1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Copyright (C) 2017-2023 Oracle. All Rights Reserved.
4 * Author: Darrick J. Wong <djwong@kernel.org>
5 */
6 #include "xfs.h"
7 #include "xfs_fs.h"
8 #include "xfs_shared.h"
9 #include "xfs_format.h"
10 #include "xfs_trans_resv.h"
11 #include "xfs_mount.h"
12 #include "xfs_btree.h"
13 #include "xfs_sb.h"
14 #include "xfs_alloc.h"
15 #include "xfs_ialloc.h"
16 #include "xfs_rmap.h"
17 #include "xfs_ag.h"
18 #include "xfs_inode.h"
19 #include "scrub/scrub.h"
20 #include "scrub/common.h"
21
22 int
xchk_setup_agheader(struct xfs_scrub * sc)23 xchk_setup_agheader(
24 struct xfs_scrub *sc)
25 {
26 if (xchk_need_intent_drain(sc))
27 xchk_fsgates_enable(sc, XCHK_FSGATES_DRAIN);
28 return xchk_setup_fs(sc);
29 }
30
31 /* Superblock */
32
33 /* Cross-reference with the other btrees. */
34 STATIC void
xchk_superblock_xref(struct xfs_scrub * sc,struct xfs_buf * bp)35 xchk_superblock_xref(
36 struct xfs_scrub *sc,
37 struct xfs_buf *bp)
38 {
39 struct xfs_mount *mp = sc->mp;
40 xfs_agnumber_t agno = sc->sm->sm_agno;
41 xfs_agblock_t agbno;
42 int error;
43
44 if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)
45 return;
46
47 agbno = XFS_SB_BLOCK(mp);
48
49 error = xchk_ag_init_existing(sc, agno, &sc->sa);
50 if (!xchk_xref_process_error(sc, agno, agbno, &error))
51 return;
52
53 xchk_xref_is_used_space(sc, agbno, 1);
54 xchk_xref_is_not_inode_chunk(sc, agbno, 1);
55 xchk_xref_is_only_owned_by(sc, agbno, 1, &XFS_RMAP_OINFO_FS);
56 xchk_xref_is_not_shared(sc, agbno, 1);
57 xchk_xref_is_not_cow_staging(sc, agbno, 1);
58
59 /* scrub teardown will take care of sc->sa for us */
60 }
61
62 /*
63 * Calculate the ondisk superblock size in bytes given the feature set of the
64 * mounted filesystem (aka the primary sb). This is subtlely different from
65 * the logic in xfs_repair, which computes the size of a secondary sb given the
66 * featureset listed in the secondary sb.
67 */
68 STATIC size_t
xchk_superblock_ondisk_size(struct xfs_mount * mp)69 xchk_superblock_ondisk_size(
70 struct xfs_mount *mp)
71 {
72 if (xfs_has_metadir(mp))
73 return offsetofend(struct xfs_dsb, sb_pad);
74 if (xfs_has_metauuid(mp))
75 return offsetofend(struct xfs_dsb, sb_meta_uuid);
76 if (xfs_has_crc(mp))
77 return offsetofend(struct xfs_dsb, sb_lsn);
78 if (xfs_sb_version_hasmorebits(&mp->m_sb))
79 return offsetofend(struct xfs_dsb, sb_bad_features2);
80 if (xfs_has_logv2(mp))
81 return offsetofend(struct xfs_dsb, sb_logsunit);
82 if (xfs_has_sector(mp))
83 return offsetofend(struct xfs_dsb, sb_logsectsize);
84 /* only support dirv2 or more recent */
85 return offsetofend(struct xfs_dsb, sb_dirblklog);
86 }
87
88 /*
89 * Scrub the filesystem superblock.
90 *
91 * Note: We do /not/ attempt to check AG 0's superblock. Mount is
92 * responsible for validating all the geometry information in sb 0, so
93 * if the filesystem is capable of initiating online scrub, then clearly
94 * sb 0 is ok and we can use its information to check everything else.
95 */
96 int
xchk_superblock(struct xfs_scrub * sc)97 xchk_superblock(
98 struct xfs_scrub *sc)
99 {
100 struct xfs_mount *mp = sc->mp;
101 struct xfs_buf *bp;
102 struct xfs_dsb *sb;
103 struct xfs_perag *pag;
104 size_t sblen;
105 xfs_agnumber_t agno;
106 uint32_t v2_ok;
107 __be32 features_mask;
108 int error;
109 __be16 vernum_mask;
110
111 agno = sc->sm->sm_agno;
112 if (agno == 0)
113 return 0;
114
115 /*
116 * Grab an active reference to the perag structure. If we can't get
117 * it, we're racing with something that's tearing down the AG, so
118 * signal that the AG no longer exists.
119 */
120 pag = xfs_perag_get(mp, agno);
121 if (!pag)
122 return -ENOENT;
123
124 error = xfs_sb_read_secondary(mp, sc->tp, agno, &bp);
125 /*
126 * The superblock verifier can return several different error codes
127 * if it thinks the superblock doesn't look right. For a mount these
128 * would all get bounced back to userspace, but if we're here then the
129 * fs mounted successfully, which means that this secondary superblock
130 * is simply incorrect. Treat all these codes the same way we treat
131 * any corruption.
132 */
133 switch (error) {
134 case -EINVAL: /* also -EWRONGFS */
135 case -ENOSYS:
136 case -EFBIG:
137 error = -EFSCORRUPTED;
138 fallthrough;
139 default:
140 break;
141 }
142 if (!xchk_process_error(sc, agno, XFS_SB_BLOCK(mp), &error))
143 goto out_pag;
144
145 sb = bp->b_addr;
146
147 /*
148 * Verify the geometries match. Fields that are permanently
149 * set by mkfs are checked; fields that can be updated later
150 * (and are not propagated to backup superblocks) are preen
151 * checked.
