Theodore Ts'o [Fri, 20 Dec 2019 00:45:06 +0000 (19:45 -0500)]
e2fsck: don't try to rehash a deleted directory
If directory has been deleted in pass1[bcd] processing, then we
shouldn't try to rehash the directory in pass 3a when we try to
rehash/reoptimize directories.
Theodore Ts'o [Fri, 20 Dec 2019 00:37:34 +0000 (19:37 -0500)]
e2fsck: abort if there is a corrupted directory block when rehashing
In e2fsck pass 3a, when we are rehashing directories, at least in
theory, all of the directories should have had corruptions with
respect to directory entry structure fixed. However, it's possible
(for example, if the user declined a fix) that we can reach this stage
of processing with corrupted directory entries.
So check for that case and don't try to process a corrupted directory
block so we don't run into trouble in mutate_name() if there is a
zero-length file name.
Theodore Ts'o [Sat, 14 Dec 2019 04:30:53 +0000 (23:30 -0500)]
e2fsck: optimize away repeated calls to gettext()
Optimize _("getting next inode from scan") so it is not called for
each initialized inode in the file system, and make a similar
optimization in pass 2 for each directory block.
Theodore Ts'o [Sat, 23 Nov 2019 04:27:47 +0000 (23:27 -0500)]
Add a program to test images provided by UBSAN fuzzing reports
This program calls a few ext2fs library functions used by the current
generation of libext2fs fuzzers, and is helpful in reproducing UBSAN
failures reported externally.
Darrick J. Wong [Wed, 20 Nov 2019 19:32:55 +0000 (11:32 -0800)]
tune2fs: prohibit toggling uninit_bg on live filesystems
An internal customer followed an erroneous AskUbuntu article[1] to try to
change the UUID of a live ext4 filesystem. The article claims that you
can work around tune2fs' "cannot change UUID on live fs" error by
disabling uninit_bg, changing the UUID, and re-enabling the feature.
This led to metadata corruption because tune2fs' journal descriptor
rewrite races with regular filesystem writes. Therefore, prevent
administrators from turning on or off uninit_bg on a mounted fs.
Eric Biggers [Mon, 18 Nov 2019 01:48:48 +0000 (17:48 -0800)]
chattr.1: adjust documentation for encryption attribute
Adjust the documentation for the encryption attribute ('E') to clarify
that encryption isn't experimental anymore and isn't restricted to
regular files, and that the encryption is done by the filesystem.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Theodore Ts'o [Wed, 13 Nov 2019 18:55:29 +0000 (13:55 -0500)]
configure: don't fail if /usr/include/sys/mount.h does not exist
The AX_CHECK_MOUNT_OPT macro fails if /usr/include/sys/mount.h.
Unfortunately, the GNU HURD doesn't have this header file. Drop the
requirement, since if it doesn't exist, the macro will assume that
given mount options don't exist, which for e2fsprogs is used to test
for the existence of the mount options nosuid and nodev. This is
only used for fuse2fs, and HURD doesn't support fuse2fs anyway.
Theodore Ts'o [Sun, 10 Nov 2019 17:11:49 +0000 (12:11 -0500)]
libext2fs/ismounted.c: check device id in advance to skip false device names
If there is a trickster which tries to use device names as the mount
device for pseudo-file systems, the resulting /proc/mounts can confuse
ext2fs_check_mount_point(). (So far as I can tell, there's no good
reason to do this, but sysadmins do the darnedest things.)
An example of this might be the following /proc/mounts excerpt:
This is created via "mount -t tmpfs /dev/sdb /mnt2" followed via
"mount -t ext4 /dev/sdb /mnt". (Normally, a sane mount of tmpfs would
use something like "mount -t tmpfs tmpfs /mnt2".)
Fix this by double checking the st_rdev of the claimed mountpoint and
match it with the dev_t of the device. (Note that the GNU HURD
doesn't support st_rdev, so we can't solve this problem for the HURD.)
Jan Kara [Fri, 18 Oct 2019 12:50:59 +0000 (14:50 +0200)]
resize2fs: make minimum size estimates more reliable for mounted fs
Currently, the estimate of minimum filesystem size is using free blocks
counter in the superblock. The counter generally doesn't get updated
while the filesystem is mounted and thus the estimate is very unreliable
for a mounted filesystem. For some usecases such as automated
partitioning proposal to the user it is desirable that the estimate of
minimum filesystem size is reasonably accurate even for a mounted
filesystem. So use group descriptor counters of free blocks for the
estimate of minimum filesystem size. These get updated together with
block being allocated and so the resulting estimate is more accurate.
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Darrick J. Wong [Tue, 5 Nov 2019 01:54:20 +0000 (17:54 -0800)]
e2scrub_all: fix broken stdin redirection
gregor herrmann reports that the weekly e2scrub cronjob emits these
errors:
/sbin/e2scrub_all: line 173: /proc/8234/fd/pipe:[90083173]: No such file or directory
The root cause of this is that the ls_targets stdout is piped to stdin
to the entire ls_targets loop body to prevent the loop body from reading
the loop iteration items. Remove all the broken hackery by reading the
target list into a bash array and iterating the bash array.
Addresses-Debian-Bug: #944033
Reported-by: gregor herrmann <gregoa@debian.org>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Darrick J. Wong [Tue, 5 Nov 2019 01:54:14 +0000 (17:54 -0800)]
e2scrub_all: don't even reap if the config file doesn't allow it
Dave Chinner complains that the automated on-boot e2scrub reaping takes
a long time (because the lvs command can take a while to run) even
though the automated e2scrub is disabled via e2scrub.conf on his
systems.
We still need the reaping service to kill off stale e2scrub snapshots
after a crash, but it's unnecessary to annoy everyone with slow bootup.
Because we can look for the e2scrub snapshots in /dev/mapper, let's
skip reaping if periodic e2scrub is disabled unless we find evidence of
e2scrub snapshots in /dev.
Reported-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Theodore Ts'o [Mon, 4 Nov 2019 21:43:41 +0000 (16:43 -0500)]
libext2fs: fix bug when reading or writing more than 2GB in unix_io
If count * block_size exceeds 2GB, we will overflow a 32-bit signed
integer value. This shouldn't happen in practice except for
fuzz-corrupted file systems, but let's fix the code so it's correct.
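The overflow described in the commit above, as an added example that is not e2fsprogs code: a block count times a block size evaluated in 32 bits, next to the same product widened to 64 bits first. The function names and the sample requests are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Value a 32-bit signed product ends up holding on a two's-complement
 * machine. Computed in unsigned arithmetic so this demo has no undefined
 * behaviour; in the real signed expression the overflow is UB in C. */
int64_t product_as_int32(uint32_t count, uint32_t block_size)
{
    uint32_t wrapped = count * block_size;          /* modulo 2^32 */
    return wrapped > INT32_MAX ? (int64_t)wrapped - 4294967296LL
                               : (int64_t)wrapped;
}

/* Widen before multiplying. Stores the byte count and returns 0, or
 * returns -1 for arguments that cannot describe a transfer. */
int io_size_bytes(int count, int block_size, int64_t *size)
{
    if (count < 0 || block_size <= 0 || size == NULL)
        return -1;
    *size = (int64_t)count * block_size;   /* < 2^62, cannot overflow */
    return 0;
}

int main(void)
{
    /* Constructed sample requests: {block count, block size}. */
    static const int req[][2] = {
        { 1000, 4096 }, { 524288, 4096 }, { 1048576, 4096 },
    };
    for (size_t i = 0; i < sizeof(req) / sizeof(req[0]); i++) {
        int64_t size = 0;
        io_size_bytes(req[i][0], req[i][1], &size);
        printf("%7d x %d: int32 %lld, int64 %lld\n", req[i][0], req[i][1],
               (long long)product_as_int32((uint32_t)req[i][0],
                                           (uint32_t)req[i][1]),
               (long long)size);
    }
    return 0;
}
```

A request of exactly 2 GiB wraps to a negative length and one of 4 GiB wraps to zero, so a length computed this way must never reach a buffer-size or I/O call.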
Eric Biggers [Tue, 24 Sep 2019 21:59:10 +0000 (14:59 -0700)]
AOSP: Link to production releases, not testing releases
The testing links are not stable and are not guaranteed to exist.
Test: After re-generating the generated files, the link works now.
Change-Id: I36e73ef74571b3246f470280a75ae1098245eff5
From AOSP commit: 5971f6a5113b12b33d9454229bf27621853e1da7
Eric Biggers [Tue, 24 Sep 2019 21:59:10 +0000 (14:59 -0700)]
AOSP: Add new source files to Android.bp files
Test: see I3781b6d1e55923e9410644e8a7ba834b4d13b733
Change-Id: Ie071b30937dcf73f34df5dc3aa08d23ae30d9c63
From AOSP commit: d2a16e1616b807a6143b9c6232a1c54f90dc06f6
e2scrub_all: make sure fd 3 is closed before running lvm commands
Some versions of cron leave fd 3 open for some unknown reason. So
when e2scrub_all is run by cron (on non-systemd systems) this results
in an annoying message from the Cron Daemon because lvm will print
warning messages about "leaked file descriptors". So force close fd 3
at the beginning of e2scrub and e2scrub_all.
libsupport: add checks to prevent buffer overrun bugs in quota code
A maliciously corrupted file system can trigger buffer overruns in
the quota code used by e2fsck. To fix this, add sanity checks to the
quota header fields as well as to block number references in the quota
tree.
e2fsck: make the low dtime check consistent when using the backup superblock
The backup superblock may have a last mounted time of zero, if it has
never been updated since the file system was created. In that case,
the low dtime check may get disabled when using the backup superblock,
even though subsequent e2fsck runs will end up using the low dtime
check. This can cause a failure of ext4/007, since when e2fsck
is run a second time after the file system is mounted, the low dtime
check will trigger the e2fsck complaint:
Inode NNNN was part of the orphaned inode list. IGNORED.
Theodore Ts'o [Sun, 18 Aug 2019 23:23:07 +0000 (19:23 -0400)]
e2scrub_all: allow scrubbing in vg's whose free space == snapshot size
If the volume group's free space is exactly the same as snapshot size,
e2scrub_all will skip those logical volumes in those volume groups.
Fix this by changing the test from '>' to '>='.
LTO breaks reproducible builds, and there is some question as to how
reliable LTO's code generator is --- there are some scary stories that
it doesn't work well, and the GCC maintainers aren't super-interested
in fixing the bugs:
debian: skip running "make check" if DEB_BUILD_OPTIONS contains nocheck
This was done automatically by debhelper, but it got dropped when
override_dh_auto_test was added by commit 7f4c3bb120 ("debian: run
"make check" with V=1 to keep blhc happy").
debian: add a hard dependency on logsave to e2fsprogs
The initramfs created by the initramfs-tools package needs logsave and
assumes it comes along with e2fsprogs. If it is not present, the
result is systems which will fail to boot. Fix this by adding the
dependency.
In the future initramfs-tools will explicitly ask for logsave (tracked
in Debian Bug: #932854), but we'll need to keep this dependency until
the next stable release of Debian.
e2scrub_all_cron: check to make sure e2scrub_all exists
Since e2scrub_all.cron is marked as a config file, it can hang around
after the package is removed, in which case e2scrub_all might not be
present. So check to make sure e2scrub_all exists before trying to
execute it.
fuse2fs: stop using the nonempty option by default
The nonempty option isn't supported by fuse3, and so if fusermount is
from fuse3, having fuse2fs specify nonempty automatically will prevent
fuse2fs from working correctly.
The strings in e2fsck/problem.c use a special %-expansion scheme,
where %b gets expanded to a block number, %i gets expanded to an inode
number, etc., where these values are in a problem context data
structure. As such, there is no need to use a printf style positional
indicator (e.g., %2$s). Indeed, the use of things like %1$i or %2$b
will cause the %-expansion code to just print %1$i or %2$b, instead of
the inode or block number, respectively.
Addresses-Debian-Bug: #892173
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: Philipp Thomas <pth@suse.de>
Cc: Benno Schulenberg <vertaling@coevern.nl>
Cc: Trần Ngọc Quân <vnwildman@gmail.com>
Cc: Petr Pisar <petr.pisar@atlas.cz>
debian: drop special case CFLAGS for Alpha and PowerMac architectures
Defining HAVE_NETINET_IN_H for Alpha and __NO_STRING_INLINES for the
PowerMac QUICK bootloader date back to over two decades, to 1997 and
1998, respectively. These two architectures are no longer supported
by Debian, and it's not clear they are actually needed in 2019 even
for someone building for these architectures. So let's drop them and
see if anyone complains (or notices).
The e2scrub_all program was broken by commit c7d6525ecaab
("e2scrub_all: refactor device probe loop") so that it would use the
path of the snapshot volume instead of the base volume. This caused
"e2scrub_all -r" to pass the wrong pathname to e2scrub, with the
result that e2scrub would abort with an error instead of removing the
snapshot volume.
debian: drop support for not building the e2fsck-static and udebs packages
The ability to not build udebs packages and e2fsck-static made sense
when we were doing a separate e2fsprogs builds for those packages.
Since we're not doing that any more, we can simplify things by
dropping that flexibility.
debian: stop building a special version of e2fsprogs for e2fsprogs-udeb
Previously, we configured and built a separate version of e2fsprogs
for the e2fsprogs-udeb package. This was important back when we still
cared about build floppies, but going to extra lengths to save 145k of
disk space isn't worth it any more.
e2scrub_all: correctly handle the case where LUKS is stacked on an LV
We handle the case where an LVM's PV is stacked on top of a dm-crypt
device, but not the case where it's the other way around, where an LVM
LV contains a LUKS encrypted file system. Fix this oversight.
Addresses-Debian-Bug: #931387
Reported-by: Marc Haber <mh+debian-bugs@zugschlus.de>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
e2fsck: correctly handle inline directories when large_dir is enabled.
Historically, e2fsck has required that directories not contain holes.
(In fact, as of this writing, ext4 still requires this to be the
case.) Commit ae9efd05a98 ("e2fsck: 3 level hash tree directory
optimization") removed this requirement if the large_dir feature is
enabled; however, the way it was done caused it to incorrectly handle
inline directories.
To reproduce the problem fixed by this commit:
    truncate -s 100000000 ext4.img
    misc/mke2fs -t ext4 -I 512 -O 'inline_data,large_dir' ext4.img
    mkdir m
    sudo mount ext4.img m
    mkdir m/aa
    sudo umount m
    e2fsck/e2fsck -f -n ext4.img
The last command gives this output:
    [root@localhost e2fsprogs-kernel]# e2fsck/e2fsck -f -n ext4-2.img
    e2fsck 1.45.2 (27-May-2019)
    Pass 1: Checking inodes, blocks, and sizes
    Pass 2: Checking directory structure
    Pass 3: Checking directory connectivity
    '..' in /aa (12) is <The NULL inode> (0), should be / (2).
    Fix? no
    Pass 4: Checking reference counts
    Inode 2 ref count is 4, should be 3. Fix? no
    Inode 12 ref count is 2, should be 1. Fix? no
    Pass 5: Checking group summary information
    ext4-2.img: ********** WARNING: Filesystem still has errors **********
Theodore Ts'o [Fri, 7 Jun 2019 17:07:12 +0000 (13:07 -0400)]
Fix posix_memalign and posix_fadvise calls.
Almost all posix_ functions return a positive errno value (without
setting errno) rather than -1 and setting errno. Most calls in this
project were correct, but these two weren't.
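The return convention described in the commit above, as an added example that is not e2fsprogs code: a wrapper that checks posix_memalign() the -1/errno way next to one that uses the returned error number. The wrapper names and the failing input are hypothetical; posix_fadvise() follows the same convention.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Buggy pattern: treats posix_memalign() like a -1/errno call. The
 * failure branch is never taken, so errors are reported as success. */
int alloc_aligned_buggy(void **out, size_t align, size_t size)
{
    *out = NULL;
    if (posix_memalign(out, align, size) < 0)
        return errno;
    return 0;
}

/* Correct pattern: the return value is the error number itself. */
int alloc_aligned(void **out, size_t align, size_t size)
{
    *out = NULL;
    return posix_memalign(out, align, size);
}

int main(void)
{
    void *p;
    /* Constructed failing input: 3 is not a power of two, so the call
     * must fail with EINVAL. */
    printf("buggy wrapper reports:   %d\n", alloc_aligned_buggy(&p, 3, 64));
    int err = alloc_aligned(&p, 3, 64);
    printf("correct wrapper reports: %d (%s)\n", err, strerror(err));
    err = alloc_aligned(&p, 64, 4096);
    printf("valid request reports:   %d\n", err);
    free(p);
    return 0;
}
```

A caller of the buggy wrapper sees success and goes on to use a pointer that was never allocated, which is why the check has to be on a nonzero return value.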
Darrick J. Wong [Tue, 4 Jun 2019 04:27:12 +0000 (21:27 -0700)]
e2scrub: remove -C from e2scrub_all
We already have the "SERVICE_MODE=1" feature that signals to e2scrub
that we're running as a background daemon and therefore we should exit
quietly if conditions aren't right.
It's therefore unnecessary to have a separate -C flag to achieve the
same outcome for cron jobs. Merge the two together.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>