1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * Copyright (c) 2000-2005 Silicon Graphics, Inc.
4 * All Rights Reserved.
5 */
6 #include "xfs.h"
7 #include "xfs_fs.h"
8 #include "xfs_shared.h"
9 #include "xfs_format.h"
10 #include "xfs_log_format.h"
11 #include "xfs_trans_resv.h"
12 #include "xfs_sb.h"
13 #include "xfs_mount.h"
14 #include "xfs_trans.h"
15 #include "xfs_error.h"
16 #include "xfs_alloc.h"
17 #include "xfs_fsops.h"
18 #include "xfs_trans_space.h"
19 #include "xfs_log.h"
20 #include "xfs_log_priv.h"
21 #include "xfs_ag.h"
22 #include "xfs_ag_resv.h"
23 #include "xfs_trace.h"
24 #include "xfs_rtalloc.h"
25 #include "xfs_rtrmap_btree.h"
26 #include "xfs_rtrefcount_btree.h"
27
28 /*
29 * Write new AG headers to disk. Non-transactional, but need to be
30 * written and completed prior to the growfs transaction being logged.
31 * To do this, we use a delayed write buffer list and wait for
32 * submission and IO completion of the list as a whole. This allows the
33 * IO subsystem to merge all the AG headers in a single AG into a single
34 * IO and hide most of the latency of the IO from us.
35 *
36 * This also means that if we get an error whilst building the buffer
37 * list to write, we can cancel the entire list without having written
38 * anything.
39 */
40 static int
xfs_resizefs_init_new_ags(struct xfs_trans * tp,struct aghdr_init_data * id,xfs_agnumber_t oagcount,xfs_agnumber_t nagcount,xfs_rfsblock_t delta,struct xfs_perag * last_pag,bool * lastag_extended)41 xfs_resizefs_init_new_ags(
42 struct xfs_trans *tp,
43 struct aghdr_init_data *id,
44 xfs_agnumber_t oagcount,
45 xfs_agnumber_t nagcount,
46 xfs_rfsblock_t delta,
47 struct xfs_perag *last_pag,
48 bool *lastag_extended)
49 {
50 struct xfs_mount *mp = tp->t_mountp;
51 xfs_rfsblock_t nb = mp->m_sb.sb_dblocks + delta;
52 int error;
53
54 *lastag_extended = false;
55
56 INIT_LIST_HEAD(&id->buffer_list);
57 for (id->agno = nagcount - 1;
58 id->agno >= oagcount;
59 id->agno--, delta -= id->agsize) {
60
61 if (id->agno == nagcount - 1)
62 id->agsize = nb - (id->agno *
63 (xfs_rfsblock_t)mp->m_sb.sb_agblocks);
64 else
65 id->agsize = mp->m_sb.sb_agblocks;
66
67 error = xfs_ag_init_headers(mp, id);
68 if (error) {
69 xfs_buf_delwri_cancel(&id->buffer_list);
70 return error;
71 }
72 }
73
74 error = xfs_buf_delwri_submit(&id->buffer_list);
75 if (error)
76 return error;
77
78 if (delta) {
79 *lastag_extended = true;
80 error = xfs_ag_extend_space(last_pag, tp, delta);
81 }
82 return error;
83 }
84
85 /*
86 * growfs operations
87 */
88 static int
xfs_growfs_data_private(struct xfs_mount * mp,struct xfs_growfs_data * in)89 xfs_growfs_data_private(
90 struct xfs_mount *mp, /* mount point for filesystem */
91 struct xfs_growfs_data *in) /* growfs data input struct */
92 {
93 xfs_agnumber_t oagcount = mp->m_sb.sb_agcount;
94 struct xfs_buf *bp;
95 int error;
96 xfs_agnumber_t nagcount;
97 xfs_agnumber_t nagimax = 0;
98 xfs_rfsblock_t nb, nb_div, nb_mod;
99 int64_t delta;
100 bool lastag_extended = false;
101 struct xfs_trans *tp;
102 struct aghdr_init_data id = {};
103 struct xfs_perag *last_pag;
104
105 nb = in->newblocks;
106 error = xfs_sb_validate_fsb_count(&mp->m_sb, nb);
107 if (error)
108 return error;
109
110 if (nb > mp->m_sb.sb_dblocks) {
111 error = xfs_buf_read_uncached(mp->m_ddev_targp,
112 XFS_FSB_TO_BB(mp, nb) - XFS_FSS_TO_BB(mp, 1),
113 XFS_FSS_TO_BB(mp, 1), 0, &bp, NULL);
114 if (error)
115 return error;
116 xfs_buf_relse(bp);
117 }
118
119 /* Make sure the new fs size won't cause problems with the log. */
120 error = xfs_growfs_check_rtgeom(mp, nb, mp->m_sb.sb_rblocks,
121 mp->m_sb.sb_rextsize);
122 if (error)
123 return error;
124
125 nb_div = nb;
126 nb_mod = do_div(nb_div, mp->m_sb.sb_agblocks);
127 if (nb_mod && nb_mod >= XFS_MIN_AG_BLOCKS)
128 nb_div++;
129 else if (nb_mod)
130 nb = nb_div * mp->m_sb.sb_agblocks;
131
132 if (nb_div > XFS_MAX_AGNUMBER + 1) {
133 nb_div = XFS_MAX_AGNUMBER + 1;
134 nb = nb_div * mp->m_sb.sb_agblocks;
135 }
136 nagcount = nb_div;
137 delta = nb - mp->m_sb.sb_dblocks;
138 /*
139 * Reject filesystems with a single AG because they are not
140 * supported, and reject a shrink operation that would cause a
141 * filesystem to become unsupported.
