Commit Graph

55 Commits

Author SHA1 Message Date
Jessica Clarke
5b13fa7987 ufs: Rework shortlink handling to avoid subobject overflows
Shortlinks occupy the space of both di_db and di_ib when used. However,
everywhere that wants to read or write a shortlink takes a pointer to
di_db and promptly runs off the end of it into di_ib. This is fine on
most architectures, if a little dodgy. However, on CHERI, the compiler
can optionally restrict the bounds on pointers to subobjects to just
that subobject, in order to mitigate intra-object buffer overflows, and
this is enabled in CheriBSD's pure-capability kernels.

Instead, clean this up by inserting a union such that a new di_shortlink
can be added with the right size and element type, avoiding the need to
cast and allowing the use of the DIP macro to access the field. This
also mirrors how the ext2fs code implements extents support, with the
exact same structure other than having a uint32_t i_data[] instead of a
char di_shortlink[].

Reviewed by:	mckusick, jhb
Differential Revision:	https://reviews.freebsd.org/D33650
2022-01-02 20:55:36 +00:00
Kirk McKusick
efe145a745 Correct assert added to dump program.
The dump program was exiting with the message:

Assertion failed: (spcl.c_count + blks < TP_NINDIR), function appendextdata, file /usr/src/sbin/dump/traverse.c, line 759.

The problem arose when dumping external attributes.

This assertion was added in this commit with no review by someone
with expertise in the dump program:

    commit 2d518c6518
    Author:     Warner Losh <imp@FreeBSD.org>
    AuthorDate: Mon Jun 11 19:32:36 2018 +0000
    Commit:     Warner Losh <imp@FreeBSD.org>
    CommitDate: Mon Jun 11 19:32:36 2018 +0000

	Add asserts to prevent overflows of c_addr.

It is clearly wrong as the statement immediately above it in the
code which is deciding if the data will fit is:

	if (spcl.c_count + blks > TP_NINDIR)
		return (0);

As is pointed out in the bug report, the assert should be:

	(spcl.c_count + blks <= TP_NINDIR)

This commit corrects the assert. I am sorry that it took so long to
be brought to my attention and get fixed.

Reported by:  Hampton Finger
PR:           244470
MFC after:    3 days
Sponsored by: Netflix
2021-05-17 16:34:53 -07:00
Kirk McKusick
07436eeb49 Fix build break from dump incompatibility I introduced in -r340411
Pointy-hat to: mckusick
2018-11-14 00:21:52 +00:00
Gleb Smirnoff
d4f7db4764 Plug build break after r340411. 2018-11-13 23:44:27 +00:00
Warner Losh
2d518c6518 Add asserts to prevent overflows of c_addr.
Add some asserts that prevent the overflows of c_addr. This can't
happen, absent bugs. However, certain large filesystems can cause
problems. These have been prevented by r334968, but a solution
is needed. These asserts will help assure that solution is correct.

PR: 228807
Reviewed by: db
2018-06-11 19:32:36 +00:00
Ed Maste
d8ba45e213 Revert r313780 (UFS_ prefix) 2018-03-17 12:59:55 +00:00
Ed Maste
1e2b9afca9 Prefix UFS symbols with UFS_ to reduce namespace pollution
Followup to r313780.  Also prefix ext2's and nandfs's versions with
EXT2_ and NANDFS_.

Reported by:	kib
Reviewed by:	kib, mckusick
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D9623
2018-03-17 01:48:27 +00:00
Kirk McKusick
a770ae06ed In preparation for converting to libufs to read the superblock,
change conflicting function names:

	getino => getinode
	bread => blkread

No functional change.
2017-12-27 22:18:56 +00:00
Pedro F. Giffuni
8a16b7a18f General further adoption of SPDX licensing ID tags.
Mainly focus on files that use BSD 3-Clause license.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
open source licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
supersede or replace the license texts.

Special thanks to Wind River for providing access to "The Duke of
Highlander" tool: an older (2014) run over FreeBSD tree was useful as a
starting point.
2017-11-20 19:49:47 +00:00
Warner Losh
fbbd9655e5 Renumber copyright clause 4
Renumber clause 4 to 3, per what everybody else did when BSD granted
them permission to remove clause 3. My insistence on keeping the same
numbering for legal reasons is too pedantic, so give up on that point.

