xref: /linux/fs/xfs/scrub/health.c (revision 79d2e1919a2728ef49d938eb20ebd5903c14dfb0) 
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * Copyright (C) 2019-2023 Oracle.  All Rights Reserved.
4  * Author: Darrick J. Wong <djwong@kernel.org>
5  */
6 #include "xfs.h"
7 #include "xfs_fs.h"
8 #include "xfs_shared.h"
9 #include "xfs_format.h"
10 #include "xfs_trans_resv.h"
11 #include "xfs_mount.h"
12 #include "xfs_btree.h"
13 #include "xfs_ag.h"
14 #include "xfs_health.h"
15 #include "xfs_rtgroup.h"
16 #include "scrub/scrub.h"
17 #include "scrub/health.h"
18 #include "scrub/common.h"
19 
20 /*
21  * Scrub and In-Core Filesystem Health Assessments
22  * ===============================================
23  *
24  * Online scrub and repair have the time and the ability to perform stronger
25  * checks than we can do from the metadata verifiers, because they can
26  * cross-reference records between data structures.  Therefore, scrub is in a
27  * good position to update the online filesystem health assessments to reflect
28  * the good/bad state of the data structure.
29  *
30  * We therefore extend scrub in the following ways to achieve this:
31  *
32  * 1. Create a "sick_mask" field in the scrub context.  When we're setting up a
33  * scrub call, set this to the default XFS_SICK_* flag(s) for the selected
34  * scrub type (call it A).  Scrub and repair functions can override the default
35  * sick_mask value if they choose.
36  *
37  * 2. If the scrubber returns a runtime error code, we exit making no changes
38  * to the incore sick state.
39  *
40  * 3. If the scrubber finds that A is clean, use sick_mask to clear the incore
41  * sick flags before exiting.
42  *
43  * 4. If the scrubber finds that A is corrupt, use sick_mask to set the incore
44  * sick flags.  If the user didn't want to repair then we exit, leaving the
45  * metadata structure unfixed and the sick flag set.
46  *
47  * 5. Now we know that A is corrupt and the user wants to repair, so run the
48  * repairer.  If the repairer returns an error code, we exit with that error
49  * code, having made no further changes to the incore sick state.
50  *
51  * 6. If repair rebuilds A correctly and the subsequent re-scrub of A is clean,
52  * use sick_mask to clear the incore sick flags.  This should have the effect
53  * that A is no longer marked sick.
54  *
55  * 7. If repair rebuilds A incorrectly, the re-scrub will find it corrupt and
56  * use sick_mask to set the incore sick flags.  This should have no externally
57  * visible effect since we already set them in step (4).
58  *
59  * There are some complications to this story, however.  For certain types of
60  * complementary metadata indices (e.g. inobt/finobt), it is easier to rebuild
61  * both structures at the same time.  The following principles apply to this
62  * type of repair strategy:
63  *
64  * 8. Any repair function that rebuilds multiple structures should update
65  * sick_mask_visible to reflect whatever other structures are rebuilt, and
66  * verify that all the rebuilt structures can pass a scrub check.  The outcomes
67  * of 5-7 still apply, but with a sick_mask that covers everything being
68  * rebuilt.
