Fix errata #4 handling for resuming streams

Currently, the handling for errata #4 has two issues which allow the checks for this issue to be bypassed using resumable sends. The first issue is that drc->drc_fromsnapobj is not set in the resuming code as it is in the non-resuming code. This causes dsl_crypto_recv_key_check() to skip its checks for the from_ivset_guid. The second issue is that resumable sends do not clean up their on-disk state if they fail the checks in dmu_recv_stream() that happen before any data is received. As a result of these two bugs, a user can attempt a resumable send of a dataset without a from_ivset_guid. This will fail the initial dmu_recv_stream() checks, leaving a valid resume state. The send can then be resumed, which skips those checks, allowing the receive to be completed. This commit fixes these issues by setting drc->drc_fromsnapobj in the resuming receive path and by ensuring that resumablereceives are properly cleaned up if they fail the initial dmu_recv_stream() checks. Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Signed-off-by: Tom Caputi <tcaputi@datto.com> Closes #9818 Closes #9829
2025-04-06 17:49:11 +03:00 · 2020-01-14 15:25:20 -05:00 · 2020-01-14 15:25:20 -05:00 · 61152d1069
commit 61152d1069
parent f744f36ce5
2 changed files with 14 additions and 1 deletions
--- a/include/sys/dmu_recv.h
+++ b/include/sys/dmu_recv.h
@ -49,6 +49,7 @@ typedef struct dmu_recv_cookie {
 	uint64_t drc_featureflags;
 	boolean_t drc_force;
 	boolean_t drc_resumable;
+	boolean_t drc_should_save;
 	boolean_t drc_raw;
 	boolean_t drc_clone;
 	boolean_t drc_spill;
--- a/module/zfs/dmu_recv.c
+++ b/module/zfs/dmu_recv.c
@ -1018,6 +1018,9 @@ dmu_recv_resume_begin_check(void *arg, dmu_tx_t *tx)
 		return (SET_ERROR(EINVAL));
 	}

+	if (ds->ds_prev != NULL)
+		drc->drc_fromsnapobj = ds->ds_prev->ds_object;
+
 	/*
 	 * If we're resuming, and the send is redacted, then the original send
 	 * must have been redacted, and must have been redacted with respect to
@ -1092,6 +1095,7 @@ dmu_recv_resume_begin_sync(void *arg, dmu_tx_t *tx)
 	rrw_exit(&ds->ds_bp_rwlock, FTAG);

 	drba->drba_cookie->drc_ds = ds;
+	drba->drba_cookie->drc_should_save = B_TRUE;

 	spa_history_log_internal_ds(ds, "resume receive", tx, " ");
 }
@ -2068,7 +2072,8 @@ dmu_recv_cleanup_ds(dmu_recv_cookie_t *drc)
 	ds->ds_objset->os_raw_receive = B_FALSE;

 	rrw_enter(&ds->ds_bp_rwlock, RW_READER, FTAG);
-	if (drc->drc_resumable && !BP_IS_HOLE(dsl_dataset_get_blkptr(ds))) {
+	if (drc->drc_resumable && drc->drc_should_save &&
+	    !BP_IS_HOLE(dsl_dataset_get_blkptr(ds))) {
 		rrw_exit(&ds->ds_bp_rwlock, FTAG);
 		dsl_dataset_disown(ds, dsflags, dmu_recv_tag);
 	} else {
@ -2738,6 +2743,13 @@ dmu_recv_stream(dmu_recv_cookie_t *drc, int cleanup_fd,
 			goto out;
 	}

+	/*
+	 * If we failed before this point we will clean up any new resume
+	 * state that was created. Now that we've gotten past the initial
+	 * checks we are ok to retain that resume state.
+	 */
+	drc->drc_should_save = B_TRUE;
+
 	(void) bqueue_init(&rwa->q, zfs_recv_queue_ff,
 	    MAX(zfs_recv_queue_length, 2 * zfs_max_recordsize),
 	    offsetof(struct receive_record_arg, node));