// SPDX-License-Identifier: GPL-2.0-or-later
/*
* Copyright (C) 2017-2023 Oracle. All Rights Reserved.
* Author: Darrick J. Wong <[email protected]>
*/
#include "xfs.h"
#include "xfs_fs.h"
#include "xfs_shared.h"
#include "xfs_format.h"
#include "xfs_log_format.h"
#include "xfs_trans_resv.h"
#include "xfs_mount.h"
#include "xfs_trans.h"
#include "xfs_ag.h"
#include "xfs_btree.h"
#include "xfs_rmap.h"
#include "xfs_refcount.h"
#include "scrub/scrub.h"
#include "scrub/common.h"
#include "scrub/btree.h"
#include "scrub/trace.h"
#include "scrub/repair.h"
/*
* Set us up to scrub reference count btrees.
*/
int
xchk_setup_ag_refcountbt(
struct xfs_scrub *sc)
{
if (xchk_need_intent_drain(sc))
xchk_fsgates_enable(sc, XCHK_FSGATES_DRAIN);
if (xchk_could_repair(sc)) {
int error;
error = xrep_setup_ag_refcountbt(sc);
if (error)
return error;
}
return xchk_setup_ag_btree(sc, false);
}
/* Reference count btree scrubber. */
/*
* Confirming Reference Counts via Reverse Mappings
*
* We want to count the reverse mappings overlapping a refcount record
* (bno, len, refcount), allowing for the possibility that some of the
* overlap may come from smaller adjoining reverse mappings, while some
* comes from single extents which overlap the range entirely. The
* outer loop is as follows:
*
* 1. For all reverse mappings overlapping the refcount extent,
* a. If a given rmap completely overlaps, mark it as seen.
* b. Otherwise, record the fragment (in agbno order) for later
* processing.
*
* Once we've seen all the rmaps, we know that for all blocks in the
* refcount record we want to find $refcount owners and we've already
* visited $seen extents that overlap all the blocks. Therefore, we
* need to find ($refcount - $seen) owners for every block in the
* extent; call that quantity $target_nr. Proceed as follows:
*
* 2. Pull the first $target_nr fragments from the list; all of them
* should start at or before the start of the extent.
* Call this subset of fragments the working set.
* 3. Until there are no more unprocessed fragments,
* a. Find the shortest fragments in the set and remove them.
* b. Note the block number of the end of these fragments.
* c. Pull the same number of fragments from the list. All of these
* fragments should start at the block number recorded in the
* previous step.
* d. Put those fragments in the set.
* 4. Check that there are $target_nr fragments remaining in the list,
* and that they all end at or beyond the end of the refcount extent.
*
* If the refcount is correct, all the check conditions in the algorithm
* should always hold true. If not, the refcount is incorrect.
*/
struct xchk_refcnt_frag {
struct list_head list;
struct xfs_rmap_irec rm;
};
struct xchk_refcnt_check {
struct xfs_scrub *sc;
struct list_head fragments;
/* refcount extent we're examining */
xfs_agblock_t bno;
xfs_extlen_t len;
xfs_nlink_t refcount;
/* number of owners seen */
xfs_nlink_t seen;
};
/*
* Decide if the given rmap is large enough that we can redeem it
* towards refcount verification now, or if it's a fragment, in
* which case we'll hang onto it in the hopes that we'll later
* discover that we've collected exactly the correct number of
* fragments as the refcountbt says we should have.
*/
STATIC int
xchk_refcountbt_rmap_check(
struct xfs_btree_cur *cur,
const struct xfs_rmap_irec *rec,
void *priv)
{
struct xchk_refcnt_check *refchk = priv;
struct xchk_refcnt_frag *frag;
xfs_agblock_t rm_last;
xfs_agblock_t rc_last;
int error = 0;
if (xchk_should_terminate(refchk->sc, &error))
return error;
rm_last = rec->rm_startblock + rec->rm_blockcount - 1;
rc_last = refchk->bno + refchk->len - 1;
/* Confirm that a single-owner refc extent is a CoW stage. */
if (refchk->refcount == 1 && rec->rm_owner != XFS_RMAP_OWN_COW) {
xchk_btree_xref_set_corrupt(refchk->sc, cur, 0);
return 0;
}
if (rec->rm_startblock <= refchk->bno && rm_last >= rc_last) {
/*
* The rmap overlaps the refcount record, so we can confirm
* one refcount owner seen.
