// SPDX-License-Identifier: GPL-2.0-or-later /* * Copyright (C) 2017-2023 Oracle. All Rights Reserved. * Author: Darrick J. Wong <[email protected]> */ #include "xfs.h" #include "xfs_fs.h" #include "xfs_shared.h" #include "xfs_format.h" #include "xfs_trans_resv.h" #include "xfs_mount.h" #include "xfs_log_format.h" #include "xfs_trans.h" #include "xfs_inode.h" #include "xfs_quota.h" #include "xfs_qm.h" #include "xfs_scrub.h" #include "xfs_buf_mem.h" #include "xfs_rmap.h" #include "xfs_exchrange.h" #include "xfs_exchmaps.h" #include "xfs_dir2.h" #include "xfs_parent.h" #include "xfs_icache.h" #include "scrub/scrub.h" #include "scrub/common.h" #include "scrub/trace.h" #include "scrub/repair.h" #include "scrub/health.h" #include "scrub/stats.h" #include "scrub/xfile.h" #include "scrub/tempfile.h" #include "scrub/orphanage.h" /* * Online Scrub and Repair * * Traditionally, XFS (the kernel driver) did not know how to check or * repair on-disk data structures. That task was left to the xfs_check * and xfs_repair tools, both of which require taking the filesystem * offline for a thorough but time consuming examination. Online * scrub & repair, on the other hand, enables us to check the metadata * for obvious errors while carefully stepping around the filesystem's * ongoing operations, locking rules, etc. * * Given that most XFS metadata consist of records stored in a btree, * most of the checking functions iterate the btree blocks themselves * looking for irregularities. When a record block is encountered, each * record can be checked for obviously bad values. Record values can * also be cross-referenced against other btrees to look for potential * misunderstandings between pieces of metadata. * * It is expected that the checkers responsible for per-AG metadata * structures will lock the AG headers (AGI, AGF, AGFL), iterate the * metadata structure, and perform any relevant cross-referencing before * unlocking the AG and returning the results to userspace. These * scrubbers must not keep an AG locked for too long to avoid tying up * the block and inode allocators. * * Block maps and b-trees rooted in an inode present a special challenge * because they can involve extents from any AG. The general scrubber * structure of lock -> check -> xref -> unlock still holds, but AG * locking order rules /must/ be obeyed to avoid deadlocks. The * ordering rule, of course, is that we must lock in increasing AG * order. Helper functions are provided to track which AG headers we've * already locked. If we detect an imminent locking order violation, we * can signal a potential deadlock, in which case the scrubber can jump * out to the top level, lock all the AGs in order, and retry the scrub. * * For file data (directories, extended attributes, symlinks) scrub, we * can simply lock the inode and walk the data. For btree data * (directories and attributes) we follow the same btree-scrubbing * strategy outlined previously to check the records. * * We use a bit of trickery with transactions to avoid buffer deadlocks * if there is a cycle in the metadata. The basic problem is that * travelling down a btree involves locking the current buffer at each * tree level. If a pointer should somehow point back to a buffer that * we've already examined, we will deadlock due to the second buffer * locking attempt. Note however that grabbing a buffer in transaction * context links the locked buffer to the transaction. If we try to * re-grab the buffer in the context of the same transaction, we avoid * the second lock attempt and continue. Between the verifier and the * scrubber, something will notice that something is amiss and report * the corruption. Therefore, each scrubber will allocate an empty * transaction, attach buffers to it, and cancel the transaction at the * end of the scrub run. Cancelling a non-dirty transaction simply * unlocks the buffers. * * There are four pieces of data that scrub can communicate to * userspace. The first is the error code (errno), which can be used to * communicate operational errors in performing the scrub. There are * also three flags that can be set in the scrub context. If the data * structure itself is corrupt, the CORRUPT flag will be set. If * the metadata is correct but otherwise suboptimal, the PREEN flag * will be set. * * We perform secondary validation of filesystem metadata by * cross-referencing every record with all other available metadata. * For