1 // SPDX-License-Identifier: GPL-2.0+
3 * Copyright (C) 2017 Oracle. All Rights Reserved.
4 * Author: Darrick J. Wong <darrick.wong@oracle.com>
8 #include "xfs_shared.h"
9 #include "xfs_format.h"
10 #include "xfs_trans_resv.h"
11 #include "xfs_mount.h"
12 #include "xfs_defer.h"
13 #include "xfs_btree.h"
15 #include "xfs_log_format.h"
16 #include "xfs_trans.h"
18 #include "xfs_inode.h"
19 #include "xfs_icache.h"
20 #include "xfs_inode_buf.h"
21 #include "xfs_inode_fork.h"
22 #include "xfs_ialloc.h"
23 #include "xfs_da_format.h"
24 #include "xfs_reflink.h"
27 #include "xfs_bmap_util.h"
28 #include "scrub/xfs_scrub.h"
29 #include "scrub/scrub.h"
30 #include "scrub/common.h"
31 #include "scrub/btree.h"
32 #include "scrub/trace.h"
35 * Grab total control of the inode metadata. It doesn't matter here if
36 * the file data is still changing; exclusive access to the metadata is
47 * Try to get the inode. If the verifiers fail, we try again
50 error = xchk_get_inode(sc, ip);
56 return xchk_trans_alloc(sc, 0);
61 /* Got the inode, lock it and we're ready to go. */
62 sc->ilock_flags = XFS_IOLOCK_EXCL | XFS_MMAPLOCK_EXCL;
63 xfs_ilock(sc->ip, sc->ilock_flags);
64 error = xchk_trans_alloc(sc, 0);
67 sc->ilock_flags |= XFS_ILOCK_EXCL;
68 xfs_ilock(sc->ip, XFS_ILOCK_EXCL);
71 /* scrub teardown will unlock and release the inode for us */
77 /* Validate di_extsize hint. */
81 struct xfs_dinode *dip,
88 fa = xfs_inode_validate_extsize(sc->mp, be32_to_cpu(dip->di_extsize),
91 xchk_ino_set_corrupt(sc, ino);
95 * Validate di_cowextsize hint.
97 * The rules are documented at xfs_ioctl_setattr_check_cowextsize().
98 * These functions must be kept in sync with each other.
101 xchk_inode_cowextsize(
102 struct xfs_scrub *sc,
103 struct xfs_dinode *dip,
111 fa = xfs_inode_validate_cowextsize(sc->mp,
112 be32_to_cpu(dip->di_cowextsize), mode, flags,
115 xchk_ino_set_corrupt(sc, ino);
118 /* Make sure the di_flags make sense for the inode. */
121 struct xfs_scrub *sc,
122 struct xfs_dinode *dip,
127 struct xfs_mount *mp = sc->mp;
129 /* di_flags are all taken, last bit cannot be used */
130 if (flags & ~XFS_DIFLAG_ANY)
133 /* rt flags require rt device */
134 if ((flags & XFS_DIFLAG_REALTIME) && !mp->m_rtdev_targp)
137 /* new rt bitmap flag only valid for rbmino */
138 if ((flags & XFS_DIFLAG_NEWRTBM) && ino != mp->m_sb.sb_rbmino)
141 /* directory-only flags */
142 if ((flags & (XFS_DIFLAG_RTINHERIT |
143 XFS_DIFLAG_EXTSZINHERIT |
144 XFS_DIFLAG_PROJINHERIT |
145 XFS_DIFLAG_NOSYMLINKS)) &&
149 /* file-only flags */
150 if ((flags & (XFS_DIFLAG_REALTIME | FS_XFLAG_EXTSIZE)) &&
154 /* filestreams and rt make no sense */
155 if ((flags & XFS_DIFLAG_FILESTREAM) && (flags & XFS_DIFLAG_REALTIME))
160 xchk_ino_set_corrupt(sc, ino);
163 /* Make sure the di_flags2 make sense for the inode. */
166 struct xfs_scrub *sc,
167 struct xfs_dinode *dip,
173 struct xfs_mount *mp = sc->mp;
175 /* Unknown di_flags2 could be from a future kernel */
176 if (flags2 & ~XFS_DIFLAG2_ANY)
177 xchk_ino_set_warning(sc, ino);
179 /* reflink flag requires reflink feature */
180 if ((flags2 & XFS_DIFLAG2_REFLINK) &&
181 !xfs_sb_version_hasreflink(&mp->m_sb))
184 /* cowextsize flag is checked w.r.t. mode separately */
186 /* file/dir-only flags */
187 if ((flags2 & XFS_DIFLAG2_DAX) && !(S_ISREG(mode) || S_ISDIR(mode)))
190 /* file-only flags */
191 if ((flags2 & XFS_DIFLAG2_REFLINK) && !S_ISREG(mode))
194 /* realtime and reflink make no sense, currently */
195 if ((flags & XFS_DIFLAG_REALTIME) && (flags2 & XFS_DIFLAG2_REFLINK))
198 /* dax and reflink make no sense, currently */
199 if ((flags2 & XFS_DIFLAG2_DAX) && (flags2 & XFS_DIFLAG2_REFLINK))
204 xchk_ino_set_corrupt(sc, ino);
207 /* Scrub all the ondisk inode fields. */
210 struct xfs_scrub *sc,
211 struct xfs_dinode *dip,
214 struct xfs_mount *mp = sc->mp;
216 unsigned long long isize;
222 flags = be16_to_cpu(dip->di_flags);
223 if (dip->di_version >= 3)
224 flags2 = be64_to_cpu(dip->di_flags2);
229 mode = be16_to_cpu(dip->di_mode);
230 switch (mode & S_IFMT) {
238 /* mode is recognized */
241 xchk_ino_set_corrupt(sc, ino);
246 switch (dip->di_version) {
249 * We autoconvert v1 inodes into v2 inodes on writeout,
250 * so just mark this inode for preening.
