-off-by: Andreas Dilger <adilger@dilger.ca>
Link: https://lore.kernel.org/r/20230927054016.16645-1-adilger@dilger.ca
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
|
|
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
When repairing a file system with s_errno missing from the journal
superblock but the file system superblock contains the ERROR_FS flag,
the ERROR_FS flag on the file system image is overwritten after the
journal replay, followed by a reload of the file system data from disk
and the ERROR_FS flag in memory is overwritten. Also s_errno is not set
and the ERROR_FS flag is not reset. Therefore, when checked later, no
forced check is performed, which makes it possible to have some errors
hidden in the disk image, which may make it read-only when using the
file system. So we save the ERROR_FS flag to the superblock after the
journal replay, instead of just relying on the jsb->s_errno to do this.
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: zhanchengbin <zhanchengbin1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20230217100922.588961-2-libaokun1@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
|
|
If there is an inline directory that contains a directory entry to an
invalid symlink, and that invalid symlink is the portion of the inline
directory stored in an xattr portion of the inode, this can result in
a buffer overrun.
When check_dir_block() is handling the in-xattr portion of the inline
directory, it sets the buf pointer to the beginning of that part of
the inline directory. This results in the scratch buffer passed to
e2fsck_process_bad_inode() to incorrect, resulting in a buffer overrun
if e2fsck_pass1_check_symlink() needs to read the symlink target (when
the symlink is too long to fit in the i_blocks[] space).
This commit fixes this by using the original cd->buf instead of buf,
since it can get modified when handling inline directories.
Fixes: 0ac4b3973f31 ("e2fsck: inspect inline dir data as two directory blocks")
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
|
|
Fix two compiler warnings on 32-bit platforms that have mallinfo() but
not mallinfo2(). These showed up when building e2fsprogs for armv7a or
i686 Android using the Android NDK, targeting Android API level 32 or
lower and using the autotools-based build system.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
The e2fsck report, "Feature orphan_present is set but orphan file is
clean" is intended to request permission before removing the r/o
compat feature, orphan_present. However, it is normal if the orphan
file is empty, and removing the r/o compat feature is a good thing so
that the file system can be mounted on older kernels.
When a file system with an orphan_file feature is mounted, the
orphan_present feature is set, and it is cleared when the file system
is cleanly unmounted. IF the sytstem crashes when there are no inodes
in the orphan file, e2fsck should just silently clear the flag in
preen mode.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
No functional changes; just move things around so we can avoid
indenting the code quite so much.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
We attempt to fix directories which have a bad/corrupted htree index
node by completely rebuilding the directory htree nodes. Since this
is a very safe thing to do and has no risk of losing directory
entries, we've enabled this for preen mode. Unfortunately, subsequent
index nodes look like empty directory entries that fill the entire
block --- without a checksum at the end of the directory. So these
nodes will be treated as a completely corrupted directory block, and
this will *not* be fixed while in preen mode.
So add code to treat an empty directory entry which covers the entire
block as valid if the directory is already on the list of inodes to be
rebuilt.
Addresses-Gooogle-Bug: 178607853
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
|
|
For warnings not supported by upstream e2fsprogs, it's a waste of time
to suppress them only in specific places, as they can show up anywhere
in future releases of e2fsprogs. Let's consolidate all these warning
suppressions into the top-level Android.bp for e2fsprogs.
Change-Id: Icebc03289dae920cb1b673e605c48f7f2b517625
From AOSP commit: d08d59557a34c6362e3660e7e35bc118591dbbfa
|
|
The upstream build system for e2fsprogs doesn't use
-fno-strict-aliasing, so update the Android.bp files to match.
Note: Android's build system currently uses -fno-strict-aliasing by
default anyway, so this change doesn't actually enable strict aliasing.
But that's a bit besides the point. The point is that this project
doesn't need anything special, so we don't need to do anything special.
Change-Id: Ifa637058fd95fdc2b6994a8b801b238e929c1f13
From AOSP commit: c30a15e5d615748d4824dec26f1bda1a86be979c
|
|
|
|
Starting in Linux 6.2, char is forced to always unsigned when
compiling the kernel, even on those platforms (such as x86) where char
was traditionally signed. This exposed a bug in ext4, where when
calculating the extended attribute entry hash, we used a char value
from the extended attribute name. This resulted with the entry hash,
which is stored on-disk, to variable depending on whether the plaform
used a signed or unsigned char.
Fortunately, the xattr names tend to be ASCII characters with the 8th
bit zero, so it wasn't noticed two decades (this bugs dates back to
the introduction of extended attribute support to ext2 in 2.5.46).
However, when this change was made in v6.2-rc1, the inconsistency
between the extended attribute hash calculated by e2fsprogs (which was
still using a signed char on x86) was different from an x86 kernel,
and this triggered a test failure in generic/454.
This was fixed in kernel commit f3bbac32475b (" ext4: deal with legacy
signed xattr name hash values"), where Linus decreed that it wasn't
worth it to fix this the same way we had addressed has used by the
dir_index feature. Instead, starting in the 6.2 kernel, ext4 will
accept both the hash calculated using signed and unsigned chars, but
set the entry hash using the unsigned char. This commit makes
e2fsprogs follow suit.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
The C standard is wrong[1] with respect to the function signature of
free(), while the kernel's kfree() is correct. Unfortunately, this
leads to compiler warnings.
Sayeth Dennis Ritchie: "Noalias must go. This is non-negotiable"[2].
Noalias went. The confusion around const, alas, still remains.
[1] https://yarchive.net/comp/const.html
[2] https://www.lysator.liu.se/c/dmr-on-noalias.html
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
The ino_t type is defined by the system header files, and may be
anything from an unsigned int, unsigned long, or an unsigned long
long. So where we are referring to an ext2/ext3/ext4 inode number, we
should use ext2_ino_t to avoid this ambiguity, especially when passing
an inode number to a printf-style function.
This was detected via a compiler warning on MacOS, but it's
potentially a real bug, since it can cause an error message to print a
garbled inode number.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
|
|
The macros that e2fsck uses to implement kmalloc et al. use only some of
their arguments, so unlike standard function calls, they can cause
compiler warnings like:
./../e2fsck/revoke.c:141:8: warning: variable 'gfp_mask' set but not used [-Wunused-but-set-variable]
Fix this by providing a proper definition for each function, making sure
to match the function prototypes used in the kernel.
Remove the kmem_cache_t typedef, as it doesn't exist in the kernel.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Typos found with codespell.
Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
When cloning multiply-claimed blocks for an inode,
clone_file() uses ext2fs_block_iterate3() to iterate
every block calling clone_file_block().
clone_file_block() calls check_if_fs_cluster(), even
the block is not on the block_dup_map, which could take
a long time on a large device.
Only check if it's metadata block when we need to clone
it.
Test block_metadata_map in check_if_fs_block()
and check_if_fs_cluster(), so we don't need to go over
each bg every time. The metadata blocks are already
marked in the bitmap.
Before this patch on a 500TB device with 3 files having
3 multiply-claimed blocks between them, pass1b is stuck
for more than 48 hours without progressing,
before e2fsck was terminated.
After this patch pass1b could finish in 180 seconds.
Signed-off-by: Li Dongyang <dongyangli@ddn.com>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Since the kernel is being fixed to consider journal inodes with the
'encrypt' flag set to be invalid, also update e2fsck accordingly.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
BSD is planning on changing their qsort_r() implementation to align
with the POSIX/GNU-style qsort_r() function signature. So use an
autoconf test to determine which qsort_r() a system has.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
|
|
The e2fsdroid build fails with musl because config.h is not included
before ext2fs.h, which causes HAVE_SYS_TYPES_H not to be defined
resulting in a missing definition for dev_t.