Submitted by:	Jan Schaumann <jschauma@stevens.edu>
Pull Request:	https://github.com/freebsd/freebsd/pull/96
2017-02-28 23:42:47 +00:00
Ed Maste
1dc349ab95 prefix UFS symbols with UFS_ to reduce namespace pollution
Specifically:
  ROOTINO -> UFS_ROOTINO
  WINO -> UFS_WINO
  NXADDR -> UFS_NXADDR
  NDADDR -> UFS_NDADDR
  NIADDR -> UFS_NIADDR
  MAXSYMLINKLEN_UFS[12] -> UFS[12]_MAXSYMLINKLEN (for consistency)

Also prefix ext2's and nandfs's NDADDR and NIADDR with EXT2_ and NANDFS_

Reviewed by:	kib, mckusick
Obtained from:	NetBSD
MFC after:	1 month
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D9536
2017-02-15 19:50:26 +00:00
Marcelo Araujo
0b410d9c57 Use NULL instead of 0.
malloc will return NULL in case it cannot allocate memory.

MFC after:	2 weeks.
2016-04-19 01:01:22 +00:00
Hiroki Sato
adbc0311a3 Fix a bug which could break extended attributes in a dump output.
This occurred when a file was >892kB long and had a large data (>1kB)
in the extended attributes.

Reported by:	Masashi Toriumi
Reviewed by:	mckusick
2014-09-10 22:37:20 +00:00
Matthew D Fleming
e25a029eb2 Fix sbin/ build with a 64-bit ino_t.
Original code by:	Gleb Kurtsou
2012-09-27 23:31:06 +00:00
Kirk McKusick
693c40a39a When using dump to generate level 0 dumps which are then rsync'ed
to a remote machine, the fact that the dump date is stored with
each header (inode) record makes rsync significantly less efficient
than necessary. This also applies to inode access times when they
are not important data to retain. When implementing an offsite
backup solution of this type, these dates in particular are not
important, especially if it prevents effective offsite backups.

PR:           bin/91049
Submitted by: Forrest W Christian <fwc@mt.net>
2008-05-23 23:13:14 +00:00
Thomas Quinot
993425ee98 (bread): For a read that is contained entirely within a block, never copy
out more than size bytes to the caller's buffer.

PR:		bin/111191
Reviewed by:	pb
MFC after:	1 week
2007-04-05 20:31:23 +00:00
Kirk McKusick
3ec818266f Fix an error in dumping large sparse files containing extended attributes. 2007-02-27 07:28:17 +00:00
Kirk McKusick
772ad651bf Update the dump program to save extended attributes. Update
the restore program to restore all dumped extended attributes.

If the restore is running as root, it will always be able
to restore all extended attributes. If it is not running
as root, it makes a best effort to set them. Using the -v
command line flag or the `verbose' command in interactive
mode will display all the extended attributes being set on
files (and at the end on directories) that are being restored.
It will note any extended attributes that could not be set.

The extended attributes are placed on the dump image immediately
following each file's data. Older versions of restore can work
with the newer dump images. Old versions of restore will
correctly restore the file data and then (silently) skip
over the extended attribute data and proceed to the next file.

This resolves PR 93085 which will be closed once the code
has been MFC'ed.

Note that this code will not compile until these header
files have been updated: <protocols/dumprestore.h> and
<sys/extattr.h>.

PR:		bin/93085
Comments from:	Poul-Henning Kamp and Robert Watson
MFC after:	3 weeks
2007-02-26 08:15:56 +00:00
David Malone
0b39291ea2 Dump keeps a bitmap of the state of various inodes, which is sized
to match the number of inodes on the disk. If we find a directory
entry with a crazy inode number in it, don't look beyond the end
of the bitmap to find that inode's state. Instead skip that directory
entry and print a warning.

Reviewed by:	iedowse
MFC after:	3 weeks
2006-04-11 14:45:42 +00:00
Xin LI
0c40596cc0 Make gcc4 happy by making consistent signedness. 2005-05-02 10:00:39 +00:00
Alexander Kabaev
8518a74a8f Avoid casts as lvalues. 2004-07-28 05:59:22 +00:00
Mark Murray
4c723140a4 Remove advertising clause from University of California Regent's license,
per letter dated July 22, 1999.

Approved by: core, imp
2004-04-09 19:58:40 +00:00
Ian Dowse
155ea0634c In mapdirs(), do not use the `dp' inode pointer after searchdir()
has been called, since it points to a shared inode buffer that may
be overwritten. The two cases where `dp' was used incorrectly appear
to have been overlooked when "nodump" inheritance was first added
in revision 1.12.

This is reported to correct propagation of the nodump flag on
directories that are larger than one block in size.

