xref: /linux/fs/xfs/scrub/reap.c (revision eb01fe7abbe2d0b38824d2a93fdb4cc3eaf2ccc1)
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * Copyright (C) 2022-2023 Oracle.  All Rights Reserved.
4  * Author: Darrick J. Wong <djwong@kernel.org>
5  */
6 #include "xfs.h"
7 #include "xfs_fs.h"
8 #include "xfs_shared.h"
9 #include "xfs_format.h"
10 #include "xfs_trans_resv.h"
11 #include "xfs_mount.h"
12 #include "xfs_btree.h"
13 #include "xfs_log_format.h"
14 #include "xfs_trans.h"
15 #include "xfs_sb.h"
16 #include "xfs_inode.h"
17 #include "xfs_alloc.h"
18 #include "xfs_alloc_btree.h"
19 #include "xfs_ialloc.h"
20 #include "xfs_ialloc_btree.h"
21 #include "xfs_rmap.h"
22 #include "xfs_rmap_btree.h"
23 #include "xfs_refcount.h"
24 #include "xfs_refcount_btree.h"
25 #include "xfs_extent_busy.h"
26 #include "xfs_ag.h"
27 #include "xfs_ag_resv.h"
28 #include "xfs_quota.h"
29 #include "xfs_qm.h"
30 #include "xfs_bmap.h"
31 #include "xfs_da_format.h"
32 #include "xfs_da_btree.h"
33 #include "xfs_attr.h"
34 #include "xfs_attr_remote.h"
35 #include "xfs_defer.h"
36 #include "scrub/scrub.h"
37 #include "scrub/common.h"
38 #include "scrub/trace.h"
39 #include "scrub/repair.h"
40 #include "scrub/bitmap.h"
41 #include "scrub/agb_bitmap.h"
42 #include "scrub/fsb_bitmap.h"
43 #include "scrub/reap.h"
44 
45 /*
46  * Disposal of Blocks from Old Metadata
47  *
48  * Now that we've constructed a new btree to replace the damaged one, we want
49  * to dispose of the blocks that (we think) the old btree was using.
50  * Previously, we used the rmapbt to collect the extents (bitmap) with the
51  * rmap owner corresponding to the tree we rebuilt, collected extents for any
52  * blocks with the same rmap owner that are owned by another data structure
53  * (sublist), and subtracted sublist from bitmap.  In theory the extents
54  * remaining in bitmap are the old btree's blocks.
55  *
56  * Unfortunately, it's possible that the btree was crosslinked with other
57  * blocks on disk.  The rmap data can tell us if there are multiple owners, so
58  * if the rmapbt says there is an owner of this block other than @oinfo, then
59  * the block is crosslinked.  Remove the reverse mapping and continue.
60  *
61  * If there is one rmap record, we can free the block, which removes the
62  * reverse mapping but doesn't add the block to the free space.  Our repair
63  * strategy is to hope the other metadata objects crosslinked on this block
64  * will be rebuilt (atop different blocks), thereby removing all the cross
65  * links.
66  *
67  * If there are no rmap records at all, we also free the block.  If the btree
68  * being rebuilt lives in the free space (bnobt/cntbt/rmapbt) then there isn't
69  * supposed to be a rmap record and everything is ok.  For other btrees there
70  * had to have been an rmap entry for the block to have ended up on @bitmap,
71  * so if it's gone now there's something wrong and the fs will shut down.
72  *
73  * Note: If there are multiple rmap records with only the same rmap owner as
74  * the btree we're trying to rebuild and the block is indeed owned by another
75  * data structure with the same rmap owner, then the block will be in sublist
76  * and therefore doesn't need disposal.  If there are multiple rmap records
77  * with only the same rmap owner but the block is not owned by something with
78  * the same rmap owner, the block will be freed.
79  *
80  * The caller is responsible for locking the AG headers/inode for the entire
81  * rebuild operation so that nothing else can sneak in and change the incore
82  * state while we're not looking.  We must also invalidate any buffers
83  * associated with @bitmap.