142 */
143 if (delta < 0 && nagcount < 2)
144 return -EINVAL;
145
146 /* No work to do */
147 if (delta == 0)
148 return 0;
149
150 /* TODO: shrinking the entire AGs hasn't yet completed */
151 if (nagcount < oagcount)
152 return -EINVAL;
153
154 /* allocate the new per-ag structures */
155 error = xfs_initialize_perag(mp, oagcount, nagcount, nb, &nagimax);
156 if (error)
157 return error;
158
159 if (delta > 0)
160 error = xfs_trans_alloc(mp, &M_RES(mp)->tr_growdata,
161 XFS_GROWFS_SPACE_RES(mp), 0, XFS_TRANS_RESERVE,
162 &tp);
163 else
164 error = xfs_trans_alloc(mp, &M_RES(mp)->tr_growdata, -delta, 0,
165 0, &tp);
166 if (error)
167 goto out_free_unused_perag;
168
169 last_pag = xfs_perag_get(mp, oagcount - 1);
170 if (delta > 0) {
171 error = xfs_resizefs_init_new_ags(tp, &id, oagcount, nagcount,
172 delta, last_pag, &lastag_extended);
173 } else {
174 xfs_warn_experimental(mp, XFS_EXPERIMENTAL_SHRINK);
175 error = xfs_ag_shrink_space(last_pag, &tp, -delta);
176 }
177 xfs_perag_put(last_pag);
178 if (error)
179 goto out_trans_cancel;
180
181 /*
182 * Update changed superblock fields transactionally. These are not
183 * seen by the rest of the world until the transaction commit applies
184 * them atomically to the superblock.
185 */
186 if (nagcount > oagcount)
187 xfs_trans_mod_sb(tp, XFS_TRANS_SB_AGCOUNT, nagcount - oagcount);
188 if (delta)
189 xfs_trans_mod_sb(tp, XFS_TRANS_SB_DBLOCKS, delta);
190 if (id.nfree)
191 xfs_trans_mod_sb(tp, XFS_TRANS_SB_FDBLOCKS, id.nfree);
192
193 /*
194 * Sync sb counters now to reflect the updated values. This is
195 * particularly important for shrink because the write verifier
196 * will fail if sb_fdblocks is ever larger than sb_dblocks.
197 */
198 if (xfs_has_lazysbcount(mp))
199 xfs_log_sb(tp);
200
201 xfs_trans_set_sync(tp);
202 error = xfs_trans_commit(tp);
203 if (error)
204 return error;
205
206 /* New allocation groups fully initialized, so update mount struct */
207 if (nagimax)
208 mp->m_maxagi = nagimax;
209 xfs_set_low_space_thresholds(mp);
210 mp->m_alloc_set_aside = xfs_alloc_set_aside(mp);
211
212 if (delta > 0) {
213 /*
214 * If we expanded the last AG, free the per-AG reservation
215 * so we can reinitialize it with the new size.
216 */
217 if (lastag_extended) {
218 struct xfs_perag *pag;
219
220 pag = xfs_perag_get(mp, id.agno);
221 xfs_ag_resv_free(pag);
222 xfs_perag_put(pag);
223 }
224 /*
225 * Reserve AG metadata blocks. ENOSPC here does not mean there
226 * was a growfs failure, just that there still isn't space for
227 * new user data after the grow has been run.
