2 * Copyright (C) 2017 Oracle. All Rights Reserved.
4 * Author: Darrick J. Wong <darrick.wong@oracle.com>
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version 2
9 * of the License, or (at your option) any later version.
11 * This program is distributed in the hope that it would be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write the Free Software Foundation,
18 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
22 #include "xfs_shared.h"
23 #include "xfs_format.h"
24 #include "xfs_trans_resv.h"
25 #include "xfs_mount.h"
26 #include "xfs_defer.h"
27 #include "xfs_btree.h"
29 #include "xfs_log_format.h"
30 #include "xfs_trans.h"
32 #include "xfs_inode.h"
33 #include "xfs_icache.h"
34 #include "xfs_inode_buf.h"
35 #include "xfs_inode_fork.h"
36 #include "xfs_ialloc.h"
37 #include "xfs_da_format.h"
38 #include "xfs_reflink.h"
39 #include "scrub/xfs_scrub.h"
40 #include "scrub/scrub.h"
41 #include "scrub/common.h"
42 #include "scrub/trace.h"
45 * Grab total control of the inode metadata. It doesn't matter here if
46 * the file data is still changing; exclusive access to the metadata is
50 xfs_scrub_setup_inode(
51 struct xfs_scrub_context *sc,
54 struct xfs_mount *mp = sc->mp;
58 * Try to get the inode. If the verifiers fail, we try again
61 error = xfs_scrub_get_inode(sc, ip);
72 /* Got the inode, lock it and we're ready to go. */
73 sc->ilock_flags = XFS_IOLOCK_EXCL | XFS_MMAPLOCK_EXCL;
74 xfs_ilock(sc->ip, sc->ilock_flags);
75 error = xfs_scrub_trans_alloc(sc->sm, mp, &sc->tp);
78 sc->ilock_flags |= XFS_ILOCK_EXCL;
79 xfs_ilock(sc->ip, XFS_ILOCK_EXCL);
82 /* scrub teardown will unlock and release the inode for us */
89 * Validate di_extsize hint.
91 * The rules are documented at xfs_ioctl_setattr_check_extsize().
92 * These functions must be kept in sync with each other.
95 xfs_scrub_inode_extsize(
96 struct xfs_scrub_context *sc,
98 struct xfs_dinode *dip,
103 struct xfs_mount *mp = sc->mp;
108 uint32_t extsize_bytes;
109 uint32_t blocksize_bytes;
111 rt_flag = (flags & XFS_DIFLAG_REALTIME);
112 hint_flag = (flags & XFS_DIFLAG_EXTSIZE);
113 inherit_flag = (flags & XFS_DIFLAG_EXTSZINHERIT);
114 extsize = be32_to_cpu(dip->di_extsize);
115 extsize_bytes = XFS_FSB_TO_B(sc->mp, extsize);
118 blocksize_bytes = mp->m_sb.sb_rextsize << mp->m_sb.sb_blocklog;
120 blocksize_bytes = mp->m_sb.sb_blocksize;
122 if ((hint_flag || inherit_flag) && !(S_ISDIR(mode) || S_ISREG(mode)))
125 if (hint_flag && !S_ISREG(mode))
128 if (inherit_flag && !S_ISDIR(mode))
131 if ((hint_flag || inherit_flag) && extsize == 0)
134 if (!(hint_flag || inherit_flag) && extsize != 0)
137 if (extsize_bytes % blocksize_bytes)
140 if (extsize > MAXEXTLEN)
143 if (!rt_flag && extsize > mp->m_sb.sb_agblocks / 2)
148 xfs_scrub_ino_set_corrupt(sc, ino, bp);
152 * Validate di_cowextsize hint.
154 * The rules are documented at xfs_ioctl_setattr_check_cowextsize().
155 * These functions must be kept in sync with each other.