69  */
70 
71 /* Map our scrub type to a sick mask and a set of health update functions. */
72 
73 enum xchk_health_group {
74 	XHG_NONE = 1,
75 	XHG_FS,
76 	XHG_AG,
77 	XHG_INO,
78 	XHG_RTGROUP,
79 };
80 
81 struct xchk_health_map {
82 	enum xchk_health_group	group;
83 	unsigned int		sick_mask;
84 };
85 
86 static const struct xchk_health_map type_to_health_flag[XFS_SCRUB_TYPE_NR] = {
87 	[XFS_SCRUB_TYPE_PROBE]		= { XHG_NONE,  0 },
88 	[XFS_SCRUB_TYPE_SB]		= { XHG_AG,  XFS_SICK_AG_SB },
89 	[XFS_SCRUB_TYPE_AGF]		= { XHG_AG,  XFS_SICK_AG_AGF },
90 	[XFS_SCRUB_TYPE_AGFL]		= { XHG_AG,  XFS_SICK_AG_AGFL },
91 	[XFS_SCRUB_TYPE_AGI]		= { XHG_AG,  XFS_SICK_AG_AGI },
92 	[XFS_SCRUB_TYPE_BNOBT]		= { XHG_AG,  XFS_SICK_AG_BNOBT },
93 	[XFS_SCRUB_TYPE_CNTBT]		= { XHG_AG,  XFS_SICK_AG_CNTBT },
94 	[XFS_SCRUB_TYPE_INOBT]		= { XHG_AG,  XFS_SICK_AG_INOBT },
95 	[XFS_SCRUB_TYPE_FINOBT]		= { XHG_AG,  XFS_SICK_AG_FINOBT },
96 	[XFS_SCRUB_TYPE_RMAPBT]		= { XHG_AG,  XFS_SICK_AG_RMAPBT },
97 	[XFS_SCRUB_TYPE_REFCNTBT]	= { XHG_AG,  XFS_SICK_AG_REFCNTBT },
98 	[XFS_SCRUB_TYPE_INODE]		= { XHG_INO, XFS_SICK_INO_CORE },
99 	[XFS_SCRUB_TYPE_BMBTD]		= { XHG_INO, XFS_SICK_INO_BMBTD },
100 	[XFS_SCRUB_TYPE_BMBTA]		= { XHG_INO, XFS_SICK_INO_BMBTA },
101 	[XFS_SCRUB_TYPE_BMBTC]		= { XHG_INO, XFS_SICK_INO_BMBTC },
102 	[XFS_SCRUB_TYPE_DIR]		= { XHG_INO, XFS_SICK_INO_DIR },
103 	[XFS_SCRUB_TYPE_XATTR]		= { XHG_INO, XFS_SICK_INO_XATTR },
104 	[XFS_SCRUB_TYPE_SYMLINK]	= { XHG_INO, XFS_SICK_INO_SYMLINK },
105 	[XFS_SCRUB_TYPE_PARENT]		= { XHG_INO, XFS_SICK_INO_PARENT },
106 	[XFS_SCRUB_TYPE_RTBITMAP]	= { XHG_RTGROUP, XFS_SICK_RG_BITMAP },
107 	[XFS_SCRUB_TYPE_RTSUM]		= { XHG_RTGROUP, XFS_SICK_RG_SUMMARY },
108 	[XFS_SCRUB_TYPE_UQUOTA]		= { XHG_FS,  XFS_SICK_FS_UQUOTA },
109 	[XFS_SCRUB_TYPE_GQUOTA]		= { XHG_FS,  XFS_SICK_FS_GQUOTA },
110 	[XFS_SCRUB_TYPE_PQUOTA]		= { XHG_FS,  XFS_SICK_FS_PQUOTA },
111 	[XFS_SCRUB_TYPE_FSCOUNTERS]	= { XHG_FS,  XFS_SICK_FS_COUNTERS },
112 	[XFS_SCRUB_TYPE_QUOTACHECK]	= { XHG_FS,  XFS_SICK_FS_QUOTACHECK },
113 	[XFS_SCRUB_TYPE_NLINKS]		= { XHG_FS,  XFS_SICK_FS_NLINKS },
114 	[XFS_SCRUB_TYPE_DIRTREE]	= { XHG_INO, XFS_SICK_INO_DIRTREE },
115 	[XFS_SCRUB_TYPE_METAPATH]	= { XHG_FS,  XFS_SICK_FS_METAPATH },
116 	[XFS_SCRUB_TYPE_RGSUPER]	= { XHG_RTGROUP, XFS_SICK_RG_SUPER },
117 };
118 
119 /* Return the health status mask for this scrub type. */
120 unsigned int
121 xchk_health_mask_for_scrub_type(
122 	__u32			scrub_type)
123 {
124 	return type_to_health_flag[scrub_type].sick_mask;
125 }
126 
127 /*
128  * If the scrub state is clean, add @mask to the scrub sick mask to clear
129  * additional sick flags from the metadata object's sick state.
