Google Git
Sign in
kernel / pub / scm / linux / kernel / git / djwong / xfsprogs-dev / 84d197557a7cd1716ec442782074dbc0e1617c3a^! / .
commit84d197557a7cd1716ec442782074dbc0e1617c3a[log] [tgz]
authorDarrick J. Wong <djwong@kernel.org>Wed Oct 12 12:19:20 2022 -0700
committerDarrick J. Wong <djwong@kernel.org>Fri Oct 14 14:24:38 2022 -0700
tree01b59292ba84ee44c83d16a0de9488093a97b264
parent6381946821549974325bed1f9c3c29c55f43388d [diff]
xfs: check deferred refcount op continuation parameters

If we're in the middle of a deferred refcount operation and decide to
roll the transaction to avoid overflowing the transaction space, we need
to check the new agbno/aglen parameters that we're about to record in
the new intent.  Specifically, we need to check that the new extent is
completely within the filesystem, and that continuation does not put us
into a different AG.

This should never happen, but if the keys of a node block are wrong, the
refcount btree lookups performed during the adjust operation (and
resumptions therein) can point us to the wrong record blocks.  The
refcount domain should prevent most of this, but this is a convenient
place to double-check that everything is still ok.

Signed-off-by: Darrick J. Wong <djwong@kernel.org>

diff --git a/libxfs/xfs_refcount.c b/libxfs/xfs_refcount.c
index e5e1f64..aa3937d 100644
--- a/libxfs/xfs_refcount.c
+++ b/libxfs/xfs_refcount.c

@@ -1180,6 +1180,45 @@
 }
 
 /*
+ * Set up a continuation a deferred refcount operation by updating the intent.
+ * Checks to make sure we're not going to run off the end of the AG.
+ */
+static inline int
+xfs_refcount_continue_op(
+	struct xfs_btree_cur		*cur,
+	xfs_fsblock_t			startblock,
+	xfs_agblock_t			new_agbno,
+	xfs_extlen_t			new_len,
+	xfs_fsblock_t			*fsbp)
+{
+	struct xfs_mount		*mp = cur->bc_mp;
+	struct xfs_perag		*pag = cur->bc_ag.pag;
+	xfs_fsblock_t			new_fsbno;
+	xfs_agnumber_t			old_agno;
+
+	old_agno = XFS_FSB_TO_AGNO(mp, startblock);
+	new_fsbno = XFS_AGB_TO_FSB(mp, pag->pag_agno, new_agbno);
+
+	/*
+	 * If we don't have any work left to do, then there's no need to
+	 * perform the validation of the new parameters since we're about to
+	 * tear down all the operation context.
+	 */
+	if (!new_len)
+		goto done;
+
+	if (XFS_IS_CORRUPT(mp, !xfs_verify_fsbext(mp, new_fsbno, new_len)))
+		return -EFSCORRUPTED;
+
+	if (XFS_IS_CORRUPT(mp, old_agno != XFS_FSB_TO_AGNO(mp, new_fsbno)))
+		return -EFSCORRUPTED;
+
+done:
+	*fsbp = new_fsbno;
+	return 0;
+}
+
+/*
  * Process one of the deferred refcount operations.  We pass back the
  * btree cursor to maintain our lock on the btree between calls.
  * This saves time and eliminates a buffer deadlock between the
@@ -1246,12 +1285,18 @@
 	case XFS_REFCOUNT_INCREASE:
 		error = xfs_refcount_adjust(rcur, bno, blockcount, &new_agbno,
 				new_len, XFS_REFCOUNT_ADJUST_INCREASE);
-		*new_fsb = XFS_AGB_TO_FSB(mp, pag->pag_agno, new_agbno);
+		if (error)
+			goto out_drop;
+		error = xfs_refcount_continue_op(rcur, startblock, new_agbno,
+				*new_len, new_fsb);
 		break;
 	case XFS_REFCOUNT_DECREASE:
 		error = xfs_refcount_adjust(rcur, bno, blockcount, &new_agbno,
 				new_len, XFS_REFCOUNT_ADJUST_DECREASE);
-		*new_fsb = XFS_AGB_TO_FSB(mp, pag->pag_agno, new_agbno);
+		if (error)
+			goto out_drop;
+		error = xfs_refcount_continue_op(rcur, startblock, new_agbno,
+				*new_len, new_fsb);
 		break;
 	case XFS_REFCOUNT_ALLOC_COW:
 		*new_fsb = startblock + blockcount;