// SPDX-License-Identifier: GPL-2.0-or-later
/*
 * Copyright (C) 2018-2023 Oracle. All Rights Reserved.
 * Author: Darrick J. Wong <djwong@kernel.org>
 */
#include "xfs.h"
#include "xfs_fs.h"
#include "xfs_shared.h"
#include "xfs_format.h"
#include "xfs_trans_resv.h"
#include "xfs_mount.h"
#include "xfs_defer.h"
#include "xfs_btree.h"
#include "xfs_bit.h"
#include "xfs_format.h"	/* NOTE(review): duplicate include (also above); harmless */
#include "xfs_log_format.h"
#include "xfs_trans.h"
#include "xfs_sb.h"
#include "xfs_inode.h"
#include "xfs_inode_fork.h"
#include "xfs_alloc.h"
#include "xfs_bmap.h"
#include "xfs_quota.h"
#include "xfs_qm.h"
#include "xfs_dquot.h"
#include "xfs_dquot_item.h"
#include "xfs_reflink.h"
#include "xfs_bmap_btree.h"
#include "xfs_trans_space.h"
#include "scrub/xfs_scrub.h"
#include "scrub/scrub.h"
#include "scrub/common.h"
#include "scrub/quota.h"
#include "scrub/trace.h"
#include "scrub/repair.h"

/*
 * Quota Repair
 * ============
 *
 * Quota repairs are fairly simplistic; we fix everything that the dquot
 * verifiers complain about, cap any counters or limits that make no sense,
 * and schedule a quotacheck if we had to fix anything.  We also repair any
 * data fork extent records that don't apply to metadata files.
 */

/* Context shared by the per-dquot repair iteration. */
struct xrep_quota_info {
	struct xfs_scrub	*sc;		/* scrub context */
	bool			need_quotacheck; /* set when counters were clamped */
};

/*
 * Allocate a new block into a sparse hole in the quota file backing this
 * dquot, initialize the block, and commit the whole mess.
 *
 * On success, dq->q_blkno points at the new block, the mapping transactions
 * have been finished, and sc->tp has been rolled so that sc->ip is no longer
 * joined to it.  Returns 0 or a negative errno.
 */
STATIC int
xrep_quota_item_fill_bmap_hole(
	struct xfs_scrub	*sc,
	struct xfs_dquot	*dq,
	struct xfs_bmbt_irec	*irec)
{
	struct xfs_buf		*bp;
	struct xfs_mount	*mp = sc->mp;
	int			nmaps = 1;
	int			error;

	xfs_trans_ijoin(sc->tp, sc->ip, 0);

	/* Map a block into the file. */
	error = xfs_trans_reserve_more(sc->tp, XFS_QM_DQALLOC_SPACE_RES(mp),
			0);
	if (error)
		return error;

	error = xfs_bmapi_write(sc->tp, sc->ip, dq->q_fileoffset,
			XFS_DQUOT_CLUSTER_SIZE_FSB, XFS_BMAPI_METADATA, 0,
			irec, &nmaps);
	if (error)
		return error;

	/* Cache the daddr of the block we just mapped for this dquot. */
	dq->q_blkno = XFS_FSB_TO_DADDR(mp, irec->br_startblock);

	trace_xrep_dquot_item_fill_bmap_hole(sc->mp, dq->q_type, dq->q_id);

	/* Initialize the new block. */
	error = xfs_trans_get_buf(sc->tp, mp->m_ddev_targp, dq->q_blkno,
			mp->m_quotainfo->qi_dqchunklen, 0, &bp);
	if (error)
		return error;
	bp->b_ops = &xfs_dquot_buf_ops;

	xfs_qm_init_dquot_blk(sc->tp, dq->q_id, dq->q_type, bp);
	xfs_buf_set_ref(bp, XFS_DQUOT_REF);

	/*
	 * Finish the mapping transactions and roll one more time to
	 * disconnect sc->ip from sc->tp.
	 */
	error = xrep_defer_finish(sc);
	if (error)
		return error;
	return xfs_trans_roll(&sc->tp);
}