Include config.h at the top of each .c file, and remove extra
config.h include from perms.h.
Bug: 190084016
Test: m USE_HOST_MUSL=true fastboot
Change-Id: I95b3fff3f10ba85c00ec049811dd6b5d412e5dd2
From AOSP commit: 09c63d5edd35e3ca8366be0d92aad922d8895ac1
|
|
|
|
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
|
|
Except for e2fsck (where we want to expose the corrupted directory
entries to e2fsck mostly so that the e2fsck output stays the same on
big-endian machines compared to little-endian machines, so we don't
break our regression tests), if the directory block is corrupted, and
ext2fs_dirent_swab_in[2](), trips across this, return an error. This
will make sure that naive users of libextfs will not try to handle a
corrupted directory block. This prevents potential buffer overruns in
the byte swapping code paths.
This commit does not cause any functional change on little-endian
systems.
Addresses-Coverity-Bug: 1433408
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
|
|
Currently in varisous e2fsprogs tools, most notably tune2fs and e2fsck
we will get the device name by passing the user provided string into
blkid_get_devname(). This library function however is primarily intended
for parsing "NAME=value" tokens. It will return the device matching the
specified token, NULL if nothing is found, or copy of the string if it's
not in "NAME=value" format.
However in case where we're passing in a file name that contains an
equal sign blkid_get_devname() will treat it as a token and will attempt
to find the device with the match. Likely finding nothing.
Fix it by checking existence of the file first and then attempt to call
blkid_get_devname(). In case of a collision, notify the user and
automatically prefer the one returned by blkid_get_devname(). Otherwise
return either the existing file, or NULL.
We do it this way to avoid some existing file in working directory (for
example LABEL=volume-name) masking an actual device containing the
matchin LABEL. User can specify full, or relative path (e.g.
./LABEL=volume-name) to make sure the file is used instead.
Link: https://lore.kernel.org/r/20220812130122.69468-1-lczerner@redhat.com
Signed-off-by: Lukas Czerner <lczerner@redhat.com>
Reported-by: Daniel Ng <danielng@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Addresses-Coverity-Bug: 1500765
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
|
|
Addresses-Coverity-Bug: 1500772
Addresses-Coverity-Bug: 1500769
Addresses-Coverity-Bug: 1500767
Addresses-Coverity-Bug: 1500758
Addresses-Coverity-Bug: 1500756
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
We only print the parent directory to help provide context to the
user, but it's possible that a corrupted directory doesn't have a '..'
link.
Addresses-Coverity-Bug: 1507762
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
No functional changes, but streamline the logic, and avoid a coverity
warning.
Addresses-Coverity-Bug: 1507763
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
E2fsck will attempt to mutate filenames to ensure uniqueness if
necessary. If there are two unique filenames that are 254 or 255
characters in length and do not contain the '~' character, the
mutate_name() function would create a filename which is 256 bytes
long, which is not a legal filename in Linux. Adjust the mutate_name
function to avoid this possibility.
Addresses-Coverity-Bug: 1500768
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Some of the new fastcommit and casefold changes used the system
"ino_t" instead of "ext2_ino_t" for handling filesystem inodes.
This causes printf warnings if the system "ino_t" is of a different
size. Use the library "ext2_ino_t" for consistency.
Signed-off-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: Gabriel Krisman Bertazi <krisman@collabora.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
|
|
Combining superblock (-b) with undo file (-z) fails iff the block size
is not specified (-B) and is different from the first blocksize probed
in try_open_fs (1k). The reason is as follows:
try_open_fs() will probe different blocksizes if none is provided on
the command line. It is done by opening and closing the filesystem
until it finds a blocksize that makes sense. This is fine for all
io_managers, but undo_io creates the undo file with that blocksize
during ext2fs_open. Once try_open_fs realizes it had the wrong
blocksize and retries with a different blocksize, undo_io will read
the previously created file and think it's corrupt for this
filesystem.
Ideally, undo_io would know this is a probe and would fix the undo file.
It is not simple, though, because it would require undo_io to know the
file was just created by the probe code, since an undo file survives
through different fsck sessions. We'd have to pass this information
around somehow. This seems like a complex change to solve a corner
case.
Instead, this patch changes the blocksize probe to always use the
unix_io_manager. This way, we safely probe for the blocksize without
side effects. Once the blocksize is known, we can safely reopen the
filesystem under the proper io_manager.
An easily reproducer for this issue (from Ted, adapted by me) is:
mke2fs -b 4k -q -t ext4 /tmp/foo.img 2G
e2fsck -b 32768 -z /tmp/undo /tmp/foo.img
Reported-by: Peter Urbanec <linux-ext4.vger.kernel.org@urbanec.net>
Signed-off-by: Gabriel Krisman Bertazi <krisman@collabora.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Quiet various compiler warnings about unreferenced or unset variables.
Signed-off-by: Andreas Dilger <adilger@dilger.ca>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
|
|
Add a missing default: case when expanding percent expansions in the
log file specified in /etc/e2fsck.conf.
Addresses-Coverity-Bug: 1500757
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
The ext2_extent_info.max_depth is zero-based (e.g., it is zero when
the entire extent tree fits in the inode). Hence, if it is equal to
MAX_EXTENT_DEPTH_COUNT we should always rebuild the extent tree to
shorten it.
Also, for 1k block file systems, it's possible for the worst-case
extent tree in its most compact form to have a maximum depth of 6, not
5. So set MAX_EXTENT_DEPTH_COUNT to 8 just to be sure we have plenty
of headroom. (The kernel supports an extent depth up to 2**16, but
e2fsck only keeps statistics up to MAX_EXTENT_DEPTH_COUNT, and if it's
deeper than that, we know that it will be profitable to rebuild the
extent tree in any case.)
Addresses-Coverity-Bug: 1507761
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Previously, ext2fs_open() and ext2fs_open2() would return an error if
s_desc_size is too small. Add a check so it will return an error if
s_desc_size is too large, as well.
These checks will be skipped for e2fsck when it uses the flag
EXT2_FLAG_IGNORE_SB_ERRORS.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
|
|
It is logal (albeit rare) for the number of block groups per flex_bg
to 2**31 (which effectively means to put all of the block groups into
a single flex_bg). However, in that case "1 << 31" is undefined on
architectures with a 32-bit integer. Fix this UBSAN complaint by
using "1U << 31" instead.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
|
|
The kernel doesn't support extent trees deeper than 5
(EXT4_MAX_EXTENT_DEPTH). For this reason we only maintain the extent
tree statistics for 5 levels. Avoid out-of-bounds writes and reads if
the extent tree is deeper than this.
We keep these statistics to determine whether we should rebuild the
extent tree. If the extent tree is too deep, we don't need the
statistics because we should always rebuild the it.
Reported-by: Nils Bars <nils.bars@rub.de>
Reported-by: Moritz Schlögel <moritz.schloegel@rub.de>
Reported-by: Nico Schiller <nico.schiller@rub.de>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
When checking an extended attrbiute block for correctness, we check if
the starting offset plus the value size exceeds the end of the block.
However, we weren't checking if the size was too large, and if it is
so large that it triggers a wraparound when we added the starting
offset, we won't notice the problem. Add the missing check.
Reported-by: Nils Bars <nils.bars@rub.de>
Reported-by: Moritz Schlögel <moritz.schloegel@rub.de>
Reported-by: Nico Schiller <nico.schiller@rub.de>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
If there isn't enough space for a full extended attribute entry,
inc_ea_inode_refs() might end up reading beyond the allocated memory
buffer.