252 xchk_ino_set_preen(sc, ino);
256 if (dip->di_onlink != 0)
257 xchk_ino_set_corrupt(sc, ino);
259 if (dip->di_mode == 0 && sc->ip)
260 xchk_ino_set_corrupt(sc, ino);
262 if (dip->di_projid_hi != 0 &&
263 !xfs_sb_version_hasprojid32bit(&mp->m_sb))
264 xchk_ino_set_corrupt(sc, ino);
267 xchk_ino_set_corrupt(sc, ino);
272 * di_uid/di_gid -- -1 isn't invalid, but there's no way that
273 * userspace could have created that.
275 if (dip->di_uid == cpu_to_be32(-1U) ||
276 dip->di_gid == cpu_to_be32(-1U))
277 xchk_ino_set_warning(sc, ino);
280 switch (dip->di_format) {
281 case XFS_DINODE_FMT_DEV:
282 if (!S_ISCHR(mode) && !S_ISBLK(mode) &&
283 !S_ISFIFO(mode) && !S_ISSOCK(mode))
284 xchk_ino_set_corrupt(sc, ino);
286 case XFS_DINODE_FMT_LOCAL:
287 if (!S_ISDIR(mode) && !S_ISLNK(mode))
288 xchk_ino_set_corrupt(sc, ino);
290 case XFS_DINODE_FMT_EXTENTS:
291 if (!S_ISREG(mode) && !S_ISDIR(mode) && !S_ISLNK(mode))
292 xchk_ino_set_corrupt(sc, ino);
294 case XFS_DINODE_FMT_BTREE:
295 if (!S_ISREG(mode) && !S_ISDIR(mode))
296 xchk_ino_set_corrupt(sc, ino);
298 case XFS_DINODE_FMT_UUID:
300 xchk_ino_set_corrupt(sc, ino);
304 /* di_[amc]time.nsec */
305 if (be32_to_cpu(dip->di_atime.t_nsec) >= NSEC_PER_SEC)
306 xchk_ino_set_corrupt(sc, ino);
307 if (be32_to_cpu(dip->di_mtime.t_nsec) >= NSEC_PER_SEC)
308 xchk_ino_set_corrupt(sc, ino);
309 if (be32_to_cpu(dip->di_ctime.t_nsec) >= NSEC_PER_SEC)
310 xchk_ino_set_corrupt(sc, ino);
313 * di_size. xfs_dinode_verify checks for things that screw up
314 * the VFS such as the upper bit being set and zero-length
315 * symlinks/directories, but we can do more here.
317 isize = be64_to_cpu(dip->di_size);
318 if (isize & (1ULL << 63))
319 xchk_ino_set_corrupt(sc, ino);
321 /* Devices, fifos, and sockets must have zero size */
322 if (!S_ISDIR(mode) && !S_ISREG(mode) && !S_ISLNK(mode) && isize != 0)
323 xchk_ino_set_corrupt(sc, ino);
325 /* Directories can't be larger than the data section size (32G) */
326 if (S_ISDIR(mode) && (isize == 0 || isize >= XFS_DIR2_SPACE_SIZE))
327 xchk_ino_set_corrupt(sc, ino);
329 /* Symlinks can't be larger than SYMLINK_MAXLEN */
330 if (S_ISLNK(mode) && (isize == 0 || isize >= XFS_SYMLINK_MAXLEN))
331 xchk_ino_set_corrupt(sc, ino);
334 * Warn if the running kernel can't handle the kinds of offsets
335 * needed to deal with the file size. In other words, if the
336 * pagecache can't cache all the blocks in this file due to
337 * overly large offsets, flag the inode for admin review.