/*
 * Make sure there's a written block backing this dquot.
 *
 * Computes the quota file offset for dq->q_id, fills any hole/delalloc
 * mapping with a real initialized block, and refreshes dq->q_blkno if the
 * cached daddr no longer matches the mapping.  Sets *dirty to true on
 * success so the caller logs the dquot.  Caller holds ILOCK_EXCL and the
 * dquot lock.  Returns 0 or a negative errno.
 */
STATIC int
xrep_quota_item_bmap(
	struct xfs_scrub	*sc,
	struct xfs_dquot	*dq,
	bool			*dirty)
{
	struct xfs_bmbt_irec	irec;
	struct xfs_mount	*mp = sc->mp;
	struct xfs_quotainfo	*qi = mp->m_quotainfo;
	xfs_fileoff_t		offset = dq->q_id / qi->qi_dqperchunk;
	int			nmaps = 1;
	int			error;

	/* The computed file offset should always be valid. */
	if (!xfs_verify_fileoff(mp, offset)) {
		ASSERT(xfs_verify_fileoff(mp, offset));
		return -EFSCORRUPTED;
	}
	dq->q_fileoffset = offset;

	error = xfs_bmapi_read(sc->ip, offset, 1, &irec, &nmaps, 0);
	if (error)
		return error;

	if (nmaps < 1 || !xfs_bmap_is_real_extent(&irec)) {
		/* Hole/delalloc extent; allocate a real block. */
		error = xrep_quota_item_fill_bmap_hole(sc, dq, &irec);
		if (error)
			return error;
	} else if (irec.br_state != XFS_EXT_NORM) {
		/*
		 * Unwritten extent, which we already took care of?
		 * xrep_quota_data_fork converts these before we get here,
		 * so finding one now means the repair went wrong.
		 */
		ASSERT(irec.br_state == XFS_EXT_NORM);
		return -EFSCORRUPTED;
	} else if (dq->q_blkno != XFS_FSB_TO_DADDR(mp, irec.br_startblock)) {
		/*
		 * If the cached daddr is incorrect, repair probably punched a
		 * hole out of the quota file and filled it back in with a new
		 * block.  Update the block mapping in the dquot.
		 */
		dq->q_blkno = XFS_FSB_TO_DADDR(mp, irec.br_startblock);
	}

	/* Always mark dirty so the caller relogs the dquot. */
	*dirty = true;
	return 0;
}

/*
 * Reset quota timers if incorrectly set.
 *
 * A timer should be running iff the resource exceeds a configured soft or
 * hard limit.  If the timer state disagrees with the counts, mark the dquot
 * dirty; the actual timer value is recomputed by xfs_qm_adjust_dqtimers()
 * when the caller logs the dquot.
 */
static inline void
xrep_quota_item_timer(
	struct xfs_scrub		*sc,
	const struct xfs_dquot_res	*res,
	bool				*dirty)
{
	if ((res->softlimit && res->count > res->softlimit) ||
	    (res->hardlimit && res->count > res->hardlimit)) {
		/* Over a limit but no timer running: needs fixing. */
		if (!res->timer)
			*dirty = true;
	} else {
		/* Under all limits but a timer is running: needs clearing. */
		if (res->timer)
			*dirty = true;
	}
}

/*
 * Scrub the fields in an individual quota item.
 *
 * Fixes the bmap record backing the dquot, clamps nonsensical limits and
 * counters, corrects timers, and logs the dquot if anything changed.
 * Clamping a counter also schedules a quotacheck via rqi->need_quotacheck.
 * Called with the dquot locked; returns 0 or a negative errno.
 */
STATIC int
xrep_quota_item(
	struct xrep_quota_info	*rqi,
	struct xfs_dquot	*dq)
{
	struct xfs_scrub	*sc = rqi->sc;
	struct xfs_mount	*mp = sc->mp;
	xfs_ino_t		fs_icount;
	bool			dirty = false;
	int			error = 0;

