blob: 67478294f11ae8616195f259a841cdede1f5d2f9 [file] [log] [blame]
// SPDX-License-Identifier: GPL-2.0-or-later
/*
* Copyright (C) 2018-2023 Oracle. All Rights Reserved.
* Author: Darrick J. Wong <djwong@kernel.org>
*/
#include "xfs.h"
#include "xfs_fs.h"
#include "xfs_shared.h"
#include "xfs_format.h"
#include "xfs_trans_resv.h"
#include "xfs_mount.h"
#include "xfs_btree.h"
#include "xfs_log_format.h"
#include "xfs_trans.h"
#include "xfs_sb.h"
#include "xfs_inode.h"
#include "xfs_alloc.h"
#include "xfs_alloc_btree.h"
#include "xfs_ialloc.h"
#include "xfs_ialloc_btree.h"
#include "xfs_rmap.h"
#include "xfs_rmap_btree.h"
#include "xfs_refcount_btree.h"
#include "xfs_extent_busy.h"
#include "xfs_ag.h"
#include "xfs_ag_resv.h"
#include "xfs_quota.h"
#include "xfs_qm.h"
#include "xfs_defer.h"
#include "xfs_errortag.h"
#include "xfs_error.h"
#include "xfs_reflink.h"
#include "xfs_health.h"
#include "xfs_buf_mem.h"
#include "xfs_da_format.h"
#include "xfs_da_btree.h"
#include "xfs_attr.h"
#include "xfs_dir2.h"
#include "scrub/scrub.h"
#include "scrub/common.h"
#include "scrub/trace.h"
#include "scrub/repair.h"
#include "scrub/bitmap.h"
#include "scrub/stats.h"
#include "scrub/xfile.h"
#include "scrub/attr_repair.h"
/*
* Attempt to repair some metadata, if the metadata is corrupt and userspace
* told us to fix it. This function returns -EAGAIN to mean "re-run scrub",
* and will set *fixed to true if it thinks it repaired anything.
*/
int
xrep_attempt(
struct xfs_scrub *sc,
struct xchk_stats_run *run)
{
u64 repair_start;
int error = 0;
trace_xrep_attempt(XFS_I(file_inode(sc->file)), sc->sm, error);
xchk_ag_btcur_free(&sc->sa);
/* Repair whatever's broken. */
ASSERT(sc->ops->repair);
run->repair_attempted = true;
repair_start = xchk_stats_now();
error = sc->ops->repair(sc);
trace_xrep_done(XFS_I(file_inode(sc->file)), sc->sm, error);
run->repair_ns += xchk_stats_elapsed_ns(repair_start);
switch (error) {
case 0:
/*
* Repair succeeded. Commit the fixes and perform a second
* scrub so that we can tell userspace if we fixed the problem.
*/
sc->sm->sm_flags &= ~XFS_SCRUB_FLAGS_OUT;
sc->flags |= XREP_ALREADY_FIXED;
run->repair_succeeded = true;
return -EAGAIN;
case -ECHRNG:
sc->flags |= XCHK_NEED_DRAIN;
run->retries++;
return -EAGAIN;
case -EDEADLOCK:
/* Tell the caller to try again having grabbed all the locks. */
if (!(sc->flags & XCHK_TRY_HARDER)) {
sc->flags |= XCHK_TRY_HARDER;
run->retries++;
return -EAGAIN;
}
/*
* We tried harder but still couldn't grab all the resources
* we needed to fix it. The corruption has not been fixed,
* so exit to userspace with the scan's output flags unchanged.
*/
return 0;
default:
/*
* EAGAIN tells the caller to re-scrub, so we cannot return
* that here.
*/
ASSERT(error != -EAGAIN);
return error;
}
}
/*
* Complain about unfixable problems in the filesystem. We don't log
* corruptions when IFLAG_REPAIR wasn't set on the assumption that the driver
* program is xfs_scrub, which will call back with IFLAG_REPAIR set if the
* administrator isn't running xfs_scrub in no-repairs mode.
*
* Use this helper function because _ratelimited silently declares a static
* structure to track rate limiting information.
*/
void
xrep_failure(
struct xfs_mount *mp)
{
xfs_alert_ratelimited(mp,
"Corruption not fixed during online repair. Unmount and run xfs_repair.");
}
/*
* Repair probe -- userspace uses this to probe if we're willing to repair a
* given mountpoint.
*/
int
xrep_probe(
struct xfs_scrub *sc)
{
int error = 0;
if (xchk_should_terminate(sc, &error))
return error;
return 0;
}
/*
* Roll a transaction, keeping the AG headers locked and reinitializing
* the btree cursors.
*/
int
xrep_roll_ag_trans(
struct xfs_scrub *sc)
{
int error;
/*
* Keep the AG header buffers locked while we roll the transaction.
* Ensure that both AG buffers are dirty and held when we roll the
* transaction so that they move forward in the log without losing the
* bli (and hence the bli type) when the transaction commits.
