ubifs: Handle re-linking of inodes correctly while recovery

UBIFS's recovery code strictly assumes that a deleted inode will never come back, therefore it removes all data which belongs to that inode as soon it faces an inode with link count 0 in the replay list. Before O_TMPFILE this assumption was perfectly fine. With O_TMPFILE it can lead to data loss upon a power-cut. Consider a journal with entries like: 0: inode X (nlink = 0) /* O_TMPFILE was created */ 1: data for inode X /* Someone writes to the temp file */ 2: inode X (nlink = 0) /* inode was changed, xattr, chmod, … */ 3: inode X (nlink = 1) /* inode was re-linked via linkat() */ Upon replay of entry #2 UBIFS will drop all data that belongs to inode X, this will lead to an empty file after mounting. As solution for this problem, scan the replay list for a re-link entry before dropping data. Fixes: 474b93704f32 ("ubifs: Implement O_TMPFILE") Cc: stable@vger.kernel.org Cc: Russell Senior <russell@personaltelco.net> Cc: Rafał Miłecki <zajec5@gmail.com> Reported-by: Russell Senior <russell@personaltelco.net> Reported-by: Rafał Miłecki <zajec5@gmail.com> Tested-by: Rafał Miłecki <rafal@milecki.pl> Signed-off-by: Richard Weinberger <richard@nod.at>
author: Richard Weinberger <richard@nod.at> 2018-11-07 17:04:43 -0500
committer: Richard Weinberger <richard@nod.at> 2018-12-13 16:18:24 -0500
commit: e58725d51fa8da9133f3f1c54170aa2e43056b91 (patch)
tree: f0962af31727da74c8696c140f6b5fb9c69b5451 /fs/ubifs
parent: e542087701f09418702673631a908429feb3eae0 (diff)
1 files changed, 37 insertions, 0 deletions
diff --git a/fs/ubifs/replay.c b/fs/ubifs/replay.c
index a08c5b7030ea..0a0e65c07c6d 100644
--- a/fs/ubifs/replay.c
+++ b/fs/ubifs/replay.c
@@ -213,6 +213,38 @@ static int trun_remove_range(struct ubifs_info *c, struct replay_entry *r)
 }
 /**
+ * inode_still_linked - check whether inode in question will be re-linked.
+ * @c: UBIFS file-system description object
+ * @rino: replay entry to test
+ *
+ * O_TMPFILE files can be re-linked, this means link count goes from 0 to 1.
+ * This case needs special care, otherwise all references to the inode will
+ * be removed upon the first replay entry of an inode with link count 0
+ * is found.
+ */
+static bool inode_still_linked(struct ubifs_info *c, struct replay_entry *rino)
+{
+        struct replay_entry *r;
+        ubifs_assert(c, rino->deletion);
+        ubifs_assert(c, key_type(c, &rino->key) == UBIFS_INO_KEY);
+        /*
+         * Find the most recent entry for the inode behind @rino and check
+         * whether it is a deletion.
+         */
+        list_for_each_entry_reverse(r, &c->replay_list, list) {
+                ubifs_assert(c, r->sqnum >= rino->sqnum);
+                if (key_inum(c, &r->key) == key_inum(c, &rino->key))
+                        return r->deletion == 0;
+        }
+        ubifs_assert(c, 0);
+        return false;
+}
+/**
 * apply_replay_entry - apply a replay entry to the TNC.
 * @c: UBIFS file-system description object
 * @r: replay entry to apply
@@ -239,6 +271,11 @@ static int apply_replay_entry(struct ubifs_info *c, struct replay_entry *r)
                        {
                                ino_t inum = key_inum(c, &r->key);
+                                if (inode_still_linked(c, r)) {
+                                        err = 0;
+                                        break;
+                                }
                                err = ubifs_tnc_remove_ino(c, inum);
                                break;
                        }
author	Richard Weinberger <richard@nod.at>	2018-11-07 17:04:43 -0500
committer	Richard Weinberger <richard@nod.at>	2018-12-13 16:18:24 -0500
commit	e58725d51fa8da9133f3f1c54170aa2e43056b91 (patch)
tree	f0962af31727da74c8696c140f6b5fb9c69b5451 /fs/ubifs
parent	e542087701f09418702673631a908429feb3eae0 (diff)

diff --git a/fs/ubifs/replay.c b/fs/ubifs/replay.c index a08c5b7030ea..0a0e65c07c6d 100644 --- a/fs/ubifs/replay.c +++ b/fs/ubifs/replay.c
@@ -213,6 +213,38 @@ static int trun_remove_range(struct ubifs_info c, struct replay_entry r)
213	}	213	}
214		214
215	/**	215	/**
		216	* inode_still_linked - check whether inode in question will be re-linked.
		217	* @c: UBIFS file-system description object
		218	* @rino: replay entry to test
		219	*
		220	* O_TMPFILE files can be re-linked, this means link count goes from 0 to 1.
		221	* This case needs special care, otherwise all references to the inode will
		222	* be removed upon the first replay entry of an inode with link count 0
		223	* is found.
		224	*/
		225	static bool inode_still_linked(struct ubifs_info c, struct replay_entry rino)
		226	{
		227	struct replay_entry *r;
		228
		229	ubifs_assert(c, rino->deletion);
		230	ubifs_assert(c, key_type(c, &rino->key) == UBIFS_INO_KEY);
		231
		232	/*
		233	* Find the most recent entry for the inode behind @rino and check
		234	* whether it is a deletion.
		235	*/
		236	list_for_each_entry_reverse(r, &c->replay_list, list) {
		237	ubifs_assert(c, r->sqnum >= rino->sqnum);
		238	if (key_inum(c, &r->key) == key_inum(c, &rino->key))
		239	return r->deletion == 0;
		240
		241	}
		242
		243	ubifs_assert(c, 0);
		244	return false;
		245	}
		246
		247	/**
216	* apply_replay_entry - apply a replay entry to the TNC.	248	* apply_replay_entry - apply a replay entry to the TNC.
217	* @c: UBIFS file-system description object	249	* @c: UBIFS file-system description object
218	* @r: replay entry to apply	250	* @r: replay entry to apply
@@ -239,6 +271,11 @@ static int apply_replay_entry(struct ubifs_info c, struct replay_entry r)
239	{	271	{
240	ino_t inum = key_inum(c, &r->key);	272	ino_t inum = key_inum(c, &r->key);
241		273
		274	if (inode_still_linked(c, r)) {
		275	err = 0;
		276	break;
		277	}
		278
242	err = ubifs_tnc_remove_ino(c, inum);	279	err = ubifs_tnc_remove_ino(c, inum);
243	break;	280	break;
244	}	281	}