1 // SPDX-License-Identifier: GPL-2.0+
2 /*
3 * Copyright (C) 2017 Oracle. All Rights Reserved.
4 * Author: Darrick J. Wong <darrick.wong@oracle.com>
5 */
6 #include "xfs.h"
7 #include "xfs_fs.h"
8 #include "xfs_shared.h"
9 #include "xfs_format.h"
10 #include "xfs_btree.h"
11 #include "xfs_rmap.h"
12 #include "xfs_refcount.h"
13 #include "scrub/scrub.h"
14 #include "scrub/common.h"
15 #include "scrub/btree.h"
16 #include "xfs_trans_resv.h"
17 #include "xfs_mount.h"
18 #include "xfs_ag.h"
19
20 /*
21 * Set us up to scrub reference count btrees.
22 */
23 int
xchk_setup_ag_refcountbt(struct xfs_scrub * sc)24 xchk_setup_ag_refcountbt(
25 struct xfs_scrub *sc)
26 {
27 return xchk_setup_ag_btree(sc, false);
28 }
29
30 /* Reference count btree scrubber. */
31
32 /*
33 * Confirming Reference Counts via Reverse Mappings
34 *
35 * We want to count the reverse mappings overlapping a refcount record
36 * (bno, len, refcount), allowing for the possibility that some of the
37 * overlap may come from smaller adjoining reverse mappings, while some
38 * comes from single extents which overlap the range entirely. The
39 * outer loop is as follows:
40 *
41 * 1. For all reverse mappings overlapping the refcount extent,
42 * a. If a given rmap completely overlaps, mark it as seen.
43 * b. Otherwise, record the fragment (in agbno order) for later
44 * processing.
45 *
46 * Once we've seen all the rmaps, we know that for all blocks in the
47 * refcount record we want to find $refcount owners and we've already
48 * visited $seen extents that overlap all the blocks. Therefore, we
49 * need to find ($refcount - $seen) owners for every block in the
50 * extent; call that quantity $target_nr. Proceed as follows:
51 *
52 * 2. Pull the first $target_nr fragments from the list; all of them
53 * should start at or before the start of the extent.
54 * Call this subset of fragments the working set.
55 * 3. Until there are no more unprocessed fragments,
56 * a. Find the shortest fragments in the set and remove them.
57 * b. Note the block number of the end of these fragments.
58 * c. Pull the same number of fragments from the list. All of these
59 * fragments should start at the block number recorded in the
60 * previous step.
61 * d. Put those fragments in the set.
62 * 4. Check that there are $target_nr fragments remaining in the list,
63 * and that they all end at or beyond the end of the refcount extent.
64 *
65 * If the refcount is correct, all the check conditions in the algorithm
66 * should always hold true. If not, the refcount is incorrect.
67 */
68 struct xchk_refcnt_frag {
69 struct list_head list;
70 struct xfs_rmap_irec rm;
71 };
72
73 struct xchk_refcnt_check {
74 struct xfs_scrub *sc;
75 struct list_head fragments;
76
77 /* refcount extent we're examining */
78 xfs_agblock_t bno;
79 xfs_extlen_t len;
80 xfs_nlink_t refcount;
81
82 /* number of owners seen */
83 xfs_nlink_t seen;
84 };
85
86 /*
87 * Decide if the given rmap is large enough that we can redeem it
88 * towards refcount verification now, or if it's a fragment, in
89 * which case we'll hang onto it in the hopes that we'll later
90 * discover that we've collected exactly the correct number of
91 * fragments as the refcountbt says we should have.
92 */
93 STATIC int
xchk_refcountbt_rmap_check(struct xfs_btree_cur * cur,const struct xfs_rmap_irec * rec,void * priv)94 xchk_refcountbt_rmap_check(
95 struct xfs_btree_cur *cur,
96 const struct xfs_rmap_irec *rec,
97 void *priv)
98 {
99 struct xchk_refcnt_check *refchk = priv;
100 struct xchk_refcnt_frag *frag;
101 xfs_agblock_t rm_last;
102 xfs_agblock_t rc_last;
103 int error = 0;
104
105 if (xchk_should_terminate(refchk->sc, &error))
106 return error;
107
108 rm_last = rec->rm_startblock + rec->rm_blockcount - 1;
109 rc_last = refchk->bno + refchk->len - 1;
110
111 /* Confirm that a single-owner refc extent is a CoW stage. */
112 if (refchk->refcount == 1 && rec->rm_owner != XFS_RMAP_OWN_COW) {
113 xchk_btree_xref_set_corrupt(refchk->sc, cur, 0);
114 return 0;
115 }
116
117 if (rec->rm_startblock <= refchk->bno && rm_last >= rc_last) {
118 /*
119 * The rmap overlaps the refcount record, so we can confirm
120 * one refcount owner seen.
