1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * Copyright (C) 2017-2023 Oracle. All Rights Reserved. 4 * Author: Darrick J. Wong <djwong@kernel.org> 5 */ 6 #include "xfs_platform.h" 7 #include "xfs_fs.h" 8 #include "xfs_shared.h" 9 #include "xfs_format.h" 10 #include "xfs_trans_resv.h" 11 #include "xfs_mount.h" 12 #include "xfs_btree.h" 13 #include "xfs_log_format.h" 14 #include "xfs_trans.h" 15 #include "xfs_inode.h" 16 #include "xfs_icache.h" 17 #include "xfs_alloc.h" 18 #include "xfs_alloc_btree.h" 19 #include "xfs_ialloc.h" 20 #include "xfs_ialloc_btree.h" 21 #include "xfs_refcount_btree.h" 22 #include "xfs_rmap.h" 23 #include "xfs_rmap_btree.h" 24 #include "xfs_log.h" 25 #include "xfs_trans_priv.h" 26 #include "xfs_da_format.h" 27 #include "xfs_da_btree.h" 28 #include "xfs_dir2_priv.h" 29 #include "xfs_dir2.h" 30 #include "xfs_attr.h" 31 #include "xfs_reflink.h" 32 #include "xfs_ag.h" 33 #include "xfs_error.h" 34 #include "xfs_quota.h" 35 #include "xfs_exchmaps.h" 36 #include "xfs_rtbitmap.h" 37 #include "xfs_rtgroup.h" 38 #include "xfs_rtrmap_btree.h" 39 #include "xfs_bmap_util.h" 40 #include "xfs_rtrefcount_btree.h" 41 #include "scrub/scrub.h" 42 #include "scrub/common.h" 43 #include "scrub/trace.h" 44 #include "scrub/repair.h" 45 #include "scrub/health.h" 46 #include "scrub/tempfile.h" 47 48 /* Common code for the metadata scrubbers. */ 49 50 /* 51 * Handling operational errors. 52 * 53 * The *_process_error() family of functions are used to process error return 54 * codes from functions called as part of a scrub operation. 55 * 56 * If there's no error, we return true to tell the caller that it's ok 57 * to move on to the next check in its list. 58 * 59 * For non-verifier errors (e.g. ENOMEM) we return false to tell the 60 * caller that something bad happened, and we preserve *error so that 61 * the caller can return the *error up the stack to userspace. 62 * 63 * Verifier errors (EFSBADCRC/EFSCORRUPTED) are recorded by setting 64 * OFLAG_CORRUPT in sm_flags and the *error is cleared. In other words, 65 * we track verifier errors (and failed scrub checks) via OFLAG_CORRUPT, 66 * not via return codes. We return false to tell the caller that 67 * something bad happened. Since the error has been cleared, the caller 68 * will (presumably) return that zero and scrubbing will move on to 69 * whatever's next. 70 * 71 * ftrace can be used to record the precise metadata location and the 72 * approximate code location of the failed operation. 73 */ 74 75 /* Check for operational errors. */ 76 static bool 77 __xchk_process_error( 78 struct xfs_scrub *sc, 79 xfs_agnumber_t agno, 80 xfs_agblock_t bno, 81 int *error, 82 __u32 errflag, 83 void *ret_ip) 84 { 85 switch (*error) { 86 case 0: 87 return true; 88 case -EDEADLOCK: 89 case -ECHRNG: 90 /* Used to restart an op with deadlock avoidance. */ 91 trace_xchk_deadlock_retry( 92 sc->ip ? sc->ip : XFS_I(file_inode(sc->file)), 93 sc->sm, *error); 94 break; 95 case -ECANCELED: 96 /* 97 * ECANCELED here means that the caller set one of the scrub 98 * outcome flags (corrupt, xfail, xcorrupt) and wants to exit 99 * quickly. Set error to zero and do not continue. 100 */ 101 trace_xchk_op_error(sc, agno, bno, *error, ret_ip); 102 *error = 0; 103 break; 104 case -EFSBADCRC: 105 case -EFSCORRUPTED: 106 case -EIO: 107 case -ENODATA: 108 /* Note the badness but don't abort. */ 109 sc->sm->sm_flags |= errflag; 110 *error = 0; 111 fallthrough; 112 default: 113 trace_xchk_op_error(sc, agno, bno, *error, ret_ip); 114 break; 115 } 116 return false; 117 } 118 119 bool 120 xchk_process_error( 121 struct xfs_scrub *sc, 122 xfs_agnumber_t agno, 123 xfs_agblock_t bno, 124 int *error) 125 { 126 return __xchk_process_error(sc, agno, bno, error, 127 XFS_SCRUB_OFLAG_CORRUPT, __return_address); 128 } 129 130 bool 131 xchk_process_rt_error( 132 struct xfs_scrub *sc, 133 xfs_rgnumber_t rgno, 134 xfs_rgblock_t rgbno, 135 int *error) 136 { 137 return __xchk_process_error(sc, rgno, rgbno, error, 138 XFS_SCRUB_OFLAG_CORRUPT, __return_address); 139 } 140 141 bool 142 xchk_xref_process_error( 143 struct xfs_scrub *sc, 144 xfs_agnumber_t agno, 145 xfs_agblock_t bno, 146 int *error) 147 { 148 return __xchk_process_error(sc, agno, bno, error, 149 XFS_SCRUB_OFLAG_XFAIL, __return_address); 150 } 151 152 /* Check for operational errors for a file offset. */ 153 static bool 154 __xchk_fblock_process_error( 155 struct xfs_scrub *sc, 156 int whichfork, 157 xfs_fileoff_t offset, 158 int *error, 159 __u32 errflag, 160 void *ret_ip) 161 { 162 switch (*error) { 163 case 0: 164 return true; 165 case -EDEADLOCK: 166 case -ECHRNG: 167 /* Used to restart an op with deadlock avoidance. */ 168 trace_xchk_deadlock_retry(sc->ip, sc->sm, *error); 169 break; 170 case -ECANCELED: 171 /* 172 * ECANCELED here means that the caller set one of the scrub 173 * outcome flags (corrupt, xfail, xcorrupt) and wants to exit 174 * quickly. Set error to zero and do not continue. 175 */ 176 trace_xchk_file_op_error(sc, whichfork, offset, *error, 177 ret_ip); 178 *error = 0; 179 break; 180 case -EFSBADCRC: 181 case -EFSCORRUPTED: 182 case -EIO: 183 case -ENODATA: 184 /* Note the badness but don't abort. */ 185 sc->sm->sm_flags |= errflag; 186 *error = 0; 187 fallthrough; 188 default: 189 trace_xchk_file_op_error(sc, whichfork, offset, *error, 190 ret_ip); 191 break; 192 } 193 return false; 194 } 195 196 bool 197 xchk_fblock_process_error( 198 struct xfs_scrub *sc, 199 int whichfork, 200 xfs_fileoff_t offset, 201 int *error) 202 { 203 return __xchk_fblock_process_error(sc, whichfork, offset, error, 204 XFS_SCRUB_OFLAG_CORRUPT, __return_address); 205 } 206 207 bool 208 xchk_fblock_xref_process_error( 209 struct xfs_scrub *sc, 210 int whichfork, 211 xfs_fileoff_t offset, 212 int *error) 213 { 214 return __xchk_fblock_process_error(sc, whichfork, offset, error, 215 XFS_SCRUB_OFLAG_XFAIL, __return_address); 216 } 217 218 /* 219 * Handling scrub corruption/optimization/warning checks. 220 * 221 * The *_set_{corrupt,preen,warning}() family of functions are used to 222 * record the presence of metadata that is incorrect (corrupt), could be 223 * optimized somehow (preen), or should be flagged for administrative 224 * review but is not incorrect (warn). 