1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * Copyright (C) 2017-2023 Oracle. All Rights Reserved. 4 * Author: Darrick J. Wong <djwong@kernel.org> 5 */ 6 #include "xfs.h" 7 #include "xfs_fs.h" 8 #include "xfs_shared.h" 9 #include "xfs_format.h" 10 #include "xfs_trans_resv.h" 11 #include "xfs_mount.h" 12 #include "xfs_btree.h" 13 #include "xfs_sb.h" 14 #include "xfs_alloc.h" 15 #include "xfs_ialloc.h" 16 #include "xfs_rmap.h" 17 #include "xfs_ag.h" 18 #include "xfs_inode.h" 19 #include "scrub/scrub.h" 20 #include "scrub/common.h" 21 22 int xchk_setup_agheader(struct xfs_scrub * sc)23 xchk_setup_agheader( 24 struct xfs_scrub *sc) 25 { 26 if (xchk_need_intent_drain(sc)) 27 xchk_fsgates_enable(sc, XCHK_FSGATES_DRAIN); 28 return xchk_setup_fs(sc); 29 } 30 31 /* Superblock */ 32 33 /* Cross-reference with the other btrees. */ 34 STATIC void xchk_superblock_xref(struct xfs_scrub * sc,struct xfs_buf * bp)35 xchk_superblock_xref( 36 struct xfs_scrub *sc, 37 struct xfs_buf *bp) 38 { 39 struct xfs_mount *mp = sc->mp; 40 xfs_agnumber_t agno = sc->sm->sm_agno; 41 xfs_agblock_t agbno; 42 int error; 43 44 if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT) 45 return; 46 47 agbno = XFS_SB_BLOCK(mp); 48 49 error = xchk_ag_init_existing(sc, agno, &sc->sa); 50 if (!xchk_xref_process_error(sc, agno, agbno, &error)) 51 return; 52 53 xchk_xref_is_used_space(sc, agbno, 1); 54 xchk_xref_is_not_inode_chunk(sc, agbno, 1); 55 xchk_xref_is_only_owned_by(sc, agbno, 1, &XFS_RMAP_OINFO_FS); 56 xchk_xref_is_not_shared(sc, agbno, 1); 57 xchk_xref_is_not_cow_staging(sc, agbno, 1); 58 59 /* scrub teardown will take care of sc->sa for us */ 60 } 61 62 /* 63 * Scrub the filesystem superblock. 64 * 65 * Note: We do /not/ attempt to check AG 0's superblock. Mount is 66 * responsible for validating all the geometry information in sb 0, so 67 * if the filesystem is capable of initiating online scrub, then clearly 68 * sb 0 is ok and we can use its information to check everything else. 69 */ 70 int xchk_superblock(struct xfs_scrub * sc)71 xchk_superblock( 72 struct xfs_scrub *sc) 73 { 74 struct xfs_mount *mp = sc->mp; 75 struct xfs_buf *bp; 76 struct xfs_dsb *sb; 77 struct xfs_perag *pag; 78 xfs_agnumber_t agno; 79 uint32_t v2_ok; 80 __be32 features_mask; 81 int error; 82 __be16 vernum_mask; 83 84 agno = sc->sm->sm_agno; 85 if (agno == 0) 86 return 0; 87 88 /* 89 * Grab an active reference to the perag structure. If we can't get 90 * it, we're racing with something that's tearing down the AG, so 91 * signal that the AG no longer exists. 92 */ 93 pag = xfs_perag_get(mp, agno); 94 if (!pag) 95 return -ENOENT; 96 97 error = xfs_sb_read_secondary(mp, sc->tp, agno, &bp); 98 /* 99 * The superblock verifier can return several different error codes 100 * if it thinks the superblock doesn't look right. For a mount these 101 * would all get bounced back to userspace, but if we're here then the 102 * fs mounted successfully, which means that this secondary superblock 103 * is simply incorrect. Treat all these codes the same way we treat 104 * any corruption. 105 */ 106 switch (error) { 107 case -EINVAL: /* also -EWRONGFS */ 108 case -ENOSYS: 109 case -EFBIG: 110 error = -EFSCORRUPTED; 111 fallthrough; 112 default: 113 break; 114 } 115 if (!xchk_process_error(sc, agno, XFS_SB_BLOCK(mp), &error)) 116 goto out_pag; 117 118 sb = bp->b_addr; 119 120 /* 121 * Verify the geometries match. Fields that are permanently 122 * set by mkfs are checked; fields that can be updated later 123 * (and are not propagated to backup superblocks) are preen 124 * checked. 