121 */
122 refchk->seen++;
123 } else {
124 /*
125 * This rmap covers only part of the refcount record, so
126 * save the fragment for later processing. If the rmapbt
127 * is healthy each rmap_irec we see will be in agbno order
128 * so we don't need insertion sort here.
129 */
130 frag = kmem_alloc(sizeof(struct xchk_refcnt_frag),
131 KM_MAYFAIL);
132 if (!frag)
133 return -ENOMEM;
134 memcpy(&frag->rm, rec, sizeof(frag->rm));
135 list_add_tail(&frag->list, &refchk->fragments);
136 }
137
138 return 0;
139 }
140
141 /*
142 * Given a bunch of rmap fragments, iterate through them, keeping
143 * a running tally of the refcount. If this ever deviates from
144 * what we expect (which is the refcountbt's refcount minus the
145 * number of extents that totally covered the refcountbt extent),
146 * we have a refcountbt error.
147 */
148 STATIC void
xchk_refcountbt_process_rmap_fragments(struct xchk_refcnt_check * refchk)149 xchk_refcountbt_process_rmap_fragments(
150 struct xchk_refcnt_check *refchk)
151 {
152 struct list_head worklist;
153 struct xchk_refcnt_frag *frag;
154 struct xchk_refcnt_frag *n;
155 xfs_agblock_t bno;
156 xfs_agblock_t rbno;
157 xfs_agblock_t next_rbno;
158 xfs_nlink_t nr;
159 xfs_nlink_t target_nr;
160
161 target_nr = refchk->refcount - refchk->seen;
162 if (target_nr == 0)
163 return;
164
165 /*
166 * There are (refchk->rc.rc_refcount - refchk->nr refcount)
167 * references we haven't found yet. Pull that many off the
168 * fragment list and figure out where the smallest rmap ends
169 * (and therefore the next rmap should start). All the rmaps
170 * we pull off should start at or before the beginning of the
171 * refcount record's range.
172 */
173 INIT_LIST_HEAD(&worklist);
174 rbno = NULLAGBLOCK;
175
176 /* Make sure the fragments actually /are/ in agbno order. */
177 bno = 0;
178 list_for_each_entry(frag, &refchk->fragments, list) {
179 if (frag->rm.rm_startblock < bno)
180 goto done;
181 bno = frag->rm.rm_startblock;
182 }
183
184 /*
185 * Find all the rmaps that start at or before the refc extent,
186 * and put them on the worklist.
187 */
188 nr = 0;
189 list_for_each_entry_safe(frag, n, &refchk->fragments, list) {
190 if (frag->rm.rm_startblock > refchk->bno || nr > target_nr)
191 break;
192 bno = frag->rm.rm_startblock + frag->rm.rm_blockcount;
193 if (bno < rbno)
194 rbno = bno;
195 list_move_tail(&frag->list, &worklist);
196 nr++;
197 }
198
199 /*
200 * We should have found exactly $target_nr rmap fragments starting
201 * at or before the refcount extent.
202 */
203 if (nr != target_nr)
204 goto done;
205
206 while (!list_empty(&refchk->fragments)) {
207 /* Discard any fragments ending at rbno from the worklist. */
208 nr = 0;
209 next_rbno = NULLAGBLOCK;
210 list_for_each_entry_safe(frag, n, &worklist, list) {
211 bno = frag->rm.rm_startblock + frag->rm.rm_blockcount;
212 if (bno != rbno) {
213 if (bno < next_rbno)
214 next_rbno = bno;
215 continue;
216 }
217 list_del(&frag->list);
218 kmem_free(frag);
219 nr++;
220 }
221
222 /* Try to add nr rmaps starting at rbno to the worklist. */
223 list_for_each_entry_safe(frag, n, &refchk->fragments, list) {
224 bno = frag->rm.rm_startblock + frag->rm.rm_blockcount;
225 if (frag->rm.rm_startblock != rbno)
226 goto done;
227 list_move_tail(&frag->list, &worklist);
228 if (next_rbno > bno)
229 next_rbno = bno;
230 nr--;
231 if (nr == 0)
232 break;
233 }
234
235 /*
236 * If we get here and nr > 0, this means that we added fewer
237 * items to the worklist than we discarded because the fragment
238 * list ran out of items. Therefore, we cannot maintain the
239 * required refcount. Something is wrong, so we're done.
240 */
241 if (nr)
242 goto done;
243
244 rbno = next_rbno;
245 }
246
247 /*
248 * Make sure the last extent we processed ends at or beyond
249 * the end of the refcount extent.