Reported-by: Nils Bars <nils.bars@rub.de>
Reported-by: Moritz Schlögel <moritz.schloegel@rub.de>
Reported-by: Nico Schiller <nico.schiller@rub.de>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
E2fsck replays the journal before sanity checking the full superblock.
So it's possible that the journal inode number is not valid relative
to the number of block groups. So to avoid potentially an array
bounds overrun, sanity check this before trying to find the journal
inode.
Reported-by: Nils Bars <nils.bars@rub.de>
Reported-by: Moritz Schlögel <moritz.schloegel@rub.de>
Reported-by: Nico Schiller <nico.schiller@rub.de>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
This should only happen if there is a programming bug, but better safe
than sorry.
Link: https://lore.kernel.org/r/9a9c6658-a8b3-794a-85df-c3bdf0470111@huawei.com
Signed-off-by: zhanchengbin <zhanchengbin1@huawei.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Link: https://lore.kernel.org/r/6d2844c7-0fd2-e432-3c7e-bb8de8c8a186@huawei.com
Signed-off-by: zhanchengbin <zhanchengbin1@huawei.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Don't call into ext2fs_get_pathname() to do a name lookup for a
disconnected directory, since the directory block traversal in
pass1 has already scanned all of the leaf blocks and never finds
the entry, always printing "???". If the name entry had been
found earlier, the directory would not be disconnected in pass3.
Instead, lookup ".." and print the parent name in the prompt, and
then do not search for the current directory name at all. This
avoids a useless full directory scan for each disconnected entry,
which can potentially be slow if the parent directory is large.
Separate the recursively looped directory case to a new error code,
since it is a different problem that should use its own descriptive
text, and a proper pathname can be shown in this case.
Lustre-bug-Id: https://jira.whamcloud.com/browse/LU-15330
Change-Id: If17a92689f24f365ca1fbe5c837e7d5f383ebbe5
Signed-off-by: Andreas Dilger <adilger@whamcloud.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
It isn't totally clear when searching the code for PROMPT_*
constants from problem codes where these messages come from.
Similarly, there isn't a direct mapping from the prompt string
to the constant.
Add comments that make this mapping more clear.
Signed-off-by: Andreas Dilger <adilger@dilger.ca>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
mallinfo has been deprecated with GNU C library version 2.33 in favor of
mallinfo2 which works exactly the same as mallinfo but with larger field
widths. Use mallinfo2 if available.
Signed-off-by: Lukas Czerner <lczerner@redhat.com>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
|
|
Otherwise, we break the block group descriptor's checksum, and while
this gets fixed by e2fsck, it results unnecessary messages printed or
questions asked of the system administrator.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
At the end of a fast commit replay, e2fsck tries merging extents in a
inode. This patch fixes a bug in this logic where we were continuing
this action even if there were no extents to merge resulting in
accessing illegal memory.
Signed-off-by: Harshad Shirwadkar <harshadshirwadkar@gmail.com>
|
|
Reduce the number of times that the inode is read from storage.
Factor ext2fs_xattrs_read() into a new ext2fs_xattrs_read_inode()
function that can accept an in-memory inode, and call that from
within ext2fs_xattrs_read() and in e2fsck_pass1() when the inode
is already available.
Similarly, in e2fsck_pass4() avoid re-reading the inode multiple
times in disconnect_inode(), check_ea_inode(), and in the main
function body if possible.
Signed-off-by: Andreas Dilger <adilger@dilger.ca>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
When e2fsck was loading quotas to process orphan list, it was loading
only quota usage. However subsequent quota writeout has effectively
overwritten quota limits, loosing them forever. Make sure quota limits
are preserved over orphan replay.
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
quota_update_limits() is a misnomer because what it actually does is
that it updates 'usage' counters and leaves 'limit' counters intact.
Rename quota_update_limits() to quota_read_all_dquots() and while
changing prototype also add a flags argument so that callers can control
which quota information is actually updated from the disk.
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
To improve consistency, use "file system" in all of the man pages in
preference over "filesystem".
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Quota files must not be referenced from directory entries. Otherwise
they can get corrupted under the hands of the kernel.
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
When parsing strings from /proc/apm and /proc/acpi/ac_adapter, add
string length limits to prevent possible buffer overruns.
Addresses-Coverty-Bug: 1297496
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Fix a signed vs unsigned and a void * pointer arithmetic warning.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Remove it to silence clang warning.
Signed-off-by: Lukas Czerner <lczerner@redhat.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
This synchronizes e2fsprogs with kernel commit c6bf3f0e25f4 ("block:
use an on-stack bio in blkdev_issue_flush").
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Commit 63f44aafb1f2 ("e2fsck: fix ".." more gracefully if possible")
changed the check_dot() function to try to avoid resetting the '..'
entry when the '.' entry is too large.. But if we do that, then on
big-endian systems, we need to try byte swapping the rest of the
directory entries, or else the f_baddotdir test will fail on
big-endian systems.
Also add a check to avoid UBSAN warning when there is not enough space
at the end of the directory block for a directory entry, and so we can
potentially overflow some pointer arithmetic when trying to byte swap
the remainder of the (negative) space in the directory block.
Fixes: 63f44aafb1f2 ("e2fsck: fix ".." more gracefully if possible")
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Use target.bionic.system_shared_libs when it is used to limit the
default shared libraries (as opposed to remove them completely).
This avoids attempting to add a host dependency on libc when
system_shared_libs is modified to apply to all variants.
Also remove system_shared_libs from static binaries where it has
no effect, and consolidate it into e2fsprogs-defaults.
