1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * Copyright (C) 2017-2023 Oracle. All Rights Reserved. 4 * Author: Darrick J. Wong <djwong@kernel.org> 5 */ 6 #include "xfs.h" 7 #include "xfs_fs.h" 8 #include "xfs_shared.h" 9 #include "xfs_format.h" 10 #include "xfs_trans_resv.h" 11 #include "xfs_mount.h" 12 #include "xfs_btree.h" 13 #include "xfs_log_format.h" 14 #include "xfs_trans.h" 15 #include "xfs_ag.h" 16 #include "xfs_inode.h" 17 #include "xfs_ialloc.h" 18 #include "xfs_icache.h" 19 #include "xfs_da_format.h" 20 #include "xfs_reflink.h" 21 #include "xfs_rmap.h" 22 #include "xfs_bmap_util.h" 23 #include "xfs_rtbitmap.h" 24 #include "scrub/scrub.h" 25 #include "scrub/common.h" 26 #include "scrub/btree.h" 27 #include "scrub/trace.h" 28 #include "scrub/repair.h" 29 30 /* Prepare the attached inode for scrubbing. */ 31 static inline int 32 xchk_prepare_iscrub( 33 struct xfs_scrub *sc) 34 { 35 int error; 36 37 xchk_ilock(sc, XFS_IOLOCK_EXCL); 38 39 error = xchk_trans_alloc(sc, 0); 40 if (error) 41 return error; 42 43 error = xchk_ino_dqattach(sc); 44 if (error) 45 return error; 46 47 xchk_ilock(sc, XFS_ILOCK_EXCL); 48 return 0; 49 } 50 51 /* Install this scrub-by-handle inode and prepare it for scrubbing. */ 52 static inline int 53 xchk_install_handle_iscrub( 54 struct xfs_scrub *sc, 55 struct xfs_inode *ip) 56 { 57 int error; 58 59 error = xchk_install_handle_inode(sc, ip); 60 if (error) 61 return error; 62 63 /* 64 * Don't allow scrubbing by handle of any non-directory inode records 65 * in the metadata directory tree. We don't know if any of the scans 66 * launched by this scrubber will end up indirectly trying to lock this 67 * file. 68 * 69 * Scrubbers of inode-rooted metadata files (e.g. quota files) will 70 * attach all the resources needed to scrub the inode and call 71 * xchk_inode directly. Userspace cannot call this directly. 72 */ 73 if (xfs_is_metadir_inode(ip) && !S_ISDIR(VFS_I(ip)->i_mode)) { 74 xchk_irele(sc, ip); 75 sc->ip = NULL; 76 return -ENOENT; 77 } 78 79 return xchk_prepare_iscrub(sc); 80 } 81 82 /* 83 * Grab total control of the inode metadata. In the best case, we grab the 84 * incore inode and take all locks on it. If the incore inode cannot be 85 * constructed due to corruption problems, lock the AGI so that we can single 86 * step the loading process to fix everything that can go wrong. 87 */ 88 int 89 xchk_setup_inode( 90 struct xfs_scrub *sc) 91 { 92 struct xfs_imap imap; 93 struct xfs_inode *ip; 94 struct xfs_mount *mp = sc->mp; 95 struct xfs_inode *ip_in = XFS_I(file_inode(sc->file)); 96 struct xfs_buf *agi_bp; 97 struct xfs_perag *pag; 98 xfs_agnumber_t agno = XFS_INO_TO_AGNO(mp, sc->sm->sm_ino); 99 int error; 100 101 if (xchk_need_intent_drain(sc)) 102 xchk_fsgates_enable(sc, XCHK_FSGATES_DRAIN); 103 104 /* We want to scan the opened inode, so lock it and exit. */ 105 if (sc->sm->sm_ino == 0 || sc->sm->sm_ino == ip_in->i_ino) { 106 error = xchk_install_live_inode(sc, ip_in); 107 if (error) 108 return error; 109 110 return xchk_prepare_iscrub(sc); 111 } 112 113 /* 114 * On pre-metadir filesystems, reject internal metadata files. For 115 * metadir filesystems, limited scrubbing of any file in the metadata 116 * directory tree by handle is allowed, because that is the only way to 117 * validate the lack of parent pointers in the sb-root metadata inodes. 