1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * Copyright (c) 2000-2005 Silicon Graphics, Inc.
4 * All Rights Reserved.
5 */
6 #include "xfs_platform.h"
7 #include "xfs_fs.h"
8 #include "xfs_shared.h"
9 #include "xfs_format.h"
10 #include "xfs_log_format.h"
11 #include "xfs_trans_resv.h"
12 #include "xfs_sb.h"
13 #include "xfs_mount.h"
14 #include "xfs_trans.h"
15 #include "xfs_error.h"
16 #include "xfs_alloc.h"
17 #include "xfs_fsops.h"
18 #include "xfs_trans_space.h"
19 #include "xfs_log.h"
20 #include "xfs_log_priv.h"
21 #include "xfs_ag.h"
22 #include "xfs_ag_resv.h"
23 #include "xfs_trace.h"
24 #include "xfs_rtalloc.h"
25 #include "xfs_rtrmap_btree.h"
26 #include "xfs_rtrefcount_btree.h"
27 #include "xfs_metafile.h"
28 #include "xfs_healthmon.h"
29
30 #include <linux/fserror.h>
31
32 /*
33 * Write new AG headers to disk. Non-transactional, but need to be
34 * written and completed prior to the growfs transaction being logged.
35 * To do this, we use a delayed write buffer list and wait for
36 * submission and IO completion of the list as a whole. This allows the
37 * IO subsystem to merge all the AG headers in a single AG into a single
38 * IO and hide most of the latency of the IO from us.
39 *
40 * This also means that if we get an error whilst building the buffer
41 * list to write, we can cancel the entire list without having written
42 * anything.
43 */
44 static int
xfs_resizefs_init_new_ags(struct xfs_trans * tp,struct aghdr_init_data * id,xfs_agnumber_t oagcount,xfs_agnumber_t nagcount,xfs_rfsblock_t delta,struct xfs_perag * last_pag,bool * lastag_extended)45 xfs_resizefs_init_new_ags(
46 struct xfs_trans *tp,
47 struct aghdr_init_data *id,
48 xfs_agnumber_t oagcount,
49 xfs_agnumber_t nagcount,
50 xfs_rfsblock_t delta,
51 struct xfs_perag *last_pag,
52 bool *lastag_extended)
53 {
54 struct xfs_mount *mp = tp->t_mountp;
55 xfs_rfsblock_t nb = mp->m_sb.sb_dblocks + delta;
56 int error;
57
58 *lastag_extended = false;
59
60 INIT_LIST_HEAD(&id->buffer_list);
61 for (id->agno = nagcount - 1;
62 id->agno >= oagcount;
63 id->agno--, delta -= id->agsize) {
64
65 if (id->agno == nagcount - 1)
66 id->agsize = nb - (id->agno *
67 (xfs_rfsblock_t)mp->m_sb.sb_agblocks);
68 else
69 id->agsize = mp->m_sb.sb_agblocks;
70
71 error = xfs_ag_init_headers(mp, id);
72 if (error) {
73 xfs_buf_delwri_cancel(&id->buffer_list);
74 return error;
75 }
76 }
77
78 error = xfs_buf_delwri_submit(&id->buffer_list);
79 if (error)
80 return error;
81
82 if (delta) {
83 *lastag_extended = true;
84 error = xfs_ag_extend_space(last_pag, tp, delta);
85 }
86 return error;
87 }
88
89 /*
90 * growfs operations
91 */
92 static int
xfs_growfs_data_private(struct xfs_mount * mp,struct xfs_growfs_data * in)93 xfs_growfs_data_private(
94 struct xfs_mount *mp, /* mount point for filesystem */
95 struct xfs_growfs_data *in) /* growfs data input struct */
96 {
97 xfs_agnumber_t oagcount = mp->m_sb.sb_agcount;
98 xfs_rfsblock_t nb = in->newblocks;
99 struct xfs_buf *bp;
100 int error;
101 xfs_agnumber_t nagcount;
102 xfs_agnumber_t nagimax = 0;
103 int64_t delta;
104 bool lastag_extended = false;
105 struct xfs_trans *tp;
106 struct aghdr_init_data id = {};
107 struct xfs_perag *last_pag;
108
109 error = xfs_sb_validate_fsb_count(&mp->m_sb, nb);
110 if (error)
111 return error;
112
113 if (nb > mp->m_sb.sb_dblocks) {
114 error = xfs_buf_read_uncached(mp->m_ddev_targp,
115 XFS_FSB_TO_BB(mp, nb) - XFS_FSS_TO_BB(mp, 1),
116 XFS_FSS_TO_BB(mp, 1), &bp, NULL);
117 if (error)
118 return error;
119 xfs_buf_relse(bp);
120 }
121
122 /* Make sure the new fs size won't cause problems with the log. */
123 error = xfs_growfs_check_rtgeom(mp, nb, mp->m_sb.sb_rblocks,
124 mp->m_sb.sb_rextsize);
125 if (error)
126 return error;
127 xfs_growfs_compute_deltas(mp, nb, &delta, &nagcount);
128
129 /*
130 * Reject filesystems with a single AG because they are not
131 * supported, and reject a shrink operation that would cause a
132 * filesystem to become unsupported.