Bug: 193559105
Test: m checkbuild
Change-Id: I2d447b006afc783f4acd6c1acd93f338a68a01ed
From AOSP commit: 48fa7248112701c30d3cabfb8d3360b2408d6491
|
|
Added SPDX-license-identifier-0BSD SPDX-license-identifier-Apache-2.0
SPDX-license-identifier-BSD SPDX-license-identifier-GPL
SPDX-license-identifier-GPL-2.0 SPDX-license-identifier-LGPL
SPDX-license-identifier-LGPL-2.0 SPDX-license-identifier-LGPL-2.1
SPDX-license-identifier-LGPL-3.0 SPDX-license-identifier-MIT
legacy_notice legacy_unencumbered
to:
Android.bp
Added SPDX-license-identifier-0BSD SPDX-license-identifier-BSD
SPDX-license-identifier-GPL SPDX-license-identifier-GPL-2.0
SPDX-license-identifier-LGPL SPDX-license-identifier-LGPL-2.1
SPDX-license-identifier-LGPL-3.0 SPDX-license-identifier-MIT
legacy_unencumbered
to:
lib/Android.bp
Added SPDX-license-identifier-0BSD SPDX-license-identifier-BSD
SPDX-license-identifier-GPL-2.0 SPDX-license-identifier-MIT
to:
lib/et/Android.bp
Added SPDX-license-identifier-0BSD SPDX-license-identifier-MIT
to:
lib/ss/Android.bp
Added SPDX-license-identifier-Apache-2.0
to:
contrib/android/Android.bp
Added SPDX-license-identifier-Apache-2.0 SPDX-license-identifier-GPL
to:
contrib/Android.bp
Added SPDX-license-identifier-BSD
to:
lib/uuid/Android.bp
Added SPDX-license-identifier-GPL
to:
resize/Android.bp
Added SPDX-license-identifier-GPL SPDX-license-identifier-GPL-2.0
to:
debugfs/Android.bp
Added SPDX-license-identifier-GPL SPDX-license-identifier-GPL-2.0
SPDX-license-identifier-LGPL
to:
e2fsck/Android.bp
Added SPDX-license-identifier-GPL SPDX-license-identifier-GPL-2.0
SPDX-license-identifier-LGPL SPDX-license-identifier-LGPL-2.1
SPDX-license-identifier-LGPL-3.0 legacy_unencumbered
to:
lib/ext2fs/Android.bp
Added SPDX-license-identifier-GPL SPDX-license-identifier-LGPL
to:
lib/e2p/Android.bp
Added SPDX-license-identifier-GPL SPDX-license-identifier-LGPL
SPDX-license-identifier-LGPL-2.1 SPDX-license-identifier-LGPL-3.0
to:
lib/blkid/Android.bp
misc/Android.bp
Added SPDX-license-identifier-GPL SPDX-license-identifier-MIT
to:
lib/support/Android.bp
Bug: 68860345
Bug: 151177513
Bug: 151953481
Test: m all
Exempt-From-Owner-Approval: janitorial work
Change-Id: I239a04a83f12ba051be911d18f6df4ae77fb3368
From AOSP commit: e86522c572b5715b85889cf8ca1c52a5cc350ca7
|
|
Address a number of signed vs. unsigned comparison errors, unused
function parameters, casts which drop const, etc.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Fix all warnings about unused variables that were introduced since
e2fsprogs v1.45.4.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Fix all warnings about unused function parameters that were introduced
since e2fsprogs v1.45.4, by adding EXT2FS_ATTR((unused)) or removing
parameters as appropriate.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Sync the changes to fc_do_one_pass() from the kernel's recovery.c so
that e2fsck picks up the fixes to the jbd_debug() statements.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Make jbd_debug() do format string checking (but still get compiled away
to nothing) when --enable-jbd-debug isn't specified, similar to
commit d556435156b7 ("jbd2: avoid -Wempty-body warnings") on the kernel
side. This should prevent --enable-jbd-debug from getting broken due to
bad jbd_debug() statements. It also eliminates a -Wunused-variable
warning where a variable was only used in a jbd_debug() statement.
Also remove an alternative definition of jbd_debug() that was
conditional on CONFIG_JBD_DEBUG && !CONFIG_JBD_DEBUG, so was dead code.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
With commit c52d930f e2fsck is no longer able to fix bad last
mount/write time by default because it is conditioned on s_checkinterval
not being zero, which it is by default.
One place where it matters is when other e2fsprogs tools require to run
full file system check before a certain operation. If the last mount
time is for any reason in future, it will not allow it to run even if
full e2fsck is ran.
Fix it by checking the last mount/write time when the e2fsck is forced,
except for the case where we know the system clock is broken.
[ Reworked the conditionals so error messages claiming that the last
write/mount time were corrupted wouldn't be always printed when the
e2fsck was run with the -f option, thus causing 299 out of 372
regression tests to fail. -- TYT ]
Fixes: c52d930f ("e2fsck: don't check for future superblock times if checkinterval == 0")
Reported-by: Dusty Mabe <dustymabe@redhat.com>
Signed-off-by: Lukas Czerner <lczerner@redhat.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
If the "." entry is corrupted, it will be reset in check_dot().
It is possible that the ".." entry can be recovered from the
directory block instead of also resetting it immediately. If
it appears that there is a valid ".." entry in the block, allow
that to be used, and let check_dotdot() verify the dirent itself.
When resetting the "." and ".." entries, use EXT2_FT_DIR as the
file type instead of EXT2_FT_UNKNOWN for the very common case of
filesystems with the "filetype" feature, to avoid later problems
that can be easily avoided. This can't always be done, even if
filesystems without "filetype" are totally obsolete, because many
old test images do not have this feature enabled.
Fixup affected tests using the new "repair-test" script that
updates the expect.[12] files from $test.[12].log for the given
tests and re-runs the test to ensure it now passes.
Signed-off-by: Andreas dilger <adilger@whamcloud.com>
Reviewed-by: Artem Blagodarenko <artem.blagodarenko@hpe.com>
Lustre-bug-Id: https://jira.whamcloud.com/browse/LU-14710
Change-Id: Ia5e579bcf31a9d9ee260d5640de6dbdb60514823
Reviewed-on: https://review.whamcloud.com/43858
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
These fast commit related structures can be unaligned on disk. So we
need to avoid accessing these structures directly, and first copy
them to memory which we know is appropriately aligned.
This fixes an e2fsck crash while running the j_recovery_fast_commit
regression test on a sparc64 system.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Fast commit related struct ext4_fc_tl can be unaligned on disk. So,
while accessing that we should ensure that the pointers are
aligned. This patch fixes unaligned accesses to ext4_fc_tl and also
gets rid of macros fc_for_each_tl and ext4_fc_tag_val that may result
in unaligned accesses to struct ext4_fc_tl.
Signed-off-by: Harshad Shirwadkar <harshadshirwadkar@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
The on-disk format for the ext4 journal can have unaigned 32-bit
integers. This can happen when replaying a journal using a obsolete
checksum format (which was never popularly used, since the v3 format
replaced v2 while the metadata checksum feature was being stablized),
and in the fast commit feature (which landed in the 5.10 kernel,
although it is not enabled by default).
This commit fixes the following regression tests on some platforms
(such as running 32-bit arm architectures on a 64-bit arm kernel):
j_recover_csum2_32bit, j_recover_csum2_64bit, j_recover_fast_commit.
https://github.com/tytso/e2fsprogs/issues/65
Addresses-Debian-Bug: #987641
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
This was originally reported to the MacPorts of e2fsprogs at:
https://github.com/macports/macports-ports/pull/9137
Reported-by: Ryan Schmidt <ryandesign@macports.org>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
The iscan program program isn't built by default, and was relying on
e2fsck's util.c, so it had suffered bitrot as e2fsck/util.c had
evolved. Fix it so that iscan builds correct.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Initialize ext2fs_ex variable in ext4_fc_replay_scan() before first
use. Also make sure ext2fs_decode_extent() completely overwrites the
extent structure passed to it as argument to prevent potential future
bugs for the users of the function.
Signed-off-by: Harshad Shirwadkar <harshadshirwadkar@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
During fast commit replay scan phase, in ext4_fc_replay_scan(), we
want to fallthrough in switch case for EXT4_FC_TAG_ADD_RANGE case. Add
a comment for that.
Signed-off-by: Harshad Shirwadkar <harshadshirwadkar@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Don't ignore return values of library function calls in
e2fsck_rewrite_extent_tree.
Signed-off-by: Harshad Shirwadkar <harshadshirwadkar@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Addresses-Coverity-Bug: 1472586
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
This function can't actually fail today, but in the future it could
return an error, so it's better to add the appropriate error check.
Addresses-Coverity-Bug: #1464579
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
On most systems where we compile e2fsprogs, the u64 type is an
unsigned long long. However, there are platforms (such as the
PowerPC) where a long 64-bits and so u64 is typedef'ed to be unsigned
long instead of a unsigned long long. Fix this by using explicit
casts in printf statements. For scanf calls, we need to receive the
value into a unsigned long long, and then assign it to a u64, after
doing range checks.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
(Also update some inaccuracies in the 1.46.0 release.)