228 */
229 error = xfs_fs_reserve_ag_blocks(mp);
230 if (error == -ENOSPC)
231 error = 0;
232
233 /* Compute new maxlevels for rt btrees. */
234 xfs_rtrmapbt_compute_maxlevels(mp);
235 xfs_rtrefcountbt_compute_maxlevels(mp);
236 }
237
238 return error;
239
240 out_trans_cancel:
241 xfs_trans_cancel(tp);
242 out_free_unused_perag:
243 if (nagcount > oagcount)
244 xfs_free_perag_range(mp, oagcount, nagcount);
245 return error;
246 }
247
248 static int
xfs_growfs_log_private(struct xfs_mount * mp,struct xfs_growfs_log * in)249 xfs_growfs_log_private(
250 struct xfs_mount *mp, /* mount point for filesystem */
251 struct xfs_growfs_log *in) /* growfs log input struct */
252 {
253 xfs_extlen_t nb;
254
255 nb = in->newblocks;
256 if (nb < XFS_MIN_LOG_BLOCKS || nb < XFS_B_TO_FSB(mp, XFS_MIN_LOG_BYTES))
257 return -EINVAL;
258 if (nb == mp->m_sb.sb_logblocks &&
259 in->isint == (mp->m_sb.sb_logstart != 0))
260 return -EINVAL;
261 /*
262 * Moving the log is hard, need new interfaces to sync
263 * the log first, hold off all activity while moving it.
264 * Can have shorter or longer log in the same space,
265 * or transform internal to external log or vice versa.
266 */
267 return -ENOSYS;
268 }
269
270 static int
xfs_growfs_imaxpct(struct xfs_mount * mp,__u32 imaxpct)271 xfs_growfs_imaxpct(
272 struct xfs_mount *mp,
273 __u32 imaxpct)
274 {
275 struct xfs_trans *tp;
276 int dpct;
277 int error;
278
279 if (imaxpct > 100)
280 return -EINVAL;
281
282 error = xfs_trans_alloc(mp, &M_RES(mp)->tr_growdata,
283 XFS_GROWFS_SPACE_RES(mp), 0, XFS_TRANS_RESERVE, &tp);
284 if (error)
285 return error;
286
287 dpct = imaxpct - mp->m_sb.sb_imax_pct;
288 xfs_trans_mod_sb(tp, XFS_TRANS_SB_IMAXPCT, dpct);
289 xfs_trans_set_sync(tp);
290 return xfs_trans_commit(tp);
291 }
292
293 /*
294 * protected versions of growfs function acquire and release locks on the mount
295 * point - exported through ioctls: XFS_IOC_FSGROWFSDATA, XFS_IOC_FSGROWFSLOG,
296 * XFS_IOC_FSGROWFSRT
297 */
298 int
xfs_growfs_data(struct xfs_mount * mp,struct xfs_growfs_data * in)299 xfs_growfs_data(
300 struct xfs_mount *mp,
301 struct xfs_growfs_data *in)
302 {
303 int error = 0;
304
305 if (!capable(CAP_SYS_ADMIN))
306 return -EPERM;
307 if (!mutex_trylock(&mp->m_growlock))
308 return -EWOULDBLOCK;
309
310 /* update imaxpct separately to the physical grow of the filesystem */
311 if (in->imaxpct != mp->m_sb.sb_imax_pct) {
312 error = xfs_growfs_imaxpct(mp, in->imaxpct);
313 if (error)
314 goto out_error;
315 }
316
317 if (in->newblocks != mp->m_sb.sb_dblocks) {
318 error = xfs_growfs_data_private(mp, in);
319 if (error)
320 goto out_error;
321 }
322
323 /* Post growfs calculations needed to reflect new state in operations */
324 if (mp->m_sb.sb_imax_pct) {
325 uint64_t icount = mp->m_sb.sb_dblocks * mp->m_sb.sb_imax_pct;
326 do_div(icount, 100);
327 M_IGEO(mp)->maxicount = XFS_FSB_TO_INO(mp, icount);
328 } else
329 M_IGEO(mp)->maxicount = 0;
330
331 /* Update secondary superblocks now the physical grow has completed */
332 error = xfs_update_secondary_sbs(mp);
333
334 out_error:
335 /*
336 * Increment the generation unconditionally, the error could be from
337 * updating the secondary superblocks, in which case the new size
338 * is live already.
339 */
340 mp->m_generation++;
341 mutex_unlock(&mp->m_growlock);
342 return error;
343 }
344
345 int
xfs_growfs_log(xfs_mount_t * mp,struct xfs_growfs_log * in)346 xfs_growfs_log(
347 xfs_mount_t *mp,
348 struct xfs_growfs_log *in)
349 {
350 int error;
351
352 if (!capable(CAP_SYS_ADMIN))
353 return -EPERM;
354 if (!mutex_trylock(&mp->m_growlock))
355 return -EWOULDBLOCK;
356 error = xfs_growfs_log_private(mp, in);
357 mutex_unlock(&mp->m_growlock);
358 return error;
359 }
360
361 /*
362 * Reserve the requested number of blocks if available. Otherwise return
363 * as many as possible to satisfy the request. The actual number
364 * reserved are returned in outval.