133 */
134 if (delta < 0 && nagcount < 2)
135 return -EINVAL;
136
137 /* No work to do */
138 if (delta == 0)
139 return 0;
140
141 /* TODO: shrinking the entire AGs hasn't yet completed */
142 if (nagcount < oagcount)
143 return -EINVAL;
144
145 /* allocate the new per-ag structures */
146 error = xfs_initialize_perag(mp, oagcount, nagcount, nb, &nagimax);
147 if (error)
148 return error;
149
150 if (delta > 0)
151 error = xfs_trans_alloc(mp, &M_RES(mp)->tr_growdata,
152 XFS_GROWFS_SPACE_RES(mp), 0, XFS_TRANS_RESERVE,
153 &tp);
154 else
155 error = xfs_trans_alloc(mp, &M_RES(mp)->tr_growdata, -delta, 0,
156 0, &tp);
157 if (error)
158 goto out_free_unused_perag;
159
160 last_pag = xfs_perag_get(mp, oagcount - 1);
161 if (delta > 0) {
162 error = xfs_resizefs_init_new_ags(tp, &id, oagcount, nagcount,
163 delta, last_pag, &lastag_extended);
164 } else {
165 xfs_warn_experimental(mp, XFS_EXPERIMENTAL_SHRINK);
166 error = xfs_ag_shrink_space(last_pag, &tp, -delta);
167 }
168 xfs_perag_put(last_pag);
169 if (error)
170 goto out_trans_cancel;
171
172 /*
173 * Update changed superblock fields transactionally. These are not
174 * seen by the rest of the world until the transaction commit applies
175 * them atomically to the superblock.
176 */
177 if (nagcount > oagcount)
178 xfs_trans_mod_sb(tp, XFS_TRANS_SB_AGCOUNT, nagcount - oagcount);
179 if (delta)
180 xfs_trans_mod_sb(tp, XFS_TRANS_SB_DBLOCKS, delta);
181 if (id.nfree)
182 xfs_trans_mod_sb(tp, XFS_TRANS_SB_FDBLOCKS, id.nfree);
183
184 /*
185 * Sync sb counters now to reflect the updated values. This is
186 * particularly important for shrink because the write verifier
187 * will fail if sb_fdblocks is ever larger than sb_dblocks.
188 */
189 if (xfs_has_lazysbcount(mp))
190 xfs_log_sb(tp);
191
192 xfs_trans_set_sync(tp);
193 error = xfs_trans_commit(tp);
194 if (error)
195 return error;
196
197 /* New allocation groups fully initialized, so update mount struct */
198 if (nagimax)
199 mp->m_maxagi = nagimax;
200 xfs_set_low_space_thresholds(mp);
201 mp->m_alloc_set_aside = xfs_alloc_set_aside(mp);
202
203 if (delta > 0) {
204 /*
205 * If we expanded the last AG, free the per-AG reservation
206 * so we can reinitialize it with the new size.
207 */
208 if (lastag_extended) {
209 struct xfs_perag *pag;
210
211 pag = xfs_perag_get(mp, id.agno);
212 xfs_ag_resv_free(pag);
213 xfs_perag_put(pag);
214 }
215 /*
216 * Reserve AG metadata blocks. ENOSPC here does not mean there
217 * was a growfs failure, just that there still isn't space for
218 * new user data after the grow has been run.
