osdc/Journaler: validate header on load and save

Previously if the journal header contained invalid
write, expire or trimmed offsets, we would end up
hitting a hard-to-understand assertion much later.

Instead, raise the error right away if the fields
are identifiably bad at load time, and assert that
they're valid before persisting them.

Signed-off-by: John Spray <john.spray@redhat.com>

diff --git a/src/osdc/Journaler.cc b/src/osdc/Journaler.cc
index 941fe41b217d7d44260769c3f487c02d4f1eccf5..94a7fd2a25599f52355f5e6b283fb1830656e650 100644 (file)
--- a/src/osdc/Journaler.cc
+++ b/src/osdc/Journaler.cc
@@ -216,9 +216,17 @@ void Journaler::_finish_read_head(int r, bufferlist& bl)
   bufferlist::iterator p = bl.begin();
   ::decode(h, p);
 
+  bool corrupt = false;
   if (h.magic != magic) {
     ldout(cct, 0) << "on disk magic '" << h.magic << "' != my magic '"
            << magic << "'" << dendl;
+    corrupt = true;
+  } else if (h.write_pos < h.expire_pos || h.expire_pos < h.trimmed_pos) {
+    ldout(cct, 0) << "Corrupt header (bad offsets): " << h << dendl;
+    corrupt = true;
+  }
+
+  if (corrupt) {
     list<Context*> ls;
     ls.swap(waitfor_recover);
     finish_contexts(cct, ls, -EINVAL);
@@ -349,6 +357,10 @@ void Journaler::write_head(Context *oncommit)
   last_written.stream_format = stream_format;
   ldout(cct, 10) << "write_head " << last_written << dendl;
   
+  // Avoid persisting bad pointers in case of bugs
+  assert(last_written.write_pos >= last_written.expire_pos);
+  assert(last_written.expire_pos >= last_written.trimmed_pos);
+
   last_wrote_head = ceph_clock_now(cct);
 
   bufferlist bl;