xref: /linux/fs/xfs/scrub/symlink_repair.c (revision 001821b0e79716c4e17c71d8e053a23599a7a508)
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * Copyright (c) 2018-2024 Oracle.  All Rights Reserved.
4  * Author: Darrick J. Wong <djwong@kernel.org>
5  */
6 #include "xfs.h"
7 #include "xfs_fs.h"
8 #include "xfs_shared.h"
9 #include "xfs_format.h"
10 #include "xfs_trans_resv.h"
11 #include "xfs_mount.h"
12 #include "xfs_defer.h"
13 #include "xfs_btree.h"
14 #include "xfs_bit.h"
15 #include "xfs_log_format.h"
16 #include "xfs_trans.h"
17 #include "xfs_sb.h"
18 #include "xfs_inode.h"
19 #include "xfs_inode_fork.h"
20 #include "xfs_symlink.h"
21 #include "xfs_bmap.h"
22 #include "xfs_quota.h"
23 #include "xfs_da_format.h"
24 #include "xfs_da_btree.h"
25 #include "xfs_bmap_btree.h"
26 #include "xfs_trans_space.h"
27 #include "xfs_symlink_remote.h"
28 #include "xfs_exchmaps.h"
29 #include "xfs_exchrange.h"
30 #include "xfs_health.h"
31 #include "scrub/xfs_scrub.h"
32 #include "scrub/scrub.h"
33 #include "scrub/common.h"
34 #include "scrub/trace.h"
35 #include "scrub/repair.h"
36 #include "scrub/tempfile.h"
37 #include "scrub/tempexch.h"
38 #include "scrub/reap.h"
39 
40 /*
41  * Symbolic Link Repair
42  * ====================
43  *
44  * We repair symbolic links by reading whatever target data we can find, up to
45  * the first NULL byte.  If the recovered target strlen matches i_size, then
46  * we rewrite the target.  In all other cases, we replace the target with an
47  * overly long string that cannot possibly resolve.  The new target is written
48  * into a private hidden temporary file, and then a file contents exchange
49  * commits the new symlink target to the file being repaired.
50  */
51 
52 /* Set us up to repair the symlink file. */
53 int
54 xrep_setup_symlink(
55 	struct xfs_scrub	*sc,
56 	unsigned int		*resblks)
57 {
58 	struct xfs_mount	*mp = sc->mp;
59 	unsigned long long	blocks;
60 	int			error;
61 
62 	error = xrep_tempfile_create(sc, S_IFLNK);
63 	if (error)
64 		return error;
65 
66 	/*
67 	 * If we're doing a repair, we reserve enough blocks to write out a
68 	 * completely new symlink file, plus twice as many blocks as we would
69 	 * need if we can only allocate one block per data fork mapping.  This
70 	 * should cover the preallocation of the temporary file and exchanging
71 	 * the extent mappings.
72 	 *
73 	 * We cannot use xfs_exchmaps_estimate because we have not yet
74 	 * constructed the replacement symlink and therefore do not know how
75 	 * many extents it will use.  By the time we do, we will have a dirty
76 	 * transaction (which we cannot drop because we cannot drop the
77 	 * symlink ILOCK) and cannot ask for more reservation.
78 	 */
79 	blocks = xfs_symlink_blocks(sc->mp, XFS_SYMLINK_MAXLEN);
80 	blocks += xfs_bmbt_calc_size(mp, blocks) * 2;
81 	if (blocks > UINT_MAX)
82 		return -EOPNOTSUPP;
83 
84 	*resblks += blocks;
85 	return 0;
86 }
87 
88 /*
89  * Try to salvage the pathname from remote blocks.  Returns the number of bytes
90  * salvaged or a negative errno.