158 xfs_scrub_inode_cowextsize(
159 struct xfs_scrub_context *sc,
161 struct xfs_dinode *dip,
167 struct xfs_mount *mp = sc->mp;
171 uint32_t extsize_bytes;
173 rt_flag = (flags & XFS_DIFLAG_REALTIME);
174 hint_flag = (flags2 & XFS_DIFLAG2_COWEXTSIZE);
175 extsize = be32_to_cpu(dip->di_cowextsize);
176 extsize_bytes = XFS_FSB_TO_B(sc->mp, extsize);
178 if (hint_flag && !xfs_sb_version_hasreflink(&mp->m_sb))
181 if (hint_flag && !(S_ISDIR(mode) || S_ISREG(mode)))
184 if (hint_flag && extsize == 0)
187 if (!hint_flag && extsize != 0)
190 if (hint_flag && rt_flag)
193 if (extsize_bytes % mp->m_sb.sb_blocksize)
196 if (extsize > MAXEXTLEN)
199 if (extsize > mp->m_sb.sb_agblocks / 2)
204 xfs_scrub_ino_set_corrupt(sc, ino, bp);
207 /* Make sure the di_flags make sense for the inode. */
209 xfs_scrub_inode_flags(
210 struct xfs_scrub_context *sc,
212 struct xfs_dinode *dip,
217 struct xfs_mount *mp = sc->mp;
219 if (flags & ~XFS_DIFLAG_ANY)
222 /* rt flags require rt device */
223 if ((flags & (XFS_DIFLAG_REALTIME | XFS_DIFLAG_RTINHERIT)) &&
227 /* new rt bitmap flag only valid for rbmino */
228 if ((flags & XFS_DIFLAG_NEWRTBM) && ino != mp->m_sb.sb_rbmino)
231 /* directory-only flags */
232 if ((flags & (XFS_DIFLAG_RTINHERIT |
233 XFS_DIFLAG_EXTSZINHERIT |
234 XFS_DIFLAG_PROJINHERIT |
235 XFS_DIFLAG_NOSYMLINKS)) &&
239 /* file-only flags */
240 if ((flags & (XFS_DIFLAG_REALTIME | FS_XFLAG_EXTSIZE)) &&
244 /* filestreams and rt make no sense */
245 if ((flags & XFS_DIFLAG_FILESTREAM) && (flags & XFS_DIFLAG_REALTIME))
250 xfs_scrub_ino_set_corrupt(sc, ino, bp);
253 /* Make sure the di_flags2 make sense for the inode. */
255 xfs_scrub_inode_flags2(
256 struct xfs_scrub_context *sc,
258 struct xfs_dinode *dip,
264 struct xfs_mount *mp = sc->mp;
266 if (flags2 & ~XFS_DIFLAG2_ANY)
269 /* reflink flag requires reflink feature */
270 if ((flags2 & XFS_DIFLAG2_REFLINK) &&
271 !xfs_sb_version_hasreflink(&mp->m_sb))
274 /* cowextsize flag is checked w.r.t. mode separately */
276 /* file/dir-only flags */
277 if ((flags2 & XFS_DIFLAG2_DAX) && !(S_ISREG(mode) || S_ISDIR(mode)))
280 /* file-only flags */
281 if ((flags2 & XFS_DIFLAG2_REFLINK) && !S_ISREG(mode))
284 /* realtime and reflink make no sense, currently */
285 if ((flags & XFS_DIFLAG_REALTIME) && (flags2 & XFS_DIFLAG2_REFLINK))
288 /* dax and reflink make no sense, currently */
289 if ((flags2 & XFS_DIFLAG2_DAX) && (flags2 & XFS_DIFLAG2_REFLINK))
294 xfs_scrub_ino_set_corrupt(sc, ino, bp);
297 /* Scrub all the ondisk inode fields. */
300 struct xfs_scrub_context *sc,
302 struct xfs_dinode *dip,
305 struct xfs_mount *mp = sc->mp;
307 unsigned long long isize;
313 flags = be16_to_cpu(dip->di_flags);
314 if (dip->di_version >= 3)
315 flags2 = be64_to_cpu(dip->di_flags2);
320 mode = be16_to_cpu(dip->di_mode);
321 if (mode & ~(S_IALLUGO | S_IFMT))
322 xfs_scrub_ino_set_corrupt(sc, ino, bp);
325 switch (dip->di_version) {
328 * We autoconvert v1 inodes into v2 inodes on writeout,
329 * so just mark this inode for preening.
331 xfs_scrub_ino_set_preen(sc, ino, bp);
335 if (dip->di_onlink != 0)
336 xfs_scrub_ino_set_corrupt(sc, ino, bp);
338 if (dip->di_mode == 0 && sc->ip)
339 xfs_scrub_ino_set_corrupt(sc, ino, bp);
341 if (dip->di_projid_hi != 0 &&
342 !xfs_sb_version_hasprojid32bit(&mp->m_sb))
343 xfs_scrub_ino_set_corrupt(sc, ino, bp);
346 xfs_scrub_ino_set_corrupt(sc, ino, bp);
351 * di_uid/di_gid -- -1 isn't invalid, but there's no way that
352 * userspace could have created that.