125 */ 126 if (sb->sb_blocksize != cpu_to_be32(mp->m_sb.sb_blocksize)) 127 xchk_block_set_corrupt(sc, bp); 128 129 if (sb->sb_dblocks != cpu_to_be64(mp->m_sb.sb_dblocks)) 130 xchk_block_set_corrupt(sc, bp); 131 132 if (sb->sb_rblocks != cpu_to_be64(mp->m_sb.sb_rblocks)) 133 xchk_block_set_corrupt(sc, bp); 134 135 if (sb->sb_rextents != cpu_to_be64(mp->m_sb.sb_rextents)) 136 xchk_block_set_corrupt(sc, bp); 137 138 if (!uuid_equal(&sb->sb_uuid, &mp->m_sb.sb_uuid)) 139 xchk_block_set_preen(sc, bp); 140 141 if (sb->sb_logstart != cpu_to_be64(mp->m_sb.sb_logstart)) 142 xchk_block_set_corrupt(sc, bp); 143 144 if (sb->sb_rootino != cpu_to_be64(mp->m_sb.sb_rootino)) 145 xchk_block_set_preen(sc, bp); 146 147 if (sb->sb_rbmino != cpu_to_be64(mp->m_sb.sb_rbmino)) 148 xchk_block_set_preen(sc, bp); 149 150 if (sb->sb_rsumino != cpu_to_be64(mp->m_sb.sb_rsumino)) 151 xchk_block_set_preen(sc, bp); 152 153 if (sb->sb_rextsize != cpu_to_be32(mp->m_sb.sb_rextsize)) 154 xchk_block_set_corrupt(sc, bp); 155 156 if (sb->sb_agblocks != cpu_to_be32(mp->m_sb.sb_agblocks)) 157 xchk_block_set_corrupt(sc, bp); 158 159 if (sb->sb_agcount != cpu_to_be32(mp->m_sb.sb_agcount)) 160 xchk_block_set_corrupt(sc, bp); 161 162 if (sb->sb_rbmblocks != cpu_to_be32(mp->m_sb.sb_rbmblocks)) 163 xchk_block_set_corrupt(sc, bp); 164 165 if (sb->sb_logblocks != cpu_to_be32(mp->m_sb.sb_logblocks)) 166 xchk_block_set_corrupt(sc, bp); 167 168 /* Check sb_versionnum bits that are set at mkfs time. */ 169 vernum_mask = cpu_to_be16(XFS_SB_VERSION_NUMBITS | 170 XFS_SB_VERSION_ALIGNBIT | 171 XFS_SB_VERSION_DALIGNBIT | 172 XFS_SB_VERSION_SHAREDBIT | 173 XFS_SB_VERSION_LOGV2BIT | 174 XFS_SB_VERSION_SECTORBIT | 175 XFS_SB_VERSION_EXTFLGBIT | 176 XFS_SB_VERSION_DIRV2BIT); 177 if ((sb->sb_versionnum & vernum_mask) != 178 (cpu_to_be16(mp->m_sb.sb_versionnum) & vernum_mask)) 179 xchk_block_set_corrupt(sc, bp); 180 181 /* Check sb_versionnum bits that can be set after mkfs time. */ 182 vernum_mask = cpu_to_be16(XFS_SB_VERSION_ATTRBIT | 183 XFS_SB_VERSION_NLINKBIT | 184 XFS_SB_VERSION_QUOTABIT); 185 if ((sb->sb_versionnum & vernum_mask) != 186 (cpu_to_be16(mp->m_sb.sb_versionnum) & vernum_mask)) 187 xchk_block_set_preen(sc, bp); 188 189 if (sb->sb_sectsize != cpu_to_be16(mp->m_sb.sb_sectsize)) 190 xchk_block_set_corrupt(sc, bp); 191 192 if (sb->sb_inodesize != cpu_to_be16(mp->m_sb.sb_inodesize)) 193 xchk_block_set_corrupt(sc, bp); 194 195 if (sb->sb_inopblock != cpu_to_be16(mp->m_sb.sb_inopblock)) 196 xchk_block_set_corrupt(sc, bp); 197 198 if (memcmp(sb->sb_fname, mp->m_sb.sb_fname, sizeof(sb->sb_fname))) 199 xchk_block_set_preen(sc, bp); 200 201 if (sb->sb_blocklog != mp->m_sb.sb_blocklog) 202 xchk_block_set_corrupt(sc, bp); 203 204 if (sb->sb_sectlog != mp->m_sb.sb_sectlog) 205 xchk_block_set_corrupt(sc, bp); 206 207 if (sb->sb_inodelog != mp->m_sb.sb_inodelog) 208 xchk_block_set_corrupt(sc, bp); 209 210 if (sb->sb_inopblog != mp->m_sb.sb_inopblog) 211 xchk_block_set_corrupt(sc, bp); 212 213 if (sb->sb_agblklog != mp->m_sb.sb_agblklog) 214 xchk_block_set_corrupt(sc, bp); 215 216 if (sb->sb_rextslog != mp->m_sb.sb_rextslog) 217 xchk_block_set_corrupt(sc, bp); 218 219 if (sb->sb_imax_pct != mp->m_sb.sb_imax_pct) 220 xchk_block_set_preen(sc, bp); 221 222 /* 223 * Skip the summary counters since we track them in memory anyway. 224 * sb_icount, sb_ifree, sb_fdblocks, sb_frexents 225 */ 226 227 if (sb->sb_uquotino != cpu_to_be64(mp->m_sb.sb_uquotino)) 228 xchk_block_set_preen(sc, bp); 229 230 if (sb->sb_gquotino != cpu_to_be64(mp->m_sb.sb_gquotino)) 231 xchk_block_set_preen(sc, bp); 232 233 /* 234 * Skip the quota flags since repair will force quotacheck. 