*/
refchk->seen++;
} else {
/*
* This rmap covers only part of the refcount record, so
* save the fragment for later processing. If the rmapbt
* is healthy each rmap_irec we see will be in agbno order
* so we don't need insertion sort here.
*/
frag = kmalloc(sizeof(struct xchk_refcnt_frag),
XCHK_GFP_FLAGS);
if (!frag)
return -ENOMEM;
memcpy(&frag->rm, rec, sizeof(frag->rm));
list_add_tail(&frag->list, &refchk->fragments);
}
return 0;
}
/*
* Given a bunch of rmap fragments, iterate through them, keeping
* a running tally of the refcount. If this ever deviates from
* what we expect (which is the refcountbt's refcount minus the
* number of extents that totally covered the refcountbt extent),
* we have a refcountbt error.
*/
STATIC void
xchk_refcountbt_process_rmap_fragments(
struct xchk_refcnt_check *refchk)
{
struct list_head worklist;
struct xchk_refcnt_frag *frag;
struct xchk_refcnt_frag *n;
xfs_agblock_t bno;
xfs_agblock_t rbno;
xfs_agblock_t next_rbno;
xfs_nlink_t nr;
xfs_nlink_t target_nr;
target_nr = refchk->refcount - refchk->seen;
if (target_nr == 0)
return;
/*
* There are (refchk->rc.rc_refcount - refchk->nr refcount)
* references we haven't found yet. Pull that many off the
* fragment list and figure out where the smallest rmap ends
* (and therefore the next rmap should start). All the rmaps
* we pull off should start at or before the beginning of the
* refcount record's range.
*/
INIT_LIST_HEAD(&worklist);
rbno = NULLAGBLOCK;
/* Make sure the fragments actually /are/ in agbno order. */
bno = 0;
list_for_each_entry(frag, &refchk->fragments, list) {
if (frag->rm.rm_startblock < bno)
goto done;
bno = frag->rm.rm_startblock;
}
/*
* Find all the rmaps that start at or before the refc extent,
* and put them on the worklist.
*/
nr = 0;
list_for_each_entry_safe(frag, n, &refchk->fragments, list) {
if (frag->rm.rm_startblock > refchk->bno || nr > target_nr)
break;
bno = frag->rm.rm_startblock + frag->rm.rm_blockcount;
if (bno < rbno)
rbno = bno;
list_move_tail(&frag->list, &worklist);
nr++;
}
/*
* We should have found exactly $target_nr rmap fragments starting
* at or before the refcount extent.
*/
if (nr != target_nr)
goto done;
while (!list_empty(&refchk->fragments)) {
/* Discard any fragments ending at rbno from the worklist. */
nr = 0;
next_rbno = NULLAGBLOCK;
list_for_each_entry_safe(frag, n, &worklist, list) {
bno = frag->rm.rm_startblock + frag->rm.rm_blockcount;
if (bno != rbno) {
if (bno < next_rbno)
next_rbno = bno;
continue;
}
list_del(&frag->list);
kfree(frag);
nr++;
}
/* Try to add nr rmaps starting at rbno to the worklist. */
list_for_each_entry_safe(frag, n, &refchk->fragments, list) {
bno = frag->rm.rm_startblock + frag->rm.rm_blockcount;
if (frag->rm.rm_startblock != rbno)
goto done;
list_move_tail(&frag->list, &worklist);
if (next_rbno > bno)
next_rbno = bno;
nr--;
if (nr == 0)
break;
}
/*
* If we get here and nr > 0, this means that we added fewer
* items to the worklist than we discarded because the fragment
* list ran out of items. Therefore, we cannot maintain the
* required refcount. Something is wrong, so we're done.
*/
if (nr)
goto done;
rbno = next_rbno;
}
/*
* Make sure the last extent we processed ends at or beyond
* the end of the refcount extent.
