1 // SPDX-License-Identifier: GPL-2.0+
3 * Copyright (C) 2017 Oracle. All Rights Reserved.
8 #include "xfs_shared.h"
9 #include "xfs_format.h"
10 #include "xfs_trans_resv.h"
11 #include "xfs_mount.h"
12 #include "xfs_btree.h"
13 #include "xfs_log_format.h"
14 #include "xfs_trans.h"
16 #include "xfs_inode.h"
17 #include "xfs_icache.h"
18 #include "xfs_alloc.h"
19 #include "xfs_alloc_btree.h"
20 #include "xfs_ialloc.h"
21 #include "xfs_ialloc_btree.h"
22 #include "xfs_refcount_btree.h"
24 #include "xfs_rmap_btree.h"
26 #include "xfs_trans_priv.h"
28 #include "xfs_reflink.h"
29 #include "scrub/scrub.h"
30 #include "scrub/common.h"
31 #include "scrub/trace.h"
32 #include "scrub/repair.h"
33 #include "scrub/health.h"
35 /* Common code for the metadata scrubbers. */
38 * Handling operational errors.
40 * The *_process_error() family of functions are used to process error return
41 * codes from functions called as part of a scrub operation.
43 * If there's no error, we return true to tell the caller that it's ok
44 * to move on to the next check in its list.
46 * For non-verifier errors (e.g. ENOMEM) we return false to tell the
47 * caller that something bad happened, and we preserve *error so that
48 * the caller can return the *error up the stack to userspace.
50 * Verifier errors (EFSBADCRC/EFSCORRUPTED) are recorded by setting
51 * OFLAG_CORRUPT in sm_flags and the *error is cleared. In other words,
52 * we track verifier errors (and failed scrub checks) via OFLAG_CORRUPT,
53 * not via return codes. We return false to tell the caller that
54 * something bad happened. Since the error has been cleared, the caller
55 * will (presumably) return that zero and scrubbing will move on to
58 * ftrace can be used to record the precise metadata location and the
59 * approximate code location of the failed operation.
62 /* Check for operational errors. */
76 /* Used to restart an op with deadlock avoidance. */
77 trace_xchk_deadlock_retry(sc->ip, sc->sm, *error);
81 /* Note the badness but don't abort. */
82 sc->sm->sm_flags |= errflag;
86 trace_xchk_op_error(sc, agno, bno, *error,
100 return __xchk_process_error(sc, agno, bno, error,
101 XFS_SCRUB_OFLAG_CORRUPT, __return_address);
105 xchk_xref_process_error(
106 struct xfs_scrub *sc,
111 return __xchk_process_error(sc, agno, bno, error,
112 XFS_SCRUB_OFLAG_XFAIL, __return_address);
115 /* Check for operational errors for a file offset. */
117 __xchk_fblock_process_error(
118 struct xfs_scrub *sc,
120 xfs_fileoff_t offset,
129 /* Used to restart an op with deadlock avoidance. */
130 trace_xchk_deadlock_retry(sc->ip, sc->sm, *error);
134 /* Note the badness but don't abort. */
135 sc->sm->sm_flags |= errflag;
139 trace_xchk_file_op_error(sc, whichfork, offset, *error,
147 xchk_fblock_process_error(
148 struct xfs_scrub *sc,
150 xfs_fileoff_t offset,
153 return __xchk_fblock_process_error(sc, whichfork, offset, error,
154 XFS_SCRUB_OFLAG_CORRUPT, __return_address);
158 xchk_fblock_xref_process_error(
159 struct xfs_scrub *sc,
161 xfs_fileoff_t offset,
164 return __xchk_fblock_process_error(sc, whichfork, offset, error,
165 XFS_SCRUB_OFLAG_XFAIL, __return_address);
169 * Handling scrub corruption/optimization/warning checks.
171 * The *_set_{corrupt,preen,warning}() family of functions are used to
172 * record the presence of metadata that is incorrect (corrupt), could be
173 * optimized somehow (preen), or should be flagged for administrative
174 * review but is not incorrect (warn).
