[RFC PATCH mtd-utils 083/110] fsck.ubifs: Ensure that TNC LEB can be scanned successful

From: Zhihao Cheng
Date: Fri Jun 07 2024 - 00:48:22 EST


This is the second part of 6/18 step in fsck. Add an extra checking for
non-check mode while traversing TNC, make sure that all LEBs(contains TNC)
can be scanned successful. There could be following steps and possible
errors:
Step 2. Scan all LEBs(contain TNC), remove TNC branch which points to
corrupted LEB.
a. corrupted node is found by scanning: If current node is index node,
danger mode with rebuild_fs and normal mode with 'yes' answer will
turn to rebuild filesystem, other modes will exit; If current node
is non-index node, danger mode and normal mode with 'yes' answer
will remove all TNC branches which point to the corrupted LEB,
other modes will exit.
b. LEB contains both index and non-index nodes: danger mode with
rebuild_fs and normal mode with 'yes' answer will turn to rebuild
filesystem, other modes will exit.
This is a preparation for space checking, which means that ubifs_scan
will always succeed when check properties for any TNC LEBs. We do this
before checking files(step 7) & extracting dentry tree(step 8), nodes
cannot be dropped(which may corrupted file and make file inconsistent
again) when scanning corrupted as long as the dentry tree is extracted.

Signed-off-by: Zhihao Cheng <chengzhihao1@xxxxxxxxxx>
---
ubifs-utils/fsck.ubifs/check_files.c | 122 +++++++++++++++++++++++++++++++++--
ubifs-utils/fsck.ubifs/fsck.ubifs.c | 1 +
ubifs-utils/fsck.ubifs/fsck.ubifs.h | 2 +-
ubifs-utils/fsck.ubifs/problem.c | 10 +++
4 files changed, 128 insertions(+), 7 deletions(-)

diff --git a/ubifs-utils/fsck.ubifs/check_files.c b/ubifs-utils/fsck.ubifs/check_files.c
index 982c05b7..29848c4e 100644
--- a/ubifs-utils/fsck.ubifs/check_files.c
+++ b/ubifs-utils/fsck.ubifs/check_files.c
@@ -8,6 +8,7 @@
#include <stdio.h>
#include <stdlib.h>

+#include "linux_err.h"
#include "bitops.h"
#include "kmem.h"
#include "ubifs.h"
@@ -25,6 +26,7 @@ struct invalid_node {

struct iteration_info {
struct list_head invalid_nodes;
+ unsigned long *corrupted_lebs;
};

static int add_invalid_node(struct ubifs_info *c, union ubifs_key *key,
@@ -103,6 +105,49 @@ static int construct_file(struct ubifs_info *c, union ubifs_key *key,
return insert_or_update_file(c, tree, sn, key_type(c, key), inum);
}

+static int scan_check_leb(struct ubifs_info *c, int lnum, bool is_idx)
+{
+ int err = 0;
+ struct ubifs_scan_leb *sleb;
+ struct ubifs_scan_node *snod;
+
+ if (FSCK(c)->mode == CHECK_MODE)
+ /* Skip check mode. */
+ return 0;
+
+ ubifs_assert(c, lnum >= c->main_first);
+ if (test_bit(lnum - c->main_first, FSCK(c)->used_lebs))
+ return 0;
+
+ sleb = ubifs_scan(c, lnum, 0, c->sbuf, 0);
+ if (IS_ERR(sleb)) {
+ err = PTR_ERR(sleb);
+ if (test_and_clear_failure_reason_callback(c, FR_DATA_CORRUPTED))
+ err = 1;
+ return err;
+ }
+
+ list_for_each_entry(snod, &sleb->nodes, list) {
+ if (is_idx) {
+ if (snod->type != UBIFS_IDX_NODE) {
+ err = 1;
+ goto out;
+ }
+ } else {
+ if (snod->type == UBIFS_IDX_NODE) {
+ err = 1;
+ goto out;
+ }
+ }
+ }
+
+ set_bit(lnum - c->main_first, FSCK(c)->used_lebs);
+
+out:
+ ubifs_scan_destroy(sleb);
+ return err;
+}
+
static int check_leaf(struct ubifs_info *c, struct ubifs_zbranch *zbr,
void *priv)
{
@@ -127,6 +172,23 @@ static int check_leaf(struct ubifs_info *c, struct ubifs_zbranch *zbr,
return -EINVAL;
}