*/
if (rbno < refchk->bno + refchk->len)
goto done;
/* Actually record us having seen the remaining refcount. */
refchk->seen = refchk->refcount;
done:
/* Delete fragments and work list. */
list_for_each_entry_safe(frag, n, &worklist, list) {
list_del(&frag->list);
kfree(frag);
}
list_for_each_entry_safe(frag, n, &refchk->fragments, list) {
list_del(&frag->list);
kfree(frag);
}
}
/* Use the rmap entries covering this extent to verify the refcount. */
STATIC void
xchk_refcountbt_xref_rmap(
struct xfs_scrub *sc,
const struct xfs_refcount_irec *irec)
{
struct xchk_refcnt_check refchk = {
.sc = sc,
.bno = irec->rc_startblock,
.len = irec->rc_blockcount,
.refcount = irec->rc_refcount,
.seen = 0,
};
struct xfs_rmap_irec low;
struct xfs_rmap_irec high;
struct xchk_refcnt_frag *frag;
struct xchk_refcnt_frag *n;
int error;
if (!sc->sa.rmap_cur || xchk_skip_xref(sc->sm))
return;
/* Cross-reference with the rmapbt to confirm the refcount. */
memset(&low, 0, sizeof(low));
low.rm_startblock = irec->rc_startblock;
memset(&high, 0xFF, sizeof(high));
high.rm_startblock = irec->rc_startblock + irec->rc_blockcount - 1;
INIT_LIST_HEAD(&refchk.fragments);
error = xfs_rmap_query_range(sc->sa.rmap_cur, &low, &high,
&xchk_refcountbt_rmap_check, &refchk);
if (!xchk_should_check_xref(sc, &error, &sc->sa.rmap_cur))
goto out_free;
xchk_refcountbt_process_rmap_fragments(&refchk);
if (irec->rc_refcount != refchk.seen) {
trace_xchk_refcount_incorrect(sc->sa.pag, irec, refchk.seen);
xchk_btree_xref_set_corrupt(sc, sc->sa.rmap_cur, 0);
}
out_free:
list_for_each_entry_safe(frag, n, &refchk.fragments, list) {
list_del(&frag->list);
kfree(frag);
}
}
/* Cross-reference with the other btrees. */
STATIC void
xchk_refcountbt_xref(
struct xfs_scrub *sc,
const struct xfs_refcount_irec *irec)
{
if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)
return;
xchk_xref_is_used_space(sc, irec->rc_startblock, irec->rc_blockcount);
xchk_xref_is_not_inode_chunk(sc, irec->rc_startblock,
irec->rc_blockcount);
xchk_refcountbt_xref_rmap(sc, irec);
}
struct xchk_refcbt_records {
/* Previous refcount record. */
struct xfs_refcount_irec prev_rec;
/* The next AG block where we aren't expecting shared extents. */
xfs_agblock_t next_unshared_agbno;
/* Number of CoW blocks we expect. */
xfs_agblock_t cow_blocks;
/* Was the last record a shared or CoW staging extent? */
enum xfs_refc_domain prev_domain;
};
STATIC int
xchk_refcountbt_rmap_check_gap(
struct xfs_btree_cur *cur,
const struct xfs_rmap_irec *rec,
void *priv)
{
xfs_agblock_t *next_bno = priv;
if (*next_bno != NULLAGBLOCK && rec->rm_startblock < *next_bno)
return -ECANCELED;
*next_bno = rec->rm_startblock + rec->rm_blockcount;
return 0;
}
/*
* Make sure that a gap in the reference count records does not correspond to
* overlapping records (i.e. shared extents) in the reverse mappings.