	/* Last chance to abort before we start committing fixes. */
	if (xchk_should_terminate(sc, &error))
		return error;

	/*
	 * We might need to fix holes in the bmap record for the storage
	 * backing this dquot, so we need to lock the dquot and the quota file.
	 * dqiterate gave us a locked dquot, so drop the dquot lock to get the
	 * ILOCK_EXCL.
	 */
	xfs_dqunlock(dq);
	xchk_ilock(sc, XFS_ILOCK_EXCL);
	xfs_dqlock(dq);

	error = xrep_quota_item_bmap(sc, dq, &dirty);
	xchk_iunlock(sc, XFS_ILOCK_EXCL);
	if (error)
		return error;

	/* Check the limits: soft limit must never exceed the hard limit. */
	if (dq->q_blk.softlimit > dq->q_blk.hardlimit) {
		dq->q_blk.softlimit = dq->q_blk.hardlimit;
		dirty = true;
	}

	if (dq->q_ino.softlimit > dq->q_ino.hardlimit) {
		dq->q_ino.softlimit = dq->q_ino.hardlimit;
		dirty = true;
	}

	if (dq->q_rtb.softlimit > dq->q_rtb.hardlimit) {
		dq->q_rtb.softlimit = dq->q_rtb.hardlimit;
		dirty = true;
	}

	/*
	 * Check that usage doesn't exceed physical limits.  However, on
	 * a reflink filesystem we're allowed to exceed physical space
	 * if there are no quota limits.  We don't know what the real number
	 * is, but we can make quotacheck find out for us.
	 */
	if (!xfs_has_reflink(mp) && dq->q_blk.count > mp->m_sb.sb_dblocks) {
		/* Adjust reserved by the same delta we apply to count. */
		dq->q_blk.reserved -= dq->q_blk.count;
		dq->q_blk.reserved += mp->m_sb.sb_dblocks;
		dq->q_blk.count = mp->m_sb.sb_dblocks;
		rqi->need_quotacheck = true;
		dirty = true;
	}
	fs_icount = percpu_counter_sum(&mp->m_icount);
	if (dq->q_ino.count > fs_icount) {
		dq->q_ino.reserved -= dq->q_ino.count;
		dq->q_ino.reserved += fs_icount;
		dq->q_ino.count = fs_icount;
		rqi->need_quotacheck = true;
		dirty = true;
	}
	if (dq->q_rtb.count > mp->m_sb.sb_rblocks) {
		dq->q_rtb.reserved -= dq->q_rtb.count;
		dq->q_rtb.reserved += mp->m_sb.sb_rblocks;
		dq->q_rtb.count = mp->m_sb.sb_rblocks;
		rqi->need_quotacheck = true;
		dirty = true;
	}

	xrep_quota_item_timer(sc, &dq->q_blk, &dirty);
	xrep_quota_item_timer(sc, &dq->q_ino, &dirty);
	xrep_quota_item_timer(sc, &dq->q_rtb, &dirty);

	if (!dirty)
		return 0;

	trace_xrep_dquot_item(sc->mp, dq->q_type, dq->q_id);

	dq->q_flags |= XFS_DQFLAG_DIRTY;
	xfs_trans_dqjoin(sc->tp, dq);
	if (dq->q_id) {
		/* The id 0 (default) dquot's limits/timers are left alone. */
		xfs_qm_adjust_dqlimits(dq);
		xfs_qm_adjust_dqtimers(dq);
	}
	xfs_trans_log_dquot(sc->tp, dq);
	/* Rolling unlocks the dquot; retake the lock for the caller. */
	error = xfs_trans_roll(&sc->tp);
	xfs_dqlock(dq);
	return error;
}