+ if (test_bit(lnum - c->main_first, iter->corrupted_lebs)) {
+ if (fix_problem(c, SCAN_CORRUPTED, zbr))
+ /* All nodes in corrupted LEB should be removed. */
+ return add_invalid_node(c, key, lnum, offs, iter);
+ return 0;
+ }
+
+ err = scan_check_leb(c, lnum, false);
+ if (err < 0) {
+ return err;
+ } else if (err) {
+ set_bit(lnum - c->main_first, iter->corrupted_lebs);
+ if (fix_problem(c, SCAN_CORRUPTED, zbr))
+ return add_invalid_node(c, key, lnum, offs, iter);
+ return 0;
+ }
+
node = kmalloc(len, GFP_NOFS);
if (!node)
return -ENOMEM;
@@ -147,6 +209,34 @@ out:
return err;
}

+static int check_znode(struct ubifs_info *c, struct ubifs_znode *znode,
+ __unused void *priv)
+{
+ int err;
+ const struct ubifs_zbranch *zbr;
+
+ if (znode->parent)
+ zbr = &znode->parent->zbranch[znode->iip];
+ else
+ zbr = &c->zroot;
+
+ if (zbr->lnum == 0) {
+ /* The znode has been split up. */
+ ubifs_assert(c, zbr->offs == 0 && zbr->len == 0);
+ return 0;
+ }
+
+ err = scan_check_leb(c, zbr->lnum, true);
+ if (err < 0) {
+ return err;
+ } else if (err) {
+ set_failure_reason_callback(c, FR_TNC_CORRUPTED);
+ return -EINVAL;
+ }
+
+ return 0;
+}
+
static int remove_invalid_nodes(struct ubifs_info *c,
struct list_head *invalid_nodes, int error)
{
@@ -176,10 +266,12 @@ static int remove_invalid_nodes(struct ubifs_info *c,
* traverse_tnc_and_construct_files - traverse TNC and construct all files.
* @c: UBIFS file-system description object
*
- * This function checks all index nodes and non-index nodes by traversing TNC,
- * then construct file according to scanned non-index nodes and insert file
- * into file tree. Returns zero in case of success, a negative error code in
- * case of failure.
+ * This function does two things by traversing TNC:
+ * 1. Check all index nodes and non-index nodes, then construct file according
+ * to scanned non-index nodes and insert file into file tree.
+ * 2. Make sure that LEB(contains any nodes from TNC) can be scanned by
+ * ubifs_scan, and the LEB only contains index nodes or non-index nodes.
+ * Returns zero in case of success, a negative error code in case of failure.
*/
int traverse_tnc_and_construct_files(struct ubifs_info *c)
{
@@ -187,15 +279,33 @@ int traverse_tnc_and_construct_files(struct ubifs_info *c)
struct iteration_info iter;

FSCK(c)->scanned_files = RB_ROOT;
+ FSCK(c)->used_lebs = kcalloc(BITS_TO_LONGS(c->main_lebs),
+ sizeof(unsigned long), GFP_KERNEL);
+ if (!FSCK(c)->used_lebs) {
+ err = -ENOMEM;
+ log_err(c, errno, "can not allocate bitmap of used lebs");
+ return err;
+ }
INIT_LIST_HEAD(&iter.invalid_nodes);
+ iter.corrupted_lebs = kcalloc(BITS_TO_LONGS(c->main_lebs),
+ sizeof(unsigned long), GFP_KERNEL);
+ if (!iter.corrupted_lebs) {
+ err = -ENOMEM;
+ log_err(c, errno, "can not allocate bitmap of corrupted lebs");
+ goto out;
+ }

- err = dbg_walk_index(c, check_leaf, NULL, &iter);
+ err = dbg_walk_index(c, check_leaf, check_znode, &iter);

ret = remove_invalid_nodes(c, &iter.invalid_nodes, err);
if (!err)
err = ret;