152 */
153 if (sb->sb_blocksize != cpu_to_be32(mp->m_sb.sb_blocksize))
154 xchk_block_set_corrupt(sc, bp);
155
156 if (sb->sb_dblocks != cpu_to_be64(mp->m_sb.sb_dblocks))
157 xchk_block_set_corrupt(sc, bp);
158
159 if (sb->sb_rblocks != cpu_to_be64(mp->m_sb.sb_rblocks))
160 xchk_block_set_corrupt(sc, bp);
161
162 if (sb->sb_rextents != cpu_to_be64(mp->m_sb.sb_rextents))
163 xchk_block_set_corrupt(sc, bp);
164
165 if (!uuid_equal(&sb->sb_uuid, &mp->m_sb.sb_uuid))
166 xchk_block_set_preen(sc, bp);
167
168 if (sb->sb_logstart != cpu_to_be64(mp->m_sb.sb_logstart))
169 xchk_block_set_corrupt(sc, bp);
170
171 if (sb->sb_rootino != cpu_to_be64(mp->m_sb.sb_rootino))
172 xchk_block_set_preen(sc, bp);
173
174 if (xfs_has_metadir(sc->mp)) {
175 if (sb->sb_rbmino != cpu_to_be64(0))
176 xchk_block_set_corrupt(sc, bp);
177
178 if (sb->sb_rsumino != cpu_to_be64(0))
179 xchk_block_set_corrupt(sc, bp);
180 } else {
181 if (sb->sb_rbmino != cpu_to_be64(mp->m_sb.sb_rbmino))
182 xchk_block_set_preen(sc, bp);
183
184 if (sb->sb_rsumino != cpu_to_be64(mp->m_sb.sb_rsumino))
185 xchk_block_set_preen(sc, bp);
186 }
187
188 if (sb->sb_rextsize != cpu_to_be32(mp->m_sb.sb_rextsize))
189 xchk_block_set_corrupt(sc, bp);
190
191 if (sb->sb_agblocks != cpu_to_be32(mp->m_sb.sb_agblocks))
192 xchk_block_set_corrupt(sc, bp);
193
194 if (sb->sb_agcount != cpu_to_be32(mp->m_sb.sb_agcount))
195 xchk_block_set_corrupt(sc, bp);
196
197 if (sb->sb_rbmblocks != cpu_to_be32(mp->m_sb.sb_rbmblocks))
198 xchk_block_set_corrupt(sc, bp);
199
200 if (sb->sb_logblocks != cpu_to_be32(mp->m_sb.sb_logblocks))
201 xchk_block_set_corrupt(sc, bp);
202
203 /* Check sb_versionnum bits that are set at mkfs time. */
204 vernum_mask = cpu_to_be16(XFS_SB_VERSION_NUMBITS |
205 XFS_SB_VERSION_ALIGNBIT |
206 XFS_SB_VERSION_DALIGNBIT |
207 XFS_SB_VERSION_SHAREDBIT |
208 XFS_SB_VERSION_LOGV2BIT |
209 XFS_SB_VERSION_SECTORBIT |
210 XFS_SB_VERSION_EXTFLGBIT |
211 XFS_SB_VERSION_DIRV2BIT);
212 if ((sb->sb_versionnum & vernum_mask) !=
213 (cpu_to_be16(mp->m_sb.sb_versionnum) & vernum_mask))
214 xchk_block_set_corrupt(sc, bp);
215
216 /* Check sb_versionnum bits that can be set after mkfs time. */
217 vernum_mask = cpu_to_be16(XFS_SB_VERSION_ATTRBIT |
218 XFS_SB_VERSION_NLINKBIT |
219 XFS_SB_VERSION_QUOTABIT);
220 if ((sb->sb_versionnum & vernum_mask) !=
221 (cpu_to_be16(mp->m_sb.sb_versionnum) & vernum_mask))
222 xchk_block_set_preen(sc, bp);
223
224 if (sb->sb_sectsize != cpu_to_be16(mp->m_sb.sb_sectsize))
225 xchk_block_set_corrupt(sc, bp);
226
227 if (sb->sb_inodesize != cpu_to_be16(mp->m_sb.sb_inodesize))
228 xchk_block_set_corrupt(sc, bp);
229
230 if (sb->sb_inopblock != cpu_to_be16(mp->m_sb.sb_inopblock))
231 xchk_block_set_corrupt(sc, bp);
232
233 if (memcmp(sb->sb_fname, mp->m_sb.sb_fname, sizeof(sb->sb_fname)))
234 xchk_block_set_preen(sc, bp);
235
236 if (sb->sb_blocklog != mp->m_sb.sb_blocklog)
237 xchk_block_set_corrupt(sc, bp);
238
239 if (sb->sb_sectlog != mp->m_sb.sb_sectlog)
240 xchk_block_set_corrupt(sc, bp);
241
242 if (sb->sb_inodelog != mp->m_sb.sb_inodelog)
243 xchk_block_set_corrupt(sc, bp);
244
245 if (sb->sb_inopblog != mp->m_sb.sb_inopblog)
246 xchk_block_set_corrupt(sc, bp);
247
248 if (sb->sb_agblklog != mp->m_sb.sb_agblklog)
249 xchk_block_set_corrupt(sc, bp);
250
251 if (sb->sb_rextslog != mp->m_sb.sb_rextslog)
252 xchk_block_set_corrupt(sc, bp);
253
254 if (sb->sb_imax_pct != mp->m_sb.sb_imax_pct)
255 xchk_block_set_preen(sc, bp);
256
257 /*
258 * Skip the summary counters since we track them in memory anyway.