250 */
251 if (rbno < refchk->bno + refchk->len)
252 goto done;
253
254 /* Actually record us having seen the remaining refcount. */
255 refchk->seen = refchk->refcount;
256 done:
257 /* Delete fragments and work list. */
258 list_for_each_entry_safe(frag, n, &worklist, list) {
259 list_del(&frag->list);
260 kmem_free(frag);
261 }
262 list_for_each_entry_safe(frag, n, &refchk->fragments, list) {
263 list_del(&frag->list);
264 kmem_free(frag);
265 }
266 }
267
268 /* Use the rmap entries covering this extent to verify the refcount. */
269 STATIC void
xchk_refcountbt_xref_rmap(struct xfs_scrub * sc,const struct xfs_refcount_irec * irec)270 xchk_refcountbt_xref_rmap(
271 struct xfs_scrub *sc,
272 const struct xfs_refcount_irec *irec)
273 {
274 struct xchk_refcnt_check refchk = {
275 .sc = sc,
276 .bno = irec->rc_startblock,
277 .len = irec->rc_blockcount,
278 .refcount = irec->rc_refcount,
279 .seen = 0,
280 };
281 struct xfs_rmap_irec low;
282 struct xfs_rmap_irec high;
283 struct xchk_refcnt_frag *frag;
284 struct xchk_refcnt_frag *n;
285 int error;
286
287 if (!sc->sa.rmap_cur || xchk_skip_xref(sc->sm))
288 return;
289
290 /* Cross-reference with the rmapbt to confirm the refcount. */
291 memset(&low, 0, sizeof(low));
292 low.rm_startblock = irec->rc_startblock;
293 memset(&high, 0xFF, sizeof(high));
294 high.rm_startblock = irec->rc_startblock + irec->rc_blockcount - 1;
295
296 INIT_LIST_HEAD(&refchk.fragments);
297 error = xfs_rmap_query_range(sc->sa.rmap_cur, &low, &high,
298 &xchk_refcountbt_rmap_check, &refchk);
299 if (!xchk_should_check_xref(sc, &error, &sc->sa.rmap_cur))
300 goto out_free;
301
302 xchk_refcountbt_process_rmap_fragments(&refchk);
303 if (irec->rc_refcount != refchk.seen)
304 xchk_btree_xref_set_corrupt(sc, sc->sa.rmap_cur, 0);
305
306 out_free:
307 list_for_each_entry_safe(frag, n, &refchk.fragments, list) {
308 list_del(&frag->list);
309 kmem_free(frag);
310 }
311 }
312
313 /* Cross-reference with the other btrees. */
314 STATIC void
xchk_refcountbt_xref(struct xfs_scrub * sc,const struct xfs_refcount_irec * irec)315 xchk_refcountbt_xref(
316 struct xfs_scrub *sc,
317 const struct xfs_refcount_irec *irec)
318 {
319 if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)
320 return;
321
322 xchk_xref_is_used_space(sc, irec->rc_startblock, irec->rc_blockcount);
323 xchk_xref_is_not_inode_chunk(sc, irec->rc_startblock,
324 irec->rc_blockcount);
325 xchk_refcountbt_xref_rmap(sc, irec);
326 }
327
328 /* Scrub a refcountbt record. */
329 STATIC int
xchk_refcountbt_rec(struct xchk_btree * bs,const union xfs_btree_rec * rec)330 xchk_refcountbt_rec(
331 struct xchk_btree *bs,
332 const union xfs_btree_rec *rec)
333 {
334 struct xfs_refcount_irec irec;
335 xfs_agblock_t *cow_blocks = bs->private;
336 struct xfs_perag *pag = bs->cur->bc_ag.pag;
337
338 xfs_refcount_btrec_to_irec(rec, &irec);
339
340 /* Check the domain and refcount are not incompatible. */
341 if (!xfs_refcount_check_domain(&irec))
342 xchk_btree_set_corrupt(bs->sc, bs->cur, 0);
343
344 if (irec.rc_domain == XFS_REFC_DOMAIN_COW)
345 (*cow_blocks) += irec.rc_blockcount;
346
347 /* Check the extent. */
348 if (!xfs_verify_agbext(pag, irec.rc_startblock, irec.rc_blockcount))
349 xchk_btree_set_corrupt(bs->sc, bs->cur, 0);
350
351 if (irec.rc_refcount == 0)
352 xchk_btree_set_corrupt(bs->sc, bs->cur, 0);
353
354 xchk_refcountbt_xref(bs->sc, &irec);
355
356 return 0;
357 }
358
359 /* Make sure we have as many refc blocks as the rmap says. */
360 STATIC void