*
* Normal code would never hold clean buffers across a roll, but repair
* needs both buffers to maintain a total lock on the AG.
*/
if (sc->sa.agi_bp) {
xfs_ialloc_log_agi(sc->tp, sc->sa.agi_bp, XFS_AGI_MAGICNUM);
xfs_trans_bhold(sc->tp, sc->sa.agi_bp);
}
if (sc->sa.agf_bp) {
xfs_alloc_log_agf(sc->tp, sc->sa.agf_bp, XFS_AGF_MAGICNUM);
xfs_trans_bhold(sc->tp, sc->sa.agf_bp);
}
/*
* Roll the transaction. We still hold the AG header buffers locked
* regardless of whether or not that succeeds. On failure, the buffers
* will be released during teardown on our way out of the kernel. If
* successful, join the buffers to the new transaction and move on.
*/
error = xfs_trans_roll(&sc->tp);
if (error)
return error;
/* Join the AG headers to the new transaction. */
if (sc->sa.agi_bp)
xfs_trans_bjoin(sc->tp, sc->sa.agi_bp);
if (sc->sa.agf_bp)
xfs_trans_bjoin(sc->tp, sc->sa.agf_bp);
return 0;
}
/* Roll the scrub transaction, holding the primary metadata locked. */
int
xrep_roll_trans(
struct xfs_scrub *sc)
{
if (!sc->ip)
return xrep_roll_ag_trans(sc);
return xfs_trans_roll_inode(&sc->tp, sc->ip);
}
/* Finish all deferred work attached to the repair transaction. */
int
xrep_defer_finish(
struct xfs_scrub *sc)
{
int error;
/*
* Keep the AG header buffers locked while we complete deferred work
* items. Ensure that both AG buffers are dirty and held when we roll
* the transaction so that they move forward in the log without losing
* the bli (and hence the bli type) when the transaction commits.
*
* Normal code would never hold clean buffers across a roll, but repair
* needs both buffers to maintain a total lock on the AG.
*/
if (sc->sa.agi_bp) {
xfs_ialloc_log_agi(sc->tp, sc->sa.agi_bp, XFS_AGI_MAGICNUM);
xfs_trans_bhold(sc->tp, sc->sa.agi_bp);
}
if (sc->sa.agf_bp) {
xfs_alloc_log_agf(sc->tp, sc->sa.agf_bp, XFS_AGF_MAGICNUM);
xfs_trans_bhold(sc->tp, sc->sa.agf_bp);
}
/*
* Finish all deferred work items. We still hold the AG header buffers
* locked regardless of whether or not that succeeds. On failure, the
* buffers will be released during teardown on our way out of the
* kernel. If successful, join the buffers to the new transaction
* and move on.
*/
error = xfs_defer_finish(&sc->tp);
if (error)
return error;
/*
* Release the hold that we set above because defer_finish won't do
* that for us. The defer roll code redirties held buffers after each
* roll, so the AG header buffers should be ready for logging.
*/
if (sc->sa.agi_bp)
xfs_trans_bhold_release(sc->tp, sc->sa.agi_bp);
if (sc->sa.agf_bp)
xfs_trans_bhold_release(sc->tp, sc->sa.agf_bp);
return 0;
}
/*
* Does the given AG have enough space to rebuild a btree? Neither AG
* reservation can be critical, and we must have enough space (factoring
* in AG reservations) to construct a whole btree.
*/
bool
xrep_ag_has_space(
struct xfs_perag *pag,
xfs_extlen_t nr_blocks,
enum xfs_ag_resv_type type)
{
return !xfs_ag_resv_critical(pag, XFS_AG_RESV_RMAPBT) &&
!xfs_ag_resv_critical(pag, XFS_AG_RESV_METADATA) &&
pag->pagf_freeblks > xfs_ag_resv_needed(pag, type) + nr_blocks;
}
/*
* Figure out how many blocks to reserve for an AG repair. We calculate the
* worst case estimate for the number of blocks we'd need to rebuild one of
* any type of per-AG btree.