84  */
85 
86 /* Information about reaping extents after a repair. */
87 struct xreap_state {
88 	struct xfs_scrub		*sc;
89 
90 	/* Reverse mapping owner and metadata reservation type. */
91 	const struct xfs_owner_info	*oinfo;
92 	enum xfs_ag_resv_type		resv;
93 
94 	/* If true, roll the transaction before reaping the next extent. */
95 	bool				force_roll;
96 
97 	/* Number of deferred reaps attached to the current transaction. */
98 	unsigned int			deferred;
99 
100 	/* Number of invalidated buffers logged to the current transaction. */
101 	unsigned int			invalidated;
102 
103 	/* Number of deferred reaps queued during the whole reap sequence. */
104 	unsigned long long		total_deferred;
105 };
106 
107 /* Put a block back on the AGFL. */
108 STATIC int
109 xreap_put_freelist(
110 	struct xfs_scrub	*sc,
111 	xfs_agblock_t		agbno)
112 {
113 	struct xfs_buf		*agfl_bp;
114 	int			error;
115 
116 	/* Make sure there's space on the freelist. */
117 	error = xrep_fix_freelist(sc, 0);
118 	if (error)
119 		return error;
120 
121 	/*
122 	 * Since we're "freeing" a lost block onto the AGFL, we have to
123 	 * create an rmap for the block prior to merging it or else other
124 	 * parts will break.
125 	 */
126 	error = xfs_rmap_alloc(sc->tp, sc->sa.agf_bp, sc->sa.pag, agbno, 1,
127 			&XFS_RMAP_OINFO_AG);
128 	if (error)
129 		return error;
130 
131 	/* Put the block on the AGFL. */
132 	error = xfs_alloc_read_agfl(sc->sa.pag, sc->tp, &agfl_bp);
133 	if (error)
134 		return error;
135 
136 	error = xfs_alloc_put_freelist(sc->sa.pag, sc->tp, sc->sa.agf_bp,
137 			agfl_bp, agbno, 0);
138 	if (error)
139 		return error;
140 	xfs_extent_busy_insert(sc->tp, sc->sa.pag, agbno, 1,
141 			XFS_EXTENT_BUSY_SKIP_DISCARD);
142 
143 	return 0;
144 }
145 
146 /* Are there any uncommitted reap operations? */
147 static inline bool xreap_dirty(const struct xreap_state *rs)
148 {
149 	if (rs->force_roll)
150 		return true;
151 	if (rs->deferred)
152 		return true;
153 	if (rs->invalidated)
154 		return true;
155 	if (rs->total_deferred)
156 		return true;
157 	return false;
158 }
159 
160 #define XREAP_MAX_BINVAL	(2048)
161 
162 /*
163  * Decide if we want to roll the transaction after reaping an extent.  We don't
164  * want to overrun the transaction reservation, so we prohibit more than
165  * 128 EFIs per transaction.  For the same reason, we limit the number
166  * of buffer invalidations to 2048.
167  */
168 static inline bool xreap_want_roll(const struct xreap_state *rs)
169 {
170 	if (rs->force_roll)
171 		return true;
172 	if (rs->deferred > XREP_MAX_ITRUNCATE_EFIS)
173 		return true;
174 	if (rs->invalidated > XREAP_MAX_BINVAL)
175 		return true;
176 	return false;
177 }
178 
179 static inline void xreap_reset(struct xreap_state *rs)
180 {
181 	rs->total_deferred += rs->deferred;
182 	rs->deferred = 0;
183 	rs->invalidated = 0;
184 	rs->force_roll = false;
185 }
186 
187 #define XREAP_MAX_DEFER_CHAIN		(2048)
188 
189 /*
190  * Decide if we want to finish the deferred ops that are attached to the scrub
191  * transaction.  We don't want to queue huge chains of deferred ops because
192  * that can consume a lot of log space and kernel memory.  Hence we trigger a
193  * xfs_defer_finish if there are more than 2048 deferred reap operations or the
194  * caller did some real work.
