]> git.ipfire.org Git - thirdparty/xfsprogs-dev.git/blob - db/metadump.c
projects / thirdparty / xfsprogs-dev.git / blob
? search:


26a3bd58c6c2e4ef81f6854259f63b7187f997ae
[thirdparty/xfsprogs-dev.git] / db / metadump.c
1 /*
2 * Copyright (c) 2007, 2011 SGI
3 * All Rights Reserved.
4 *
5 * This program is free software; you can redistribute it and/or
6 * modify it under the terms of the GNU General Public License as
7 * published by the Free Software Foundation.
8 *
9 * This program is distributed in the hope that it would be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write the Free Software Foundation,
16 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
17 */
18
19 #include "libxfs.h"
20 #include "libxlog.h"
21 #include "bmap.h"
22 #include "command.h"
23 #include "metadump.h"
24 #include "io.h"
25 #include "output.h"
26 #include "type.h"
27 #include "init.h"
28 #include "sig.h"
29 #include "xfs_metadump.h"
30 #include "fprint.h"
31 #include "faddr.h"
32 #include "field.h"
33 #include "dir2.h"
34
35 #define DEFAULT_MAX_EXT_SIZE 1000
36
37 /*
38 * It's possible that multiple files in a directory (or attributes
39 * in a file) produce the same obfuscated name. If that happens, we
40 * try to create another one. After several rounds of this though,
41 * we just give up and leave the original name as-is.
42 */
43 #define DUP_MAX 5 /* Max duplicates before we give up */
44
45 /* copy all metadata structures to/from a file */
46
47 static int metadump_f(int argc, char **argv);
48 static void metadump_help(void);
49
50 /*
51 * metadump commands issue info/wornings/errors to standard error as
52 * metadump supports stdout as a destination.
53 *
54 * All static functions return zero on failure, while the public functions
55 * return zero on success.
56 */
57
58 static const cmdinfo_t metadump_cmd =
59 { "metadump", NULL, metadump_f, 0, -1, 0,
60 N_("[-a] [-e] [-g] [-m max_extent] [-w] [-o] filename"),
61 N_("dump metadata to a file"), metadump_help };
62
63 static FILE *outf; /* metadump file */
64
65 static xfs_metablock_t *metablock; /* header + index + buffers */
66 static __be64 *block_index;
67 static char *block_buffer;
68
69 static int num_indicies;
70 static int cur_index;
71
72 static xfs_ino_t cur_ino;
73
74 static int show_progress = 0;
75 static int stop_on_read_error = 0;
76 static int max_extent_size = DEFAULT_MAX_EXT_SIZE;
77 static int obfuscate = 1;
78 static int zero_stale_data = 1;
79 static int show_warnings = 0;
80 static int progress_since_warning = 0;
81
82 void
83 metadump_init(void)
84 {
85 add_command(&metadump_cmd);
86 }
87
88 static void
89 metadump_help(void)
90 {
91 dbprintf(_(
92 "\n"
93 " The 'metadump' command dumps the known metadata to a compact file suitable\n"
94 " for compressing and sending to an XFS maintainer for corruption analysis \n"
95 " or xfs_repair failures.\n\n"
96 " Options:\n"
97 " -a -- Copy full metadata blocks without zeroing unused space\n"
98 " -e -- Ignore read errors and keep going\n"
99 " -g -- Display dump progress\n"
100 " -m -- Specify max extent size in blocks to copy (default = %d blocks)\n"
101 " -o -- Don't obfuscate names and extended attributes\n"
102 " -w -- Show warnings of bad metadata information\n"
103 "\n"), DEFAULT_MAX_EXT_SIZE);
104 }
105
106 static void
107 print_warning(const char *fmt, ...)
108 {
109 char buf[200];
110 va_list ap;
111
112 if (seenint())
113 return;
114
115 va_start(ap, fmt);
116 vsnprintf(buf, sizeof(buf), fmt, ap);
117 va_end(ap);
118 buf[sizeof(buf)-1] = '\0';
119
120 fprintf(stderr, "%s%s: %s\n", progress_since_warning ? "\n" : "",
121 progname, buf);
122 progress_since_warning = 0;
123 }
124
125 static void
126 print_progress(const char *fmt, ...)
127 {
128 char buf[60];
129 va_list ap;
130 FILE *f;
131
132 if (seenint())
133 return;
134
135 va_start(ap, fmt);
136 vsnprintf(buf, sizeof(buf), fmt, ap);
137 va_end(ap);
138 buf[sizeof(buf)-1] = '\0';
139
140 f = (outf == stdout) ? stderr : stdout;
141 fprintf(f, "\r%-59s", buf);
142 fflush(f);
143 progress_since_warning = 1;
144 }
145
146 /*
147 * A complete dump file will have a "zero" entry in the last index block,
148 * even if the dump is exactly aligned, the last index will be full of
149 * zeros. If the last index entry is non-zero, the dump is incomplete.
150 * Correspondingly, the last chunk will have a count < num_indicies.
151 *
152 * Return 0 for success, -1 for failure.
153 */
154
155 static int
156 write_index(void)
157 {
158 /*
159 * write index block and following data blocks (streaming)
160 */
161 metablock->mb_count = cpu_to_be16(cur_index);
162 if (fwrite(metablock, (cur_index + 1) << BBSHIFT, 1, outf) != 1) {
163 print_warning("error writing to file: %s", strerror(errno));
164 return -errno;
165 }
166
167 memset(block_index, 0, num_indicies * sizeof(__be64));
168 cur_index = 0;
169 return 0;
170 }
171
172 /*
173 * Return 0 for success, -errno for failure.
174 */
175 static int
176 write_buf_segment(
177 char *data,
178 __int64_t off,
179 int len)
180 {
181 int i;
182 int ret;
183
184 for (i = 0; i < len; i++, off++, data += BBSIZE) {
185 block_index[cur_index] = cpu_to_be64(off);
186 memcpy(&block_buffer[cur_index << BBSHIFT], data, BBSIZE);
187 if (++cur_index == num_indicies) {
188 ret = write_index();
189 if (ret)
190 return -EIO;
191 }
192 }
193 return 0;
194 }
195
196 /*
197 * we want to preserve the state of the metadata in the dump - whether it is
198 * intact or corrupt, so even if the buffer has a verifier attached to it we
199 * don't want to run it prior to writing the buffer to the metadump image.
200 *
201 * The only reason for running the verifier is to recalculate the CRCs on a
202 * buffer that has been obfuscated. i.e. a buffer than metadump modified itself.
203 * In this case, we only run the verifier if the buffer was not corrupt to begin
204 * with so that we don't accidentally correct buffers with CRC or errors in them
205 * when we are obfuscating them.
206 */
207 static int
208 write_buf(
209 iocur_t *buf)
210 {
211 struct xfs_buf *bp = buf->bp;
212 int i;
213 int ret;
214
215 /*
216 * Run the write verifier to recalculate the buffer CRCs and check
217 * metadump didn't introduce a new corruption. Warn if the verifier
218 * failed, but still continue to dump it into the output file.
219 */
220 if (buf->need_crc && bp && bp->b_ops && !bp->b_error) {
221 bp->b_ops->verify_write(bp);
222 if (bp->b_error) {
223 print_warning(
224 "obfuscation corrupted block at %s bno 0x%llx/0x%x",
225 bp->b_ops->name,
226 (long long)bp->b_bn, bp->b_bcount);
227 }
228 }
229
230 /* handle discontiguous buffers */
231 if (!buf->bbmap) {
232 ret = write_buf_segment(buf->data, buf->bb, buf->blen);
233 if (ret)
234 return ret;
235 } else {
236 int len = 0;
237 for (i = 0; i < buf->bbmap->nmaps; i++) {
238 ret = write_buf_segment(buf->data + BBTOB(len),
239 buf->bbmap->b[i].bm_bn,
240 buf->bbmap->b[i].bm_len);
241 if (ret)
242 return ret;
243 len += buf->bbmap->b[i].bm_len;
244 }
245 }
246 return seenint() ? -EINTR : 0;
247 }
248
249 /*
250 * We could be processing a corrupt block, so we can't trust any of
251 * the offsets or lengths to be within the buffer range. Hence check
252 * carefully!
253 */
254 static void
255 zero_btree_node(
256 struct xfs_btree_block *block,
257 typnm_t btype)
258 {
259 int nrecs;
260 xfs_bmbt_ptr_t *bpp;
261 xfs_bmbt_key_t *bkp;
262 xfs_inobt_ptr_t *ipp;
263 xfs_inobt_key_t *ikp;
264 xfs_alloc_ptr_t *app;
265 xfs_alloc_key_t *akp;
266 char *zp1, *zp2;
267 char *key_end;
268
269 nrecs = be16_to_cpu(block->bb_numrecs);
270 if (nrecs < 0)
271 return;
272
273 switch (btype) {
274 case TYP_BMAPBTA:
275 case TYP_BMAPBTD:
276 if (nrecs > mp->m_bmap_dmxr[1])
277 return;
278
279 bkp = XFS_BMBT_KEY_ADDR(mp, block, 1);
280 bpp = XFS_BMBT_PTR_ADDR(mp, block, 1, mp->m_bmap_dmxr[1]);
281 zp1 = (char *)&bkp[nrecs];
282 zp2 = (char *)&bpp[nrecs];
283 key_end = (char *)bpp;
284 break;
285 case TYP_INOBT:
286 case TYP_FINOBT:
287 if (nrecs > mp->m_inobt_mxr[1])
288 return;
289
290 ikp = XFS_INOBT_KEY_ADDR(mp, block, 1);
291 ipp = XFS_INOBT_PTR_ADDR(mp, block, 1, mp->m_inobt_mxr[1]);
292 zp1 = (char *)&ikp[nrecs];
293 zp2 = (char *)&ipp[nrecs];
294 key_end = (char *)ipp;
295 break;
296 case TYP_BNOBT:
297 case TYP_CNTBT:
298 if (nrecs > mp->m_alloc_mxr[1])
299 return;
300
301 akp = XFS_ALLOC_KEY_ADDR(mp, block, 1);
302 app = XFS_ALLOC_PTR_ADDR(mp, block, 1, mp->m_alloc_mxr[1]);
303 zp1 = (char *)&akp[nrecs];
304 zp2 = (char *)&app[nrecs];
305 key_end = (char *)app;
306 break;
307 default:
308 return;
309 }
310
311
312 /* Zero from end of keys to beginning of pointers */
313 memset(zp1, 0, key_end - zp1);
314
315 /* Zero from end of pointers to end of block */
316 memset(zp2, 0, (char *)block + mp->m_sb.sb_blocksize - zp2);
317 }
318
319 /*
320 * We could be processing a corrupt block, so we can't trust any of
321 * the offsets or lengths to be within the buffer range. Hence check
322 * carefully!