*/
xfs_extlen_t
xrep_calc_ag_resblks(
struct xfs_scrub *sc)
{
struct xfs_mount *mp = sc->mp;
struct xfs_scrub_metadata *sm = sc->sm;
struct xfs_perag *pag;
struct xfs_buf *bp;
xfs_agino_t icount = NULLAGINO;
xfs_extlen_t aglen = NULLAGBLOCK;
xfs_extlen_t usedlen;
xfs_extlen_t freelen;
xfs_extlen_t bnobt_sz;
xfs_extlen_t inobt_sz;
xfs_extlen_t rmapbt_sz;
xfs_extlen_t refcbt_sz;
int error;
if (!(sm->sm_flags & XFS_SCRUB_IFLAG_REPAIR))
return 0;
pag = xfs_perag_get(mp, sm->sm_agno);
if (xfs_perag_initialised_agi(pag)) {
/* Use in-core icount if possible. */
icount = pag->pagi_count;
} else {
/* Try to get the actual counters from disk. */
error = xfs_ialloc_read_agi(pag, NULL, 0, &bp);
if (!error) {
icount = pag->pagi_count;
xfs_buf_relse(bp);
}
}
/* Now grab the block counters from the AGF. */
error = xfs_alloc_read_agf(pag, NULL, 0, &bp);
if (error) {
aglen = pag->block_count;
freelen = aglen;
usedlen = aglen;
} else {
struct xfs_agf *agf = bp->b_addr;
aglen = be32_to_cpu(agf->agf_length);
freelen = be32_to_cpu(agf->agf_freeblks);
usedlen = aglen - freelen;
xfs_buf_relse(bp);
}
/* If the icount is impossible, make some worst-case assumptions. */
if (icount == NULLAGINO ||
!xfs_verify_agino(pag, icount)) {
icount = pag->agino_max - pag->agino_min + 1;
}
/* If the block counts are impossible, make worst-case assumptions. */
if (aglen == NULLAGBLOCK ||
aglen != pag->block_count ||
freelen >= aglen) {
aglen = pag->block_count;
freelen = aglen;
usedlen = aglen;
}
xfs_perag_put(pag);
trace_xrep_calc_ag_resblks(mp, sm->sm_agno, icount, aglen,
freelen, usedlen);
/*
* Figure out how many blocks we'd need worst case to rebuild
* each type of btree. Note that we can only rebuild the
* bnobt/cntbt or inobt/finobt as pairs.
*/
bnobt_sz = 2 * xfs_allocbt_calc_size(mp, freelen);
if (xfs_has_sparseinodes(mp))
inobt_sz = xfs_iallocbt_calc_size(mp, icount /
XFS_INODES_PER_HOLEMASK_BIT);
else
inobt_sz = xfs_iallocbt_calc_size(mp, icount /
XFS_INODES_PER_CHUNK);
if (xfs_has_finobt(mp))
inobt_sz *= 2;
if (xfs_has_reflink(mp))
refcbt_sz = xfs_refcountbt_calc_size(mp, usedlen);
else
refcbt_sz = 0;
if (xfs_has_rmapbt(mp)) {
/*
* Guess how many blocks we need to rebuild the rmapbt.
* For non-reflink filesystems we can't have more records than
* used blocks. However, with reflink it's possible to have
* more than one rmap record per AG block. We don't know how
* many rmaps there could be in the AG, so we start off with
* what we hope is an generous over-estimation.
*/
if (xfs_has_reflink(mp))
rmapbt_sz = xfs_rmapbt_calc_size(mp,
(unsigned long long)aglen * 2);
else
rmapbt_sz = xfs_rmapbt_calc_size(mp, usedlen);
} else {
rmapbt_sz = 0;
}
trace_xrep_calc_ag_resblks_btsize(mp, sm->sm_agno, bnobt_sz,
inobt_sz, rmapbt_sz, refcbt_sz);
return max(max(bnobt_sz, inobt_sz), max(rmapbt_sz, refcbt_sz));
}
/*
* Reconstructing per-AG Btrees
*
* When a space btree is corrupt, we don't bother trying to fix it. Instead,
* we scan secondary space metadata to derive the records that should be in
* the damaged btree, initialize a fresh btree root, and insert the records.
* Note that for rebuilding the rmapbt we scan all the primary data to
* generate the new records.
*
* However, that leaves the matter of removing all the metadata describing the
* old broken structure. For primary metadata we use the rmap data to collect
* every extent with a matching rmap owner (bitmap); we then iterate all other
* metadata structures with the same rmap owner to collect the extents that
* cannot be removed (sublist). We then subtract sublist from bitmap to
* derive the blocks that were used by the old btree. These blocks can be
* reaped.
*
* For rmapbt reconstructions we must use different tactics for extent
* collection. First we iterate all primary metadata (this excludes the old
* rmapbt, obviously) to generate new rmap records. The gaps in the rmap
* records are collected as bitmap. The bnobt records are collected as
* sublist. As with the other btrees we subtract sublist from bitmap, and the
* result (since the rmapbt lives in the free space) are the blocks from the
* old rmapbt.
*/
/* Ensure the freelist is the correct size. */
int
xrep_fix_freelist(
struct xfs_scrub *sc,
int alloc_flags)
{
struct xfs_alloc_arg args = {0};
args.mp = sc->mp;
args.tp = sc->tp;
args.agno = sc->sa.pag->pag_agno;
args.alignment = 1;
args.pag = sc->sa.pag;
return xfs_alloc_fix_freelist(&args, alloc_flags);
}
/*
* Finding per-AG Btree Roots for AGF/AGI Reconstruction
*
* If the AGF or AGI become slightly corrupted, it may be necessary to rebuild
* the AG headers by using the rmap data to rummage through the AG looking for
* btree roots. This is not guaranteed to work if the AG is heavily damaged
* or the rmap data are corrupt.
