2023-04-12 09:59:56 +08:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-or-later
|
2017-10-18 12:37:42 +08:00
|
|
|
/*
|
2023-04-12 09:59:57 +08:00
|
|
|
* Copyright (C) 2017-2023 Oracle. All Rights Reserved.
|
2023-04-12 09:59:56 +08:00
|
|
|
* Author: Darrick J. Wong <djwong@kernel.org>
|
2017-10-18 12:37:42 +08:00
|
|
|
*/
|
|
|
|
|
#include "xfs.h"
|
|
|
|
|
#include "xfs_fs.h"
|
|
|
|
|
#include "xfs_shared.h"
|
|
|
|
|
#include "xfs_format.h"
|
|
|
|
|
#include "xfs_trans_resv.h"
|
|
|
|
|
#include "xfs_mount.h"
|
|
|
|
|
#include "xfs_btree.h"
|
|
|
|
|
#include "xfs_log_format.h"
|
xfs: retain the AGI when we can't iget an inode to scrub the core
xchk_get_inode is not quite the right function to be calling from the
inode scrubber setup function. The common get_inode function either
gets an inode and installs it in the scrub context, or it returns an
error code explaining what happened. This is acceptable for most file
scrubbers because it is not in their scope to fix corruptions in the
inode core and fork areas that cause iget to fail.
Dealing with these problems is within the scope of the inode scrubber,
however. If iget fails with EFSCORRUPTED, we need to xchk_inode to flag
that as corruption. Since we can't get our hands on an incore inode, we
need to hold the AGI to prevent inode allocation activity so that
nothing changes in the inode metadata.
Looking ahead to the inode core repair patches, we will also need to
hold the AGI buffer into xrep_inode so that we can make modifications to
the xfs_dinode structure without any other thread swooping in to
allocate or free the inode.
Adapt the xchk_get_inode into xchk_setup_inode since this is a one-off
use case where the error codes we check for are a little different, and
the return state is much different from the common function.
xchk_setup_inode prepares to check or repair an inode record, so it must
continue the scrub operation even if the inode/inobt verifiers cause
xfs_iget to return EFSCORRUPTED. This is done by attaching the locked
AGI buffer to the scrub transaction and returning 0 to move on to the
actual scrub. (Later, the online inode repair code will also want the
xfs_imap structure so that it can reset the ondisk xfs_dinode
structure.)
xchk_get_inode retrieves an inode on behalf of a scrubber that operates
on an incore inode -- data/attr/cow forks, directories, xattrs,
symlinks, parent pointers, etc. If the inode/inobt verifiers fail and
xfs_iget returns EFSCORRUPTED, we want to exit to userspace (because the
caller should be fix the inode first) and drop everything we acquired
along the way.
A behavior common to both functions is that it's possible that xfs_scrub
asked for a scrub-by-handle concurrent with the inode being freed or the
passed-in inumber is invalid. In this case, we call xfs_imap to see if
the inobt index thinks the inode is allocated, and return ENOENT
("nothing to check here") to userspace if this is not the case. The
imap lookup is why both functions call xchk_iget_agi.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2023-04-12 10:00:22 +08:00
|
|
|
#include "xfs_trans.h"
|
|
|
|
|
#include "xfs_ag.h"
|
2017-10-18 12:37:42 +08:00
|
|
|
#include "xfs_inode.h"
|
|
|
|
|
#include "xfs_ialloc.h"
|
xfs: retain the AGI when we can't iget an inode to scrub the core
xchk_get_inode is not quite the right function to be calling from the
inode scrubber setup function. The common get_inode function either
gets an inode and installs it in the scrub context, or it returns an
error code explaining what happened. This is acceptable for most file
scrubbers because it is not in their scope to fix corruptions in the
inode core and fork areas that cause iget to fail.
Dealing with these problems is within the scope of the inode scrubber,
however. If iget fails with EFSCORRUPTED, we need to xchk_inode to flag
that as corruption. Since we can't get our hands on an incore inode, we
need to hold the AGI to prevent inode allocation activity so that
nothing changes in the inode metadata.
Looking ahead to the inode core repair patches, we will also need to
hold the AGI buffer into xrep_inode so that we can make modifications to
the xfs_dinode structure without any other thread swooping in to
allocate or free the inode.
Adapt the xchk_get_inode into xchk_setup_inode since this is a one-off
use case where the error codes we check for are a little different, and
the return state is much different from the common function.
xchk_setup_inode prepares to check or repair an inode record, so it must
continue the scrub operation even if the inode/inobt verifiers cause
xfs_iget to return EFSCORRUPTED. This is done by attaching the locked
AGI buffer to the scrub transaction and returning 0 to move on to the
actual scrub. (Later, the online inode repair code will also want the
xfs_imap structure so that it can reset the ondisk xfs_dinode
structure.)
xchk_get_inode retrieves an inode on behalf of a scrubber that operates
on an incore inode -- data/attr/cow forks, directories, xattrs,
symlinks, parent pointers, etc. If the inode/inobt verifiers fail and
xfs_iget returns EFSCORRUPTED, we want to exit to userspace (because the
caller should be fix the inode first) and drop everything we acquired
along the way.
A behavior common to both functions is that it's possible that xfs_scrub
asked for a scrub-by-handle concurrent with the inode being freed or the
passed-in inumber is invalid. In this case, we call xfs_imap to see if
the inobt index thinks the inode is allocated, and return ENOENT
("nothing to check here") to userspace if this is not the case. The
imap lookup is why both functions call xchk_iget_agi.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2023-04-12 10:00:22 +08:00
|
|
|
#include "xfs_icache.h"
|
2017-10-18 12:37:42 +08:00
|
|
|
#include "xfs_da_format.h"
|
|
|
|
|
#include "xfs_reflink.h"
|
2018-01-17 10:53:08 +08:00
|
|
|
#include "xfs_rmap.h"
|
2018-01-17 10:53:10 +08:00
|
|
|
#include "xfs_bmap_util.h"
|
2023-10-17 00:34:39 +08:00
|
|
|
#include "xfs_rtbitmap.h"
|
2017-10-18 12:37:42 +08:00
|
|
|
#include "scrub/scrub.h"
|
|
|
|
|
#include "scrub/common.h"
|
2018-01-17 10:53:07 +08:00
|
|
|
#include "scrub/btree.h"
|
xfs: retain the AGI when we can't iget an inode to scrub the core
xchk_get_inode is not quite the right function to be calling from the
inode scrubber setup function. The common get_inode function either
gets an inode and installs it in the scrub context, or it returns an
error code explaining what happened. This is acceptable for most file
scrubbers because it is not in their scope to fix corruptions in the
inode core and fork areas that cause iget to fail.
Dealing with these problems is within the scope of the inode scrubber,
however. If iget fails with EFSCORRUPTED, we need to xchk_inode to flag
that as corruption. Since we can't get our hands on an incore inode, we
need to hold the AGI to prevent inode allocation activity so that
nothing changes in the inode metadata.
Looking ahead to the inode core repair patches, we will also need to
hold the AGI buffer into xrep_inode so that we can make modifications to
the xfs_dinode structure without any other thread swooping in to
allocate or free the inode.
Adapt the xchk_get_inode into xchk_setup_inode since this is a one-off
use case where the error codes we check for are a little different, and
the return state is much different from the common function.
xchk_setup_inode prepares to check or repair an inode record, so it must
continue the scrub operation even if the inode/inobt verifiers cause
xfs_iget to return EFSCORRUPTED. This is done by attaching the locked
AGI buffer to the scrub transaction and returning 0 to move on to the
actual scrub. (Later, the online inode repair code will also want the
xfs_imap structure so that it can reset the ondisk xfs_dinode
structure.)
xchk_get_inode retrieves an inode on behalf of a scrubber that operates
on an incore inode -- data/attr/cow forks, directories, xattrs,
symlinks, parent pointers, etc. If the inode/inobt verifiers fail and
xfs_iget returns EFSCORRUPTED, we want to exit to userspace (because the
caller should be fix the inode first) and drop everything we acquired
along the way.
A behavior common to both functions is that it's possible that xfs_scrub
asked for a scrub-by-handle concurrent with the inode being freed or the
passed-in inumber is invalid. In this case, we call xfs_imap to see if
the inobt index thinks the inode is allocated, and return ENOENT
("nothing to check here") to userspace if this is not the case. The
imap lookup is why both functions call xchk_iget_agi.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2023-04-12 10:00:22 +08:00
|
|
|
#include "scrub/trace.h"
|
|
|
|
|
|
|
|
|
|
/* Prepare the attached inode for scrubbing. */
|
|
|
|
|
static inline int
|
|
|
|
|
xchk_prepare_iscrub(
|
|
|
|
|
struct xfs_scrub *sc)
|
|
|
|
|
{
|
|
|
|
|
int error;
|
|
|
|
|
|
2023-08-10 22:48:08 +08:00
|
|
|
xchk_ilock(sc, XFS_IOLOCK_EXCL);
|
xfs: retain the AGI when we can't iget an inode to scrub the core
xchk_get_inode is not quite the right function to be calling from the
inode scrubber setup function. The common get_inode function either
gets an inode and installs it in the scrub context, or it returns an
error code explaining what happened. This is acceptable for most file
scrubbers because it is not in their scope to fix corruptions in the
inode core and fork areas that cause iget to fail.
Dealing with these problems is within the scope of the inode scrubber,
however. If iget fails with EFSCORRUPTED, we need to xchk_inode to flag
that as corruption. Since we can't get our hands on an incore inode, we
need to hold the AGI to prevent inode allocation activity so that
nothing changes in the inode metadata.
Looking ahead to the inode core repair patches, we will also need to
hold the AGI buffer into xrep_inode so that we can make modifications to
the xfs_dinode structure without any other thread swooping in to
allocate or free the inode.
Adapt the xchk_get_inode into xchk_setup_inode since this is a one-off
use case where the error codes we check for are a little different, and
the return state is much different from the common function.
xchk_setup_inode prepares to check or repair an inode record, so it must
continue the scrub operation even if the inode/inobt verifiers cause
xfs_iget to return EFSCORRUPTED. This is done by attaching the locked
AGI buffer to the scrub transaction and returning 0 to move on to the
actual scrub. (Later, the online inode repair code will also want the
xfs_imap structure so that it can reset the ondisk xfs_dinode
structure.)
xchk_get_inode retrieves an inode on behalf of a scrubber that operates
on an incore inode -- data/attr/cow forks, directories, xattrs,
symlinks, parent pointers, etc. If the inode/inobt verifiers fail and
xfs_iget returns EFSCORRUPTED, we want to exit to userspace (because the
caller should be fix the inode first) and drop everything we acquired
along the way.
A behavior common to both functions is that it's possible that xfs_scrub
asked for a scrub-by-handle concurrent with the inode being freed or the
passed-in inumber is invalid. In this case, we call xfs_imap to see if
the inobt index thinks the inode is allocated, and return ENOENT
("nothing to check here") to userspace if this is not the case. The
imap lookup is why both functions call xchk_iget_agi.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2023-04-12 10:00:22 +08:00
|
|
|
|
|
|
|
|
error = xchk_trans_alloc(sc, 0);
|
|
|
|
|
if (error)
|
|
|
|
|
return error;
|
|
|
|
|
|
2023-08-10 22:48:08 +08:00
|
|
|
xchk_ilock(sc, XFS_ILOCK_EXCL);
|
xfs: retain the AGI when we can't iget an inode to scrub the core
xchk_get_inode is not quite the right function to be calling from the
inode scrubber setup function. The common get_inode function either
gets an inode and installs it in the scrub context, or it returns an
error code explaining what happened. This is acceptable for most file
scrubbers because it is not in their scope to fix corruptions in the
inode core and fork areas that cause iget to fail.