225 * 226 * ftrace can be used to record the precise metadata location and 227 * approximate code location of the failed check. 228 */ 229 230 /* Record a block which could be optimized. */ 231 void 232 xchk_block_set_preen( 233 struct xfs_scrub *sc, 234 struct xfs_buf *bp) 235 { 236 sc->sm->sm_flags |= XFS_SCRUB_OFLAG_PREEN; 237 trace_xchk_block_preen(sc, xfs_buf_daddr(bp), __return_address); 238 } 239 240 /* 241 * Record an inode which could be optimized. The trace data will 242 * include the block given by bp if bp is given; otherwise it will use 243 * the block location of the inode record itself. 244 */ 245 void 246 xchk_ino_set_preen( 247 struct xfs_scrub *sc, 248 xfs_ino_t ino) 249 { 250 sc->sm->sm_flags |= XFS_SCRUB_OFLAG_PREEN; 251 trace_xchk_ino_preen(sc, ino, __return_address); 252 } 253 254 /* Record something being wrong with the filesystem primary superblock. */ 255 void 256 xchk_set_corrupt( 257 struct xfs_scrub *sc) 258 { 259 sc->sm->sm_flags |= XFS_SCRUB_OFLAG_CORRUPT; 260 trace_xchk_fs_error(sc, 0, __return_address); 261 } 262 263 /* Record a corrupt block. */ 264 void 265 xchk_block_set_corrupt( 266 struct xfs_scrub *sc, 267 struct xfs_buf *bp) 268 { 269 sc->sm->sm_flags |= XFS_SCRUB_OFLAG_CORRUPT; 270 trace_xchk_block_error(sc, xfs_buf_daddr(bp), __return_address); 271 } 272 273 #ifdef CONFIG_XFS_QUOTA 274 /* Record a corrupt quota counter. */ 275 void 276 xchk_qcheck_set_corrupt( 277 struct xfs_scrub *sc, 278 unsigned int dqtype, 279 xfs_dqid_t id) 280 { 281 sc->sm->sm_flags |= XFS_SCRUB_OFLAG_CORRUPT; 282 trace_xchk_qcheck_error(sc, dqtype, id, __return_address); 283 } 284 #endif 285 286 /* Record a corruption while cross-referencing. */ 287 void 288 xchk_block_xref_set_corrupt( 289 struct xfs_scrub *sc, 290 struct xfs_buf *bp) 291 { 292 sc->sm->sm_flags |= XFS_SCRUB_OFLAG_XCORRUPT; 293 trace_xchk_block_error(sc, xfs_buf_daddr(bp), __return_address); 294 } 295 296 /* 297 * Record a corrupt inode. The trace data will include the block given 298 * by bp if bp is given; otherwise it will use the block location of the 299 * inode record itself. 300 */ 301 void 302 xchk_ino_set_corrupt( 303 struct xfs_scrub *sc, 304 xfs_ino_t ino) 305 { 306 sc->sm->sm_flags |= XFS_SCRUB_OFLAG_CORRUPT; 307 trace_xchk_ino_error(sc, ino, __return_address); 308 } 309 310 /* Record a corruption while cross-referencing with an inode. */ 311 void 312 xchk_ino_xref_set_corrupt( 313 struct xfs_scrub *sc, 314 xfs_ino_t ino) 315 { 316 sc->sm->sm_flags |= XFS_SCRUB_OFLAG_XCORRUPT; 317 trace_xchk_ino_error(sc, ino, __return_address); 318 } 319 320 /* Record corruption in a block indexed by a file fork. */ 321 void 322 xchk_fblock_set_corrupt( 323 struct xfs_scrub *sc, 324 int whichfork, 325 xfs_fileoff_t offset) 326 { 327 sc->sm->sm_flags |= XFS_SCRUB_OFLAG_CORRUPT; 328 trace_xchk_fblock_error(sc, whichfork, offset, __return_address); 329 } 330 331 /* Record a corruption while cross-referencing a fork block. */ 332 void 333 xchk_fblock_xref_set_corrupt( 334 struct xfs_scrub *sc, 335 int whichfork, 336 xfs_fileoff_t offset) 337 { 338 sc->sm->sm_flags |= XFS_SCRUB_OFLAG_XCORRUPT; 339 trace_xchk_fblock_error(sc, whichfork, offset, __return_address); 340 } 341 342 /* 343 * Warn about inodes that need administrative review but is not 344 * incorrect. 345 */ 346 void 347 xchk_ino_set_warning( 348 struct xfs_scrub *sc, 349 xfs_ino_t ino) 350 { 351 sc->sm->sm_flags |= XFS_SCRUB_OFLAG_WARNING; 352 trace_xchk_ino_warning(sc, ino, __return_address); 353 } 354 355 /* Warn about a block indexed by a file fork that needs review. */ 356 void 357 xchk_fblock_set_warning( 358 struct xfs_scrub *sc, 359 int whichfork, 360 xfs_fileoff_t offset) 361 { 362 sc->sm->sm_flags |= XFS_SCRUB_OFLAG_WARNING; 363 trace_xchk_fblock_warning(sc, whichfork, offset, __return_address); 364 } 365 366 /* Signal an incomplete scrub. */ 367 void 368 xchk_set_incomplete( 369 struct xfs_scrub *sc) 370 { 371 sc->sm->sm_flags |= XFS_SCRUB_OFLAG_INCOMPLETE; 372 trace_xchk_incomplete(sc, __return_address); 373 } 374 375 /* 376 * rmap scrubbing -- compute the number of blocks with a given owner, 377 * at least according to the reverse mapping data. 378 */ 379 380 struct xchk_rmap_ownedby_info { 381 const struct xfs_owner_info *oinfo; 382 xfs_filblks_t *blocks; 383 }; 384 385 STATIC int 386 xchk_count_rmap_ownedby_irec( 387 struct xfs_btree_cur *cur, 388 const struct xfs_rmap_irec *rec, 389 void *priv) 390 { 391 struct xchk_rmap_ownedby_info *sroi = priv; 392 bool irec_attr; 393 bool oinfo_attr; 394 395 irec_attr = rec->rm_flags & XFS_RMAP_ATTR_FORK; 396 oinfo_attr = sroi->oinfo->oi_flags & XFS_OWNER_INFO_ATTR_FORK; 397 398 if (rec->rm_owner != sroi->oinfo->oi_owner) 399 return 0; 400 401 if (XFS_RMAP_NON_INODE_OWNER(rec->rm_owner) || irec_attr == oinfo_attr) 402 (*sroi->blocks) += rec->rm_blockcount; 403 404 return 0; 405 } 406 407 /* 408 * Calculate the number of blocks the rmap thinks are owned by something. 409 * The caller should pass us an rmapbt cursor. 410 */ 411 int 412 xchk_count_rmap_ownedby_ag( 413 struct xfs_scrub *sc, 414 struct xfs_btree_cur *cur, 415 const struct xfs_owner_info *oinfo, 416 xfs_filblks_t *blocks) 417 { 418 struct xchk_rmap_ownedby_info sroi = { 419 .oinfo = oinfo, 420 .blocks = blocks, 421 }; 422 423 *blocks = 0; 424 return xfs_rmap_query_all(cur, xchk_count_rmap_ownedby_irec, 425 &sroi); 426 } 427 428 /* 429 * AG scrubbing 430 * 431 * These helpers facilitate locking an allocation group's header 432 * buffers, setting up cursors for all btrees that are present, and 433 * cleaning everything up once we're through. 434 */ 435 436 /* Decide if we want to return an AG header read failure. */ 437 static inline bool 438 want_ag_read_header_failure( 439 struct xfs_scrub *sc, 440 unsigned int type) 441 { 442 /* Return all AG header read failures when scanning btrees. */ 443 if (sc->sm->sm_type != XFS_SCRUB_TYPE_AGF && 444 sc->sm->sm_type != XFS_SCRUB_TYPE_AGFL && 445 sc->sm->sm_type != XFS_SCRUB_TYPE_AGI) 446 return true; 447 /* 448 * If we're scanning a given type of AG header, we only want to 449 * see read failures from that specific header. We'd like the 450 * other headers to cross-check them, but this isn't required. 