xchk_refcount_xref_rmap(struct xfs_scrub * sc,xfs_filblks_t cow_blocks)361 xchk_refcount_xref_rmap(
362 struct xfs_scrub *sc,
363 xfs_filblks_t cow_blocks)
364 {
365 xfs_extlen_t refcbt_blocks = 0;
366 xfs_filblks_t blocks;
367 int error;
368
369 if (!sc->sa.rmap_cur || xchk_skip_xref(sc->sm))
370 return;
371
372 /* Check that we saw as many refcbt blocks as the rmap knows about. */
373 error = xfs_btree_count_blocks(sc->sa.refc_cur, &refcbt_blocks);
374 if (!xchk_btree_process_error(sc, sc->sa.refc_cur, 0, &error))
375 return;
376 error = xchk_count_rmap_ownedby_ag(sc, sc->sa.rmap_cur,
377 &XFS_RMAP_OINFO_REFC, &blocks);
378 if (!xchk_should_check_xref(sc, &error, &sc->sa.rmap_cur))
379 return;
380 if (blocks != refcbt_blocks)
381 xchk_btree_xref_set_corrupt(sc, sc->sa.rmap_cur, 0);
382
383 /* Check that we saw as many cow blocks as the rmap knows about. */
384 error = xchk_count_rmap_ownedby_ag(sc, sc->sa.rmap_cur,
385 &XFS_RMAP_OINFO_COW, &blocks);
386 if (!xchk_should_check_xref(sc, &error, &sc->sa.rmap_cur))
387 return;
388 if (blocks != cow_blocks)
389 xchk_btree_xref_set_corrupt(sc, sc->sa.rmap_cur, 0);
390 }
391
392 /* Scrub the refcount btree for some AG. */
393 int
xchk_refcountbt(struct xfs_scrub * sc)394 xchk_refcountbt(
395 struct xfs_scrub *sc)
396 {
397 xfs_agblock_t cow_blocks = 0;
398 int error;
399
400 error = xchk_btree(sc, sc->sa.refc_cur, xchk_refcountbt_rec,
401 &XFS_RMAP_OINFO_REFC, &cow_blocks);
402 if (error)
403 return error;
404
405 xchk_refcount_xref_rmap(sc, cow_blocks);
406
407 return 0;
408 }
409
410 /* xref check that a cow staging extent is marked in the refcountbt. */
411 void
xchk_xref_is_cow_staging(struct xfs_scrub * sc,xfs_agblock_t agbno,xfs_extlen_t len)412 xchk_xref_is_cow_staging(
413 struct xfs_scrub *sc,
414 xfs_agblock_t agbno,
415 xfs_extlen_t len)
416 {
417 struct xfs_refcount_irec rc;
418 int has_refcount;
419 int error;
420
421 if (!sc->sa.refc_cur || xchk_skip_xref(sc->sm))
422 return;
423
424 /* Find the CoW staging extent. */
425 error = xfs_refcount_lookup_le(sc->sa.refc_cur, XFS_REFC_DOMAIN_COW,
426 agbno, &has_refcount);
427 if (!xchk_should_check_xref(sc, &error, &sc->sa.refc_cur))
428 return;
429 if (!has_refcount) {
430 xchk_btree_xref_set_corrupt(sc, sc->sa.refc_cur, 0);
431 return;
432 }
433
434 error = xfs_refcount_get_rec(sc->sa.refc_cur, &rc, &has_refcount);
435 if (!xchk_should_check_xref(sc, &error, &sc->sa.refc_cur))
436 return;
437 if (!has_refcount) {
438 xchk_btree_xref_set_corrupt(sc, sc->sa.refc_cur, 0);
439 return;
440 }
441
442 /* CoW lookup returned a shared extent record? */
443 if (rc.rc_domain != XFS_REFC_DOMAIN_COW)
444 xchk_btree_xref_set_corrupt(sc, sc->sa.refc_cur, 0);
445
446 /* Must be at least as long as what was passed in */
447 if (rc.rc_blockcount < len)
448 xchk_btree_xref_set_corrupt(sc, sc->sa.refc_cur, 0);
449 }
450
451 /*
452 * xref check that the extent is not shared. Only file data blocks
453 * can have multiple owners.
454 */
455 void
xchk_xref_is_not_shared(struct xfs_scrub * sc,xfs_agblock_t agbno,xfs_extlen_t len)456 xchk_xref_is_not_shared(
457 struct xfs_scrub *sc,
458 xfs_agblock_t agbno,
459 xfs_extlen_t len)
460 {
461 bool shared;
462 int error;
463
464 if (!sc->sa.refc_cur || xchk_skip_xref(sc->sm))
465 return;
466
467 error = xfs_refcount_has_record(sc->sa.refc_cur, XFS_REFC_DOMAIN_SHARED,
468 agbno, len, &shared);
469 if (!xchk_should_check_xref(sc, &error, &sc->sa.refc_cur))
470 return;
471 if (shared)
472 xchk_btree_xref_set_corrupt(sc, sc->sa.refc_cur, 0);
473 }
474