PR:		bin/58912
Submitted by:	Volker Paepcke <vpaepcke@incore.de>
MFC after:	1 week
2003-11-04 14:20:14 +00:00
Kirk McKusick
924a7003b0 Dump is hard-wired to believe that it can read disks on
1024-byte boundaries. For many years this was a reasonable
assumption. However, in recent years we have begun seeing
devices with 2048-byte sectors. These devices return errors
when dump tries to read starting in the middle of a sector
or when it tries to read only the first half of a sector.
Rather than change the native block size used by dump (and
thus create an incompatible dump format), this fix checks
for transfer requests that start and/or end on a non-sector
boundary. When such a read is detected, the new code reads
the entire sector and copies out just the part that dump
needs.

Reviewed by:	Poul-Henning Kamp <phk@critter.freebsd.dk>
Approved by:	re (John Baldwin <jhb@FreeBSD.org>)
Sponsored by:   DARPA & NAI Labs.
2003-05-07 18:27:09 +00:00
Matthew Dillon
5941e412ca Add a caching option to dump. Use -C. Note that NetBSD has a caching option
called -r but it takes 512 byte blocks instead of megabytes, and I felt a
megabytes specification would be far more useful so I did not use the same
option character.

This will *greatly* improve dump performance at the cost of possibly
missing filesystem changes that occur between passes, and does a fairly
good job making up for the loss of buffered block devices.  Caching is disabled
by default to retain historical behavior.

In tests, dump performance improved by about 40% when dumping / or /usr.

Beware that dump forks and the cache may wind up being larger than you
specify, but a more complex shared memory implementation would not produce
results that are all that much better so I kept it simple for now.

MFC after:	3 days
2003-01-13 19:42:41 +00:00
Kirk McKusick
6bfd0bdc80 Correct the estimated block count calculated by dump to account
for the minimal amount of space used by a snapshot.

Sponsored by:   DARPA & NAI Labs.
2002-12-03 05:12:53 +00:00
Kirk McKusick
69becf4a5e Properly handle UFS2 sparsely allocated inodes. The UFS2 filesystem
only preallocates a small number of inodes. The dump program tries
to scan through all the allocated inodes on a filesystem which
causes bad behavior if they have never been allocated. Thus dump
must calculate the set of inodes that have actually been allocated
and scan only those inodes.

Sponsored by:   DARPA & NAI Labs.
2002-12-03 05:10:07 +00:00
Kirk McKusick
be5b142531 Mark snapshots so that dump will dump them as zero length
regular files rather than trying to interpret the snapshot.

Sponsored by:   DARPA & NAI Labs.
2002-11-30 23:28:22 +00:00
Mike Barcroft
89fdc4e117 Use the standardized CHAR_BIT constant instead of NBBY in userland. 2002-09-25 04:06:37 +00:00
Philippe Charnier
7fed38d0a0 Replace various spelling with FALLTHROUGH which is lint()able 2002-08-25 13:10:45 +00:00
Tom Rhodes
ce66ddb763 s/filesystem/file system/g as discussed on -developers 2002-08-21 18:11:48 +00:00
Kirk McKusick
fb36a3d847 Change utimes to set the file creation time (for filesystems that
support creation times such as UFS2) to the value of the
modification time if the value of the modification time is older
than the current creation time. See utimes(2) for further details.

Sponsored by:	DARPA & NAI Labs.
2002-07-17 02:03:19 +00:00
Ian Dowse
7680e41ce2 Oops, the previous revision (1.22) introduced a potential alignment
issue, since the MAXBSIZE-sized buffers are accessed as arrays of
block pointers, but were declared as char[] arrays. Use a union to
avoid this, which also makes a number of casts unnecessary.

Pointed out by:	bde
Reviewed by:		bde
2002-07-08 23:53:21 +00:00
Ian Dowse
1e0276afb3 Use a fixed MAXBSIZE-size auto array instead of a static pointer
to a malloc'd buffer in dmpindir() and dirindir(). These functions
recursively call themselves to handle deeper levels of indirect
blocks, so a single static buffer was not suitable.