365 */
366 int
xfs_reserve_blocks(struct xfs_mount * mp,uint64_t request)367 xfs_reserve_blocks(
368 struct xfs_mount *mp,
369 uint64_t request)
370 {
371 int64_t lcounter, delta;
372 int64_t fdblks_delta = 0;
373 int64_t free;
374 int error = 0;
375
376 /*
377 * With per-cpu counters, this becomes an interesting problem. we need
378 * to work out if we are freeing or allocation blocks first, then we can
379 * do the modification as necessary.
380 *
381 * We do this under the m_sb_lock so that if we are near ENOSPC, we will
382 * hold out any changes while we work out what to do. This means that
383 * the amount of free space can change while we do this, so we need to
384 * retry if we end up trying to reserve more space than is available.
385 */
386 spin_lock(&mp->m_sb_lock);
387
388 /*
389 * If our previous reservation was larger than the current value,
390 * then move any unused blocks back to the free pool. Modify the resblks
391 * counters directly since we shouldn't have any problems unreserving
392 * space.
393 */
394 if (mp->m_resblks > request) {
395 lcounter = mp->m_resblks_avail - request;
396 if (lcounter > 0) { /* release unused blocks */
397 fdblks_delta = lcounter;
398 mp->m_resblks_avail -= lcounter;
399 }
400 mp->m_resblks = request;
401 if (fdblks_delta) {
402 spin_unlock(&mp->m_sb_lock);
403 xfs_add_fdblocks(mp, fdblks_delta);
404 spin_lock(&mp->m_sb_lock);
405 }
406
407 goto out;
408 }
409
410 /*
411 * If the request is larger than the current reservation, reserve the
412 * blocks before we update the reserve counters. Sample m_fdblocks and
413 * perform a partial reservation if the request exceeds free space.
414 *
415 * The code below estimates how many blocks it can request from
416 * fdblocks to stash in the reserve pool. This is a classic TOCTOU
417 * race since fdblocks updates are not always coordinated via
418 * m_sb_lock. Set the reserve size even if there's not enough free
419 * space to fill it because mod_fdblocks will refill an undersized
420 * reserve when it can.
421 */
422 free = percpu_counter_sum(&mp->m_fdblocks) -
423 xfs_fdblocks_unavailable(mp);
424 delta = request - mp->m_resblks;
425 mp->m_resblks = request;
426 if (delta > 0 && free > 0) {
427 /*
428 * We'll either succeed in getting space from the free block
429 * count or we'll get an ENOSPC. Don't set the reserved flag
430 * here - we don't want to reserve the extra reserve blocks
431 * from the reserve.
432 *
433 * The desired reserve size can change after we drop the lock.
434 * Use mod_fdblocks to put the space into the reserve or into
435 * fdblocks as appropriate.
436 */
437 fdblks_delta = min(free, delta);
438 spin_unlock(&mp->m_sb_lock);
439 error = xfs_dec_fdblocks(mp, fdblks_delta, 0);
440 if (!error)
441 xfs_add_fdblocks(mp, fdblks_delta);
442 spin_lock(&mp->m_sb_lock);
443 }
444 out:
445 spin_unlock(&mp->m_sb_lock);
446 return error;
447 }
448
449 int
xfs_fs_goingdown(xfs_mount_t * mp,uint32_t inflags)450 xfs_fs_goingdown(
451 xfs_mount_t *mp,
452 uint32_t inflags)
453 {
454 switch (inflags) {
455 case XFS_FSOP_GOING_FLAGS_DEFAULT: {
456 if (!bdev_freeze(mp->m_super->s_bdev)) {
457 xfs_force_shutdown(mp, SHUTDOWN_FORCE_UMOUNT);
458 bdev_thaw(mp->m_super->s_bdev);
459 }
460 break;
461 }
462 case XFS_FSOP_GOING_FLAGS_LOGFLUSH:
463 xfs_force_shutdown(mp, SHUTDOWN_FORCE_UMOUNT);
464 break;
465 case XFS_FSOP_GOING_FLAGS_NOLOGFLUSH:
466 xfs_force_shutdown(mp,
467 SHUTDOWN_FORCE_UMOUNT | SHUTDOWN_LOG_IO_ERROR);
468 break;
469 default:
470 return -EINVAL;
471 }
472
473 return 0;
474 }
475
476 /*
477 * Force a shutdown of the filesystem instantly while keeping the filesystem
478 * consistent. We don't do an unmount here; just shutdown the shop, make sure
479 * that absolutely nothing persistent happens to this filesystem after this
480 * point.