259 * sb_icount, sb_ifree, sb_fdblocks, sb_frexents
260 */
261
262 if (xfs_has_metadir(mp)) {
263 if (sb->sb_uquotino != cpu_to_be64(0))
264 xchk_block_set_corrupt(sc, bp);
265
266 if (sb->sb_gquotino != cpu_to_be64(0))
267 xchk_block_set_preen(sc, bp);
268 } else {
269 if (sb->sb_uquotino != cpu_to_be64(mp->m_sb.sb_uquotino))
270 xchk_block_set_preen(sc, bp);
271
272 if (sb->sb_gquotino != cpu_to_be64(mp->m_sb.sb_gquotino))
273 xchk_block_set_preen(sc, bp);
274 }
275
276 /*
277 * Skip the quota flags since repair will force quotacheck.
278 * sb_qflags
279 */
280
281 if (sb->sb_flags != mp->m_sb.sb_flags)
282 xchk_block_set_corrupt(sc, bp);
283
284 if (sb->sb_shared_vn != mp->m_sb.sb_shared_vn)
285 xchk_block_set_corrupt(sc, bp);
286
287 if (sb->sb_inoalignmt != cpu_to_be32(mp->m_sb.sb_inoalignmt))
288 xchk_block_set_corrupt(sc, bp);
289
290 if (sb->sb_unit != cpu_to_be32(mp->m_sb.sb_unit))
291 xchk_block_set_preen(sc, bp);
292
293 if (sb->sb_width != cpu_to_be32(mp->m_sb.sb_width))
294 xchk_block_set_preen(sc, bp);
295
296 if (sb->sb_dirblklog != mp->m_sb.sb_dirblklog)
297 xchk_block_set_corrupt(sc, bp);
298
299 if (sb->sb_logsectlog != mp->m_sb.sb_logsectlog)
300 xchk_block_set_corrupt(sc, bp);
301
302 if (sb->sb_logsectsize != cpu_to_be16(mp->m_sb.sb_logsectsize))
303 xchk_block_set_corrupt(sc, bp);
304
305 if (sb->sb_logsunit != cpu_to_be32(mp->m_sb.sb_logsunit))
306 xchk_block_set_corrupt(sc, bp);
307
308 /* Do we see any invalid bits in sb_features2? */
309 if (!xfs_sb_version_hasmorebits(&mp->m_sb)) {
310 if (sb->sb_features2 != 0)
311 xchk_block_set_corrupt(sc, bp);
312 } else {
313 v2_ok = XFS_SB_VERSION2_OKBITS;
314 if (xfs_sb_is_v5(&mp->m_sb))
315 v2_ok |= XFS_SB_VERSION2_CRCBIT;
316
317 if (!!(sb->sb_features2 & cpu_to_be32(~v2_ok)))
318 xchk_block_set_corrupt(sc, bp);
319
320 if (sb->sb_features2 != sb->sb_bad_features2)
321 xchk_block_set_preen(sc, bp);
322 }
323
324 /* Check sb_features2 flags that are set at mkfs time. */
325 features_mask = cpu_to_be32(XFS_SB_VERSION2_LAZYSBCOUNTBIT |
326 XFS_SB_VERSION2_PROJID32BIT |
327 XFS_SB_VERSION2_CRCBIT |
328 XFS_SB_VERSION2_FTYPE);
329 if ((sb->sb_features2 & features_mask) !=
330 (cpu_to_be32(mp->m_sb.sb_features2) & features_mask))
331 xchk_block_set_corrupt(sc, bp);
332
333 /* Check sb_features2 flags that can be set after mkfs time. */
334 features_mask = cpu_to_be32(XFS_SB_VERSION2_ATTR2BIT);
335 if ((sb->sb_features2 & features_mask) !=
336 (cpu_to_be32(mp->m_sb.sb_features2) & features_mask))
337 xchk_block_set_preen(sc, bp);
338
339 if (!xfs_has_crc(mp)) {
340 /* all v5 fields must be zero */
341 if (memchr_inv(&sb->sb_features_compat, 0,
342 sizeof(struct xfs_dsb) -
343 offsetof(struct xfs_dsb, sb_features_compat)))
344 xchk_block_set_corrupt(sc, bp);
345 } else {
346 /* compat features must match */
347 if (sb->sb_features_compat !=
348 cpu_to_be32(mp->m_sb.sb_features_compat))
349 xchk_block_set_corrupt(sc, bp);
350
351 /* ro compat features must match */
352 if (sb->sb_features_ro_compat !=
353 cpu_to_be32(mp->m_sb.sb_features_ro_compat))
354 xchk_block_set_corrupt(sc, bp);
355
356 /*
357 * NEEDSREPAIR is ignored on a secondary super, so we should
358 * clear it when we find it, though it's not a corruption.
359 */
360 features_mask = cpu_to_be32(XFS_SB_FEAT_INCOMPAT_NEEDSREPAIR);
361 if ((cpu_to_be32(mp->m_sb.sb_features_incompat) ^
362 sb->sb_features_incompat) & features_mask)
363 xchk_block_set_preen(sc, bp);
364
365 /* all other incompat features must match */
366 if ((cpu_to_be32(mp->m_sb.sb_features_incompat) ^
367 sb->sb_features_incompat) & ~features_mask)
368 xchk_block_set_corrupt(sc, bp);
369
370 /*
371 * log incompat features protect newer log record types from
372 * older log recovery code. Log recovery doesn't check the
373 * secondary supers, so we can clear these if needed.