*
* Callers of xrep_find_ag_btree_roots must lock the AGF and AGFL
* buffers if the AGF is being rebuilt; or the AGF and AGI buffers if the
* AGI is being rebuilt. It must maintain these locks until it's safe for
* other threads to change the btrees' shapes. The caller provides
* information about the btrees to look for by passing in an array of
* xrep_find_ag_btree with the (rmap owner, buf_ops, magic) fields set.
* The (root, height) fields will be set on return if anything is found. The
* last element of the array should have a NULL buf_ops to mark the end of the
* array.
*
* For every rmapbt record matching any of the rmap owners in btree_info,
* read each block referenced by the rmap record. If the block is a btree
* block from this filesystem matching any of the magic numbers and has a
* level higher than what we've already seen, remember the block and the
* height of the tree required to have such a block. When the call completes,
* we return the highest block we've found for each btree description; those
* should be the roots.
*/
struct xrep_findroot {
struct xfs_scrub *sc;
struct xfs_buf *agfl_bp;
struct xfs_agf *agf;
struct xrep_find_ag_btree *btree_info;
};
/* See if our block is in the AGFL. */
STATIC int
xrep_findroot_agfl_walk(
struct xfs_mount *mp,
xfs_agblock_t bno,
void *priv)
{
xfs_agblock_t *agbno = priv;
return (*agbno == bno) ? -ECANCELED : 0;
}
/* Does this block match the btree information passed in? */
STATIC int
xrep_findroot_block(
struct xrep_findroot *ri,
struct xrep_find_ag_btree *fab,
uint64_t owner,
xfs_agblock_t agbno,
bool *done_with_block)
{
struct xfs_mount *mp = ri->sc->mp;
struct xfs_buf *bp;
struct xfs_btree_block *btblock;
xfs_daddr_t daddr;
int block_level;
int error = 0;
daddr = XFS_AGB_TO_DADDR(mp, ri->sc->sa.pag->pag_agno, agbno);
/*
* Blocks in the AGFL have stale contents that might just happen to
* have a matching magic and uuid. We don't want to pull these blocks
* in as part of a tree root, so we have to filter out the AGFL stuff
* here. If the AGFL looks insane we'll just refuse to repair.
*/
if (owner == XFS_RMAP_OWN_AG) {
error = xfs_agfl_walk(mp, ri->agf, ri->agfl_bp,
xrep_findroot_agfl_walk, &agbno);
if (error == -ECANCELED)
return 0;
if (error)
return error;
}
/*
* Read the buffer into memory so that we can see if it's a match for
* our btree type. We have no clue if it is beforehand, and we want to
* avoid xfs_trans_read_buf's behavior of dumping the DONE state (which
* will cause needless disk reads in subsequent calls to this function)
* and logging metadata verifier failures.
*
* Therefore, pass in NULL buffer ops. If the buffer was already in
* memory from some other caller it will already have b_ops assigned.
* If it was in memory from a previous unsuccessful findroot_block
* call, the buffer won't have b_ops but it should be clean and ready
* for us to try to verify if the read call succeeds. The same applies
* if the buffer wasn't in memory at all.
*
* Note: If we never match a btree type with this buffer, it will be
* left in memory with NULL b_ops. This shouldn't be a problem unless
* the buffer gets written.
*/
error = xfs_trans_read_buf(mp, ri->sc->tp, mp->m_ddev_targp, daddr,
mp->m_bsize, 0, &bp, NULL);
if (error)
return error;
/* Ensure the block magic matches the btree type we're looking for. */
btblock = XFS_BUF_TO_BLOCK(bp);
ASSERT(fab->buf_ops->magic[1] != 0);
if (btblock->bb_magic != fab->buf_ops->magic[1])
goto out;
/*
* If the buffer already has ops applied and they're not the ones for
* this btree type, we know this block doesn't match the btree and we
* can bail out.
*
* If the buffer ops match ours, someone else has already validated
* the block for us, so we can move on to checking if this is a root
* block candidate.
*
* If the buffer does not have ops, nobody has successfully validated
* the contents and the buffer cannot be dirty. If the magic, uuid,
* and structure match this btree type then we'll move on to checking
* if it's a root block candidate. If there is no match, bail out.
*/
if (bp->b_ops) {
if (bp->b_ops != fab->buf_ops)
goto out;
} else {
ASSERT(!xfs_trans_buf_is_dirty(bp));
if (!uuid_equal(&btblock->bb_u.s.bb_uuid,
&mp->m_sb.sb_meta_uuid))
goto out;
/*
* Read verifiers can reference b_ops, so we set the pointer
* here. If the verifier fails we'll reset the buffer state
* to what it was before we touched the buffer.