91  */
92 STATIC ssize_t
93 xrep_symlink_salvage_remote(
94 	struct xfs_scrub	*sc)
95 {
96 	struct xfs_bmbt_irec	mval[XFS_SYMLINK_MAPS];
97 	struct xfs_inode	*ip = sc->ip;
98 	struct xfs_buf		*bp;
99 	char			*target_buf = sc->buf;
100 	xfs_failaddr_t		fa;
101 	xfs_filblks_t		fsblocks;
102 	xfs_daddr_t		d;
103 	loff_t			len;
104 	loff_t			offset = 0;
105 	unsigned int		byte_cnt;
106 	bool			magic_ok;
107 	bool			hdr_ok;
108 	int			n;
109 	int			nmaps = XFS_SYMLINK_MAPS;
110 	int			error;
111 
112 	/* We'll only read until the buffer is full. */
113 	len = min_t(loff_t, ip->i_disk_size, XFS_SYMLINK_MAXLEN);
114 	fsblocks = xfs_symlink_blocks(sc->mp, len);
115 	error = xfs_bmapi_read(ip, 0, fsblocks, mval, &nmaps, 0);
116 	if (error)
117 		return error;
118 
119 	for (n = 0; n < nmaps; n++) {
120 		struct xfs_dsymlink_hdr	*dsl;
121 
122 		d = XFS_FSB_TO_DADDR(sc->mp, mval[n].br_startblock);
123 
124 		/* Read the rmt block.  We'll run the verifiers manually. */
125 		error = xfs_trans_read_buf(sc->mp, sc->tp, sc->mp->m_ddev_targp,
126 				d, XFS_FSB_TO_BB(sc->mp, mval[n].br_blockcount),
127 				0, &bp, NULL);
128 		if (error)
129 			return error;
130 		bp->b_ops = &xfs_symlink_buf_ops;
131 
132 		/* How many bytes do we expect to get out of this buffer? */
133 		byte_cnt = XFS_FSB_TO_B(sc->mp, mval[n].br_blockcount);
134 		byte_cnt = XFS_SYMLINK_BUF_SPACE(sc->mp, byte_cnt);
135 		byte_cnt = min_t(unsigned int, byte_cnt, len);
136 
137 		/*
138 		 * See if the verifiers accept this block.  We're willing to
139 		 * salvage if the if the offset/byte/ino are ok and either the
140 		 * verifier passed or the magic is ok.  Anything else and we
141 		 * stop dead in our tracks.
142 		 */
143 		fa = bp->b_ops->verify_struct(bp);
144 		dsl = bp->b_addr;
145 		magic_ok = dsl->sl_magic == cpu_to_be32(XFS_SYMLINK_MAGIC);
146 		hdr_ok = xfs_symlink_hdr_ok(ip->i_ino, offset, byte_cnt, bp);
147 		if (!hdr_ok || (fa != NULL && !magic_ok))
148 			break;
149 
150 		memcpy(target_buf + offset, dsl + 1, byte_cnt);
151 
152 		len -= byte_cnt;
153 		offset += byte_cnt;
154 	}
155 	return offset;
156 }
157 
158 /*
159  * Try to salvage an inline symlink's contents.  Returns the number of bytes
160  * salvaged or a negative errno.
161  */
162 STATIC ssize_t
163 xrep_symlink_salvage_inline(
164 	struct xfs_scrub	*sc)
165 {
166 	struct xfs_inode	*ip = sc->ip;
167 	char			*target_buf = sc->buf;
168 	char			*old_target;
169 	struct xfs_ifork	*ifp;
170 	unsigned int		nr;
171 
172 	ifp = xfs_ifork_ptr(ip, XFS_DATA_FORK);
173 	if (!ifp->if_data)
174 		return 0;
175 
176 	/*
177 	 * If inode repair zapped the link target, pretend that we didn't find
178 	 * any bytes at all so that we can replace the (now totally lost) link
179 	 * target with a warning message.
180 	 */
181 	old_target = ifp->if_data;
182 	if (xfs_inode_has_sickness(sc->ip, XFS_SICK_INO_SYMLINK_ZAPPED) &&
183 	    sc->ip->i_disk_size == 1 && old_target[0] == '?')