235 * sb_qflags 236 */ 237 238 if (sb->sb_flags != mp->m_sb.sb_flags) 239 xchk_block_set_corrupt(sc, bp); 240 241 if (sb->sb_shared_vn != mp->m_sb.sb_shared_vn) 242 xchk_block_set_corrupt(sc, bp); 243 244 if (sb->sb_inoalignmt != cpu_to_be32(mp->m_sb.sb_inoalignmt)) 245 xchk_block_set_corrupt(sc, bp); 246 247 if (sb->sb_unit != cpu_to_be32(mp->m_sb.sb_unit)) 248 xchk_block_set_preen(sc, bp); 249 250 if (sb->sb_width != cpu_to_be32(mp->m_sb.sb_width)) 251 xchk_block_set_preen(sc, bp); 252 253 if (sb->sb_dirblklog != mp->m_sb.sb_dirblklog) 254 xchk_block_set_corrupt(sc, bp); 255 256 if (sb->sb_logsectlog != mp->m_sb.sb_logsectlog) 257 xchk_block_set_corrupt(sc, bp); 258 259 if (sb->sb_logsectsize != cpu_to_be16(mp->m_sb.sb_logsectsize)) 260 xchk_block_set_corrupt(sc, bp); 261 262 if (sb->sb_logsunit != cpu_to_be32(mp->m_sb.sb_logsunit)) 263 xchk_block_set_corrupt(sc, bp); 264 265 /* Do we see any invalid bits in sb_features2? */ 266 if (!xfs_sb_version_hasmorebits(&mp->m_sb)) { 267 if (sb->sb_features2 != 0) 268 xchk_block_set_corrupt(sc, bp); 269 } else { 270 v2_ok = XFS_SB_VERSION2_OKBITS; 271 if (xfs_sb_is_v5(&mp->m_sb)) 272 v2_ok |= XFS_SB_VERSION2_CRCBIT; 273 274 if (!!(sb->sb_features2 & cpu_to_be32(~v2_ok))) 275 xchk_block_set_corrupt(sc, bp); 276 277 if (sb->sb_features2 != sb->sb_bad_features2) 278 xchk_block_set_preen(sc, bp); 279 } 280 281 /* Check sb_features2 flags that are set at mkfs time. */ 282 features_mask = cpu_to_be32(XFS_SB_VERSION2_LAZYSBCOUNTBIT | 283 XFS_SB_VERSION2_PROJID32BIT | 284 XFS_SB_VERSION2_CRCBIT | 285 XFS_SB_VERSION2_FTYPE); 286 if ((sb->sb_features2 & features_mask) != 287 (cpu_to_be32(mp->m_sb.sb_features2) & features_mask)) 288 xchk_block_set_corrupt(sc, bp); 289 290 /* Check sb_features2 flags that can be set after mkfs time. */ 291 features_mask = cpu_to_be32(XFS_SB_VERSION2_ATTR2BIT); 292 if ((sb->sb_features2 & features_mask) != 293 (cpu_to_be32(mp->m_sb.sb_features2) & features_mask)) 294 xchk_block_set_preen(sc, bp); 295 296 if (!xfs_has_crc(mp)) { 297 /* all v5 fields must be zero */ 298 if (memchr_inv(&sb->sb_features_compat, 0, 299 sizeof(struct xfs_dsb) - 300 offsetof(struct xfs_dsb, sb_features_compat))) 301 xchk_block_set_corrupt(sc, bp); 302 } else { 303 /* compat features must match */ 304 if (sb->sb_features_compat != 305 cpu_to_be32(mp->m_sb.sb_features_compat)) 306 xchk_block_set_corrupt(sc, bp); 307 308 /* ro compat features must match */ 309 if (sb->sb_features_ro_compat != 310 cpu_to_be32(mp->m_sb.sb_features_ro_compat)) 311 xchk_block_set_corrupt(sc, bp); 312 313 /* 314 * NEEDSREPAIR is ignored on a secondary super, so we should 315 * clear it when we find it, though it's not a corruption. 316 */ 317 features_mask = cpu_to_be32(XFS_SB_FEAT_INCOMPAT_NEEDSREPAIR); 318 if ((cpu_to_be32(mp->m_sb.sb_features_incompat) ^ 319 sb->sb_features_incompat) & features_mask) 320 xchk_block_set_preen(sc, bp); 321 322 /* all other incompat features must match */ 323 if ((cpu_to_be32(mp->m_sb.sb_features_incompat) ^ 324 sb->sb_features_incompat) & ~features_mask) 325 xchk_block_set_corrupt(sc, bp); 326 327 /* 328 * log incompat features protect newer log record types from 329 * older log recovery code. Log recovery doesn't check the 330 * secondary supers, so we can clear these if needed. 331 */ 332 if (sb->sb_features_log_incompat) 333 xchk_block_set_preen(sc, bp); 334 335 /* Don't care about sb_crc */ 336 337 if (sb->sb_spino_align != cpu_to_be32(mp->m_sb.sb_spino_align)) 338 xchk_block_set_corrupt(sc, bp); 339 340 if (sb->sb_pquotino != cpu_to_be64(mp->m_sb.sb_pquotino)) 341 xchk_block_set_preen(sc, bp); 342 343 /* Don't care about sb_lsn */ 344 } 345 346 if (xfs_has_metauuid(mp)) { 347 /* The metadata UUID must be the same for all supers */ 348 if (!uuid_equal(&sb->sb_meta_uuid, &mp->m_sb.sb_meta_uuid)) 349 xchk_block_set_corrupt(sc, bp); 350 } 351 352 /* Everything else must be zero. */ 353 if (memchr_inv(sb + 1, 0, 354 BBTOB(bp->b_length) - sizeof(struct xfs_dsb))) 355 xchk_block_set_corrupt(sc, bp); 