354 if (dip->di_uid == cpu_to_be32(-1U) ||
355 dip->di_gid == cpu_to_be32(-1U))
356 xfs_scrub_ino_set_warning(sc, ino, bp);
359 switch (dip->di_format) {
360 case XFS_DINODE_FMT_DEV:
361 if (!S_ISCHR(mode) && !S_ISBLK(mode) &&
362 !S_ISFIFO(mode) && !S_ISSOCK(mode))
363 xfs_scrub_ino_set_corrupt(sc, ino, bp);
365 case XFS_DINODE_FMT_LOCAL:
366 if (!S_ISDIR(mode) && !S_ISLNK(mode))
367 xfs_scrub_ino_set_corrupt(sc, ino, bp);
369 case XFS_DINODE_FMT_EXTENTS:
370 if (!S_ISREG(mode) && !S_ISDIR(mode) && !S_ISLNK(mode))
371 xfs_scrub_ino_set_corrupt(sc, ino, bp);
373 case XFS_DINODE_FMT_BTREE:
374 if (!S_ISREG(mode) && !S_ISDIR(mode))
375 xfs_scrub_ino_set_corrupt(sc, ino, bp);
377 case XFS_DINODE_FMT_UUID:
379 xfs_scrub_ino_set_corrupt(sc, ino, bp);
384 * di_size. xfs_dinode_verify checks for things that screw up
385 * the VFS such as the upper bit being set and zero-length
386 * symlinks/directories, but we can do more here.
388 isize = be64_to_cpu(dip->di_size);
389 if (isize & (1ULL << 63))
390 xfs_scrub_ino_set_corrupt(sc, ino, bp);
392 /* Devices, fifos, and sockets must have zero size */
393 if (!S_ISDIR(mode) && !S_ISREG(mode) && !S_ISLNK(mode) && isize != 0)
394 xfs_scrub_ino_set_corrupt(sc, ino, bp);
396 /* Directories can't be larger than the data section size (32G) */
397 if (S_ISDIR(mode) && (isize == 0 || isize >= XFS_DIR2_SPACE_SIZE))
398 xfs_scrub_ino_set_corrupt(sc, ino, bp);
400 /* Symlinks can't be larger than SYMLINK_MAXLEN */
401 if (S_ISLNK(mode) && (isize == 0 || isize >= XFS_SYMLINK_MAXLEN))
402 xfs_scrub_ino_set_corrupt(sc, ino, bp);
405 * Warn if the running kernel can't handle the kinds of offsets
406 * needed to deal with the file size. In other words, if the
407 * pagecache can't cache all the blocks in this file due to
408 * overly large offsets, flag the inode for admin review.
410 if (isize >= mp->m_super->s_maxbytes)
411 xfs_scrub_ino_set_warning(sc, ino, bp);
414 if (flags2 & XFS_DIFLAG2_REFLINK) {
415 ; /* nblocks can exceed dblocks */
416 } else if (flags & XFS_DIFLAG_REALTIME) {
418 * nblocks is the sum of data extents (in the rtdev),
419 * attr extents (in the datadev), and both forks' bmbt
420 * blocks (in the datadev). This clumsy check is the
421 * best we can do without cross-referencing with the
424 if (be64_to_cpu(dip->di_nblocks) >=
425 mp->m_sb.sb_dblocks + mp->m_sb.sb_rblocks)
426 xfs_scrub_ino_set_corrupt(sc, ino, bp);
428 if (be64_to_cpu(dip->di_nblocks) >= mp->m_sb.sb_dblocks)
429 xfs_scrub_ino_set_corrupt(sc, ino, bp);
432 xfs_scrub_inode_flags(sc, bp, dip, ino, mode, flags);
434 xfs_scrub_inode_extsize(sc, bp, dip, ino, mode, flags);
437 nextents = be32_to_cpu(dip->di_nextents);
438 fork_recs = XFS_DFORK_DSIZE(dip, mp) / sizeof(struct xfs_bmbt_rec);
439 switch (dip->di_format) {
440 case XFS_DINODE_FMT_EXTENTS:
441 if (nextents > fork_recs)
442 xfs_scrub_ino_set_corrupt(sc, ino, bp);
444 case XFS_DINODE_FMT_BTREE:
445 if (nextents <= fork_recs)
446 xfs_scrub_ino_set_corrupt(sc, ino, bp);
450 xfs_scrub_ino_set_corrupt(sc, ino, bp);
455 if (XFS_DFORK_APTR(dip) >= (char *)dip + mp->m_sb.sb_inodesize)
456 xfs_scrub_ino_set_corrupt(sc, ino, bp);
457 if (dip->di_anextents != 0 && dip->di_forkoff == 0)
458 xfs_scrub_ino_set_corrupt(sc, ino, bp);
459 if (dip->di_forkoff == 0 && dip->di_aformat != XFS_DINODE_FMT_EXTENTS)