Dealing with these problems is within the scope of the inode scrubber,
however. If iget fails with EFSCORRUPTED, we need to xchk_inode to flag
that as corruption. Since we can't get our hands on an incore inode, we
need to hold the AGI to prevent inode allocation activity so that
nothing changes in the inode metadata.
Looking ahead to the inode core repair patches, we will also need to
hold the AGI buffer into xrep_inode so that we can make modifications to
the xfs_dinode structure without any other thread swooping in to
allocate or free the inode.
Adapt the xchk_get_inode into xchk_setup_inode since this is a one-off
use case where the error codes we check for are a little different, and
the return state is much different from the common function.
xchk_setup_inode prepares to check or repair an inode record, so it must
continue the scrub operation even if the inode/inobt verifiers cause
xfs_iget to return EFSCORRUPTED. This is done by attaching the locked
AGI buffer to the scrub transaction and returning 0 to move on to the
actual scrub. (Later, the online inode repair code will also want the
xfs_imap structure so that it can reset the ondisk xfs_dinode
structure.)
xchk_get_inode retrieves an inode on behalf of a scrubber that operates
on an incore inode -- data/attr/cow forks, directories, xattrs,
symlinks, parent pointers, etc. If the inode/inobt verifiers fail and
xfs_iget returns EFSCORRUPTED, we want to exit to userspace (because the
caller should be fix the inode first) and drop everything we acquired
along the way.
A behavior common to both functions is that it's possible that xfs_scrub
asked for a scrub-by-handle concurrent with the inode being freed or the
passed-in inumber is invalid. In this case, we call xfs_imap to see if
the inobt index thinks the inode is allocated, and return ENOENT
("nothing to check here") to userspace if this is not the case. The
imap lookup is why both functions call xchk_iget_agi.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2023-04-12 10:00:22 +08:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Install this scrub-by-handle inode and prepare it for scrubbing. */
|
|
|
|
|
static inline int
|
|
|
|
|
xchk_install_handle_iscrub(
|
|
|
|
|
struct xfs_scrub *sc,
|
|
|
|
|
struct xfs_inode *ip)
|
|
|
|
|
{
|
|
|
|
|
int error;
|
|
|
|
|
|
|
|
|
|
error = xchk_install_handle_inode(sc, ip);
|
|
|
|
|
if (error)
|
|
|
|
|
return error;
|
|
|
|
|
|
|
|
|
|
return xchk_prepare_iscrub(sc);
|
|
|
|
|
}
|
2017-10-18 12:37:42 +08:00
|
|
|
|
|
|
|
|
/*
|
xfs: retain the AGI when we can't iget an inode to scrub the core
xchk_get_inode is not quite the right function to be calling from the
inode scrubber setup function. The common get_inode function either
gets an inode and installs it in the scrub context, or it returns an
error code explaining what happened. This is acceptable for most file
scrubbers because it is not in their scope to fix corruptions in the
inode core and fork areas that cause iget to fail.
Dealing with these problems is within the scope of the inode scrubber,
however. If iget fails with EFSCORRUPTED, we need to xchk_inode to flag
that as corruption. Since we can't get our hands on an incore inode, we
need to hold the AGI to prevent inode allocation activity so that
nothing changes in the inode metadata.
Looking ahead to the inode core repair patches, we will also need to
hold the AGI buffer into xrep_inode so that we can make modifications to
the xfs_dinode structure without any other thread swooping in to
allocate or free the inode.
Adapt the xchk_get_inode into xchk_setup_inode since this is a one-off
use case where the error codes we check for are a little different, and
the return state is much different from the common function.
xchk_setup_inode prepares to check or repair an inode record, so it must
continue the scrub operation even if the inode/inobt verifiers cause
xfs_iget to return EFSCORRUPTED. This is done by attaching the locked
AGI buffer to the scrub transaction and returning 0 to move on to the
actual scrub. (Later, the online inode repair code will also want the
xfs_imap structure so that it can reset the ondisk xfs_dinode
structure.)
xchk_get_inode retrieves an inode on behalf of a scrubber that operates
on an incore inode -- data/attr/cow forks, directories, xattrs,
symlinks, parent pointers, etc. If the inode/inobt verifiers fail and
xfs_iget returns EFSCORRUPTED, we want to exit to userspace (because the
caller should be fix the inode first) and drop everything we acquired
along the way.
A behavior common to both functions is that it's possible that xfs_scrub
asked for a scrub-by-handle concurrent with the inode being freed or the
passed-in inumber is invalid. In this case, we call xfs_imap to see if
the inobt index thinks the inode is allocated, and return ENOENT
("nothing to check here") to userspace if this is not the case. The
imap lookup is why both functions call xchk_iget_agi.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2023-04-12 10:00:22 +08:00
|
|
|
* Grab total control of the inode metadata. In the best case, we grab the
|
|
|
|
|
* incore inode and take all locks on it. If the incore inode cannot be
|
|
|
|
|
* constructed due to corruption problems, lock the AGI so that we can single
|
|
|
|
|
* step the loading process to fix everything that can go wrong.
|
2017-10-18 12:37:42 +08:00
|
|
|
*/
|
|
|
|
|
int
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_setup_inode(
|
2021-04-08 08:59:39 +08:00
|
|
|
struct xfs_scrub *sc)
|
2017-10-18 12:37:42 +08:00
|
|
|
{
|
xfs: retain the AGI when we can't iget an inode to scrub the core
xchk_get_inode is not quite the right function to be calling from the
inode scrubber setup function. The common get_inode function either
gets an inode and installs it in the scrub context, or it returns an
error code explaining what happened. This is acceptable for most file
scrubbers because it is not in their scope to fix corruptions in the
inode core and fork areas that cause iget to fail.
Dealing with these problems is within the scope of the inode scrubber,
however. If iget fails with EFSCORRUPTED, we need to xchk_inode to flag
that as corruption. Since we can't get our hands on an incore inode, we
need to hold the AGI to prevent inode allocation activity so that
nothing changes in the inode metadata.
Looking ahead to the inode core repair patches, we will also need to
hold the AGI buffer into xrep_inode so that we can make modifications to
the xfs_dinode structure without any other thread swooping in to
allocate or free the inode.
Adapt the xchk_get_inode into xchk_setup_inode since this is a one-off
use case where the error codes we check for are a little different, and
the return state is much different from the common function.
xchk_setup_inode prepares to check or repair an inode record, so it must
continue the scrub operation even if the inode/inobt verifiers cause
xfs_iget to return EFSCORRUPTED. This is done by attaching the locked
AGI buffer to the scrub transaction and returning 0 to move on to the
actual scrub. (Later, the online inode repair code will also want the
xfs_imap structure so that it can reset the ondisk xfs_dinode
structure.)
xchk_get_inode retrieves an inode on behalf of a scrubber that operates
on an incore inode -- data/attr/cow forks, directories, xattrs,
symlinks, parent pointers, etc. If the inode/inobt verifiers fail and
xfs_iget returns EFSCORRUPTED, we want to exit to userspace (because the
caller should be fix the inode first) and drop everything we acquired
along the way.
A behavior common to both functions is that it's possible that xfs_scrub
asked for a scrub-by-handle concurrent with the inode being freed or the
passed-in inumber is invalid. In this case, we call xfs_imap to see if
the inobt index thinks the inode is allocated, and return ENOENT
("nothing to check here") to userspace if this is not the case. The
imap lookup is why both functions call xchk_iget_agi.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2023-04-12 10:00:22 +08:00
|
|
|
struct xfs_imap imap;
|
|
|
|
|
struct xfs_inode *ip;
|
|
|
|
|
struct xfs_mount *mp = sc->mp;
|
|
|
|
|
struct xfs_inode *ip_in = XFS_I(file_inode(sc->file));
|
|
|
|
|
struct xfs_buf *agi_bp;
|
|
|
|
|
struct xfs_perag *pag;
|
|
|
|
|
xfs_agnumber_t agno = XFS_INO_TO_AGNO(mp, sc->sm->sm_ino);
|
2018-07-20 03:29:12 +08:00
|
|
|
int error;
|
2017-10-18 12:37:42 +08:00
|
|
|
|
2023-04-12 09:59:59 +08:00
|
|
|
if (xchk_need_intent_drain(sc))
|
|
|
|
|
xchk_fsgates_enable(sc, XCHK_FSGATES_DRAIN);
|
|
|
|
|
|
xfs: retain the AGI when we can't iget an inode to scrub the core
xchk_get_inode is not quite the right function to be calling from the
inode scrubber setup function. The common get_inode function either
gets an inode and installs it in the scrub context, or it returns an
error code explaining what happened. This is acceptable for most file
scrubbers because it is not in their scope to fix corruptions in the
inode core and fork areas that cause iget to fail.
Dealing with these problems is within the scope of the inode scrubber,
however. If iget fails with EFSCORRUPTED, we need to xchk_inode to flag
that as corruption. Since we can't get our hands on an incore inode, we
need to hold the AGI to prevent inode allocation activity so that
nothing changes in the inode metadata.
Looking ahead to the inode core repair patches, we will also need to
hold the AGI buffer into xrep_inode so that we can make modifications to
the xfs_dinode structure without any other thread swooping in to
allocate or free the inode.
Adapt the xchk_get_inode into xchk_setup_inode since this is a one-off
use case where the error codes we check for are a little different, and
the return state is much different from the common function.
xchk_setup_inode prepares to check or repair an inode record, so it must
continue the scrub operation even if the inode/inobt verifiers cause
xfs_iget to return EFSCORRUPTED. This is done by attaching the locked
AGI buffer to the scrub transaction and returning 0 to move on to the
actual scrub. (Later, the online inode repair code will also want the
xfs_imap structure so that it can reset the ondisk xfs_dinode
structure.)
xchk_get_inode retrieves an inode on behalf of a scrubber that operates
on an incore inode -- data/attr/cow forks, directories, xattrs,
symlinks, parent pointers, etc. If the inode/inobt verifiers fail and
xfs_iget returns EFSCORRUPTED, we want to exit to userspace (because the
caller should be fix the inode first) and drop everything we acquired
along the way.
A behavior common to both functions is that it's possible that xfs_scrub
asked for a scrub-by-handle concurrent with the inode being freed or the
passed-in inumber is invalid. In this case, we call xfs_imap to see if
the inobt index thinks the inode is allocated, and return ENOENT
("nothing to check here") to userspace if this is not the case. The
imap lookup is why both functions call xchk_iget_agi.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2023-04-12 10:00:22 +08:00
|
|
|
/* We want to scan the opened inode, so lock it and exit. */
|
|
|
|
|
if (sc->sm->sm_ino == 0 || sc->sm->sm_ino == ip_in->i_ino) {
|
2023-08-10 22:48:08 +08:00
|
|
|
error = xchk_install_live_inode(sc, ip_in);
|
|
|
|
|
if (error)
|
|
|
|
|
return error;
|
|
|
|
|
|
xfs: retain the AGI when we can't iget an inode to scrub the core
xchk_get_inode is not quite the right function to be calling from the
inode scrubber setup function. The common get_inode function either
gets an inode and installs it in the scrub context, or it returns an
error code explaining what happened. This is acceptable for most file
scrubbers because it is not in their scope to fix corruptions in the
inode core and fork areas that cause iget to fail.