118 */ 119 if (!xfs_has_metadir(mp) && xfs_is_sb_inum(mp, sc->sm->sm_ino)) 120 return -ENOENT; 121 /* Reject obviously bad inode numbers. */ 122 if (!xfs_verify_ino(sc->mp, sc->sm->sm_ino)) 123 return -ENOENT; 124 125 /* Try a safe untrusted iget. */ 126 error = xchk_iget_safe(sc, sc->sm->sm_ino, &ip); 127 if (!error) 128 return xchk_install_handle_iscrub(sc, ip); 129 if (error == -ENOENT) 130 return error; 131 if (error != -EFSCORRUPTED && error != -EFSBADCRC && error != -EINVAL) 132 goto out_error; 133 134 /* 135 * EINVAL with IGET_UNTRUSTED probably means one of several things: 136 * userspace gave us an inode number that doesn't correspond to fs 137 * space; the inode btree lacks a record for this inode; or there is 138 * a record, and it says this inode is free. 139 * 140 * EFSCORRUPTED/EFSBADCRC could mean that the inode was mappable, but 141 * some other metadata corruption (e.g. inode forks) prevented 142 * instantiation of the incore inode. Or it could mean the inobt is 143 * corrupt. 144 * 145 * We want to look up this inode in the inobt directly to distinguish 146 * three different scenarios: (1) the inobt says the inode is free, 147 * in which case there's nothing to do; (2) the inobt is corrupt so we 148 * should flag the corruption and exit to userspace to let it fix the 149 * inobt; and (3) the inobt says the inode is allocated, but loading it 150 * failed due to corruption. 151 * 152 * Allocate a transaction and grab the AGI to prevent inobt activity in 153 * this AG. Retry the iget in case someone allocated a new inode after 154 * the first iget failed. 155 */ 156 error = xchk_trans_alloc(sc, 0); 157 if (error) 158 goto out_error; 159 160 error = xchk_iget_agi(sc, sc->sm->sm_ino, &agi_bp, &ip); 161 if (error == 0) { 162 /* Actually got the incore inode, so install it and proceed. */ 163 xchk_trans_cancel(sc); 164 return xchk_install_handle_iscrub(sc, ip); 165 } 166 if (error == -ENOENT) 167 goto out_gone; 168 if (error != -EFSCORRUPTED && error != -EFSBADCRC && error != -EINVAL) 169 goto out_cancel; 170 171 /* Ensure that we have protected against inode allocation/freeing. */ 172 if (agi_bp == NULL) { 173 ASSERT(agi_bp != NULL); 174 error = -ECANCELED; 175 goto out_cancel; 176 } 177 178 /* 179 * Untrusted iget failed a second time. Let's try an inobt lookup. 180 * If the inobt doesn't think this is an allocated inode then we'll 181 * return ENOENT to signal that the check can be skipped. 182 * 183 * If the lookup signals corruption, we'll mark this inode corrupt and 184 * exit to userspace. There's little chance of fixing anything until 185 * the inobt is straightened out, but there's nothing we can do here. 186 * 187 * If the lookup encounters a runtime error, exit to userspace. 