Re: [PATCH] ubifs: Handle re-linking of inodes correctly while recovery

[Richard Weinberger]

Am Donnerstag, 1. November 2018, 09:55:53 CET schrieb RafaÅ MiÅecki:
> On Sun, 28 Oct 2018 at 22:44, Richard Weinberger <richard@xxxxxx> wrote:
> > UBIFS's recovery code strictly assumes that a deleted inode will never
> > come back, therefore it removes all data which belongs to that inode
> > as soon it faces an inode with link count 0 in the replay list.
> > Before O_TMPFILE this assumption was perfectly fine. With O_TMPFILE
> > it can lead to data loss upon a power-cut.
> >
> > Consider a journal with entries like:
> > 0: inode X (nlink = 0) /* O_TMPFILE was created */
> > 1: data for inode X /* Someone writes to the temp file */
> > 2: inode X (nlink = 0) /* inode was changed, xattr, chmod, â */
> > 3: inode X (nlink = 1) /* inode was re-linked via linkat() */
> >
> > Upon replay of entry #2 UBIFS will drop all data that belongs to inode X,
> > this will lead to an empty file after mounting.
> >
> > As solution for this problem, scan the replay list for a re-link entry
> > before dropping data.
> >
> > Fixes: 474b93704f32 ("ubifs: Implement O_TMPFILE")
> > Cc: stable@xxxxxxxxxxxxxxx
> > Reported-by: Russell Senior <russell@xxxxxxxxxxxxxxxxx>
> > Reported-by: RafaÅ MiÅecki <zajec5@xxxxxxxxx>
> > Signed-off-by: Richard Weinberger <richard@xxxxxx>
> 
> Thank you Richard!!!
> 
> Tested-by: RafaÅ MiÅecki <rafal@xxxxxxxxxx>

Thanks for testing and providing the reproducer!
I'll send a v2 of the patch soon where I've optimized the list scanning more.
In fact, the correct and fasted approach is walking the replay list backwards
to find the final link state of an inode.

Thanks,
//richard