219 */
220 error = xfs_fs_reserve_ag_blocks(mp);
221 if (error == -ENOSPC)
222 error = 0;
223
224 /* Compute new maxlevels for rt btrees. */
225 xfs_rtrmapbt_compute_maxlevels(mp);
226 xfs_rtrefcountbt_compute_maxlevels(mp);
227 }
228
229 return error;
230
231 out_trans_cancel:
232 xfs_trans_cancel(tp);
233 out_free_unused_perag:
234 if (nagcount > oagcount)
235 xfs_free_perag_range(mp, oagcount, nagcount);
236 return error;
237 }
238
239 static int
xfs_growfs_log_private(struct xfs_mount * mp,struct xfs_growfs_log * in)240 xfs_growfs_log_private(
241 struct xfs_mount *mp, /* mount point for filesystem */
242 struct xfs_growfs_log *in) /* growfs log input struct */
243 {
244 xfs_extlen_t nb;
245
246 nb = in->newblocks;
247 if (nb < XFS_MIN_LOG_BLOCKS || nb < XFS_B_TO_FSB(mp, XFS_MIN_LOG_BYTES))
248 return -EINVAL;
249 if (nb == mp->m_sb.sb_logblocks &&
250 in->isint == (mp->m_sb.sb_logstart != 0))
251 return -EINVAL;
252 /*
253 * Moving the log is hard, need new interfaces to sync
254 * the log first, hold off all activity while moving it.
255 * Can have shorter or longer log in the same space,
256 * or transform internal to external log or vice versa.
257 */
258 return -ENOSYS;
259 }
260
261 static int
xfs_growfs_imaxpct(struct xfs_mount * mp,__u32 imaxpct)262 xfs_growfs_imaxpct(
263 struct xfs_mount *mp,
264 __u32 imaxpct)
265 {
266 struct xfs_trans *tp;
267 int dpct;
268 int error;
269
270 if (imaxpct > 100)
271 return -EINVAL;
272
273 error = xfs_trans_alloc(mp, &M_RES(mp)->tr_growdata,
274 XFS_GROWFS_SPACE_RES(mp), 0, XFS_TRANS_RESERVE, &tp);
275 if (error)
276 return error;
277
278 dpct = imaxpct - mp->m_sb.sb_imax_pct;
279 xfs_trans_mod_sb(tp, XFS_TRANS_SB_IMAXPCT, dpct);
280 xfs_trans_set_sync(tp);
281 return xfs_trans_commit(tp);
282 }
283
284 /*
285 * protected versions of growfs function acquire and release locks on the mount
286 * point - exported through ioctls: XFS_IOC_FSGROWFSDATA, XFS_IOC_FSGROWFSLOG,
287 * XFS_IOC_FSGROWFSRT
288 */
289 int
xfs_growfs_data(struct xfs_mount * mp,struct xfs_growfs_data * in)290 xfs_growfs_data(
291 struct xfs_mount *mp,
292 struct xfs_growfs_data *in)
293 {
294 int error;
295
296 if (!capable(CAP_SYS_ADMIN))
297 return -EPERM;
298 if (!mutex_trylock(&mp->m_growlock))
299 return -EWOULDBLOCK;
300
301 /* we can't grow the data section when an internal RT section exists */
302 if (in->newblocks != mp->m_sb.sb_dblocks && mp->m_sb.sb_rtstart) {
303 error = -EINVAL;
304 goto out_unlock;
305 }
306
307 /* update imaxpct separately to the physical grow of the filesystem */
308 if (in->imaxpct != mp->m_sb.sb_imax_pct) {
309 error = xfs_growfs_imaxpct(mp, in->imaxpct);
310 if (error)
311 goto out_unlock;
312 }
313
314 if (in->newblocks != mp->m_sb.sb_dblocks) {
315 error = xfs_growfs_data_private(mp, in);
316 if (error)
317 goto out_unlock;
318 }
319
320 /* Post growfs calculations needed to reflect new state in operations */
321 if (mp->m_sb.sb_imax_pct) {
322 uint64_t icount = mp->m_sb.sb_dblocks * mp->m_sb.sb_imax_pct;
323 do_div(icount, 100);
324 M_IGEO(mp)->maxicount = XFS_FSB_TO_INO(mp, icount);
325 } else
326 M_IGEO(mp)->maxicount = 0;
327
328 /* Update secondary superblocks now the physical grow has completed */
329 error = xfs_update_secondary_sbs(mp);
330
331 /*
332 * Increment the generation unconditionally, after trying to update the
333 * secondary superblocks, as the new size is live already at this point.
334 */
335 mp->m_generation++;
336 out_unlock:
337 mutex_unlock(&mp->m_growlock);
338 return error;
339 }
340
341 int
xfs_growfs_log(xfs_mount_t * mp,struct xfs_growfs_log * in)342 xfs_growfs_log(
343 xfs_mount_t *mp,
344 struct xfs_growfs_log *in)
345 {
346 int error;
347
348 if (!capable(CAP_SYS_ADMIN))
349 return -EPERM;
350 if (!mutex_trylock(&mp->m_growlock))
351 return -EWOULDBLOCK;
352 error = xfs_growfs_log_private(mp, in);
353 mutex_unlock(&mp->m_growlock);
354 return error;
355 }
356
357 /*
358 * Reserve the requested number of blocks if available. Otherwise return
359 * as many as possible to satisfy the request. The actual number
360 * reserved are returned in outval.