195  */
196 static inline bool
197 xreap_want_defer_finish(const struct xreap_state *rs)
198 {
199 	if (rs->force_roll)
200 		return true;
201 	if (rs->total_deferred > XREAP_MAX_DEFER_CHAIN)
202 		return true;
203 	return false;
204 }
205 
206 static inline void xreap_defer_finish_reset(struct xreap_state *rs)
207 {
208 	rs->total_deferred = 0;
209 	rs->deferred = 0;
210 	rs->invalidated = 0;
211 	rs->force_roll = false;
212 }
213 
214 /* Try to invalidate the incore buffers for an extent that we're freeing. */
215 STATIC void
216 xreap_agextent_binval(
217 	struct xreap_state	*rs,
218 	xfs_agblock_t		agbno,
219 	xfs_extlen_t		*aglenp)
220 {
221 	struct xfs_scrub	*sc = rs->sc;
222 	struct xfs_perag	*pag = sc->sa.pag;
223 	struct xfs_mount	*mp = sc->mp;
224 	xfs_agnumber_t		agno = sc->sa.pag->pag_agno;
225 	xfs_agblock_t		agbno_next = agbno + *aglenp;
226 	xfs_agblock_t		bno = agbno;
227 
228 	/*
229 	 * Avoid invalidating AG headers and post-EOFS blocks because we never
230 	 * own those.
231 	 */
232 	if (!xfs_verify_agbno(pag, agbno) ||
233 	    !xfs_verify_agbno(pag, agbno_next - 1))
234 		return;
235 
236 	/*
237 	 * If there are incore buffers for these blocks, invalidate them.  We
238 	 * assume that the lack of any other known owners means that the buffer
239 	 * can be locked without risk of deadlocking.  The buffer cache cannot
240 	 * detect aliasing, so employ nested loops to scan for incore buffers
241 	 * of any plausible size.
242 	 */
243 	while (bno < agbno_next) {
244 		xfs_agblock_t	fsbcount;
245 		xfs_agblock_t	max_fsbs;
246 
247 		/*
248 		 * Max buffer size is the max remote xattr buffer size, which
249 		 * is one fs block larger than 64k.
250 		 */
251 		max_fsbs = min_t(xfs_agblock_t, agbno_next - bno,
252 				xfs_attr3_rmt_blocks(mp, XFS_XATTR_SIZE_MAX));
253 
254 		for (fsbcount = 1; fsbcount <= max_fsbs; fsbcount++) {
255 			struct xfs_buf	*bp = NULL;
256 			xfs_daddr_t	daddr;
257 			int		error;
258 
259 			daddr = XFS_AGB_TO_DADDR(mp, agno, bno);
260 			error = xfs_buf_incore(mp->m_ddev_targp, daddr,
261 					XFS_FSB_TO_BB(mp, fsbcount),
262 					XBF_LIVESCAN, &bp);
263 			if (error)
264 				continue;
265 
266 			xfs_trans_bjoin(sc->tp, bp);
267 			xfs_trans_binval(sc->tp, bp);
268 			rs->invalidated++;
269 
270 			/*
271 			 * Stop invalidating if we've hit the limit; we should
272 			 * still have enough reservation left to free however
273 			 * far we've gotten.
274 			 */
275 			if (rs->invalidated > XREAP_MAX_BINVAL) {
276 				*aglenp -= agbno_next - bno;
277 				goto out;
278 			}
279 		}
280 
281 		bno++;
282 	}
283 
284 out:
285 	trace_xreap_agextent_binval(sc->sa.pag, agbno, *aglenp);
286 }
287 
288 /*
289  * Figure out the longest run of blocks that we can dispose of with a single
290  * call.  Cross-linked blocks should have their reverse mappings removed, but
291  * single-owner extents can be freed.  AGFL blocks can only be put back one at
292  * a time.
293  */
294 STATIC int
295 xreap_agextent_select(
296 	struct xreap_state	*rs,
297 	xfs_agblock_t		agbno,
298 	xfs_agblock_t		agbno_next,
299 	bool			*crosslinked,
300 	xfs_extlen_t		*aglenp)
301 {
302 	struct xfs_scrub	*sc = rs->sc;
303 	struct xfs_btree_cur	*cur;
304 	xfs_agblock_t		bno = agbno + 1;
305 	xfs_extlen_t		len = 1;
306 	int			error;
307 
308 	/*
309 	 * Determine if there are any other rmap records covering the first
310 	 * block of this extent.  If so, the block is crosslinked.
