Verify embedded blkptr's in arc_read() #12535

behlendorf · 2021-09-02T23:59:42Z

Motivation and Context

When attempting to recover a pool it was determined that it
somehow contained at least one damaged embedded block
pointer. Since this blkptr was always accessed during import
it effectively prevented the pool from being imported. By
detecting the damaged embedded block pointer and treating
it as a normal checksum error it was possible to import and
recover the pool.

Description

The block pointer verification check in arc_read() should also
cover embedded block pointers. While highly unlikely, accessing
a damaged block pointer can result in panic. To further harden
the code extend the existing check to include embedded block
pointers and add a comment explaining the rational for this
sanity check.

How Has This Been Tested?

Used to recover a pool which contained a damaged blkptr which
was protected by a valid checksum.

Types of changes

Bug fix (non-breaking change which fixes an issue)
New feature (non-breaking change which adds functionality)
Performance enhancement (non-breaking change which improves efficiency)
Code cleanup (non-breaking change which makes code smaller or more readable)
Breaking change (fix or feature that would cause existing functionality to change)
Library ABI change (libzfs, libzfs_core, libnvpair, libuutil and libzfsbootenv)
Documentation (a change to man pages or other documentation)

Checklist:

My code follows the OpenZFS code style requirements.
I have updated the documentation accordingly.
I have read the contributing document.
I have added tests to cover my changes.
I have run the ZFS Test Suite with this change applied.
All commit messages are properly formatted and contain Signed-off-by.

behlendorf · 2021-09-03T00:00:01Z

cc: @tcaputi would you mind reviewing this.

ahrens

This seems fine. However, I took a look at zfs_blkptr_verify() and I don't understand this code:

	 * Do not verify individual DVAs if the config is not trusted. This
	 * will be done once the zio is executed in vdev_mirror_map_alloc.
	 */
	if (!spa->spa_trust_config)
		return (B_TRUE);

Shouldn't it be returning errors == 0, so that we are checking the non-pool-specific parts of the BP?

module/zfs/arc.c

behlendorf · 2021-09-07T17:11:22Z

Shouldn't it be returning errors == 0, so that we are checking the non-pool-specific parts of the BP?

Good catch. Yes, it looks like this case was missed when commit bc67cba updated zfs_blkptr_verify to return if there was an error or not. I've included a fix for this in the updated PR.

The block pointer verification check in arc_read() should also cover embedded block pointers. While highly unlikely, accessing a damaged block pointer can result in panic. To further harden the code extend the existing check to include embedded block pointers and add a comment explaining the rational for this sanity check. Lastly, correct a flaw in zfs_blkptr_verify() so the error count is checked even when checking a untrusted config to verify the non-pool-specific portions of a block pointer. Signed-off-by: Brian Behlendorf <[email protected]>

tonynguien

Looks good to me.

The block pointer verification check in arc_read() should also cover embedded block pointers. While highly unlikely, accessing a damaged block pointer can result in panic. To further harden the code extend the existing check to include embedded block pointers and add a comment explaining the rational for this sanity check. Lastly, correct a flaw in zfs_blkptr_verify() so the error count is checked even when checking a untrusted config to verify the non-pool-specific portions of a block pointer. Reviewed-by: Matthew Ahrens <[email protected]> Reviewed-by: Tony Nguyen <[email protected]> Signed-off-by: Brian Behlendorf <[email protected]> Closes openzfs#12535

behlendorf added the Status: Code Review Needed Ready for review and testing label Sep 2, 2021

ahrens approved these changes Sep 3, 2021

View reviewed changes

ceedriic reviewed Sep 7, 2021

View reviewed changes

module/zfs/arc.c Outdated Show resolved Hide resolved

behlendorf force-pushed the verify-blkptr branch from 8a0d3eb to dcb7ed6 Compare September 7, 2021 17:08

behlendorf force-pushed the verify-blkptr branch from dcb7ed6 to f273b75 Compare September 8, 2021 20:04

behlendorf assigned tonynguien Sep 8, 2021

behlendorf force-pushed the verify-blkptr branch from f273b75 to a9d9a26 Compare September 9, 2021 17:53

tonynguien approved these changes Sep 9, 2021

View reviewed changes

tonynguien added Status: Accepted Ready to integrate (reviewed, tested) and removed Status: Code Review Needed Ready for review and testing labels Sep 9, 2021

tonynguien merged commit b9ec4a1 into openzfs:master Sep 10, 2021

behlendorf mentioned this pull request Feb 25, 2022

Kernel panics on pool import #13124

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Verify embedded blkptr's in arc_read() #12535

Verify embedded blkptr's in arc_read() #12535

Uh oh!

behlendorf commented Sep 2, 2021

Uh oh!

behlendorf commented Sep 3, 2021

Uh oh!

ahrens left a comment

Uh oh!

Uh oh!

behlendorf commented Sep 7, 2021

Uh oh!

tonynguien left a comment

Uh oh!

Uh oh!

Verify embedded blkptr's in arc_read() #12535

Verify embedded blkptr's in arc_read() #12535

Uh oh!

Conversation

behlendorf commented Sep 2, 2021

Motivation and Context

Description

How Has This Been Tested?

Types of changes

Checklist:

Uh oh!

behlendorf commented Sep 3, 2021

Uh oh!

ahrens left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

behlendorf commented Sep 7, 2021

Uh oh!

tonynguien left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!