176 * ftrace can be used to record the precise metadata location and
177 * approximate code location of the failed check.
180 /* Record a block which could be optimized. */
182 xchk_block_set_preen(
183 struct xfs_scrub *sc,
186 sc->sm->sm_flags |= XFS_SCRUB_OFLAG_PREEN;
187 trace_xchk_block_preen(sc, bp->b_bn, __return_address);
191 * Record an inode which could be optimized. The trace data will
192 * include the block given by bp if bp is given; otherwise it will use
193 * the block location of the inode record itself.
197 struct xfs_scrub *sc,
200 sc->sm->sm_flags |= XFS_SCRUB_OFLAG_PREEN;
201 trace_xchk_ino_preen(sc, ino, __return_address);
204 /* Record something being wrong with the filesystem primary superblock. */
207 struct xfs_scrub *sc)
209 sc->sm->sm_flags |= XFS_SCRUB_OFLAG_CORRUPT;
210 trace_xchk_fs_error(sc, 0, __return_address);
213 /* Record a corrupt block. */
215 xchk_block_set_corrupt(
216 struct xfs_scrub *sc,
219 sc->sm->sm_flags |= XFS_SCRUB_OFLAG_CORRUPT;
220 trace_xchk_block_error(sc, bp->b_bn, __return_address);
223 /* Record a corruption while cross-referencing. */
225 xchk_block_xref_set_corrupt(
226 struct xfs_scrub *sc,
229 sc->sm->sm_flags |= XFS_SCRUB_OFLAG_XCORRUPT;
230 trace_xchk_block_error(sc, bp->b_bn, __return_address);
234 * Record a corrupt inode. The trace data will include the block given
235 * by bp if bp is given; otherwise it will use the block location of the
236 * inode record itself.
239 xchk_ino_set_corrupt(
240 struct xfs_scrub *sc,
243 sc->sm->sm_flags |= XFS_SCRUB_OFLAG_CORRUPT;
244 trace_xchk_ino_error(sc, ino, __return_address);
247 /* Record a corruption while cross-referencing with an inode. */
249 xchk_ino_xref_set_corrupt(
250 struct xfs_scrub *sc,
253 sc->sm->sm_flags |= XFS_SCRUB_OFLAG_XCORRUPT;
254 trace_xchk_ino_error(sc, ino, __return_address);
257 /* Record corruption in a block indexed by a file fork. */
259 xchk_fblock_set_corrupt(
260 struct xfs_scrub *sc,
262 xfs_fileoff_t offset)
264 sc->sm->sm_flags |= XFS_SCRUB_OFLAG_CORRUPT;
265 trace_xchk_fblock_error(sc, whichfork, offset, __return_address);
268 /* Record a corruption while cross-referencing a fork block. */
270 xchk_fblock_xref_set_corrupt(
271 struct xfs_scrub *sc,
273 xfs_fileoff_t offset)
275 sc->sm->sm_flags |= XFS_SCRUB_OFLAG_XCORRUPT;
276 trace_xchk_fblock_error(sc, whichfork, offset, __return_address);
280 * Warn about inodes that need administrative review but is not
284 xchk_ino_set_warning(
285 struct xfs_scrub *sc,
288 sc->sm->sm_flags |= XFS_SCRUB_OFLAG_WARNING;
289 trace_xchk_ino_warning(sc, ino, __return_address);
292 /* Warn about a block indexed by a file fork that needs review. */
294 xchk_fblock_set_warning(
295 struct xfs_scrub *sc,
297 xfs_fileoff_t offset)
299 sc->sm->sm_flags |= XFS_SCRUB_OFLAG_WARNING;
300 trace_xchk_fblock_warning(sc, whichfork, offset, __return_address);
303 /* Signal an incomplete scrub. */
306 struct xfs_scrub *sc)
308 sc->sm->sm_flags |= XFS_SCRUB_OFLAG_INCOMPLETE;
309 trace_xchk_incomplete(sc, __return_address);
313 * rmap scrubbing -- compute the number of blocks with a given owner,
314 * at least according to the reverse mapping data.