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
The qsort_r() function is specific to glibc. It is not present in the
musl C library. Worse, FreeBSD supports qsort_r, but with an
incompatible interface. So use sort_r() from commit c8c65c1e183d
from the git repository: https://github.com/noporpoise/sort_r
https://github.com/tytso/e2fsprogs/issues/58
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
There are a few places where the endianness conversion wasn't done
right. This patch fixes that. Verified that after this patch,
j_recover_fast_commit passes on big endian qemu VM.
root@debian-powerpc:~/e2fsprogs/tests# make j_recover_fast_commit
j_recover_fast_commit: : ok
Signed-off-by: Harshad Shirwadkar <harshadshirwadkar@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
If directories grow larger than 4GB in size with the large_dir
feature, e2fsck will consider them to be corrupted and clear
the high bits of the size.
Since it isn't very common to have directories this large, and
unlike sparse files that don't have ill effects if the size is
too large, an too-large directory will have all of the sparse
blocks filled in by e2fsck, so huge directories should still
be viewed with suspicion. Check for consistency between two of
the three among block count, inode size, and superblock large_dir
flag before deciding whether the directory inode should be fixed
or cleared, or if large_dir should be set in the superblock.
Update the f_recnect_bad test case to match new output.
Fixes: 49f28a06b738 ("e2fsck: allow to check >2GB sized directory")
Signed-off-by: Andreas Dilger <adilger@whamcloud.com>
Lustre-bug-id: https://jira.whamcloud.com/browse/LU-14345
Change-Id: I1b898cdab95d239ba1a7b37eb96255acadce7057
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Remove the use of the binary interface using the sysctl(2) system call
since sys/sysctl.h has been deprecated. We can find the total memory
available in the system using the POSIX standard sysconf(2) interface.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
|
|
The vendor_ramdisk variant is dynamic, unlike the ramdisk variant.
Test: builds
Google-Bug-Id: 173425293
Change-Id: I45547b5ea99aae98727121c038129844b7930ed6
From AOSP commit: 073ede3200afeffd82889cb61a71fa1947314476
|
|
Adds support for EXT2_HASH_SIPHASH, and reading the hash from disk in
that case. We cannot compute the siphash without the key, so we must
not modify the names of any encrypted and casefolded directories,
which limits some recovery options, and we must assume the hashes
stored in dirents are correct.
This is in preparation for upcoming kernel support for encryption and
casefolding at the same time.
Google-Bug-Id: 138322712
Test: Create fs with casefold and encryption enabled via mke2fs and
tune2fs, run fsck after creating casefolded + encrypted folder
Change-Id: Icca32d7d9dd3c7f52da03d60e4d89273cbec0a7d
From AOSP commit: 67eae926bdac1a54dbb8335731c5e1581f93e4bb
|
|
We can't mutate a name without the key, as this will at best cause the
name to become gibberish, and at worst may introduce invalid characters
or even fail to be unique after decoding, so drop duplicates instead.
Files lost in this way will be reconnected to lost+found
Fixes: dbff534ec685 ("e2fsck: suppress bad name checks for encrypted directories")
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Google-Bug-Id: 138322712
Test: f_dup_de_crypt
Change-Id: I8d6cc3984872868a845fafabc554abdd86351fcc
From AOSP commit: 80b85f8a0b2ba7090a927f692ff9d2097ffd8d1f
|
|
The e2fsck may invoke the badblocks when -c is specified.
Also the badblocks is required by Mediatek devices. Add it for
completeness.
Test: compile wembley-userdebug
Google-Bug-Id: 157393160
Change-Id: I1163129c925e93ef386e86a60c93e9c314397134
From AOSP commit: dffec44dd56175b80810657f95f8e09a7e3ab0bf
|
|
Signed-off-by: Gabriel Krisman Bertazi <krisman@collabora.com>
Signed-off-by: Arnaud Ferraris <arnaud.ferraris@collabora.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
This is interesting for !strict filesystems as part of the encoding
update procedure. Once the filesystem is known to not have badly encoded
filenames, the update is trivial, thanks to the stability of assigned
code points in the unicode specification.
Signed-off-by: Gabriel Krisman Bertazi <krisman@collabora.com>
Signed-off-by: Arnaud Ferraris <arnaud.ferraris@collabora.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
On pass2, support casefolded directories when looking for duplicated
entries.
Signed-off-by: Gabriel Krisman Bertazi <krisman@collabora.com>
Signed-off-by: Arnaud Ferraris <arnaud.ferraris@collabora.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Signed-off-by: Gabriel Krisman Bertazi <krisman@collabora.com>
Signed-off-by: Arnaud Ferraris <arnaud.ferraris@collabora.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
When rehashing a +F directory, the casefold comparison needs to be
performed, in order to identify duplicated filenames. Like the -F
version, This is done in two steps, first adapt the qsort comparison to
consider casefolded directories, and then iterate over the sorted list
fixing dups.
Signed-off-by: Gabriel Krisman Bertazi <krisman@collabora.com>
Signed-off-by: Arnaud Ferraris <arnaud.ferraris@collabora.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
On strict mode, invalid Unicode sequences are not permited. This patch
adds a verification step to pass2 to detect and modify the entries with
the same replacement char used for non-encoding directories '.'.
After the encoding test, we still want to check the name for usual
problems, '\0', '/' in the middle of the sequence.
Signed-off-by: Gabriel Krisman Bertazi <krisman@collabora.com>
Signed-off-by: Arnaud Ferraris <arnaud.ferraris@collabora.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Add replay for inode's extent trees and inode itself.
Signed-off-by: Harshad Shirwadkar <harshadshirwadkar@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Add fast commit replay for directory entry updates.
Signed-off-by: Harshad Shirwadkar <harshadshirwadkar@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
This function adds the skeleton for the replay path. Following patches
in the series implement the handling for individual tags.
Signed-off-by: Harshad Shirwadkar <harshadshirwadkar@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Add fast commit scan pass. Scan pass is responsible for following
things:
* Count total number of fast commit tags that need to be replayed
during the replay phase.
* Validate whether the fast commit area is valid for a given
transaction ID.
* Verify the CRC of fast commit area.
Signed-off-by: Harshad Shirwadkar <harshadshirwadkar@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Introduce "e2fsck_fc_replay_state" structure which is needed for ext4
fast commit replay.
Signed-off-by: Harshad Shirwadkar <harshadshirwadkar@gmail.com>
Reviewed-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Fast commit replay needs to rewrite the entire extent tree for inodes
found in fast commit area. This patch makes e2fsck's rewrite extent
tree path visible.
Signed-off-by: Harshad Shirwadkar <harshadshirwadkar@gmail.com>
Reviewed-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
When allocating buffer_heads in e2fsck and debugfs the actual size of
the memory which is requested is based on the file system block size.
So the actual size of b_data in struct buffer_head doesn't actually
matter, except that it can triggers a UBSAN error when running the
e2fsck regression test. So change it to be 4096 to avoid this false
positive.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
|
|
Clang gets unhappy when passing an unsigned char to string functions.
For better or for worse we use __u8[] in the definition of the
superblock. So cast them these to "char *" to prevent clang
build-time warnings.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
params.num_journal_blocks is an unsigned value so it can never be less
than zero.
Addresses-Coverity-Bug: 1472250
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
This patch makes number of fast commit blocks configurable. Also, the
number of fast commit blocks can now be seen in dumpe2fs output.
$ ./misc/mke2fs -O fast_commit -t ext4 image
mke2fs 1.46-WIP (20-Mar-2020)
Discarding device blocks: done
Creating filesystem with 5120 1k blocks and 1280 inodes
Allocating group tables: done
Writing inode tables: done
Creating journal (1040 blocks): done
Writing superblocks and filesystem accounting information: done
$ ./misc/dumpe2fs image
dumpe2fs 1.46-WIP (20-Mar-2020)
...