323 */
324 static void
325 zero_btree_leaf(
326 struct xfs_btree_block *block,
327 typnm_t btype)
328 {
329 int nrecs;
330 struct xfs_bmbt_rec *brp;
331 struct xfs_inobt_rec *irp;
332 struct xfs_alloc_rec *arp;
333 char *zp;
334
335 nrecs = be16_to_cpu(block->bb_numrecs);
336 if (nrecs < 0)
337 return;
338
339 switch (btype) {
340 case TYP_BMAPBTA:
341 case TYP_BMAPBTD:
342 if (nrecs > mp->m_bmap_dmxr[0])
343 return;
344
345 brp = XFS_BMBT_REC_ADDR(mp, block, 1);
346 zp = (char *)&brp[nrecs];
347 break;
348 case TYP_INOBT:
349 case TYP_FINOBT:
350 if (nrecs > mp->m_inobt_mxr[0])
351 return;
352
353 irp = XFS_INOBT_REC_ADDR(mp, block, 1);
354 zp = (char *)&irp[nrecs];
355 break;
356 case TYP_BNOBT:
357 case TYP_CNTBT:
358 if (nrecs > mp->m_alloc_mxr[0])
359 return;
360
361 arp = XFS_ALLOC_REC_ADDR(mp, block, 1);
362 zp = (char *)&arp[nrecs];
363 break;
364 default:
365 return;
366 }
367
368 /* Zero from end of records to end of block */
369 memset(zp, 0, (char *)block + mp->m_sb.sb_blocksize - zp);
370 }
371
372 static void
373 zero_btree_block(
374 struct xfs_btree_block *block,
375 typnm_t btype)
376 {
377 int level;
378
379 level = be16_to_cpu(block->bb_level);
380
381 if (level > 0)
382 zero_btree_node(block, btype);
383 else
384 zero_btree_leaf(block, btype);
385 }
386
387 static int
388 scan_btree(
389 xfs_agnumber_t agno,
390 xfs_agblock_t agbno,
391 int level,
392 typnm_t btype,
393 void *arg,
394 int (*func)(struct xfs_btree_block *block,
395 xfs_agnumber_t agno,
396 xfs_agblock_t agbno,
397 int level,
398 typnm_t btype,
399 void *arg))
400 {
401 int rval = 0;
402
403 push_cur();
404 set_cur(&typtab[btype], XFS_AGB_TO_DADDR(mp, agno, agbno), blkbb,
405 DB_RING_IGN, NULL);
406 if (iocur_top->data == NULL) {
407 print_warning("cannot read %s block %u/%u", typtab[btype].name,
408 agno, agbno);
409 rval = !stop_on_read_error;
410 goto pop_out;
411 }
412
413 if (zero_stale_data) {
414 zero_btree_block(iocur_top->data, btype);
415 iocur_top->need_crc = 1;
416 }
417
418 if (write_buf(iocur_top))
419 goto pop_out;
420
421 if (!(*func)(iocur_top->data, agno, agbno, level - 1, btype, arg))
422 goto pop_out;
423 rval = 1;
424 pop_out:
425 pop_cur();
426 return rval;
427 }
428
429 /* free space tree copy routines */
430
431 static int
432 valid_bno(
433 xfs_agnumber_t agno,
434 xfs_agblock_t agbno)
435 {
436 if (agno < (mp->m_sb.sb_agcount - 1) && agbno > 0 &&
437 agbno <= mp->m_sb.sb_agblocks)
438 return 1;
439 if (agno == (mp->m_sb.sb_agcount - 1) && agbno > 0 &&
440 agbno <= (mp->m_sb.sb_dblocks -
441 (xfs_rfsblock_t)(mp->m_sb.sb_agcount - 1) *
442 mp->m_sb.sb_agblocks))
443 return 1;
444
445 return 0;
446 }
447
448
449 static int
450 scanfunc_freesp(
451 struct xfs_btree_block *block,
452 xfs_agnumber_t agno,
453 xfs_agblock_t agbno,
454 int level,
455 typnm_t btype,
456 void *arg)
457 {
458 xfs_alloc_ptr_t *pp;
459 int i;
460 int numrecs;
461
462 if (level == 0)
463 return 1;
464
465 numrecs = be16_to_cpu(block->bb_numrecs);
466 if (numrecs > mp->m_alloc_mxr[1]) {
467 if (show_warnings)
468 print_warning("invalid numrecs (%u) in %s block %u/%u",
469 numrecs, typtab[btype].name, agno, agbno);
470 return 1;
471 }
472
473 pp = XFS_ALLOC_PTR_ADDR(mp, block, 1, mp->m_alloc_mxr[1]);
474 for (i = 0; i < numrecs; i++) {
475 if (!valid_bno(agno, be32_to_cpu(pp[i]))) {
476 if (show_warnings)
477 print_warning("invalid block number (%u/%u) "
478 "in %s block %u/%u",
479 agno, be32_to_cpu(pp[i]),
480 typtab[btype].name, agno, agbno);
481 continue;
482 }
483 if (!scan_btree(agno, be32_to_cpu(pp[i]), level, btype, arg,
484 scanfunc_freesp))
485 return 0;
486 }
487 return 1;
488 }
489
490 static int
491 copy_free_bno_btree(
492 xfs_agnumber_t agno,
493 xfs_agf_t *agf)
494 {
495 xfs_agblock_t root;
496 int levels;
497
498 root = be32_to_cpu(agf->agf_roots[XFS_BTNUM_BNO]);
499 levels = be32_to_cpu(agf->agf_levels[XFS_BTNUM_BNO]);
500
501 /* validate root and levels before processing the tree */
502 if (root == 0 || root > mp->m_sb.sb_agblocks) {
503 if (show_warnings)
504 print_warning("invalid block number (%u) in bnobt "
505 "root in agf %u", root, agno);
506 return 1;
507 }
508 if (levels >= XFS_BTREE_MAXLEVELS) {
509 if (show_warnings)
510 print_warning("invalid level (%u) in bnobt root "
511 "in agf %u", levels, agno);
512 return 1;
513 }
514
515 return scan_btree(agno, root, levels, TYP_BNOBT, agf, scanfunc_freesp);
516 }
517
518 static int
519 copy_free_cnt_btree(
520 xfs_agnumber_t agno,
521 xfs_agf_t *agf)
522 {
523 xfs_agblock_t root;
524 int levels;
525
526 root = be32_to_cpu(agf->agf_roots[XFS_BTNUM_CNT]);
527 levels = be32_to_cpu(agf->agf_levels[XFS_BTNUM_CNT]);
528
529 /* validate root and levels before processing the tree */
530 if (root == 0 || root > mp->m_sb.sb_agblocks) {
531 if (show_warnings)
532 print_warning("invalid block number (%u) in cntbt "
533 "root in agf %u", root, agno);
534 return 1;
535 }
536 if (levels >= XFS_BTREE_MAXLEVELS) {
537 if (show_warnings)
538 print_warning("invalid level (%u) in cntbt root "
539 "in agf %u", levels, agno);
540 return 1;
541 }
542
543 return scan_btree(agno, root, levels, TYP_CNTBT, agf, scanfunc_freesp);
544 }
545
546 /* filename and extended attribute obfuscation routines */
547
548 struct name_ent {
549 struct name_ent *next;
550 xfs_dahash_t hash;
551 int namelen;
552 unsigned char name[1];
553 };
554
555 #define NAME_TABLE_SIZE 4096
556
557 static struct name_ent *nametable[NAME_TABLE_SIZE];
558
559 static void
560 nametable_clear(void)
561 {
562 int i;
563 struct name_ent *ent;
564
565 for (i = 0; i < NAME_TABLE_SIZE; i++) {
566 while ((ent = nametable[i])) {
567 nametable[i] = ent->next;
568 free(ent);
569 }
570 }
571 }
572
573 /*
574 * See if the given name is already in the name table. If so,
575 * return a pointer to its entry, otherwise return a null pointer.
576 */
577 static struct name_ent *
578 nametable_find(xfs_dahash_t hash, int namelen, unsigned char *name)
579 {
580 struct name_ent *ent;
581
582 for (ent = nametable[hash % NAME_TABLE_SIZE]; ent; ent = ent->next) {
583 if (ent->hash == hash && ent->namelen == namelen &&
584 !memcmp(ent->name, name, namelen))
585 return ent;
586 }
587 return NULL;
588 }
589
590 /*
591 * Add the given name to the name table. Returns a pointer to the
592 * name's new entry, or a null pointer if an error occurs.
593 */
594 static struct name_ent *
595 nametable_add(xfs_dahash_t hash, int namelen, unsigned char *name)
596 {
597 struct name_ent *ent;
598
599 ent = malloc(sizeof *ent + namelen);
600 if (!ent)
601 return NULL;
602
603 ent->namelen = namelen;
604 memcpy(ent->name, name, namelen);
605 ent->hash = hash;
606 ent->next = nametable[hash % NAME_TABLE_SIZE];
607
608 nametable[hash % NAME_TABLE_SIZE] = ent;
609
610 return ent;
611 }
612
613 #define is_invalid_char(c) ((c) == '/' || (c) == '\0')
614 #define rol32(x,y) (((x) << (y)) | ((x) >> (32 - (y))))
615
616 static inline unsigned char
617 random_filename_char(void)
618 {
619 static unsigned char filename_alphabet[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
620 "abcdefghijklmnopqrstuvwxyz"
621 "0123456789-_";
622
623 return filename_alphabet[random() % (sizeof filename_alphabet - 1)];
624 }
625
626 #define ORPHANAGE "lost+found"
627 #define ORPHANAGE_LEN (sizeof (ORPHANAGE) - 1)
628
629 static inline int
630 is_orphanage_dir(
631 struct xfs_mount *mp,
632 xfs_ino_t dir_ino,
633 size_t name_len,
634 unsigned char *name)
635 {
636 return dir_ino == mp->m_sb.sb_rootino &&
637 name_len == ORPHANAGE_LEN &&
638 !memcmp(name, ORPHANAGE, ORPHANAGE_LEN);
639 }
640
641 /*
642 * Determine whether a name is one we shouldn't obfuscate because
643 * it's an orphan (or the "lost+found" directory itself). Note
644 * "cur_ino" is the inode for the directory currently being
645 * processed.
646 *
647 * Returns 1 if the name should NOT be obfuscated or 0 otherwise.
648 */
649 static int
650 in_lost_found(
651 xfs_ino_t ino,
652 int namelen,
653 unsigned char *name)
654 {
655 static xfs_ino_t orphanage_ino = 0;
656 char s[24]; /* 21 is enough (64 bits in decimal) */
657 int slen;
658
659 /* Record the "lost+found" inode if we haven't done so already */
660
661 ASSERT(ino != 0);
662 if (!orphanage_ino && is_orphanage_dir(mp, cur_ino, namelen, name))
663 orphanage_ino = ino;
664
665 /* We don't obfuscate the "lost+found" directory itself */
666
667 if (ino == orphanage_ino)
668 return 1;
669
670 /* Most files aren't in "lost+found" at all */
671
672 if (cur_ino != orphanage_ino)
673 return 0;
674
675 /*
676 * Within "lost+found", we don't obfuscate any file whose
677 * name is the same as its inode number. Any others are
678 * stray files and can be obfuscated.
679 */
680 slen = snprintf(s, sizeof (s), "%llu", (unsigned long long) ino);
681
682 return slen == namelen && !memcmp(name, s, namelen);
683 }
684
685 /*
686 * Given a name and its hash value, massage the name in such a way
687 * that the result is another name of equal length which shares the
688 * same hash value.
689 */
690 static void
691 obfuscate_name(
692 xfs_dahash_t hash,
693 size_t name_len,
694 unsigned char *name)
695 {
696 unsigned char *newp = name;
697 int i;
698 xfs_dahash_t new_hash = 0;
699 unsigned char *first;
700 unsigned char high_bit;
701 int shift;
702
703 /*
704 * Our obfuscation algorithm requires at least 5-character
705 * names, so don't bother if the name is too short. We
706 * work backward from a hash value to determine the last
707 * five bytes in a name required to produce a new name
708 * with the same hash.
709 */
710 if (name_len < 5)
711 return;
712
713 /*
714 * The beginning of the obfuscated name can be pretty much
715 * anything, so fill it in with random characters.
716 * Accumulate its new hash value as we go.
717 */
718 for (i = 0; i < name_len - 5; i++) {
719 *newp = random_filename_char();
720 new_hash = *newp ^ rol32(new_hash, 7);
721 newp++;
722 }
723
724 /*
725 * Compute which five bytes need to be used at the end of
726 * the name so the hash of the obfuscated name is the same
727 * as the hash of the original. If any result in an invalid
728 * character, flip a bit and arrange for a corresponding bit
729 * in a neighboring byte to be flipped as well. For the
730 * last byte, the "neighbor" to change is the first byte
731 * we're computing here.
732 */
733 new_hash = rol32(new_hash, 3) ^ hash;
734
735 first = newp;
736 high_bit = 0;
737 for (shift = 28; shift >= 0; shift -= 7) {
738 *newp = (new_hash >> shift & 0x7f) ^ high_bit;
739 if (is_invalid_char(*newp)) {
740 *newp ^= 1;
741 high_bit = 0x80;
742 } else
743 high_bit = 0;
744 ASSERT(!is_invalid_char(*newp));
745 newp++;
746 }
747
748 /*
749 * If we flipped a bit on the last byte, we need to fix up
750 * the matching bit in the first byte. The result will
751 * be a valid character, because we know that first byte
752 * has 0's in its upper four bits (it was produced by a
753 * 28-bit right-shift of a 32-bit unsigned value).
754 */
755 if (high_bit) {
756 *first ^= 0x10;
757 ASSERT(!is_invalid_char(*first));
758 }
759 ASSERT(libxfs_da_hashname(name, name_len) == hash);
760 }
761
762 /*
763 * Flip a bit in each of two bytes at the end of the given name.