374 */
375 if (sb->sb_features_log_incompat)
376 xchk_block_set_preen(sc, bp);
377
378 /* Don't care about sb_crc */
379
380 if (sb->sb_spino_align != cpu_to_be32(mp->m_sb.sb_spino_align))
381 xchk_block_set_corrupt(sc, bp);
382
383 if (xfs_has_metadir(mp)) {
384 if (sb->sb_pquotino != cpu_to_be64(0))
385 xchk_block_set_corrupt(sc, bp);
386 } else {
387 if (sb->sb_pquotino != cpu_to_be64(mp->m_sb.sb_pquotino))
388 xchk_block_set_preen(sc, bp);
389 }
390
391 /* Don't care about sb_lsn */
392 }
393
394 if (xfs_has_metauuid(mp)) {
395 /* The metadata UUID must be the same for all supers */
396 if (!uuid_equal(&sb->sb_meta_uuid, &mp->m_sb.sb_meta_uuid))
397 xchk_block_set_corrupt(sc, bp);
398 }
399
400 if (xfs_has_metadir(mp)) {
401 if (sb->sb_metadirino != cpu_to_be64(mp->m_sb.sb_metadirino))
402 xchk_block_set_preen(sc, bp);
403
404 if (sb->sb_rgcount != cpu_to_be32(mp->m_sb.sb_rgcount))
405 xchk_block_set_corrupt(sc, bp);
406
407 if (sb->sb_rgextents != cpu_to_be32(mp->m_sb.sb_rgextents))
408 xchk_block_set_corrupt(sc, bp);
409
410 if (sb->sb_rgblklog != mp->m_sb.sb_rgblklog)
411 xchk_block_set_corrupt(sc, bp);
412
413 if (memchr_inv(sb->sb_pad, 0, sizeof(sb->sb_pad)))
414 xchk_block_set_corrupt(sc, bp);
415 }
416
417 /* Everything else must be zero. */
418 sblen = xchk_superblock_ondisk_size(mp);
419 if (memchr_inv((char *)sb + sblen, 0, BBTOB(bp->b_length) - sblen))
420 xchk_block_set_corrupt(sc, bp);
421
422 xchk_superblock_xref(sc, bp);
423 out_pag:
424 xfs_perag_put(pag);
425 return error;
426 }
427
428 /* AGF */
429
430 /* Tally freespace record lengths. */
431 STATIC int
xchk_agf_record_bno_lengths(struct xfs_btree_cur * cur,const struct xfs_alloc_rec_incore * rec,void * priv)432 xchk_agf_record_bno_lengths(
433 struct xfs_btree_cur *cur,
434 const struct xfs_alloc_rec_incore *rec,
435 void *priv)
436 {
437 xfs_extlen_t *blocks = priv;
438
439 (*blocks) += rec->ar_blockcount;
440 return 0;
441 }
442
443 /* Check agf_freeblks */
444 static inline void
xchk_agf_xref_freeblks(struct xfs_scrub * sc)445 xchk_agf_xref_freeblks(
446 struct xfs_scrub *sc)
447 {
448 struct xfs_agf *agf = sc->sa.agf_bp->b_addr;
449 xfs_extlen_t blocks = 0;
450 int error;
451
452 if (!sc->sa.bno_cur)
453 return;
454
455 error = xfs_alloc_query_all(sc->sa.bno_cur,
456 xchk_agf_record_bno_lengths, &blocks);
457 if (!xchk_should_check_xref(sc, &error, &sc->sa.bno_cur))
458 return;
459 if (blocks != be32_to_cpu(agf->agf_freeblks))
460 xchk_block_xref_set_corrupt(sc, sc->sa.agf_bp);
461 }
462
463 /* Cross reference the AGF with the cntbt (freespace by length btree) */
464 static inline void
xchk_agf_xref_cntbt(struct xfs_scrub * sc)465 xchk_agf_xref_cntbt(
466 struct xfs_scrub *sc)
467 {
468 struct xfs_agf *agf = sc->sa.agf_bp->b_addr;
469 xfs_agblock_t agbno;
470 xfs_extlen_t blocks;
471 int have;
472 int error;
473
474 if (!sc->sa.cnt_cur)
475 return;
476
477 /* Any freespace at all? */
478 error = xfs_alloc_lookup_le(sc->sa.cnt_cur, 0, -1U, &have);
479 if (!xchk_should_check_xref(sc, &error, &sc->sa.cnt_cur))
480 return;
481 if (!have) {
482 if (agf->agf_freeblks != cpu_to_be32(0))
483 xchk_block_xref_set_corrupt(sc, sc->sa.agf_bp);
484 return;
485 }
486
487 /* Check agf_longest */
488 error = xfs_alloc_get_rec(sc->sa.cnt_cur, &agbno, &blocks, &have);
489 if (!xchk_should_check_xref(sc, &error, &sc->sa.cnt_cur))
490 return;
491 if (!have || blocks != be32_to_cpu(agf->agf_longest))
492 xchk_block_xref_set_corrupt(sc, sc->sa.agf_bp);
493 }
494
495 /* Check the btree block counts in the AGF against the btrees. */
496 STATIC void
xchk_agf_xref_btreeblks(struct xfs_scrub * sc)497 xchk_agf_xref_btreeblks(
498 struct xfs_scrub *sc)
499 {
500 struct xfs_agf *agf = sc->sa.agf_bp->b_addr;
501 struct xfs_mount *mp = sc->mp;
502 xfs_filblks_t blocks;
503 xfs_agblock_t btreeblks;
504 int error;
505
506 /* agf_btreeblks didn't exist before lazysbcount */
507 if (!xfs_has_lazysbcount(sc->mp))
508 return;
509
510 /* Check agf_rmap_blocks; set up for agf_btreeblks check */
511 if (sc->sa.rmap_cur) {
512 error = xfs_btree_count_blocks(sc->sa.rmap_cur, &blocks);
513 if (!xchk_should_check_xref(sc, &error, &sc->sa.rmap_cur))
514 return;
515 btreeblks = blocks - 1;
516 if (blocks != be32_to_cpu(agf->agf_rmap_blocks))
517 xchk_block_xref_set_corrupt(sc, sc->sa.agf_bp);
518 } else {
519 btreeblks = 0;
520 }
521
522 /*
523 * No rmap cursor; we can't xref if we have the rmapbt feature.