Dealing with these problems is within the scope of the inode scrubber,
however. If iget fails with EFSCORRUPTED, we need to xchk_inode to flag
that as corruption. Since we can't get our hands on an incore inode, we
need to hold the AGI to prevent inode allocation activity so that
nothing changes in the inode metadata.
Looking ahead to the inode core repair patches, we will also need to
hold the AGI buffer into xrep_inode so that we can make modifications to
the xfs_dinode structure without any other thread swooping in to
allocate or free the inode.
Adapt the xchk_get_inode into xchk_setup_inode since this is a one-off
use case where the error codes we check for are a little different, and
the return state is much different from the common function.
xchk_setup_inode prepares to check or repair an inode record, so it must
continue the scrub operation even if the inode/inobt verifiers cause
xfs_iget to return EFSCORRUPTED. This is done by attaching the locked
AGI buffer to the scrub transaction and returning 0 to move on to the
actual scrub. (Later, the online inode repair code will also want the
xfs_imap structure so that it can reset the ondisk xfs_dinode
structure.)
xchk_get_inode retrieves an inode on behalf of a scrubber that operates
on an incore inode -- data/attr/cow forks, directories, xattrs,
symlinks, parent pointers, etc. If the inode/inobt verifiers fail and
xfs_iget returns EFSCORRUPTED, we want to exit to userspace (because the
caller should be fix the inode first) and drop everything we acquired
along the way.
A behavior common to both functions is that it's possible that xfs_scrub
asked for a scrub-by-handle concurrent with the inode being freed or the
passed-in inumber is invalid. In this case, we call xfs_imap to see if
the inobt index thinks the inode is allocated, and return ENOENT
("nothing to check here") to userspace if this is not the case. The
imap lookup is why both functions call xchk_iget_agi.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2023-04-12 10:00:22 +08:00
|
|
|
return xchk_prepare_iscrub(sc);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Reject internal metadata files and obviously bad inode numbers. */
|
|
|
|
|
if (xfs_internal_inum(mp, sc->sm->sm_ino))
|
|
|
|
|
return -ENOENT;
|
|
|
|
|
if (!xfs_verify_ino(sc->mp, sc->sm->sm_ino))
|
|
|
|
|
return -ENOENT;
|
|
|
|
|
|
|
|
|
|
/* Try a regular untrusted iget. */
|
|
|
|
|
error = xchk_iget(sc, sc->sm->sm_ino, &ip);
|
|
|
|
|
if (!error)
|
|
|
|
|
return xchk_install_handle_iscrub(sc, ip);
|
|
|
|
|
if (error == -ENOENT)
|
|
|
|
|
return error;
|
|
|
|
|
if (error != -EFSCORRUPTED && error != -EFSBADCRC && error != -EINVAL)
|
|
|
|
|
goto out_error;
|
|
|
|
|
|
2017-10-18 12:37:42 +08:00
|
|
|
/*
|
xfs: retain the AGI when we can't iget an inode to scrub the core
xchk_get_inode is not quite the right function to be calling from the
inode scrubber setup function. The common get_inode function either
gets an inode and installs it in the scrub context, or it returns an
error code explaining what happened. This is acceptable for most file
scrubbers because it is not in their scope to fix corruptions in the
inode core and fork areas that cause iget to fail.
Dealing with these problems is within the scope of the inode scrubber,
however. If iget fails with EFSCORRUPTED, we need to xchk_inode to flag
that as corruption. Since we can't get our hands on an incore inode, we
need to hold the AGI to prevent inode allocation activity so that
nothing changes in the inode metadata.
Looking ahead to the inode core repair patches, we will also need to
hold the AGI buffer into xrep_inode so that we can make modifications to
the xfs_dinode structure without any other thread swooping in to
allocate or free the inode.
Adapt the xchk_get_inode into xchk_setup_inode since this is a one-off
use case where the error codes we check for are a little different, and
the return state is much different from the common function.
xchk_setup_inode prepares to check or repair an inode record, so it must
continue the scrub operation even if the inode/inobt verifiers cause
xfs_iget to return EFSCORRUPTED. This is done by attaching the locked
AGI buffer to the scrub transaction and returning 0 to move on to the
actual scrub. (Later, the online inode repair code will also want the
xfs_imap structure so that it can reset the ondisk xfs_dinode
structure.)
xchk_get_inode retrieves an inode on behalf of a scrubber that operates
on an incore inode -- data/attr/cow forks, directories, xattrs,
symlinks, parent pointers, etc. If the inode/inobt verifiers fail and
xfs_iget returns EFSCORRUPTED, we want to exit to userspace (because the
caller should be fix the inode first) and drop everything we acquired
along the way.
A behavior common to both functions is that it's possible that xfs_scrub
asked for a scrub-by-handle concurrent with the inode being freed or the
passed-in inumber is invalid. In this case, we call xfs_imap to see if
the inobt index thinks the inode is allocated, and return ENOENT
("nothing to check here") to userspace if this is not the case. The
imap lookup is why both functions call xchk_iget_agi.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2023-04-12 10:00:22 +08:00
|
|
|
* EINVAL with IGET_UNTRUSTED probably means one of several things:
|
|
|
|
|
* userspace gave us an inode number that doesn't correspond to fs
|
|
|
|
|
* space; the inode btree lacks a record for this inode; or there is
|
|
|
|
|
* a record, and it says this inode is free.
|
|
|
|
|
*
|
|
|
|
|
* EFSCORRUPTED/EFSBADCRC could mean that the inode was mappable, but
|
|
|
|
|
* some other metadata corruption (e.g. inode forks) prevented
|
|
|
|
|
* instantiation of the incore inode. Or it could mean the inobt is
|
|
|
|
|
* corrupt.
|
|
|
|
|
*
|
|
|
|
|
* We want to look up this inode in the inobt directly to distinguish
|
|
|
|
|
* three different scenarios: (1) the inobt says the inode is free,
|
|
|
|
|
* in which case there's nothing to do; (2) the inobt is corrupt so we
|
|
|
|
|
* should flag the corruption and exit to userspace to let it fix the
|
|
|
|
|
* inobt; and (3) the inobt says the inode is allocated, but loading it
|
|
|
|
|
* failed due to corruption.
|
|
|
|
|
*
|
|
|
|
|
* Allocate a transaction and grab the AGI to prevent inobt activity in
|
|
|
|
|
* this AG. Retry the iget in case someone allocated a new inode after
|
|
|
|
|
* the first iget failed.
|
2017-10-18 12:37:42 +08:00
|
|
|
*/
|
xfs: retain the AGI when we can't iget an inode to scrub the core
xchk_get_inode is not quite the right function to be calling from the
inode scrubber setup function. The common get_inode function either
gets an inode and installs it in the scrub context, or it returns an
error code explaining what happened. This is acceptable for most file
scrubbers because it is not in their scope to fix corruptions in the
inode core and fork areas that cause iget to fail.
Dealing with these problems is within the scope of the inode scrubber,
however. If iget fails with EFSCORRUPTED, we need to xchk_inode to flag
that as corruption. Since we can't get our hands on an incore inode, we
need to hold the AGI to prevent inode allocation activity so that
nothing changes in the inode metadata.
Looking ahead to the inode core repair patches, we will also need to
hold the AGI buffer into xrep_inode so that we can make modifications to
the xfs_dinode structure without any other thread swooping in to
allocate or free the inode.
Adapt the xchk_get_inode into xchk_setup_inode since this is a one-off
use case where the error codes we check for are a little different, and
the return state is much different from the common function.
xchk_setup_inode prepares to check or repair an inode record, so it must
continue the scrub operation even if the inode/inobt verifiers cause
xfs_iget to return EFSCORRUPTED. This is done by attaching the locked
AGI buffer to the scrub transaction and returning 0 to move on to the
actual scrub. (Later, the online inode repair code will also want the
xfs_imap structure so that it can reset the ondisk xfs_dinode
structure.)
xchk_get_inode retrieves an inode on behalf of a scrubber that operates
on an incore inode -- data/attr/cow forks, directories, xattrs,
symlinks, parent pointers, etc. If the inode/inobt verifiers fail and
xfs_iget returns EFSCORRUPTED, we want to exit to userspace (because the
caller should be fix the inode first) and drop everything we acquired
along the way.
A behavior common to both functions is that it's possible that xfs_scrub
asked for a scrub-by-handle concurrent with the inode being freed or the
passed-in inumber is invalid. In this case, we call xfs_imap to see if
the inobt index thinks the inode is allocated, and return ENOENT
("nothing to check here") to userspace if this is not the case. The
imap lookup is why both functions call xchk_iget_agi.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2023-04-12 10:00:22 +08:00
|
|
|
error = xchk_trans_alloc(sc, 0);
|
|
|
|
|
if (error)
|
|
|
|
|
goto out_error;
|
|
|
|
|
|
|
|
|
|
error = xchk_iget_agi(sc, sc->sm->sm_ino, &agi_bp, &ip);
|
|
|
|
|
if (error == 0) {
|
|
|
|
|
/* Actually got the incore inode, so install it and proceed. */
|
|
|
|
|
xchk_trans_cancel(sc);
|
|
|
|
|
return xchk_install_handle_iscrub(sc, ip);
|
2017-10-18 12:37:42 +08:00
|
|
|
}
|
xfs: retain the AGI when we can't iget an inode to scrub the core
xchk_get_inode is not quite the right function to be calling from the
inode scrubber setup function. The common get_inode function either
gets an inode and installs it in the scrub context, or it returns an
error code explaining what happened. This is acceptable for most file
scrubbers because it is not in their scope to fix corruptions in the
inode core and fork areas that cause iget to fail.
Dealing with these problems is within the scope of the inode scrubber,
however. If iget fails with EFSCORRUPTED, we need to xchk_inode to flag
that as corruption. Since we can't get our hands on an incore inode, we
need to hold the AGI to prevent inode allocation activity so that
nothing changes in the inode metadata.
Looking ahead to the inode core repair patches, we will also need to
hold the AGI buffer into xrep_inode so that we can make modifications to
the xfs_dinode structure without any other thread swooping in to
allocate or free the inode.
Adapt the xchk_get_inode into xchk_setup_inode since this is a one-off
use case where the error codes we check for are a little different, and
the return state is much different from the common function.
xchk_setup_inode prepares to check or repair an inode record, so it must
continue the scrub operation even if the inode/inobt verifiers cause
xfs_iget to return EFSCORRUPTED. This is done by attaching the locked
AGI buffer to the scrub transaction and returning 0 to move on to the
actual scrub. (Later, the online inode repair code will also want the
xfs_imap structure so that it can reset the ondisk xfs_dinode
structure.)
xchk_get_inode retrieves an inode on behalf of a scrubber that operates
on an incore inode -- data/attr/cow forks, directories, xattrs,
symlinks, parent pointers, etc. If the inode/inobt verifiers fail and
xfs_iget returns EFSCORRUPTED, we want to exit to userspace (because the
caller should be fix the inode first) and drop everything we acquired
along the way.