317 struct xchk_rmap_ownedby_info {
318 const struct xfs_owner_info *oinfo;
319 xfs_filblks_t *blocks;
323 xchk_count_rmap_ownedby_irec(
324 struct xfs_btree_cur *cur,
325 struct xfs_rmap_irec *rec,
328 struct xchk_rmap_ownedby_info *sroi = priv;
332 irec_attr = rec->rm_flags & XFS_RMAP_ATTR_FORK;
333 oinfo_attr = sroi->oinfo->oi_flags & XFS_OWNER_INFO_ATTR_FORK;
335 if (rec->rm_owner != sroi->oinfo->oi_owner)
338 if (XFS_RMAP_NON_INODE_OWNER(rec->rm_owner) || irec_attr == oinfo_attr)
339 (*sroi->blocks) += rec->rm_blockcount;
345 * Calculate the number of blocks the rmap thinks are owned by something.
346 * The caller should pass us an rmapbt cursor.
349 xchk_count_rmap_ownedby_ag(
350 struct xfs_scrub *sc,
351 struct xfs_btree_cur *cur,
352 const struct xfs_owner_info *oinfo,
353 xfs_filblks_t *blocks)
355 struct xchk_rmap_ownedby_info sroi = {
361 return xfs_rmap_query_all(cur, xchk_count_rmap_ownedby_irec,
368 * These helpers facilitate locking an allocation group's header
369 * buffers, setting up cursors for all btrees that are present, and
370 * cleaning everything up once we're through.
373 /* Decide if we want to return an AG header read failure. */
375 want_ag_read_header_failure(
376 struct xfs_scrub *sc,
379 /* Return all AG header read failures when scanning btrees. */
380 if (sc->sm->sm_type != XFS_SCRUB_TYPE_AGF &&
381 sc->sm->sm_type != XFS_SCRUB_TYPE_AGFL &&
382 sc->sm->sm_type != XFS_SCRUB_TYPE_AGI)
385 * If we're scanning a given type of AG header, we only want to
386 * see read failures from that specific header. We'd like the
387 * other headers to cross-check them, but this isn't required.
389 if (sc->sm->sm_type == type)
395 * Grab all the headers for an AG.
397 * The headers should be released by xchk_ag_free, but as a fail
398 * safe we attach all the buffers we grab to the scrub transaction so
399 * they'll all be freed when we cancel it.
402 xchk_ag_read_headers(
403 struct xfs_scrub *sc,
405 struct xfs_buf **agi,
406 struct xfs_buf **agf,
407 struct xfs_buf **agfl)
409 struct xfs_mount *mp = sc->mp;
412 error = xfs_ialloc_read_agi(mp, sc->tp, agno, agi);
413 if (error && want_ag_read_header_failure(sc, XFS_SCRUB_TYPE_AGI))
416 error = xfs_alloc_read_agf(mp, sc->tp, agno, 0, agf);
417 if (error && want_ag_read_header_failure(sc, XFS_SCRUB_TYPE_AGF))
420 error = xfs_alloc_read_agfl(mp, sc->tp, agno, agfl);
421 if (error && want_ag_read_header_failure(sc, XFS_SCRUB_TYPE_AGFL))
428 /* Release all the AG btree cursors. */
434 xfs_btree_del_cursor(sa->refc_cur, XFS_BTREE_ERROR);
436 xfs_btree_del_cursor(sa->rmap_cur, XFS_BTREE_ERROR);
438 xfs_btree_del_cursor(sa->fino_cur, XFS_BTREE_ERROR);
440 xfs_btree_del_cursor(sa->ino_cur, XFS_BTREE_ERROR);
442 xfs_btree_del_cursor(sa->cnt_cur, XFS_BTREE_ERROR);
444 xfs_btree_del_cursor(sa->bno_cur, XFS_BTREE_ERROR);
454 /* Initialize all the btree cursors for an AG. */
457 struct xfs_scrub *sc,
460 struct xfs_mount *mp = sc->mp;