*/
static inline void
xchk_refcountbt_xref_gaps(
struct xfs_scrub *sc,
struct xchk_refcbt_records *rrc,
xfs_agblock_t bno)
{
struct xfs_rmap_irec low;
struct xfs_rmap_irec high;
xfs_agblock_t next_bno = NULLAGBLOCK;
int error;
if (bno <= rrc->next_unshared_agbno || !sc->sa.rmap_cur ||
xchk_skip_xref(sc->sm))
return;
memset(&low, 0, sizeof(low));
low.rm_startblock = rrc->next_unshared_agbno;
memset(&high, 0xFF, sizeof(high));
high.rm_startblock = bno - 1;
error = xfs_rmap_query_range(sc->sa.rmap_cur, &low, &high,
xchk_refcountbt_rmap_check_gap, &next_bno);
if (error == -ECANCELED)
xchk_btree_xref_set_corrupt(sc, sc->sa.rmap_cur, 0);
else
xchk_should_check_xref(sc, &error, &sc->sa.rmap_cur);
}
static inline bool
xchk_refcount_mergeable(
struct xchk_refcbt_records *rrc,
const struct xfs_refcount_irec *r2)
{
const struct xfs_refcount_irec *r1 = &rrc->prev_rec;
/* Ignore if prev_rec is not yet initialized. */
if (r1->rc_blockcount > 0)
return false;
if (r1->rc_domain != r2->rc_domain)
return false;
if (r1->rc_startblock + r1->rc_blockcount != r2->rc_startblock)
return false;
if (r1->rc_refcount != r2->rc_refcount)
return false;
if ((unsigned long long)r1->rc_blockcount + r2->rc_blockcount >
MAXREFCEXTLEN)
return false;
return true;
}
/* Flag failures for records that could be merged. */
STATIC void
xchk_refcountbt_check_mergeable(
struct xchk_btree *bs,
struct xchk_refcbt_records *rrc,
const struct xfs_refcount_irec *irec)
{
if (bs->sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)
return;
if (xchk_refcount_mergeable(rrc, irec))
xchk_btree_set_corrupt(bs->sc, bs->cur, 0);
memcpy(&rrc->prev_rec, irec, sizeof(struct xfs_refcount_irec));
}
/* Scrub a refcountbt record. */
STATIC int
xchk_refcountbt_rec(
struct xchk_btree *bs,
const union xfs_btree_rec *rec)
{
struct xfs_refcount_irec irec;
struct xchk_refcbt_records *rrc = bs->private;
xfs_refcount_btrec_to_irec(rec, &irec);
if (xfs_refcount_check_irec(bs->cur->bc_ag.pag, &irec) != NULL) {
xchk_btree_set_corrupt(bs->sc, bs->cur, 0);
return 0;
}
if (irec.rc_domain == XFS_REFC_DOMAIN_COW)
rrc->cow_blocks += irec.rc_blockcount;
/* Shared records always come before CoW records. */
if (irec.rc_domain == XFS_REFC_DOMAIN_SHARED &&
rrc->prev_domain == XFS_REFC_DOMAIN_COW)
xchk_btree_set_corrupt(bs->sc, bs->cur, 0);
rrc->prev_domain = irec.rc_domain;
xchk_refcountbt_check_mergeable(bs, rrc, &irec);
xchk_refcountbt_xref(bs->sc, &irec);
/*
* If this is a record for a shared extent, check that all blocks
* between the previous record and this one have at most one reverse
* mapping.
*/
if (irec.rc_domain == XFS_REFC_DOMAIN_SHARED) {
xchk_refcountbt_xref_gaps(bs->sc, rrc, irec.rc_startblock);
rrc->next_unshared_agbno = irec.rc_startblock +
irec.rc_blockcount;
}
return 0;
}
/* Make sure we have as many refc blocks as the rmap says. */
STATIC void
xchk_refcount_xref_rmap(
struct xfs_scrub *sc,
xfs_filblks_t cow_blocks)
{
xfs_extlen_t refcbt_blocks = 0;
xfs_filblks_t blocks;
int error;
if (!sc->sa.rmap_cur || xchk_skip_xref(sc->sm))
return;
/* Check that we saw as many refcbt blocks as the rmap knows about. */
error = xfs_btree_count_blocks(sc->sa.refc_cur, &refcbt_blocks);
if (!xchk_btree_process_error(sc, sc->sa.refc_cur, 0, &error))
return;
error = xchk_count_rmap_ownedby_ag(sc, sc->sa.rmap_cur,
&XFS_RMAP_OINFO_REFC, &blocks);
if (!xchk_should_check_xref(sc, &error, &sc->sa.rmap_cur))
return;
if (blocks != refcbt_blocks)
xchk_btree_xref_set_corrupt(sc, sc->sa.rmap_cur, 0);
/* Check that we saw as many cow blocks as the rmap knows about. */
error = xchk_count_rmap_ownedby_ag(sc, sc->sa.rmap_cur,
&XFS_RMAP_OINFO_COW, &blocks);
if (!xchk_should_check_xref(sc, &error, &sc->sa.rmap_cur))
return;
if (blocks != cow_blocks)
xchk_btree_xref_set_corrupt(sc, sc->sa.rmap_cur, 0);
}
/* Scrub the refcount btree for some AG. */
int
xchk_refcountbt(
struct xfs_scrub *sc)
{
struct xchk_refcbt_records rrc = {
.cow_blocks = 0,
.next_unshared_agbno = 0,
.prev_domain = XFS_REFC_DOMAIN_SHARED,
};
int error;
error = xchk_btree(sc, sc->sa.refc_cur, xchk_refcountbt_rec,
&XFS_RMAP_OINFO_REFC, &rrc);
if (error)
return error;
/*
* Check that all blocks between the last refcount > 1 record and the
* end of the AG have at most one reverse mapping.