- if (err)
+ kfree(iter.corrupted_lebs);
+out:
+ if (err) {
+ kfree(FSCK(c)->used_lebs);
destroy_file_tree(c, &FSCK(c)->scanned_files);
+ }
return err;
}
diff --git a/ubifs-utils/fsck.ubifs/fsck.ubifs.c b/ubifs-utils/fsck.ubifs/fsck.ubifs.c
index c85e9147..1486ab4d 100644
--- a/ubifs-utils/fsck.ubifs/fsck.ubifs.c
+++ b/ubifs-utils/fsck.ubifs/fsck.ubifs.c
@@ -443,6 +443,7 @@ static int do_fsck(void)
return err;
}

+ kfree(FSCK(c)->used_lebs);
destroy_file_tree(c, &FSCK(c)->scanned_files);
return err;
}
diff --git a/ubifs-utils/fsck.ubifs/fsck.ubifs.h b/ubifs-utils/fsck.ubifs/fsck.ubifs.h
index fe6070ac..0d4a0d63 100644
--- a/ubifs-utils/fsck.ubifs/fsck.ubifs.h
+++ b/ubifs-utils/fsck.ubifs/fsck.ubifs.h
@@ -39,7 +39,7 @@ enum { NORMAL_MODE = 0, SAFE_MODE, DANGER_MODE0,
/* Types of inconsistent problems */
enum { SB_CORRUPTED = 0, MST_CORRUPTED, LOG_CORRUPTED, BUD_CORRUPTED,
TNC_CORRUPTED, TNC_DATA_CORRUPTED, ORPHAN_CORRUPTED, INVALID_INO_NODE,
- INVALID_DENT_NODE, INVALID_DATA_NODE };
+ INVALID_DENT_NODE, INVALID_DATA_NODE, SCAN_CORRUPTED };

enum { HAS_DATA_CORRUPTED = 1, HAS_TNC_CORRUPTED = 2 };

diff --git a/ubifs-utils/fsck.ubifs/problem.c b/ubifs-utils/fsck.ubifs/problem.c
index f99fd90e..c5ecd109 100644
--- a/ubifs-utils/fsck.ubifs/problem.c
+++ b/ubifs-utils/fsck.ubifs/problem.c
@@ -45,6 +45,7 @@ static const struct fsck_problem problem_table[] = {
{PROBLEM_FIXABLE | PROBLEM_MUST_FIX | PROBLEM_DROP_DATA, "Invalid inode node"}, // INVALID_INO_NODE
{PROBLEM_FIXABLE | PROBLEM_MUST_FIX | PROBLEM_DROP_DATA, "Invalid dentry node"}, // INVALID_DENT_NODE
{PROBLEM_FIXABLE | PROBLEM_MUST_FIX | PROBLEM_DROP_DATA, "Invalid data node"}, // INVALID_DATA_NODE
+ {PROBLEM_FIXABLE | PROBLEM_MUST_FIX | PROBLEM_DROP_DATA, "Corrupted data is scanned"}, // SCAN_CORRUPTED
};

static const char *get_question(const struct fsck_problem *problem,
@@ -60,6 +61,7 @@ static const char *get_question(const struct fsck_problem *problem,
case INVALID_INO_NODE:
case INVALID_DENT_NODE:
case INVALID_DATA_NODE:
+ case SCAN_CORRUPTED:
return "Drop it?";
case ORPHAN_CORRUPTED:
return "Drop orphans on the LEB?";
@@ -88,6 +90,14 @@ static void print_problem(const struct ubifs_info *c,
log_out(c, "problem: %s %d", problem->desc, *lnum);
break;
}
+ case SCAN_CORRUPTED:
+ {
+ const struct ubifs_zbranch *zbr = (const struct ubifs_zbranch *)priv;
+
+ log_out(c, "problem: %s in LEB %d, node in %d:%d becomes invalid",
+ problem->desc, zbr->lnum, zbr->lnum, zbr->offs);
+ break;
+ }
default:
log_out(c, "problem: %s", problem->desc);
break;
--
2.13.6