/*
 * Fix a quota timer so that we can pass the verifier.
 *
 * If the on-disk count exceeds a nonzero soft limit and no timer is set,
 * start one at now + timelimit, encoding it as a bigtime timestamp when the
 * dquot type requires it.  All limit/count/timer arguments are in on-disk
 * (big-endian) form.
 */
STATIC void
xrep_quota_fix_timer(
	struct xfs_mount	*mp,
	const struct xfs_disk_dquot *ddq,
	__be64			softlimit,
	__be64			countnow,
	__be32			*timer,
	time64_t		timelimit)
{
	uint64_t		soft = be64_to_cpu(softlimit);
	uint64_t		count = be64_to_cpu(countnow);
	time64_t		new_timer;
	uint32_t		t;

	/* Nothing to do if no limit, not over it, or a timer already runs. */
	if (!soft || count <= soft || *timer != 0)
		return;

	new_timer = xfs_dquot_set_timeout(mp,
			ktime_get_real_seconds() + timelimit);
	if (ddq->d_type & XFS_DQTYPE_BIGTIME)
		t = xfs_dq_unix_to_bigtime(new_timer);
	else
		t = new_timer;

	*timer = cpu_to_be32(t);
}

/*
 * Fix anything the verifiers complain about.
 *
 * Read the dquot buffer at @daddr; if the verifier rejects it or the first
 * dquot's type/id don't match what a dqiterate would expect, reinitialize
 * every dquot record in the block (magic, version, type, id, timers, uuid,
 * CRC), log the buffer with the right blft type, and roll the transaction.
 * Returns 0 or a negative errno.
 */
STATIC int
xrep_quota_block(
	struct xfs_scrub	*sc,
	xfs_daddr_t		daddr,
	xfs_dqtype_t		dqtype,
	xfs_dqid_t		id)
{
	struct xfs_dqblk	*dqblk;
	struct xfs_disk_dquot	*ddq;
	struct xfs_quotainfo	*qi = sc->mp->m_quotainfo;
	struct xfs_def_quota	*defq = xfs_get_defquota(qi, dqtype);
	struct xfs_buf		*bp = NULL;
	enum xfs_blft		buftype = 0;
	int			i;
	int			error;

	error = xfs_trans_read_buf(sc->mp, sc->tp, sc->mp->m_ddev_targp, daddr,
			qi->qi_dqchunklen, 0, &bp, &xfs_dquot_buf_ops);
	switch (error) {
	case -EFSBADCRC:
	case -EFSCORRUPTED:
		/* Failed verifier, retry read with no ops. */
		error = xfs_trans_read_buf(sc->mp, sc->tp,
				sc->mp->m_ddev_targp, daddr, qi->qi_dqchunklen,
				0, &bp, NULL);
		if (error)
			return error;
		break;
	case 0:
		dqblk = bp->b_addr;
		ddq = &dqblk[0].dd_diskdq;

		/*
		 * If there's nothing that would impede a dqiterate, we're
		 * done.
		 */
		if ((ddq->d_type & XFS_DQTYPE_REC_MASK) != dqtype ||
		    id == be32_to_cpu(ddq->d_id)) {
			xfs_trans_brelse(sc->tp, bp);
			return 0;
		}
		break;
	default:
		return error;
	}

	/* Something's wrong with the block, fix the whole thing. */
	dqblk = bp->b_addr;
	bp->b_ops = &xfs_dquot_buf_ops;
	for (i = 0; i < qi->qi_dqperchunk; i++, dqblk++) {
		ddq = &dqblk->dd_diskdq;

		trace_xrep_disk_dquot(sc->mp, dqtype, id + i);

		ddq->d_magic = cpu_to_be16(XFS_DQUOT_MAGIC);
		ddq->d_version = XFS_DQUOT_VERSION;
		ddq->d_type = dqtype;
		ddq->d_id = cpu_to_be32(id + i);

		/* The id 0 (default) dquot never uses bigtime. */
		if (xfs_has_bigtime(sc->mp) && ddq->d_id)
			ddq->d_type |= XFS_DQTYPE_BIGTIME;

		xrep_quota_fix_timer(sc->mp, ddq, ddq->d_blk_softlimit,
				ddq->d_bcount, &ddq->d_btimer,
				defq->blk.time);

		xrep_quota_fix_timer(sc->mp, ddq, ddq->d_ino_softlimit,
				ddq->d_icount, &ddq->d_itimer,
				defq->ino.time);

		xrep_quota_fix_timer(sc->mp, ddq, ddq->d_rtb_softlimit,
				ddq->d_rtbcount, &ddq->d_rtbtimer,
				defq->rtb.time);