451 */ 452 if (sc->sm->sm_type == type) 453 return true; 454 return false; 455 } 456 457 /* 458 * Grab the AG header buffers for the attached perag structure. 459 * 460 * The headers should be released by xchk_ag_free, but as a fail safe we attach 461 * all the buffers we grab to the scrub transaction so they'll all be freed 462 * when we cancel it. 463 */ 464 static inline int 465 xchk_perag_read_headers( 466 struct xfs_scrub *sc, 467 struct xchk_ag *sa) 468 { 469 int error; 470 471 error = xfs_ialloc_read_agi(sa->pag, sc->tp, 0, &sa->agi_bp); 472 if (error && want_ag_read_header_failure(sc, XFS_SCRUB_TYPE_AGI)) 473 return error; 474 475 error = xfs_alloc_read_agf(sa->pag, sc->tp, 0, &sa->agf_bp); 476 if (error && want_ag_read_header_failure(sc, XFS_SCRUB_TYPE_AGF)) 477 return error; 478 479 return 0; 480 } 481 482 /* 483 * Grab the AG headers for the attached perag structure and wait for pending 484 * intents to drain. 485 */ 486 int 487 xchk_perag_drain_and_lock( 488 struct xfs_scrub *sc) 489 { 490 struct xchk_ag *sa = &sc->sa; 491 int error = 0; 492 493 ASSERT(sa->pag != NULL); 494 ASSERT(sa->agi_bp == NULL); 495 ASSERT(sa->agf_bp == NULL); 496 497 do { 498 if (xchk_should_terminate(sc, &error)) 499 return error; 500 501 error = xchk_perag_read_headers(sc, sa); 502 if (error) 503 return error; 504 505 /* 506 * If we've grabbed an inode for scrubbing then we assume that 507 * holding its ILOCK will suffice to coordinate with any intent 508 * chains involving this inode. 509 */ 510 if (sc->ip) 511 return 0; 512 513 /* 514 * Decide if this AG is quiet enough for all metadata to be 515 * consistent with each other. XFS allows the AG header buffer 516 * locks to cycle across transaction rolls while processing 517 * chains of deferred ops, which means that there could be 518 * other threads in the middle of processing a chain of 519 * deferred ops. For regular operations we are careful about 520 * ordering operations to prevent collisions between threads 521 * (which is why we don't need a per-AG lock), but scrub and 522 * repair have to serialize against chained operations. 523 * 524 * We just locked all the AG headers buffers; now take a look 525 * to see if there are any intents in progress. If there are, 526 * drop the AG headers and wait for the intents to drain. 527 * Since we hold all the AG header locks for the duration of 528 * the scrub, this is the only time we have to sample the 529 * intents counter; any threads increasing it after this point 530 * can't possibly be in the middle of a chain of AG metadata 531 * updates. 532 * 533 * Obviously, this should be slanted against scrub and in favor 534 * of runtime threads. 535 */ 536 if (!xfs_group_intent_busy(pag_group(sa->pag))) 537 return 0; 538 539 if (sa->agf_bp) { 540 xfs_trans_brelse(sc->tp, sa->agf_bp); 541 sa->agf_bp = NULL; 542 } 543 544 if (sa->agi_bp) { 545 xfs_trans_brelse(sc->tp, sa->agi_bp); 546 sa->agi_bp = NULL; 547 } 548 549 if (!(sc->flags & XCHK_FSGATES_DRAIN)) 550 return -ECHRNG; 551 error = xfs_group_intent_drain(pag_group(sa->pag)); 552 if (error == -ERESTARTSYS) 553 error = -EINTR; 554 } while (!error); 555 556 return error; 557 } 558 559 /* 560 * Grab the per-AG structure, grab all AG header buffers, and wait until there 561 * aren't any pending intents. Returns -ENOENT if we can't grab the perag 562 * structure. 563 */ 564 int 565 xchk_ag_read_headers( 566 struct xfs_scrub *sc, 567 xfs_agnumber_t agno, 568 struct xchk_ag *sa) 569 { 570 struct xfs_mount *mp = sc->mp; 571 572 ASSERT(!sa->pag); 573 sa->pag = xfs_perag_get(mp, agno); 574 if (!sa->pag) 575 return -ENOENT; 576 577 return xchk_perag_drain_and_lock(sc); 578 } 579 580 /* Release all the AG btree cursors. */ 581 void 582 xchk_ag_btcur_free( 583 struct xchk_ag *sa) 584 { 585 if (sa->refc_cur) 586 xfs_btree_del_cursor(sa->refc_cur, XFS_BTREE_ERROR); 587 if (sa->rmap_cur) 588 xfs_btree_del_cursor(sa->rmap_cur, XFS_BTREE_ERROR); 589 if (sa->fino_cur) 590 xfs_btree_del_cursor(sa->fino_cur, XFS_BTREE_ERROR); 591 if (sa->ino_cur) 592 xfs_btree_del_cursor(sa->ino_cur, XFS_BTREE_ERROR); 593 if (sa->cnt_cur) 594 xfs_btree_del_cursor(sa->cnt_cur, XFS_BTREE_ERROR); 595 if (sa->bno_cur) 596 xfs_btree_del_cursor(sa->bno_cur, XFS_BTREE_ERROR); 597 598 sa->refc_cur = NULL; 599 sa->rmap_cur = NULL; 600 sa->fino_cur = NULL; 601 sa->ino_cur = NULL; 602 sa->bno_cur = NULL; 603 sa->cnt_cur = NULL; 604 } 605 606 /* Initialize all the btree cursors for an AG. */ 607 void 608 xchk_ag_btcur_init( 609 struct xfs_scrub *sc, 610 struct xchk_ag *sa) 611 { 612 struct xfs_mount *mp = sc->mp; 613 614 if (sa->agf_bp) { 615 /* Set up a bnobt cursor for cross-referencing. */ 616 sa->bno_cur = xfs_bnobt_init_cursor(mp, sc->tp, sa->agf_bp, 617 sa->pag); 618 xchk_ag_btree_del_cursor_if_sick(sc, &sa->bno_cur, 619 XFS_SCRUB_TYPE_BNOBT); 620 621 /* Set up a cntbt cursor for cross-referencing. */ 622 sa->cnt_cur = xfs_cntbt_init_cursor(mp, sc->tp, sa->agf_bp, 623 sa->pag); 624 xchk_ag_btree_del_cursor_if_sick(sc, &sa->cnt_cur, 625 XFS_SCRUB_TYPE_CNTBT); 626 627 /* Set up a rmapbt cursor for cross-referencing. */ 628 if (xfs_has_rmapbt(mp)) { 629 sa->rmap_cur = xfs_rmapbt_init_cursor(mp, sc->tp, 630 sa->agf_bp, sa->pag); 631 xchk_ag_btree_del_cursor_if_sick(sc, &sa->rmap_cur, 632 XFS_SCRUB_TYPE_RMAPBT); 633 } 634 635 /* Set up a refcountbt cursor for cross-referencing. */ 636 if (xfs_has_reflink(mp)) { 637 sa->refc_cur = xfs_refcountbt_init_cursor(mp, sc->tp, 638 sa->agf_bp, sa->pag); 639 xchk_ag_btree_del_cursor_if_sick(sc, &sa->refc_cur, 640 XFS_SCRUB_TYPE_REFCNTBT); 641 } 642 } 643 644 if (sa->agi_bp) { 645 /* Set up a inobt cursor for cross-referencing. */ 646 sa->ino_cur = xfs_inobt_init_cursor(sa->pag, sc->tp, 647 sa->agi_bp); 648 xchk_ag_btree_del_cursor_if_sick(sc, &sa->ino_cur, 649 XFS_SCRUB_TYPE_INOBT); 650 651 /* Set up a finobt cursor for cross-referencing. */ 652 if (xfs_has_finobt(mp)) { 653 sa->fino_cur = xfs_finobt_init_cursor(sa->pag, sc->tp, 654 sa->agi_bp); 655 xchk_ag_btree_del_cursor_if_sick(sc, &sa->fino_cur, 656 XFS_SCRUB_TYPE_FINOBT); 657 } 658 } 659 } 660 661 /* Release the AG header context and btree cursors. */ 662 void 663 xchk_ag_free( 664 struct xfs_scrub *sc, 665 struct xchk_ag *sa) 666 { 667 xchk_ag_btcur_free(sa); 668 xrep_reset_perag_resv(sc); 669 if (sa->agf_bp) { 670 xfs_trans_brelse(sc->tp, sa->agf_bp); 671 sa->agf_bp = NULL; 672 } 673 if (sa->agi_bp) { 674 xfs_trans_brelse(sc->tp, sa->agi_bp); 675 sa->agi_bp = NULL; 676 } 677 if (sa->pag) { 678 xfs_perag_put(sa->pag); 679 sa->pag = NULL; 680 } 681 } 682 683 /* 684 * For scrub, grab the perag structure, the AGI, and the AGF headers, in that 685 * order. Locking order requires us to get the AGI before the AGF. We use the 686 * transaction to avoid deadlocking on crosslinked metadata buffers; either the 687 * caller passes one in (bmap scrub) or we have to create a transaction 688 * ourselves. Returns ENOENT if the perag struct cannot be grabbed. 