188 */ 189 pag = xfs_perag_get(mp, XFS_INO_TO_AGNO(mp, sc->sm->sm_ino)); 190 if (!pag) { 191 error = -EFSCORRUPTED; 192 goto out_cancel; 193 } 194 195 error = xfs_imap(pag, sc->tp, sc->sm->sm_ino, &imap, 196 XFS_IGET_UNTRUSTED); 197 xfs_perag_put(pag); 198 if (error == -EINVAL || error == -ENOENT) 199 goto out_gone; 200 if (error) 201 goto out_cancel; 202 203 /* 204 * The lookup succeeded. Chances are the ondisk inode is corrupt and 205 * preventing iget from reading it. Retain the scrub transaction and 206 * the AGI buffer to prevent anyone from allocating or freeing inodes. 207 * This ensures that we preserve the inconsistency between the inobt 208 * saying the inode is allocated and the icache being unable to load 209 * the inode until we can flag the corruption in xchk_inode. The 210 * scrub function has to note the corruption, since we're not really 211 * supposed to do that from the setup function. Save the mapping to 212 * make repairs to the ondisk inode buffer. 213 */ 214 if (xchk_could_repair(sc)) 215 xrep_setup_inode(sc, &imap); 216 return 0; 217 218 out_cancel: 219 xchk_trans_cancel(sc); 220 out_error: 221 trace_xchk_op_error(sc, agno, XFS_INO_TO_AGBNO(mp, sc->sm->sm_ino), 222 error, __return_address); 223 return error; 224 out_gone: 225 /* The file is gone, so there's nothing to check. */ 226 xchk_trans_cancel(sc); 227 return -ENOENT; 228 } 229 230 /* Inode core */ 231 232 /* Validate di_extsize hint. */ 233 STATIC void 234 xchk_inode_extsize( 235 struct xfs_scrub *sc, 236 struct xfs_dinode *dip, 237 xfs_ino_t ino, 238 uint16_t mode, 239 uint16_t flags) 240 { 241 xfs_failaddr_t fa; 242 uint32_t value = be32_to_cpu(dip->di_extsize); 243 244 fa = xfs_inode_validate_extsize(sc->mp, value, mode, flags); 245 if (fa) 246 xchk_ino_set_corrupt(sc, ino); 247 248 /* 249 * XFS allows a sysadmin to change the rt extent size when adding a rt 250 * section to a filesystem after formatting. If there are any 251 * directories with extszinherit and rtinherit set, the hint could 252 * become misaligned with the new rextsize. The verifier doesn't check 253 * this, because we allow rtinherit directories even without an rt 254 * device. Flag this as an administrative warning since we will clean 255 * this up eventually. 256 */ 257 if ((flags & XFS_DIFLAG_RTINHERIT) && 258 (flags & XFS_DIFLAG_EXTSZINHERIT) && 259 xfs_extlen_to_rtxmod(sc->mp, value) > 0) 260 xchk_ino_set_warning(sc, ino); 261 } 262 263 /* 264 * Validate di_cowextsize hint. 265 * 266 * The rules are documented at xfs_ioctl_setattr_check_cowextsize(). 267 * These functions must be kept in sync with each other. 