356 357 xchk_superblock_xref(sc, bp); 358 out_pag: 359 xfs_perag_put(pag); 360 return error; 361 } 362 363 /* AGF */ 364 365 /* Tally freespace record lengths. */ 366 STATIC int xchk_agf_record_bno_lengths(struct xfs_btree_cur * cur,const struct xfs_alloc_rec_incore * rec,void * priv)367 xchk_agf_record_bno_lengths( 368 struct xfs_btree_cur *cur, 369 const struct xfs_alloc_rec_incore *rec, 370 void *priv) 371 { 372 xfs_extlen_t *blocks = priv; 373 374 (*blocks) += rec->ar_blockcount; 375 return 0; 376 } 377 378 /* Check agf_freeblks */ 379 static inline void xchk_agf_xref_freeblks(struct xfs_scrub * sc)380 xchk_agf_xref_freeblks( 381 struct xfs_scrub *sc) 382 { 383 struct xfs_agf *agf = sc->sa.agf_bp->b_addr; 384 xfs_extlen_t blocks = 0; 385 int error; 386 387 if (!sc->sa.bno_cur) 388 return; 389 390 error = xfs_alloc_query_all(sc->sa.bno_cur, 391 xchk_agf_record_bno_lengths, &blocks); 392 if (!xchk_should_check_xref(sc, &error, &sc->sa.bno_cur)) 393 return; 394 if (blocks != be32_to_cpu(agf->agf_freeblks)) 395 xchk_block_xref_set_corrupt(sc, sc->sa.agf_bp); 396 } 397 398 /* Cross reference the AGF with the cntbt (freespace by length btree) */ 399 static inline void xchk_agf_xref_cntbt(struct xfs_scrub * sc)400 xchk_agf_xref_cntbt( 401 struct xfs_scrub *sc) 402 { 403 struct xfs_agf *agf = sc->sa.agf_bp->b_addr; 404 xfs_agblock_t agbno; 405 xfs_extlen_t blocks; 406 int have; 407 int error; 408 409 if (!sc->sa.cnt_cur) 410 return; 411 412 /* Any freespace at all? */ 413 error = xfs_alloc_lookup_le(sc->sa.cnt_cur, 0, -1U, &have); 414 if (!xchk_should_check_xref(sc, &error, &sc->sa.cnt_cur)) 415 return; 416 if (!have) { 417 if (agf->agf_freeblks != cpu_to_be32(0)) 418 xchk_block_xref_set_corrupt(sc, sc->sa.agf_bp); 419 return; 420 } 421 422 /* Check agf_longest */ 423 error = xfs_alloc_get_rec(sc->sa.cnt_cur, &agbno, &blocks, &have); 424 if (!xchk_should_check_xref(sc, &error, &sc->sa.cnt_cur)) 425 return; 426 if (!have || blocks != be32_to_cpu(agf->agf_longest)) 427 xchk_block_xref_set_corrupt(sc, sc->sa.agf_bp); 428 } 429 430 /* Check the btree block counts in the AGF against the btrees. */ 431 STATIC void xchk_agf_xref_btreeblks(struct xfs_scrub * sc)432 xchk_agf_xref_btreeblks( 433 struct xfs_scrub *sc) 434 { 435 struct xfs_agf *agf = sc->sa.agf_bp->b_addr; 436 struct xfs_mount *mp = sc->mp; 437 xfs_agblock_t blocks; 438 xfs_agblock_t btreeblks; 439 int error; 440 441 /* agf_btreeblks didn't exist before lazysbcount */ 442 if (!xfs_has_lazysbcount(sc->mp)) 443 return; 444 445 /* Check agf_rmap_blocks; set up for agf_btreeblks check */ 446 if (sc->sa.rmap_cur) { 447 error = xfs_btree_count_blocks(sc->sa.rmap_cur, &blocks); 448 if (!xchk_should_check_xref(sc, &error, &sc->sa.rmap_cur)) 449 return; 450 btreeblks = blocks - 1; 451 if (blocks != be32_to_cpu(agf->agf_rmap_blocks)) 452 xchk_block_xref_set_corrupt(sc, sc->sa.agf_bp); 453 } else { 454 btreeblks = 0; 455 } 456 457 /* 458 * No rmap cursor; we can't xref if we have the rmapbt feature. 459 * We also can't do it if we're missing the free space btree cursors. 460 */ 461 if ((xfs_has_rmapbt(mp) && !sc->sa.rmap_cur) || 462 !sc->sa.bno_cur || !sc->sa.cnt_cur) 463 return; 464 465 /* Check agf_btreeblks */ 466 error = xfs_btree_count_blocks(sc->sa.bno_cur, &blocks); 467 if (!xchk_should_check_xref(sc, &error, &sc->sa.bno_cur)) 468 return; 469 btreeblks += blocks - 1; 470 471 error = xfs_btree_count_blocks(sc->sa.cnt_cur, &blocks); 472 if (!xchk_should_check_xref(sc, &error, &sc->sa.cnt_cur)) 473 return; 474 btreeblks += blocks - 1; 475 476 if (btreeblks != be32_to_cpu(agf->agf_btreeblks)) 477 xchk_block_xref_set_corrupt(sc, sc->sa.agf_bp); 478 } 479 480 /* Check agf_refcount_blocks against tree size */ 481 static inline