689 */ 690 int 691 xchk_ag_init( 692 struct xfs_scrub *sc, 693 xfs_agnumber_t agno, 694 struct xchk_ag *sa) 695 { 696 int error; 697 698 error = xchk_ag_read_headers(sc, agno, sa); 699 if (error) 700 return error; 701 702 xchk_ag_btcur_init(sc, sa); 703 return 0; 704 } 705 706 #ifdef CONFIG_XFS_RT 707 /* 708 * For scrubbing a realtime group, grab all the in-core resources we'll need to 709 * check the metadata, which means taking the ILOCK of the realtime group's 710 * metadata inodes. Callers must not join these inodes to the transaction with 711 * non-zero lockflags or concurrency problems will result. The @rtglock_flags 712 * argument takes XFS_RTGLOCK_* flags. 713 */ 714 int 715 xchk_rtgroup_init( 716 struct xfs_scrub *sc, 717 xfs_rgnumber_t rgno, 718 struct xchk_rt *sr) 719 { 720 ASSERT(sr->rtg == NULL); 721 ASSERT(sr->rtlock_flags == 0); 722 723 sr->rtg = xfs_rtgroup_get(sc->mp, rgno); 724 if (!sr->rtg) 725 return -ENOENT; 726 return 0; 727 } 728 729 /* Lock all the rt group metadata inode ILOCKs and wait for intents. */ 730 int 731 xchk_rtgroup_lock( 732 struct xfs_scrub *sc, 733 struct xchk_rt *sr, 734 unsigned int rtglock_flags) 735 { 736 int error = 0; 737 738 ASSERT(sr->rtg != NULL); 739 740 /* 741 * If we're /only/ locking the rtbitmap in shared mode, then we're 742 * obviously not trying to compare records in two metadata inodes. 743 * There's no need to drain intents here because the caller (most 744 * likely the rgsuper scanner) doesn't need that level of consistency. 745 */ 746 if (rtglock_flags == XFS_RTGLOCK_BITMAP_SHARED) { 747 xfs_rtgroup_lock(sr->rtg, rtglock_flags); 748 sr->rtlock_flags = rtglock_flags; 749 return 0; 750 } 751 752 do { 753 if (xchk_should_terminate(sc, &error)) 754 return error; 755 756 xfs_rtgroup_lock(sr->rtg, rtglock_flags); 757 758 /* 759 * If we've grabbed a non-metadata file for scrubbing, we 760 * assume that holding its ILOCK will suffice to coordinate 761 * with any rt intent chains involving this inode. 762 */ 763 if (sc->ip && !xfs_is_internal_inode(sc->ip)) 764 break; 765 766 /* 767 * Decide if the rt group is quiet enough for all metadata to 768 * be consistent with each other. Regular file IO doesn't get 769 * to lock all the rt inodes at the same time, which means that 770 * there could be other threads in the middle of processing a 771 * chain of deferred ops. 772 * 773 * We just locked all the metadata inodes for this rt group; 774 * now take a look to see if there are any intents in progress. 775 * If there are, drop the rt group inode locks and wait for the 776 * intents to drain. Since we hold the rt group inode locks 777 * for the duration of the scrub, this is the only time we have 778 * to sample the intents counter; any threads increasing it 779 * after this point can't possibly be in the middle of a chain 780 * of rt metadata updates. 781 * 782 * Obviously, this should be slanted against scrub and in favor 783 * of runtime threads. 784 */ 785 if (!xfs_group_intent_busy(rtg_group(sr->rtg))) 786 break; 787 788 xfs_rtgroup_unlock(sr->rtg, rtglock_flags); 789 790 if (!(sc->flags & XCHK_FSGATES_DRAIN)) 791 return -ECHRNG; 792 error = xfs_group_intent_drain(rtg_group(sr->rtg)); 793 if (error) { 794 if (error == -ERESTARTSYS) 795 error = -EINTR; 796 return error; 797 } 798 } while (1); 799 800 sr->rtlock_flags = rtglock_flags; 801 802 if (xfs_has_rtrmapbt(sc->mp) && (rtglock_flags & XFS_RTGLOCK_RMAP)) 803 sr->rmap_cur = xfs_rtrmapbt_init_cursor(sc->tp, sr->rtg); 804 805 if (xfs_has_rtreflink(sc->mp) && (rtglock_flags & XFS_RTGLOCK_REFCOUNT)) 806 sr->refc_cur = xfs_rtrefcountbt_init_cursor(sc->tp, sr->rtg); 807 808 return 0; 809 } 810 811 /* 812 * Free all the btree cursors and other incore data relating to the realtime 813 * group. This has to be done /before/ committing (or cancelling) the scrub 814 * transaction. 815 */ 816 void 817 xchk_rtgroup_btcur_free( 818 struct xchk_rt *sr) 819 { 820 if (sr->rmap_cur) 821 xfs_btree_del_cursor(sr->rmap_cur, XFS_BTREE_ERROR); 822 if (sr->refc_cur) 823 xfs_btree_del_cursor(sr->refc_cur, XFS_BTREE_ERROR); 824 825 sr->refc_cur = NULL; 826 sr->rmap_cur = NULL; 827 } 828 829 /* 830 * Unlock the realtime group. This must be done /after/ committing (or 831 * cancelling) the scrub transaction. 832 */ 833 void 834 xchk_rtgroup_unlock( 835 struct xchk_rt *sr) 836 { 837 ASSERT(sr->rtg != NULL); 838 839 if (sr->rtlock_flags) { 840 xfs_rtgroup_unlock(sr->rtg, sr->rtlock_flags); 841 sr->rtlock_flags = 0; 842 } 843 } 844 845 /* 846 * Unlock the realtime group and release its resources. This must be done 847 * /after/ committing (or cancelling) the scrub transaction. 848 */ 849 void 850 xchk_rtgroup_free( 851 struct xfs_scrub *sc, 852 struct xchk_rt *sr) 853 { 854 ASSERT(sr->rtg != NULL); 855 856 xchk_rtgroup_unlock(sr); 857 858 xfs_rtgroup_put(sr->rtg); 859 sr->rtg = NULL; 860 } 861 #endif /* CONFIG_XFS_RT */ 862 863 /* Per-scrubber setup functions */ 864 865 void 866 xchk_trans_cancel( 867 struct xfs_scrub *sc) 868 { 869 xfs_trans_cancel(sc->tp); 870 sc->tp = NULL; 871 } 872 873 void 874 xchk_trans_alloc_empty( 875 struct xfs_scrub *sc) 876 { 877 sc->tp = xfs_trans_alloc_empty(sc->mp); 878 } 879 880 /* 881 * Grab an empty transaction so that we can re-grab locked buffers if 882 * one of our btrees turns out to be cyclic. 883 * 884 * If we're going to repair something, we need to ask for the largest possible 885 * log reservation so that we can handle the worst case scenario for metadata 886 * updates while rebuilding a metadata item. We also need to reserve as many 887 * blocks in the head transaction as we think we're going to need to rebuild 888 * the metadata object. 