764 * This is used in generating a series of alternate names to be used
765 * in the event a duplicate is found.
766 *
767 * The bits flipped are selected such that they both affect the same
768 * bit in the name's computed hash value, so flipping them both will
769 * preserve the hash.
770 *
771 * The following diagram aims to show the portion of a computed
772 * hash that a given byte of a name affects.
773 *
774 * 31 28 24 21 14 8 7 3 0
775 * +-+-+-+-+-+-+-+-|-+-+-+-+-+-+-+-|-+-+-+-+-+-+-+-|-+-+-+-+-+-+-+-+
776 * hash: | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
777 * +-+-+-+-+-+-+-+-|-+-+-+-+-+-+-+-|-+-+-+-+-+-+-+-|-+-+-+-+-+-+-+-+
778 * last-4 ->| |<-- last-2 --->| |<--- last ---->|
779 * |<-- last-3 --->| |<-- last-1 --->| |<- last-4
780 * |<-- last-7 --->| |<-- last-5 --->|
781 * |<-- last-8 --->| |<-- last-6 --->|
782 * . . . and so on
783 *
784 * The last byte of the name directly affects the low-order byte of
785 * the hash. The next-to-last affects bits 7-14, the next one back
786 * affects bits 14-21, and so on. The effect wraps around when it
787 * goes beyond the top of the hash (as happens for byte last-4).
788 *
789 * Bits that are flipped together "overlap" on the hash value. As
790 * an example of overlap, the last two bytes both affect bit 7 in
791 * the hash. That pair of bytes (and their overlapping bits) can be
792 * used for this "flip bit" operation (it's the first pair tried,
793 * actually).
794 *
795 * A table defines overlapping pairs--the bytes involved and bits
796 * within them--that can be used this way. The byte offset is
797 * relative to a starting point within the name, which will be set
798 * to affect the bytes at the end of the name. The function is
799 * called with a "bitseq" value which indicates which bit flip is
800 * desired, and this translates directly into selecting which entry
801 * in the bit_to_flip[] table to apply.
802 *
803 * The function returns 1 if the operation was successful. It
804 * returns 0 if the result produced a character that's not valid in
805 * a name (either '/' or a '\0'). Finally, it returns -1 if the bit
806 * sequence number is beyond what is supported for a name of this
807 * length.
808 *
809 * Discussion
810 * ----------
811 * (Also see the discussion above find_alternate(), below.)
812 *
813 * In order to make this function work for any length name, the
814 * table is ordered by increasing byte offset, so that the earliest
815 * entries can apply to the shortest strings. This way all names
816 * are done consistently.
817 *
818 * When bit flips occur, they can convert printable characters
819 * into non-printable ones. In an effort to reduce the impact of
820 * this, the first bit flips are chosen to affect bytes the end of
821 * the name (and furthermore, toward the low bits of a byte). Those
822 * bytes are often non-printable anyway because of the way they are
823 * initially selected by obfuscate_name()). This is accomplished,
824 * using later table entries first.
825 *
826 * Each row in the table doubles the number of alternates that
827 * can be generated. A two-byte name is limited to using only
828 * the first row, so it's possible to generate two alternates
829 * (the original name, plus the alternate produced by flipping
830 * the one pair of bits). In a 5-byte name, the effect of the
831 * first byte overlaps the last by 4 its, and there are 8 bits
832 * to flip, allowing for 256 possible alternates.
833 *
834 * Short names (less than 5 bytes) are never even obfuscated, so for
835 * such names the relatively small number of alternates should never
836 * really be a problem.
837 *
838 * Long names (more than 6 bytes, say) are not likely to exhaust
839 * the number of available alternates. In fact, the table could
840 * probably have stopped at 8 entries, on the assumption that 256
841 * alternates should be enough for most any situation. The entries
842 * beyond those are present mostly for demonstration of how it could
843 * be populated with more entries, should it ever be necessary to do
844 * so.
845 */
846 static int
847 flip_bit(
848 size_t name_len,
849 unsigned char *name,
850 uint32_t bitseq)
851 {
852 int index;
853 size_t offset;
854 unsigned char *p0, *p1;
855 unsigned char m0, m1;
856 struct {
857 int byte; /* Offset from start within name */
858 unsigned char bit; /* Bit within that byte */
859 } bit_to_flip[][2] = { /* Sorted by second entry's byte */
860 { { 0, 0 }, { 1, 7 } }, /* Each row defines a pair */
861 { { 1, 0 }, { 2, 7 } }, /* of bytes and a bit within */
862 { { 2, 0 }, { 3, 7 } }, /* each byte. Each bit in */
863 { { 0, 4 }, { 4, 0 } }, /* a pair affects the same */
864 { { 0, 5 }, { 4, 1 } }, /* bit in the hash, so flipping */
865 { { 0, 6 }, { 4, 2 } }, /* both will change the name */
866 { { 0, 7 }, { 4, 3 } }, /* while preserving the hash. */
867 { { 3, 0 }, { 4, 7 } },
868 { { 0, 0 }, { 5, 3 } }, /* The first entry's byte offset */
869 { { 0, 1 }, { 5, 4 } }, /* must be less than the second. */
870 { { 0, 2 }, { 5, 5 } },
871 { { 0, 3 }, { 5, 6 } }, /* The table can be extended to */
872 { { 0, 4 }, { 5, 7 } }, /* an arbitrary number of entries */
873 { { 4, 0 }, { 5, 7 } }, /* but there's not much point. */
874 /* . . . */
875 };
876
877 /* Find the first entry *not* usable for name of this length */
878
879 for (index = 0; index < ARRAY_SIZE(bit_to_flip); index++)
880 if (bit_to_flip[index][1].byte >= name_len)
881 break;
882
883 /*
884 * Back up to the last usable entry. If that number is
885 * smaller than the bit sequence number, inform the caller
886 * that nothing this large (or larger) will work.
887 */
888 if (bitseq > --index)
889 return -1;
890
891 /*
892 * We will be switching bits at the end of name, with a
893 * preference for affecting the last bytes first. Compute
894 * where in the name we'll start applying the changes.
895 */
896 offset = name_len - (bit_to_flip[index][1].byte + 1);
897 index -= bitseq; /* Use later table entries first */
898
899 p0 = name + offset + bit_to_flip[index][0].byte;
900 p1 = name + offset + bit_to_flip[index][1].byte;
901 m0 = 1 << bit_to_flip[index][0].bit;
902 m1 = 1 << bit_to_flip[index][1].bit;
903
904 /* Only change the bytes if it produces valid characters */
905
906 if (is_invalid_char(*p0 ^ m0) || is_invalid_char(*p1 ^ m1))
907 return 0;
908
909 *p0 ^= m0;
910 *p1 ^= m1;
911
912 return 1;
913 }
914
915 /*
916 * This function generates a well-defined sequence of "alternate"
917 * names for a given name. An alternate is a name having the same
918 * length and same hash value as the original name. This is needed
919 * because the algorithm produces only one obfuscated name to use
920 * for a given original name, and it's possible that result matches
921 * a name already seen. This function checks for this, and if it
922 * occurs, finds another suitable obfuscated name to use.
923 *
924 * Each bit in the binary representation of the sequence number is
925 * used to select one possible "bit flip" operation to perform on
926 * the name. So for example:
927 * seq = 0: selects no bits to flip
928 * seq = 1: selects the 0th bit to flip
929 * seq = 2: selects the 1st bit to flip
930 * seq = 3: selects the 0th and 1st bit to flip
931 * ... and so on.
932 *
933 * The flip_bit() function takes care of the details of the bit
934 * flipping within the name. Note that the "1st bit" in this
935 * context is a bit sequence number; i.e. it doesn't necessarily
936 * mean bit 0x02 will be changed.
937 *
938 * If a valid name (one that contains no '/' or '\0' characters) is
939 * produced by this process for the given sequence number, this
940 * function returns 1. If the result is not valid, it returns 0.
941 * Returns -1 if the sequence number is beyond the the maximum for
942 * names of the given length.
943 *
944 *
945 * Discussion
946 * ----------
947 * The number of alternates available for a given name is dependent
948 * on its length. A "bit flip" involves inverting two bits in
949 * a name--the two bits being selected such that their values
950 * affect the name's hash value in the same way. Alternates are
951 * thus generated by inverting the value of pairs of such
952 * "overlapping" bits in the original name. Each byte after the
953 * first in a name adds at least one bit of overlap to work with.
954 * (See comments above flip_bit() for more discussion on this.)
955 *
956 * So the number of alternates is dependent on the number of such
957 * overlapping bits in a name. If there are N bit overlaps, there
958 * 2^N alternates for that hash value.
959 *
960 * Here are the number of overlapping bits available for generating
961 * alternates for names of specific lengths:
962 * 1 0 (must have 2 bytes to have any overlap)
963 * 2 1 One bit overlaps--so 2 possible alternates
964 * 3 2 Two bits overlap--so 4 possible alternates
965 * 4 4 Three bits overlap, so 2^3 alternates
966 * 5 8 8 bits overlap (due to wrapping), 256 alternates
967 * 6 18 2^18 alternates
968 * 7 28 2^28 alternates
969 * ...
970 * It's clear that the number of alternates grows very quickly with
971 * the length of the name. But note that the set of alternates
972 * includes invalid names. And for certain (contrived) names, the
973 * number of valid names is a fairly small fraction of the total
974 * number of alternates.
975 *
976 * The main driver for this infrastructure for coming up with
977 * alternate names is really related to names 5 (or possibly 6)
978 * bytes in length. 5-byte obfuscated names contain no randomly-
979 * generated bytes in them, and the chance of an obfuscated name
980 * matching an already-seen name is too high to just ignore. This
981 * methodical selection of alternates ensures we don't produce
982 * duplicate names unless we have exhausted our options.
983 */
984 static int
985 find_alternate(
986 size_t name_len,
987 unsigned char *name,
988 uint32_t seq)
989 {
990 uint32_t bitseq = 0;
991 uint32_t bits = seq;
992
993 if (!seq)
994 return 1; /* alternate 0 is the original name */
995 if (name_len < 2) /* Must have 2 bytes to flip */
996 return -1;
997
998 for (bitseq = 0; bits; bitseq++) {
999 uint32_t mask = 1 << bitseq;
1000 int fb;
1001
1002 if (!(bits & mask))
1003 continue;
1004
1005 fb = flip_bit(name_len, name, bitseq);
1006 if (fb < 1)
1007 return fb ? -1 : 0;
1008 bits ^= mask;
1009 }
1010
1011 return 1;
1012 }
1013
1014 /*
1015 * Look up the given name in the name table. If it is already
1016 * present, iterate through a well-defined sequence of alternate
1017 * names and attempt to use an alternate name instead.
1018 *
1019 * Returns 1 if the (possibly modified) name is not present in the
1020 * name table. Returns 0 if the name and all possible alternates
1021 * are already in the table.
1022 */
1023 static int
1024 handle_duplicate_name(xfs_dahash_t hash, size_t name_len, unsigned char *name)
1025 {
1026 unsigned char new_name[name_len + 1];
1027 uint32_t seq = 1;
1028
1029 if (!nametable_find(hash, name_len, name))
1030 return 1; /* No duplicate */
1031
1032 /* Name is already in use. Need to find an alternate. */
1033
1034 do {
1035 int found;
1036
1037 /* Only change incoming name if we find an alternate */
1038 do {
1039 memcpy(new_name, name, name_len);
1040 found = find_alternate(name_len, new_name, seq++);
1041 if (found < 0)
1042 return 0; /* No more to check */
1043 } while (!found);
1044 } while (nametable_find(hash, name_len, new_name));
1045
1046 /*
1047 * The alternate wasn't in the table already. Pass it back
1048 * to the caller.
1049 */
1050 memcpy(name, new_name, name_len);
1051
1052 return 1;
1053 }
1054
1055 static void
1056 generate_obfuscated_name(
1057 xfs_ino_t ino,
1058 int namelen,
1059 unsigned char *name)
1060 {
1061 xfs_dahash_t hash;
1062
1063 /*
1064 * We don't obfuscate "lost+found" or any orphan files
1065 * therein. When the name table is used for extended
1066 * attributes, the inode number provided is 0, in which
1067 * case we don't need to make this check.