Journal features: (none)
Total journal size: 1040k
Total journal blocks: 1040
Max transaction length: 1024
Fast commit length: 16
Journal sequence: 0x00000001
Journal start: 0
$ ./misc/mke2fs -O fast_commit -t ext4 image -J fast_commit_size=256,size=1
mke2fs 1.46-WIP (20-Mar-2020)
Creating filesystem with 5120 1k blocks and 1280 inodes
Allocating group tables: done
Writing inode tables: done
Creating journal (1280 blocks): done
Writing superblocks and filesystem accounting information: done
$ ./misc/dumpe2fs image
dumpe2fs 1.46-WIP (20-Mar-2020)
...
Journal features: (none)
Total journal size: 1280k
Total journal blocks: 1280
Max transaction length: 1024
Fast commit length: 256
Journal sequence: 0x00000001
Journal start: 0
This patch also adds information about fast commit feature in mke2fs
and tune2fs man pages.
Signed-off-by: Harshad Shirwadkar <harshadshirwadkar@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
This patch adds new libext2fs that allow configuring number of fast
commit blocks in journal superblock. We also add a struct
ext2fs_journal_params which contains number of fast commit blocks and
number of normal journal blocks. With this patch, the preferred way
for configuring number of blocks with and without fast commits is:
struct ext2fs_journal_params params;
ext2fs_get_journal_params(¶ms, ...);
params.num_journal_blocks = ...;
params.num_fc_blocks = ...;
ext2fs_create_journal_superblock2(..., ¶ms, ...);
OR
ext2fs_add_journal_inode3(..., ¶ms, ...);
Signed-off-by: Harshad Shirwadkar <harshadshirwadkar@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
This patch makes recovery.c identical with fast commit kernel changes.
Signed-off-by: Harshad Shirwadkar <harshadshirwadkar@gmail.com>
Reviewed-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
In order to make recovery.c identical with kernel, we need endianness
conversion macros (such as cpu_to_be32 and friends) defined in
e2fsprogs. This patch defines these macros and also fixes recovery.c
to use these. These macros are also needed for fast commit recovery
patches later in this series.
Signed-off-by: Harshad Shirwadkar <harshadshirwadkar@gmail.com>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
|
|
In the case where mkdir -p is not thread-safe (for example, if the
build environment is using busybox's mkdir) the configure script will
fall back to the slow (but safe) install-sh script. In that case
MKDIR_P will be using a relative pathname; so we can't use speed
optimization of defining configure substitutions in MCONFIG.in, since
the substitution will be different depending on depth of the
subdirectory in the Makefile.in file.
https://github.com/tytso/e2fsprogs/issues/51
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
|
|
Signed-off-by: Lukas Czerner <lczerner@redhat.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
len argument in string_copy() is int, but it is used with malloc(),
strlen(), strncpy() and some callers use sizeof() to pass value in. So
it really ought to be size_t rather than int. Fix it.
Signed-off-by: Lukas Czerner <lczerner@redhat.com>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Fixes: 3f0cf6475399 ("e2fsprogs: add support for 3-level htree")
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
v1.45.6
|
|
Test: pass
Bug: 147347110
Change-Id: Ie800ba1b56773dcc1b6563c4f19c27eccb9ffc1a
From AOSP commit: f5a8e8fdefd78deae971a475a7fa43734eef205e
|
|
When directory link count is set to overflow value (1) but during pass 4
we find out the exact link count would fit, we either silently fix this
(which is not great because e2fsck then reports the fs was modified but
output doesn't indicate why in any way), or we report that link count is
wrong and ask whether we should fix it (in case -n option was
specified). The second case is even more misleading because it suggests
non-trivial fs corruption which then gets silently fixed on the next
run. Similarly to how we fix up other non-problems, just create a new
error message for the case directory link count is not overflown anymore
and always report it to clarify what is going on.
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
(cherry picked from commit 4ebce13292f54c96f43dcb1bd1d5b8df5dc8749d)
|
|
|
|
Fixes: 70303df16ca6 ("e2fsck: consistently use ext2fs_get_mem()")
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
When directory link count is set to overflow value (1) but during pass 4
we find out the exact link count would fit, we either silently fix this
(which is not great because e2fsck then reports the fs was modified but
output doesn't indicate why in any way), or we report that link count is
wrong and ask whether we should fix it (in case -n option was
specified). The second case is even more misleading because it suggests
non-trivial fs corruption which then gets silently fixed on the next
run. Similarly to how we fix up other non-problems, just create a new
error message for the case directory link count is not overflown anymore
and always report it to clarify what is going on.
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
|
|
In alloc_size_dir() it multiples signed ints when allocating the
buffer for rehashing an htree-indexed directory. This will overflow
when the directory size is above 4GB, which is possible with largedir
directories having about 100M entries, assuming an average 3/4 leaf
fullness and 24-byte filenames, or fewer with longer filenames.
The same problem exisgs in get_next_block().
Similarly, the out_dir struct used a signed int for the number of
blocks in the directory, which may result in a negative size if the
directory is over 2GB (about 50M entries or fewer).
Use appropriate unsigned variables for block counts, and use larger
types for calculating the byte count for memory offsets/sizes.
Such large directories not been seen yet, but are not too far away.
The ext2fs_get_array() function will properly calculate the needed
memory allocation, and detect overflow on 32-bit systems.
Add ext2fs_resize_array() to do the same for array resize.
Signed-off-by: Andreas Dilger <adilger@whamcloud.com>
Lustre-bug-id: https://jira.whamcloud.com/browse/LU-13197
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Consistently use ext2fs_get_mem() and ext2fs_free_mem() instead of
calling malloc() and free() directly in e2fsck. In several places
it is possible to use ext2fs_get_memzero() instead of explicitly
calling memset() on the memory afterward.
This is just a code cleanup, and does not fix any specific bugs.
[ Fix up library dependencies in e2fsck/Makefile.in to fix "make
check" breakages. -- TYT ]
Signed-off-by: Andreas Dilger <adilger@whamcloud.com>
Lustre-bug-id: https://jira.whamcloud.com/browse/LU-13197
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Even though we don't have support for filesystems with over 4B inodes
in the current e2fsprogs, this may happen in the future. There are
latent overflow bugs when calculating the number of inodes in the
filesystem that can trivially be fixed now, rather than waiting for
them to be hit at some point in the future. The block number calcs
are already correct in this code.
Signed-off-by: Andreas Dilger <adilger@dilger.ca>
Lustre-bug-id: https://jira.whamcloud.com/browse/LU-13197
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Pack struct dx_dir_info and dx_dirblock_info properly in memory, to
avoid holes, and fields are not larger than necessary. This reduces
the memory needed for each hashed dir, according to pahole(1) from:
struct dx_dir_info {
/* size: 32, cachelines: 1, members: 6 */
/* sum members: 26, holes: 1, sum holes: 2 */
/* padding: 4 */
};
struct dx_dirblock_info {
/* size: 56, cachelines: 1, members: 9 */
/* sum members: 48, holes: 2, sum holes: 8 */
/* last cacheline: 56 bytes */
};
to 8 bytes less for each directory and directory block, and leaves
space for future use if needed (e.g. larger numblocks):
struct dx_dir_info {
/* size: 24, cachelines: 1, members: 6 */
/* sum members: 20, holes: 1, sum holes: 4 */
/* bit holes: 1, sum bit holes: 7 bits */
};
struct dx_dirblock_info {
/* size: 48, cachelines: 1, members: 9 */
};
Signed-off-by: Andreas Dilger <adilger@whamcloud.com>
Lustre-bug-id: https://jira.whamcloud.com/browse/LU-13197
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Don't use mallinfo() for determining the amount of memory used if it
is over 2GB. Otherwise, the signed ints used by this interface can
can overflow and return garbage values. This makes the actual amount
of memory used by e2fsck misleading and hard to determine.