184 		return 0;
185 
186 	nr = min(XFS_SYMLINK_MAXLEN, xfs_inode_data_fork_size(ip));
187 	strncpy(target_buf, ifp->if_data, nr);
188 	return nr;
189 }
190 
191 #define DUMMY_TARGET \
192 	"The target of this symbolic link could not be recovered at all and " \
193 	"has been replaced with this explanatory message.  To avoid " \
194 	"accidentally pointing to an existing file path, this message is " \
195 	"longer than the maximum supported file name length.  That is an " \
196 	"acceptable length for a symlink target on XFS but will produce " \
197 	"File Name Too Long errors if resolved."
198 
199 /* Salvage whatever we can of the target. */
200 STATIC int
201 xrep_symlink_salvage(
202 	struct xfs_scrub	*sc)
203 {
204 	char			*target_buf = sc->buf;
205 	ssize_t			buflen = 0;
206 
207 	BUILD_BUG_ON(sizeof(DUMMY_TARGET) - 1 <= NAME_MAX);
208 
209 	/*
210 	 * Salvage the target if there weren't any corruption problems observed
211 	 * while scanning it.
212 	 */
213 	if (!(sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)) {
214 		if (sc->ip->i_df.if_format == XFS_DINODE_FMT_LOCAL)
215 			buflen = xrep_symlink_salvage_inline(sc);
216 		else
217 			buflen = xrep_symlink_salvage_remote(sc);
218 		if (buflen < 0)
219 			return buflen;
220 
221 		/*
222 		 * NULL-terminate the buffer because the ondisk target does not
223 		 * do that for us.  If salvage didn't find the exact amount of
224 		 * data that we expected to find, don't salvage anything.
225 		 */
226 		target_buf[buflen] = 0;
227 		if (strlen(target_buf) != sc->ip->i_disk_size)
228 			buflen = 0;
229 	}
230 
231 	/*
232 	 * Change an empty target into a dummy target and clear the symlink
233 	 * target zapped flag.
234 	 */
235 	if (buflen == 0) {
236 		sc->sick_mask |= XFS_SICK_INO_SYMLINK_ZAPPED;
237 		sprintf(target_buf, DUMMY_TARGET);
238 	}
239 
240 	trace_xrep_symlink_salvage_target(sc->ip, target_buf,
241 			strlen(target_buf));
242 	return 0;
243 }
244 
245 STATIC void
246 xrep_symlink_local_to_remote(
247 	struct xfs_trans	*tp,
248 	struct xfs_buf		*bp,
249 	struct xfs_inode	*ip,
250 	struct xfs_ifork	*ifp,
251 	void			*priv)
252 {
253 	struct xfs_scrub	*sc = priv;
254 	struct xfs_dsymlink_hdr	*dsl = bp->b_addr;
255 
256 	xfs_symlink_local_to_remote(tp, bp, ip, ifp, NULL);
257 
258 	if (!xfs_has_crc(sc->mp))
259 		return;
260 
261 	dsl->sl_owner = cpu_to_be64(sc->ip->i_ino);
262 	xfs_trans_log_buf(tp, bp, 0,
263 			  sizeof(struct xfs_dsymlink_hdr) + ifp->if_bytes - 1);
264 }
265 
266 /*
267  * Prepare both links' data forks for an exchange.  Promote the tempfile from
268  * local format to extents format, and if the file being repaired has a short
269  * format data fork, turn it into an empty extent list.
270  */
271 STATIC int
272 xrep_symlink_swap_prep(
273 	struct xfs_scrub	*sc,
274 	bool			temp_local,
275 	bool			ip_local)
276 {
277 	int			error;
278 
279 	/*
280 	 * If the temp link is in shortform format, convert that to a remote
281 	 * target so that we can use the atomic mapping exchange.
282 	 */
283 	if (temp_local) {
284 		int		logflags = XFS_ILOG_CORE;
285 
286 		error = xfs_bmap_local_to_extents(sc->tp, sc->tempip, 1,
287 				&logflags, XFS_DATA_FORK,
288 				xrep_symlink_local_to_remote,
289 				sc);
290 		if (error)
291 			return error;
292 
293 		xfs_trans_log_inode(sc->tp, sc->ip, 0);
294 
295 		error = xfs_defer_finish(&sc->tp);
296 		if (error)
297 			return error;
298 	}
299 
300 	/*
301 	 * If the file being repaired had a shortform data fork, convert that
302 	 * to an empty extent list in preparation for the atomic mapping
303 	 * exchange.