130  */
131 void
132 xchk_mark_healthy_if_clean(
133 	struct xfs_scrub	*sc,
134 	unsigned int		mask)
135 {
136 	if (!(sc->sm->sm_flags & (XFS_SCRUB_OFLAG_CORRUPT |
137 				  XFS_SCRUB_OFLAG_XCORRUPT)))
138 		sc->healthy_mask |= mask;
139 }
140 
141 /*
142  * If we're scrubbing a piece of file metadata for the first time, does it look
143  * like it has been zapped?  Skip the check if we just repaired the metadata
144  * and are revalidating it.
145  */
146 bool
147 xchk_file_looks_zapped(
148 	struct xfs_scrub	*sc,
149 	unsigned int		mask)
150 {
151 	ASSERT((mask & ~XFS_SICK_INO_ZAPPED) == 0);
152 
153 	if (sc->flags & XREP_ALREADY_FIXED)
154 		return false;
155 
156 	return xfs_inode_has_sickness(sc->ip, mask);
157 }
158 
159 /*
160  * Scrub gave the filesystem a clean bill of health, so clear all the indirect
161  * markers of past problems (at least for the fs and ags) so that we can be
162  * healthy again.
163  */
164 STATIC void
165 xchk_mark_all_healthy(
166 	struct xfs_mount	*mp)
167 {
168 	struct xfs_perag	*pag = NULL;
169 	struct xfs_rtgroup	*rtg = NULL;
170 
171 	xfs_fs_mark_healthy(mp, XFS_SICK_FS_INDIRECT);
172 	while ((pag = xfs_perag_next(mp, pag)))
173 		xfs_group_mark_healthy(pag_group(pag), XFS_SICK_AG_INDIRECT);
174 	while ((rtg = xfs_rtgroup_next(mp, rtg)))
175 		xfs_group_mark_healthy(rtg_group(rtg), XFS_SICK_RG_INDIRECT);
176 }
177 
178 /*
179  * Update filesystem health assessments based on what we found and did.
180  *
181  * If the scrubber finds errors, we mark sick whatever's mentioned in
182  * sick_mask, no matter whether this is a first scan or an
183  * evaluation of repair effectiveness.
184  *
185  * Otherwise, no direct corruption was found, so mark whatever's in
186  * sick_mask as healthy.
187  */
188 void
189 xchk_update_health(
190 	struct xfs_scrub	*sc)
191 {
192 	struct xfs_perag	*pag;
193 	struct xfs_rtgroup	*rtg;
194 	unsigned int		mask = sc->sick_mask;
195 	bool			bad;
196 
197 	/*
198 	 * The HEALTHY scrub type is a request from userspace to clear all the
199 	 * indirect flags after a clean scan of the entire filesystem.  As such
200 	 * there's no sick flag defined for it, so we branch here ahead of the
201 	 * mask check.
202 	 */
203 	if (sc->sm->sm_type == XFS_SCRUB_TYPE_HEALTHY &&
204 	    !(sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)) {
205 		xchk_mark_all_healthy(sc->mp);
206 		return;
207 	}
208 
209 	bad = (sc->sm->sm_flags & (XFS_SCRUB_OFLAG_CORRUPT |
210 				   XFS_SCRUB_OFLAG_XCORRUPT));
211 	if (!bad)
212 		mask |= sc->healthy_mask;
213 	switch (type_to_health_flag[sc->sm->sm_type].group) {
214 	case XHG_NONE:
215 		break;
216 	case XHG_AG:
217 		if (!mask)
218 			return;
219 		pag = xfs_perag_get(sc->mp, sc->sm->sm_agno);
220 		if (bad)
221 			xfs_group_mark_corrupt(pag_group(pag), mask);
222 		else
223 			xfs_group_mark_healthy(pag_group(pag), mask);
224 		xfs_perag_put(pag);
225 		break;
226 	case XHG_INO:
227 		if (!sc->ip)
228 			return;
229 		/*
230 		 * If we're coming in for repairs then we don't want sickness
231 		 * flags to propagate to the incore health status if the inode
232 		 * gets inactivated before we can fix it.