void xchk_agf_xref_refcblks(struct xfs_scrub * sc)482 xchk_agf_xref_refcblks( 483 struct xfs_scrub *sc) 484 { 485 struct xfs_agf *agf = sc->sa.agf_bp->b_addr; 486 xfs_agblock_t blocks; 487 int error; 488 489 if (!sc->sa.refc_cur) 490 return; 491 492 error = xfs_btree_count_blocks(sc->sa.refc_cur, &blocks); 493 if (!xchk_should_check_xref(sc, &error, &sc->sa.refc_cur)) 494 return; 495 if (blocks != be32_to_cpu(agf->agf_refcount_blocks)) 496 xchk_block_xref_set_corrupt(sc, sc->sa.agf_bp); 497 } 498 499 /* Cross-reference with the other btrees. */ 500 STATIC void xchk_agf_xref(struct xfs_scrub * sc)501 xchk_agf_xref( 502 struct xfs_scrub *sc) 503 { 504 struct xfs_mount *mp = sc->mp; 505 xfs_agblock_t agbno; 506 507 if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT) 508 return; 509 510 agbno = XFS_AGF_BLOCK(mp); 511 512 xchk_ag_btcur_init(sc, &sc->sa); 513 514 xchk_xref_is_used_space(sc, agbno, 1); 515 xchk_agf_xref_freeblks(sc); 516 xchk_agf_xref_cntbt(sc); 517 xchk_xref_is_not_inode_chunk(sc, agbno, 1); 518 xchk_xref_is_only_owned_by(sc, agbno, 1, &XFS_RMAP_OINFO_FS); 519 xchk_agf_xref_btreeblks(sc); 520 xchk_xref_is_not_shared(sc, agbno, 1); 521 xchk_xref_is_not_cow_staging(sc, agbno, 1); 522 xchk_agf_xref_refcblks(sc); 523 524 /* scrub teardown will take care of sc->sa for us */ 525 } 526 527 /* Scrub the AGF. */ 528 int xchk_agf(struct xfs_scrub * sc)529 xchk_agf( 530 struct xfs_scrub *sc) 531 { 532 struct xfs_mount *mp = sc->mp; 533 struct xfs_agf *agf; 534 struct xfs_perag *pag; 535 xfs_agnumber_t agno = sc->sm->sm_agno; 536 xfs_agblock_t agbno; 537 xfs_agblock_t eoag; 538 xfs_agblock_t agfl_first; 539 xfs_agblock_t agfl_last; 540 xfs_agblock_t agfl_count; 541 xfs_agblock_t fl_count; 542 int level; 543 int error = 0; 544 545 error = xchk_ag_read_headers(sc, agno, &sc->sa); 546 if (!xchk_process_error(sc, agno, XFS_AGF_BLOCK(sc->mp), &error)) 547 goto out; 548 xchk_buffer_recheck(sc, sc->sa.agf_bp); 549 550 agf = sc->sa.agf_bp->b_addr; 551 pag = sc->sa.pag; 552 553 /* Check the AG length */ 554 eoag = be32_to_cpu(agf->agf_length); 555 if (eoag != pag->block_count) 556 xchk_block_set_corrupt(sc, sc->sa.agf_bp); 557 558 /* Check the AGF btree roots and levels */ 559 agbno = be32_to_cpu(agf->agf_bno_root); 560 if (!xfs_verify_agbno(pag, agbno)) 561 xchk_block_set_corrupt(sc, sc->sa.agf_bp); 562 563 agbno = be32_to_cpu(agf->agf_cnt_root); 564 if (!xfs_verify_agbno(pag, agbno)) 565 xchk_block_set_corrupt(sc, sc->sa.agf_bp); 566 567 level = be32_to_cpu(agf->agf_bno_level); 568 if (level <= 0 || level > mp->m_alloc_maxlevels) 569 xchk_block_set_corrupt(sc, sc->sa.agf_bp); 570 571 level = be32_to_cpu(agf->agf_cnt_level); 572 if (level <= 0 || level > mp->m_alloc_maxlevels) 573 xchk_block_set_corrupt(sc, sc->sa.agf_bp); 574 575 if (xfs_has_rmapbt(mp)) { 576 agbno = be32_to_cpu(agf->agf_rmap_root); 577 if (!xfs_verify_agbno(pag, agbno)) 578 xchk_block_set_corrupt(sc, sc->sa.agf_bp); 579 580 level = be32_to_cpu(agf->agf_rmap_level); 581 if (level <= 0 || level > mp->m_rmap_maxlevels) 582 xchk_block_set_corrupt(sc, sc->sa.agf_bp); 583 } 584 585 if (xfs_has_reflink(mp)) { 586 agbno = be32_to_cpu(agf->agf_refcount_root); 587 if (!xfs_verify_agbno(pag, agbno)) 588 xchk_block_set_corrupt(sc, sc->sa.agf_bp); 589 590 level = be32_to_cpu(agf->agf_refcount_level); 591 if (level <= 0 || level > mp->m_refc_maxlevels) 592 xchk_block_set_corrupt(sc, sc->sa.agf_bp); 593 } 594 595 /* Check the AGFL counters */ 596 agfl_first = be32_to_cpu(agf->agf_flfirst); 597 agfl_last = be32_to_cpu(agf->agf_fllast); 598 agfl_count = be32_to_cpu(agf->agf_flcount); 599 if (agfl_last > agfl_first) 600 fl_count = agfl_last - agfl_first + 1; 601 else 602 fl_count = xfs_agfl_size(mp) - agfl_first + agfl_last + 1; 603 