461 xfs_agnumber_t agno = sa->agno;
463 xchk_perag_get(sc->mp, sa);
465 xchk_ag_btree_healthy_enough(sc, sa->pag, XFS_BTNUM_BNO)) {
466 /* Set up a bnobt cursor for cross-referencing. */
467 sa->bno_cur = xfs_allocbt_init_cursor(mp, sc->tp, sa->agf_bp,
468 agno, XFS_BTNUM_BNO);
472 xchk_ag_btree_healthy_enough(sc, sa->pag, XFS_BTNUM_CNT)) {
473 /* Set up a cntbt cursor for cross-referencing. */
474 sa->cnt_cur = xfs_allocbt_init_cursor(mp, sc->tp, sa->agf_bp,
475 agno, XFS_BTNUM_CNT);
478 /* Set up a inobt cursor for cross-referencing. */
480 xchk_ag_btree_healthy_enough(sc, sa->pag, XFS_BTNUM_INO)) {
481 sa->ino_cur = xfs_inobt_init_cursor(mp, sc->tp, sa->agi_bp,
482 agno, XFS_BTNUM_INO);
485 /* Set up a finobt cursor for cross-referencing. */
486 if (sa->agi_bp && xfs_sb_version_hasfinobt(&mp->m_sb) &&
487 xchk_ag_btree_healthy_enough(sc, sa->pag, XFS_BTNUM_FINO)) {
488 sa->fino_cur = xfs_inobt_init_cursor(mp, sc->tp, sa->agi_bp,
489 agno, XFS_BTNUM_FINO);
492 /* Set up a rmapbt cursor for cross-referencing. */
493 if (sa->agf_bp && xfs_sb_version_hasrmapbt(&mp->m_sb) &&
494 xchk_ag_btree_healthy_enough(sc, sa->pag, XFS_BTNUM_RMAP)) {
495 sa->rmap_cur = xfs_rmapbt_init_cursor(mp, sc->tp, sa->agf_bp,
499 /* Set up a refcountbt cursor for cross-referencing. */
500 if (sa->agf_bp && xfs_sb_version_hasreflink(&mp->m_sb) &&
501 xchk_ag_btree_healthy_enough(sc, sa->pag, XFS_BTNUM_REFC)) {
502 sa->refc_cur = xfs_refcountbt_init_cursor(mp, sc->tp,
509 /* Release the AG header context and btree cursors. */
512 struct xfs_scrub *sc,
515 xchk_ag_btcur_free(sa);
517 xfs_trans_brelse(sc->tp, sa->agfl_bp);
521 xfs_trans_brelse(sc->tp, sa->agf_bp);
525 xfs_trans_brelse(sc->tp, sa->agi_bp);
529 xfs_perag_put(sa->pag);
532 sa->agno = NULLAGNUMBER;
536 * For scrub, grab the AGI and the AGF headers, in that order. Locking
537 * order requires us to get the AGI before the AGF. We use the
538 * transaction to avoid deadlocking on crosslinked metadata buffers;
539 * either the caller passes one in (bmap scrub) or we have to create a
540 * transaction ourselves.
544 struct xfs_scrub *sc,
551 error = xchk_ag_read_headers(sc, agno, &sa->agi_bp,
552 &sa->agf_bp, &sa->agfl_bp);
556 return xchk_ag_btcur_init(sc, sa);
560 * Grab the per-ag structure if we haven't already gotten it. Teardown of the
561 * xchk_ag will release it for us.
565 struct xfs_mount *mp,
569 sa->pag = xfs_perag_get(mp, sa->agno);
572 /* Per-scrubber setup functions */
575 * Grab an empty transaction so that we can re-grab locked buffers if
576 * one of our btrees turns out to be cyclic.
578 * If we're going to repair something, we need to ask for the largest possible
579 * log reservation so that we can handle the worst case scenario for metadata
580 * updates while rebuilding a metadata item. We also need to reserve as many
581 * blocks in the head transaction as we think we're going to need to rebuild
582 * the metadata object.