A behavior common to both functions is that it's possible that xfs_scrub
asked for a scrub-by-handle concurrent with the inode being freed or the
passed-in inumber is invalid. In this case, we call xfs_imap to see if
the inobt index thinks the inode is allocated, and return ENOENT
("nothing to check here") to userspace if this is not the case. The
imap lookup is why both functions call xchk_iget_agi.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2023-04-12 10:00:22 +08:00
|
|
|
if (error == -ENOENT)
|
|
|
|
|
goto out_gone;
|
|
|
|
|
if (error != -EFSCORRUPTED && error != -EFSBADCRC && error != -EINVAL)
|
|
|
|
|
goto out_cancel;
|
2017-10-18 12:37:42 +08:00
|
|
|
|
xfs: retain the AGI when we can't iget an inode to scrub the core
xchk_get_inode is not quite the right function to be calling from the
inode scrubber setup function. The common get_inode function either
gets an inode and installs it in the scrub context, or it returns an
error code explaining what happened. This is acceptable for most file
scrubbers because it is not in their scope to fix corruptions in the
inode core and fork areas that cause iget to fail.
Dealing with these problems is within the scope of the inode scrubber,
however. If iget fails with EFSCORRUPTED, we need to xchk_inode to flag
that as corruption. Since we can't get our hands on an incore inode, we
need to hold the AGI to prevent inode allocation activity so that
nothing changes in the inode metadata.
Looking ahead to the inode core repair patches, we will also need to
hold the AGI buffer into xrep_inode so that we can make modifications to
the xfs_dinode structure without any other thread swooping in to
allocate or free the inode.
Adapt the xchk_get_inode into xchk_setup_inode since this is a one-off
use case where the error codes we check for are a little different, and
the return state is much different from the common function.
xchk_setup_inode prepares to check or repair an inode record, so it must
continue the scrub operation even if the inode/inobt verifiers cause
xfs_iget to return EFSCORRUPTED. This is done by attaching the locked
AGI buffer to the scrub transaction and returning 0 to move on to the
actual scrub. (Later, the online inode repair code will also want the
xfs_imap structure so that it can reset the ondisk xfs_dinode
structure.)
xchk_get_inode retrieves an inode on behalf of a scrubber that operates
on an incore inode -- data/attr/cow forks, directories, xattrs,
symlinks, parent pointers, etc. If the inode/inobt verifiers fail and
xfs_iget returns EFSCORRUPTED, we want to exit to userspace (because the
caller should be fix the inode first) and drop everything we acquired
along the way.
A behavior common to both functions is that it's possible that xfs_scrub
asked for a scrub-by-handle concurrent with the inode being freed or the
passed-in inumber is invalid. In this case, we call xfs_imap to see if
the inobt index thinks the inode is allocated, and return ENOENT
("nothing to check here") to userspace if this is not the case. The
imap lookup is why both functions call xchk_iget_agi.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2023-04-12 10:00:22 +08:00
|
|
|
/* Ensure that we have protected against inode allocation/freeing. */
|
|
|
|
|
if (agi_bp == NULL) {
|
|
|
|
|
ASSERT(agi_bp != NULL);
|
|
|
|
|
error = -ECANCELED;
|
|
|
|
|
goto out_cancel;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Untrusted iget failed a second time. Let's try an inobt lookup.
|
|
|
|
|
* If the inobt doesn't think this is an allocated inode then we'll
|
|
|
|
|
* return ENOENT to signal that the check can be skipped.
|
|
|
|
|
*
|
|
|
|
|
* If the lookup signals corruption, we'll mark this inode corrupt and
|
|
|
|
|
* exit to userspace. There's little chance of fixing anything until
|
|
|
|
|
* the inobt is straightened out, but there's nothing we can do here.
|
|
|
|
|
*
|
|
|
|
|
* If the lookup encounters a runtime error, exit to userspace.
|
|
|
|
|
*/
|
|
|
|
|
pag = xfs_perag_get(mp, XFS_INO_TO_AGNO(mp, sc->sm->sm_ino));
|
|
|
|
|
if (!pag) {
|
|
|
|
|
error = -EFSCORRUPTED;
|
|
|
|
|
goto out_cancel;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
error = xfs_imap(pag, sc->tp, sc->sm->sm_ino, &imap,
|
|
|
|
|
XFS_IGET_UNTRUSTED);
|
|
|
|
|
xfs_perag_put(pag);
|
|
|
|
|
if (error == -EINVAL || error == -ENOENT)
|
|
|
|
|
goto out_gone;
|
2017-10-18 12:37:42 +08:00
|
|
|
if (error)
|
xfs: retain the AGI when we can't iget an inode to scrub the core
xchk_get_inode is not quite the right function to be calling from the
inode scrubber setup function. The common get_inode function either
gets an inode and installs it in the scrub context, or it returns an
error code explaining what happened. This is acceptable for most file
scrubbers because it is not in their scope to fix corruptions in the
inode core and fork areas that cause iget to fail.
Dealing with these problems is within the scope of the inode scrubber,
however. If iget fails with EFSCORRUPTED, we need to xchk_inode to flag
that as corruption. Since we can't get our hands on an incore inode, we
need to hold the AGI to prevent inode allocation activity so that
nothing changes in the inode metadata.
Looking ahead to the inode core repair patches, we will also need to
hold the AGI buffer into xrep_inode so that we can make modifications to
the xfs_dinode structure without any other thread swooping in to
allocate or free the inode.
Adapt the xchk_get_inode into xchk_setup_inode since this is a one-off
use case where the error codes we check for are a little different, and
the return state is much different from the common function.
xchk_setup_inode prepares to check or repair an inode record, so it must
continue the scrub operation even if the inode/inobt verifiers cause
xfs_iget to return EFSCORRUPTED. This is done by attaching the locked
AGI buffer to the scrub transaction and returning 0 to move on to the
actual scrub. (Later, the online inode repair code will also want the
xfs_imap structure so that it can reset the ondisk xfs_dinode
structure.)
xchk_get_inode retrieves an inode on behalf of a scrubber that operates
on an incore inode -- data/attr/cow forks, directories, xattrs,
symlinks, parent pointers, etc. If the inode/inobt verifiers fail and
xfs_iget returns EFSCORRUPTED, we want to exit to userspace (because the
caller should be fix the inode first) and drop everything we acquired
along the way.
A behavior common to both functions is that it's possible that xfs_scrub
asked for a scrub-by-handle concurrent with the inode being freed or the
passed-in inumber is invalid. In this case, we call xfs_imap to see if
the inobt index thinks the inode is allocated, and return ENOENT
("nothing to check here") to userspace if this is not the case. The
imap lookup is why both functions call xchk_iget_agi.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2023-04-12 10:00:22 +08:00
|
|
|
goto out_cancel;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* The lookup succeeded. Chances are the ondisk inode is corrupt and
|
|
|
|
|
* preventing iget from reading it. Retain the scrub transaction and
|
|
|
|
|
* the AGI buffer to prevent anyone from allocating or freeing inodes.
|
|
|
|
|
* This ensures that we preserve the inconsistency between the inobt
|
|
|
|
|
* saying the inode is allocated and the icache being unable to load
|
|
|
|
|
* the inode until we can flag the corruption in xchk_inode. The
|
|
|
|
|
* scrub function has to note the corruption, since we're not really
|
|
|
|
|
* supposed to do that from the setup function.
|
|
|
|
|
*/
|
|
|
|
|
return 0;
|
2017-10-18 12:37:42 +08:00
|
|
|
|
xfs: retain the AGI when we can't iget an inode to scrub the core
xchk_get_inode is not quite the right function to be calling from the
inode scrubber setup function. The common get_inode function either
gets an inode and installs it in the scrub context, or it returns an
error code explaining what happened. This is acceptable for most file
scrubbers because it is not in their scope to fix corruptions in the
inode core and fork areas that cause iget to fail.
Dealing with these problems is within the scope of the inode scrubber,
however. If iget fails with EFSCORRUPTED, we need to xchk_inode to flag
that as corruption. Since we can't get our hands on an incore inode, we
need to hold the AGI to prevent inode allocation activity so that
nothing changes in the inode metadata.
Looking ahead to the inode core repair patches, we will also need to
hold the AGI buffer into xrep_inode so that we can make modifications to
the xfs_dinode structure without any other thread swooping in to
allocate or free the inode.
Adapt the xchk_get_inode into xchk_setup_inode since this is a one-off
use case where the error codes we check for are a little different, and
the return state is much different from the common function.
xchk_setup_inode prepares to check or repair an inode record, so it must
continue the scrub operation even if the inode/inobt verifiers cause
xfs_iget to return EFSCORRUPTED. This is done by attaching the locked
AGI buffer to the scrub transaction and returning 0 to move on to the
actual scrub. (Later, the online inode repair code will also want the
xfs_imap structure so that it can reset the ondisk xfs_dinode
structure.)
xchk_get_inode retrieves an inode on behalf of a scrubber that operates
on an incore inode -- data/attr/cow forks, directories, xattrs,
symlinks, parent pointers, etc. If the inode/inobt verifiers fail and
xfs_iget returns EFSCORRUPTED, we want to exit to userspace (because the
caller should be fix the inode first) and drop everything we acquired
along the way.
A behavior common to both functions is that it's possible that xfs_scrub
asked for a scrub-by-handle concurrent with the inode being freed or the
passed-in inumber is invalid. In this case, we call xfs_imap to see if
the inobt index thinks the inode is allocated, and return ENOENT
("nothing to check here") to userspace if this is not the case. The
imap lookup is why both functions call xchk_iget_agi.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2023-04-12 10:00:22 +08:00
|
|
|
out_cancel:
|
|
|
|
|
xchk_trans_cancel(sc);
|
|
|
|
|
out_error:
|
|
|
|
|
trace_xchk_op_error(sc, agno, XFS_INO_TO_AGBNO(mp, sc->sm->sm_ino),
|
|
|
|
|
error, __return_address);
|
2017-10-18 12:37:42 +08:00
|
|
|
return error;
|
xfs: retain the AGI when we can't iget an inode to scrub the core
xchk_get_inode is not quite the right function to be calling from the
inode scrubber setup function. The common get_inode function either
gets an inode and installs it in the scrub context, or it returns an
error code explaining what happened. This is acceptable for most file
scrubbers because it is not in their scope to fix corruptions in the
inode core and fork areas that cause iget to fail.
Dealing with these problems is within the scope of the inode scrubber,
however. If iget fails with EFSCORRUPTED, we need to xchk_inode to flag
that as corruption. Since we can't get our hands on an incore inode, we
need to hold the AGI to prevent inode allocation activity so that
nothing changes in the inode metadata.
Looking ahead to the inode core repair patches, we will also need to
hold the AGI buffer into xrep_inode so that we can make modifications to
the xfs_dinode structure without any other thread swooping in to
allocate or free the inode.
Adapt the xchk_get_inode into xchk_setup_inode since this is a one-off
use case where the error codes we check for are a little different, and
the return state is much different from the common function.
xchk_setup_inode prepares to check or repair an inode record, so it must
continue the scrub operation even if the inode/inobt verifiers cause
xfs_iget to return EFSCORRUPTED. This is done by attaching the locked
AGI buffer to the scrub transaction and returning 0 to move on to the
actual scrub. (Later, the online inode repair code will also want the
xfs_imap structure so that it can reset the ondisk xfs_dinode
structure.)
xchk_get_inode retrieves an inode on behalf of a scrubber that operates
on an incore inode -- data/attr/cow forks, directories, xattrs,
symlinks, parent pointers, etc. If the inode/inobt verifiers fail and
xfs_iget returns EFSCORRUPTED, we want to exit to userspace (because the
caller should be fix the inode first) and drop everything we acquired
along the way.