311 	 */
312 	cur = xfs_rmapbt_init_cursor(sc->mp, sc->tp, sc->sa.agf_bp,
313 			sc->sa.pag);
314 	error = xfs_rmap_has_other_keys(cur, agbno, 1, rs->oinfo,
315 			crosslinked);
316 	if (error)
317 		goto out_cur;
318 
319 	/* AGFL blocks can only be deal with one at a time. */
320 	if (rs->resv == XFS_AG_RESV_AGFL)
321 		goto out_found;
322 
323 	/*
324 	 * Figure out how many of the subsequent blocks have the same crosslink
325 	 * status.
326 	 */
327 	while (bno < agbno_next) {
328 		bool		also_crosslinked;
329 
330 		error = xfs_rmap_has_other_keys(cur, bno, 1, rs->oinfo,
331 				&also_crosslinked);
332 		if (error)
333 			goto out_cur;
334 
335 		if (*crosslinked != also_crosslinked)
336 			break;
337 
338 		len++;
339 		bno++;
340 	}
341 
342 out_found:
343 	*aglenp = len;
344 	trace_xreap_agextent_select(sc->sa.pag, agbno, len, *crosslinked);
345 out_cur:
346 	xfs_btree_del_cursor(cur, error);
347 	return error;
348 }
349 
350 /*
351  * Dispose of as much of the beginning of this AG extent as possible.  The
352  * number of blocks disposed of will be returned in @aglenp.
353  */
354 STATIC int
355 xreap_agextent_iter(
356 	struct xreap_state	*rs,
357 	xfs_agblock_t		agbno,
358 	xfs_extlen_t		*aglenp,
359 	bool			crosslinked)
360 {
361 	struct xfs_scrub	*sc = rs->sc;
362 	xfs_fsblock_t		fsbno;
363 	int			error = 0;
364 
365 	fsbno = XFS_AGB_TO_FSB(sc->mp, sc->sa.pag->pag_agno, agbno);
366 
367 	/*
368 	 * If there are other rmappings, this block is cross linked and must
369 	 * not be freed.  Remove the reverse mapping and move on.  Otherwise,
370 	 * we were the only owner of the block, so free the extent, which will
371 	 * also remove the rmap.
372 	 *
373 	 * XXX: XFS doesn't support detecting the case where a single block
374 	 * metadata structure is crosslinked with a multi-block structure
375 	 * because the buffer cache doesn't detect aliasing problems, so we
376 	 * can't fix 100% of crosslinking problems (yet).  The verifiers will
377 	 * blow on writeout, the filesystem will shut down, and the admin gets
378 	 * to run xfs_repair.
379 	 */
380 	if (crosslinked) {
381 		trace_xreap_dispose_unmap_extent(sc->sa.pag, agbno, *aglenp);
382 
383 		rs->force_roll = true;
384 
385 		if (rs->oinfo == &XFS_RMAP_OINFO_COW) {
386 			/*
387 			 * If we're unmapping CoW staging extents, remove the
388 			 * records from the refcountbt, which will remove the
389 			 * rmap record as well.
390 			 */
391 			xfs_refcount_free_cow_extent(sc->tp, fsbno, *aglenp);
392 			return 0;
393 		}
394 
395 		return xfs_rmap_free(sc->tp, sc->sa.agf_bp, sc->sa.pag, agbno,
396 				*aglenp, rs->oinfo);
397 	}
398 
399 	trace_xreap_dispose_free_extent(sc->sa.pag, agbno, *aglenp);
400 
401 	/*
402 	 * Invalidate as many buffers as we can, starting at agbno.  If this
403 	 * function sets *aglenp to zero, the transaction is full of logged
404 	 * buffer invalidations, so we need to return early so that we can
405 	 * roll and retry.
406 	 */
407 	xreap_agextent_binval(rs, agbno, aglenp);
408 	if (*aglenp == 0) {
409 		ASSERT(xreap_want_roll(rs));
410 		return 0;
411 	}
412 
413 	/*
414 	 * If we're getting rid of CoW staging extents, use deferred work items
415 	 * to remove the refcountbt records (which removes the rmap records)
416 	 * and free the extent.  We're not worried about the system going down
417 	 * here because log recovery walks the refcount btree to clean out the
418 	 * CoW staging extents.