1068 */
1069 if (ino && in_lost_found(ino, namelen, name))
1070 return;
1071
1072 /*
1073 * If the name starts with a slash, just skip over it. It
1074 * isn't included in the hash and we don't record it in the
1075 * name table. Note that the namelen value passed in does
1076 * not count the leading slash (if one is present).
1077 */
1078 if (*name == '/')
1079 name++;
1080
1081 /* Obfuscate the name (if possible) */
1082
1083 hash = libxfs_da_hashname(name, namelen);
1084 obfuscate_name(hash, namelen, name);
1085
1086 /*
1087 * Make sure the name is not something already seen. If we
1088 * fail to find a suitable alternate, we're dealing with a
1089 * very pathological situation, and we may end up creating
1090 * a duplicate name in the metadump, so issue a warning.
1091 */
1092 if (!handle_duplicate_name(hash, namelen, name)) {
1093 print_warning("duplicate name for inode %llu "
1094 "in dir inode %llu\n",
1095 (unsigned long long) ino,
1096 (unsigned long long) cur_ino);
1097 return;
1098 }
1099
1100 /* Create an entry for the new name in the name table. */
1101
1102 if (!nametable_add(hash, namelen, name))
1103 print_warning("unable to record name for inode %llu "
1104 "in dir inode %llu\n",
1105 (unsigned long long) ino,
1106 (unsigned long long) cur_ino);
1107 }
1108
1109 static void
1110 process_sf_dir(
1111 xfs_dinode_t *dip)
1112 {
1113 struct xfs_dir2_sf_hdr *sfp;
1114 xfs_dir2_sf_entry_t *sfep;
1115 __uint64_t ino_dir_size;
1116 int i;
1117
1118 sfp = (struct xfs_dir2_sf_hdr *)XFS_DFORK_DPTR(dip);
1119 ino_dir_size = be64_to_cpu(dip->di_size);
1120 if (ino_dir_size > XFS_DFORK_DSIZE(dip, mp)) {
1121 ino_dir_size = XFS_DFORK_DSIZE(dip, mp);
1122 if (show_warnings)
1123 print_warning("invalid size in dir inode %llu",
1124 (long long)cur_ino);
1125 }
1126
1127 sfep = xfs_dir2_sf_firstentry(sfp);
1128 for (i = 0; (i < sfp->count) &&
1129 ((char *)sfep - (char *)sfp < ino_dir_size); i++) {
1130
1131 /*
1132 * first check for bad name lengths. If they are bad, we
1133 * have limitations to how much can be obfuscated.
1134 */
1135 int namelen = sfep->namelen;
1136
1137 if (namelen == 0) {
1138 if (show_warnings)
1139 print_warning("zero length entry in dir inode "
1140 "%llu", (long long)cur_ino);
1141 if (i != sfp->count - 1)
1142 break;
1143 namelen = ino_dir_size - ((char *)&sfep->name[0] -
1144 (char *)sfp);
1145 } else if ((char *)sfep - (char *)sfp +
1146 M_DIROPS(mp)->sf_entsize(sfp, sfep->namelen) >
1147 ino_dir_size) {
1148 if (show_warnings)
1149 print_warning("entry length in dir inode %llu "
1150 "overflows space", (long long)cur_ino);
1151 if (i != sfp->count - 1)
1152 break;
1153 namelen = ino_dir_size - ((char *)&sfep->name[0] -
1154 (char *)sfp);
1155 }
1156
1157 if (obfuscate)
1158 generate_obfuscated_name(
1159 M_DIROPS(mp)->sf_get_ino(sfp, sfep),
1160 namelen, &sfep->name[0]);
1161
1162 sfep = (xfs_dir2_sf_entry_t *)((char *)sfep +
1163 M_DIROPS(mp)->sf_entsize(sfp, namelen));
1164 }
1165
1166 /* zero stale data in rest of space in data fork, if any */
1167 if (zero_stale_data && (ino_dir_size < XFS_DFORK_DSIZE(dip, mp)))
1168 memset(sfep, 0, XFS_DFORK_DSIZE(dip, mp) - ino_dir_size);
1169 }
1170
1171 /*
1172 * The pathname may not be null terminated. It may be terminated by the end of
1173 * a buffer or inode literal area, and the start of the next region contains
1174 * unknown data. Therefore, when we get to the last component of the symlink, we
1175 * cannot assume that strlen() will give us the right result. Hence we need to
1176 * track the remaining pathname length and use that instead.
1177 */
1178 static void
1179 obfuscate_path_components(
1180 char *buf,
1181 __uint64_t len)
1182 {
1183 unsigned char *comp = (unsigned char *)buf;
1184 unsigned char *end = comp + len;
1185 xfs_dahash_t hash;
1186
1187 while (comp < end) {
1188 char *slash;
1189 int namelen;
1190
1191 /* find slash at end of this component */
1192 slash = strchr((char *)comp, '/');
1193 if (!slash) {
1194 /* last (or single) component */
1195 namelen = strnlen((char *)comp, len);
1196 hash = libxfs_da_hashname(comp, namelen);
1197 obfuscate_name(hash, namelen, comp);
1198 break;
1199 }
1200 namelen = slash - (char *)comp;
1201 /* handle leading or consecutive slashes */
1202 if (!namelen) {
1203 comp++;
1204 len--;
1205 continue;
1206 }
1207 hash = libxfs_da_hashname(comp, namelen);
1208 obfuscate_name(hash, namelen, comp);
1209 comp += namelen + 1;
1210 len -= namelen + 1;
1211 }
1212 }
1213
1214 static void
1215 process_sf_symlink(
1216 xfs_dinode_t *dip)
1217 {
1218 __uint64_t len;
1219 char *buf;
1220
1221 len = be64_to_cpu(dip->di_size);
1222 if (len > XFS_DFORK_DSIZE(dip, mp)) {
1223 if (show_warnings)
1224 print_warning("invalid size (%d) in symlink inode %llu",
1225 len, (long long)cur_ino);
1226 len = XFS_DFORK_DSIZE(dip, mp);
1227 }
1228
1229 buf = (char *)XFS_DFORK_DPTR(dip);
1230 if (obfuscate)
1231 obfuscate_path_components(buf, len);
1232
1233 /* zero stale data in rest of space in data fork, if any */
1234 if (zero_stale_data && len < XFS_DFORK_DSIZE(dip, mp))
1235 memset(&buf[len], 0, XFS_DFORK_DSIZE(dip, mp) - len);
1236 }
1237
1238 static void
1239 process_sf_attr(
1240 xfs_dinode_t *dip)
1241 {
1242 /*
1243 * with extended attributes, obfuscate the names and fill the actual
1244 * values with 'v' (to see a valid string length, as opposed to NULLs)
1245 */
1246
1247 xfs_attr_shortform_t *asfp;
1248 xfs_attr_sf_entry_t *asfep;
1249 int ino_attr_size;
1250 int i;
1251
1252 asfp = (xfs_attr_shortform_t *)XFS_DFORK_APTR(dip);
1253 if (asfp->hdr.count == 0)
1254 return;
1255
1256 ino_attr_size = be16_to_cpu(asfp->hdr.totsize);
1257 if (ino_attr_size > XFS_DFORK_ASIZE(dip, mp)) {
1258 ino_attr_size = XFS_DFORK_ASIZE(dip, mp);
1259 if (show_warnings)
1260 print_warning("invalid attr size in inode %llu",
1261 (long long)cur_ino);
1262 }
1263
1264 asfep = &asfp->list[0];
1265 for (i = 0; (i < asfp->hdr.count) &&
1266 ((char *)asfep - (char *)asfp < ino_attr_size); i++) {
1267
1268 int namelen = asfep->namelen;
1269
1270 if (namelen == 0) {
1271 if (show_warnings)
1272 print_warning("zero length attr entry in inode "
1273 "%llu", (long long)cur_ino);
1274 break;
1275 } else if ((char *)asfep - (char *)asfp +
1276 XFS_ATTR_SF_ENTSIZE(asfep) > ino_attr_size) {
1277 if (show_warnings)
1278 print_warning("attr entry length in inode %llu "
1279 "overflows space", (long long)cur_ino);
1280 break;
1281 }
1282
1283 if (obfuscate) {
1284 generate_obfuscated_name(0, asfep->namelen,
1285 &asfep->nameval[0]);
1286 memset(&asfep->nameval[asfep->namelen], 'v',
1287 asfep->valuelen);
1288 }
1289
1290 asfep = (xfs_attr_sf_entry_t *)((char *)asfep +
1291 XFS_ATTR_SF_ENTSIZE(asfep));
1292 }
1293
1294 /* zero stale data in rest of space in attr fork, if any */
1295 if (zero_stale_data && (ino_attr_size < XFS_DFORK_ASIZE(dip, mp)))
1296 memset(asfep, 0, XFS_DFORK_ASIZE(dip, mp) - ino_attr_size);
1297 }
1298
1299 static void
1300 process_dir_data_block(
1301 char *block,
1302 xfs_fileoff_t offset,
1303 int is_block_format)
1304 {
1305 /*
1306 * we have to rely on the fileoffset and signature of the block to
1307 * handle it's contents. If it's invalid, leave it alone.
1308 * for multi-fsblock dir blocks, if a name crosses an extent boundary,
1309 * ignore it and continue.