A behavior common to both functions is that it's possible that xfs_scrub
asked for a scrub-by-handle concurrent with the inode being freed or the
passed-in inumber is invalid. In this case, we call xfs_imap to see if
the inobt index thinks the inode is allocated, and return ENOENT
("nothing to check here") to userspace if this is not the case. The
imap lookup is why both functions call xchk_iget_agi.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2023-04-12 10:00:22 +08:00
|
|
|
out_gone:
|
|
|
|
|
/* The file is gone, so there's nothing to check. */
|
|
|
|
|
xchk_trans_cancel(sc);
|
|
|
|
|
return -ENOENT;
|
2017-10-18 12:37:42 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Inode core */
|
|
|
|
|
|
2018-03-24 01:06:55 +08:00
|
|
|
/* Validate di_extsize hint. */
|
2017-10-18 12:37:42 +08:00
|
|
|
STATIC void
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_inode_extsize(
|
2018-07-20 03:29:12 +08:00
|
|
|
struct xfs_scrub *sc,
|
2018-07-20 03:29:12 +08:00
|
|
|
struct xfs_dinode *dip,
|
|
|
|
|
xfs_ino_t ino,
|
|
|
|
|
uint16_t mode,
|
|
|
|
|
uint16_t flags)
|
2017-10-18 12:37:42 +08:00
|
|
|
{
|
2018-07-20 03:29:12 +08:00
|
|
|
xfs_failaddr_t fa;
|
2021-07-15 00:03:41 +08:00
|
|
|
uint32_t value = be32_to_cpu(dip->di_extsize);
|
2017-10-18 12:37:42 +08:00
|
|
|
|
2021-07-15 00:03:41 +08:00
|
|
|
fa = xfs_inode_validate_extsize(sc->mp, value, mode, flags);
|
2018-03-24 01:06:55 +08:00
|
|
|
if (fa)
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_ino_set_corrupt(sc, ino);
|
2021-07-15 00:03:41 +08:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* XFS allows a sysadmin to change the rt extent size when adding a rt
|
|
|
|
|
* section to a filesystem after formatting. If there are any
|
|
|
|
|
* directories with extszinherit and rtinherit set, the hint could
|
|
|
|
|
* become misaligned with the new rextsize. The verifier doesn't check
|
|
|
|
|
* this, because we allow rtinherit directories even without an rt
|
|
|
|
|
* device. Flag this as an administrative warning since we will clean
|
|
|
|
|
* this up eventually.
|
|
|
|
|
*/
|
|
|
|
|
if ((flags & XFS_DIFLAG_RTINHERIT) &&
|
|
|
|
|
(flags & XFS_DIFLAG_EXTSZINHERIT) &&
|
2023-10-17 00:34:39 +08:00
|
|
|
xfs_extlen_to_rtxmod(sc->mp, value) > 0)
|
2021-07-15 00:03:41 +08:00
|
|
|
xchk_ino_set_warning(sc, ino);
|
2017-10-18 12:37:42 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Validate di_cowextsize hint.
|
|
|
|
|
*
|
|
|
|
|
* The rules are documented at xfs_ioctl_setattr_check_cowextsize().
|
|
|
|
|
* These functions must be kept in sync with each other.
|
|
|
|
|
*/
|
|
|
|
|
STATIC void
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_inode_cowextsize(
|
2018-07-20 03:29:12 +08:00
|
|
|
struct xfs_scrub *sc,
|
2018-07-20 03:29:12 +08:00
|
|
|
struct xfs_dinode *dip,
|
|
|
|
|
xfs_ino_t ino,
|
|
|
|
|
uint16_t mode,
|
|
|
|
|
uint16_t flags,
|
|
|
|
|
uint64_t flags2)
|
2017-10-18 12:37:42 +08:00
|
|
|
{
|
2018-07-20 03:29:12 +08:00
|
|
|
xfs_failaddr_t fa;
|
2017-10-18 12:37:42 +08:00
|
|
|
|
2018-03-24 01:06:55 +08:00
|
|
|
fa = xfs_inode_validate_cowextsize(sc->mp,
|
|
|
|
|
be32_to_cpu(dip->di_cowextsize), mode, flags,
|
|
|
|
|
flags2);
|
|
|
|
|
if (fa)
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_ino_set_corrupt(sc, ino);
|
2017-10-18 12:37:42 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Make sure the di_flags make sense for the inode. */
|
|
|
|
|
STATIC void
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_inode_flags(
|
2018-07-20 03:29:12 +08:00
|
|
|
struct xfs_scrub *sc,
|
2018-07-20 03:29:12 +08:00
|
|
|
struct xfs_dinode *dip,
|
|
|
|
|
xfs_ino_t ino,
|
|
|
|
|
uint16_t mode,
|
|
|
|
|
uint16_t flags)
|
2017-10-18 12:37:42 +08:00
|
|
|
{
|
2018-07-20 03:29:12 +08:00
|
|
|
struct xfs_mount *mp = sc->mp;
|
2017-10-18 12:37:42 +08:00
|
|
|
|
2018-09-29 11:49:00 +08:00
|
|
|
/* di_flags are all taken, last bit cannot be used */
|
2017-10-18 12:37:42 +08:00
|
|
|
if (flags & ~XFS_DIFLAG_ANY)
|
|
|
|
|
goto bad;
|
|
|
|
|
|
|
|
|
|
/* rt flags require rt device */
|
2020-11-03 09:14:07 +08:00
|
|
|
if ((flags & XFS_DIFLAG_REALTIME) && !mp->m_rtdev_targp)
|
2017-10-18 12:37:42 +08:00
|
|
|
goto bad;
|
|
|
|
|
|
|
|
|
|
/* new rt bitmap flag only valid for rbmino */
|
|
|
|
|
if ((flags & XFS_DIFLAG_NEWRTBM) && ino != mp->m_sb.sb_rbmino)
|
|
|
|
|
goto bad;
|
|
|
|
|
|
|
|
|
|
/* directory-only flags */
|
|
|
|
|
if ((flags & (XFS_DIFLAG_RTINHERIT |
|
|
|
|
|
XFS_DIFLAG_EXTSZINHERIT |
|
|
|
|
|
XFS_DIFLAG_PROJINHERIT |
|
|
|
|
|
XFS_DIFLAG_NOSYMLINKS)) &&
|
|
|
|
|
!S_ISDIR(mode))
|
|
|
|
|
goto bad;
|
|
|
|
|
|
|
|
|
|
/* file-only flags */
|
|
|
|
|
if ((flags & (XFS_DIFLAG_REALTIME | FS_XFLAG_EXTSIZE)) &&
|
|
|
|
|
!S_ISREG(mode))
|
|
|
|
|
goto bad;
|
|
|
|
|
|
|
|
|
|
/* filestreams and rt make no sense */
|
|
|
|
|
if ((flags & XFS_DIFLAG_FILESTREAM) && (flags & XFS_DIFLAG_REALTIME))
|
|
|
|
|
goto bad;
|
|
|
|
|
|
|
|
|
|
return;
|
|
|
|
|
bad:
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_ino_set_corrupt(sc, ino);
|
2017-10-18 12:37:42 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Make sure the di_flags2 make sense for the inode. */
|
|
|
|
|
STATIC void
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_inode_flags2(
|
2018-07-20 03:29:12 +08:00
|
|
|
struct xfs_scrub *sc,
|
2018-07-20 03:29:12 +08:00
|
|
|
struct xfs_dinode *dip,
|
|
|
|
|
xfs_ino_t ino,
|
|
|
|
|
uint16_t mode,
|
|
|
|
|
uint16_t flags,
|
|
|
|
|
uint64_t flags2)
|
2017-10-18 12:37:42 +08:00
|
|
|
{
|
2018-07-20 03:29:12 +08:00
|
|
|
struct xfs_mount *mp = sc->mp;
|
2017-10-18 12:37:42 +08:00
|
|
|
|
2018-09-29 11:49:00 +08:00
|
|
|
/* Unknown di_flags2 could be from a future kernel */
|
2017-10-18 12:37:42 +08:00
|
|
|
if (flags2 & ~XFS_DIFLAG2_ANY)
|
2018-09-29 11:49:00 +08:00
|
|
|
xchk_ino_set_warning(sc, ino);
|
2017-10-18 12:37:42 +08:00
|
|
|
|
|
|
|
|
/* reflink flag requires reflink feature */
|
|
|
|
|
if ((flags2 & XFS_DIFLAG2_REFLINK) &&
|
2021-08-19 09:46:37 +08:00
|
|
|
!xfs_has_reflink(mp))
|
2017-10-18 12:37:42 +08:00
|
|
|
goto bad;
|
|
|
|
|
|
|
|
|
|
/* cowextsize flag is checked w.r.t. mode separately */
|
|
|
|
|
|
|
|
|
|
/* file/dir-only flags */
|
|
|
|
|
if ((flags2 & XFS_DIFLAG2_DAX) && !(S_ISREG(mode) || S_ISDIR(mode)))
|
|
|
|
|
goto bad;
|
|
|
|
|
|
|
|
|
|
/* file-only flags */
|
|
|
|
|
if ((flags2 & XFS_DIFLAG2_REFLINK) && !S_ISREG(mode))
|
|
|
|
|
goto bad;
|
|
|
|
|
|
|
|
|
|
/* realtime and reflink make no sense, currently */
|
|
|
|
|
if ((flags & XFS_DIFLAG_REALTIME) && (flags2 & XFS_DIFLAG2_REFLINK))
|
|
|
|
|
goto bad;
|
|
|
|
|
|
2020-08-18 00:59:07 +08:00
|
|
|
/* no bigtime iflag without the bigtime feature */
|
2021-08-19 09:46:55 +08:00
|
|
|
if (xfs_dinode_has_bigtime(dip) && !xfs_has_bigtime(mp))
|
2020-08-18 00:59:07 +08:00
|
|
|
goto bad;
|
|
|
|
|
|
2017-10-18 12:37:42 +08:00
|
|
|
return;
|
|
|
|
|
bad:
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_ino_set_corrupt(sc, ino);
|
2017-10-18 12:37:42 +08:00
|
|
|
}
|
|
|
|
|
|
2020-08-25 06:15:46 +08:00
|
|
|
static inline void
|
|
|
|
|
xchk_dinode_nsec(
|
|
|
|
|
struct xfs_scrub *sc,
|
|
|
|
|
xfs_ino_t ino,
|
2020-08-18 00:59:07 +08:00
|
|
|
struct xfs_dinode *dip,
|
2020-08-25 06:15:46 +08:00
|
|
|
const xfs_timestamp_t ts)
|
|
|
|
|
{
|
|
|
|
|
struct timespec64 tv;
|
|
|
|
|
|
2020-08-18 00:59:07 +08:00
|
|
|
tv = xfs_inode_from_disk_ts(dip, ts);
|
2020-08-25 06:15:46 +08:00
|
|
|
if (tv.tv_nsec < 0 || tv.tv_nsec >= NSEC_PER_SEC)
|
|
|
|
|
xchk_ino_set_corrupt(sc, ino);
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-18 12:37:42 +08:00
|
|
|
/* Scrub all the ondisk inode fields. */
|
|
|
|
|
STATIC void
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_dinode(
|
2018-07-20 03:29:12 +08:00
|
|
|
struct xfs_scrub *sc,
|
2018-07-20 03:29:12 +08:00
|
|
|
struct xfs_dinode *dip,
|
|
|
|
|
xfs_ino_t ino)
|
2017-10-18 12:37:42 +08:00
|
|
|
{
|
2018-07-20 03:29:12 +08:00
|
|
|
struct xfs_mount *mp = sc->mp;
|
|
|
|
|
size_t fork_recs;
|
|
|
|
|
unsigned long long isize;
|
|
|
|
|
uint64_t flags2;
|
2021-02-26 13:54:31 +08:00
|
|
|
xfs_extnum_t nextents;
|
2020-08-27 18:04:34 +08:00
|
|
|
xfs_extnum_t naextents;
|
2022-01-06 03:14:19 +08:00
|
|
|
prid_t prid;
|
2018-07-20 03:29:12 +08:00
|
|
|
uint16_t flags;
|
|
|
|
|
uint16_t mode;
|
2017-10-18 12:37:42 +08:00
|
|
|
|
|
|
|
|
flags = be16_to_cpu(dip->di_flags);
|
|
|
|
|
if (dip->di_version >= 3)
|
|
|
|
|
flags2 = be64_to_cpu(dip->di_flags2);
|
|
|
|
|
else
|
|
|
|
|
flags2 = 0;
|
|
|
|
|
|
|
|
|
|
/* di_mode */
|
|
|
|
|
mode = be16_to_cpu(dip->di_mode);
|
2017-11-28 13:40:19 +08:00
|
|
|
switch (mode & S_IFMT) {
|
|
|
|
|
case S_IFLNK:
|
|
|
|
|
case S_IFREG:
|
|
|
|
|
case S_IFDIR:
|
|
|
|
|
case S_IFCHR:
|
|
|
|
|
case S_IFBLK:
|
|
|
|
|
case S_IFIFO:
|
|
|
|
|
case S_IFSOCK:
|
|
|
|
|
/* mode is recognized */
|
|
|
|
|
break;
|
|
|
|
|
default:
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_ino_set_corrupt(sc, ino);
|
2017-11-28 13:40:19 +08:00
|
|
|
break;
|
|
|
|
|
}
|
2017-10-18 12:37:42 +08:00
|
|
|
|
|
|
|
|
/* v1/v2 fields */
|
|
|
|
|
switch (dip->di_version) {
|
|
|
|
|
case 1:
|
|
|
|
|
/*
|
|
|
|
|
* We autoconvert v1 inodes into v2 inodes on writeout,
|
|
|
|
|
* so just mark this inode for preening.