524 * We also can't do it if we're missing the free space btree cursors.
525 */
526 if ((xfs_has_rmapbt(mp) && !sc->sa.rmap_cur) ||
527 !sc->sa.bno_cur || !sc->sa.cnt_cur)
528 return;
529
530 /* Check agf_btreeblks */
531 error = xfs_btree_count_blocks(sc->sa.bno_cur, &blocks);
532 if (!xchk_should_check_xref(sc, &error, &sc->sa.bno_cur))
533 return;
534 btreeblks += blocks - 1;
535
536 error = xfs_btree_count_blocks(sc->sa.cnt_cur, &blocks);
537 if (!xchk_should_check_xref(sc, &error, &sc->sa.cnt_cur))
538 return;
539 btreeblks += blocks - 1;
540
541 if (btreeblks != be32_to_cpu(agf->agf_btreeblks))
542 xchk_block_xref_set_corrupt(sc, sc->sa.agf_bp);
543 }
544
545 /* Check agf_refcount_blocks against tree size */
546 static inline void
xchk_agf_xref_refcblks(struct xfs_scrub * sc)547 xchk_agf_xref_refcblks(
548 struct xfs_scrub *sc)
549 {
550 struct xfs_agf *agf = sc->sa.agf_bp->b_addr;
551 xfs_filblks_t blocks;
552 int error;
553
554 if (!sc->sa.refc_cur)
555 return;
556
557 error = xfs_btree_count_blocks(sc->sa.refc_cur, &blocks);
558 if (!xchk_should_check_xref(sc, &error, &sc->sa.refc_cur))
559 return;
560 if (blocks != be32_to_cpu(agf->agf_refcount_blocks))
561 xchk_block_xref_set_corrupt(sc, sc->sa.agf_bp);
562 }
563
564 /* Cross-reference with the other btrees. */
565 STATIC void
xchk_agf_xref(struct xfs_scrub * sc)566 xchk_agf_xref(
567 struct xfs_scrub *sc)
568 {
569 struct xfs_mount *mp = sc->mp;
570 xfs_agblock_t agbno;
571
572 if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)
573 return;
574
575 agbno = XFS_AGF_BLOCK(mp);
576
577 xchk_ag_btcur_init(sc, &sc->sa);
578
579 xchk_xref_is_used_space(sc, agbno, 1);
580 xchk_agf_xref_freeblks(sc);
581 xchk_agf_xref_cntbt(sc);
582 xchk_xref_is_not_inode_chunk(sc, agbno, 1);
583 xchk_xref_is_only_owned_by(sc, agbno, 1, &XFS_RMAP_OINFO_FS);
584 xchk_agf_xref_btreeblks(sc);
585 xchk_xref_is_not_shared(sc, agbno, 1);
586 xchk_xref_is_not_cow_staging(sc, agbno, 1);
587 xchk_agf_xref_refcblks(sc);
588
589 /* scrub teardown will take care of sc->sa for us */
590 }
591
592 /* Scrub the AGF. */
593 int
xchk_agf(struct xfs_scrub * sc)594 xchk_agf(
595 struct xfs_scrub *sc)
596 {
597 struct xfs_mount *mp = sc->mp;
598 struct xfs_agf *agf;
599 struct xfs_perag *pag;
600 xfs_agnumber_t agno = sc->sm->sm_agno;
601 xfs_agblock_t agbno;
602 xfs_agblock_t eoag;
603 xfs_agblock_t agfl_first;
604 xfs_agblock_t agfl_last;
605 xfs_agblock_t agfl_count;
606 xfs_agblock_t fl_count;
607 int level;
608 int error = 0;
609
610 error = xchk_ag_read_headers(sc, agno, &sc->sa);
611 if (!xchk_process_error(sc, agno, XFS_AGF_BLOCK(sc->mp), &error))
612 goto out;
613 xchk_buffer_recheck(sc, sc->sa.agf_bp);
614
615 agf = sc->sa.agf_bp->b_addr;
616 pag = sc->sa.pag;
617
618 /* Check the AG length */
619 eoag = be32_to_cpu(agf->agf_length);
620 if (eoag != pag_group(pag)->xg_block_count)
621 xchk_block_set_corrupt(sc, sc->sa.agf_bp);
622
623 /* Check the AGF btree roots and levels */
624 agbno = be32_to_cpu(agf->agf_bno_root);
625 if (!xfs_verify_agbno(pag, agbno))
626 xchk_block_set_corrupt(sc, sc->sa.agf_bp);
627
628 agbno = be32_to_cpu(agf->agf_cnt_root);
629 if (!xfs_verify_agbno(pag, agbno))
630 xchk_block_set_corrupt(sc, sc->sa.agf_bp);
631
632 level = be32_to_cpu(agf->agf_bno_level);
633 if (level <= 0 || level > mp->m_alloc_maxlevels)
634 xchk_block_set_corrupt(sc, sc->sa.agf_bp);
635
636 level = be32_to_cpu(agf->agf_cnt_level);
637 if (level <= 0 || level > mp->m_alloc_maxlevels)
638 xchk_block_set_corrupt(sc, sc->sa.agf_bp);
639
640 if (xfs_has_rmapbt(mp)) {
641 agbno = be32_to_cpu(agf->agf_rmap_root);
642 if (!xfs_verify_agbno(pag, agbno))
643 xchk_block_set_corrupt(sc, sc->sa.agf_bp);
644
645 level = be32_to_cpu(agf->agf_rmap_level);
646 if (level <= 0 || level > mp->m_rmap_maxlevels)