419 	 */
420 	if (rs->oinfo == &XFS_RMAP_OINFO_COW) {
421 		ASSERT(rs->resv == XFS_AG_RESV_NONE);
422 
423 		xfs_refcount_free_cow_extent(sc->tp, fsbno, *aglenp);
424 		error = xfs_free_extent_later(sc->tp, fsbno, *aglenp, NULL,
425 				rs->resv, true);
426 		if (error)
427 			return error;
428 
429 		rs->force_roll = true;
430 		return 0;
431 	}
432 
433 	/* Put blocks back on the AGFL one at a time. */
434 	if (rs->resv == XFS_AG_RESV_AGFL) {
435 		ASSERT(*aglenp == 1);
436 		error = xreap_put_freelist(sc, agbno);
437 		if (error)
438 			return error;
439 
440 		rs->force_roll = true;
441 		return 0;
442 	}
443 
444 	/*
445 	 * Use deferred frees to get rid of the old btree blocks to try to
446 	 * minimize the window in which we could crash and lose the old blocks.
447 	 * Add a defer ops barrier every other extent to avoid stressing the
448 	 * system with large EFIs.
449 	 */
450 	error = xfs_free_extent_later(sc->tp, fsbno, *aglenp, rs->oinfo,
451 			rs->resv, true);
452 	if (error)
453 		return error;
454 
455 	rs->deferred++;
456 	if (rs->deferred % 2 == 0)
457 		xfs_defer_add_barrier(sc->tp);
458 	return 0;
459 }
460 
461 /*
462  * Break an AG metadata extent into sub-extents by fate (crosslinked, not
463  * crosslinked), and dispose of each sub-extent separately.
464  */
465 STATIC int
466 xreap_agmeta_extent(
467 	uint32_t		agbno,
468 	uint32_t		len,
469 	void			*priv)
470 {
471 	struct xreap_state	*rs = priv;
472 	struct xfs_scrub	*sc = rs->sc;
473 	xfs_agblock_t		agbno_next = agbno + len;
474 	int			error = 0;
475 
476 	ASSERT(len <= XFS_MAX_BMBT_EXTLEN);
477 	ASSERT(sc->ip == NULL);
478 
479 	while (agbno < agbno_next) {
480 		xfs_extlen_t	aglen;
481 		bool		crosslinked;
482 
483 		error = xreap_agextent_select(rs, agbno, agbno_next,
484 				&crosslinked, &aglen);
485 		if (error)
486 			return error;
487 
488 		error = xreap_agextent_iter(rs, agbno, &aglen, crosslinked);
489 		if (error)
490 			return error;
491 
492 		if (xreap_want_defer_finish(rs)) {
493 			error = xrep_defer_finish(sc);
494 			if (error)
495 				return error;
496 			xreap_defer_finish_reset(rs);
497 		} else if (xreap_want_roll(rs)) {
498 			error = xrep_roll_ag_trans(sc);
499 			if (error)
500 				return error;
501 			xreap_reset(rs);
502 		}
503 
504 		agbno += aglen;
505 	}
506 
507 	return 0;
508 }
509 
510 /* Dispose of every block of every AG metadata extent in the bitmap. */
511 int
512 xrep_reap_agblocks(
513 	struct xfs_scrub		*sc,
514 	struct xagb_bitmap		*bitmap,
515 	const struct xfs_owner_info	*oinfo,
516 	enum xfs_ag_resv_type		type)
517 {
518 	struct xreap_state		rs = {
519 		.sc			= sc,
520 		.oinfo			= oinfo,
521 		.resv			= type,
522 	};
523 	int				error;
524 
525 	ASSERT(xfs_has_rmapbt(sc->mp));
526 	ASSERT(sc->ip == NULL);
527 
528 	error = xagb_bitmap_walk(bitmap, xreap_agmeta_extent, &rs);
529 	if (error)
530 		return error;
531 
532 	if (xreap_dirty(&rs))
533 		return xrep_defer_finish(sc);
534 
535 	return 0;
536 }
537 
538 /*
539  * Break a file metadata extent into sub-extents by fate (crosslinked, not
540  * crosslinked), and dispose of each sub-extent separately.  The extent must
541  * not cross an AG boundary.