|
|
|
|
|
*/
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_ino_set_preen(sc, ino);
|
2022-01-06 03:14:19 +08:00
|
|
|
prid = 0;
|
2017-10-18 12:37:42 +08:00
|
|
|
break;
|
|
|
|
|
case 2:
|
|
|
|
|
case 3:
|
|
|
|
|
if (dip->di_onlink != 0)
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_ino_set_corrupt(sc, ino);
|
2017-10-18 12:37:42 +08:00
|
|
|
|
|
|
|
|
if (dip->di_mode == 0 && sc->ip)
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_ino_set_corrupt(sc, ino);
|
2017-10-18 12:37:42 +08:00
|
|
|
|
|
|
|
|
if (dip->di_projid_hi != 0 &&
|
2021-08-19 09:46:37 +08:00
|
|
|
!xfs_has_projid32(mp))
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_ino_set_corrupt(sc, ino);
|
2022-01-06 03:14:19 +08:00
|
|
|
|
|
|
|
|
prid = be16_to_cpu(dip->di_projid_lo);
|
2017-10-18 12:37:42 +08:00
|
|
|
break;
|
|
|
|
|
default:
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_ino_set_corrupt(sc, ino);
|
2017-10-18 12:37:42 +08:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2022-01-06 03:14:19 +08:00
|
|
|
if (xfs_has_projid32(mp))
|
|
|
|
|
prid |= (prid_t)be16_to_cpu(dip->di_projid_hi) << 16;
|
|
|
|
|
|
2017-10-18 12:37:42 +08:00
|
|
|
/*
|
|
|
|
|
* di_uid/di_gid -- -1 isn't invalid, but there's no way that
|
|
|
|
|
* userspace could have created that.
|
|
|
|
|
*/
|
|
|
|
|
if (dip->di_uid == cpu_to_be32(-1U) ||
|
|
|
|
|
dip->di_gid == cpu_to_be32(-1U))
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_ino_set_warning(sc, ino);
|
2017-10-18 12:37:42 +08:00
|
|
|
|
2022-01-06 03:14:19 +08:00
|
|
|
/*
|
|
|
|
|
* project id of -1 isn't supposed to be valid, but the kernel didn't
|
|
|
|
|
* always validate that.
|
|
|
|
|
*/
|
|
|
|
|
if (prid == -1U)
|
|
|
|
|
xchk_ino_set_warning(sc, ino);
|
|
|
|
|
|
2017-10-18 12:37:42 +08:00
|
|
|
/* di_format */
|
|
|
|
|
switch (dip->di_format) {
|
|
|
|
|
case XFS_DINODE_FMT_DEV:
|
|
|
|
|
if (!S_ISCHR(mode) && !S_ISBLK(mode) &&
|
|
|
|
|
!S_ISFIFO(mode) && !S_ISSOCK(mode))
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_ino_set_corrupt(sc, ino);
|
2017-10-18 12:37:42 +08:00
|
|
|
break;
|
|
|
|
|
case XFS_DINODE_FMT_LOCAL:
|
|
|
|
|
if (!S_ISDIR(mode) && !S_ISLNK(mode))
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_ino_set_corrupt(sc, ino);
|
2017-10-18 12:37:42 +08:00
|
|
|
break;
|
|
|
|
|
case XFS_DINODE_FMT_EXTENTS:
|
|
|
|
|
if (!S_ISREG(mode) && !S_ISDIR(mode) && !S_ISLNK(mode))
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_ino_set_corrupt(sc, ino);
|
2017-10-18 12:37:42 +08:00
|
|
|
break;
|
|
|
|
|
case XFS_DINODE_FMT_BTREE:
|
|
|
|
|
if (!S_ISREG(mode) && !S_ISDIR(mode))
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_ino_set_corrupt(sc, ino);
|
2017-10-18 12:37:42 +08:00
|
|
|
break;
|
|
|
|
|
case XFS_DINODE_FMT_UUID:
|
|
|
|
|
default:
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_ino_set_corrupt(sc, ino);
|
2017-10-18 12:37:42 +08:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2018-01-09 02:41:35 +08:00
|
|
|
/* di_[amc]time.nsec */
|
2020-08-18 00:59:07 +08:00
|
|
|
xchk_dinode_nsec(sc, ino, dip, dip->di_atime);
|
|
|
|
|
xchk_dinode_nsec(sc, ino, dip, dip->di_mtime);
|
|
|
|
|
xchk_dinode_nsec(sc, ino, dip, dip->di_ctime);
|
2018-01-09 02:41:35 +08:00
|
|
|
|
2017-10-18 12:37:42 +08:00
|
|
|
/*
|
|
|
|
|
* di_size. xfs_dinode_verify checks for things that screw up
|
|
|
|
|
* the VFS such as the upper bit being set and zero-length
|
|
|
|
|
* symlinks/directories, but we can do more here.
|
|
|
|
|
*/
|
|
|
|
|
isize = be64_to_cpu(dip->di_size);
|
|
|
|
|
if (isize & (1ULL << 63))
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_ino_set_corrupt(sc, ino);
|
2017-10-18 12:37:42 +08:00
|
|
|
|
|
|
|
|
/* Devices, fifos, and sockets must have zero size */
|
|
|
|
|
if (!S_ISDIR(mode) && !S_ISREG(mode) && !S_ISLNK(mode) && isize != 0)
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_ino_set_corrupt(sc, ino);
|
2017-10-18 12:37:42 +08:00
|
|
|
|
|
|
|
|
/* Directories can't be larger than the data section size (32G) */
|
|
|
|
|
if (S_ISDIR(mode) && (isize == 0 || isize >= XFS_DIR2_SPACE_SIZE))
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_ino_set_corrupt(sc, ino);
|
2017-10-18 12:37:42 +08:00
|
|
|
|
|
|
|
|
/* Symlinks can't be larger than SYMLINK_MAXLEN */
|
|
|
|
|
if (S_ISLNK(mode) && (isize == 0 || isize >= XFS_SYMLINK_MAXLEN))
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_ino_set_corrupt(sc, ino);
|
2017-10-18 12:37:42 +08:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Warn if the running kernel can't handle the kinds of offsets
|
|
|
|
|
* needed to deal with the file size. In other words, if the
|
|
|
|
|
* pagecache can't cache all the blocks in this file due to
|
|
|
|
|
* overly large offsets, flag the inode for admin review.
|
|
|
|
|
*/
|
2022-11-17 08:08:03 +08:00
|
|
|
if (isize > mp->m_super->s_maxbytes)
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_ino_set_warning(sc, ino);
|
2017-10-18 12:37:42 +08:00
|
|
|
|
|
|
|
|
/* di_nblocks */
|
|
|
|
|
if (flags2 & XFS_DIFLAG2_REFLINK) {
|
|
|
|
|
; /* nblocks can exceed dblocks */
|
|
|
|
|
} else if (flags & XFS_DIFLAG_REALTIME) {
|
|
|
|
|
/*
|
|
|
|
|
* nblocks is the sum of data extents (in the rtdev),
|
|
|
|
|
* attr extents (in the datadev), and both forks' bmbt
|
|
|
|
|
* blocks (in the datadev). This clumsy check is the
|
|
|
|
|
* best we can do without cross-referencing with the
|
|
|
|
|
* inode forks.