481 *
482 * The shutdown state change is atomic, resulting in the first and only the
483 * first shutdown call processing the shutdown. This means we only shutdown the
484 * log once as it requires, and we don't spam the logs when multiple concurrent
485 * shutdowns race to set the shutdown flags.
486 */
487 void
xfs_do_force_shutdown(struct xfs_mount * mp,uint32_t flags,char * fname,int lnnum)488 xfs_do_force_shutdown(
489 struct xfs_mount *mp,
490 uint32_t flags,
491 char *fname,
492 int lnnum)
493 {
494 int tag;
495 const char *why;
496
497
498 if (xfs_set_shutdown(mp)) {
499 xlog_shutdown_wait(mp->m_log);
500 return;
501 }
502 if (mp->m_sb_bp)
503 mp->m_sb_bp->b_flags |= XBF_DONE;
504
505 if (flags & SHUTDOWN_FORCE_UMOUNT)
506 xfs_alert(mp, "User initiated shutdown received.");
507
508 if (xlog_force_shutdown(mp->m_log, flags)) {
509 tag = XFS_PTAG_SHUTDOWN_LOGERROR;
510 why = "Log I/O Error";
511 } else if (flags & SHUTDOWN_CORRUPT_INCORE) {
512 tag = XFS_PTAG_SHUTDOWN_CORRUPT;
513 why = "Corruption of in-memory data";
514 } else if (flags & SHUTDOWN_CORRUPT_ONDISK) {
515 tag = XFS_PTAG_SHUTDOWN_CORRUPT;
516 why = "Corruption of on-disk metadata";
517 } else if (flags & SHUTDOWN_DEVICE_REMOVED) {
518 tag = XFS_PTAG_SHUTDOWN_IOERROR;
519 why = "Block device removal";
520 } else {
521 tag = XFS_PTAG_SHUTDOWN_IOERROR;
522 why = "Metadata I/O Error";
523 }
524
525 trace_xfs_force_shutdown(mp, tag, flags, fname, lnnum);
526
527 xfs_alert_tag(mp, tag,
528 "%s (0x%x) detected at %pS (%s:%d). Shutting down filesystem.",
529 why, flags, __return_address, fname, lnnum);
530 xfs_alert(mp,
531 "Please unmount the filesystem and rectify the problem(s)");
532 if (xfs_error_level >= XFS_ERRLEVEL_HIGH)
533 xfs_stack_trace();
534 }
535
536 /*
537 * Reserve free space for per-AG metadata.
538 */
539 int
xfs_fs_reserve_ag_blocks(struct xfs_mount * mp)540 xfs_fs_reserve_ag_blocks(
541 struct xfs_mount *mp)
542 {
543 struct xfs_perag *pag = NULL;
544 int error = 0;
545 int err2;
546
547 mp->m_finobt_nores = false;
548 while ((pag = xfs_perag_next(mp, pag))) {
549 err2 = xfs_ag_resv_init(pag, NULL);
550 if (err2 && !error)
551 error = err2;
552 }
553
554 if (error && error != -ENOSPC) {
555 xfs_warn(mp,
556 "Error %d reserving per-AG metadata reserve pool.", error);
557 xfs_force_shutdown(mp, SHUTDOWN_CORRUPT_INCORE);
558 return error;
559 }
560
561 if (xfs_has_realtime(mp)) {
562 err2 = xfs_rt_resv_init(mp);
563 if (err2 && err2 != -ENOSPC) {
564 xfs_warn(mp,
565 "Error %d reserving realtime metadata reserve pool.", err2);
566 xfs_force_shutdown(mp, SHUTDOWN_CORRUPT_INCORE);
567 }
568
569 if (err2 && !error)
570 error = err2;
571 }
572
573 return error;
574 }
575
576 /*
577 * Free space reserved for per-AG metadata.
578 */
579 void
xfs_fs_unreserve_ag_blocks(struct xfs_mount * mp)580 xfs_fs_unreserve_ag_blocks(
581 struct xfs_mount *mp)
582 {
583 struct xfs_perag *pag = NULL;
584
585 if (xfs_has_realtime(mp))
586 xfs_rt_resv_free(mp);
587
588 while ((pag = xfs_perag_next(mp, pag)))
589 xfs_ag_resv_free(pag);
590 }
591