Invalid extra isize fields can cause crashes in e2fsprogs and possibly
in the kernel for some architectures due to unaligned accesses.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
We need to prevent unaligned accesses, so treat any extra_isize which
is not a multiple of four as a bug.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
On platforms that don't permit unaligned pointer dereferences,
corrupted file systems as used by the regression test suite can
cause e2fsck and debugfs to crash. Avoid those crashes caused by
corrupted file systems. With this commit the full set of regression
test suites will pass on the sparc64 platform.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Commit 35a4e1b1c5 introduced a regression which caused e2fsck on
32-bit systems to think all timestamps were legacy pre-1970
timestamps. Fix the bug.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
The mk_cmds and compile_et scripts include the build directory, which
breaks the build reproducibility goal of Debian.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
A static code checker noticed that we had a redundant condition:
    if (((sizeof(time_t) <= 4) ||
        ((sizeof(time_t) > 4) &&
which was caused by the parentheses being in the wrong place.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
When the journal is released, s_sequence is set to j_tail_sequence.
But, currently, even if the recovery process is successfully completed,
the j_tail_sequence and, finally, s_sequence are never changed. Because
of this, when we repeatedly power off the device suddenly and execute
e2fsck without a full scan before mount, the s_sequence number will never
change and, in a very rare case, newly generated journal logs will be
surprisingly grafted to the old journal logs. In this case, an out-of-date
metadata log can be replayed on the filesystem area and the filesystem
can be crashed unintentionally by the journal recovery process. Therefore,
we need to update j_tail_sequence after the recovery process is
successfully completed in e2fsck.
Youngjin had repeated this test and found the problem. With our test,
the filesystem crash occurred within 4 hours.
Signed-off-by: Youngjin Gil <youngjin.gil@samsung.com>
Signed-off-by: Daeho Jeong <daeho.jeong@samsung.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
If there is a feature check, we can just depend on the feature check.
If it is something that can't be checked via a feature flag, then
instead of checking for EXT2_OS_LINUX, we should instead check for
*NOT* EXT2_OS_HURD, since HURD is the special case.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
The scratch_files feature is not really needed except on 32-bit
platforms, since tdb's performance is pretty awful given how we are
using it. Maybe SQLite would be faster, but for 64-bit platforms,
enabling swap works fairly well, especially using the rbtree for the
bitmap abstraction.
We leave tdb for Android since it's unlikely that someone will be
trying to connect petabyte+ sized file systems to a mobile handset.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Systems with 32-bit time_t's can be used past 2038, so we should
always modify dates with extra_time=3. (On systems with 64-bit
time_t's we will fix these dates before the year 2242.)
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
If the journal superblock is corrupt and the user declines to fix it
(or runs e2fsck -n), make sure the error messages are clear and
explain that e2fsck cannot (safely) proceed.
Addresses-Debian-Bug: #768162
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Use a large_inode so that when e2fsck is fixing a file system with
project quota enabled, the correct project id's quota is adjusted when
a corrupted inode is deleted.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Some operating systems may not define EBADMSG and EUCLEAN, so for
better portability use our own private error code numbers.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Update the tests to match with the new behavior and error messages.
Also fix test_one so that it doesn't print the failed test output in
the case where the script does not exist.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
If e2fsck_run_ext3_journal() returns an error indicating that a CRC
error was detected, we shouldn't abort, but instead proceed so the
file system can be fixed.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
If the UUID field is NULL, e2fsck will try to generate and set a new
UUID. This will cause massive problems if the metadata_csum feature
is set, so avoid doing so in that case.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Sync up with kernel commit 6a797d27: "ext4: call out CRC and
corruption errors with specific error codes".
This allows us to distinguish between CRC errors and I/O errors.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Most libraries use the "-host" suffix when building for the host. This
patch renames all the libraries to use -host instead of _host.
Addresses-Google-Bug: #24619596
TEST=make dist
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
When adding 'libext2fs' as a library dependency from any other binary,
the binary needs to find the library headers. Users of this library
should not hard-code the include path themselves. This patch exports the
library headers on all three versions of the libext2fs library and
removes the redundant include path from executables in e2fsprogs.
Addresses-Google-Bug: #23084776
TEST=mma
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Older kernels on 64-bit machines would incorrectly encode pre-1970
ext4 dates as post-2311 dates. Detect and correct this (assuming the
current date is before 2242).
Include tests for this, as well as changes to debugfs to correctly
set crtimes.
Signed-off-by: David Turner <novalis@novalis.org>
Signed-off-by: Andreas Dilger <adilger@dilger.ca>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
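The date handling described in the timestamp commits above, as an added C example (not code from e2fsprogs or from these commits). It assumes the ext4 layout in which the low two bits of the "extra" word extend the 32-bit seconds field and the upper 30 bits hold nanoseconds; the function names are hypothetical, and the current time is passed as a 64-bit value, so only the 64-bit time_t case is shown.

```c
#include <stdint.h>
#include <stdio.h>

#define EPOCH_BITS 2                           /* low bits of the "extra" word */
#define EPOCH_MASK ((1u << EPOCH_BITS) - 1)    /* upper 30 bits: nanoseconds */
#define NEGATIVE_DATE_CUTOFF (2 * (1LL << 32)) /* seconds; falls in 2242 */

/* Seconds since 1970: signed low 32 bits plus the epoch bits as bits 32-33. */
int64_t decode_seconds(uint32_t xtime, uint32_t extra)
{
    return (int64_t)(int32_t)xtime + ((int64_t)(extra & EPOCH_MASK) << 32);
}

/* Signature of the mis-encoding: sign bit set and both epoch bits set. */
int has_negative_epoch(uint32_t xtime, uint32_t extra)
{
    return (xtime & (1u << 31)) != 0 && (extra & EPOCH_MASK) == EPOCH_MASK;
}

/* Clear the epoch bits if the timestamp carries the signature and "now" is
 * before the cutoff. Returns 1 if *extra was changed. */
int fix_negative_epoch(uint32_t xtime, uint32_t *extra, int64_t now)
{
    if (!has_negative_epoch(xtime, *extra) || now >= NEGATIVE_DATE_CUTOFF)
        return 0;
    *extra &= ~EPOCH_MASK; /* nanoseconds are left untouched */
    return 1;
}

int main(void)
{
    /* Constructed sample: one second before 1970, 500 ns, bad epoch bits. */
    uint32_t xtime = 0xFFFFFFFFu, extra = (500u << EPOCH_BITS) | 3u;
    int64_t now = 1450000000; /* constructed "current time", late 2015 */

    printf("before: %lld\n", (long long)decode_seconds(xtime, extra));
    printf("fixed:  %d\n", fix_negative_epoch(xtime, &extra, now));
    printf("after:  %lld\n", (long long)decode_seconds(xtime, extra));
    return 0;
}
```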
Remove the stray left parenthesis. Observed while testing bigalloc_1k
filesystems with shared/298 on 32 bit ARM running 4.3 kernels.
Signed-off-by: Eric Whitney <enwlinux@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
This patch adds project quota support. A new quota type PRJQUOTA(2)
is added. EXT4_PRJ_QUOTA_INO(11) is reserved for project quota inode.
The super block reserves a field s_prj_quota_inum for saving
project quota inode. And each inode adds an internal field i_projid
for saving its project ID.
Signed-off-by: Li Xi <lixi@ddn.com>
Signed-off-by: Wang Shilong <wshilong@ddn.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Project quota related fields are reserved in the Linux kernel.
As a preparation for it, this patch cleans up the quota code
of e2fsprogs so as to make it easier to add new quota type(s).
Signed-off-by: Li Xi <lixi@ddn.com>
Signed-off-by: Wang Shilong <wshilong@ddn.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
When an extent-mapped directory is compacted by "e2fsck -fD" and
frees enough leaf blocks that it loses an extent tree index block,
the old e2fsck_rehash_dir->ext2fs_block_iterate3->write_dir_block()
code would not free the extent block, which would result in the
extent tree becoming corrupted when it is written out.
    Pass 1: Checking inodes, blocks, and sizes
    Inode 17825800, end of extent exceeds allowed value
        (logical block 710, physical block 570459684, len 1019)
This results in loss of a whole index block of directory leaf blocks
and maybe thousands or millions of files in lost+found.
Fix e2fsck_rehash_dir() to call ext2fs_punch() to free the blocks
at the end of the directory instead of trying to handle this itself
while writing out the directory. That properly handles all of the
cases of updating the extent tree as well as accounting for blocks
that are released (both leaf blocks and index blocks).
Add a test case for compacting the directory to be smaller than the
index block that originally caused the corruption.
Signed-off-by: Andreas Dilger <andreas.dilger@intel.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
The kernel requires all inodes with the extent flag set to have a
valid extent tree header in i_block. The ext2fs_extent_open2 prefers
to initialize the header if i_block is zeroed, but e2fsck never writes
the new header to disk. Since the kernel won't create inodes with the
flag and no header anyway, zap such files.
Reported-by: Bo Branten <bosse@acc.umu.se>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
In check_inode_extra_space(), if we attempt to read an EA header at
the end of the extra space, in a corrupted filesystem it may result in
a read beyond the bounds of the inode. Add a check to prevent this.
Reproduced by running ./test_one --valgrind f_write_ea_toobig_extra_isize.
Signed-off-by: Artemiy Volkov <artemiyv@acm.org>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Acked-by: Darrick J. Wong <darrick.wong@oracle.com>
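The extra_isize checks described in the commits above (multiple of four, and no EA header read past the end of the inode), as an added C example that is not taken from e2fsprogs. The function names, the lower bound of 4 and the 256-byte sample inode are assumptions of this example; the sample places an EA magic just past the end of the inode to show that the bounds check refuses to look at it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define GOOD_OLD_INODE_SIZE 128u /* fixed part of an on-disk inode */
#define EA_MAGIC 0xEA020000u     /* magic of an in-inode xattr header */

/* Little-endian loads, byte by byte: no unaligned pointer dereference. */
static uint16_t le16(const unsigned char *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t le32(const unsigned char *p)
{
    return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}

/* 1 if extra_isize is in range and a multiple of four, else 0.
 * The lower bound of 4 (two 16-bit fields) is an assumption of this example. */
int extra_isize_ok(uint16_t extra, size_t inode_size)
{
    if (inode_size <= GOOD_OLD_INODE_SIZE) return 0;
    if (extra < 4 || extra > inode_size - GOOD_OLD_INODE_SIZE) return 0;
    return (extra & 3) == 0;
}

/* 1: EA magic found, 0: no EA header or no room for one, -1: bad extra_isize. */
int inode_ea_magic(const unsigned char *raw, size_t inode_size)
{
    if (inode_size < GOOD_OLD_INODE_SIZE + 2) return -1;
    uint16_t extra = le16(raw + GOOD_OLD_INODE_SIZE);
    if (!extra_isize_ok(extra, inode_size)) return -1;
    size_t off = GOOD_OLD_INODE_SIZE + extra;
    if (off + sizeof(uint32_t) > inode_size) return 0; /* read would leave the inode */
    return le32(raw + off) == EA_MAGIC;
}

/* Constructed sample: a 256-byte inode followed by 8 bytes of neighbouring data. */
int sample(uint16_t extra, int put_magic)
{
    unsigned char raw[256 + 8] = {0};
    size_t off = GOOD_OLD_INODE_SIZE + (size_t)extra;
    raw[128] = extra & 0xff; raw[129] = extra >> 8;
    if (put_magic && off + 4 <= sizeof(raw)) { /* EA_MAGIC, little-endian */
        raw[off + 2] = 0x02; raw[off + 3] = 0xEA;
    }
    return inode_ea_magic(raw, 256);
}

int main(void)
{
    return printf("%d %d %d\n", sample(32, 1), sample(30, 1), sample(128, 1)) < 0;
}
```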
There is a bug in how e2fsck handles being interrupted by CTRL-C.
If CTRL-C is pressed to kill e2fsck rather than e.g. kill -9, then
the interrupt handler sets E2F_FLAG_CANCEL in the context but doesn't
actually kill the process. Instead, e2fsck_pass1() checks this flag
before processing the next inode.
If a filesystem check running in fix mode (e2fsck -fy) is interrupted,
and the quota feature is enabled, then the quota file will still be
written to disk even though the inode scan was not complete and the
quota information is totally inaccurate. Even worse, if the Pass 1
inode and block scan was not finished, then the in-memory block
bitmaps (which are used for block allocation during e2fsck) are also
invalid, so any blocks allocated to the quota files may corrupt other
files if those blocks were actually used.
    e2fsck 1.42.13.wc3 (28-Aug-2015)
    Pass 1: Checking inodes, blocks, and sizes
    ^C[QUOTA WARNING] Usage inconsistent for ID 0:
        actual (6455296, 168) != expected (8568832, 231)
    [QUOTA WARNING] Usage inconsistent for ID 695:
        actual (614932320256, 63981) != expected (2102405386240, 176432)
    Update quota info for quota type 0? yes
    [QUOTA WARNING] Usage inconsistent for ID 0:
        actual (6455296, 168) != expected (8568832, 231)
    [QUOTA WARNING] Usage inconsistent for ID 538:
        actual (614932320256, 63981) != expected (2102405386240, 176432)
    Update quota info for quota type 1? yes
    myth-OST0001: e2fsck canceled.
    myth-OST0001: ***** FILE SYSTEM WAS MODIFIED *****
There may be a desire to flush out modified inodes and such that have
been repaired, so that restarting an interrupted e2fsck will make
progress, but the quota file update is plain wrong unless at least
pass1 has finished, and the journal recreation is also dangerous if
the block bitmaps have not been fully updated.
Signed-off-by: Andreas Dilger <andreas.dilger@intel.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Create separate predicate functions to test/set/clear feature flags,
thereby replacing the wordy old macros. Furthermore, clean out the
places where we open-coded feature tests.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
We weren't verifying the checksum of an htree leaf block due to a
coding error that marked all htree blocks as not having checksums.
While we're at it, fix the error message that gets displayed so that
it doesn't print a meaningless block offset.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
If there are directory entries with file names which are less than 16
bytes, it turns out that passing less than the crypto block size to
the kernel's crypto layer will cause the kernel to crash.
However, since there never should be encrypted directory entries where
the file name is less than 16 bytes (the AES block size), change
e2fsck to offer to address this corruption by deleting the directory
entry.
(We need to add checks for this condition to the kernel as well.)
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
The /lost+found directory must not be encrypted, since e2fsck won't
have any keys. If we find an encrypted lost+found directory, we
should delete the directory and recreate it.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
The quota code required that we included dict.o in libsupport.a, so we
might as well just move dict.c and dict.h to lib/support, and then
have e2fsck use the version of dict.c in libsupport.a. This
simplifies the build system and eliminates having two identical copies
of dict.o floating around in the build tree.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>