Instead, use brk() to get the total amount of memory allocated, and print
this if the more detailed mallinfo() information is not suitable for use.
There does not appear to be a mallinfo64() variant of this function.
There does appear to be an abomination named malloc_info() that writes
XML-formatted malloc stats to a FILE stream that would need to be read
and parsed in order to get these stats, but that doesn't seem worthwhile.
Signed-off-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: Shilong Wang <wshilong@ddn.com>
Lustre-bug-id: https://jira.whamcloud.com/browse/LU-13197
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Use ext2_ino_t instead of ino_t for referencing inode numbers.
Use loff_t for for file offsets, and dgrp_t for group numbers.
Cast products to ssize_t before multiplication to avoid overflow.
Signed-off-by: Andreas Dilger <adilger@dilger.ca>
Reviewed-by: Shilong Wang <wshilong@ddn.com>
Lustre-bug-id: https://jira.whamcloud.com/browse/LU-13197
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
e2fsck_allocate_memory() takes an "unsigned int size" argument, which
will overflow for allocations above 4GB. This happens for dir_info
and dx_dir_info arrays when there are more than 350M directories in a
filesystem, and for the dblist array above 180M directories.
There is also a risk of overflow during the binary search in both
e2fsck_get_dir_info() and e2fsck_get_dx_dir_info() when the midpoint
of the array is calculated, if there would be more than 2B directories
in the filesystem and working above the half way point.
Also, in some places inode numbers are "int" instead of "ext2_ino_t",
which can also cause problems with the array size calculations, and
makes it hard to identify where inode numbers are used.
Fix e2fsck_allocate_memory() to take an "unsigned long" argument to
match ext2fs_get_mem(), so that it can do single memory allocations
over 4GB.
Fix e2fsck_get_dir_info() and e2fsck_get_dx_dir_info() to temporarily
use an unsigned long long value to calculate the midpoint (which will
always fit into an ext2_ino_t again afterward).
Change variables that hold inode numbers to be ext2_ino_t, and print
them as unsigned values instead of printing negative inode numbers.
Signed-off-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: Shilong Wang <wshilong@ddn.com>
Lustre-bug-id: https://jira.whamcloud.com/browse/LU-13197
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
|
|
The printf("%.*s") format requires both the buffer size and buffer
pointer to be specified for each use. Since this is repeatedly given
as "(int)sizeof(buf), (char *)buf" for mmp_nodename and mmp_bdevname
fields, with typecasts to avoid compiler warnings.
Add a helper macro EXT2_LEN_STR() to avoid repeated boilerplate code.
This can also be used for other superblock buffer fields that may not
have NUL-terminated strings (e.g. s_volume_name, s_last_mounted,
s_{first,last}_error_func, s_mount_opts) to simplify code and avoid
the need for temporary buffers for NUL-termination.
Annotate the superblock string fields that may not be NUL-terminated.
Signed-off-by: Andreas Dilger <adilger@dilger.ca>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Don't assume that mmp_nodename and mmp_bdevname are NUL terminated,
since very long node/device names may completely fill the buffers.
Limit string printing to the maximum buffer size for safety, and
change the field definitions to __u8 to make it more clear that
they are not NUL-terminated strings, as is done with other strings
in the superblock that do not have NUL termination.
Signed-off-by: Andreas Dilger <adilger@dilger.ca>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Previously, we just cleared the bad block list and restarted the inode
scan, but we didn't do a full reset of all of e2fsck's state. When
code handling this case; we didn't have the framework to do a
restarted run. Now that we do, we can simply the code and make it
more correct.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
We now restart the full e2fsck instead of unwinding and restarting
pass1. So most of what used to be in unwind_pass1() has been moved
elsewhere. Let's git rid of it entirely, which simplifies and shrinks
pass1.c slightly.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
|
|
We are no longer enabling periodic file system checks by default in
mke2fs. The only reason why we force file system checks if the last
mount time or last write time in the superblock is if this might
bypass the periodic file systme checks. So if the checkinterval is
zero, skip the last mount/write time checks since there's no reason to
force a check just because the system clock is incorrect.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
The problem is alloc_blocks() will call get_next_block() which might
reallocate outdir->buf, and memory address could be changed after
this. To fix this, pointers that point into outdir->buf, such as
int_limit and root need to be recaulated based on the new starting
address of outdir->buf.
[ Changed to correctly recalculate int_limit, and to optimize how we
reallocate outdir->buf. -TYT ]
Signed-off-by: Wang Shilong <wshilong@ddn.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Two memory allocation return check is missed.
Signed-off-by: Wang Shilong <wshilong@ddn.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
The function ext2fs_inode_i_blocks() is a bit confusing whether it is
returning the inode's i_blocks value, or whether it is returning the
value ala the stat(2) system call, which returns i_blocks in units of
512 byte sectors. This caused ext2fs_inode_i_blocks() to be
incorrectly used in fuse2fs and the function quota_compute_usage().
To address this, we add a new function, ext2fs_get_stat_i_blocks()
which is clearly labelled what it is returning, and use it in fuse2fs
and quota_compute_usage(). It's also a bit more convenient to use it
in e2fsck, so use it there too.
Reported-by: Wang Shilong <wangshilong1991@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
If directory has been deleted in pass1[bcd] processing, then we
shouldn't try to rehash the directory in pass 3a when we try to
rehash/reoptimize directories.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
In e2fsck pass 3a, when we are rehashing directories, at least in
theory, all of the directories should have had corruptions with
respect to directory entry structure fixed. However, it's possible
(for example, if the user declined a fix) that we can reach this stage
of processing with a corrupted directory entries.
So check for that case and don't try to process a corrupted directory
block so we don't run into trouble in mutate_name() if there is a
zero-length file name.
Addresses: TALOS-2019-0973
Addresses: CVE-2019-5188
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Optimize _("getting next inode from scan") so it is not called for
each initialized inode in the file system, and make a similar
optimization in pass 2 for each directory block.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
This is a logical revert of commit 1911bf113ef0, for which the
description reads:
Solaris polutes the C namespace with kmem_cache_t when
you include in/netinet.h is included, so rename kmem_cache_t
to lkmem_cache_t.
Reverting this change allows us to keep e2fsck/revoke.c in sync with
its upstream kernel source of fs/jbd2/revoke.c, and was the last
change required to make the e2fsprogs and kernel versions of revoke.c
to be bit identical.
I've confirmed that this is no longer a problem with OmniOS (an
Illumos / Open Solaris derivative). It may be a problem with Solaris,
but since I don't have easy access to Solaris, ¯\_(ツ)_/¯
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
We were previously using contrib/jbd2-resync.sh to transmogrify the
beXX_to_cpu and cpu_to_beXX macros to ext2fs_beXX_to_cpu and
ext2fs_cpu_to_beXX. Define them in lib/ext2fs/jfs_compat.h so we can
more easily keep them in sync with the kernel version of those files.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
This avoids some 32-bit vs 64-bit discrepancies in the function
signatures and the types used by their callers.
This cleans up some sparse warnings in recovery.c.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
E2fsprogs as a whole is not sparse-clean, but it does have and
understand the __beXX and __leXX types from the kernel. The structure
definitions in kernel-jbd.h have been updated to use the __beXX types,
so that recovery.c and revoke.c are more sparse-clean.
This removes a few more unneeded deltas from the kernel's recovery.c.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Apply the kernel's changes for commit 7b506b103532 ("jbd2: get rid of
open coded allocation retry loop") for revoke.c.