268 */ 269 STATIC void 270 xchk_inode_cowextsize( 271 struct xfs_scrub *sc, 272 struct xfs_dinode *dip, 273 xfs_ino_t ino, 274 uint16_t mode, 275 uint16_t flags, 276 uint64_t flags2) 277 { 278 xfs_failaddr_t fa; 279 280 fa = xfs_inode_validate_cowextsize(sc->mp, 281 be32_to_cpu(dip->di_cowextsize), mode, flags, 282 flags2); 283 if (fa) 284 xchk_ino_set_corrupt(sc, ino); 285 } 286 287 /* Make sure the di_flags make sense for the inode. */ 288 STATIC void 289 xchk_inode_flags( 290 struct xfs_scrub *sc, 291 struct xfs_dinode *dip, 292 xfs_ino_t ino, 293 uint16_t mode, 294 uint16_t flags) 295 { 296 struct xfs_mount *mp = sc->mp; 297 298 /* di_flags are all taken, last bit cannot be used */ 299 if (flags & ~XFS_DIFLAG_ANY) 300 goto bad; 301 302 /* rt flags require rt device */ 303 if ((flags & XFS_DIFLAG_REALTIME) && !mp->m_rtdev_targp) 304 goto bad; 305 306 /* new rt bitmap flag only valid for rbmino */ 307 if ((flags & XFS_DIFLAG_NEWRTBM) && ino != mp->m_sb.sb_rbmino) 308 goto bad; 309 310 /* directory-only flags */ 311 if ((flags & (XFS_DIFLAG_RTINHERIT | 312 XFS_DIFLAG_EXTSZINHERIT | 313 XFS_DIFLAG_PROJINHERIT | 314 XFS_DIFLAG_NOSYMLINKS)) && 315 !S_ISDIR(mode)) 316 goto bad; 317 318 /* file-only flags */ 319 if ((flags & (XFS_DIFLAG_REALTIME | FS_XFLAG_EXTSIZE)) && 320 !S_ISREG(mode)) 321 goto bad; 322 323 /* filestreams and rt make no sense */ 324 if ((flags & XFS_DIFLAG_FILESTREAM) && (flags & XFS_DIFLAG_REALTIME)) 325 goto bad; 326 327 return; 328 bad: 329 xchk_ino_set_corrupt(sc, ino); 330 } 331 332 /* Make sure the di_flags2 make sense for the inode. */ 333 STATIC void 334 xchk_inode_flags2( 335 struct xfs_scrub *sc, 336 struct xfs_dinode *dip, 337 xfs_ino_t ino, 338 uint16_t mode, 339 uint16_t flags, 340 uint64_t flags2) 341 { 342 struct xfs_mount *mp = sc->mp; 343 344 /* Unknown di_flags2 could be from a future kernel */ 345 if (flags2 & ~XFS_DIFLAG2_ANY) 346 xchk_ino_set_warning(sc, ino); 347 348 /* reflink flag requires reflink feature */ 349 if ((flags2 & XFS_DIFLAG2_REFLINK) && 350 !xfs_has_reflink(mp)) 351 goto bad; 352 353 /* cowextsize flag is checked w.r.t. mode separately */ 354 355 /* file/dir-only flags */ 356 if ((flags2 & XFS_DIFLAG2_DAX) && !(S_ISREG(mode) || S_ISDIR(mode))) 357 goto bad; 358 359 /* file-only flags */ 360 if ((flags2 & XFS_DIFLAG2_REFLINK) && !S_ISREG(mode)) 361 goto bad; 362 363 /* realtime and reflink make no sense, currently */ 364 if ((flags & XFS_DIFLAG_REALTIME) && (flags2 & XFS_DIFLAG2_REFLINK)) 365 goto bad; 366 367 /* no bigtime iflag without the bigtime feature */ 368 if (xfs_dinode_has_bigtime(dip) && !xfs_has_bigtime(mp)) 369 goto bad; 370 371 /* no large extent counts without the filesystem feature */ 372 if ((flags2 & XFS_DIFLAG2_NREXT64) && !xfs_has_large_extent_counts(mp)) 373 goto bad; 374 375 return; 376 bad: 377 xchk_ino_set_corrupt(sc, ino); 378 } 379 380 static inline void 381 xchk_dinode_nsec( 382 struct xfs_scrub *sc, 383 xfs_ino_t ino, 384 struct xfs_dinode *dip, 385 const xfs_timestamp_t ts) 386 { 387 struct timespec64 tv; 388 389 tv = xfs_inode_from_disk_ts(dip, ts); 390 if (tv.tv_nsec < 0 || tv.tv_nsec >= NSEC_PER_SEC) 391 xchk_ino_set_corrupt(sc, ino); 392 } 393 394 /* Scrub all the ondisk inode fields. */ 395 STATIC void 396 xchk_dinode( 397 struct xfs_scrub *sc, 398 struct xfs_dinode *dip, 399 xfs_ino_t ino) 400 { 401 struct xfs_mount *mp = sc->mp; 402 size_t fork_recs; 403 unsigned long long isize; 404 uint64_t flags2; 405 xfs_extnum_t nextents; 406 xfs_extnum_t naextents; 407 prid_t prid; 408 uint16_t flags; 409 uint16_t mode; 410 411 flags = be16_to_cpu(dip->di_flags); 412 if (dip->di_version >= 3) 413 flags2 = be64_to_cpu(dip->di_flags2); 414 else 415 flags2 = 0; 416 417 /* di_mode */ 418 mode = be16_to_cpu(dip->di_mode); 419 switch (mode & S_IFMT) { 420 case S_IFLNK: 421 case S_IFREG: 422 case S_IFDIR: 423 case S_IFCHR: 424 case S_IFBLK: 425 case S_IFIFO: 426 case S_IFSOCK: 427 /* mode is recognized */ 428 break; 429 default: 430 xchk_ino_set_corrupt(sc, ino); 431 break; 432 } 433 434 /* v1/v2 fields */ 435 switch (dip->di_version) { 436 case 1: 437 /* 438 * We autoconvert v1 inodes into v2 inodes on writeout, 439 * so just mark this inode for preening. 440 */ 441 xchk_ino_set_preen(sc, ino); 442 prid = 0; 443 break; 444 case 2: 445 case 3: 446 if (xfs_dinode_is_metadir(dip)) { 447 if (be16_to_cpu(dip->di_metatype) >= XFS_METAFILE_MAX) 448 xchk_ino_set_corrupt(sc, ino); 449 } else { 450 if (dip->di_metatype != 0) 451 xchk_ino_set_corrupt(sc, ino); 452 } 453 454 if (dip->di_mode == 0 && sc->ip) 455 xchk_ino_set_corrupt(sc, ino); 456 457 if (dip->di_projid_hi != 0 && 458 !xfs_has_projid32(mp)) 459 xchk_ino_set_corrupt(sc, ino); 460 461 prid = be16_to_cpu(dip->di_projid_lo); 462 break; 463 default: 464 xchk_ino_set_corrupt(sc, ino); 465 return; 466 } 467 468 if (xfs_has_projid32(mp)) 469 prid |= (prid_t)be16_to_cpu(dip->di_projid_hi) << 16; 470 471 /* 472 * di_uid/di_gid -- -1 isn't invalid, but there's no way that 473 * userspace could have created that. 474 */ 475 if (dip->di_uid == cpu_to_be32(-1U) || 476 dip->di_gid == cpu_to_be32(-1U)) 477 xchk_ino_set_warning(sc, ino); 478 479 /* 480 * project id of -1 isn't supposed to be valid, but the kernel didn't 481 * always validate that. 482 */ 483 if (prid == -1U) 484 xchk_ino_set_warning(sc, ino); 485 486 /* di_format */ 487 switch (dip->di_format) { 488 case XFS_DINODE_FMT_DEV: 489 if (!S_ISCHR(mode) && !S_ISBLK(mode) && 490 !S_ISFIFO(mode) && !S_ISSOCK(mode)) 491 xchk_ino_set_corrupt(sc, ino); 492 break; 493 case XFS_DINODE_FMT_LOCAL: 494 if (!S_ISDIR(mode) && !S_ISLNK(mode)) 495 xchk_ino_set_corrupt(sc, ino); 496 break; 497 case XFS_DINODE_FMT_EXTENTS: 498 if (!S_ISREG(mode) && !S_ISDIR(mode) && !S_ISLNK(mode)) 499 xchk_ino_set_corrupt(sc, ino); 500 break; 501 case XFS_DINODE_FMT_BTREE: 502 if (!S_ISREG(mode) && !S_ISDIR(mode)) 503 xchk_ino_set_corrupt(sc, ino); 504 break; 505 case XFS_DINODE_FMT_UUID: 506 default: 507 xchk_ino_set_corrupt(sc, ino); 508 break; 509 } 510 511 /* di_[amc]time.nsec */ 512 xchk_dinode_nsec(sc, ino, dip, dip->di_atime); 513 xchk_dinode_nsec(sc, ino, dip, dip->di_mtime); 514 xchk_dinode_nsec(sc, ino, dip, dip->di_ctime); 515 516 /* 517 * di_size. xfs_dinode_verify checks for things that screw up 518 * the VFS such as the upper bit being set and zero-length 519 * symlinks/directories, but we can do more here. 520 */ 521 isize = be64_to_cpu(dip->di_size); 522 if (isize & (1ULL << 63)) 523 xchk_ino_set_corrupt(sc, ino); 524 525 /* Devices, fifos, and sockets must have zero size */ 526 if (!S_ISDIR(mode) && !S_ISREG(mode) && !S_ISLNK(mode) && isize != 0) 527 xchk_ino_set_corrupt(sc, ino); 528 529 /* Directories can't be larger than the data section size (32G) */ 530 if (S_ISDIR(mode) && (isize == 0 || isize >= XFS_DIR2_SPACE_SIZE)) 531 xchk_ino_set_corrupt(sc, ino); 532 533 /* Symlinks can't be larger than SYMLINK_MAXLEN */ 534 if (S_ISLNK(mode) && (isize == 0 || isize >= XFS_SYMLINK_MAXLEN)) 535 xchk_ino_set_corrupt(sc, ino); 536 537 /* 538 * Warn if the running kernel can't handle the kinds of offsets 539 * needed to deal with the file size. In other words, if the 540 * pagecache can't cache all the blocks in this file due to 541 * overly large offsets, flag the inode for admin review. 542 */ 543 if (isize > mp->m_super->s_maxbytes) 544 xchk_ino_set_warning(sc, ino); 545 546 /* di_nblocks */ 547 if (flags2 & XFS_DIFLAG2_REFLINK) { 548 ; /* nblocks can exceed dblocks */ 549 } else if (flags & XFS_DIFLAG_REALTIME) { 550 /* 551 * nblocks is the sum of data extents (in the rtdev), 552 * attr extents (in the datadev), and both forks' bmbt 553 * blocks (in the datadev). This clumsy check is the 554 * best we can do without cross-referencing with the 555 * inode forks. 556 */ 557 if (be64_to_cpu(dip->di_nblocks) >= 558 mp->m_sb.sb_dblocks + mp->m_sb.sb_rblocks) 559 xchk_ino_set_corrupt(sc, ino); 560 } else { 561 if (be64_to_cpu(dip->di_nblocks) >= mp->m_sb.sb_dblocks) 562 xchk_ino_set_corrupt(sc, ino); 563 } 564 565 xchk_inode_flags(sc, dip, ino, mode, flags); 566 567 xchk_inode_extsize(sc, dip, ino, mode, flags); 568 569 nextents = xfs_dfork_data_extents(dip); 570 naextents = xfs_dfork_attr_extents(dip); 571 572 /* di_nextents */ 573 fork_recs = XFS_DFORK_DSIZE(dip, mp) / sizeof(struct xfs_bmbt_rec); 574 switch (dip->di_format) { 575 case XFS_DINODE_FMT_EXTENTS: 576 if (nextents > fork_recs) 577 xchk_ino_set_corrupt(sc, ino); 578 break; 579 case XFS_DINODE_FMT_BTREE: 580 if (nextents <= fork_recs) 581 xchk_ino_set_corrupt(sc, ino); 582 break; 583 default: 584 if (nextents != 0) 585 xchk_ino_set_corrupt(sc, ino); 586 break; 587 } 588 589 /* di_forkoff */ 590 if (XFS_DFORK_BOFF(dip) >= mp->m_sb.sb_inodesize) 591 xchk_ino_set_corrupt(sc, ino); 592 if (naextents != 0 && dip->di_forkoff == 0) 593 xchk_ino_set_corrupt(sc, ino); 594 if (dip->di_forkoff == 0 && dip->di_aformat != XFS_DINODE_FMT_EXTENTS) 595 xchk_ino_set_corrupt(sc, ino); 596 597 /* di_aformat */ 598 if (dip->di_aformat != XFS_DINODE_FMT_LOCAL && 599 dip->di_aformat != XFS_DINODE_FMT_EXTENTS && 600 dip->di_aformat != XFS_DINODE_FMT_BTREE) 601 xchk_ino_set_corrupt(sc, ino); 602 603 /* di_anextents */ 604 fork_recs = XFS_DFORK_ASIZE(dip, mp) / sizeof(struct xfs_bmbt_rec); 605 switch (dip->di_aformat) { 606 case XFS_DINODE_FMT_EXTENTS: 607 if (naextents > fork_recs) 608 xchk_ino_set_corrupt(sc, ino); 609 break; 610 case XFS_DINODE_FMT_BTREE: 