647 xchk_block_set_corrupt(sc, sc->sa.agf_bp);
648 }
649
650 if (xfs_has_reflink(mp)) {
651 agbno = be32_to_cpu(agf->agf_refcount_root);
652 if (!xfs_verify_agbno(pag, agbno))
653 xchk_block_set_corrupt(sc, sc->sa.agf_bp);
654
655 level = be32_to_cpu(agf->agf_refcount_level);
656 if (level <= 0 || level > mp->m_refc_maxlevels)
657 xchk_block_set_corrupt(sc, sc->sa.agf_bp);
658 }
659
660 /* Check the AGFL counters */
661 agfl_first = be32_to_cpu(agf->agf_flfirst);
662 agfl_last = be32_to_cpu(agf->agf_fllast);
663 agfl_count = be32_to_cpu(agf->agf_flcount);
664 if (agfl_last > agfl_first)
665 fl_count = agfl_last - agfl_first + 1;
666 else
667 fl_count = xfs_agfl_size(mp) - agfl_first + agfl_last + 1;
668 if (agfl_count != 0 && fl_count != agfl_count)
669 xchk_block_set_corrupt(sc, sc->sa.agf_bp);
670
671 /* Do the incore counters match? */
672 if (pag->pagf_freeblks != be32_to_cpu(agf->agf_freeblks))
673 xchk_block_set_corrupt(sc, sc->sa.agf_bp);
674 if (pag->pagf_flcount != be32_to_cpu(agf->agf_flcount))
675 xchk_block_set_corrupt(sc, sc->sa.agf_bp);
676 if (xfs_has_lazysbcount(sc->mp) &&
677 pag->pagf_btreeblks != be32_to_cpu(agf->agf_btreeblks))
678 xchk_block_set_corrupt(sc, sc->sa.agf_bp);
679
680 xchk_agf_xref(sc);
681 out:
682 return error;
683 }
684
685 /* AGFL */
686
687 struct xchk_agfl_info {
688 /* Number of AGFL entries that the AGF claims are in use. */
689 unsigned int agflcount;
690
691 /* Number of AGFL entries that we found. */
692 unsigned int nr_entries;
693
694 /* Buffer to hold AGFL entries for extent checking. */
695 xfs_agblock_t *entries;
696
697 struct xfs_buf *agfl_bp;
698 struct xfs_scrub *sc;
699 };
700
701 /* Cross-reference with the other btrees. */
702 STATIC void
xchk_agfl_block_xref(struct xfs_scrub * sc,xfs_agblock_t agbno)703 xchk_agfl_block_xref(
704 struct xfs_scrub *sc,
705 xfs_agblock_t agbno)
706 {
707 if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)
708 return;
709
710 xchk_xref_is_used_space(sc, agbno, 1);
711 xchk_xref_is_not_inode_chunk(sc, agbno, 1);
712 xchk_xref_is_only_owned_by(sc, agbno, 1, &XFS_RMAP_OINFO_AG);
713 xchk_xref_is_not_shared(sc, agbno, 1);
714 xchk_xref_is_not_cow_staging(sc, agbno, 1);
715 }
716
717 /* Scrub an AGFL block. */
718 STATIC int
xchk_agfl_block(struct xfs_mount * mp,xfs_agblock_t agbno,void * priv)719 xchk_agfl_block(
720 struct xfs_mount *mp,
721 xfs_agblock_t agbno,
722 void *priv)
723 {
724 struct xchk_agfl_info *sai = priv;
725 struct xfs_scrub *sc = sai->sc;
726
727 if (xfs_verify_agbno(sc->sa.pag, agbno) &&
728 sai->nr_entries < sai->agflcount)
729 sai->entries[sai->nr_entries++] = agbno;
730 else
731 xchk_block_set_corrupt(sc, sai->agfl_bp);
732
733 xchk_agfl_block_xref(sc, agbno);
734
735 if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)
736 return -ECANCELED;
737
738 return 0;
739 }
740
741 static int
xchk_agblock_cmp(const void * pa,const void * pb)742 xchk_agblock_cmp(
743 const void *pa,
744 const void *pb)
745 {
746 const xfs_agblock_t *a = pa;
747 const xfs_agblock_t *b = pb;
748
749 return (int)*a - (int)*b;
750 }
751
752 /* Cross-reference with the other btrees. */
753 STATIC void
xchk_agfl_xref(struct xfs_scrub * sc)754 xchk_agfl_xref(
755 struct xfs_scrub *sc)
756 {
757 struct xfs_mount *mp = sc->mp;
758 xfs_agblock_t agbno;
759
760 if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)
761 return;
762
763 agbno = XFS_AGFL_BLOCK(mp);
764
765 xchk_ag_btcur_init(sc, &sc->sa);
766
767 xchk_xref_is_used_space(sc, agbno, 1);
768 xchk_xref_is_not_inode_chunk(sc, agbno, 1);
769 xchk_xref_is_only_owned_by(sc, agbno, 1, &XFS_RMAP_OINFO_FS);
770 xchk_xref_is_not_shared(sc, agbno, 1);
771 xchk_xref_is_not_cow_staging(sc, agbno, 1);
772
773 /*
774 * Scrub teardown will take care of sc->sa for us. Leave sc->sa
775 * active so that the agfl block xref can use it too.