This required adjusting some of kernel compatibility defines.
Note that retrying allocations in user space never makes any sense!
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Commit 0d52154bb0a7 ("jbd2: fix potential double free") changes the
interface exported by revoke.c to initialize and destroy the slab
caches. Make the necessary changes to the code in e2fsck and debugfs
which calls revoke.c
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Sync the changes to e2fsck/revoke.c from commit 6da2ec56059c
("treewide: kmalloc() -> kmalloc_array()"), and add the emulation of
kmalloc_array() to e2fsck/jfs_user.h
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Commit 1101cd4d13ba ("jbd2: unify revoke and tag block checksum
handling") cleans up the fact that the jbd2_journal_revoke_tail and
jbd2_journal_block_tail structures are basically the same. So it
drops the definition of struct jbd2_journal_revoke_tail and unifies
the functions which calculates and verifies the checksums for revoke
blocks and tag blocks.
Make the same changes in e2fsprogs so eliminate unnecessary
differences in e2fsck/recovery.c and e2fsck/revoke.c.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Sync up the revoke.c specific changes from kernel commits 9bcf976cb8b8
("jbd2: remove unnecessary arguments of jbd2_journal_write_revoke_records"),
32ab671599a8 ("jbd2: factor out common descriptor block initialization"),
70fd76140a6c ("block,fs: use REQ_* flags directly"), cd9cb405e0b9
("jbd2: don't leak memory if setting up journal fails"), 8bdd5b60e027
("jbd2: remove NULL check before calling kmem_cache_destroy()"),
547b9ad698b4 ("jbd2: flush_descriptor(): Do not decrease buffer head's
ref count"), and fdc3ef882a5d ("jbd2: Reserve space for revoke descriptor
blocks").
Nearly all of the changes is in code under an #ifdef __KERNEL__. The
changes that will actually affect e2fprogs compilation are trivial and
easy to hand verify.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
We had previously stuck to using the names from ext3/jbd kernel files,
and used a script in contrib/jbd2-resync.sh to convert the kernel
files to use the ext3/jbd conventions so we could keep the files
e2fsck/recovery.c and e2fsck/revoke.c in sync with jbd2/recovery.c and
jbd2/revoke.c, respectively.
This has been getting harder and harder, so let's make a global sweep
through e2fsprogs to use the jbd2 names. Fortunately none of the
ext3/jbd names had leaked out into publically exported header files,
so this is only an internal change. Which looks scary, but it's
basically a search and replace, so if it compiles it's going to be
correct.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
In newer kernels, ll_rw_block() separated the request operation and
the operational flags arguments. This means adding a new parameter to
ll_rw_block() (which is ignored in our compat layer) and changing READ
and WRITE to REQ_OP_READ and REQ_OP_WRITE, respectively.
This makes it easier to keep us in sync with the kernel tree.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Historically e2fsprogs's e2fsck/recovery.c and e2fsck/revoke.c was
sync'ed against the ext3 version of jbd/recovery.c and jbd/revoke.c.
Remove minor differences so we can better sync up between the two
versions.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
By design, the kernel enforces that all files in an encrypted directory
use the same encryption policy as the directory. It's not possible to
violate this constraint using syscalls. Lookups of files that violate
this constraint also fail, in case the disk was manipulated.
But this constraint can also be violated by accidental filesystem
corruption. E.g., a power cut when using ext4 without a journal might
leave new files without the encryption bit and/or xattr. Thus, it's
important that e2fsck correct this condition.
Therefore, this patch makes the following changes to e2fsck:
- During pass 1 (inode table scan), create a map from inode number to
encryption policy for all encrypted inodes. But it's optimized so
that the full xattrs aren't saved but rather only 32-bit "policy IDs",
since usually many inodes share the same encryption policy. Also, if
an encryption xattr is missing, offer to clear the encrypt flag. If
an encryption xattr is clearly corrupt, offer to clear the inode.
- During pass 2 (directory structure check), use the map to verify that
all regular files, directories, and symlinks in encrypted directories
use the directory's encryption policy. Offer to clear any directory
entries for which this isn't the case.
Add a new test "f_bad_encryption" to test the new behavior.
Due to the new checks, it was also necessary to update the existing test
"f_short_encrypted_dirent" to add an encryption xattr to the test file,
since it was missing one before, which is now considered invalid.
Google-Bug-Id: 135138675
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
|
|
|
|
The casefold flag is only allowed on directories and when the casefold
feature is enabled.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
The backup superblock may have a last mounted time of zero, if it has
never been updated since the file system was created. In that case,
the low dtime check may get disabled when using the backup superblock,
even though subsequent e2fsck runs will end up using the low dtime
check. This can cause a failure of ext4/007, since since when e2fsck
is run a second time after the file system is mounted, the low dtime
check will trigger the e2fsck complaint:
Inode NNNN was part of the orphaned inode list. IGNORED.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
This option clears the uninitialized bit on all extents of all inodes.
Note that this can end up exposing uninitialized data to userspace.
It should only used in very specialized situations.
This option is only enabled via a new configure flag,
--enable-developer-features. It should *not* be enabled by
distributions, as it enables features thare only designed for use by
ext4 developers. These features have no documentation in the man
page, or regression tests, and if it breaks, you get to keep both
pieces.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Addresses-Debian-Bug: #932906
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
The xgettext program is incorrectly marking e2fsck problem
descriptions as being c-style printf strings. Override its mistakes.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Historically, e2fsck has required that directories not contain holes.
(In fact, as of this writing, ext4 still requires this to be the
case.) Commit ae9efd05a98 ("e2fsck: 3 level hash tree directory
optimization") removed this requirement if the large_dir feature is
enabled; however, the way it was done caused it to incorrectly handle
inline directories.
To reproduce the problem fixed by this commit:
truncate -s 100000000 ext4.img
misc/mke2fs -t ext4 -I 512 -O 'inline_data,large_dir' ext4.img
mkdir m
sudo mount ext4.img m
mkdir m/aa
sudo umount m
e2fsck/e2fsck -f -n ext4.img
The last command gives this output:
[root@localhost e2fsprogs-kernel]# e2fsck/e2fsck -f -n ext4-2.img
e2fsck 1.45.2 (27-May-2019)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
'..' in /aa (12) is <The NULL inode> (0), should be / (2).
Fix? no
Pass 4: Checking reference counts
Inode 2 ref count is 4, should be 3. Fix? no
Inode 12 ref count is 2, should be 1. Fix? no
Pass 5: Checking group summary information
ext4-2.img: ********** WARNING: Filesystem still has errors **********
ext4-2.img: 12/24384 files (0.0% non-contiguous), 17874/97656 blocks
Reported-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Signed-off-by: Artem Blagodarenko <c17828@cray.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Don't report PR_1_EXTENT_END_OUT_OF_BOUNDS on verity files during
scan_extent_node(), since they will have blocks stored past i_size.
This was missed during the earlier fix because this check only triggers
if the inode has enough extents to need at least one extent index node.
This bug is causing one of the fs-verity xfstests to fail with the
reworked fs-verity patchset.
Fixes: 3baafde6a8ae ("e2fsck: allow verity files to have initialized blocks past i_size")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
This doesn't actually fix a bug or change behavior, but it removes a
clang warning.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
Fixes-Coverity-Bug: 1444982
Fixes-Coverity-Bug: 1444983
Fixes-Coverity-Bug: 1444985
Fixes-Coverity-Bug: 1444986
Fixes-Coverity-Bug: 1444987
Fixes-Coverity-Bug: 1444988
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|