*/
xchk_refcountbt_xref_gaps(sc, &rrc, sc->mp->m_sb.sb_agblocks);
xchk_refcount_xref_rmap(sc, rrc.cow_blocks);
return 0;
}
/* xref check that a cow staging extent is marked in the refcountbt. */
void
xchk_xref_is_cow_staging(
struct xfs_scrub *sc,
xfs_agblock_t agbno,
xfs_extlen_t len)
{
struct xfs_refcount_irec rc;
int has_refcount;
int error;
if (!sc->sa.refc_cur || xchk_skip_xref(sc->sm))
return;
/* Find the CoW staging extent. */
error = xfs_refcount_lookup_le(sc->sa.refc_cur, XFS_REFC_DOMAIN_COW,
agbno, &has_refcount);
if (!xchk_should_check_xref(sc, &error, &sc->sa.refc_cur))
return;
if (!has_refcount) {
xchk_btree_xref_set_corrupt(sc, sc->sa.refc_cur, 0);
return;
}
error = xfs_refcount_get_rec(sc->sa.refc_cur, &rc, &has_refcount);
if (!xchk_should_check_xref(sc, &error, &sc->sa.refc_cur))
return;
if (!has_refcount) {
xchk_btree_xref_set_corrupt(sc, sc->sa.refc_cur, 0);
return;
}
/* CoW lookup returned a shared extent record? */
if (rc.rc_domain != XFS_REFC_DOMAIN_COW)
xchk_btree_xref_set_corrupt(sc, sc->sa.refc_cur, 0);
/* Must be at least as long as what was passed in */
if (rc.rc_blockcount < len)
xchk_btree_xref_set_corrupt(sc, sc->sa.refc_cur, 0);
}
/*
* xref check that the extent is not shared. Only file data blocks
* can have multiple owners.
*/
void
xchk_xref_is_not_shared(
struct xfs_scrub *sc,
xfs_agblock_t agbno,
xfs_extlen_t len)
{
enum xbtree_recpacking outcome;
int error;
if (!sc->sa.refc_cur || xchk_skip_xref(sc->sm))
return;
error = xfs_refcount_has_records(sc->sa.refc_cur,
XFS_REFC_DOMAIN_SHARED, agbno, len, &outcome);
if (!xchk_should_check_xref(sc, &error, &sc->sa.refc_cur))
return;
if (outcome != XBTREE_RECPACKING_EMPTY)
xchk_btree_xref_set_corrupt(sc, sc->sa.refc_cur, 0);
}
/* xref check that the extent is not being used for CoW staging. */
void
xchk_xref_is_not_cow_staging(
struct xfs_scrub *sc,
xfs_agblock_t agbno,
xfs_extlen_t len)
{
enum xbtree_recpacking outcome;
int error;
if (!sc->sa.refc_cur || xchk_skip_xref(sc->sm))
return;
error = xfs_refcount_has_records(sc->sa.refc_cur, XFS_REFC_DOMAIN_COW,
agbno, len, &outcome);
if (!xchk_should_check_xref(sc, &error, &sc->sa.refc_cur))
return;
if (outcome != XBTREE_RECPACKING_EMPTY)
xchk_btree_xref_set_corrupt(sc, sc->sa.refc_cur, 0);
}