if (agfl_count != 0 && fl_count != agfl_count) 604 xchk_block_set_corrupt(sc, sc->sa.agf_bp); 605 606 /* Do the incore counters match? */ 607 if (pag->pagf_freeblks != be32_to_cpu(agf->agf_freeblks)) 608 xchk_block_set_corrupt(sc, sc->sa.agf_bp); 609 if (pag->pagf_flcount != be32_to_cpu(agf->agf_flcount)) 610 xchk_block_set_corrupt(sc, sc->sa.agf_bp); 611 if (xfs_has_lazysbcount(sc->mp) && 612 pag->pagf_btreeblks != be32_to_cpu(agf->agf_btreeblks)) 613 xchk_block_set_corrupt(sc, sc->sa.agf_bp); 614 615 xchk_agf_xref(sc); 616 out: 617 return error; 618 } 619 620 /* AGFL */ 621 622 struct xchk_agfl_info { 623 /* Number of AGFL entries that the AGF claims are in use. */ 624 unsigned int agflcount; 625 626 /* Number of AGFL entries that we found. */ 627 unsigned int nr_entries; 628 629 /* Buffer to hold AGFL entries for extent checking. */ 630 xfs_agblock_t *entries; 631 632 struct xfs_buf *agfl_bp; 633 struct xfs_scrub *sc; 634 }; 635 636 /* Cross-reference with the other btrees. */ 637 STATIC void xchk_agfl_block_xref(struct xfs_scrub * sc,xfs_agblock_t agbno)638 xchk_agfl_block_xref( 639 struct xfs_scrub *sc, 640 xfs_agblock_t agbno) 641 { 642 if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT) 643 return; 644 645 xchk_xref_is_used_space(sc, agbno, 1); 646 xchk_xref_is_not_inode_chunk(sc, agbno, 1); 647 xchk_xref_is_only_owned_by(sc, agbno, 1, &XFS_RMAP_OINFO_AG); 648 xchk_xref_is_not_shared(sc, agbno, 1); 649 xchk_xref_is_not_cow_staging(sc, agbno, 1); 650 } 651 652 /* Scrub an AGFL block. */ 653 STATIC int xchk_agfl_block(struct xfs_mount * mp,xfs_agblock_t agbno,void * priv)654 xchk_agfl_block( 655 struct xfs_mount *mp, 656 xfs_agblock_t agbno, 657 void *priv) 658 { 659 struct xchk_agfl_info *sai = priv; 660 struct xfs_scrub *sc = sai->sc; 661 662 if (xfs_verify_agbno(sc->sa.pag, agbno) && 663 sai->nr_entries < sai->agflcount) 664 sai->entries[sai->nr_entries++] = agbno; 665 else 666 xchk_block_set_corrupt(sc, sai->agfl_bp); 667 668 xchk_agfl_block_xref(sc, agbno); 669 670 if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT) 671 return -ECANCELED; 672 673 return 0; 674 } 675 676 static int xchk_agblock_cmp(const void * pa,const void * pb)677 xchk_agblock_cmp( 678 const void *pa, 679 const void *pb) 680 { 681 const xfs_agblock_t *a = pa; 682 const xfs_agblock_t *b = pb; 683 684 return (int)*a - (int)*b; 685 } 686 687 /* Cross-reference with the other btrees. */ 688 STATIC void xchk_agfl_xref(struct xfs_scrub * sc)689 xchk_agfl_xref( 690 struct xfs_scrub *sc) 691 { 692 struct xfs_mount *mp = sc->mp; 693 xfs_agblock_t agbno; 694 695 if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT) 696 return; 697 698 agbno = XFS_AGFL_BLOCK(mp); 699 700 xchk_ag_btcur_init(sc, &sc->sa); 701 702 xchk_xref_is_used_space(sc, agbno, 1); 703 xchk_xref_is_not_inode_chunk(sc, agbno, 1); 704 xchk_xref_is_only_owned_by(sc, agbno, 1, &XFS_RMAP_OINFO_FS); 705 xchk_xref_is_not_shared(sc, agbno, 1); 706 xchk_xref_is_not_cow_staging(sc, agbno, 1); 707 708 /* 709 * Scrub teardown will take care of sc->sa for us. Leave sc->sa 710 * active so that the agfl block xref can use it too. 711 */ 712 } 713 714 /* Scrub the AGFL. */ 715 int xchk_agfl(struct xfs_scrub * sc)716 xchk_agfl( 717 struct xfs_scrub *sc) 718 { 719 struct xchk_agfl_info sai = { 720 .sc = sc, 721 }; 722 struct xfs_agf *agf; 723 xfs_agnumber_t agno = sc->sm->sm_agno; 724 unsigned int i; 725 int error; 726 727 /* Lock the AGF and AGI so that nobody can touch this AG. */ 728 error = xchk_ag_read_headers(sc, agno, &sc->sa); 729 if (!xchk_process_error(sc, agno, XFS_AGFL_BLOCK(sc->mp), &error)) 730 return error; 731 if (!sc->sa.agf_bp) 732 return -EFSCORRUPTED; 733 734 /* Try to read the AGFL, and verify its structure if we get it. */ 