889 */ 890 int 891 xchk_trans_alloc( 892 struct xfs_scrub *sc, 893 uint resblks) 894 { 895 if (sc->sm->sm_flags & XFS_SCRUB_IFLAG_REPAIR) 896 return xfs_trans_alloc(sc->mp, &M_RES(sc->mp)->tr_itruncate, 897 resblks, 0, 0, &sc->tp); 898 899 xchk_trans_alloc_empty(sc); 900 return 0; 901 } 902 903 /* Set us up with a transaction and an empty context. */ 904 int 905 xchk_setup_fs( 906 struct xfs_scrub *sc) 907 { 908 uint resblks; 909 910 resblks = xrep_calc_ag_resblks(sc); 911 return xchk_trans_alloc(sc, resblks); 912 } 913 914 /* Set us up with a transaction and an empty context to repair rt metadata. */ 915 int 916 xchk_setup_rt( 917 struct xfs_scrub *sc) 918 { 919 return xchk_trans_alloc(sc, xrep_calc_rtgroup_resblks(sc)); 920 } 921 922 /* Set us up with AG headers and btree cursors. */ 923 int 924 xchk_setup_ag_btree( 925 struct xfs_scrub *sc, 926 bool force_log) 927 { 928 struct xfs_mount *mp = sc->mp; 929 int error; 930 931 /* 932 * If the caller asks us to checkpont the log, do so. This 933 * expensive operation should be performed infrequently and only 934 * as a last resort. Any caller that sets force_log should 935 * document why they need to do so. 936 */ 937 if (force_log) { 938 error = xchk_checkpoint_log(mp); 939 if (error) 940 return error; 941 } 942 943 error = xchk_setup_fs(sc); 944 if (error) 945 return error; 946 947 return xchk_ag_init(sc, sc->sm->sm_agno, &sc->sa); 948 } 949 950 /* Push everything out of the log onto disk. */ 951 int 952 xchk_checkpoint_log( 953 struct xfs_mount *mp) 954 { 955 int error; 956 957 error = xfs_log_force(mp, XFS_LOG_SYNC); 958 if (error) 959 return error; 960 xfs_ail_push_all_sync(mp->m_ail); 961 return 0; 962 } 963 964 /* Verify that an inode is allocated ondisk, then return its cached inode. */ 965 int 966 xchk_iget( 967 struct xfs_scrub *sc, 968 xfs_ino_t inum, 969 struct xfs_inode **ipp) 970 { 971 ASSERT(sc->tp != NULL); 972 973 return xfs_iget(sc->mp, sc->tp, inum, XCHK_IGET_FLAGS, 0, ipp); 974 } 975 976 /* 977 * Try to grab an inode in a manner that avoids races with physical inode 978 * allocation. If we can't, return the locked AGI buffer so that the caller 979 * can single-step the loading process to see where things went wrong. 980 * Callers must have a valid scrub transaction. 981 * 982 * If the iget succeeds, return 0, a NULL AGI, and the inode. 983 * 984 * If the iget fails, return the error, the locked AGI, and a NULL inode. This 985 * can include -EINVAL and -ENOENT for invalid inode numbers or inodes that are 986 * no longer allocated; or any other corruption or runtime error. 987 * 988 * If the AGI read fails, return the error, a NULL AGI, and NULL inode. 989 * 990 * If a fatal signal is pending, return -EINTR, a NULL AGI, and a NULL inode. 991 */ 992 int 993 xchk_iget_agi( 994 struct xfs_scrub *sc, 995 xfs_ino_t inum, 996 struct xfs_buf **agi_bpp, 997 struct xfs_inode **ipp) 998 { 999 struct xfs_mount *mp = sc->mp; 1000 struct xfs_trans *tp = sc->tp; 1001 struct xfs_perag *pag; 1002 int error; 1003 1004 ASSERT(sc->tp != NULL); 1005 1006 again: 1007 *agi_bpp = NULL; 1008 *ipp = NULL; 1009 error = 0; 1010 1011 if (xchk_should_terminate(sc, &error)) 1012 return error; 1013 1014 /* 1015 * Attach the AGI buffer to the scrub transaction to avoid deadlocks 1016 * in the iget cache miss path. 1017 */ 1018 pag = xfs_perag_get(mp, XFS_INO_TO_AGNO(mp, inum)); 1019 error = xfs_ialloc_read_agi(pag, tp, 0, agi_bpp); 1020 xfs_perag_put(pag); 1021 if (error) 1022 return error; 1023 1024 error = xfs_iget(mp, tp, inum, XFS_IGET_NORETRY | XCHK_IGET_FLAGS, 0, 1025 ipp); 1026 if (error == -EAGAIN) { 1027 /* 1028 * The inode may be in core but temporarily unavailable and may 1029 * require the AGI buffer before it can be returned. Drop the 1030 * AGI buffer and retry the lookup. 1031 * 1032 * Incore lookup will fail with EAGAIN on a cache hit if the 1033 * inode is queued to the inactivation list. The inactivation 1034 * worker may remove the inode from the unlinked list and hence 1035 * needs the AGI. 1036 * 1037 * Hence xchk_iget_agi() needs to drop the AGI lock on EAGAIN 1038 * to allow inodegc to make progress and move the inode to 1039 * IRECLAIMABLE state where xfs_iget will be able to return it 1040 * again if it can lock the inode. 1041 */ 1042 xfs_trans_brelse(tp, *agi_bpp); 1043 delay(1); 1044 goto again; 1045 } 1046 if (error) 1047 return error; 1048 1049 /* We got the inode, so we can release the AGI. */ 1050 ASSERT(*ipp != NULL); 1051 xfs_trans_brelse(tp, *agi_bpp); 1052 *agi_bpp = NULL; 1053 return 0; 1054 } 1055 1056 #ifdef CONFIG_XFS_QUOTA 1057 /* 1058 * Try to attach dquots to this inode if we think we might want to repair it. 1059 * Callers must not hold any ILOCKs. If the dquots are broken and cannot be 1060 * attached, a quotacheck will be scheduled. 1061 */ 1062 int 1063 xchk_ino_dqattach( 1064 struct xfs_scrub *sc) 1065 { 1066 ASSERT(sc->tp != NULL); 1067 ASSERT(sc->ip != NULL); 1068 1069 if (!xchk_could_repair(sc)) 1070 return 0; 1071 1072 return xrep_ino_dqattach(sc); 1073 } 1074 #endif 1075 1076 /* Install an inode that we opened by handle for scrubbing. */ 1077 int 1078 xchk_install_handle_inode( 1079 struct xfs_scrub *sc, 1080 struct xfs_inode *ip) 1081 { 1082 if (VFS_I(ip)->i_generation != sc->sm->sm_gen) { 1083 xchk_irele(sc, ip); 1084 return -ENOENT; 1085 } 1086 1087 sc->ip = ip; 1088 return 0; 1089 } 1090 1091 /* 1092 * Install an already-referenced inode for scrubbing. Get our own reference to 1093 * the inode to make disposal simpler. The inode must not be in I_FREEING or 1094 * I_WILL_FREE state! 1095 */ 1096 int 1097 xchk_install_live_inode( 1098 struct xfs_scrub *sc, 1099 struct xfs_inode *ip) 1100 { 1101 if (!igrab(VFS_I(ip))) { 1102 xchk_ino_set_corrupt(sc, ip->i_ino); 1103 return -EFSCORRUPTED; 1104 } 1105 1106 sc->ip = ip; 1107 return 0; 1108 } 1109 1110 /* 1111 * In preparation to scrub metadata structures that hang off of an inode, 1112 * grab either the inode referenced in the scrub control structure or the 1113 * inode passed in. If the inumber does not reference an allocated inode 1114 * record, the function returns ENOENT to end the scrub early. The inode 1115 * is not locked. 