Commit ed0d232d authored Dec 26, 2018 by Richard Weinberger Committed by Greg Kroah-Hartman Dec 29, 2018

ubifs: Handle re-linking of inodes correctly while recovery



commit e58725d51fa8da9133f3f1c54170aa2e43056b91 upstream.

UBIFS's recovery code strictly assumes that a deleted inode will never
come back, therefore it removes all data which belongs to that inode
as soon it faces an inode with link count 0 in the replay list.
Before O_TMPFILE this assumption was perfectly fine. With O_TMPFILE
it can lead to data loss upon a power-cut.

Consider a journal with entries like:
0: inode X (nlink = 0) /* O_TMPFILE was created */
1: data for inode X /* Someone writes to the temp file */
2: inode X (nlink = 0) /* inode was changed, xattr, chmod, … */
3: inode X (nlink = 1) /* inode was re-linked via linkat() */

Upon replay of entry #2 UBIFS will drop all data that belongs to inode X,
this will lead to an empty file after mounting.

As solution for this problem, scan the replay list for a re-link entry
before dropping data.

Fixes: 474b9370 ("ubifs: Implement O_TMPFILE")
Cc: stable@vger.kernel.org # 4.9-4.18
Cc: Russell Senior <russell@personaltelco.net>
Cc: Rafał Miłecki <zajec5@gmail.com>
Reported-by: Russell Senior <russell@personaltelco.net>
Reported-by: Rafał Miłecki <zajec5@gmail.com>
Tested-by: Rafał Miłecki <rafal@milecki.pl>
Signed-off-by: Richard Weinberger <richard@nod.at>
[rmilecki: update ubifs_assert() calls to compile with 4.18 and older]
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit e58725d51fa8da9133f3f1c54170aa2e43056b91)
Signed-off-by: Sasha Levin <sashal@kernel.org>

parent 089651ef

fs/ubifs/replay.c

+37 −0

Original line number	Diff line number	Diff line
		@@ -209,6 +209,38 @@ static int trun_remove_range(struct ubifs_info c, struct replay_entry r)
		return ubifs_tnc_remove_range(c, &min_key, &max_key);
		}

		/**
		* inode_still_linked - check whether inode in question will be re-linked.
		* @c: UBIFS file-system description object
		* @rino: replay entry to test
		*
		* O_TMPFILE files can be re-linked, this means link count goes from 0 to 1.
		* This case needs special care, otherwise all references to the inode will
		* be removed upon the first replay entry of an inode with link count 0
		* is found.
		*/
		static bool inode_still_linked(struct ubifs_info c, struct replay_entry rino)
		{
		struct replay_entry *r;

		ubifs_assert(rino->deletion);
		ubifs_assert(key_type(c, &rino->key) == UBIFS_INO_KEY);

		/*
		* Find the most recent entry for the inode behind @rino and check
		* whether it is a deletion.
		*/
		list_for_each_entry_reverse(r, &c->replay_list, list) {
		ubifs_assert(r->sqnum >= rino->sqnum);
		if (key_inum(c, &r->key) == key_inum(c, &rino->key))
		return r->deletion == 0;

		}

		ubifs_assert(0);
		return false;
		}

		/**
		* apply_replay_entry - apply a replay entry to the TNC.
		* @c: UBIFS file-system description object
		@@ -239,6 +271,11 @@ static int apply_replay_entry(struct ubifs_info c, struct replay_entry r)
		{
		ino_t inum = key_inum(c, &r->key);

		if (inode_still_linked(c, r)) {
		err = 0;
		break;
		}

		err = ubifs_tnc_remove_ino(c, inum);
		break;
		}