1310 */
1311 int dir_offset;
1312 char *ptr;
1313 char *endptr;
1314 int end_of_data;
1315 int wantmagic;
1316 struct xfs_dir2_data_hdr *datahdr;
1317
1318 datahdr = (struct xfs_dir2_data_hdr *)block;
1319
1320 if (is_block_format) {
1321 xfs_dir2_leaf_entry_t *blp;
1322 xfs_dir2_block_tail_t *btp;
1323
1324 btp = xfs_dir2_block_tail_p(mp->m_dir_geo, datahdr);
1325 blp = xfs_dir2_block_leaf_p(btp);
1326 if ((char *)blp > (char *)btp)
1327 blp = (xfs_dir2_leaf_entry_t *)btp;
1328
1329 end_of_data = (char *)blp - block;
1330 if (xfs_sb_version_hascrc(&mp->m_sb))
1331 wantmagic = XFS_DIR3_BLOCK_MAGIC;
1332 else
1333 wantmagic = XFS_DIR2_BLOCK_MAGIC;
1334 } else { /* leaf/node format */
1335 end_of_data = mp->m_dir_geo->fsbcount << mp->m_sb.sb_blocklog;
1336 if (xfs_sb_version_hascrc(&mp->m_sb))
1337 wantmagic = XFS_DIR3_DATA_MAGIC;
1338 else
1339 wantmagic = XFS_DIR2_DATA_MAGIC;
1340 }
1341
1342 if (be32_to_cpu(datahdr->magic) != wantmagic) {
1343 if (show_warnings)
1344 print_warning(
1345 "invalid magic in dir inode %llu block %ld",
1346 (long long)cur_ino, (long)offset);
1347 return;
1348 }
1349
1350 dir_offset = M_DIROPS(mp)->data_entry_offset;
1351 ptr = block + dir_offset;
1352 endptr = block + mp->m_dir_geo->blksize;
1353
1354 while (ptr < endptr && dir_offset < end_of_data) {
1355 xfs_dir2_data_entry_t *dep;
1356 xfs_dir2_data_unused_t *dup;
1357 int length;
1358
1359 dup = (xfs_dir2_data_unused_t *)ptr;
1360
1361 if (be16_to_cpu(dup->freetag) == XFS_DIR2_DATA_FREE_TAG) {
1362 int length = be16_to_cpu(dup->length);
1363 if (dir_offset + length > end_of_data ||
1364 !length || (length & (XFS_DIR2_DATA_ALIGN - 1))) {
1365 if (show_warnings)
1366 print_warning(
1367 "invalid length for dir free space in inode %llu",
1368 (long long)cur_ino);
1369 return;
1370 }
1371 if (be16_to_cpu(*xfs_dir2_data_unused_tag_p(dup)) !=
1372 dir_offset)
1373 return;
1374 dir_offset += length;
1375 ptr += length;
1376 /*
1377 * Zero the unused space up to the tag - the tag is
1378 * actually at a variable offset, so zeroing &dup->tag
1379 * is zeroing the free space in between
1380 */
1381 if (zero_stale_data) {
1382 int zlen = length -
1383 sizeof(xfs_dir2_data_unused_t);
1384
1385 if (zlen > 0) {
1386 memset(&dup->tag, 0, zlen);
1387 iocur_top->need_crc = 1;
1388 }
1389 }
1390 if (dir_offset >= end_of_data || ptr >= endptr)
1391 return;
1392 }
1393
1394 dep = (xfs_dir2_data_entry_t *)ptr;
1395 length = M_DIROPS(mp)->data_entsize(dep->namelen);
1396
1397 if (dir_offset + length > end_of_data ||
1398 ptr + length > endptr) {
1399 if (show_warnings)
1400 print_warning(
1401 "invalid length for dir entry name in inode %llu",
1402 (long long)cur_ino);
1403 return;
1404 }
1405 if (be16_to_cpu(*M_DIROPS(mp)->data_entry_tag_p(dep)) !=
1406 dir_offset)
1407 return;
1408
1409 if (obfuscate)
1410 generate_obfuscated_name(be64_to_cpu(dep->inumber),
1411 dep->namelen, &dep->name[0]);
1412 dir_offset += length;
1413 ptr += length;
1414 /* Zero the unused space after name, up to the tag */
1415 if (zero_stale_data) {
1416 /* 1 byte for ftype; don't bother with conditional */
1417 int zlen =
1418 (char *)M_DIROPS(mp)->data_entry_tag_p(dep) -
1419 (char *)&dep->name[dep->namelen] - 1;
1420 if (zlen > 0) {
1421 memset(&dep->name[dep->namelen] + 1, 0, zlen);
1422 iocur_top->need_crc = 1;
1423 }
1424 }
1425 }
1426 }
1427
1428 static void
1429 process_symlink_block(
1430 char *block)
1431 {
1432 char *link = block;
1433
1434 if (xfs_sb_version_hascrc(&(mp)->m_sb))
1435 link += sizeof(struct xfs_dsymlink_hdr);
1436
1437 if (obfuscate)
1438 obfuscate_path_components(link, XFS_SYMLINK_BUF_SPACE(mp,
1439 mp->m_sb.sb_blocksize));
1440 if (zero_stale_data) {
1441 size_t linklen, zlen;
1442
1443 linklen = strlen(link);
1444 zlen = mp->m_sb.sb_blocksize - linklen;
1445 if (xfs_sb_version_hascrc(&mp->m_sb))
1446 zlen -= sizeof(struct xfs_dsymlink_hdr);
1447 if (zlen < mp->m_sb.sb_blocksize)
1448 memset(link + linklen, 0, zlen);
1449 }
1450 }
1451
1452 #define MAX_REMOTE_VALS 4095
1453
1454 static struct attr_data_s {
1455 int remote_val_count;
1456 xfs_dablk_t remote_vals[MAX_REMOTE_VALS];
1457 } attr_data;
1458
1459 static inline void
1460 add_remote_vals(
1461 xfs_dablk_t blockidx,
1462 int length)
1463 {
1464 while (length > 0 && attr_data.remote_val_count < MAX_REMOTE_VALS) {
1465 attr_data.remote_vals[attr_data.remote_val_count] = blockidx;
1466 attr_data.remote_val_count++;
1467 blockidx++;
1468 length -= mp->m_sb.sb_blocksize;
1469 }
1470
1471 if (attr_data.remote_val_count >= MAX_REMOTE_VALS) {
1472 print_warning(
1473 "Overflowed attr obfuscation array. No longer obfuscating remote attrs.");
1474 }
1475 }
1476
1477 /* Handle remote and leaf attributes */
1478 static void
1479 process_attr_block(
1480 char *block,
1481 xfs_fileoff_t offset)
1482 {
1483 struct xfs_attr_leafblock *leaf;
1484 struct xfs_attr3_icleaf_hdr hdr;
1485 int i;
1486 int nentries;
1487 xfs_attr_leaf_entry_t *entry;
1488 xfs_attr_leaf_name_local_t *local;
1489 xfs_attr_leaf_name_remote_t *remote;
1490 __uint32_t bs = mp->m_sb.sb_blocksize;
1491 char *first_name;
1492
1493
1494 leaf = (xfs_attr_leafblock_t *)block;
1495
1496 /* Remote attributes - attr3 has XFS_ATTR3_RMT_MAGIC, attr has none */
1497 if ((be16_to_cpu(leaf->hdr.info.magic) != XFS_ATTR_LEAF_MAGIC) &&
1498 (be16_to_cpu(leaf->hdr.info.magic) != XFS_ATTR3_LEAF_MAGIC)) {
1499 for (i = 0; i < attr_data.remote_val_count; i++) {
1500 if (obfuscate && attr_data.remote_vals[i] == offset)
1501 /* Macros to handle both attr and attr3 */
1502 memset(block +
1503 (bs - XFS_ATTR3_RMT_BUF_SPACE(mp, bs)),
1504 'v', XFS_ATTR3_RMT_BUF_SPACE(mp, bs));
1505 }
1506 return;
1507 }
1508
1509 /* Ok, it's a leaf - get header; accounts for crc & non-crc */
1510 xfs_attr3_leaf_hdr_from_disk(mp->m_attr_geo, &hdr, leaf);
1511
1512 nentries = hdr.count;
1513 if (nentries * sizeof(xfs_attr_leaf_entry_t) +
1514 xfs_attr3_leaf_hdr_size(leaf) >
1515 XFS_ATTR3_RMT_BUF_SPACE(mp, bs)) {
1516 if (show_warnings)
1517 print_warning("invalid attr count in inode %llu",
1518 (long long)cur_ino);
1519 return;
1520 }
1521
1522 entry = xfs_attr3_leaf_entryp(leaf);
1523 /* We will move this as we parse */
1524 first_name = NULL;
1525 for (i = 0; i < nentries; i++, entry++) {
1526 int nlen, vlen, zlen;
1527
1528 /* Grows up; if this name is topmost, move first_name */
1529 if (!first_name || xfs_attr3_leaf_name(leaf, i) < first_name)
1530 first_name = xfs_attr3_leaf_name(leaf, i);
1531
1532 if (be16_to_cpu(entry->nameidx) > mp->m_sb.sb_blocksize) {
1533 if (show_warnings)
1534 print_warning(
1535 "invalid attr nameidx in inode %llu",
1536 (long long)cur_ino);
1537 break;
1538 }
1539 if (entry->flags & XFS_ATTR_LOCAL) {
1540 local = xfs_attr3_leaf_name_local(leaf, i);
1541 if (local->namelen == 0) {
1542 if (show_warnings)
1543 print_warning(
1544 "zero length for attr name in inode %llu",
1545 (long long)cur_ino);
1546 break;
1547 }
1548 if (obfuscate) {
1549 generate_obfuscated_name(0, local->namelen,
1550 &local->nameval[0]);
1551 memset(&local->nameval[local->namelen], 'v',
1552 be16_to_cpu(local->valuelen));
1553 }
1554 /* zero from end of nameval[] to next name start */
1555 nlen = local->namelen;
1556 vlen = be16_to_cpu(local->valuelen);
1557 zlen = xfs_attr_leaf_entsize_local(nlen, vlen) -
1558 (sizeof(xfs_attr_leaf_name_local_t) - 1 +
1559 nlen + vlen);
1560 if (zero_stale_data)
1561 memset(&local->nameval[nlen + vlen], 0, zlen);
1562 } else {
1563 remote = xfs_attr3_leaf_name_remote(leaf, i);
1564 if (remote->namelen == 0 || remote->valueblk == 0) {
1565 if (show_warnings)
1566 print_warning(
1567 "invalid attr entry in inode %llu",
1568 (long long)cur_ino);
1569 break;
1570 }
1571 if (obfuscate) {
1572 generate_obfuscated_name(0, remote->namelen,
1573 &remote->name[0]);
1574 add_remote_vals(be32_to_cpu(remote->valueblk),
1575 be32_to_cpu(remote->valuelen));
1576 }
1577 /* zero from end of name[] to next name start */
1578 nlen = remote->namelen;
1579 zlen = xfs_attr_leaf_entsize_remote(nlen) -
1580 (sizeof(xfs_attr_leaf_name_remote_t) - 1 +
1581 nlen);
1582 if (zero_stale_data)
1583 memset(&remote->name[nlen], 0, zlen);
1584 }
1585 }
1586
1587 /* Zero from end of entries array to the first name/val */
1588 if (zero_stale_data) {
1589 struct xfs_attr_leaf_entry *entries;
1590
1591 entries = xfs_attr3_leaf_entryp(leaf);
1592 memset(&entries[nentries], 0,
1593 first_name - (char *)&entries[nentries]);
1594 }
1595 }
1596
1597 /* Processes symlinks, attrs, directories ... */
1598 static int
1599 process_single_fsb_objects(
1600 xfs_fileoff_t o,
1601 xfs_fsblock_t s,
1602 xfs_filblks_t c,
1603 typnm_t btype,
1604 xfs_fileoff_t last)
1605 {
1606 char *dp;
1607 int ret = 0;
1608 int i;
1609
1610 for (i = 0; i < c; i++) {
1611 push_cur();
1612 set_cur(&typtab[btype], XFS_FSB_TO_DADDR(mp, s), blkbb,
1613 DB_RING_IGN, NULL);
1614
1615 if (!iocur_top->data) {
1616 xfs_agnumber_t agno = XFS_FSB_TO_AGNO(mp, s);
1617 xfs_agblock_t agbno = XFS_FSB_TO_AGBNO(mp, s);
1618
1619 print_warning("cannot read %s block %u/%u (%llu)",
1620 typtab[btype].name, agno, agbno, s);
1621 if (stop_on_read_error)
1622 ret = -EIO;
1623 goto out_pop;
1624
1625 }
1626
1627 if (!obfuscate && !zero_stale_data)
1628 goto write;
1629
1630 /* Zero unused part of interior nodes */
1631 if (zero_stale_data) {
1632 xfs_da_intnode_t *node = iocur_top->data;
1633 int magic = be16_to_cpu(node->hdr.info.magic);
1634
1635 if (magic == XFS_DA_NODE_MAGIC ||
1636 magic == XFS_DA3_NODE_MAGIC) {
1637 struct xfs_da3_icnode_hdr hdr;
1638 int used;
1639
1640 M_DIROPS(mp)->node_hdr_from_disk(&hdr, node);
1641 used = M_DIROPS(mp)->node_hdr_size;
1642
1643 used += hdr.count
1644 * sizeof(struct xfs_da_node_entry);
1645
1646 if (used < mp->m_sb.sb_blocksize) {
1647 memset((char *)node + used, 0,
1648 mp->m_sb.sb_blocksize - used);
1649 iocur_top->need_crc = 1;
1650 }
1651 }
1652 }
1653
1654 /* Handle leaf nodes */
1655 dp = iocur_top->data;
1656 switch (btype) {
1657 case TYP_DIR2:
1658 if (o >= mp->m_dir_geo->leafblk)
1659 break;
1660
1661 process_dir_data_block(dp, o,
1662 last == mp->m_dir_geo->fsbcount);
1663 iocur_top->need_crc = 1;
1664 break;
1665 case TYP_SYMLINK:
1666 process_symlink_block(dp);
1667 iocur_top->need_crc = 1;
1668 break;
1669 case TYP_ATTR:
1670 process_attr_block(dp, o);
1671 iocur_top->need_crc = 1;
1672 break;
1673 default:
1674 break;
1675 }
1676
1677 write:
1678 ret = write_buf(iocur_top);
1679 out_pop:
1680 pop_cur();
1681 if (ret)
1682 break;
1683 o++;
1684 s++;
1685 }
1686
1687 return ret;
1688 }
1689
1690 /*
1691 * Static map to aggregate multiple extents into a single directory block.