1116 */ 1117 int 1118 xchk_iget_for_scrubbing( 1119 struct xfs_scrub *sc) 1120 { 1121 struct xfs_imap imap; 1122 struct xfs_mount *mp = sc->mp; 1123 struct xfs_perag *pag; 1124 struct xfs_buf *agi_bp; 1125 struct xfs_inode *ip_in = XFS_I(file_inode(sc->file)); 1126 struct xfs_inode *ip = NULL; 1127 xfs_agnumber_t agno = XFS_INO_TO_AGNO(mp, sc->sm->sm_ino); 1128 int error; 1129 1130 ASSERT(sc->tp == NULL); 1131 1132 /* We want to scan the inode we already had opened. */ 1133 if (sc->sm->sm_ino == 0 || sc->sm->sm_ino == ip_in->i_ino) 1134 return xchk_install_live_inode(sc, ip_in); 1135 1136 /* 1137 * On pre-metadir filesystems, reject internal metadata files. For 1138 * metadir filesystems, limited scrubbing of any file in the metadata 1139 * directory tree by handle is allowed, because that is the only way to 1140 * validate the lack of parent pointers in the sb-root metadata inodes. 1141 */ 1142 if (!xfs_has_metadir(mp) && xfs_is_sb_inum(mp, sc->sm->sm_ino)) 1143 return -ENOENT; 1144 /* Reject obviously bad inode numbers. */ 1145 if (!xfs_verify_ino(sc->mp, sc->sm->sm_ino)) 1146 return -ENOENT; 1147 1148 /* Try a safe untrusted iget. */ 1149 error = xchk_iget_safe(sc, sc->sm->sm_ino, &ip); 1150 if (!error) 1151 return xchk_install_handle_inode(sc, ip); 1152 if (error == -ENOENT) 1153 return error; 1154 if (error != -EINVAL) 1155 goto out_error; 1156 1157 /* 1158 * EINVAL with IGET_UNTRUSTED probably means one of several things: 1159 * userspace gave us an inode number that doesn't correspond to fs 1160 * space; the inode btree lacks a record for this inode; or there is a 1161 * record, and it says this inode is free. 1162 * 1163 * We want to look up this inode in the inobt to distinguish two 1164 * scenarios: (1) the inobt says the inode is free, in which case 1165 * there's nothing to do; and (2) the inobt says the inode is 1166 * allocated, but loading it failed due to corruption. 1167 * 1168 * Allocate a transaction and grab the AGI to prevent inobt activity 1169 * in this AG. Retry the iget in case someone allocated a new inode 1170 * after the first iget failed. 1171 */ 1172 error = xchk_trans_alloc(sc, 0); 1173 if (error) 1174 goto out_error; 1175 1176 error = xchk_iget_agi(sc, sc->sm->sm_ino, &agi_bp, &ip); 1177 if (error == 0) { 1178 /* Actually got the inode, so install it. */ 1179 xchk_trans_cancel(sc); 1180 return xchk_install_handle_inode(sc, ip); 1181 } 1182 if (error == -ENOENT) 1183 goto out_gone; 1184 if (error != -EINVAL) 1185 goto out_cancel; 1186 1187 /* Ensure that we have protected against inode allocation/freeing. */ 1188 if (agi_bp == NULL) { 1189 ASSERT(agi_bp != NULL); 1190 error = -ECANCELED; 1191 goto out_cancel; 1192 } 1193 1194 /* 1195 * Untrusted iget failed a second time. Let's try an inobt lookup. 1196 * If the inobt thinks this the inode neither can exist inside the 1197 * filesystem nor is allocated, return ENOENT to signal that the check 1198 * can be skipped. 1199 * 1200 * If the lookup returns corruption, we'll mark this inode corrupt and 1201 * exit to userspace. There's little chance of fixing anything until 1202 * the inobt is straightened out, but there's nothing we can do here. 1203 * 1204 * If the lookup encounters any other error, exit to userspace. 1205 * 1206 * If the lookup succeeds, something else must be very wrong in the fs 1207 * such that setting up the incore inode failed in some strange way. 1208 * Treat those as corruptions. 1209 */ 1210 pag = xfs_perag_get(mp, XFS_INO_TO_AGNO(mp, sc->sm->sm_ino)); 1211 if (!pag) { 1212 error = -EFSCORRUPTED; 1213 goto out_cancel; 1214 } 1215 1216 error = xfs_imap(pag, sc->tp, sc->sm->sm_ino, &imap, 1217 XFS_IGET_UNTRUSTED); 1218 xfs_perag_put(pag); 1219 if (error == -EINVAL || error == -ENOENT) 1220 goto out_gone; 1221 if (!error) 1222 error = -EFSCORRUPTED; 1223 1224 out_cancel: 1225 xchk_trans_cancel(sc); 1226 out_error: 1227 trace_xchk_op_error(sc, agno, XFS_INO_TO_AGBNO(mp, sc->sm->sm_ino), 1228 error, __return_address); 1229 return error; 1230 out_gone: 1231 /* The file is gone, so there's nothing to check. */ 1232 xchk_trans_cancel(sc); 1233 return -ENOENT; 1234 } 1235 1236 /* Release an inode, possibly dropping it in the process. */ 1237 void 1238 xchk_irele( 1239 struct xfs_scrub *sc, 1240 struct xfs_inode *ip) 1241 { 1242 if (sc->tp) { 1243 /* 1244 * If we are in a transaction, we /cannot/ drop the inode 1245 * ourselves, because the VFS will trigger writeback, which 1246 * can require a transaction. Clear DONTCACHE to force the 1247 * inode to the LRU, where someone else can take care of 1248 * dropping it. 1249 * 1250 * Note that when we grabbed our reference to the inode, it 1251 * could have had an active ref and DONTCACHE set if a sysadmin 1252 * is trying to coerce a change in file access mode. icache 1253 * hits do not clear DONTCACHE, so we must do it here. 1254 */ 1255 spin_lock(&VFS_I(ip)->i_lock); 1256 inode_state_clear(VFS_I(ip), I_DONTCACHE); 1257 spin_unlock(&VFS_I(ip)->i_lock); 1258 } 1259 1260 xfs_irele(ip); 1261 } 1262 1263 /* 1264 * Set us up to scrub metadata mapped by a file's fork. Callers must not use 1265 * this to operate on user-accessible regular file data because the MMAPLOCK is 1266 * not taken. 1267 */ 1268 int 1269 xchk_setup_inode_contents( 1270 struct xfs_scrub *sc, 1271 unsigned int resblks) 1272 { 1273 int error; 1274 1275 error = xchk_iget_for_scrubbing(sc); 1276 if (error) 1277 return error; 1278 1279 error = xrep_tempfile_adjust_directory_tree(sc); 1280 if (error) 1281 return error; 1282 1283 /* Lock the inode so the VFS cannot touch this file. */ 1284 xchk_ilock(sc, XFS_IOLOCK_EXCL); 1285 1286 error = xchk_trans_alloc(sc, resblks); 1287 if (error) 1288 goto out; 1289 1290 error = xchk_ino_dqattach(sc); 1291 if (error) 1292 goto out; 1293 1294 xchk_ilock(sc, XFS_ILOCK_EXCL); 1295 out: 1296 /* scrub teardown will unlock and release the inode for us */ 1297 return error; 1298 } 1299 1300 void 1301 xchk_ilock( 1302 struct xfs_scrub *sc, 1303 unsigned int ilock_flags) 1304 { 1305 xfs_ilock(sc->ip, ilock_flags); 1306 sc->ilock_flags |= ilock_flags; 1307 } 1308 1309 bool 1310 xchk_ilock_nowait( 1311 struct xfs_scrub *sc, 1312 unsigned int ilock_flags) 1313 { 1314 if (xfs_ilock_nowait(sc->ip, ilock_flags)) { 1315 sc->ilock_flags |= ilock_flags; 1316 return true; 1317 } 1318 1319 return false; 1320 } 1321 1322 void 1323 xchk_iunlock( 1324 struct xfs_scrub *sc, 1325 unsigned int ilock_flags) 1326 { 1327 sc->ilock_flags &= ~ilock_flags; 1328 xfs_iunlock(sc->ip, ilock_flags); 1329 } 1330 1331 /* 1332 * Predicate that decides if we need to evaluate the cross-reference check. 