586 struct xfs_scrub *sc,
589 if (sc->sm->sm_flags & XFS_SCRUB_IFLAG_REPAIR)
590 return xfs_trans_alloc(sc->mp, &M_RES(sc->mp)->tr_itruncate,
591 resblks, 0, 0, &sc->tp);
593 return xfs_trans_alloc_empty(sc->mp, &sc->tp);
596 /* Set us up with a transaction and an empty context. */
599 struct xfs_scrub *sc,
600 struct xfs_inode *ip)
604 resblks = xrep_calc_ag_resblks(sc);
605 return xchk_trans_alloc(sc, resblks);
608 /* Set us up with AG headers and btree cursors. */
611 struct xfs_scrub *sc,
612 struct xfs_inode *ip,
615 struct xfs_mount *mp = sc->mp;
619 * If the caller asks us to checkpont the log, do so. This
620 * expensive operation should be performed infrequently and only
621 * as a last resort. Any caller that sets force_log should
622 * document why they need to do so.
625 error = xchk_checkpoint_log(mp);
630 error = xchk_setup_fs(sc, ip);
634 return xchk_ag_init(sc, sc->sm->sm_agno, &sc->sa);
637 /* Push everything out of the log onto disk. */
640 struct xfs_mount *mp)
644 error = xfs_log_force(mp, XFS_LOG_SYNC);
647 xfs_ail_push_all_sync(mp->m_ail);
652 * Given an inode and the scrub control structure, grab either the
653 * inode referenced in the control structure or the inode passed in.
654 * The inode is not locked.
658 struct xfs_scrub *sc,
659 struct xfs_inode *ip_in)
661 struct xfs_imap imap;
662 struct xfs_mount *mp = sc->mp;
663 struct xfs_inode *ip = NULL;
666 /* We want to scan the inode we already had opened. */
667 if (sc->sm->sm_ino == 0 || sc->sm->sm_ino == ip_in->i_ino) {
672 /* Look up the inode, see if the generation number matches. */
673 if (xfs_internal_inum(mp, sc->sm->sm_ino))
675 error = xfs_iget(mp, NULL, sc->sm->sm_ino,
676 XFS_IGET_UNTRUSTED | XFS_IGET_DONTCACHE, 0, &ip);
679 /* Inode doesn't exist, just bail out. */
682 /* Got an inode, continue. */
686 * -EINVAL with IGET_UNTRUSTED could mean one of several
687 * things: userspace gave us an inode number that doesn't
688 * correspond to fs space, or doesn't have an inobt entry;
689 * or it could simply mean that the inode buffer failed the
692 * Try just the inode mapping lookup -- if it succeeds, then
693 * the inode buffer verifier failed and something needs fixing.
694 * Otherwise, we really couldn't find it so tell userspace
695 * that it no longer exists.
697 error = xfs_imap(sc->mp, sc->tp, sc->sm->sm_ino, &imap,
698 XFS_IGET_UNTRUSTED | XFS_IGET_DONTCACHE);
701 error = -EFSCORRUPTED;
704 trace_xchk_op_error(sc,
705 XFS_INO_TO_AGNO(mp, sc->sm->sm_ino),
706 XFS_INO_TO_AGBNO(mp, sc->sm->sm_ino),
707 error, __return_address);
710 if (VFS_I(ip)->i_generation != sc->sm->sm_gen) {
719 /* Set us up to scrub a file's contents. */
721 xchk_setup_inode_contents(
722 struct xfs_scrub *sc,
723 struct xfs_inode *ip,
724 unsigned int resblks)
728 error = xchk_get_inode(sc, ip);
732 /* Got the inode, lock it and we're ready to go. */
733 sc->ilock_flags = XFS_IOLOCK_EXCL | XFS_MMAPLOCK_EXCL;
734 xfs_ilock(sc->ip, sc->ilock_flags);
735 error = xchk_trans_alloc(sc, resblks);
738 sc->ilock_flags |= XFS_ILOCK_EXCL;
739 xfs_ilock(sc->ip, XFS_ILOCK_EXCL);
742 /* scrub teardown will unlock and release the inode for us */
747 * Predicate that decides if we need to evaluate the cross-reference check.