*/
bp->b_ops = fab->buf_ops;
fab->buf_ops->verify_read(bp);
if (bp->b_error) {
bp->b_ops = NULL;
bp->b_error = 0;
goto out;
}
/*
* Some read verifiers will (re)set b_ops, so we must be
* careful not to change b_ops after running the verifier.
*/
}
/*
* This block passes the magic/uuid and verifier tests for this btree
* type. We don't need the caller to try the other tree types.
*/
*done_with_block = true;
/*
* Compare this btree block's level to the height of the current
* candidate root block.
*
* If the level matches the root we found previously, throw away both
* blocks because there can't be two candidate roots.
*
* If level is lower in the tree than the root we found previously,
* ignore this block.
*/
block_level = xfs_btree_get_level(btblock);
if (block_level + 1 == fab->height) {
fab->root = NULLAGBLOCK;
goto out;
} else if (block_level < fab->height) {
goto out;
}
/*
* This is the highest block in the tree that we've found so far.
* Update the btree height to reflect what we've learned from this
* block.
*/
fab->height = block_level + 1;
/*
* If this block doesn't have sibling pointers, then it's the new root
* block candidate. Otherwise, the root will be found farther up the
* tree.
*/
if (btblock->bb_u.s.bb_leftsib == cpu_to_be32(NULLAGBLOCK) &&
btblock->bb_u.s.bb_rightsib == cpu_to_be32(NULLAGBLOCK))
fab->root = agbno;
else
fab->root = NULLAGBLOCK;
trace_xrep_findroot_block(mp, ri->sc->sa.pag->pag_agno, agbno,
be32_to_cpu(btblock->bb_magic), fab->height - 1);
out:
xfs_trans_brelse(ri->sc->tp, bp);
return error;
}
/*
* Do any of the blocks in this rmap record match one of the btrees we're
* looking for?
*/
STATIC int
xrep_findroot_rmap(
struct xfs_btree_cur *cur,
const struct xfs_rmap_irec *rec,
void *priv)
{
struct xrep_findroot *ri = priv;
struct xrep_find_ag_btree *fab;
xfs_agblock_t b;
bool done;
int error = 0;
/* Ignore anything that isn't AG metadata. */
if (!XFS_RMAP_NON_INODE_OWNER(rec->rm_owner))
return 0;
/* Otherwise scan each block + btree type. */
for (b = 0; b < rec->rm_blockcount; b++) {
done = false;
for (fab = ri->btree_info; fab->buf_ops; fab++) {
if (rec->rm_owner != fab->rmap_owner)
continue;
error = xrep_findroot_block(ri, fab,
rec->rm_owner, rec->rm_startblock + b,
&done);
if (error)
return error;
if (done)
break;
}
}
return 0;
}
/* Find the roots of the per-AG btrees described in btree_info. */
int
xrep_find_ag_btree_roots(
struct xfs_scrub *sc,
struct xfs_buf *agf_bp,
struct xrep_find_ag_btree *btree_info,
struct xfs_buf *agfl_bp)
{
struct xfs_mount *mp = sc->mp;
struct xrep_findroot ri;
struct xrep_find_ag_btree *fab;
struct xfs_btree_cur *cur;
int error;
ASSERT(xfs_buf_islocked(agf_bp));
ASSERT(agfl_bp == NULL || xfs_buf_islocked(agfl_bp));
ri.sc = sc;
ri.btree_info = btree_info;
ri.agf = agf_bp->b_addr;
ri.agfl_bp = agfl_bp;
for (fab = btree_info; fab->buf_ops; fab++) {
ASSERT(agfl_bp || fab->rmap_owner != XFS_RMAP_OWN_AG);
ASSERT(XFS_RMAP_NON_INODE_OWNER(fab->rmap_owner));
fab->root = NULLAGBLOCK;
fab->height = 0;
}
cur = xfs_rmapbt_init_cursor(mp, sc->tp, agf_bp, sc->sa.pag);
error = xfs_rmap_query_all(cur, xrep_findroot_rmap, &ri);
xfs_btree_del_cursor(cur, error);
return error;
}
#ifdef CONFIG_XFS_QUOTA
/* Update some quota flags in the superblock. */
void
xrep_update_qflags(
struct xfs_scrub *sc,
unsigned int clear_flags,
unsigned int set_flags)
{
struct xfs_mount *mp = sc->mp;
struct xfs_buf *bp;
mutex_lock(&mp->m_quotainfo->qi_quotaofflock);
if ((mp->m_qflags & clear_flags) == 0 &&
(mp->m_qflags & set_flags) == set_flags)
goto no_update;
mp->m_qflags &= ~clear_flags;
mp->m_qflags |= set_flags;
spin_lock(&mp->m_sb_lock);
mp->m_sb.sb_qflags &= ~clear_flags;
mp->m_sb.sb_qflags |= set_flags;
spin_unlock(&mp->m_sb_lock);
/*
* Update the quota flags in the ondisk superblock without touching
* the summary counters. We have not quiesced inode chunk allocation,
* so we cannot coordinate with updates to the icount and ifree percpu
* counters.