304 	 */
305 	if (ip_local) {
306 		struct xfs_ifork	*ifp;
307 
308 		ifp = xfs_ifork_ptr(sc->ip, XFS_DATA_FORK);
309 		xfs_idestroy_fork(ifp);
310 		ifp->if_format = XFS_DINODE_FMT_EXTENTS;
311 		ifp->if_nextents = 0;
312 		ifp->if_bytes = 0;
313 		ifp->if_data = NULL;
314 		ifp->if_height = 0;
315 
316 		xfs_trans_log_inode(sc->tp, sc->ip,
317 				XFS_ILOG_CORE | XFS_ILOG_DDATA);
318 	}
319 
320 	return 0;
321 }
322 
323 /* Exchange the temporary symlink's data fork with the one being repaired. */
324 STATIC int
325 xrep_symlink_swap(
326 	struct xfs_scrub	*sc)
327 {
328 	struct xrep_tempexch	*tx = sc->buf;
329 	bool			ip_local, temp_local;
330 	int			error;
331 
332 	ip_local = sc->ip->i_df.if_format == XFS_DINODE_FMT_LOCAL;
333 	temp_local = sc->tempip->i_df.if_format == XFS_DINODE_FMT_LOCAL;
334 
335 	/*
336 	 * If the both links have a local format data fork and the rebuilt
337 	 * remote data would fit in the repaired file's data fork, copy the
338 	 * contents from the tempfile and declare ourselves done.
339 	 */
340 	if (ip_local && temp_local &&
341 	    sc->tempip->i_disk_size <= xfs_inode_data_fork_size(sc->ip)) {
342 		xrep_tempfile_copyout_local(sc, XFS_DATA_FORK);
343 		return 0;
344 	}
345 
346 	/* Otherwise, make sure both data forks are in block-mapping mode. */
347 	error = xrep_symlink_swap_prep(sc, temp_local, ip_local);
348 	if (error)
349 		return error;
350 
351 	return xrep_tempexch_contents(sc, tx);
352 }
353 
354 /*
355  * Free all the remote blocks and reset the data fork.  The caller must join
356  * the inode to the transaction.  This function returns with the inode joined
357  * to a clean scrub transaction.
358  */
359 STATIC int
360 xrep_symlink_reset_fork(
361 	struct xfs_scrub	*sc)
362 {
363 	struct xfs_ifork	*ifp = xfs_ifork_ptr(sc->tempip, XFS_DATA_FORK);
364 	int			error;
365 
366 	/* Unmap all the remote target buffers. */
367 	if (xfs_ifork_has_extents(ifp)) {
368 		error = xrep_reap_ifork(sc, sc->tempip, XFS_DATA_FORK);
369 		if (error)
370 			return error;
371 	}
372 
373 	trace_xrep_symlink_reset_fork(sc->tempip);
374 
375 	/* Reset the temp symlink target to dummy content. */
376 	xfs_idestroy_fork(ifp);
377 	return xfs_symlink_write_target(sc->tp, sc->tempip, sc->tempip->i_ino,
378 			"?", 1, 0, 0);
379 }
380 
381 /*
382  * Reinitialize a link target.  Caller must ensure the inode is joined to
383  * the transaction.
384  */
385 STATIC int
386 xrep_symlink_rebuild(
387 	struct xfs_scrub	*sc)
388 {
389 	struct xrep_tempexch	*tx;
390 	char			*target_buf = sc->buf;
391 	xfs_fsblock_t		fs_blocks;
392 	unsigned int		target_len;
393 	unsigned int		resblks;
394 	int			error;
395 
396 	/* How many blocks do we need? */
397 	target_len = strlen(target_buf);
398 	ASSERT(target_len != 0);
399 	if (target_len == 0 || target_len > XFS_SYMLINK_MAXLEN)
400 		return -EFSCORRUPTED;
401 
402 	trace_xrep_symlink_rebuild(sc->ip);
403 
404 	/*
405 	 * In preparation to write the new symlink target to the temporary
406 	 * file, drop the ILOCK of the file being repaired (it shouldn't be
407 	 * joined) and take the ILOCK of the temporary file.