233 		 */
234 		if (sc->sm->sm_flags & XFS_SCRUB_IFLAG_REPAIR)
235 			mask |= XFS_SICK_INO_FORGET;
236 		if (!mask)
237 			return;
238 		if (bad)
239 			xfs_inode_mark_corrupt(sc->ip, mask);
240 		else
241 			xfs_inode_mark_healthy(sc->ip, mask);
242 		break;
243 	case XHG_FS:
244 		if (!mask)
245 			return;
246 		if (bad)
247 			xfs_fs_mark_corrupt(sc->mp, mask);
248 		else
249 			xfs_fs_mark_healthy(sc->mp, mask);
250 		break;
251 	case XHG_RTGROUP:
252 		if (!mask)
253 			return;
254 		rtg = xfs_rtgroup_get(sc->mp, sc->sm->sm_agno);
255 		if (bad)
256 			xfs_group_mark_corrupt(rtg_group(rtg), mask);
257 		else
258 			xfs_group_mark_healthy(rtg_group(rtg), mask);
259 		xfs_rtgroup_put(rtg);
260 		break;
261 	default:
262 		ASSERT(0);
263 		break;
264 	}
265 }
266 
267 /* Is the given per-AG btree healthy enough for scanning? */
268 void
269 xchk_ag_btree_del_cursor_if_sick(
270 	struct xfs_scrub	*sc,
271 	struct xfs_btree_cur	**curp,
272 	unsigned int		sm_type)
273 {
274 	unsigned int		mask = (*curp)->bc_ops->sick_mask;
275 
276 	/*
277 	 * We always want the cursor if it's the same type as whatever we're
278 	 * scrubbing, even if we already know the structure is corrupt.
279 	 *
280 	 * Otherwise, we're only interested in the btree for cross-referencing.
281 	 * If we know the btree is bad then don't bother, just set XFAIL.
282 	 */
283 	if (sc->sm->sm_type == sm_type)
284 		return;
285 
286 	/*
287 	 * If we just repaired some AG metadata, sc->sick_mask will reflect all
288 	 * the per-AG metadata types that were repaired.  Exclude these from
289 	 * the filesystem health query because we have not yet updated the
290 	 * health status and we want everything to be scanned.
291 	 */
292 	if ((sc->flags & XREP_ALREADY_FIXED) &&
293 	    type_to_health_flag[sc->sm->sm_type].group == XHG_AG)
294 		mask &= ~sc->sick_mask;
295 
296 	if (xfs_group_has_sickness((*curp)->bc_group, mask)) {
297 		sc->sm->sm_flags |= XFS_SCRUB_OFLAG_XFAIL;
298 		xfs_btree_del_cursor(*curp, XFS_BTREE_NOERROR);
299 		*curp = NULL;
300 	}
301 }
302 
303 /*
304  * Quick scan to double-check that there isn't any evidence of lingering
305  * primary health problems.  If we're still clear, then the health update will
306  * take care of clearing the indirect evidence.
307  */
308 int
309 xchk_health_record(
310 	struct xfs_scrub	*sc)
311 {
312 	struct xfs_mount	*mp = sc->mp;
313 	struct xfs_perag	*pag = NULL;
314 	struct xfs_rtgroup	*rtg = NULL;
315 	unsigned int		sick;
316 	unsigned int		checked;
317 
318 	xfs_fs_measure_sickness(mp, &sick, &checked);
319 	if (sick & XFS_SICK_FS_PRIMARY)
320 		xchk_set_corrupt(sc);
321 
322 	while ((pag = xfs_perag_next(mp, pag))) {
323 		xfs_group_measure_sickness(pag_group(pag), &sick, &checked);
324 		if (sick & XFS_SICK_AG_PRIMARY)
325 			xchk_set_corrupt(sc);
326 	}
327 
328 	while ((rtg = xfs_rtgroup_next(mp, rtg))) {
329 		xfs_group_measure_sickness(rtg_group(rtg), &sick, &checked);
330 		if (sick & XFS_SICK_RG_PRIMARY)
331 			xchk_set_corrupt(sc);
332 	}
333 
334 	return 0;
335 }
336