example, for block mapping extents, we verify that there are no * records in the free space and inode btrees corresponding to that * space extent and that there is a corresponding entry in the reverse * mapping btree. Inconsistent metadata is noted by setting the * XCORRUPT flag; btree query function errors are noted by setting the * XFAIL flag and deleting the cursor to prevent further attempts to * cross-reference with a defective btree. * * If a piece of metadata proves corrupt or suboptimal, the userspace * program can ask the kernel to apply some tender loving care (TLC) to * the metadata object by setting the REPAIR flag and re-calling the * scrub ioctl. "Corruption" is defined by metadata violating the * on-disk specification; operations cannot continue if the violation is * left untreated. It is possible for XFS to continue if an object is * "suboptimal", however performance may be degraded. Repairs are * usually performed by rebuilding the metadata entirely out of * redundant metadata. Optimizing, on the other hand, can sometimes be * done without rebuilding entire structures. * * Generally speaking, the repair code has the following code structure: * Lock -> scrub -> repair -> commit -> re-lock -> re-scrub -> unlock. * The first check helps us figure out if we need to rebuild or simply * optimize the structure so that the rebuild knows what to do. The * second check evaluates the completeness of the repair; that is what * is reported to userspace. * * A quick note on symbol prefixes: * - "xfs_" are general XFS symbols. * - "xchk_" are symbols related to metadata checking. * - "xrep_" are symbols related to metadata repair. * - "xfs_scrub_" are symbols that tie online fsck to the rest of XFS. */ /* * Scrub probe -- userspace uses this to probe if we're willing to scrub * or repair a given mountpoint. This will be used by xfs_scrub to * probe the kernel's abilities to scrub (and repair) the metadata. We * do this by validating the ioctl inputs from userspace, preparing the * filesystem for a scrub (or a repair) operation, and immediately * returning to userspace. Userspace can use the returned errno and * structure state to decide (in broad terms) if scrub/repair are * supported by the running kernel. */ static int xchk_probe( struct xfs_scrub *sc) { … } /* Scrub setup and teardown */ static inline void xchk_fsgates_disable( struct xfs_scrub *sc) { … } /* Free the resources associated with a scrub subtype. */ void xchk_scrub_free_subord( struct xfs_scrub_subord *sub) { … } /* Free all the resources and finish the transactions. */ STATIC int xchk_teardown( struct xfs_scrub *sc, int error) { … } /* Scrubbing dispatch. */ static const struct xchk_meta_ops meta_scrub_ops[] = …; static int xchk_validate_inputs( struct xfs_mount *mp, struct xfs_scrub_metadata *sm) { … } #ifdef CONFIG_XFS_ONLINE_REPAIR static inline void xchk_postmortem(struct xfs_scrub *sc) { … } #else static inline void xchk_postmortem(struct xfs_scrub *sc) { /* * Userspace asked us to scrub something, it's broken, and we have no * way of fixing it. Scream in the logs. */ if (sc->sm->sm_flags & (XFS_SCRUB_OFLAG_CORRUPT | XFS_SCRUB_OFLAG_XCORRUPT)) xfs_alert_ratelimited(sc->mp, "Corruption detected during scrub."); } #endif /* CONFIG_XFS_ONLINE_REPAIR */ /* * Create a new scrub context from an existing one, but with a different scrub * type. */ struct xfs_scrub_subord * xchk_scrub_create_subord( struct xfs_scrub *sc, unsigned int subtype) { … } /* Dispatch metadata scrubbing. */ STATIC int xfs_scrub_metadata( struct file *file, struct xfs_scrub_metadata *sm) { … } /* Scrub one aspect of one piece of metadata. */ int xfs_ioc_scrub_metadata( struct file *file, void __user *arg) { … } /* Decide if there have been any scrub failures up to this point. */ static inline int xfs_scrubv_check_barrier( struct xfs_mount *mp, const struct xfs_scrub_vec *vectors, const struct xfs_scrub_vec *stop_vec) { … } /* * If the caller provided us with a nonzero inode number that isn't the ioctl * file, try to grab a reference to it to eliminate all further untrusted inode * lookups. If we can't get the inode, let each scrub function try again. */ STATIC struct xfs_inode * xchk_scrubv_open_by_handle( struct xfs_mount *mp, const struct xfs_scrub_vec_head *head) { … } /* Vectored scrub implementation to reduce ioctl calls. */ int xfs_ioc_scrubv_metadata( struct file *file, void __user *arg) { … }
Codebase Browser
linux