408 	 *
409 	 * The VFS does not take the IOLOCK while reading a symlink (and new
410 	 * symlinks are hidden with INEW until they've been written) so it's
411 	 * possible that a readlink() could see the old corrupted contents
412 	 * while we're doing this.
413 	 */
414 	xchk_iunlock(sc, XFS_ILOCK_EXCL);
415 	xrep_tempfile_ilock(sc);
416 	xfs_trans_ijoin(sc->tp, sc->tempip, 0);
417 
418 	/*
419 	 * Reserve resources to reinitialize the target.  We're allowed to
420 	 * exceed file quota to repair inconsistent metadata, though this is
421 	 * unlikely.
422 	 */
423 	fs_blocks = xfs_symlink_blocks(sc->mp, target_len);
424 	resblks = xfs_symlink_space_res(sc->mp, target_len, fs_blocks);
425 	error = xfs_trans_reserve_quota_nblks(sc->tp, sc->tempip, resblks, 0,
426 			true);
427 	if (error)
428 		return error;
429 
430 	/* Erase the dummy target set up by the tempfile initialization. */
431 	xfs_idestroy_fork(&sc->tempip->i_df);
432 	sc->tempip->i_df.if_bytes = 0;
433 	sc->tempip->i_df.if_format = XFS_DINODE_FMT_EXTENTS;
434 
435 	/* Write the salvaged target to the temporary link. */
436 	error = xfs_symlink_write_target(sc->tp, sc->tempip, sc->ip->i_ino,
437 			target_buf, target_len, fs_blocks, resblks);
438 	if (error)
439 		return error;
440 
441 	/*
442 	 * Commit the repair transaction so that we can use the atomic mapping
443 	 * exchange functions to compute the correct block reservations and
444 	 * re-lock the inodes.
445 	 */
446 	target_buf = NULL;
447 	error = xrep_trans_commit(sc);
448 	if (error)
449 		return error;
450 
451 	/* Last chance to abort before we start committing fixes. */
452 	if (xchk_should_terminate(sc, &error))
453 		return error;
454 
455 	xrep_tempfile_iunlock(sc);
456 
457 	/*
458 	 * We're done with the temporary buffer, so we can reuse it for the
459 	 * tempfile contents exchange information.
460 	 */
461 	tx = sc->buf;
462 	error = xrep_tempexch_trans_alloc(sc, XFS_DATA_FORK, tx);
463 	if (error)
464 		return error;
465 
466 	/*
467 	 * Exchange the temp link's data fork with the file being repaired.
468 	 * This recreates the transaction and takes the ILOCKs of the file
469 	 * being repaired and the temporary file.
470 	 */
471 	error = xrep_symlink_swap(sc);
472 	if (error)
473 		return error;
474 
475 	/*
476 	 * Release the old symlink blocks and reset the data fork of the temp
477 	 * link to an empty shortform link.  This is the last repair action we
478 	 * perform on the symlink, so we don't need to clean the transaction.
479 	 */
480 	return xrep_symlink_reset_fork(sc);
481 }
482 
483 /* Repair a symbolic link. */
484 int
485 xrep_symlink(
486 	struct xfs_scrub	*sc)
487 {
488 	int			error;
489 
490 	/* The rmapbt is required to reap the old data fork. */
491 	if (!xfs_has_rmapbt(sc->mp))
492 		return -EOPNOTSUPP;
493 	/* We require atomic file exchange range to rebuild anything. */
494 	if (!xfs_has_exchange_range(sc->mp))
495 		return -EOPNOTSUPP;
496 
497 	ASSERT(sc->ilock_flags & XFS_ILOCK_EXCL);
498 
499 	error = xrep_symlink_salvage(sc);
500 	if (error)
501 		return error;
502 
503 	/* Now reset the target. */
504 	error = xrep_symlink_rebuild(sc);
505 	if (error)
506 		return error;
507 
508 	return xrep_trans_commit(sc);
509 }
510