460 xfs_scrub_ino_set_corrupt(sc, ino, bp);
463 if (dip->di_aformat != XFS_DINODE_FMT_LOCAL &&
464 dip->di_aformat != XFS_DINODE_FMT_EXTENTS &&
465 dip->di_aformat != XFS_DINODE_FMT_BTREE)
466 xfs_scrub_ino_set_corrupt(sc, ino, bp);
469 nextents = be16_to_cpu(dip->di_anextents);
470 fork_recs = XFS_DFORK_ASIZE(dip, mp) / sizeof(struct xfs_bmbt_rec);
471 switch (dip->di_aformat) {
472 case XFS_DINODE_FMT_EXTENTS:
473 if (nextents > fork_recs)
474 xfs_scrub_ino_set_corrupt(sc, ino, bp);
476 case XFS_DINODE_FMT_BTREE:
477 if (nextents <= fork_recs)
478 xfs_scrub_ino_set_corrupt(sc, ino, bp);
482 xfs_scrub_ino_set_corrupt(sc, ino, bp);
485 if (dip->di_version >= 3) {
486 xfs_scrub_inode_flags2(sc, bp, dip, ino, mode, flags, flags2);
487 xfs_scrub_inode_cowextsize(sc, bp, dip, ino, mode, flags,
492 /* Map and read a raw inode. */
494 xfs_scrub_inode_map_raw(
495 struct xfs_scrub_context *sc,
497 struct xfs_buf **bpp,
498 struct xfs_dinode **dipp)
500 struct xfs_imap imap;
501 struct xfs_mount *mp = sc->mp;
502 struct xfs_buf *bp = NULL;
503 struct xfs_dinode *dip;
506 error = xfs_imap(mp, sc->tp, ino, &imap, XFS_IGET_UNTRUSTED);
507 if (error == -EINVAL) {
509 * Inode could have gotten deleted out from under us;
510 * just forget about it.
515 if (!xfs_scrub_process_error(sc, XFS_INO_TO_AGNO(mp, ino),
516 XFS_INO_TO_AGBNO(mp, ino), &error))
519 error = xfs_trans_read_buf(mp, sc->tp, mp->m_ddev_targp,
520 imap.im_blkno, imap.im_len, XBF_UNMAPPED, &bp,
522 if (!xfs_scrub_process_error(sc, XFS_INO_TO_AGNO(mp, ino),
523 XFS_INO_TO_AGBNO(mp, ino), &error))
527 * Is this really an inode? We disabled verifiers in the above
528 * xfs_trans_read_buf call because the inode buffer verifier
529 * fails on /any/ inode record in the inode cluster with a bad
530 * magic or version number, not just the one that we're
531 * checking. Therefore, grab the buffer unconditionally, attach
532 * the inode verifiers by hand, and run the inode verifier only
533 * on the one inode we want.
535 bp->b_ops = &xfs_inode_buf_ops;
536 dip = xfs_buf_offset(bp, imap.im_boffset);
537 if (!xfs_dinode_verify(mp, ino, dip) ||
538 !xfs_dinode_good_version(mp, dip->di_version)) {
539 xfs_scrub_ino_set_corrupt(sc, ino, bp);
543 /* ...and is it the one we asked for? */
544 if (be32_to_cpu(dip->di_gen) != sc->sm->sm_gen) {
554 xfs_trans_brelse(sc->tp, bp);
558 /* Scrub an inode. */
561 struct xfs_scrub_context *sc)
563 struct xfs_dinode di;
564 struct xfs_mount *mp = sc->mp;
565 struct xfs_buf *bp = NULL;
566 struct xfs_dinode *dip;
572 /* Did we get the in-core inode, or are we doing this manually? */
575 xfs_inode_to_disk(sc->ip, &di, 0);
578 /* Map & read inode. */
579 ino = sc->sm->sm_ino;
580 error = xfs_scrub_inode_map_raw(sc, ino, &bp, &dip);
585 xfs_scrub_dinode(sc, bp, dip, ino);
586 if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)
589 /* Now let's do the things that require a live inode. */
594 * Does this inode have the reflink flag set but no shared extents?
595 * Set the preening flag if this is the case.
597 if (xfs_is_reflink_inode(sc->ip)) {
598 error = xfs_reflink_inode_has_shared_extents(sc->tp, sc->ip,
600 if (!xfs_scrub_process_error(sc, XFS_INO_TO_AGNO(mp, ino),
601 XFS_INO_TO_AGBNO(mp, ino), &error))
604 xfs_scrub_ino_set_preen(sc, ino, bp);
609 xfs_trans_brelse(sc->tp, bp);