*/
bp = xfs_trans_getsb(sc->tp);
xfs_sb_to_disk(bp->b_addr, &mp->m_sb);
xfs_trans_buf_set_type(sc->tp, bp, XFS_BLFT_SB_BUF);
xfs_trans_log_buf(sc->tp, bp, 0, sizeof(struct xfs_dsb) - 1);
no_update:
mutex_unlock(&mp->m_quotainfo->qi_quotaofflock);
}
/* Force a quotacheck the next time we mount. */
void
xrep_force_quotacheck(
struct xfs_scrub *sc,
xfs_dqtype_t type)
{
uint flag;
flag = xfs_quota_chkd_flag(type);
if (!(flag & sc->mp->m_qflags))
return;
xrep_update_qflags(sc, flag, 0);
}
/*
* Attach dquots to this inode, or schedule quotacheck to fix them.
*
* This function ensures that the appropriate dquots are attached to an inode.
* We cannot allow the dquot code to allocate an on-disk dquot block here
* because we're already in transaction context. The on-disk dquot should
* already exist anyway. If the quota code signals corruption or missing quota
* information, schedule quotacheck, which will repair corruptions in the quota
* metadata.
*/
int
xrep_ino_dqattach(
struct xfs_scrub *sc)
{
int error;
ASSERT(sc->tp != NULL);
ASSERT(sc->ip != NULL);
error = xfs_qm_dqattach(sc->ip);
switch (error) {
case -EFSBADCRC:
case -EFSCORRUPTED:
case -ENOENT:
xfs_err_ratelimited(sc->mp,
"inode %llu repair encountered quota error %d, quotacheck forced.",
(unsigned long long)sc->ip->i_ino, error);
if (XFS_IS_UQUOTA_ON(sc->mp) && !sc->ip->i_udquot)
xrep_force_quotacheck(sc, XFS_DQTYPE_USER);
if (XFS_IS_GQUOTA_ON(sc->mp) && !sc->ip->i_gdquot)
xrep_force_quotacheck(sc, XFS_DQTYPE_GROUP);
if (XFS_IS_PQUOTA_ON(sc->mp) && !sc->ip->i_pdquot)
xrep_force_quotacheck(sc, XFS_DQTYPE_PROJ);
fallthrough;
case -ESRCH:
error = 0;
break;
default:
break;
}
return error;
}
#endif /* CONFIG_XFS_QUOTA */
/*
* Ensure that the inode being repaired is ready to handle a certain number of
* extents, or return EFSCORRUPTED. Caller must hold the ILOCK of the inode
* being repaired and have joined it to the scrub transaction.
*/
int
xrep_ino_ensure_extent_count(
struct xfs_scrub *sc,
int whichfork,
xfs_extnum_t nextents)
{
xfs_extnum_t max_extents;
bool inode_has_nrext64;
inode_has_nrext64 = xfs_inode_has_large_extent_counts(sc->ip);
max_extents = xfs_iext_max_nextents(inode_has_nrext64, whichfork);
if (nextents <= max_extents)
return 0;
if (inode_has_nrext64)
return -EFSCORRUPTED;
if (!xfs_has_large_extent_counts(sc->mp))
return -EFSCORRUPTED;
max_extents = xfs_iext_max_nextents(true, whichfork);
if (nextents > max_extents)
return -EFSCORRUPTED;
sc->ip->i_diflags2 |= XFS_DIFLAG2_NREXT64;
xfs_trans_log_inode(sc->tp, sc->ip, XFS_ILOG_CORE);
return 0;
}
/*
* Initialize all the btree cursors for an AG repair except for the btree that
* we're rebuilding.
*/
void
xrep_ag_btcur_init(
struct xfs_scrub *sc,
struct xchk_ag *sa)
{
struct xfs_mount *mp = sc->mp;
/* Set up a bnobt cursor for cross-referencing. */
if (sc->sm->sm_type != XFS_SCRUB_TYPE_BNOBT &&
sc->sm->sm_type != XFS_SCRUB_TYPE_CNTBT) {
sa->bno_cur = xfs_bnobt_init_cursor(mp, sc->tp, sa->agf_bp,
sc->sa.pag);
sa->cnt_cur = xfs_cntbt_init_cursor(mp, sc->tp, sa->agf_bp,
sc->sa.pag);
}
/* Set up a inobt cursor for cross-referencing. */
if (sc->sm->sm_type != XFS_SCRUB_TYPE_INOBT &&
sc->sm->sm_type != XFS_SCRUB_TYPE_FINOBT) {
sa->ino_cur = xfs_inobt_init_cursor(sc->sa.pag, sc->tp,
sa->agi_bp);
if (xfs_has_finobt(mp))
sa->fino_cur = xfs_finobt_init_cursor(sc->sa.pag,
sc->tp, sa->agi_bp);
}
/* Set up a rmapbt cursor for cross-referencing. */
if (sc->sm->sm_type != XFS_SCRUB_TYPE_RMAPBT &&
xfs_has_rmapbt(mp))
sa->rmap_cur = xfs_rmapbt_init_cursor(mp, sc->tp, sa->agf_bp,
sc->sa.pag);
/* Set up a refcountbt cursor for cross-referencing. */
if (sc->sm->sm_type != XFS_SCRUB_TYPE_REFCNTBT &&
xfs_has_reflink(mp))
sa->refc_cur = xfs_refcountbt_init_cursor(mp, sc->tp,
sa->agf_bp, sc->sa.pag);
}
/*
* Reinitialize the in-core AG state after a repair by rereading the AGF
* buffer. We had better get the same AGF buffer as the one that's attached
* to the scrub context.