		/* We only support v5 filesystems so always set these. */
		uuid_copy(&dqblk->dd_uuid, &sc->mp->m_sb.sb_meta_uuid);
		xfs_update_cksum((char *)dqblk, sizeof(struct xfs_dqblk),
				XFS_DQUOT_CRC_OFF);
		dqblk->dd_lsn = 0;
	}
	switch (dqtype) {
	case XFS_DQTYPE_USER:
		buftype = XFS_BLFT_UDQUOT_BUF;
		break;
	case XFS_DQTYPE_GROUP:
		buftype = XFS_BLFT_GDQUOT_BUF;
		break;
	case XFS_DQTYPE_PROJ:
		buftype = XFS_BLFT_PDQUOT_BUF;
		break;
	}
	xfs_trans_buf_set_type(sc->tp, bp, buftype);
	xfs_trans_log_buf(sc->tp, bp, 0, BBTOB(bp->b_length) - 1);
	return xrep_roll_trans(sc);
}

/*
 * Repair a quota file's data fork.  The function returns with the inode
 * joined.
 *
 * Rejects delalloc extents, truncates mappings beyond the highest possible
 * dquot id, converts unwritten extents to written, drops CoW reservations,
 * and then rewrites any dquot block that fails the verifiers.  Returns 0 or
 * a negative errno.
 */
STATIC int
xrep_quota_data_fork(
	struct xfs_scrub	*sc,
	xfs_dqtype_t		dqtype)
{
	struct xfs_bmbt_irec	irec = { 0 };
	struct xfs_iext_cursor	icur;
	struct xfs_quotainfo	*qi = sc->mp->m_quotainfo;
	struct xfs_ifork	*ifp;
	xfs_fileoff_t		max_dqid_off;
	xfs_fileoff_t		off;
	xfs_fsblock_t		fsbno;
	bool			truncate = false;
	bool			joined = false;
	int			error = 0;

	error = xrep_metadata_inode_forks(sc);
	if (error)
		goto out;

	/* Check for data fork problems that apply only to quota files. */
	max_dqid_off = XFS_DQ_ID_MAX / qi->qi_dqperchunk;
	ifp = xfs_ifork_ptr(sc->ip, XFS_DATA_FORK);
	for_each_xfs_iext(ifp, &icur, &irec) {
		if (isnullstartblock(irec.br_startblock)) {
			/* Delalloc extents don't belong in a metadata file. */
			error = -EFSCORRUPTED;
			goto out;
		}

		if (irec.br_startoff > max_dqid_off ||
		    irec.br_startoff + irec.br_blockcount - 1 > max_dqid_off) {
			/* Mapping beyond the last valid dquot id; trim it. */
			truncate = true;
			break;
		}

		/* Convert unwritten extents to real ones. */
		if (irec.br_state == XFS_EXT_UNWRITTEN) {
			struct xfs_bmbt_irec	nrec;
			int			nmap = 1;

			if (!joined) {
				xfs_trans_ijoin(sc->tp, sc->ip, 0);
				joined = true;
			}

			error = xfs_bmapi_write(sc->tp, sc->ip,
					irec.br_startoff, irec.br_blockcount,
					XFS_BMAPI_CONVERT, 0, &nrec, &nmap);
			if (error)
				goto out;
			ASSERT(nrec.br_startoff == irec.br_startoff);
			ASSERT(nrec.br_blockcount == irec.br_blockcount);

			error = xfs_defer_finish(&sc->tp);
			if (error)
				goto out;
		}
	}

	/* Join the inode even if nothing needed fixing; callers expect it. */
	if (!joined) {
		xfs_trans_ijoin(sc->tp, sc->ip, 0);
		joined = true;
	}

	if (truncate) {
		/* Erase everything after the block containing the max dquot */
		error = xfs_bunmapi_range(&sc->tp, sc->ip, 0,
				max_dqid_off * sc->mp->m_sb.sb_blocksize,
				XFS_MAX_FILEOFF);
		if (error)
			goto out;