Bug tracked down by:	Don Lewis <dl-freebsd@catspoiler.org>
Approach suggested by:	bde
2002-07-08 01:25:54 +00:00
Ian Dowse
617dbd3c84 Replace the use of %qd with intmax_t/%jd and fix a number of -Wall
and -Wformat warnings:
 o Include timeconv.h for the time conversion functions.
 o Remove unused variables.
 o Correct a few cases where %d was used when printing longs.
2002-07-08 00:29:23 +00:00
Ian Dowse
325167c3a5 Fix some printf format errors.
Submitted by:	Don Lewis <dl-freebsd@catspoiler.org>
2002-07-07 12:30:20 +00:00
Kirk McKusick
1c85e6a35d This commit adds basic support for the UFS2 filesystem. The UFS2
filesystem expands the inode to 256 bytes to make space for 64-bit
block pointers. It also adds a file-creation time field, an ability
to use jumbo blocks per inode to allow extent like pointer density,
and space for extended attributes (up to twice the filesystem block
size worth of attributes, e.g., on a 16K filesystem, there is space
for 32K of attributes). UFS2 fully supports and runs existing UFS1
filesystems. New filesystems built using newfs can be built in either
UFS1 or UFS2 format using the -O option. In this commit UFS1 is
the default format, so if you want to build UFS2 format filesystems,
you must specify -O 2. This default will be changed to UFS2 when
UFS2 proves itself to be stable. In this commit the boot code for
reading UFS2 filesystems is not compiled (see /sys/boot/common/ufsread.c)
as there is insufficient space in the boot block. Once the size of the
boot block is increased, this code can be defined.

Things to note: the definition of SBSIZE has changed to SBLOCKSIZE.
The header file <ufs/ufs/dinode.h> must be included before
<ufs/ffs/fs.h> so as to get the definitions of ufs2_daddr_t and
ufs_lbn_t.

Still TODO:
Verify that the first level bootstraps work for all the architectures.
Convert the utility ffsinfo to understand UFS2 and test growfs.
Add support for the extended attribute storage. Update soft updates
to ensure integrity of extended attribute storage. Switch the
current extended attribute interfaces to use the extended attribute
storage. Add the extent like functionality (framework is there,
but is currently never used).

Sponsored by: DARPA & NAI Labs.
Reviewed by:	Poul-Henning Kamp <phk@freebsd.org>
2002-06-21 06:18:05 +00:00
Poul-Henning Kamp
d266a28647 s/daddr_t/ufs_daddr_t/g
This should fix the issues which cropped up after daddr_t grew up.

Sponsored by:	DARPA & NAI Labs.
2002-06-06 19:59:46 +00:00
Warner Losh
2db673ab00 o remove __P
o Use ANSI function definitions
o unifdef -D__STDC__
2002-03-20 22:49:40 +00:00
David E. O'Brien
016298551c Files in subdirectories of directories that have the nodump flag set
are sometimes incorrectly being dumped.

The problem arises because the subdirectory only gets its entry
cleared from usedinomap if it is also present in dumpinomap, and it is
the absence of a directory in usedinomap that internally indicates
that the directory is under the effects of UF_NODUMP (either directly
or inherited).

PR:		32414
Submitted by:	David C Lawrence <tale@dd.org>
2001-12-05 20:42:52 +00:00
Ian Dowse
d2334e27e9 Zap a number of #ifdef sunos blocks, and all of the `register'
keywords.
2001-11-17 00:06:55 +00:00
Mike Heffner
be1bf707c9 Convert two instances of a lseek()+read() combination to a pread().
PR:		bin/17640
MFC after:	2 weeks
2001-07-01 04:46:20 +00:00
Jordan K. Hubbard
2c8094f344 Fix bogon with the nodump flag.
Submitted by:	Dima Dorfman <dima@unixfreak.org>
2001-04-19 01:39:27 +00:00
David E. O'Brien
801382fa98 Support inheritance of the "nodump" flag down a hierarchy.
Submitted by:	Dima Dorfman <dima@unixfreak.org>
Obtained from:	NetBSD
2001-03-03 11:35:50 +00:00
Warner Losh
37736675d1 Add include of errno.h where needed, remove extern int errno where not.
These commits were inspired by a similar commit to netbsd.
2000-04-14 06:15:01 +00:00
Peter Wemm
7f3dea244c $Id$ -> $FreeBSD$ 1999-08-28 00:22:10 +00:00
Bill Fumerola
16c4e40827 Fix nested if/else within an if 1999-07-08 22:27:00 +00:00
Dima Ruban
97b465b142 64bit fixes.
(Note: ``dump'' doesn't work on alpha yet. Apparently there's a problem
somewhere in the physio() area)

Submitted by:	myself && Matt Dillon.
1998-10-27 04:01:19 +00:00
Philippe Charnier
7580ffbbbd Correct use of .Nm. Add rcsid. Remove unused #includes. 1998-06-15 06:58:13 +00:00
Peter Wemm
a37c38b8d8 Merge Lite2 changes (rather bigish, the dump/restore folks should check) 1997-03-11 12:09:50 +00:00