1692 */
1693 static struct bbmap mfsb_map;
1694 static int mfsb_length;
1695
1696 static int
1697 process_multi_fsb_objects(
1698 xfs_fileoff_t o,
1699 xfs_fsblock_t s,
1700 xfs_filblks_t c,
1701 typnm_t btype,
1702 xfs_fileoff_t last)
1703 {
1704 int ret = 0;
1705
1706 switch (btype) {
1707 case TYP_DIR2:
1708 break;
1709 default:
1710 print_warning("bad type for multi-fsb object %d", btype);
1711 return -EINVAL;
1712 }
1713
1714 while (c > 0) {
1715 unsigned int bm_len;
1716
1717 if (mfsb_length + c >= mp->m_dir_geo->fsbcount) {
1718 bm_len = mp->m_dir_geo->fsbcount - mfsb_length;
1719 mfsb_length = 0;
1720 } else {
1721 mfsb_length += c;
1722 bm_len = c;
1723 }
1724
1725 mfsb_map.b[mfsb_map.nmaps].bm_bn = XFS_FSB_TO_DADDR(mp, s);
1726 mfsb_map.b[mfsb_map.nmaps].bm_len = XFS_FSB_TO_BB(mp, bm_len);
1727 mfsb_map.nmaps++;
1728
1729 if (mfsb_length == 0) {
1730 push_cur();
1731 set_cur(&typtab[btype], 0, 0, DB_RING_IGN, &mfsb_map);
1732 if (!iocur_top->data) {
1733 xfs_agnumber_t agno = XFS_FSB_TO_AGNO(mp, s);
1734 xfs_agblock_t agbno = XFS_FSB_TO_AGBNO(mp, s);
1735
1736 print_warning("cannot read %s block %u/%u (%llu)",
1737 typtab[btype].name, agno, agbno, s);
1738 if (stop_on_read_error)
1739 ret = -1;
1740 goto out_pop;
1741
1742 }
1743
1744 if ((!obfuscate && !zero_stale_data) ||
1745 o >= mp->m_dir_geo->leafblk) {
1746 ret = write_buf(iocur_top);
1747 goto out_pop;
1748 }
1749
1750 process_dir_data_block(iocur_top->data, o,
1751 last == mp->m_dir_geo->fsbcount);
1752 iocur_top->need_crc = 1;
1753 ret = write_buf(iocur_top);
1754 out_pop:
1755 pop_cur();
1756 mfsb_map.nmaps = 0;
1757 if (ret)
1758 break;
1759 }
1760 c -= bm_len;
1761 s += bm_len;
1762 }
1763
1764 return ret;
1765 }
1766
1767 /* inode copy routines */
1768 static int
1769 process_bmbt_reclist(
1770 xfs_bmbt_rec_t *rp,
1771 int numrecs,
1772 typnm_t btype)
1773 {
1774 int i;
1775 xfs_fileoff_t o, op = NULLFILEOFF;
1776 xfs_fsblock_t s;
1777 xfs_filblks_t c, cp = NULLFILEOFF;
1778 int f;
1779 xfs_fileoff_t last;
1780 xfs_agnumber_t agno;
1781 xfs_agblock_t agbno;
1782 int error;
1783
1784 if (btype == TYP_DATA)
1785 return 1;
1786
1787 convert_extent(&rp[numrecs - 1], &o, &s, &c, &f);
1788 last = o + c;
1789
1790 for (i = 0; i < numrecs; i++, rp++) {
1791 convert_extent(rp, &o, &s, &c, &f);
1792
1793 /*
1794 * ignore extents that are clearly bogus, and if a bogus
1795 * one is found, stop processing remaining extents
1796 */
1797 if (i > 0 && op + cp > o) {
1798 if (show_warnings)
1799 print_warning("bmap extent %d in %s ino %llu "
1800 "starts at %llu, previous extent "
1801 "ended at %llu", i,
1802 typtab[btype].name, (long long)cur_ino,
1803 o, op + cp - 1);
1804 break;
1805 }
1806
1807 if (c > max_extent_size) {
1808 /*
1809 * since we are only processing non-data extents,
1810 * large numbers of blocks in a metadata extent is
1811 * extremely rare and more than likely to be corrupt.
1812 */
1813 if (show_warnings)
1814 print_warning("suspicious count %u in bmap "
1815 "extent %d in %s ino %llu", c, i,
1816 typtab[btype].name, (long long)cur_ino);
1817 break;
1818 }
1819
1820 op = o;
1821 cp = c;
1822
1823 agno = XFS_FSB_TO_AGNO(mp, s);
1824 agbno = XFS_FSB_TO_AGBNO(mp, s);
1825
1826 if (!valid_bno(agno, agbno)) {
1827 if (show_warnings)
1828 print_warning("invalid block number %u/%u "
1829 "(%llu) in bmap extent %d in %s ino "
1830 "%llu", agno, agbno, s, i,
1831 typtab[btype].name, (long long)cur_ino);
1832 break;
1833 }
1834
1835 if (!valid_bno(agno, agbno + c - 1)) {
1836 if (show_warnings)
1837 print_warning("bmap extent %i in %s inode %llu "
1838 "overflows AG (end is %u/%u)", i,
1839 typtab[btype].name, (long long)cur_ino,
1840 agno, agbno + c - 1);
1841 break;
1842 }
1843
1844 /* multi-extent blocks require special handling */
1845 if (btype != TYP_DIR2 || mp->m_dir_geo->fsbcount == 1) {
1846 error = process_single_fsb_objects(o, s, c, btype, last);
1847 } else {
1848 error = process_multi_fsb_objects(o, s, c, btype, last);
1849 }
1850 if (error)
1851 return 0;
1852 }
1853
1854 return 1;
1855 }
1856
1857 static int
1858 scanfunc_bmap(
1859 struct xfs_btree_block *block,
1860 xfs_agnumber_t agno,
1861 xfs_agblock_t agbno,
1862 int level,
1863 typnm_t btype,
1864 void *arg) /* ptr to itype */
1865 {
1866 int i;
1867 xfs_bmbt_ptr_t *pp;
1868 int nrecs;
1869
1870 nrecs = be16_to_cpu(block->bb_numrecs);
1871
1872 if (level == 0) {
1873 if (nrecs > mp->m_bmap_dmxr[0]) {
1874 if (show_warnings)
1875 print_warning("invalid numrecs (%u) in %s "
1876 "block %u/%u", nrecs,
1877 typtab[btype].name, agno, agbno);
1878 return 1;
1879 }
1880 return process_bmbt_reclist(XFS_BMBT_REC_ADDR(mp, block, 1),
1881 nrecs, *(typnm_t*)arg);
1882 }
1883
1884 if (nrecs > mp->m_bmap_dmxr[1]) {
1885 if (show_warnings)
1886 print_warning("invalid numrecs (%u) in %s block %u/%u",
1887 nrecs, typtab[btype].name, agno, agbno);
1888 return 1;
1889 }
1890 pp = XFS_BMBT_PTR_ADDR(mp, block, 1, mp->m_bmap_dmxr[1]);
1891 for (i = 0; i < nrecs; i++) {
1892 xfs_agnumber_t ag;
1893 xfs_agblock_t bno;
1894
1895 ag = XFS_FSB_TO_AGNO(mp, get_unaligned_be64(&pp[i]));
1896 bno = XFS_FSB_TO_AGBNO(mp, get_unaligned_be64(&pp[i]));
1897
1898 if (bno == 0 || bno > mp->m_sb.sb_agblocks ||
1899 ag > mp->m_sb.sb_agcount) {
1900 if (show_warnings)
1901 print_warning("invalid block number (%u/%u) "
1902 "in %s block %u/%u", ag, bno,
1903 typtab[btype].name, agno, agbno);
1904 continue;
1905 }
1906
1907 if (!scan_btree(ag, bno, level, btype, arg, scanfunc_bmap))
1908 return 0;
1909 }
1910 return 1;
1911 }
1912
1913 static int
1914 process_btinode(
1915 xfs_dinode_t *dip,
1916 typnm_t itype)
1917 {
1918 xfs_bmdr_block_t *dib;
1919 int i;
1920 xfs_bmbt_ptr_t *pp;
1921 int level;
1922 int nrecs;
1923 int maxrecs;
1924 int whichfork;
1925 typnm_t btype;
1926
1927 whichfork = (itype == TYP_ATTR) ? XFS_ATTR_FORK : XFS_DATA_FORK;
1928 btype = (itype == TYP_ATTR) ? TYP_BMAPBTA : TYP_BMAPBTD;
1929
1930 dib = (xfs_bmdr_block_t *)XFS_DFORK_PTR(dip, whichfork);
1931 level = be16_to_cpu(dib->bb_level);
1932 nrecs = be16_to_cpu(dib->bb_numrecs);
1933
1934 if (level > XFS_BM_MAXLEVELS(mp, whichfork)) {
1935 if (show_warnings)
1936 print_warning("invalid level (%u) in inode %lld %s "
1937 "root", level, (long long)cur_ino,
1938 typtab[btype].name);
1939 return 1;
1940 }
1941
1942 if (level == 0) {
1943 return process_bmbt_reclist(XFS_BMDR_REC_ADDR(dib, 1),
1944 nrecs, itype);
1945 }
1946
1947 maxrecs = xfs_bmdr_maxrecs(XFS_DFORK_SIZE(dip, mp, whichfork), 0);
1948 if (nrecs > maxrecs) {
1949 if (show_warnings)
1950 print_warning("invalid numrecs (%u) in inode %lld %s "
1951 "root", nrecs, (long long)cur_ino,
1952 typtab[btype].name);
1953 return 1;
1954 }
1955
1956 pp = XFS_BMDR_PTR_ADDR(dib, 1, maxrecs);
1957 for (i = 0; i < nrecs; i++) {
1958 xfs_agnumber_t ag;
1959 xfs_agblock_t bno;
1960
1961 ag = XFS_FSB_TO_AGNO(mp, get_unaligned_be64(&pp[i]));
1962 bno = XFS_FSB_TO_AGBNO(mp, get_unaligned_be64(&pp[i]));
1963
1964 if (bno == 0 || bno > mp->m_sb.sb_agblocks ||
1965 ag > mp->m_sb.sb_agcount) {
1966 if (show_warnings)
1967 print_warning("invalid block number (%u/%u) "
1968 "in inode %llu %s root", ag,
1969 bno, (long long)cur_ino,
1970 typtab[btype].name);
1971 continue;
1972 }
1973
1974 if (!scan_btree(ag, bno, level, btype, &itype, scanfunc_bmap))
1975 return 0;
1976 }
1977 return 1;
1978 }
1979
1980 static int
1981 process_exinode(
1982 xfs_dinode_t *dip,
1983 typnm_t itype)
1984 {
1985 int whichfork;
1986 int used;
1987 xfs_extnum_t nex;
1988
1989 whichfork = (itype == TYP_ATTR) ? XFS_ATTR_FORK : XFS_DATA_FORK;
1990
1991 nex = XFS_DFORK_NEXTENTS(dip, whichfork);
1992 used = nex * sizeof(xfs_bmbt_rec_t);
1993 if (nex < 0 || used > XFS_DFORK_SIZE(dip, mp, whichfork)) {
1994 if (show_warnings)
1995 print_warning("bad number of extents %d in inode %lld",
1996 nex, (long long)cur_ino);
1997 return 1;
1998 }
1999
2000 /* Zero unused data fork past used extents */
2001 if (zero_stale_data && (used < XFS_DFORK_SIZE(dip, mp, whichfork)))
2002 memset(XFS_DFORK_PTR(dip, whichfork) + used, 0,
2003 XFS_DFORK_SIZE(dip, mp, whichfork) - used);
2004
2005
2006 return process_bmbt_reclist((xfs_bmbt_rec_t *)XFS_DFORK_PTR(dip,
2007 whichfork), nex, itype);
2008 }
2009
2010 static int
2011 process_inode_data(
2012 xfs_dinode_t *dip,
2013 typnm_t itype)
2014 {
2015 switch (dip->di_format) {
2016 case XFS_DINODE_FMT_LOCAL:
2017 if (obfuscate || zero_stale_data)
2018 switch (itype) {
2019 case TYP_DIR2:
2020 process_sf_dir(dip);
2021 break;
2022
2023 case TYP_SYMLINK:
2024 process_sf_symlink(dip);
2025 break;
2026
2027 default: ;
2028 }
2029 break;
2030
2031 case XFS_DINODE_FMT_EXTENTS:
2032 return process_exinode(dip, itype);
2033
2034 case XFS_DINODE_FMT_BTREE:
2035 return process_btinode(dip, itype);
2036 }
2037 return 1;
2038 }
2039
2040 /*
2041 * when we process the inode, we may change the data in the data and/or
2042 * attribute fork if they are in short form and we are obfuscating names.
2043 * In this case we need to recalculate the CRC of the inode, but we should
2044 * only do that if the CRC in the inode is good to begin with. If the crc
2045 * is not ok, we just leave it alone.