1333 * If there was an error accessing the cross-reference btree, just delete 1334 * the cursor and skip the check. 1335 */ 1336 bool 1337 xchk_should_check_xref( 1338 struct xfs_scrub *sc, 1339 int *error, 1340 struct xfs_btree_cur **curpp) 1341 { 1342 /* No point in xref if we already know we're corrupt. */ 1343 if (xchk_skip_xref(sc->sm)) 1344 return false; 1345 1346 if (*error == 0) 1347 return true; 1348 1349 if (curpp) { 1350 /* If we've already given up on xref, just bail out. */ 1351 if (!*curpp) 1352 return false; 1353 1354 /* xref error, delete cursor and bail out. */ 1355 xfs_btree_del_cursor(*curpp, XFS_BTREE_ERROR); 1356 *curpp = NULL; 1357 } 1358 1359 sc->sm->sm_flags |= XFS_SCRUB_OFLAG_XFAIL; 1360 trace_xchk_xref_error(sc, *error, __return_address); 1361 1362 /* 1363 * Errors encountered during cross-referencing with another 1364 * data structure should not cause this scrubber to abort. 1365 */ 1366 *error = 0; 1367 return false; 1368 } 1369 1370 /* Run the structure verifiers on in-memory buffers to detect bad memory. */ 1371 void 1372 xchk_buffer_recheck( 1373 struct xfs_scrub *sc, 1374 struct xfs_buf *bp) 1375 { 1376 xfs_failaddr_t fa; 1377 1378 if (bp->b_ops == NULL) { 1379 xchk_block_set_corrupt(sc, bp); 1380 return; 1381 } 1382 if (bp->b_ops->verify_struct == NULL) { 1383 xchk_set_incomplete(sc); 1384 return; 1385 } 1386 fa = bp->b_ops->verify_struct(bp); 1387 if (!fa) 1388 return; 1389 sc->sm->sm_flags |= XFS_SCRUB_OFLAG_CORRUPT; 1390 trace_xchk_block_error(sc, xfs_buf_daddr(bp), fa); 1391 } 1392 1393 static inline int 1394 xchk_metadata_inode_subtype( 1395 struct xfs_scrub *sc, 1396 unsigned int scrub_type) 1397 { 1398 struct xfs_scrub_subord *sub; 1399 int error; 1400 1401 sub = xchk_scrub_create_subord(sc, scrub_type); 1402 if (!sub) 1403 return -ENOMEM; 1404 1405 error = sub->sc.ops->scrub(&sub->sc); 1406 xchk_scrub_free_subord(sub); 1407 return error; 1408 } 1409 1410 /* 1411 * Scrub the attr/data forks of a metadata inode. The metadata inode must be 1412 * pointed to by sc->ip and the ILOCK must be held. 1413 */ 1414 int 1415 xchk_metadata_inode_forks( 1416 struct xfs_scrub *sc) 1417 { 1418 bool shared; 1419 int error; 1420 1421 if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT) 1422 return 0; 1423 1424 /* Check the inode record. */ 1425 error = xchk_metadata_inode_subtype(sc, XFS_SCRUB_TYPE_INODE); 1426 if (error || (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)) 1427 return error; 1428 1429 /* Metadata inodes don't live on the rt device. */ 1430 if (sc->ip->i_diflags & XFS_DIFLAG_REALTIME) { 1431 xchk_ino_set_corrupt(sc, sc->ip->i_ino); 1432 return 0; 1433 } 1434 1435 /* They should never participate in reflink. */ 1436 if (xfs_is_reflink_inode(sc->ip)) { 1437 xchk_ino_set_corrupt(sc, sc->ip->i_ino); 1438 return 0; 1439 } 1440 1441 /* Invoke the data fork scrubber. */ 1442 error = xchk_metadata_inode_subtype(sc, XFS_SCRUB_TYPE_BMBTD); 1443 if (error || (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)) 1444 return error; 1445 1446 /* Look for incorrect shared blocks. */ 1447 if (xfs_has_reflink(sc->mp)) { 1448 error = xfs_reflink_inode_has_shared_extents(sc->tp, sc->ip, 1449 &shared); 1450 if (!xchk_fblock_process_error(sc, XFS_DATA_FORK, 0, 1451 &error)) 1452 return error; 1453 if (shared) 1454 xchk_ino_set_corrupt(sc, sc->ip->i_ino); 1455 } 1456 1457 /* 1458 * Metadata files can only have extended attributes on metadir 1459 * filesystems, either for parent pointers or for actual xattr data. 1460 */ 1461 if (xfs_inode_hasattr(sc->ip)) { 1462 if (!xfs_has_metadir(sc->mp)) { 1463 xchk_ino_set_corrupt(sc, sc->ip->i_ino); 1464 return 0; 1465 } 1466 1467 error = xchk_metadata_inode_subtype(sc, XFS_SCRUB_TYPE_BMBTA); 1468 if (error || (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)) 1469 return error; 1470 } 1471 1472 return 0; 1473 } 1474 1475 /* 1476 * Enable filesystem hooks (i.e. runtime code patching) before starting a scrub 1477 * operation. Callers must not hold any locks that intersect with the CPU 1478 * hotplug lock (e.g. writeback locks) because code patching must halt the CPUs 1479 * to change kernel code. 1480 */ 1481 void 1482 xchk_fsgates_enable( 1483 struct xfs_scrub *sc, 1484 unsigned int scrub_fsgates) 1485 { 1486 ASSERT(!(scrub_fsgates & ~XCHK_FSGATES_ALL)); 1487 ASSERT(!(sc->flags & scrub_fsgates)); 1488 1489 trace_xchk_fsgates_enable(sc, scrub_fsgates); 1490 1491 if (scrub_fsgates & XCHK_FSGATES_DRAIN) 1492 xfs_defer_drain_wait_enable(); 1493 1494 if (scrub_fsgates & XCHK_FSGATES_QUOTA) 1495 xfs_dqtrx_hook_enable(); 1496 1497 if (scrub_fsgates & XCHK_FSGATES_DIRENTS) 1498 xfs_dir_hook_enable(); 1499 1500 if (scrub_fsgates & XCHK_FSGATES_RMAP) 1501 xfs_rmap_hook_enable(); 1502 1503 sc->flags |= scrub_fsgates; 1504 } 1505 1506 /* 1507 * Decide if this is this a cached inode that's also allocated. The caller 1508 * must hold a reference to an AG and the AGI buffer lock to prevent inodes 1509 * from being allocated or freed. 1510 * 1511 * Look up an inode by number in the given file system. If the inode number 1512 * is invalid, return -EINVAL. If the inode is not in cache, return -ENODATA. 1513 * If the inode is being reclaimed, return -ENODATA because we know the inode 1514 * cache cannot be updating the ondisk metadata. 