The goal of this change is to prevent accidental foot shooting by
folks running filesystems created on check-hash enabled kernels
(which I will call "new") on non-check-hash enabled kernels (which
I will call "old"). The idea here is to detect when a filesystem is
run on an old kernel and flag the filesystem so that when it gets
moved back to a new kernel, it will not start getting a slew of
check-hash errors.

Back when the UFS version 2 filesystem was created, it added a file
flag FS_INDEXDIRS that was to be set on any filesystem that kept
some sort of on-disk indexing for directories. The idea was precisely
to solve the issue we have today. Specifically that a newer kernel
that supported indexing would be able to tell that the filesystem
had been run on an older non-indexing kernel and that the indexes
should not be used until they had been rebuilt. Since we have never
implemented on-disk directory indicies, the FS_INDEXDIRS flag is
cleared every time any UFS version 2 filesystem ever created is
mounted for writing.

This commit repurposes the FS_INDEXDIRS flag as the FS_METACKHASH
flag. Thus, the FS_METACKHASH is definitively known to have always
been cleared. The FS_INDEXDIRS flag has been moved to a new block
of flags that will always be cleared starting with this commit
(until they get used to implement some future feature which needs
to detect that the filesystem was mounted on a kernel that predates
the new feature).

If a filesystem with check-hashes enabled is mounted on an old
kernel the FS_METACKHASH flag is cleared. When that filesystem is
mounted on a new kernel it will see that the FS_METACKHASH has been
cleared and clears all of the fs_metackhash flags. To get them
re-enabled the user must run fsck (in interactive mode without the
-y flag) which will ask for each supported check hash whether it
should be rebuilt and enabled. When fsck is run in its default preen
mode, it will just ignore the check hashes so they will remain
disabled.

The kernel has always disabled any check hash functions that it
does not support, so as more types of check hashes are added, we
will get a non-surprising result. Specifically if filesystems get
moved to kernels supporting fewer of the check hashes, those that
are not supported will be disabled. If the filesystem is moved back
to a kernel with more of the check-hashes available and fsck is run
interactively to rebuild them, then their checking will resume.
Otherwise just the smaller subset will be checked.

A side effect of this commit is that filesystems running with
cylinder-group check hashes will stop having them checked until
fsck is run to re-enable them (since none of them currently have
the FS_METACKHASH flag set). So, if you want check hashes enabled
on your filesystems after booting a kernel with these changes, you
need to run fsck to enable them. Any newly created filesystems will
have check hashes enabled. If in doubt as to whether you have check
hashes emabled, run dumpfs and look at the list of enabled flags
at the end of the superblock details.
Kirk McKusick 2018-02-08 23:06:58 +00:00
parent 11421c37f0
commit 068beacf21
5 changed files with 71 additions and 46 deletions


@ -257,9 +257,9 @@ dumpfs(const char *name)
if (fsflags & FS_DOSOFTDEP)
printf("soft-updates%s ", (fsflags & FS_SUJ) ? "+journal" : "");
if (fsflags & FS_NEEDSFSCK)
printf("needs fsck run ");
printf("needs-fsck-run ");
if (fsflags & FS_INDEXDIRS)
printf("indexed directories ");
printf("indexed-directories ");
if (fsflags & FS_ACLS)
printf("acls ");
if (fsflags & FS_MULTILABEL)
@ -267,31 +267,33 @@ dumpfs(const char *name)
if (fsflags & FS_GJOURNAL)
printf("gjournal ");
if (fsflags & FS_FLAGS_UPDATED)
printf("fs_flags expanded ");
printf("fs_flags-expanded ");
if (fsflags & FS_NFS4ACLS)
printf("nfsv4acls ");
if (fsflags & FS_TRIM)
printf("trim ");
fsflags &= ~(FS_UNCLEAN | FS_DOSOFTDEP | FS_NEEDSFSCK | FS_INDEXDIRS |
fsflags &= ~(FS_UNCLEAN | FS_DOSOFTDEP | FS_NEEDSFSCK | FS_METACKHASH |
FS_ACLS | FS_MULTILABEL | FS_GJOURNAL | FS_FLAGS_UPDATED |
FS_NFS4ACLS | FS_SUJ | FS_TRIM);
FS_NFS4ACLS | FS_SUJ | FS_TRIM | FS_INDEXDIRS);
if (fsflags != 0)
printf("unknown flags (%#x)", fsflags);
printf("unknown-flags (%#x)", fsflags);
putchar('\n');
printf("check hashes\t");
fsflags = afs.fs_metackhash;
if (fsflags == 0)
printf("none");
if (fsflags & CK_SUPERBLOCK)
printf("superblock ");
if (fsflags & CK_CYLGRP)
printf("cylinder-groups ");
if (fsflags & CK_INODE)
printf("inodes ");
if (fsflags & CK_INDIR)
printf("indirect-blocks ");
if (fsflags & CK_DIR)
printf("directories ");
if (afs.fs_flags & FS_METACKHASH) {
printf("check hashes\t");
fsflags = afs.fs_metackhash;
if (fsflags == 0)
printf("none");
if (fsflags & CK_SUPERBLOCK)
printf("superblock ");
if (fsflags & CK_CYLGRP)
printf("cylinder-groups ");
if (fsflags & CK_INODE)
printf("inodes ");
if (fsflags & CK_INDIR)
printf("indirect-blocks ");
if (fsflags & CK_DIR)
printf("directories ");
}
fsflags &= ~(CK_SUPERBLOCK | CK_CYLGRP | CK_INODE | CK_INDIR | CK_DIR);
if (fsflags != 0)
printf("unknown flags (%#x)", fsflags);
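Review bot: In the second hunk the closing brace of the new `if (afs.fs_flags & FS_METACKHASH) {` block comes before `fsflags &= ~(CK_SUPERBLOCK | CK_CYLGRP | CK_INODE | CK_INDIR | CK_DIR);`, so when the flag is clear `fsflags` still holds whatever was left over from the fs_flags report above. Any leftover fs_flags bit that is not one of the CK_* values is then printed a second time as `unknown flags (...)` with no `check hashes` label in front of it, which is misleading on exactly the filesystems whose hashes were disabled. Moving the mask and the `if (fsflags != 0) printf("unknown flags (%#x)", fsflags);` pair inside the braces keeps the check-hash report self-contained. The visible lines also add FS_METACKHASH to the known-flags mask without a matching printf in the flags list; if none exists elsewhere in the function, a line such as `if (fsflags & FS_METACKHASH) printf("metadata-check-hashes ");` would let an administrator see the flag directly. dumpfs() begins and ends outside these hunks.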


@ -37,7 +37,6 @@ static const char sccsid[] = "@(#)pass5.c 8.9 (Berkeley) 4/28/95";
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#define IN_RTLD /* So we pickup the P_OSREL defines */
#include <sys/param.h>
#include <sys/sysctl.h>
@ -63,7 +62,7 @@ pass5(void)
int inomapsize, blkmapsize;
struct fs *fs = &sblock;
ufs2_daddr_t d, dbase, dmax, start;
int rewritecg = 0, cgckadd = 0;
int rewritecg = 0;
struct csum *cs;
struct csum_total cstotal;
struct inodesc idesc[3];
@ -74,13 +73,10 @@ pass5(void)
inoinfo(UFS_WINO)->ino_state = USTATE;
memset(newcg, 0, (size_t)fs->fs_cgsize);
newcg->cg_niblk = fs->fs_ipg;
if (preen == 0 && yflag == 0 && fs->fs_magic == FS_UFS2_MAGIC &&
fswritefd != -1 && (fs->fs_metackhash & CK_CYLGRP) == 0 &&
getosreldate() >= P_OSREL_CK_CYLGRP &&
reply("ADD CYLINDER GROUP CHECKSUM PROTECTION") != 0) {
/* check to see if we are to add a cylinder group check hash */
if ((ckhashadd & CK_CYLGRP) != 0) {
fs->fs_metackhash |= CK_CYLGRP;
rewritecg = 1;
cgckadd = 1;
sbdirty();
}
if (cvtlevel >= 3) {
@ -178,14 +174,20 @@ pass5(void)
cg = cgbp->b_un.b_cg;
if (!cg_chkmagic(cg))
pfatal("CG %d: BAD MAGIC NUMBER\n", c);
if ((fs->fs_metackhash & CK_CYLGRP) != 0 && cgckadd == 0) {
/*
* If we have a cylinder group check hash and are not adding
* it for the first time, verify that it is good.
*/
if ((fs->fs_metackhash & CK_CYLGRP) != 0 &&
(ckhashadd & CK_CYLGRP) == 0) {
uint32_t ckhash, thishash;
ckhash = cg->cg_ckhash;
cg->cg_ckhash = 0;
thishash = calculate_crc32c(~0L, cg, fs->fs_cgsize);
if (ckhash != thishash)
pwarn("CG %d: BAD CHECKSUM %#x vs %#x", c, ckhash, thishash);
pwarn("CG %d: BAD CHECK-HASH %#x vs %#x",
c, ckhash, thishash);
cg->cg_ckhash = ckhash;
}
newcg->cg_time = cg->cg_time;
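Review bot: The add path in the second hunk, `if ((ckhashadd & CK_CYLGRP) != 0)`, turns on CK_CYLGRP in fs_metackhash, but none of the visible lines set FS_METACKHASH in fs_flags. The mount code changed in this same commit zeroes fs_metackhash whenever that flag is clear, so unless the flag is set wherever ckhashadd is computed (not shown on this page), the hash enabled here would be dropped again at the next mount. Either add `fs->fs_flags |= FS_METACKHASH;` next to `fs->fs_metackhash |= CK_CYLGRP;` or extend the new comment to say where the flag is set. The removed condition also tested `fs->fs_magic == FS_UFS2_MAGIC` and `fswritefd != -1`; a sentence in the comment stating that ckhashadd is only non-zero when those hold would make that dependency visible. pass5() starts before and continues past these hunks.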


@ -489,9 +489,15 @@ mkfs(struct partition *pp, char *fsys)
}
/*
* Set flags for metadata that is being check-hashed.
*
* Metadata check hashes are not supported in the UFS version 1
* filesystem to keep it as small and simple as possible.
*/
if (Oflag > 1 && getosreldate() >= P_OSREL_CK_CYLGRP)
sblock.fs_metackhash = CK_CYLGRP;
if (Oflag > 1) {
sblock.fs_flags |= FS_METACKHASH;
if (getosreldate() >= P_OSREL_CK_CYLGRP)
sblock.fs_metackhash = CK_CYLGRP;
}
/*
* Dump out summary information about file system.
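Review bot: The comment above `if (Oflag > 1) {` does not say why FS_METACKHASH is set unconditionally while CK_CYLGRP still depends on `getosreldate() >= P_OSREL_CK_CYLGRP`. A reader could take the flag to mean that hashes are active, when on an older running kernel fs_metackhash is not assigned here at all. I would add a line such as `* FS_METACKHASH only records that check-hash aware code last wrote the filesystem; fs_metackhash says which hashes are in use.`, assuming that matches the intent stated in the commit description. mkfs() starts and ends outside the hunk.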


@ -809,10 +809,12 @@ ffs_mountfs(devvp, mp, td)
if ((error = ffs_sbget(devvp, &fs, -1, M_UFSMNT, ffs_use_bread)) != 0)
goto out;
fs->fs_fmod = 0;
/* none of these types of check-hashes are maintained */
/* if we ran on a kernel without metadata check hashes, disable them */
if ((fs->fs_flags & FS_METACKHASH) == 0)
fs->fs_metackhash = 0;
/* none of these types of check-hashes are maintained by this kernel */
fs->fs_metackhash &= ~(CK_SUPERBLOCK | CK_INODE | CK_INDIR | CK_DIR);
/* no support for directory indices or any other undefined flags */
fs->fs_flags &= ~FS_INDEXDIRS;
/* no support for any undefined flags */
fs->fs_flags &= FS_SUPPORTED;
fs->fs_flags &= ~FS_UNCLEAN;
if (fs->fs_clean == 0) {
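Review bot: The new `if ((fs->fs_flags & FS_METACKHASH) == 0) fs->fs_metackhash = 0;` drops integrity checking silently, so nothing tells the administrator that a filesystem which had cylinder-group check hashes is now mounted without them. Since the commit description expects this to happen to every existing check-hashed filesystem, I would guard a console message with `if ((fs->fs_flags & FS_METACKHASH) == 0 && fs->fs_metackhash != 0)` and print something like `printf("WARNING: %s: metadata check hashes disabled, run fsck to re-enable\n", fs->fs_fsmnt);` (or whichever mount name the neighbouring warnings use) before clearing the field. Separately, the comment `/* no support for any undefined flags */` is broader than the code: FS_SUPPORTED is 0x00FFFFFF in the header change, so the unassigned bits from 0x00000800 to 0x00800000 are kept and only the top eight bits are cleared. ffs_mountfs() starts before and continues past the hunk.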


@ -433,18 +433,31 @@ CTASSERT(sizeof(struct fs) == 1376);
* labels into extended attributes on the file system rather than maintain
* a single mount label for all objects.
*/
#define FS_UNCLEAN 0x0001 /* filesystem not clean at mount */
#define FS_DOSOFTDEP 0x0002 /* filesystem using soft dependencies */
#define FS_NEEDSFSCK 0x0004 /* filesystem needs sync fsck before mount */
#define FS_SUJ 0x0008 /* Filesystem using softupdate journal */
#define FS_ACLS 0x0010 /* file system has POSIX.1e ACLs enabled */
#define FS_MULTILABEL 0x0020 /* file system is MAC multi-label */
#define FS_GJOURNAL 0x0040 /* gjournaled file system */
#define FS_FLAGS_UPDATED 0x0080 /* flags have been moved to new location */
#define FS_NFS4ACLS 0x0100 /* file system has NFSv4 ACLs enabled */
#define FS_INDEXDIRS 0x0200 /* kernel supports indexed directories */
#define FS_TRIM 0x0400 /* issue BIO_DELETE for deleted blocks */
#define FS_SUPPORTED 0xFFFF /* supported flags, others cleared at mount */
#define FS_UNCLEAN 0x00000001 /* filesystem not clean at mount */
#define FS_DOSOFTDEP 0x00000002 /* filesystem using soft dependencies */
#define FS_NEEDSFSCK 0x00000004 /* filesystem needs sync fsck before mount */
#define FS_SUJ 0x00000008 /* Filesystem using softupdate journal */
#define FS_ACLS 0x00000010 /* file system has POSIX.1e ACLs enabled */
#define FS_MULTILABEL 0x00000020 /* file system is MAC multi-label */
#define FS_GJOURNAL 0x00000040 /* gjournaled file system */
#define FS_FLAGS_UPDATED 0x0000080 /* flags have been moved to new location */
#define FS_NFS4ACLS 0x00000100 /* file system has NFSv4 ACLs enabled */
#define FS_METACKHASH 0x00000200 /* kernel supports metadata check hashes */
#define FS_TRIM 0x00000400 /* issue BIO_DELETE for deleted blocks */
#define FS_SUPPORTED 0x00FFFFFF /* supported flags, others cleared at mount*/
/*
* Things that we may someday support, but currently do not.
* These flags are all cleared so we know if we ran on a kernel
* that does not support them.
*/
#define FS_INDEXDIRS 0x01000000 /* kernel supports indexed directories */
#define FS_VARBLKSIZE 0x02000000 /* kernel supports variable block sizes */
#define FS_COOLOPT1 0x04000000 /* kernel supports cool option 1 */
#define FS_COOLOPT2 0x08000000 /* kernel supports cool option 2 */
#define FS_COOLOPT3 0x10000000 /* kernel supports cool option 3 */
#define FS_COOLOPT4 0x20000000 /* kernel supports cool option 4 */
#define FS_COOLOPT5 0x40000000 /* kernel supports cool option 5 */
#define FS_COOLOPT6 0x80000000 /* kernel supports cool option 6 */
/*
* The fs_metackhash field indicates the types of metadata check-hash