*/
int
xrep_reinit_pagf(
struct xfs_scrub *sc)
{
struct xfs_perag *pag = sc->sa.pag;
struct xfs_buf *bp;
int error;
ASSERT(pag);
ASSERT(xfs_perag_initialised_agf(pag));
clear_bit(XFS_AGSTATE_AGF_INIT, &pag->pag_opstate);
error = xfs_alloc_read_agf(pag, sc->tp, 0, &bp);
if (error)
return error;
if (bp != sc->sa.agf_bp) {
ASSERT(bp == sc->sa.agf_bp);
return -EFSCORRUPTED;
}
return 0;
}
/*
* Reinitialize the in-core AG state after a repair by rereading the AGI
* buffer. We had better get the same AGI buffer as the one that's attached
* to the scrub context.
*/
int
xrep_reinit_pagi(
struct xfs_scrub *sc)
{
struct xfs_perag *pag = sc->sa.pag;
struct xfs_buf *bp;
int error;
ASSERT(pag);
ASSERT(xfs_perag_initialised_agi(pag));
clear_bit(XFS_AGSTATE_AGI_INIT, &pag->pag_opstate);
error = xfs_ialloc_read_agi(pag, sc->tp, 0, &bp);
if (error)
return error;
if (bp != sc->sa.agi_bp) {
ASSERT(bp == sc->sa.agi_bp);
return -EFSCORRUPTED;
}
return 0;
}
/*
* Given an active reference to a perag structure, load AG headers and cursors.
* This should only be called to scan an AG while repairing file-based metadata.
*/
int
xrep_ag_init(
struct xfs_scrub *sc,
struct xfs_perag *pag,
struct xchk_ag *sa)
{
int error;
ASSERT(!sa->pag);
error = xfs_ialloc_read_agi(pag, sc->tp, 0, &sa->agi_bp);
if (error)
return error;
error = xfs_alloc_read_agf(pag, sc->tp, 0, &sa->agf_bp);
if (error)
return error;
/* Grab our own passive reference from the caller's ref. */
sa->pag = xfs_perag_hold(pag);
xrep_ag_btcur_init(sc, sa);
return 0;
}
/* Reinitialize the per-AG block reservation for the AG we just fixed. */
int
xrep_reset_perag_resv(
struct xfs_scrub *sc)
{
int error;
if (!(sc->flags & XREP_RESET_PERAG_RESV))
return 0;
ASSERT(sc->sa.pag != NULL);
ASSERT(sc->ops->type == ST_PERAG);
ASSERT(sc->tp);
sc->flags &= ~XREP_RESET_PERAG_RESV;
xfs_ag_resv_free(sc->sa.pag);
error = xfs_ag_resv_init(sc->sa.pag, sc->tp);
if (error == -ENOSPC) {
xfs_err(sc->mp,
"Insufficient free space to reset per-AG reservation for AG %u after repair.",
sc->sa.pag->pag_agno);
error = 0;
}
return error;
}
/* Decide if we are going to call the repair function for a scrub type. */
bool
xrep_will_attempt(
struct xfs_scrub *sc)
{
/* Userspace asked us to rebuild the structure regardless. */
if (sc->sm->sm_flags & XFS_SCRUB_IFLAG_FORCE_REBUILD)
return true;
/* Let debug users force us into the repair routines. */
if (XFS_TEST_ERROR(false, sc->mp, XFS_ERRTAG_FORCE_SCRUB_REPAIR))
return true;
/* Metadata is corrupt or failed cross-referencing. */
if (xchk_needs_repair(sc->sm))
return true;
return false;
}
/* Try to fix some part of a metadata inode by calling another scrubber. */
STATIC int
xrep_metadata_inode_subtype(
struct xfs_scrub *sc,
unsigned int scrub_type)
{
struct xfs_scrub_subord *sub;
int error;
/*
* Let's see if the inode needs repair. Use a subordinate scrub context
* to call the scrub and repair functions so that we can hang on to the
* resources that we already acquired instead of using the standard
* setup/teardown routines.