		/* Remove all CoW reservations. */
		error = xfs_reflink_cancel_cow_blocks(sc->ip, &sc->tp, 0,
				XFS_MAX_FILEOFF, true);
		if (error)
			goto out;
		sc->ip->i_diflags2 &= ~XFS_DIFLAG2_REFLINK;

		/*
		 * Always re-log the inode so that our permanent transaction
		 * can keep on rolling it forward in the log.
		 */
		xfs_trans_log_inode(sc->tp, sc->ip, XFS_ILOG_CORE);
	}

	/* Now go fix anything that fails the verifiers. */
	for_each_xfs_iext(ifp, &icur, &irec) {
		/* Walk the mapping one dquot cluster at a time. */
		for (fsbno = irec.br_startblock, off = irec.br_startoff;
		     fsbno < irec.br_startblock + irec.br_blockcount;
		     fsbno += XFS_DQUOT_CLUSTER_SIZE_FSB,
		     off += XFS_DQUOT_CLUSTER_SIZE_FSB) {
			error = xrep_quota_block(sc,
					XFS_FSB_TO_DADDR(sc->mp, fsbno),
					dqtype, off * qi->qi_dqperchunk);
			if (error)
				goto out;
		}
	}

out:
	return error;
}

/*
 * Go fix anything in the quota items that we could have been mad about.  Now
 * that we've checked the quota inode data fork we have to drop ILOCK_EXCL to
 * use the regular dquot functions.
 */
STATIC int
xrep_quota_problems(
	struct xfs_scrub	*sc,
	xfs_dqtype_t		dqtype)
{
	struct xchk_dqiter	cursor = { };
	struct xrep_quota_info	rqi = { .sc = sc };
	struct xfs_dquot	*dq;
	int			error;

	/* Walk every dquot of this type; iter returns 1 per locked dquot. */
	xchk_dqiter_init(&cursor, sc, dqtype);
	while ((error = xchk_dquot_iter(&cursor, &dq)) == 1) {
		error = xrep_quota_item(&rqi, dq);
		xfs_qm_dqput(dq);
		if (error)
			break;
	}
	if (error)
		return error;

	/* Make a quotacheck happen. */
	if (rqi.need_quotacheck)
		xrep_force_quotacheck(sc, dqtype);
	return 0;
}

/*
 * Repair all of a quota type's items.
 *
 * Entry point for quota repair: fixes the quota file's data fork, then the
 * individual dquots, then commits the repair transaction.  Returns 0 or a
 * negative errno.
 */
int
xrep_quota(
	struct xfs_scrub	*sc)
{
	xfs_dqtype_t		dqtype;
	int			error;

	dqtype = xchk_quota_to_dqtype(sc);

	/*
	 * Re-take the ILOCK so that we can fix any problems that we found
	 * with the data fork mappings, or with the dquot bufs themselves.
	 */
	if (!(sc->ilock_flags & XFS_ILOCK_EXCL))
		xchk_ilock(sc, XFS_ILOCK_EXCL);
	error = xrep_quota_data_fork(sc, dqtype);
	if (error)
		return error;

	/*
	 * Finish deferred items and roll the transaction to unjoin the quota
	 * inode from transaction so that we can unlock the quota inode; we
	 * play only with dquots from now on.
	 */
	error = xrep_defer_finish(sc);
	if (error)
		return error;
	error = xfs_trans_roll(&sc->tp);
	if (error)
		return error;
	xchk_iunlock(sc, sc->ilock_flags);

	/* Fix anything the dquot verifiers don't complain about. */
	error = xrep_quota_problems(sc, dqtype);
	if (error)
		return error;

	return xrep_trans_commit(sc);
}