361 */
362 int
xfs_reserve_blocks(struct xfs_mount * mp,enum xfs_free_counter ctr,uint64_t request)363 xfs_reserve_blocks(
364 struct xfs_mount *mp,
365 enum xfs_free_counter ctr,
366 uint64_t request)
367 {
368 int64_t lcounter, delta;
369 int64_t fdblks_delta = 0;
370 int64_t free;
371 int error = 0;
372
373 ASSERT(ctr < XC_FREE_NR);
374
375 /*
376 * With per-cpu counters, this becomes an interesting problem. we need
377 * to work out if we are freeing or allocation blocks first, then we can
378 * do the modification as necessary.
379 *
380 * We do this under the m_sb_lock so that if we are near ENOSPC, we will
381 * hold out any changes while we work out what to do. This means that
382 * the amount of free space can change while we do this, so we need to
383 * retry if we end up trying to reserve more space than is available.
384 */
385 spin_lock(&mp->m_sb_lock);
386
387 /*
388 * If our previous reservation was larger than the current value,
389 * then move any unused blocks back to the free pool. Modify the resblks
390 * counters directly since we shouldn't have any problems unreserving
391 * space.
392 */
393 if (mp->m_free[ctr].res_total > request) {
394 lcounter = mp->m_free[ctr].res_avail - request;
395 if (lcounter > 0) { /* release unused blocks */
396 fdblks_delta = lcounter;
397 mp->m_free[ctr].res_avail -= lcounter;
398 }
399 mp->m_free[ctr].res_total = request;
400 if (fdblks_delta) {
401 spin_unlock(&mp->m_sb_lock);
402 xfs_add_freecounter(mp, ctr, fdblks_delta);
403 spin_lock(&mp->m_sb_lock);
404 }
405
406 goto out;
407 }
408
409 /*
410 * If the request is larger than the current reservation, reserve the
411 * blocks before we update the reserve counters. Sample m_free and
412 * perform a partial reservation if the request exceeds free space.
413 *
414 * The code below estimates how many blocks it can request from
415 * fdblocks to stash in the reserve pool. This is a classic TOCTOU
416 * race since fdblocks updates are not always coordinated via
417 * m_sb_lock. Set the reserve size even if there's not enough free
418 * space to fill it because mod_fdblocks will refill an undersized
419 * reserve when it can.
420 */
421 free = xfs_sum_freecounter_raw(mp, ctr) -
422 xfs_freecounter_unavailable(mp, ctr);
423 delta = request - mp->m_free[ctr].res_total;
424 mp->m_free[ctr].res_total = request;
425 if (delta > 0 && free > 0) {
426 /*
427 * We'll either succeed in getting space from the free block
428 * count or we'll get an ENOSPC. Don't set the reserved flag
429 * here - we don't want to reserve the extra reserve blocks
430 * from the reserve.
431 *
432 * The desired reserve size can change after we drop the lock.
433 * Use mod_fdblocks to put the space into the reserve or into
434 * fdblocks as appropriate.
435 */
436 fdblks_delta = min(free, delta);
437 spin_unlock(&mp->m_sb_lock);
438 error = xfs_dec_freecounter(mp, ctr, fdblks_delta, 0);
439 if (!error)
440 xfs_add_freecounter(mp, ctr, fdblks_delta);
441 spin_lock(&mp->m_sb_lock);
442 }
443 out:
444 spin_unlock(&mp->m_sb_lock);
445 return error;
446 }
447
448 int
xfs_fs_goingdown(xfs_mount_t * mp,uint32_t inflags)449 xfs_fs_goingdown(
450 xfs_mount_t *mp,
451 uint32_t inflags)
452 {
453 switch (inflags) {
454 case XFS_FSOP_GOING_FLAGS_DEFAULT: {
455 if (!bdev_freeze(mp->m_super->s_bdev)) {
456 xfs_force_shutdown(mp, SHUTDOWN_FORCE_UMOUNT);
457 bdev_thaw(mp->m_super->s_bdev);
458 }
459 break;
460 }
461 case XFS_FSOP_GOING_FLAGS_LOGFLUSH:
462 xfs_force_shutdown(mp, SHUTDOWN_FORCE_UMOUNT);
463 break;
464 case XFS_FSOP_GOING_FLAGS_NOLOGFLUSH:
465 xfs_force_shutdown(mp,
466 SHUTDOWN_FORCE_UMOUNT | SHUTDOWN_LOG_IO_ERROR);
467 break;
468 default:
469 return -EINVAL;
470 }
471
472 return 0;
473 }
474
475 /*
476 * Force a shutdown of the filesystem instantly while keeping the filesystem
477 * consistent. We don't do an unmount here; just shutdown the shop, make sure
478 * that absolutely nothing persistent happens to this filesystem after this
479 * point.