776 */
777 }
778
779 /* Scrub the AGFL. */
780 int
xchk_agfl(struct xfs_scrub * sc)781 xchk_agfl(
782 struct xfs_scrub *sc)
783 {
784 struct xchk_agfl_info sai = {
785 .sc = sc,
786 };
787 struct xfs_agf *agf;
788 xfs_agnumber_t agno = sc->sm->sm_agno;
789 unsigned int i;
790 int error;
791
792 /* Lock the AGF and AGI so that nobody can touch this AG. */
793 error = xchk_ag_read_headers(sc, agno, &sc->sa);
794 if (!xchk_process_error(sc, agno, XFS_AGFL_BLOCK(sc->mp), &error))
795 return error;
796 if (!sc->sa.agf_bp)
797 return -EFSCORRUPTED;
798
799 /* Try to read the AGFL, and verify its structure if we get it. */
800 error = xfs_alloc_read_agfl(sc->sa.pag, sc->tp, &sai.agfl_bp);
801 if (!xchk_process_error(sc, agno, XFS_AGFL_BLOCK(sc->mp), &error))
802 return error;
803 xchk_buffer_recheck(sc, sai.agfl_bp);
804
805 xchk_agfl_xref(sc);
806
807 if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)
808 goto out;
809
810 /* Allocate buffer to ensure uniqueness of AGFL entries. */
811 agf = sc->sa.agf_bp->b_addr;
812 sai.agflcount = be32_to_cpu(agf->agf_flcount);
813 if (sai.agflcount > xfs_agfl_size(sc->mp)) {
814 xchk_block_set_corrupt(sc, sc->sa.agf_bp);
815 goto out;
816 }
817 sai.entries = kvcalloc(sai.agflcount, sizeof(xfs_agblock_t),
818 XCHK_GFP_FLAGS);
819 if (!sai.entries) {
820 error = -ENOMEM;
821 goto out;
822 }
823
824 /* Check the blocks in the AGFL. */
825 error = xfs_agfl_walk(sc->mp, sc->sa.agf_bp->b_addr, sai.agfl_bp,
826 xchk_agfl_block, &sai);
827 if (error == -ECANCELED) {
828 error = 0;
829 goto out_free;
830 }
831 if (error)
832 goto out_free;
833
834 if (sai.agflcount != sai.nr_entries) {
835 xchk_block_set_corrupt(sc, sc->sa.agf_bp);
836 goto out_free;
837 }
838
839 /* Sort entries, check for duplicates. */
840 sort(sai.entries, sai.nr_entries, sizeof(sai.entries[0]),
841 xchk_agblock_cmp, NULL);
842 for (i = 1; i < sai.nr_entries; i++) {
843 if (sai.entries[i] == sai.entries[i - 1]) {
844 xchk_block_set_corrupt(sc, sc->sa.agf_bp);
845 break;
846 }
847 }
848
849 out_free:
850 kvfree(sai.entries);
851 out:
852 return error;
853 }
854
855 /* AGI */
856
857 /* Check agi_count/agi_freecount */
858 static inline void
xchk_agi_xref_icounts(struct xfs_scrub * sc)859 xchk_agi_xref_icounts(
860 struct xfs_scrub *sc)
861 {
862 struct xfs_agi *agi = sc->sa.agi_bp->b_addr;
863 xfs_agino_t icount;
864 xfs_agino_t freecount;
865 int error;
866
867 if (!sc->sa.ino_cur)
868 return;
869
870 error = xfs_ialloc_count_inodes(sc->sa.ino_cur, &icount, &freecount);
871 if (!xchk_should_check_xref(sc, &error, &sc->sa.ino_cur))
872 return;
873 if (be32_to_cpu(agi->agi_count) != icount ||
874 be32_to_cpu(agi->agi_freecount) != freecount)
875 xchk_block_xref_set_corrupt(sc, sc->sa.agi_bp);
876 }
877
878 /* Check agi_[fi]blocks against tree size */
879 static inline void
xchk_agi_xref_fiblocks(struct xfs_scrub * sc)880 xchk_agi_xref_fiblocks(
881 struct xfs_scrub *sc)
882 {
883 struct xfs_agi *agi = sc->sa.agi_bp->b_addr;
884 xfs_filblks_t blocks;
885 int error = 0;
886
887 if (!xfs_has_inobtcounts(sc->mp))
888 return;
889
890 if (sc->sa.ino_cur) {
891 error = xfs_btree_count_blocks(sc->sa.ino_cur, &blocks);
892 if (!xchk_should_check_xref(sc, &error, &sc->sa.ino_cur))
893 return;
894 if (blocks != be32_to_cpu(agi->agi_iblocks))
895 xchk_block_xref_set_corrupt(sc, sc->sa.agi_bp);
896 }
897
898 if (sc->sa.fino_cur) {
899 error = xfs_btree_count_blocks(sc->sa.fino_cur, &blocks);
900 if (!xchk_should_check_xref(sc, &error, &sc->sa.fino_cur))
901 return;
902 if (blocks != be32_to_cpu(agi->agi_fblocks))
903 xchk_block_xref_set_corrupt(sc, sc->sa.agi_bp);
904 }
905 }
906
907 /* Cross-reference with the other btrees. */
908 STATIC void
xchk_agi_xref(struct xfs_scrub * sc)909 xchk_agi_xref(
910 struct xfs_scrub *sc)
911 {
912 struct xfs_mount *mp = sc->mp;
913 xfs_agblock_t agbno;
914
915 if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)
916 return;
917
918 agbno = XFS_AGI_BLOCK(mp);
919
920 xchk_ag_btcur_init(sc, &sc->sa);
921
922 xchk_xref_is_used_space(sc, agbno, 1);
923 xchk_xref_is_not_inode_chunk(sc, agbno, 1);
924 xchk_agi_xref_icounts(sc);
925 xchk_xref_is_only_owned_by(sc, agbno, 1, &XFS_RMAP_OINFO_FS);
926 xchk_xref_is_not_shared(sc, agbno, 1);
927 xchk_xref_is_not_cow_staging(sc, agbno, 1);
928 xchk_agi_xref_fiblocks(sc);
929
930 /* scrub teardown will take care of sc->sa for us */
931 }
932
933 /*
934 * Check the unlinked buckets for links to bad inodes. We hold the AGI, so
935 * there cannot be any threads updating unlinked list pointers in this AG.