339 if (isize >= mp->m_super->s_maxbytes)
340 xchk_ino_set_warning(sc, ino);
343 if (flags2 & XFS_DIFLAG2_REFLINK) {
344 ; /* nblocks can exceed dblocks */
345 } else if (flags & XFS_DIFLAG_REALTIME) {
347 * nblocks is the sum of data extents (in the rtdev),
348 * attr extents (in the datadev), and both forks' bmbt
349 * blocks (in the datadev). This clumsy check is the
350 * best we can do without cross-referencing with the
353 if (be64_to_cpu(dip->di_nblocks) >=
354 mp->m_sb.sb_dblocks + mp->m_sb.sb_rblocks)
355 xchk_ino_set_corrupt(sc, ino);
357 if (be64_to_cpu(dip->di_nblocks) >= mp->m_sb.sb_dblocks)
358 xchk_ino_set_corrupt(sc, ino);
361 xchk_inode_flags(sc, dip, ino, mode, flags);
363 xchk_inode_extsize(sc, dip, ino, mode, flags);
366 nextents = be32_to_cpu(dip->di_nextents);
367 fork_recs = XFS_DFORK_DSIZE(dip, mp) / sizeof(struct xfs_bmbt_rec);
368 switch (dip->di_format) {
369 case XFS_DINODE_FMT_EXTENTS:
370 if (nextents > fork_recs)
371 xchk_ino_set_corrupt(sc, ino);
373 case XFS_DINODE_FMT_BTREE:
374 if (nextents <= fork_recs)
375 xchk_ino_set_corrupt(sc, ino);
379 xchk_ino_set_corrupt(sc, ino);
384 if (XFS_DFORK_APTR(dip) >= (char *)dip + mp->m_sb.sb_inodesize)
385 xchk_ino_set_corrupt(sc, ino);
386 if (dip->di_anextents != 0 && dip->di_forkoff == 0)
387 xchk_ino_set_corrupt(sc, ino);
388 if (dip->di_forkoff == 0 && dip->di_aformat != XFS_DINODE_FMT_EXTENTS)
389 xchk_ino_set_corrupt(sc, ino);
392 if (dip->di_aformat != XFS_DINODE_FMT_LOCAL &&
393 dip->di_aformat != XFS_DINODE_FMT_EXTENTS &&
394 dip->di_aformat != XFS_DINODE_FMT_BTREE)
395 xchk_ino_set_corrupt(sc, ino);
398 nextents = be16_to_cpu(dip->di_anextents);
399 fork_recs = XFS_DFORK_ASIZE(dip, mp) / sizeof(struct xfs_bmbt_rec);
400 switch (dip->di_aformat) {
401 case XFS_DINODE_FMT_EXTENTS:
402 if (nextents > fork_recs)
403 xchk_ino_set_corrupt(sc, ino);
405 case XFS_DINODE_FMT_BTREE:
406 if (nextents <= fork_recs)
407 xchk_ino_set_corrupt(sc, ino);
411 xchk_ino_set_corrupt(sc, ino);
414 if (dip->di_version >= 3) {
415 if (be32_to_cpu(dip->di_crtime.t_nsec) >= NSEC_PER_SEC)
416 xchk_ino_set_corrupt(sc, ino);
417 xchk_inode_flags2(sc, dip, ino, mode, flags, flags2);
418 xchk_inode_cowextsize(sc, dip, ino, mode, flags,
424 * Make sure the finobt doesn't think this inode is free.
425 * We don't have to check the inobt ourselves because we got the inode via
426 * IGET_UNTRUSTED, which checks the inobt for us.
429 xchk_inode_xref_finobt(
430 struct xfs_scrub *sc,
433 struct xfs_inobt_rec_incore rec;
438 if (!sc->sa.fino_cur || xchk_skip_xref(sc->sm))
441 agino = XFS_INO_TO_AGINO(sc->mp, ino);
444 * Try to get the finobt record. If we can't get it, then we're
447 error = xfs_inobt_lookup(sc->sa.fino_cur, agino, XFS_LOOKUP_LE,
449 if (!xchk_should_check_xref(sc, &error, &sc->sa.fino_cur) ||
453 error = xfs_inobt_get_rec(sc->sa.fino_cur, &rec, &has_record);
454 if (!xchk_should_check_xref(sc, &error, &sc->sa.fino_cur) ||
459 * Otherwise, make sure this record either doesn't cover this inode,
460 * or that it does but it's marked present.