|
|
|
|
|
*/
|
|
|
|
|
if (be64_to_cpu(dip->di_nblocks) >=
|
|
|
|
|
mp->m_sb.sb_dblocks + mp->m_sb.sb_rblocks)
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_ino_set_corrupt(sc, ino);
|
2017-10-18 12:37:42 +08:00
|
|
|
} else {
|
|
|
|
|
if (be64_to_cpu(dip->di_nblocks) >= mp->m_sb.sb_dblocks)
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_ino_set_corrupt(sc, ino);
|
2017-10-18 12:37:42 +08:00
|
|
|
}
|
|
|
|
|
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_inode_flags(sc, dip, ino, mode, flags);
|
2017-10-18 12:37:42 +08:00
|
|
|
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_inode_extsize(sc, dip, ino, mode, flags);
|
2017-10-18 12:37:42 +08:00
|
|
|
|
2020-08-27 18:04:34 +08:00
|
|
|
nextents = xfs_dfork_data_extents(dip);
|
|
|
|
|
naextents = xfs_dfork_attr_extents(dip);
|
|
|
|
|
|
2017-10-18 12:37:42 +08:00
|
|
|
/* di_nextents */
|
|
|
|
|
fork_recs = XFS_DFORK_DSIZE(dip, mp) / sizeof(struct xfs_bmbt_rec);
|
|
|
|
|
switch (dip->di_format) {
|
|
|
|
|
case XFS_DINODE_FMT_EXTENTS:
|
|
|
|
|
if (nextents > fork_recs)
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_ino_set_corrupt(sc, ino);
|
2017-10-18 12:37:42 +08:00
|
|
|
break;
|
|
|
|
|
case XFS_DINODE_FMT_BTREE:
|
|
|
|
|
if (nextents <= fork_recs)
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_ino_set_corrupt(sc, ino);
|
2017-10-18 12:37:42 +08:00
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
if (nextents != 0)
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_ino_set_corrupt(sc, ino);
|
2017-10-18 12:37:42 +08:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* di_forkoff */
|
|
|
|
|
if (XFS_DFORK_APTR(dip) >= (char *)dip + mp->m_sb.sb_inodesize)
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_ino_set_corrupt(sc, ino);
|
2020-08-27 18:04:34 +08:00
|
|
|
if (naextents != 0 && dip->di_forkoff == 0)
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_ino_set_corrupt(sc, ino);
|
2017-10-18 12:37:42 +08:00
|
|
|
if (dip->di_forkoff == 0 && dip->di_aformat != XFS_DINODE_FMT_EXTENTS)
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_ino_set_corrupt(sc, ino);
|
2017-10-18 12:37:42 +08:00
|
|
|
|
|
|
|
|
/* di_aformat */
|
|
|
|
|
if (dip->di_aformat != XFS_DINODE_FMT_LOCAL &&
|
|
|
|
|
dip->di_aformat != XFS_DINODE_FMT_EXTENTS &&
|
|
|
|
|
dip->di_aformat != XFS_DINODE_FMT_BTREE)
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_ino_set_corrupt(sc, ino);
|
2017-10-18 12:37:42 +08:00
|
|
|
|
|
|
|
|
/* di_anextents */
|
|
|
|
|
fork_recs = XFS_DFORK_ASIZE(dip, mp) / sizeof(struct xfs_bmbt_rec);
|
|
|
|
|
switch (dip->di_aformat) {
|
|
|
|
|
case XFS_DINODE_FMT_EXTENTS:
|
2020-08-27 18:04:34 +08:00
|
|
|
if (naextents > fork_recs)
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_ino_set_corrupt(sc, ino);
|
2017-10-18 12:37:42 +08:00
|
|
|
break;
|
|
|
|
|
case XFS_DINODE_FMT_BTREE:
|
2020-08-27 18:04:34 +08:00
|
|
|
if (naextents <= fork_recs)
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_ino_set_corrupt(sc, ino);
|
2017-10-18 12:37:42 +08:00
|
|
|
break;
|
|
|
|
|
default:
|
2020-08-27 18:04:34 +08:00
|
|
|
if (naextents != 0)
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_ino_set_corrupt(sc, ino);
|
2017-10-18 12:37:42 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (dip->di_version >= 3) {
|
2020-08-18 00:59:07 +08:00
|
|
|
xchk_dinode_nsec(sc, ino, dip, dip->di_crtime);
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_inode_flags2(sc, dip, ino, mode, flags, flags2);
|
|
|
|
|
xchk_inode_cowextsize(sc, dip, ino, mode, flags,
|
2017-10-18 12:37:42 +08:00
|
|
|
flags2);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-01-17 10:53:07 +08:00
|
|
|
/*
|
|
|
|
|
* Make sure the finobt doesn't think this inode is free.
|
|
|
|
|
* We don't have to check the inobt ourselves because we got the inode via
|
|
|
|
|
* IGET_UNTRUSTED, which checks the inobt for us.
|
|
|
|
|
*/
|
|
|
|
|
static void
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_inode_xref_finobt(
|
2018-07-20 03:29:12 +08:00
|
|
|
struct xfs_scrub *sc,
|
2018-01-17 10:53:07 +08:00
|
|
|
xfs_ino_t ino)
|
|
|
|
|
{
|
|
|
|
|
struct xfs_inobt_rec_incore rec;
|
|
|
|
|
xfs_agino_t agino;
|
|
|
|
|
int has_record;
|
|
|
|
|
int error;
|
|
|
|
|
|
2018-07-20 03:29:11 +08:00
|
|
|
if (!sc->sa.fino_cur || xchk_skip_xref(sc->sm))
|
2018-01-17 10:53:07 +08:00
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
agino = XFS_INO_TO_AGINO(sc->mp, ino);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Try to get the finobt record. If we can't get it, then we're
|
|
|
|
|
* in good shape.
|
|
|
|
|
*/
|
|
|
|
|
error = xfs_inobt_lookup(sc->sa.fino_cur, agino, XFS_LOOKUP_LE,
|
|
|
|
|
&has_record);
|
2018-07-20 03:29:11 +08:00
|
|
|
if (!xchk_should_check_xref(sc, &error, &sc->sa.fino_cur) ||
|
2018-01-17 10:53:07 +08:00
|
|
|
!has_record)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
error = xfs_inobt_get_rec(sc->sa.fino_cur, &rec, &has_record);
|
2018-07-20 03:29:11 +08:00
|
|
|
if (!xchk_should_check_xref(sc, &error, &sc->sa.fino_cur) ||
|
2018-01-17 10:53:07 +08:00
|
|
|
!has_record)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Otherwise, make sure this record either doesn't cover this inode,
|
|
|
|
|
* or that it does but it's marked present.
|
|
|
|
|
*/
|
|
|
|
|
if (rec.ir_startino > agino ||
|
|
|
|
|
rec.ir_startino + XFS_INODES_PER_CHUNK <= agino)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
if (rec.ir_free & XFS_INOBT_MASK(agino - rec.ir_startino))
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_btree_xref_set_corrupt(sc, sc->sa.fino_cur, 0);
|
2018-01-17 10:53:07 +08:00
|
|
|
}
|
|
|
|
|
|
2018-01-17 10:53:10 +08:00
|
|
|
/* Cross reference the inode fields with the forks. */
|
|
|
|
|
STATIC void
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_inode_xref_bmap(
|
2018-07-20 03:29:12 +08:00
|
|
|
struct xfs_scrub *sc,
|
2018-07-20 03:29:12 +08:00
|
|
|
struct xfs_dinode *dip)
|
2018-01-17 10:53:10 +08:00
|
|
|
{
|
2018-07-20 03:29:12 +08:00
|
|
|
xfs_extnum_t nextents;
|
|
|
|
|
xfs_filblks_t count;
|
|
|
|
|
xfs_filblks_t acount;
|
|
|
|
|
int error;
|
2018-01-17 10:53:10 +08:00
|
|
|
|
2018-07-20 03:29:11 +08:00
|
|
|
if (xchk_skip_xref(sc->sm))
|
2018-05-14 21:34:31 +08:00
|
|
|
return;
|
|
|
|
|
|
2018-01-17 10:53:10 +08:00
|
|
|
/* Walk all the extents to check nextents/naextents/nblocks. */
|
|
|
|
|
error = xfs_bmap_count_blocks(sc->tp, sc->ip, XFS_DATA_FORK,
|
|
|
|
|
&nextents, &count);
|
2018-07-20 03:29:11 +08:00
|
|
|
if (!xchk_should_check_xref(sc, &error, NULL))
|
2018-01-17 10:53:10 +08:00
|
|
|
return;
|
2020-08-27 18:04:34 +08:00
|
|
|
if (nextents < xfs_dfork_data_extents(dip))
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_ino_xref_set_corrupt(sc, sc->ip->i_ino);
|
2018-01-17 10:53:10 +08:00
|
|
|
|
|
|
|
|
error = xfs_bmap_count_blocks(sc->tp, sc->ip, XFS_ATTR_FORK,
|
|
|
|
|
&nextents, &acount);
|
2018-07-20 03:29:11 +08:00
|
|
|
if (!xchk_should_check_xref(sc, &error, NULL))
|
2018-01-17 10:53:10 +08:00
|
|
|
return;
|
2020-08-27 18:04:34 +08:00
|
|
|
if (nextents != xfs_dfork_attr_extents(dip))
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_ino_xref_set_corrupt(sc, sc->ip->i_ino);
|
2018-01-17 10:53:10 +08:00
|
|
|
|
|
|
|
|
/* Check nblocks against the inode. */
|
|
|
|
|
if (count + acount != be64_to_cpu(dip->di_nblocks))
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_ino_xref_set_corrupt(sc, sc->ip->i_ino);
|
2018-01-17 10:53:10 +08:00
|
|
|
}
|
|
|
|
|
|
2018-01-17 10:53:05 +08:00
|
|
|
/* Cross-reference with the other btrees. */
|
|
|
|
|
STATIC void
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_inode_xref(
|
2018-07-20 03:29:12 +08:00
|
|
|
struct xfs_scrub *sc,
|
2018-07-20 03:29:12 +08:00
|
|
|
xfs_ino_t ino,
|
|
|
|
|
struct xfs_dinode *dip)
|
2018-01-17 10:53:05 +08:00
|
|
|
{
|
2018-07-20 03:29:12 +08:00
|
|
|
xfs_agnumber_t agno;
|
|
|
|
|
xfs_agblock_t agbno;
|
|
|
|
|
int error;
|
2018-01-17 10:53:06 +08:00
|
|
|
|
2018-01-17 10:53:05 +08:00
|
|
|
if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)
|
|
|
|
|
return;
|
2018-01-17 10:53:06 +08:00
|
|
|
|
|
|
|
|
agno = XFS_INO_TO_AGNO(sc->mp, ino);
|
|
|
|
|
agbno = XFS_INO_TO_AGBNO(sc->mp, ino);
|
|
|
|
|
|
2021-08-07 02:06:35 +08:00
|
|
|
error = xchk_ag_init_existing(sc, agno, &sc->sa);
|
2018-07-20 03:29:11 +08:00
|
|
|
if (!xchk_xref_process_error(sc, agno, agbno, &error))
|
xfs: fix perag structure refcounting error when scrub fails
The kernel test robot found the following bug when running xfs/355 to
scrub a bmap btree:
XFS: Assertion failed: !sa->pag, file: fs/xfs/scrub/common.c, line: 412
------------[ cut here ]------------
kernel BUG at fs/xfs/xfs_message.c:110!
invalid opcode: 0000 [#1] SMP PTI
CPU: 2 PID: 1415 Comm: xfs_scrub Not tainted 5.14.0-rc4-00021-g48c6615cc557 #1
Hardware name: Hewlett-Packard p6-1451cx/2ADA, BIOS 8.15 02/05/2013
RIP: 0010:assfail+0x23/0x28 [xfs]
RSP: 0018:ffffc9000aacb890 EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffffc9000aacbcc8 RCX: 0000000000000000
RDX: 00000000ffffffc0 RSI: 000000000000000a RDI: ffffffffc09e7dcd
RBP: ffffc9000aacbc80 R08: ffff8881fdf17d50 R09: 0000000000000000
R10: 000000000000000a R11: f000000000000000 R12: 0000000000000000
R13: ffff88820c7ed000 R14: 0000000000000001 R15: ffffc9000aacb980
FS: 00007f185b955700(0000) GS:ffff8881fdf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7f6ef43000 CR3: 000000020de38002 CR4: 00000000001706e0
Call Trace:
xchk_ag_read_headers+0xda/0x100 [xfs]
xchk_ag_init+0x15/0x40 [xfs]
xchk_btree_check_block_owner+0x76/0x180 [xfs]
xchk_btree_get_block+0xd0/0x140 [xfs]
xchk_btree+0x32e/0x440 [xfs]
xchk_bmap_btree+0xd4/0x140 [xfs]
xchk_bmap+0x1eb/0x3c0 [xfs]
xfs_scrub_metadata+0x227/0x4c0 [xfs]
xfs_ioc_scrub_metadata+0x50/0xc0 [xfs]
xfs_file_ioctl+0x90c/0xc40 [xfs]
__x64_sys_ioctl+0x83/0xc0
do_syscall_64+0x3b/0xc0
The unusual handling of errors while initializing struct xchk_ag is the
root cause here. Since the beginning of xfs_scrub, the goal of
xchk_ag_read_headers has been to read all three AG header buffers and
attach them both to the xchk_ag structure and the scrub transaction.