748 * If there was an error accessing the cross-reference btree, just delete
749 * the cursor and skip the check.
752 xchk_should_check_xref(
753 struct xfs_scrub *sc,
755 struct xfs_btree_cur **curpp)
757 /* No point in xref if we already know we're corrupt. */
758 if (xchk_skip_xref(sc->sm))
765 /* If we've already given up on xref, just bail out. */
769 /* xref error, delete cursor and bail out. */
770 xfs_btree_del_cursor(*curpp, XFS_BTREE_ERROR);
774 sc->sm->sm_flags |= XFS_SCRUB_OFLAG_XFAIL;
775 trace_xchk_xref_error(sc, *error, __return_address);
778 * Errors encountered during cross-referencing with another
779 * data structure should not cause this scrubber to abort.
785 /* Run the structure verifiers on in-memory buffers to detect bad memory. */
788 struct xfs_scrub *sc,
793 if (bp->b_ops == NULL) {
794 xchk_block_set_corrupt(sc, bp);
797 if (bp->b_ops->verify_struct == NULL) {
798 xchk_set_incomplete(sc);
801 fa = bp->b_ops->verify_struct(bp);
804 sc->sm->sm_flags |= XFS_SCRUB_OFLAG_CORRUPT;
805 trace_xchk_block_error(sc, bp->b_bn, fa);
809 * Scrub the attr/data forks of a metadata inode. The metadata inode must be
810 * pointed to by sc->ip and the ILOCK must be held.
813 xchk_metadata_inode_forks(
814 struct xfs_scrub *sc)
820 if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)
823 /* Metadata inodes don't live on the rt device. */
824 if (sc->ip->i_d.di_flags & XFS_DIFLAG_REALTIME) {
825 xchk_ino_set_corrupt(sc, sc->ip->i_ino);
829 /* They should never participate in reflink. */
830 if (xfs_is_reflink_inode(sc->ip)) {
831 xchk_ino_set_corrupt(sc, sc->ip->i_ino);
835 /* They also should never have extended attributes. */
836 if (xfs_inode_hasattr(sc->ip)) {
837 xchk_ino_set_corrupt(sc, sc->ip->i_ino);
841 /* Invoke the data fork scrubber. */
842 smtype = sc->sm->sm_type;
843 sc->sm->sm_type = XFS_SCRUB_TYPE_BMBTD;
844 error = xchk_bmap_data(sc);
845 sc->sm->sm_type = smtype;
846 if (error || (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT))
849 /* Look for incorrect shared blocks. */
850 if (xfs_sb_version_hasreflink(&sc->mp->m_sb)) {
851 error = xfs_reflink_inode_has_shared_extents(sc->tp, sc->ip,
853 if (!xchk_fblock_process_error(sc, XFS_DATA_FORK, 0,
857 xchk_ino_set_corrupt(sc, sc->ip->i_ino);
864 * Try to lock an inode in violation of the usual locking order rules. For
865 * example, trying to get the IOLOCK while in transaction context, or just
866 * plain breaking AG-order or inode-order inode locking rules. Either way,
867 * the only way to avoid an ABBA deadlock is to use trylock and back off if
872 struct xfs_inode *ip,
877 for (i = 0; i < 20; i++) {
878 if (xfs_ilock_nowait(ip, lock_mode))
885 /* Pause background reaping of resources. */
888 struct xfs_scrub *sc)
890 sc->flags |= XCHK_REAPING_DISABLED;
891 xfs_blockgc_stop(sc->mp);
894 /* Restart background reaping of resources. */
897 struct xfs_scrub *sc)
899 xfs_blockgc_start(sc->mp);
900 sc->flags &= ~XCHK_REAPING_DISABLED;
projects / linux.git / blob