480 *
481 * The shutdown state change is atomic, resulting in the first and only the
482 * first shutdown call processing the shutdown. This means we only shutdown the
483 * log once as it requires, and we don't spam the logs when multiple concurrent
484 * shutdowns race to set the shutdown flags.
485 */
486 void
xfs_do_force_shutdown(struct xfs_mount * mp,uint32_t flags,char * fname,int lnnum)487 xfs_do_force_shutdown(
488 struct xfs_mount *mp,
489 uint32_t flags,
490 char *fname,
491 int lnnum)
492 {
493 int tag;
494 const char *why;
495
496
497 if (xfs_set_shutdown(mp)) {
498 xlog_shutdown_wait(mp->m_log);
499 return;
500 }
501 if (mp->m_sb_bp)
502 mp->m_sb_bp->b_flags |= XBF_DONE;
503
504 if (flags & SHUTDOWN_FORCE_UMOUNT)
505 xfs_alert(mp, "User initiated shutdown received.");
506
507 if (xlog_force_shutdown(mp->m_log, flags)) {
508 tag = XFS_PTAG_SHUTDOWN_LOGERROR;
509 why = "Log I/O Error";
510 } else if (flags & SHUTDOWN_CORRUPT_INCORE) {
511 tag = XFS_PTAG_SHUTDOWN_CORRUPT;
512 why = "Corruption of in-memory data";
513 } else if (flags & SHUTDOWN_CORRUPT_ONDISK) {
514 tag = XFS_PTAG_SHUTDOWN_CORRUPT;
515 why = "Corruption of on-disk metadata";
516 } else if (flags & SHUTDOWN_DEVICE_REMOVED) {
517 tag = XFS_PTAG_SHUTDOWN_IOERROR;
518 why = "Block device removal";
519 } else {
520 tag = XFS_PTAG_SHUTDOWN_IOERROR;
521 why = "Metadata I/O Error";
522 }
523
524 trace_xfs_force_shutdown(mp, tag, flags, fname, lnnum);
525
526 xfs_alert_tag(mp, tag,
527 "%s (0x%x) detected at %pS (%s:%d). Shutting down filesystem.",
528 why, flags, __return_address, fname, lnnum);
529 xfs_alert(mp,
530 "Please unmount the filesystem and rectify the problem(s)");
531 if (xfs_error_level >= XFS_ERRLEVEL_HIGH)
532 xfs_stack_trace();
533
534 fserror_report_shutdown(mp->m_super, GFP_KERNEL);
535 xfs_healthmon_report_shutdown(mp, flags);
536 }
537
538 /*
539 * Reserve free space for per-AG metadata.
540 */
541 int
xfs_fs_reserve_ag_blocks(struct xfs_mount * mp)542 xfs_fs_reserve_ag_blocks(
543 struct xfs_mount *mp)
544 {
545 struct xfs_perag *pag = NULL;
546 int error = 0;
547 int err2;
548
549 mp->m_finobt_nores = false;
550 while ((pag = xfs_perag_next(mp, pag))) {
551 err2 = xfs_ag_resv_init(pag, NULL);
552 if (err2 && !error)
553 error = err2;
554 }
555
556 if (error && error != -ENOSPC) {
557 xfs_warn(mp,
558 "Error %d reserving per-AG metadata reserve pool.", error);
559 xfs_force_shutdown(mp, SHUTDOWN_CORRUPT_INCORE);
560 return error;
561 }
562
563 err2 = xfs_metafile_resv_init(mp);
564 if (err2 && err2 != -ENOSPC) {
565 xfs_warn(mp,
566 "Error %d reserving realtime metadata reserve pool.", err2);
567 xfs_force_shutdown(mp, SHUTDOWN_CORRUPT_INCORE);
568
569 if (!error)
570 error = err2;
571 }
572
573 return error;
574 }
575
576 /*
577 * Free space reserved for per-AG metadata.
578 */
579 void
xfs_fs_unreserve_ag_blocks(struct xfs_mount * mp)580 xfs_fs_unreserve_ag_blocks(
581 struct xfs_mount *mp)
582 {
583 struct xfs_perag *pag = NULL;
584
585 xfs_metafile_resv_free(mp);
586 while ((pag = xfs_perag_next(mp, pag)))
587 xfs_ag_resv_free(pag);
588 }
589