936 */
937 STATIC void
xchk_iunlink(struct xfs_scrub * sc,struct xfs_agi * agi)938 xchk_iunlink(
939 struct xfs_scrub *sc,
940 struct xfs_agi *agi)
941 {
942 unsigned int i;
943 struct xfs_inode *ip;
944
945 for (i = 0; i < XFS_AGI_UNLINKED_BUCKETS; i++) {
946 xfs_agino_t agino = be32_to_cpu(agi->agi_unlinked[i]);
947
948 while (agino != NULLAGINO) {
949 if (agino % XFS_AGI_UNLINKED_BUCKETS != i) {
950 xchk_block_set_corrupt(sc, sc->sa.agi_bp);
951 return;
952 }
953
954 ip = xfs_iunlink_lookup(sc->sa.pag, agino);
955 if (!ip) {
956 xchk_block_set_corrupt(sc, sc->sa.agi_bp);
957 return;
958 }
959
960 if (!xfs_inode_on_unlinked_list(ip)) {
961 xchk_block_set_corrupt(sc, sc->sa.agi_bp);
962 return;
963 }
964
965 agino = ip->i_next_unlinked;
966 }
967 }
968 }
969
970 /* Scrub the AGI. */
971 int
xchk_agi(struct xfs_scrub * sc)972 xchk_agi(
973 struct xfs_scrub *sc)
974 {
975 struct xfs_mount *mp = sc->mp;
976 struct xfs_agi *agi;
977 struct xfs_perag *pag;
978 struct xfs_ino_geometry *igeo = M_IGEO(sc->mp);
979 xfs_agnumber_t agno = sc->sm->sm_agno;
980 xfs_agblock_t agbno;
981 xfs_agblock_t eoag;
982 xfs_agino_t agino;
983 xfs_agino_t first_agino;
984 xfs_agino_t last_agino;
985 xfs_agino_t icount;
986 int i;
987 int level;
988 int error = 0;
989
990 error = xchk_ag_read_headers(sc, agno, &sc->sa);
991 if (!xchk_process_error(sc, agno, XFS_AGI_BLOCK(sc->mp), &error))
992 goto out;
993 xchk_buffer_recheck(sc, sc->sa.agi_bp);
994
995 agi = sc->sa.agi_bp->b_addr;
996 pag = sc->sa.pag;
997
998 /* Check the AG length */
999 eoag = be32_to_cpu(agi->agi_length);
1000 if (eoag != pag_group(pag)->xg_block_count)
1001 xchk_block_set_corrupt(sc, sc->sa.agi_bp);
1002
1003 /* Check btree roots and levels */
1004 agbno = be32_to_cpu(agi->agi_root);
1005 if (!xfs_verify_agbno(pag, agbno))
1006 xchk_block_set_corrupt(sc, sc->sa.agi_bp);
1007
1008 level = be32_to_cpu(agi->agi_level);
1009 if (level <= 0 || level > igeo->inobt_maxlevels)
1010 xchk_block_set_corrupt(sc, sc->sa.agi_bp);
1011
1012 if (xfs_has_finobt(mp)) {
1013 agbno = be32_to_cpu(agi->agi_free_root);
1014 if (!xfs_verify_agbno(pag, agbno))
1015 xchk_block_set_corrupt(sc, sc->sa.agi_bp);
1016
1017 level = be32_to_cpu(agi->agi_free_level);
1018 if (level <= 0 || level > igeo->inobt_maxlevels)
1019 xchk_block_set_corrupt(sc, sc->sa.agi_bp);
1020 }
1021
1022 /* Check inode counters */
1023 xfs_agino_range(mp, agno, &first_agino, &last_agino);
1024 icount = be32_to_cpu(agi->agi_count);
1025 if (icount > last_agino - first_agino + 1 ||
1026 icount < be32_to_cpu(agi->agi_freecount))
1027 xchk_block_set_corrupt(sc, sc->sa.agi_bp);
1028
1029 /* Check inode pointers */
1030 agino = be32_to_cpu(agi->agi_newino);
1031 if (!xfs_verify_agino_or_null(pag, agino))
1032 xchk_block_set_corrupt(sc, sc->sa.agi_bp);
1033
1034 agino = be32_to_cpu(agi->agi_dirino);
1035 if (!xfs_verify_agino_or_null(pag, agino))
1036 xchk_block_set_corrupt(sc, sc->sa.agi_bp);
1037
1038 /* Check unlinked inode buckets */
1039 for (i = 0; i < XFS_AGI_UNLINKED_BUCKETS; i++) {
1040 agino = be32_to_cpu(agi->agi_unlinked[i]);
1041 if (!xfs_verify_agino_or_null(pag, agino))
1042 xchk_block_set_corrupt(sc, sc->sa.agi_bp);
1043 }
1044
1045 if (agi->agi_pad32 != cpu_to_be32(0))
1046 xchk_block_set_corrupt(sc, sc->sa.agi_bp);
1047
1048 /* Do the incore counters match? */
1049 if (pag->pagi_count != be32_to_cpu(agi->agi_count))
1050 xchk_block_set_corrupt(sc, sc->sa.agi_bp);
1051 if (pag->pagi_freecount != be32_to_cpu(agi->agi_freecount))
1052 xchk_block_set_corrupt(sc, sc->sa.agi_bp);
1053
1054 xchk_iunlink(sc, agi);
1055
1056 xchk_agi_xref(sc);
1057 out:
1058 return error;
1059 }
1060