1515 * 1516 * Otherwise, the incore inode is the one we want, and it is either live, 1517 * somewhere in the inactivation machinery, or reclaimable. The inode is 1518 * allocated if i_mode is nonzero. In all three cases, the cached inode will 1519 * be more up to date than the ondisk inode buffer, so we must use the incore 1520 * i_mode. 1521 */ 1522 int 1523 xchk_inode_is_allocated( 1524 struct xfs_scrub *sc, 1525 xfs_agino_t agino, 1526 bool *inuse) 1527 { 1528 struct xfs_mount *mp = sc->mp; 1529 struct xfs_perag *pag = sc->sa.pag; 1530 xfs_ino_t ino; 1531 struct xfs_inode *ip; 1532 int error; 1533 1534 /* caller must hold perag reference */ 1535 if (pag == NULL) { 1536 ASSERT(pag != NULL); 1537 return -EINVAL; 1538 } 1539 1540 /* caller must have AGI buffer */ 1541 if (sc->sa.agi_bp == NULL) { 1542 ASSERT(sc->sa.agi_bp != NULL); 1543 return -EINVAL; 1544 } 1545 1546 /* reject inode numbers outside existing AGs */ 1547 ino = xfs_agino_to_ino(pag, agino); 1548 if (!xfs_verify_ino(mp, ino)) 1549 return -EINVAL; 1550 1551 error = -ENODATA; 1552 rcu_read_lock(); 1553 ip = radix_tree_lookup(&pag->pag_ici_root, agino); 1554 if (!ip) { 1555 /* cache miss */ 1556 goto out_rcu; 1557 } 1558 1559 /* 1560 * If the inode number doesn't match, the incore inode got reused 1561 * during an RCU grace period and the radix tree hasn't been updated. 1562 * This isn't the inode we want. 1563 */ 1564 spin_lock(&ip->i_flags_lock); 1565 if (ip->i_ino != ino) 1566 goto out_skip; 1567 1568 trace_xchk_inode_is_allocated(ip); 1569 1570 /* 1571 * We have an incore inode that matches the inode we want, and the 1572 * caller holds the perag structure and the AGI buffer. Let's check 1573 * our assumptions below: 1574 */ 1575 1576 #ifdef DEBUG 1577 /* 1578 * (1) If the incore inode is live (i.e. referenced from the dcache), 1579 * it will not be INEW, nor will it be in the inactivation or reclaim 1580 * machinery. The ondisk inode had better be allocated. This is the 1581 * most trivial case. 1582 */ 1583 if (!(ip->i_flags & (XFS_NEED_INACTIVE | XFS_INEW | XFS_IRECLAIMABLE | 1584 XFS_INACTIVATING))) { 1585 /* live inode */ 1586 ASSERT(VFS_I(ip)->i_mode != 0); 1587 } 1588 1589 /* 1590 * If the incore inode is INEW, there are several possibilities: 1591 * 1592 * (2) For a file that is being created, note that we allocate the 1593 * ondisk inode before allocating, initializing, and adding the incore 1594 * inode to the radix tree. 1595 * 1596 * (3) If the incore inode is being recycled, the inode has to be 1597 * allocated because we don't allow freed inodes to be recycled. 1598 * Recycling doesn't touch i_mode. 1599 */ 1600 if (ip->i_flags & XFS_INEW) { 1601 /* created on disk already or recycling */ 1602 ASSERT(VFS_I(ip)->i_mode != 0); 1603 } 1604 1605 /* 1606 * (4) If the inode is queued for inactivation (NEED_INACTIVE) but 1607 * inactivation has not started (!INACTIVATING), it is still allocated. 1608 */ 1609 if ((ip->i_flags & XFS_NEED_INACTIVE) && 1610 !(ip->i_flags & XFS_INACTIVATING)) { 1611 /* definitely before difree */ 1612 ASSERT(VFS_I(ip)->i_mode != 0); 1613 } 1614 #endif 1615 1616 /* 1617 * If the incore inode is undergoing inactivation (INACTIVATING), there 1618 * are two possibilities: 1619 * 1620 * (5) It is before the point where it would get freed ondisk, in which 1621 * case i_mode is still nonzero. 1622 * 1623 * (6) It has already been freed, in which case i_mode is zero. 1624 * 1625 * We don't take the ILOCK here, but difree and dialloc update the AGI, 1626 * and we've taken the AGI buffer lock, which prevents that from 1627 * happening. 1628 */ 1629 1630 /* 1631 * (7) Inodes undergoing inactivation (INACTIVATING) or queued for 1632 * reclaim (IRECLAIMABLE) could be allocated or free. i_mode still 1633 * reflects the ondisk state. 1634 */ 1635 1636 /* 1637 * (8) If the inode is in IFLUSHING, it's safe to query i_mode because 1638 * the flush code uses i_mode to format the ondisk inode. 1639 */ 1640 1641 /* 1642 * (9) If the inode is in IRECLAIM and was reachable via the radix 1643 * tree, it still has the same i_mode as it did before it entered 1644 * reclaim. The inode object is still alive because we hold the RCU 1645 * read lock. 1646 */ 1647 1648 *inuse = VFS_I(ip)->i_mode != 0; 1649 error = 0; 1650 1651 out_skip: 1652 spin_unlock(&ip->i_flags_lock); 1653 out_rcu: 1654 rcu_read_unlock(); 1655 return error; 1656 } 1657 1658 /* Is this inode a root directory for either tree? */ 1659 bool 1660 xchk_inode_is_dirtree_root(const struct xfs_inode *ip) 1661 { 1662 struct xfs_mount *mp = ip->i_mount; 1663 1664 return ip == mp->m_rootip || 1665 (xfs_has_metadir(mp) && ip == mp->m_metadirip); 1666 } 1667 1668 /* Does the superblock point down to this inode? */ 1669 bool 1670 xchk_inode_is_sb_rooted(const struct xfs_inode *ip) 1671 { 1672 return xchk_inode_is_dirtree_root(ip) || 1673 xfs_is_sb_inum(ip->i_mount, ip->i_ino); 1674 } 1675 1676 /* What is the root directory inumber for this inode? */ 1677 xfs_ino_t 1678 xchk_inode_rootdir_inum(const struct xfs_inode *ip) 1679 { 1680 struct xfs_mount *mp = ip->i_mount; 1681 1682 if (xfs_is_metadir_inode(ip)) 1683 return mp->m_metadirip->i_ino; 1684 return mp->m_rootip->i_ino; 1685 } 1686 1687 static int 1688 xchk_meta_btree_count_blocks( 1689 struct xfs_scrub *sc, 1690 xfs_extnum_t *nextents, 1691 xfs_filblks_t *count) 1692 { 1693 struct xfs_btree_cur *cur; 1694 int error; 1695 1696 if (!sc->sr.rtg) { 1697 ASSERT(0); 1698 return -EFSCORRUPTED; 1699 } 1700 1701 switch (sc->ip->i_metatype) { 1702 case XFS_METAFILE_RTRMAP: 1703 cur = xfs_rtrmapbt_init_cursor(sc->tp, sc->sr.rtg); 1704 break; 1705 case XFS_METAFILE_RTREFCOUNT: 1706 cur = xfs_rtrefcountbt_init_cursor(sc->tp, sc->sr.rtg); 1707 break; 1708 default: 1709 ASSERT(0); 1710 return -EFSCORRUPTED; 1711 } 1712 1713 error = xfs_btree_count_blocks(cur, count); 1714 xfs_btree_del_cursor(cur, error); 1715 if (!error) { 1716 *nextents = 0; 1717 (*count)--; /* don't count the btree iroot */ 1718 } 1719 return error; 1720 } 1721 1722 /* Count the blocks used by a file, even if it's a metadata inode. */ 1723 int 1724 xchk_inode_count_blocks( 1725 struct xfs_scrub *sc, 1726 int whichfork, 1727 xfs_extnum_t *nextents, 1728 xfs_filblks_t *count) 1729 { 1730 struct xfs_ifork *ifp = xfs_ifork_ptr(sc->ip, whichfork); 1731 1732 if (!ifp) { 1733 *nextents = 0; 1734 *count = 0; 1735 return 0; 1736 } 1737 1738 if (ifp->if_format == XFS_DINODE_FMT_META_BTREE) { 1739 ASSERT(whichfork == XFS_DATA_FORK); 1740 return xchk_meta_btree_count_blocks(sc, nextents, count); 1741 } 1742 1743 return xfs_bmap_count_blocks(sc->tp, sc->ip, whichfork, nextents, 1744 count); 1745 } 1746