2046 */
2047 static int
2048 process_inode(
2049 xfs_agnumber_t agno,
2050 xfs_agino_t agino,
2051 xfs_dinode_t *dip,
2052 bool free_inode)
2053 {
2054 int success;
2055 bool crc_was_ok = false; /* no recalc by default */
2056 bool need_new_crc = false;
2057
2058 success = 1;
2059 cur_ino = XFS_AGINO_TO_INO(mp, agno, agino);
2060
2061 /* we only care about crc recalculation if we will modify the inode. */
2062 if (obfuscate || zero_stale_data) {
2063 crc_was_ok = xfs_verify_cksum((char *)dip,
2064 mp->m_sb.sb_inodesize,
2065 offsetof(struct xfs_dinode, di_crc));
2066 }
2067
2068 if (free_inode) {
2069 if (zero_stale_data) {
2070 /* Zero all of the inode literal area */
2071 memset(XFS_DFORK_DPTR(dip), 0,
2072 XFS_LITINO(mp, dip->di_version));
2073 }
2074 goto done;
2075 }
2076
2077 /* copy appropriate data fork metadata */
2078 switch (be16_to_cpu(dip->di_mode) & S_IFMT) {
2079 case S_IFDIR:
2080 success = process_inode_data(dip, TYP_DIR2);
2081 if (dip->di_format == XFS_DINODE_FMT_LOCAL)
2082 need_new_crc = 1;
2083 break;
2084 case S_IFLNK:
2085 success = process_inode_data(dip, TYP_SYMLINK);
2086 if (dip->di_format == XFS_DINODE_FMT_LOCAL)
2087 need_new_crc = 1;
2088 break;
2089 case S_IFREG:
2090 success = process_inode_data(dip, TYP_DATA);
2091 break;
2092 default: ;
2093 }
2094 nametable_clear();
2095
2096 /* copy extended attributes if they exist and forkoff is valid */
2097 if (success &&
2098 XFS_DFORK_DSIZE(dip, mp) < XFS_LITINO(mp, dip->di_version)) {
2099 attr_data.remote_val_count = 0;
2100 switch (dip->di_aformat) {
2101 case XFS_DINODE_FMT_LOCAL:
2102 need_new_crc = 1;
2103 if (obfuscate || zero_stale_data)
2104 process_sf_attr(dip);
2105 break;
2106
2107 case XFS_DINODE_FMT_EXTENTS:
2108 success = process_exinode(dip, TYP_ATTR);
2109 break;
2110
2111 case XFS_DINODE_FMT_BTREE:
2112 success = process_btinode(dip, TYP_ATTR);
2113 break;
2114 }
2115 nametable_clear();
2116 }
2117
2118 done:
2119 /* Heavy handed but low cost; just do it as a catch-all. */
2120 if (zero_stale_data)
2121 need_new_crc = 1;
2122
2123 if (crc_was_ok && need_new_crc)
2124 libxfs_dinode_calc_crc(mp, dip);
2125 return success;
2126 }
2127
2128 static __uint32_t inodes_copied = 0;
2129
2130 static int
2131 copy_inode_chunk(
2132 xfs_agnumber_t agno,
2133 xfs_inobt_rec_t *rp)
2134 {
2135 xfs_agino_t agino;
2136 int off;
2137 xfs_agblock_t agbno;
2138 xfs_agblock_t end_agbno;
2139 int i;
2140 int rval = 0;
2141 int blks_per_buf;
2142 int inodes_per_buf;
2143 int ioff;
2144
2145 agino = be32_to_cpu(rp->ir_startino);
2146 agbno = XFS_AGINO_TO_AGBNO(mp, agino);
2147 end_agbno = agbno + mp->m_ialloc_blks;
2148 off = XFS_INO_TO_OFFSET(mp, agino);
2149
2150 /*
2151 * If the fs supports sparse inode records, we must process inodes a
2152 * cluster at a time because that is the sparse allocation granularity.
2153 * Otherwise, we risk CRC corruption errors on reads of inode chunks.
2154 *
2155 * Also make sure that that we don't process more than the single record
2156 * we've been passed (large block sizes can hold multiple inode chunks).
2157 */
2158 if (xfs_sb_version_hassparseinodes(&mp->m_sb))
2159 blks_per_buf = xfs_icluster_size_fsb(mp);
2160 else
2161 blks_per_buf = mp->m_ialloc_blks;
2162 inodes_per_buf = min(blks_per_buf << mp->m_sb.sb_inopblog,
2163 XFS_INODES_PER_CHUNK);
2164
2165 /*
2166 * Sanity check that we only process a single buffer if ir_startino has
2167 * a buffer offset. A non-zero offset implies that the entire chunk lies
2168 * within a block.
2169 */
2170 if (off && inodes_per_buf != XFS_INODES_PER_CHUNK) {
2171 print_warning("bad starting inode offset %d", off);
2172 return 0;
2173 }
2174
2175 if (agino == 0 || agino == NULLAGINO || !valid_bno(agno, agbno) ||
2176 !valid_bno(agno, XFS_AGINO_TO_AGBNO(mp,
2177 agino + XFS_INODES_PER_CHUNK - 1))) {
2178 if (show_warnings)
2179 print_warning("bad inode number %llu (%u/%u)",
2180 XFS_AGINO_TO_INO(mp, agno, agino), agno, agino);
2181 return 1;
2182 }
2183
2184 /*
2185 * check for basic assumptions about inode chunks, and if any
2186 * assumptions fail, don't process the inode chunk.
2187 */
2188 if ((mp->m_sb.sb_inopblock <= XFS_INODES_PER_CHUNK && off != 0) ||
2189 (mp->m_sb.sb_inopblock > XFS_INODES_PER_CHUNK &&
2190 off % XFS_INODES_PER_CHUNK != 0) ||
2191 (xfs_sb_version_hasalign(&mp->m_sb) &&
2192 mp->m_sb.sb_inoalignmt != 0 &&
2193 agbno % mp->m_sb.sb_inoalignmt != 0)) {
2194 if (show_warnings)
2195 print_warning("badly aligned inode (start = %llu)",
2196 XFS_AGINO_TO_INO(mp, agno, agino));
2197 return 1;
2198 }
2199
2200 push_cur();
2201 ioff = 0;
2202 while (agbno < end_agbno && ioff < XFS_INODES_PER_CHUNK) {
2203 if (xfs_inobt_is_sparse_disk(rp, ioff))
2204 goto next_bp;
2205
2206 set_cur(&typtab[TYP_INODE], XFS_AGB_TO_DADDR(mp, agno, agbno),
2207 XFS_FSB_TO_BB(mp, blks_per_buf), DB_RING_IGN, NULL);
2208 if (iocur_top->data == NULL) {
2209 print_warning("cannot read inode block %u/%u",
2210 agno, agbno);
2211 rval = !stop_on_read_error;
2212 goto pop_out;
2213 }
2214
2215 for (i = 0; i < inodes_per_buf; i++) {
2216 xfs_dinode_t *dip;
2217
2218 dip = (xfs_dinode_t *)((char *)iocur_top->data +
2219 ((off + i) << mp->m_sb.sb_inodelog));
2220
2221 /* process_inode handles free inodes, too */
2222 if (!process_inode(agno, agino + ioff + i, dip,
2223 XFS_INOBT_IS_FREE_DISK(rp, i)))
2224 goto pop_out;
2225
2226 inodes_copied++;
2227 }
2228
2229 if (write_buf(iocur_top))
2230 goto pop_out;
2231
2232 next_bp:
2233 agbno += blks_per_buf;
2234 ioff += inodes_per_buf;
2235 }
2236
2237 if (show_progress)
2238 print_progress("Copied %u of %u inodes (%u of %u AGs)",
2239 inodes_copied, mp->m_sb.sb_icount, agno,
2240 mp->m_sb.sb_agcount);
2241 rval = 1;
2242 pop_out:
2243 pop_cur();
2244 return rval;
2245 }
2246
2247 static int
2248 scanfunc_ino(
2249 struct xfs_btree_block *block,
2250 xfs_agnumber_t agno,
2251 xfs_agblock_t agbno,
2252 int level,
2253 typnm_t btype,
2254 void *arg)
2255 {
2256 xfs_inobt_rec_t *rp;
2257 xfs_inobt_ptr_t *pp;
2258 int i;
2259 int numrecs;
2260 int finobt = *(int *) arg;
2261
2262 numrecs = be16_to_cpu(block->bb_numrecs);
2263
2264 if (level == 0) {
2265 if (numrecs > mp->m_inobt_mxr[0]) {
2266 if (show_warnings)
2267 print_warning("invalid numrecs %d in %s "
2268 "block %u/%u", numrecs,
2269 typtab[btype].name, agno, agbno);
2270 numrecs = mp->m_inobt_mxr[0];
2271 }
2272
2273 /*
2274 * Only copy the btree blocks for the finobt. The inobt scan
2275 * copies the inode chunks.