Corruption errors on any of the three headers doesn't necessarily
trigger an immediate return to userspace, because xfs_scrub can also
tell us to /fix/ the problem.
In other words, it's possible for the xchk_ag init functions to return
an error code and a partially filled out structure so that scrub can use
however much information it managed to pull. Before 5.15, it was
sufficient to cancel (or commit) the scrub transaction on the way out of
the scrub code to release the buffers.
Ccommit 48c6615cc557 added a reference to the perag structure to struct
xchk_ag. Since perag structures are not attached to transactions like
buffers are, this adds the requirement that the perag ref be released
explicitly. The scrub teardown function xchk_teardown was amended to do
this for the xchk_ag embedded in struct xfs_scrub.
Unfortunately, I forgot that certain parts of the scrub code probe
multiple AGs and therefore handle the initialization and cleanup on
their own. Specifically, the bmbt scrubber will initialize it long
enough to cross-reference AG metadata for btree blocks and for the
extent mappings in the bmbt.
If one of the AG headers is corrupt, the init function returns with a
live perag structure reference and some of the AG header buffers. If an
error occurs, the cross referencing will be noted as XCORRUPTion and
skipped, but the main scrub process will move on to the next record.
It is now necessary to release the perag reference before we try to
analyze something from a different AG, or else we'll trip over the
assertion noted above.
Fixes: 48c6615cc557 ("xfs: grab active perag ref when reading AG headers")
Reported-by: kernel test robot <oliver.sang@intel.com>
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Chandan Babu R <chandanrlinux@gmail.com>
2021-08-20 03:07:49 +08:00
|
|
|
goto out_free;
|
2018-01-17 10:53:06 +08:00
|
|
|
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_xref_is_used_space(sc, agbno, 1);
|
|
|
|
|
xchk_inode_xref_finobt(sc, ino);
|
2023-04-12 10:00:15 +08:00
|
|
|
xchk_xref_is_only_owned_by(sc, agbno, 1, &XFS_RMAP_OINFO_INODES);
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_xref_is_not_shared(sc, agbno, 1);
|
2023-04-12 10:00:12 +08:00
|
|
|
xchk_xref_is_not_cow_staging(sc, agbno, 1);
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_inode_xref_bmap(sc, dip);
|
2018-01-17 10:53:06 +08:00
|
|
|
|
xfs: fix perag structure refcounting error when scrub fails
The kernel test robot found the following bug when running xfs/355 to
scrub a bmap btree:
XFS: Assertion failed: !sa->pag, file: fs/xfs/scrub/common.c, line: 412
------------[ cut here ]------------
kernel BUG at fs/xfs/xfs_message.c:110!
invalid opcode: 0000 [#1] SMP PTI
CPU: 2 PID: 1415 Comm: xfs_scrub Not tainted 5.14.0-rc4-00021-g48c6615cc557 #1
Hardware name: Hewlett-Packard p6-1451cx/2ADA, BIOS 8.15 02/05/2013
RIP: 0010:assfail+0x23/0x28 [xfs]
RSP: 0018:ffffc9000aacb890 EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffffc9000aacbcc8 RCX: 0000000000000000
RDX: 00000000ffffffc0 RSI: 000000000000000a RDI: ffffffffc09e7dcd
RBP: ffffc9000aacbc80 R08: ffff8881fdf17d50 R09: 0000000000000000
R10: 000000000000000a R11: f000000000000000 R12: 0000000000000000
R13: ffff88820c7ed000 R14: 0000000000000001 R15: ffffc9000aacb980
FS: 00007f185b955700(0000) GS:ffff8881fdf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7f6ef43000 CR3: 000000020de38002 CR4: 00000000001706e0
Call Trace:
xchk_ag_read_headers+0xda/0x100 [xfs]
xchk_ag_init+0x15/0x40 [xfs]
xchk_btree_check_block_owner+0x76/0x180 [xfs]
xchk_btree_get_block+0xd0/0x140 [xfs]
xchk_btree+0x32e/0x440 [xfs]
xchk_bmap_btree+0xd4/0x140 [xfs]
xchk_bmap+0x1eb/0x3c0 [xfs]
xfs_scrub_metadata+0x227/0x4c0 [xfs]
xfs_ioc_scrub_metadata+0x50/0xc0 [xfs]
xfs_file_ioctl+0x90c/0xc40 [xfs]
__x64_sys_ioctl+0x83/0xc0
do_syscall_64+0x3b/0xc0
The unusual handling of errors while initializing struct xchk_ag is the
root cause here. Since the beginning of xfs_scrub, the goal of
xchk_ag_read_headers has been to read all three AG header buffers and
attach them both to the xchk_ag structure and the scrub transaction.
Corruption errors on any of the three headers doesn't necessarily
trigger an immediate return to userspace, because xfs_scrub can also
tell us to /fix/ the problem.
In other words, it's possible for the xchk_ag init functions to return
an error code and a partially filled out structure so that scrub can use
however much information it managed to pull. Before 5.15, it was
sufficient to cancel (or commit) the scrub transaction on the way out of
the scrub code to release the buffers.
Ccommit 48c6615cc557 added a reference to the perag structure to struct
xchk_ag. Since perag structures are not attached to transactions like
buffers are, this adds the requirement that the perag ref be released
explicitly. The scrub teardown function xchk_teardown was amended to do
this for the xchk_ag embedded in struct xfs_scrub.
Unfortunately, I forgot that certain parts of the scrub code probe
multiple AGs and therefore handle the initialization and cleanup on
their own. Specifically, the bmbt scrubber will initialize it long
enough to cross-reference AG metadata for btree blocks and for the
extent mappings in the bmbt.
If one of the AG headers is corrupt, the init function returns with a
live perag structure reference and some of the AG header buffers. If an
error occurs, the cross referencing will be noted as XCORRUPTion and
skipped, but the main scrub process will move on to the next record.
It is now necessary to release the perag reference before we try to
analyze something from a different AG, or else we'll trip over the
assertion noted above.
Fixes: 48c6615cc557 ("xfs: grab active perag ref when reading AG headers")
Reported-by: kernel test robot <oliver.sang@intel.com>
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Chandan Babu R <chandanrlinux@gmail.com>
2021-08-20 03:07:49 +08:00
|
|
|
out_free:
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_ag_free(sc, &sc->sa);
|
2018-01-17 10:53:05 +08:00
|
|
|
}
|
|
|
|
|
|
2018-01-17 10:53:09 +08:00
|
|
|
/*
|
|
|
|
|
* If the reflink iflag disagrees with a scan for shared data fork extents,
|
|
|
|
|
* either flag an error (shared extents w/ no flag) or a preen (flag set w/o
|
|
|
|
|
* any shared extents). We already checked for reflink iflag set on a non
|
|
|
|
|
* reflink filesystem.
|
|
|
|
|
*/
|
|
|
|
|
static void
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_inode_check_reflink_iflag(
|
2018-07-20 03:29:12 +08:00
|
|
|
struct xfs_scrub *sc,
|
2018-07-20 03:29:12 +08:00
|
|
|
xfs_ino_t ino)
|
2018-01-17 10:53:09 +08:00
|
|
|
{
|
2018-07-20 03:29:12 +08:00
|
|
|
struct xfs_mount *mp = sc->mp;
|
|
|
|
|
bool has_shared;
|
|
|
|
|
int error;
|
2018-01-17 10:53:09 +08:00
|
|
|
|
2021-08-19 09:46:37 +08:00
|
|
|
if (!xfs_has_reflink(mp))
|
2018-01-17 10:53:09 +08:00
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
error = xfs_reflink_inode_has_shared_extents(sc->tp, sc->ip,
|
|
|
|
|
&has_shared);
|
2018-07-20 03:29:11 +08:00
|
|
|
if (!xchk_xref_process_error(sc, XFS_INO_TO_AGNO(mp, ino),
|
2018-01-17 10:53:09 +08:00
|
|
|
XFS_INO_TO_AGBNO(mp, ino), &error))
|
|
|
|
|
return;
|
|
|
|
|
if (xfs_is_reflink_inode(sc->ip) && !has_shared)
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_ino_set_preen(sc, ino);
|
2018-01-17 10:53:09 +08:00
|
|
|
else if (!xfs_is_reflink_inode(sc->ip) && has_shared)
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_ino_set_corrupt(sc, ino);
|
2018-01-17 10:53:09 +08:00
|
|
|
}
|
|
|
|
|
|
2017-10-18 12:37:42 +08:00
|
|
|
/* Scrub an inode. */
|
|
|
|
|
int
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_inode(
|
2018-07-20 03:29:12 +08:00
|
|
|
struct xfs_scrub *sc)
|
2017-10-18 12:37:42 +08:00
|
|
|
{
|
2018-07-20 03:29:12 +08:00
|
|
|
struct xfs_dinode di;
|
|
|
|
|
int error = 0;
|
2017-10-18 12:37:42 +08:00
|
|
|
|
2018-03-24 01:06:54 +08:00
|
|
|
/*
|
|
|
|
|
* If sc->ip is NULL, that means that the setup function called
|
|
|
|
|
* xfs_iget to look up the inode. xfs_iget returned a EFSCORRUPTED
|
|
|
|
|
* and a NULL inode, so flag the corruption error and return.
|
|
|
|
|
*/
|
|
|
|
|
if (!sc->ip) {
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_ino_set_corrupt(sc, sc->sm->sm_ino);
|
2018-03-24 01:06:54 +08:00
|
|
|
return 0;
|
2017-10-18 12:37:42 +08:00
|
|
|
}
|
|
|
|
|
|
2018-03-24 01:06:54 +08:00
|
|
|
/* Scrub the inode core. */
|
|
|
|
|
xfs_inode_to_disk(sc->ip, &di, 0);
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_dinode(sc, &di, sc->ip->i_ino);
|
2017-10-18 12:37:42 +08:00
|
|
|
if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)
|
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
|
|
/*
|
2018-01-17 10:53:09 +08:00
|
|
|
* Look for discrepancies between file's data blocks and the reflink
|
|
|
|
|
* iflag. We already checked the iflag against the file mode when
|
|
|
|
|
* we scrubbed the dinode.
|
2017-10-18 12:37:42 +08:00
|
|
|
*/
|
2018-01-17 10:53:09 +08:00
|
|
|
if (S_ISREG(VFS_I(sc->ip)->i_mode))
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_inode_check_reflink_iflag(sc, sc->ip->i_ino);
|
2017-10-18 12:37:42 +08:00
|
|
|
|
2018-07-20 03:29:11 +08:00
|
|
|
xchk_inode_xref(sc, sc->ip->i_ino, &di);
|
2017-10-18 12:37:42 +08:00
|
|
|
out:
|
|
|
|
|
return error;
|
|
|
|
|
}
|