735 error = xfs_alloc_read_agfl(sc->sa.pag, sc->tp, &sai.agfl_bp); 736 if (!xchk_process_error(sc, agno, XFS_AGFL_BLOCK(sc->mp), &error)) 737 return error; 738 xchk_buffer_recheck(sc, sai.agfl_bp); 739 740 xchk_agfl_xref(sc); 741 742 if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT) 743 goto out; 744 745 /* Allocate buffer to ensure uniqueness of AGFL entries. */ 746 agf = sc->sa.agf_bp->b_addr; 747 sai.agflcount = be32_to_cpu(agf->agf_flcount); 748 if (sai.agflcount > xfs_agfl_size(sc->mp)) { 749 xchk_block_set_corrupt(sc, sc->sa.agf_bp); 750 goto out; 751 } 752 sai.entries = kvcalloc(sai.agflcount, sizeof(xfs_agblock_t), 753 XCHK_GFP_FLAGS); 754 if (!sai.entries) { 755 error = -ENOMEM; 756 goto out; 757 } 758 759 /* Check the blocks in the AGFL. */ 760 error = xfs_agfl_walk(sc->mp, sc->sa.agf_bp->b_addr, sai.agfl_bp, 761 xchk_agfl_block, &sai); 762 if (error == -ECANCELED) { 763 error = 0; 764 goto out_free; 765 } 766 if (error) 767 goto out_free; 768 769 if (sai.agflcount != sai.nr_entries) { 770 xchk_block_set_corrupt(sc, sc->sa.agf_bp); 771 goto out_free; 772 } 773 774 /* Sort entries, check for duplicates. */ 775 sort(sai.entries, sai.nr_entries, sizeof(sai.entries[0]), 776 xchk_agblock_cmp, NULL); 777 for (i = 1; i < sai.nr_entries; i++) { 778 if (sai.entries[i] == sai.entries[i - 1]) { 779 xchk_block_set_corrupt(sc, sc->sa.agf_bp); 780 break; 781 } 782 } 783 784 out_free: 785 kvfree(sai.entries); 786 out: 787 return error; 788 } 789 790 /* AGI */ 791 792 /* Check agi_count/agi_freecount */ 793 static inline void xchk_agi_xref_icounts(struct xfs_scrub * sc)794 xchk_agi_xref_icounts( 795 struct xfs_scrub *sc) 796 { 797 struct xfs_agi *agi = sc->sa.agi_bp->b_addr; 798 xfs_agino_t icount; 799 xfs_agino_t freecount; 800 int error; 801 802 if (!sc->sa.ino_cur) 803 return; 804 805 error = xfs_ialloc_count_inodes(sc->sa.ino_cur, &icount, &freecount); 806 if (!xchk_should_check_xref(sc, &error, &sc->sa.ino_cur)) 807 return; 808 if (be32_to_cpu(agi->agi_count) != icount || 809 be32_to_cpu(agi->agi_freecount) != freecount) 810 xchk_block_xref_set_corrupt(sc, sc->sa.agi_bp); 811 } 812 813 /* Check agi_[fi]blocks against tree size */ 814 static inline void xchk_agi_xref_fiblocks(struct xfs_scrub * sc)815 xchk_agi_xref_fiblocks( 816 struct xfs_scrub *sc) 817 { 818 struct xfs_agi *agi = sc->sa.agi_bp->b_addr; 819 xfs_agblock_t blocks; 820 int error = 0; 821 822 if (!xfs_has_inobtcounts(sc->mp)) 823 return; 824 825 if (sc->sa.ino_cur) { 826 error = xfs_btree_count_blocks(sc->sa.ino_cur, &blocks); 827 if (!xchk_should_check_xref(sc, &error, &sc->sa.ino_cur)) 828 return; 829 if (blocks != be32_to_cpu(agi->agi_iblocks)) 830 xchk_block_xref_set_corrupt(sc, sc->sa.agi_bp); 831 } 832 833 if (sc->sa.fino_cur) { 834 error = xfs_btree_count_blocks(sc->sa.fino_cur, &blocks); 835 if (!xchk_should_check_xref(sc, &error, &sc->sa.fino_cur)) 836 return; 837 if (blocks != be32_to_cpu(agi->agi_fblocks)) 838 xchk_block_xref_set_corrupt(sc, sc->sa.agi_bp); 839 } 840 } 841 842 /* Cross-reference with the other btrees. */ 843 STATIC void xchk_agi_xref(struct xfs_scrub * sc)844 xchk_agi_xref( 845 struct xfs_scrub *sc) 846 { 847 struct xfs_mount *mp = sc->mp; 848 xfs_agblock_t agbno; 849 850 if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT) 851 return; 852 853 agbno = XFS_AGI_BLOCK(mp); 854 855 xchk_ag_btcur_init(sc, &sc->sa); 856 857 xchk_xref_is_used_space(sc, agbno, 1); 858 xchk_xref_is_not_inode_chunk(sc, agbno, 1); 859 xchk_agi_xref_icounts(sc); 860 xchk_xref_is_only_owned_by(sc, agbno, 1, &XFS_RMAP_OINFO_FS); 861 xchk_xref_is_not_shared(sc, agbno, 1); 862 xchk_xref_is_not_cow_staging(sc, agbno, 1); 863 xchk_agi_xref_fiblocks(sc); 864 865 /* scrub teardown will take care of sc->sa for us */ 866 } 867 868 /* 869 * Check the unlinked buckets for links to bad inodes. We hold the AGI, so 870 * there cannot be any threads updating unlinked list pointers in this AG. 871 */ 872 STATIC void xchk_iunlink(struct xfs_scrub * sc,struct xfs_agi * agi)873 xchk_iunlink( 874 struct xfs_scrub *sc, 875 struct xfs_agi *agi) 876 { 877 unsigned int i; 878 struct xfs_inode *ip; 879 880 for (i = 0; i < XFS_AGI_UNLINKED_BUCKETS; i++) { 881 xfs_agino_t agino = be32_to_cpu(agi->agi_unlinked[i]); 882 883 while (agino != NULLAGINO) { 884 if (agino % XFS_AGI_UNLINKED_BUCKETS != i) { 885 xchk_block_set_corrupt(sc, sc->sa.agi_bp); 886 return; 887 } 888 889 ip = xfs_iunlink_lookup(sc->sa.pag, agino); 890 if (!ip) { 891 xchk_block_set_corrupt(sc, sc->sa.agi_bp); 892 return; 893 } 894 895 if (!xfs_inode_on_unlinked_list(ip)) { 896 xchk_block_set_corrupt(sc, sc->sa.agi_bp); 897 return; 898 } 899 900 agino = ip->i_next_unlinked; 901 } 902 } 903 } 904 905 /* Scrub the AGI. */ 906 int xchk_agi(struct xfs_scrub * sc)907 xchk_agi( 908 struct xfs_scrub *sc) 909 { 910 struct xfs_mount *mp = sc->mp; 911 struct xfs_agi *agi; 912 struct xfs_perag *pag; 913 struct xfs_ino_geometry *igeo = M_IGEO(sc->mp); 914 xfs_agnumber_t agno = sc->sm->sm_agno; 915 xfs_agblock_t agbno; 916 xfs_agblock_t eoag; 917 xfs_agino_t agino; 918 xfs_agino_t first_agino; 919 xfs_agino_t last_agino; 920 xfs_agino_t icount; 921 int i; 922 int level; 923 int error = 0; 924 925 error = xchk_ag_read_headers(sc, agno, &sc->sa); 926 if (!xchk_process_error(sc, agno, XFS_AGI_BLOCK(sc->mp), &error)) 927 goto out; 928 xchk_buffer_recheck(sc, sc->sa.agi_bp); 929 930 agi = sc->sa.agi_bp->b_addr; 931 pag = sc->sa.pag; 932 933 /* Check the AG length */ 934 eoag = be32_to_cpu(agi->agi_length); 935 if (eoag != pag->block_count) 936 xchk_block_set_corrupt(sc, sc->sa.agi_bp); 937 938 /* Check btree roots and levels */ 939 agbno = be32_to_cpu(agi->agi_root); 940 if (!xfs_verify_agbno(pag, agbno)) 941 xchk_block_set_corrupt(sc, sc->sa.agi_bp); 942 943 level = be32_to_cpu(agi->agi_level); 944 if (level <= 0 || level > igeo->inobt_maxlevels) 945 xchk_block_set_corrupt(sc, sc->sa.agi_bp); 946 947 if (xfs_has_finobt(mp)) { 948 agbno = be32_to_cpu(agi->agi_free_root); 949 if (!xfs_verify_agbno(pag, agbno)) 950 xchk_block_set_corrupt(sc, sc->sa.agi_bp); 951 952 level = be32_to_cpu(agi->agi_free_level); 953 if (level <= 0 || level > igeo->inobt_maxlevels) 954 xchk_block_set_corrupt(sc, sc->sa.agi_bp); 955 } 956 957 /* Check inode counters */ 958 xfs_agino_range(mp, agno, &first_agino, &last_agino); 959 icount = be32_to_cpu(agi->agi_count); 960 if (icount > last_agino - first_agino + 1 || 961 icount < be32_to_cpu(agi->agi_freecount)) 962 xchk_block_set_corrupt(sc, sc->sa.agi_bp); 963 964 /* Check inode pointers */ 965 agino = be32_to_cpu(agi->agi_newino); 966 if (!xfs_verify_agino_or_null(pag, agino)) 967 xchk_block_set_corrupt(sc, sc->sa.agi_bp); 968 969 agino = be32_to_cpu(agi->agi_dirino); 970 if (!xfs_verify_agino_or_null(pag, agino)) 971 xchk_block_set_corrupt(sc, sc->sa.agi_bp); 972 973 /* Check unlinked inode buckets */ 974 for (i = 0; i < XFS_AGI_UNLINKED_BUCKETS; i++) { 975 agino = be32_to_cpu(agi->agi_unlinked[i]); 976 if (!xfs_verify_agino_or_null(pag, agino)) 977 xchk_block_set_corrupt(sc, sc->sa.agi_bp); 978 } 979 980 if (agi->agi_pad32 != cpu_to_be32(0)) 981 xchk_block_set_corrupt(sc, sc->sa.agi_bp); 982 983 /* Do the incore counters match? */ 984 if (pag->pagi_count != be32_to_cpu(agi->agi_count)) 985 xchk_block_set_corrupt(sc, sc->sa.agi_bp); 986 if (pag->pagi_freecount != be32_to_cpu(agi->agi_freecount)) 987 xchk_block_set_corrupt(sc, sc->sa.agi_bp); 988 989 xchk_iunlink(sc, agi); 990 991 xchk_agi_xref(sc); 992 out: 993 return error; 994 } 995