611 if (naextents <= fork_recs) 612 xchk_ino_set_corrupt(sc, ino); 613 break; 614 default: 615 if (naextents != 0) 616 xchk_ino_set_corrupt(sc, ino); 617 } 618 619 if (dip->di_version >= 3) { 620 xchk_dinode_nsec(sc, ino, dip, dip->di_crtime); 621 xchk_inode_flags2(sc, dip, ino, mode, flags, flags2); 622 xchk_inode_cowextsize(sc, dip, ino, mode, flags, 623 flags2); 624 } 625 } 626 627 /* 628 * Make sure the finobt doesn't think this inode is free. 629 * We don't have to check the inobt ourselves because we got the inode via 630 * IGET_UNTRUSTED, which checks the inobt for us. 631 */ 632 static void 633 xchk_inode_xref_finobt( 634 struct xfs_scrub *sc, 635 xfs_ino_t ino) 636 { 637 struct xfs_inobt_rec_incore rec; 638 xfs_agino_t agino; 639 int has_record; 640 int error; 641 642 if (!sc->sa.fino_cur || xchk_skip_xref(sc->sm)) 643 return; 644 645 agino = XFS_INO_TO_AGINO(sc->mp, ino); 646 647 /* 648 * Try to get the finobt record. If we can't get it, then we're 649 * in good shape. 650 */ 651 error = xfs_inobt_lookup(sc->sa.fino_cur, agino, XFS_LOOKUP_LE, 652 &has_record); 653 if (!xchk_should_check_xref(sc, &error, &sc->sa.fino_cur) || 654 !has_record) 655 return; 656 657 error = xfs_inobt_get_rec(sc->sa.fino_cur, &rec, &has_record); 658 if (!xchk_should_check_xref(sc, &error, &sc->sa.fino_cur) || 659 !has_record) 660 return; 661 662 /* 663 * Otherwise, make sure this record either doesn't cover this inode, 664 * or that it does but it's marked present. 665 */ 666 if (rec.ir_startino > agino || 667 rec.ir_startino + XFS_INODES_PER_CHUNK <= agino) 668 return; 669 670 if (rec.ir_free & XFS_INOBT_MASK(agino - rec.ir_startino)) 671 xchk_btree_xref_set_corrupt(sc, sc->sa.fino_cur, 0); 672 } 673 674 /* Cross reference the inode fields with the forks. */ 675 STATIC void 676 xchk_inode_xref_bmap( 677 struct xfs_scrub *sc, 678 struct xfs_dinode *dip) 679 { 680 xfs_extnum_t nextents; 681 xfs_filblks_t count; 682 xfs_filblks_t acount; 683 int error; 684 685 if (xchk_skip_xref(sc->sm)) 686 return; 687 688 /* Walk all the extents to check nextents/naextents/nblocks. */ 689 error = xfs_bmap_count_blocks(sc->tp, sc->ip, XFS_DATA_FORK, 690 &nextents, &count); 691 if (!xchk_should_check_xref(sc, &error, NULL)) 692 return; 693 if (nextents < xfs_dfork_data_extents(dip)) 694 xchk_ino_xref_set_corrupt(sc, sc->ip->i_ino); 695 696 error = xfs_bmap_count_blocks(sc->tp, sc->ip, XFS_ATTR_FORK, 697 &nextents, &acount); 698 if (!xchk_should_check_xref(sc, &error, NULL)) 699 return; 700 if (nextents != xfs_dfork_attr_extents(dip)) 701 xchk_ino_xref_set_corrupt(sc, sc->ip->i_ino); 702 703 /* Check nblocks against the inode. */ 704 if (count + acount != be64_to_cpu(dip->di_nblocks)) 705 xchk_ino_xref_set_corrupt(sc, sc->ip->i_ino); 706 } 707 708 /* Cross-reference with the other btrees. */ 709 STATIC void 710 xchk_inode_xref( 711 struct xfs_scrub *sc, 712 xfs_ino_t ino, 713 struct xfs_dinode *dip) 714 { 715 xfs_agnumber_t agno; 716 xfs_agblock_t agbno; 717 int error; 718 719 