2276 */
2277 if (finobt)
2278 return 1;
2279
2280 rp = XFS_INOBT_REC_ADDR(mp, block, 1);
2281 for (i = 0; i < numrecs; i++, rp++) {
2282 if (!copy_inode_chunk(agno, rp))
2283 return 0;
2284 }
2285 return 1;
2286 }
2287
2288 if (numrecs > mp->m_inobt_mxr[1]) {
2289 if (show_warnings)
2290 print_warning("invalid numrecs %d in %s block %u/%u",
2291 numrecs, typtab[btype].name, agno, agbno);
2292 numrecs = mp->m_inobt_mxr[1];
2293 }
2294
2295 pp = XFS_INOBT_PTR_ADDR(mp, block, 1, mp->m_inobt_mxr[1]);
2296 for (i = 0; i < numrecs; i++) {
2297 if (!valid_bno(agno, be32_to_cpu(pp[i]))) {
2298 if (show_warnings)
2299 print_warning("invalid block number (%u/%u) "
2300 "in %s block %u/%u",
2301 agno, be32_to_cpu(pp[i]),
2302 typtab[btype].name, agno, agbno);
2303 continue;
2304 }
2305 if (!scan_btree(agno, be32_to_cpu(pp[i]), level,
2306 btype, arg, scanfunc_ino))
2307 return 0;
2308 }
2309 return 1;
2310 }
2311
2312 static int
2313 copy_inodes(
2314 xfs_agnumber_t agno,
2315 xfs_agi_t *agi)
2316 {
2317 xfs_agblock_t root;
2318 int levels;
2319 int finobt = 0;
2320
2321 root = be32_to_cpu(agi->agi_root);
2322 levels = be32_to_cpu(agi->agi_level);
2323
2324 /* validate root and levels before processing the tree */
2325 if (root == 0 || root > mp->m_sb.sb_agblocks) {
2326 if (show_warnings)
2327 print_warning("invalid block number (%u) in inobt "
2328 "root in agi %u", root, agno);
2329 return 1;
2330 }
2331 if (levels >= XFS_BTREE_MAXLEVELS) {
2332 if (show_warnings)
2333 print_warning("invalid level (%u) in inobt root "
2334 "in agi %u", levels, agno);
2335 return 1;
2336 }
2337
2338 if (!scan_btree(agno, root, levels, TYP_INOBT, &finobt, scanfunc_ino))
2339 return 0;
2340
2341 if (xfs_sb_version_hasfinobt(&mp->m_sb)) {
2342 root = be32_to_cpu(agi->agi_free_root);
2343 levels = be32_to_cpu(agi->agi_free_level);
2344
2345 finobt = 1;
2346 if (!scan_btree(agno, root, levels, TYP_INOBT, &finobt,
2347 scanfunc_ino))
2348 return 0;
2349 }
2350
2351 return 1;
2352 }
2353
2354 static int
2355 scan_ag(
2356 xfs_agnumber_t agno)
2357 {
2358 xfs_agf_t *agf;
2359 xfs_agi_t *agi;
2360 int stack_count = 0;
2361 int rval = 0;
2362
2363 /* copy the superblock of the AG */
2364 push_cur();
2365 stack_count++;
2366 set_cur(&typtab[TYP_SB], XFS_AG_DADDR(mp, agno, XFS_SB_DADDR),
2367 XFS_FSS_TO_BB(mp, 1), DB_RING_IGN, NULL);
2368 if (!iocur_top->data) {
2369 print_warning("cannot read superblock for ag %u", agno);
2370 if (stop_on_read_error)
2371 goto pop_out;
2372 } else {
2373 /* Replace any filesystem label with "L's" */
2374 if (obfuscate) {
2375 struct xfs_sb *sb = iocur_top->data;
2376 memset(sb->sb_fname, 'L',
2377 min(strlen(sb->sb_fname), sizeof(sb->sb_fname)));
2378 iocur_top->need_crc = 1;
2379 }
2380 if (write_buf(iocur_top))
2381 goto pop_out;
2382 }
2383
2384 /* copy the AG free space btree root */
2385 push_cur();
2386 stack_count++;
2387 set_cur(&typtab[TYP_AGF], XFS_AG_DADDR(mp, agno, XFS_AGF_DADDR(mp)),
2388 XFS_FSS_TO_BB(mp, 1), DB_RING_IGN, NULL);
2389 agf = iocur_top->data;
2390 if (iocur_top->data == NULL) {
2391 print_warning("cannot read agf block for ag %u", agno);
2392 if (stop_on_read_error)
2393 goto pop_out;
2394 } else {
2395 if (write_buf(iocur_top))
2396 goto pop_out;
2397 }
2398
2399 /* copy the AG inode btree root */
2400 push_cur();
2401 stack_count++;
2402 set_cur(&typtab[TYP_AGI], XFS_AG_DADDR(mp, agno, XFS_AGI_DADDR(mp)),
2403 XFS_FSS_TO_BB(mp, 1), DB_RING_IGN, NULL);
2404 agi = iocur_top->data;
2405 if (iocur_top->data == NULL) {
2406 print_warning("cannot read agi block for ag %u", agno);
2407 if (stop_on_read_error)
2408 goto pop_out;
2409 } else {
2410 if (write_buf(iocur_top))
2411 goto pop_out;
2412 }
2413
2414 /* copy the AG free list header */
2415 push_cur();
2416 stack_count++;
2417 set_cur(&typtab[TYP_AGFL], XFS_AG_DADDR(mp, agno, XFS_AGFL_DADDR(mp)),
2418 XFS_FSS_TO_BB(mp, 1), DB_RING_IGN, NULL);
2419 if (iocur_top->data == NULL) {
2420 print_warning("cannot read agfl block for ag %u", agno);
2421 if (stop_on_read_error)
2422 goto pop_out;
2423 } else {
2424 if (agf && zero_stale_data) {
2425 /* Zero out unused bits of agfl */
2426 int i;
2427 __be32 *agfl_bno;
2428
2429 agfl_bno = XFS_BUF_TO_AGFL_BNO(mp, iocur_top->bp);
2430 i = be32_to_cpu(agf->agf_fllast);
2431
2432 for (;;) {
2433 if (++i == XFS_AGFL_SIZE(mp))
2434 i = 0;
2435 if (i == be32_to_cpu(agf->agf_flfirst))
2436 break;
2437 agfl_bno[i] = cpu_to_be32(NULLAGBLOCK);
2438 }
2439 iocur_top->need_crc = 1;
2440 }
2441 if (write_buf(iocur_top))
2442 goto pop_out;
2443 }
2444
2445 /* copy AG free space btrees */
2446 if (agf) {
2447 if (show_progress)
2448 print_progress("Copying free space trees of AG %u",
2449 agno);
2450 if (!copy_free_bno_btree(agno, agf))
2451 goto pop_out;
2452 if (!copy_free_cnt_btree(agno, agf))
2453 goto pop_out;
2454 }
2455
2456 /* copy inode btrees and the inodes and their associated metadata */
2457 if (agi) {
2458 if (!copy_inodes(agno, agi))
2459 goto pop_out;
2460 }
2461 rval = 1;
2462 pop_out:
2463 while (stack_count--)
2464 pop_cur();
2465 return rval;
2466 }
2467
2468 static int
2469 copy_ino(
2470 xfs_ino_t ino,
2471 typnm_t itype)
2472 {
2473 xfs_agnumber_t agno;
2474 xfs_agblock_t agbno;
2475 xfs_agino_t agino;
2476 int offset;
2477 int rval = 0;
2478
2479 if (ino == 0 || ino == NULLFSINO)
2480 return 1;
2481
2482 agno = XFS_INO_TO_AGNO(mp, ino);
2483 agino = XFS_INO_TO_AGINO(mp, ino);
2484 agbno = XFS_AGINO_TO_AGBNO(mp, agino);
2485 offset = XFS_AGINO_TO_OFFSET(mp, agino);
2486
2487 if (agno >= mp->m_sb.sb_agcount || agbno >= mp->m_sb.sb_agblocks ||
2488 offset >= mp->m_sb.sb_inopblock) {
2489 if (show_warnings)
2490 print_warning("invalid %s inode number (%lld)",
2491 typtab[itype].name, (long long)ino);
2492 return 1;
2493 }
2494
2495 push_cur();
2496 set_cur(&typtab[TYP_INODE], XFS_AGB_TO_DADDR(mp, agno, agbno),
2497 blkbb, DB_RING_IGN, NULL);
2498 if (iocur_top->data == NULL) {
2499 print_warning("cannot read %s inode %lld",
2500 typtab[itype].name, (long long)ino);
2501 rval = !stop_on_read_error;
2502 goto pop_out;
2503 }
2504 off_cur(offset << mp->m_sb.sb_inodelog, mp->m_sb.sb_inodesize);
2505
2506 cur_ino = ino;
2507 rval = process_inode_data(iocur_top->data, itype);
2508 pop_out:
2509 pop_cur();
2510 return rval;
2511 }
2512
2513
2514 static int
2515 copy_sb_inodes(void)
2516 {
2517 if (!copy_ino(mp->m_sb.sb_rbmino, TYP_RTBITMAP))
2518 return 0;
2519
2520 if (!copy_ino(mp->m_sb.sb_rsumino, TYP_RTSUMMARY))
2521 return 0;
2522
2523 if (!copy_ino(mp->m_sb.sb_uquotino, TYP_DQBLK))
2524 return 0;
2525
2526 if (!copy_ino(mp->m_sb.sb_gquotino, TYP_DQBLK))
2527 return 0;
2528
2529 return copy_ino(mp->m_sb.sb_pquotino, TYP_DQBLK);
2530 }
2531
2532 static int
2533 copy_log(void)
2534 {
2535 struct xlog log;
2536 int dirty;
2537 xfs_daddr_t logstart;
2538 int logblocks;
2539 int logversion;
2540 int cycle = XLOG_INIT_CYCLE;
2541
2542 if (show_progress)
2543 print_progress("Copying log");
2544
2545 push_cur();
2546 set_cur(&typtab[TYP_LOG], XFS_FSB_TO_DADDR(mp, mp->m_sb.sb_logstart),
2547 mp->m_sb.sb_logblocks * blkbb, DB_RING_IGN, NULL);
2548 if (iocur_top->data == NULL) {
2549 pop_cur();
2550 print_warning("cannot read log");
2551 return !stop_on_read_error;
2552 }
2553
2554 /* If not obfuscating or zeroing, just copy the log as it is */
2555 if (!obfuscate && !zero_stale_data)
2556 goto done;
2557
2558 dirty = xlog_is_dirty(mp, &log, &x, 0);
2559
2560 switch (dirty) {
2561 case 0:
2562 /* clear out a clean log */
2563 if (show_progress)
2564 print_progress("Zeroing clean log");
2565
2566 logstart = XFS_FSB_TO_DADDR(mp, mp->m_sb.sb_logstart);
2567 logblocks = XFS_FSB_TO_BB(mp, mp->m_sb.sb_logblocks);
2568 logversion = xfs_sb_version_haslogv2(&mp->m_sb) ? 2 : 1;
2569 if (xfs_sb_version_hascrc(&mp->m_sb))
2570 cycle = log.l_curr_cycle + 1;
2571
2572 libxfs_log_clear(NULL, iocur_top->data, logstart, logblocks,
2573 &mp->m_sb.sb_uuid, logversion,
2574 mp->m_sb.sb_logsunit, XLOG_FMT, cycle, true);
2575 break;
2576 case 1:
2577 /* keep the dirty log */
2578 print_warning(
2579 _("Filesystem log is dirty; image will contain unobfuscated metadata in log."));
2580 break;
2581 case -1:
2582 /* log detection error */
2583 print_warning(
2584 _("Could not discern log; image will contain unobfuscated metadata in log."));
2585 break;
2586 }
2587
2588 done:
2589 return !write_buf(iocur_top);
2590 }
2591
2592 static int
2593 metadump_f(
2594 int argc,
2595 char **argv)
2596 {
2597 xfs_agnumber_t agno;
2598 int c;
2599 int start_iocur_sp;
2600 char *p;
2601
2602 exitcode = 1;
2603 show_progress = 0;
2604 show_warnings = 0;
2605 stop_on_read_error = 0;
2606
2607 if (mp->m_sb.sb_magicnum != XFS_SB_MAGIC) {
2608 print_warning("bad superblock magic number %x, giving up",
2609 mp->m_sb.sb_magicnum);
2610 return 0;
2611 }
2612
2613 while ((c = getopt(argc, argv, "aegm:ow")) != EOF) {
2614 switch (c) {
2615 case 'a':
2616 zero_stale_data = 0;
2617 break;
2618 case 'e':
2619 stop_on_read_error = 1;
2620 break;
2621 case 'g':
2622 show_progress = 1;
2623 break;
2624 case 'm':
2625 max_extent_size = (int)strtol(optarg, &p, 0);
2626 if (*p != '\0' || max_extent_size <= 0) {
2627 print_warning("bad max extent size %s",
2628 optarg);
2629 return 0;
2630 }
2631 break;
2632 case 'o':
2633 obfuscate = 0;
2634 break;
2635 case 'w':
2636 show_warnings = 1;
2637 break;
2638 default:
2639 print_warning("bad option for metadump command");
2640 return 0;
2641 }
2642 }
2643
2644 if (optind != argc - 1) {
2645 print_warning("too few options for metadump (no filename given)");
2646 return 0;
2647 }
2648
2649 metablock = (xfs_metablock_t *)calloc(BBSIZE + 1, BBSIZE);
2650 if (metablock == NULL) {
2651 print_warning("memory allocation failure");
2652 return 0;
2653 }
2654 metablock->mb_blocklog = BBSHIFT;
2655 metablock->mb_magic = cpu_to_be32(XFS_MD_MAGIC);
2656
2657 block_index = (__be64 *)((char *)metablock + sizeof(xfs_metablock_t));
2658 block_buffer = (char *)metablock + BBSIZE;
2659 num_indicies = (BBSIZE - sizeof(xfs_metablock_t)) / sizeof(__be64);
2660 cur_index = 0;
2661 start_iocur_sp = iocur_sp;
2662
2663 if (strcmp(argv[optind], "-") == 0) {
2664 if (isatty(fileno(stdout))) {
2665 print_warning("cannot write to a terminal");
2666 free(metablock);
2667 return 0;
2668 }
2669 outf = stdout;
2670 } else {
2671 outf = fopen(argv[optind], "wb");
2672 if (outf == NULL) {
2673 print_warning("cannot create dump file");
2674 free(metablock);
2675 return 0;
2676 }
2677 }
2678
2679 exitcode = 0;
2680
2681 for (agno = 0; agno < mp->m_sb.sb_agcount; agno++) {
2682 if (!scan_ag(agno)) {
2683 exitcode = 1;
2684 break;
2685 }
2686 }
2687
2688 /* copy realtime and quota inode contents */
2689 if (!exitcode)
2690 exitcode = !copy_sb_inodes();
2691
2692 /* copy log if it's internal */
2693 if ((mp->m_sb.sb_logstart != 0) && !exitcode)
2694 exitcode = !copy_log();
2695
2696 /* write the remaining index */
2697 if (!exitcode)
2698 exitcode = write_index() < 0;
2699
2700 if (progress_since_warning)
2701 fputc('\n', (outf == stdout) ? stderr : stdout);
2702
2703 if (outf != stdout)
2704 fclose(outf);
2705
2706 /* cleanup iocur stack */
2707 while (iocur_sp > start_iocur_sp)
2708 pop_cur();
2709
2710 free(metablock);
2711
2712 return 0;
2713 }
Unnamed repository; edit this file 'description' to name the repository.