*/
sub = xchk_scrub_create_subord(sc, scrub_type);
error = sub->sc.ops->scrub(&sub->sc);
if (error)
goto out;
if (!xrep_will_attempt(&sub->sc))
goto out;
/*
* Repair some part of the inode. This will potentially join the inode
* to the transaction.
*/
error = sub->sc.ops->repair(&sub->sc);
if (error)
goto out;
/*
* Finish all deferred intent items and then roll the transaction so
* that the inode will not be joined to the transaction when we exit
* the function.
*/
error = xfs_defer_finish(&sub->sc.tp);
if (error)
goto out;
error = xfs_trans_roll(&sub->sc.tp);
if (error)
goto out;
/*
* Clear the corruption flags and re-check the metadata that we just
* repaired.
*/
sub->sc.sm->sm_flags &= ~XFS_SCRUB_FLAGS_OUT;
error = sub->sc.ops->scrub(&sub->sc);
if (error)
goto out;
/* If corruption persists, the repair has failed. */
if (xchk_needs_repair(sub->sc.sm)) {
error = -EFSCORRUPTED;
goto out;
}
out:
xchk_scrub_free_subord(sub);
return error;
}
/*
* Repair the ondisk forks of a metadata inode. The caller must ensure that
* sc->ip points to the metadata inode and the ILOCK is held on that inode.
* The inode must not be joined to the transaction before the call, and will
* not be afterwards.
*/
int
xrep_metadata_inode_forks(
struct xfs_scrub *sc)
{
bool dirty = false;
int error;
/* Repair the inode record and the data fork. */
error = xrep_metadata_inode_subtype(sc, XFS_SCRUB_TYPE_INODE);
if (error)
return error;
error = xrep_metadata_inode_subtype(sc, XFS_SCRUB_TYPE_BMBTD);
if (error)
return error;
/* Make sure the attr fork looks ok before we delete it. */
error = xrep_metadata_inode_subtype(sc, XFS_SCRUB_TYPE_BMBTA);
if (error)
return error;
/* Clear the reflink flag since metadata never shares. */
if (xfs_is_reflink_inode(sc->ip)) {
dirty = true;
xfs_trans_ijoin(sc->tp, sc->ip, 0);
error = xfs_reflink_clear_inode_flag(sc->ip, &sc->tp);
if (error)
return error;
}
/* Clear the attr forks since metadata shouldn't have that. */
if (xfs_inode_hasattr(sc->ip)) {
if (!dirty) {
dirty = true;
xfs_trans_ijoin(sc->tp, sc->ip, 0);
}
error = xrep_xattr_reset_fork(sc);
if (error)
return error;
}
/*
* If we modified the inode, roll the transaction but don't rejoin the
* inode to the new transaction because xrep_bmap_data can do that.
*/
if (dirty) {
error = xfs_trans_roll(&sc->tp);
if (error)
return error;
dirty = false;
}
return 0;
}
/*
* Set up an in-memory buffer cache so that we can use the xfbtree. Allocating
* a shmem file might take loks, so we cannot be in transaction context. Park
* our resources in the scrub context and let the teardown function take care
* of them at the right time.
*/
int
xrep_setup_xfbtree(
struct xfs_scrub *sc,
const char *descr)
{
ASSERT(sc->tp == NULL);
return xmbuf_alloc(sc->mp, descr, &sc->xmbtp);
}
/*
* Create a dummy transaction for use in a live update hook function. This
* function MUST NOT be called from regular repair code because the current
* process' transaction is saved via the cookie.
*/
int
xrep_trans_alloc_hook_dummy(
struct xfs_mount *mp,
void **cookiep,
struct xfs_trans **tpp)
{
int error;
*cookiep = current->journal_info;
current->journal_info = NULL;
error = xfs_trans_alloc_empty(mp, tpp);
if (!error)
return 0;
current->journal_info = *cookiep;
*cookiep = NULL;
return error;
}
/* Cancel a dummy transaction used by a live update hook function. */
void
xrep_trans_cancel_hook_dummy(
void **cookiep,
struct xfs_trans *tp)
{
xfs_trans_cancel(tp);
current->journal_info = *cookiep;
*cookiep = NULL;
}
/*
* See if this buffer can pass the given ->verify_struct() function.
*
* If the buffer already has ops attached and they're not the ones that were
* passed in, we reject the buffer. Otherwise, we perform the structure test
* (note that we do not check CRCs) and return the outcome of the test. The
* buffer ops and error state are left unchanged.
*/
bool
xrep_buf_verify_struct(
struct xfs_buf *bp,
const struct xfs_buf_ops *ops)
{
const struct xfs_buf_ops *old_ops = bp->b_ops;
xfs_failaddr_t fa;
int old_error;
if (old_ops) {
if (old_ops != ops)
return false;
}
old_error = bp->b_error;
bp->b_ops = ops;
fa = bp->b_ops->verify_struct(bp);
bp->b_ops = old_ops;
bp->b_error = old_error;
return fa == NULL;
}