542  */
543 STATIC int
544 xreap_fsmeta_extent(
545 	uint64_t		fsbno,
546 	uint64_t		len,
547 	void			*priv)
548 {
549 	struct xreap_state	*rs = priv;
550 	struct xfs_scrub	*sc = rs->sc;
551 	xfs_agnumber_t		agno = XFS_FSB_TO_AGNO(sc->mp, fsbno);
552 	xfs_agblock_t		agbno = XFS_FSB_TO_AGBNO(sc->mp, fsbno);
553 	xfs_agblock_t		agbno_next = agbno + len;
554 	int			error = 0;
555 
556 	ASSERT(len <= XFS_MAX_BMBT_EXTLEN);
557 	ASSERT(sc->ip != NULL);
558 	ASSERT(!sc->sa.pag);
559 
560 	/*
561 	 * We're reaping blocks after repairing file metadata, which means that
562 	 * we have to init the xchk_ag structure ourselves.
563 	 */
564 	sc->sa.pag = xfs_perag_get(sc->mp, agno);
565 	if (!sc->sa.pag)
566 		return -EFSCORRUPTED;
567 
568 	error = xfs_alloc_read_agf(sc->sa.pag, sc->tp, 0, &sc->sa.agf_bp);
569 	if (error)
570 		goto out_pag;
571 
572 	while (agbno < agbno_next) {
573 		xfs_extlen_t	aglen;
574 		bool		crosslinked;
575 
576 		error = xreap_agextent_select(rs, agbno, agbno_next,
577 				&crosslinked, &aglen);
578 		if (error)
579 			goto out_agf;
580 
581 		error = xreap_agextent_iter(rs, agbno, &aglen, crosslinked);
582 		if (error)
583 			goto out_agf;
584 
585 		if (xreap_want_defer_finish(rs)) {
586 			/*
587 			 * Holds the AGF buffer across the deferred chain
588 			 * processing.
589 			 */
590 			error = xrep_defer_finish(sc);
591 			if (error)
592 				goto out_agf;
593 			xreap_defer_finish_reset(rs);
594 		} else if (xreap_want_roll(rs)) {
595 			/*
596 			 * Hold the AGF buffer across the transaction roll so
597 			 * that we don't have to reattach it to the scrub
598 			 * context.
599 			 */
600 			xfs_trans_bhold(sc->tp, sc->sa.agf_bp);
601 			error = xfs_trans_roll_inode(&sc->tp, sc->ip);
602 			xfs_trans_bjoin(sc->tp, sc->sa.agf_bp);
603 			if (error)
604 				goto out_agf;
605 			xreap_reset(rs);
606 		}
607 
608 		agbno += aglen;
609 	}
610 
611 out_agf:
612 	xfs_trans_brelse(sc->tp, sc->sa.agf_bp);
613 	sc->sa.agf_bp = NULL;
614 out_pag:
615 	xfs_perag_put(sc->sa.pag);
616 	sc->sa.pag = NULL;
617 	return error;
618 }
619 
620 /*
621  * Dispose of every block of every fs metadata extent in the bitmap.
622  * Do not use this to dispose of the mappings in an ondisk inode fork.
623  */
624 int
625 xrep_reap_fsblocks(
626 	struct xfs_scrub		*sc,
627 	struct xfsb_bitmap		*bitmap,
628 	const struct xfs_owner_info	*oinfo)
629 {
630 	struct xreap_state		rs = {
631 		.sc			= sc,
632 		.oinfo			= oinfo,
633 		.resv			= XFS_AG_RESV_NONE,
634 	};
635 	int				error;
636 
637 	ASSERT(xfs_has_rmapbt(sc->mp));
638 	ASSERT(sc->ip != NULL);
639 
640 	error = xfsb_bitmap_walk(bitmap, xreap_fsmeta_extent, &rs);
641 	if (error)
642 		return error;
643 
644 	if (xreap_dirty(&rs))
645 		return xrep_defer_finish(sc);
646 
647 	return 0;
648 }
649