if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT) 720 return; 721 722 agno = XFS_INO_TO_AGNO(sc->mp, ino); 723 agbno = XFS_INO_TO_AGBNO(sc->mp, ino); 724 725 error = xchk_ag_init_existing(sc, agno, &sc->sa); 726 if (!xchk_xref_process_error(sc, agno, agbno, &error)) 727 goto out_free; 728 729 xchk_xref_is_used_space(sc, agbno, 1); 730 xchk_inode_xref_finobt(sc, ino); 731 xchk_xref_is_only_owned_by(sc, agbno, 1, &XFS_RMAP_OINFO_INODES); 732 xchk_xref_is_not_shared(sc, agbno, 1); 733 xchk_xref_is_not_cow_staging(sc, agbno, 1); 734 xchk_inode_xref_bmap(sc, dip); 735 736 out_free: 737 xchk_ag_free(sc, &sc->sa); 738 } 739 740 /* 741 * If the reflink iflag disagrees with a scan for shared data fork extents, 742 * either flag an error (shared extents w/ no flag) or a preen (flag set w/o 743 * any shared extents). We already checked for reflink iflag set on a non 744 * reflink filesystem. 745 */ 746 static void 747 xchk_inode_check_reflink_iflag( 748 struct xfs_scrub *sc, 749 xfs_ino_t ino) 750 { 751 struct xfs_mount *mp = sc->mp; 752 bool has_shared; 753 int error; 754 755 if (!xfs_has_reflink(mp)) 756 return; 757 758 error = xfs_reflink_inode_has_shared_extents(sc->tp, sc->ip, 759 &has_shared); 760 if (!xchk_xref_process_error(sc, XFS_INO_TO_AGNO(mp, ino), 761 XFS_INO_TO_AGBNO(mp, ino), &error)) 762 return; 763 if (xfs_is_reflink_inode(sc->ip) && !has_shared) 764 xchk_ino_set_preen(sc, ino); 765 else if (!xfs_is_reflink_inode(sc->ip) && has_shared) 766 xchk_ino_set_corrupt(sc, ino); 767 } 768 769 /* 770 * If this inode has zero link count, it must be on the unlinked list. If 771 * it has nonzero link count, it must not be on the unlinked list. 772 */ 773 STATIC void 774 xchk_inode_check_unlinked( 775 struct xfs_scrub *sc) 776 { 777 if (VFS_I(sc->ip)->i_nlink == 0) { 778 if (!xfs_inode_on_unlinked_list(sc->ip)) 779 xchk_ino_set_corrupt(sc, sc->ip->i_ino); 780 } else { 781 if (xfs_inode_on_unlinked_list(sc->ip)) 782 xchk_ino_set_corrupt(sc, sc->ip->i_ino); 783 } 784 } 785 786 /* Scrub an inode. */ 787 int 788 xchk_inode( 789 struct xfs_scrub *sc) 790 { 791 struct xfs_dinode di; 792 int error = 0; 793 794 /* 795 * If sc->ip is NULL, that means that the setup function called 796 * xfs_iget to look up the inode. xfs_iget returned a EFSCORRUPTED 797 * and a NULL inode, so flag the corruption error and return. 798 */ 799 if (!sc->ip) { 800 xchk_ino_set_corrupt(sc, sc->sm->sm_ino); 801 return 0; 802 } 803 804 /* Scrub the inode core. */ 805 xfs_inode_to_disk(sc->ip, &di, 0); 806 xchk_dinode(sc, &di, sc->ip->i_ino); 807 if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT) 808 goto out; 809 810 /* 811 * Look for discrepancies between file's data blocks and the reflink 812 * iflag. We already checked the iflag against the file mode when 813 * we scrubbed the dinode. 814 */ 815 if (S_ISREG(VFS_I(sc->ip)->i_mode)) 816 xchk_inode_check_reflink_iflag(sc, sc->ip->i_ino); 817 818 xchk_inode_check_unlinked(sc); 819 820 xchk_inode_xref(sc, sc->ip->i_ino, &di); 821 out: 822 return error; 823 } 824