462 if (rec.ir_startino > agino ||
463 rec.ir_startino + XFS_INODES_PER_CHUNK <= agino)
466 if (rec.ir_free & XFS_INOBT_MASK(agino - rec.ir_startino))
467 xchk_btree_xref_set_corrupt(sc, sc->sa.fino_cur, 0);
470 /* Cross reference the inode fields with the forks. */
472 xchk_inode_xref_bmap(
473 struct xfs_scrub *sc,
474 struct xfs_dinode *dip)
476 xfs_extnum_t nextents;
478 xfs_filblks_t acount;
481 if (xchk_skip_xref(sc->sm))
484 /* Walk all the extents to check nextents/naextents/nblocks. */
485 error = xfs_bmap_count_blocks(sc->tp, sc->ip, XFS_DATA_FORK,
487 if (!xchk_should_check_xref(sc, &error, NULL))
489 if (nextents < be32_to_cpu(dip->di_nextents))
490 xchk_ino_xref_set_corrupt(sc, sc->ip->i_ino);
492 error = xfs_bmap_count_blocks(sc->tp, sc->ip, XFS_ATTR_FORK,
494 if (!xchk_should_check_xref(sc, &error, NULL))
496 if (nextents != be16_to_cpu(dip->di_anextents))
497 xchk_ino_xref_set_corrupt(sc, sc->ip->i_ino);
499 /* Check nblocks against the inode. */
500 if (count + acount != be64_to_cpu(dip->di_nblocks))
501 xchk_ino_xref_set_corrupt(sc, sc->ip->i_ino);
504 /* Cross-reference with the other btrees. */
507 struct xfs_scrub *sc,
509 struct xfs_dinode *dip)
511 struct xfs_owner_info oinfo;
516 if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)
519 agno = XFS_INO_TO_AGNO(sc->mp, ino);
520 agbno = XFS_INO_TO_AGBNO(sc->mp, ino);
522 error = xchk_ag_init(sc, agno, &sc->sa);
523 if (!xchk_xref_process_error(sc, agno, agbno, &error))
526 xchk_xref_is_used_space(sc, agbno, 1);
527 xchk_inode_xref_finobt(sc, ino);
528 xfs_rmap_ag_owner(&oinfo, XFS_RMAP_OWN_INODES);
529 xchk_xref_is_owned_by(sc, agbno, 1, &oinfo);
530 xchk_xref_is_not_shared(sc, agbno, 1);
531 xchk_inode_xref_bmap(sc, dip);
533 xchk_ag_free(sc, &sc->sa);
537 * If the reflink iflag disagrees with a scan for shared data fork extents,
538 * either flag an error (shared extents w/ no flag) or a preen (flag set w/o
539 * any shared extents). We already checked for reflink iflag set on a non
540 * reflink filesystem.
543 xchk_inode_check_reflink_iflag(
544 struct xfs_scrub *sc,
547 struct xfs_mount *mp = sc->mp;
551 if (!xfs_sb_version_hasreflink(&mp->m_sb))
554 error = xfs_reflink_inode_has_shared_extents(sc->tp, sc->ip,
556 if (!xchk_xref_process_error(sc, XFS_INO_TO_AGNO(mp, ino),
557 XFS_INO_TO_AGBNO(mp, ino), &error))
559 if (xfs_is_reflink_inode(sc->ip) && !has_shared)
560 xchk_ino_set_preen(sc, ino);
561 else if (!xfs_is_reflink_inode(sc->ip) && has_shared)
562 xchk_ino_set_corrupt(sc, ino);
565 /* Scrub an inode. */
568 struct xfs_scrub *sc)
570 struct xfs_dinode di;
574 * If sc->ip is NULL, that means that the setup function called
575 * xfs_iget to look up the inode. xfs_iget returned a EFSCORRUPTED
576 * and a NULL inode, so flag the corruption error and return.
579 xchk_ino_set_corrupt(sc, sc->sm->sm_ino);
583 /* Scrub the inode core. */
584 xfs_inode_to_disk(sc->ip, &di, 0);
585 xchk_dinode(sc, &di, sc->ip->i_ino);
586 if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)
590 * Look for discrepancies between file's data blocks and the reflink
591 * iflag. We already checked the iflag against the file mode when
592 * we scrubbed the dinode.
594 if (S_ISREG(VFS_I(sc->ip)->i_mode))
595 xchk_inode_check_reflink_iflag(sc, sc->ip->i_ino);
597 xchk_inode_xref(sc, sc->ip->i_ino, &di);
projects / releases.git / blob