1 // SPDX-License-Identifier: GPL-2.0+
3 * Copyright (C) 2017 Oracle. All Rights Reserved.
4 * Author: Darrick J. Wong <darrick.wong@oracle.com>
8 #include "xfs_shared.h"
9 #include "xfs_format.h"
10 #include "xfs_trans_resv.h"
11 #include "xfs_mount.h"
12 #include "xfs_defer.h"
13 #include "xfs_btree.h"
15 #include "xfs_log_format.h"
16 #include "xfs_trans.h"
18 #include "xfs_inode.h"
19 #include "xfs_icache.h"
21 #include "xfs_dir2_priv.h"
22 #include "xfs_ialloc.h"
23 #include "scrub/xfs_scrub.h"
24 #include "scrub/scrub.h"
25 #include "scrub/common.h"
26 #include "scrub/trace.h"
28 /* Set us up to scrub parents. */
34 return xchk_setup_inode_contents(sc, ip, 0);
39 /* Look for an entry in a parent pointing to this inode. */
41 struct xchk_parent_ctx {
42 struct dir_context dc;
47 /* Look for a single entry in a directory pointing to an inode. */
50 struct dir_context *dc,
57 struct xchk_parent_ctx *spc;
59 spc = container_of(dc, struct xchk_parent_ctx, dc);
65 /* Count the number of dentries in the parent dir that point to this inode. */
67 xchk_parent_count_parent_dentries(
69 struct xfs_inode *parent,
72 struct xchk_parent_ctx spc = {
73 .dc.actor = xchk_parent_actor,
84 * If there are any blocks, read-ahead block 0 as we're almost
85 * certain to have the next operation be a read there. This is
86 * how we guarantee that the parent's extent map has been loaded,
89 lock_mode = xfs_ilock_data_map_shared(parent);
90 if (parent->i_d.di_nextents > 0)
91 error = xfs_dir3_data_readahead(parent, 0, -1);
92 xfs_iunlock(parent, lock_mode);
97 * Iterate the parent dir to confirm that there is
98 * exactly one entry pointing back to the inode being
101 bufsize = (size_t)min_t(loff_t, XFS_READDIR_BUFSIZE,
102 parent->i_d.di_size);
105 error = xfs_readdir(sc->tp, parent, &spc.dc, bufsize);
108 if (oldpos == spc.dc.pos)
118 * Given the inode number of the alleged parent of the inode being
119 * scrubbed, try to validate that the parent has exactly one directory
120 * entry pointing back to the inode being scrubbed.
123 xchk_parent_validate(
124 struct xfs_scrub *sc,
128 struct xfs_mount *mp = sc->mp;
129 struct xfs_inode *dp = NULL;
130 xfs_nlink_t expected_nlink;
136 if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)
139 /* '..' must not point to ourselves. */
140 if (sc->ip->i_ino == dnum) {
141 xchk_fblock_set_corrupt(sc, XFS_DATA_FORK, 0);
146 * If we're an unlinked directory, the parent /won't/ have a link
147 * to us. Otherwise, it should have one link.
149 expected_nlink = VFS_I(sc->ip)->i_nlink == 0 ? 0 : 1;
152 * Grab this parent inode. We release the inode before we
153 * cancel the scrub transaction. Since we're don't know a
154 * priori that releasing the inode won't trigger eofblocks
155 * cleanup (which allocates what would be a nested transaction)
156 * if the parent pointer erroneously points to a file, we
157 * can't use DONTCACHE here because DONTCACHE inodes can trigger
158 * immediate inactive cleanup of the inode.
160 * If _iget returns -EINVAL then the parent inode number is garbage
161 * and the directory is corrupt. If the _iget returns -EFSCORRUPTED
162 * or -EFSBADCRC then the parent is corrupt which is a cross
163 * referencing error. Any other error is an operational error.
165 error = xfs_iget(mp, sc->tp, dnum, XFS_IGET_UNTRUSTED, 0, &dp);
166 if (error == -EINVAL) {
167 error = -EFSCORRUPTED;
168 xchk_fblock_process_error(sc, XFS_DATA_FORK, 0, &error);
171 if (!xchk_fblock_xref_process_error(sc, XFS_DATA_FORK, 0, &error))
173 if (dp == sc->ip || !S_ISDIR(VFS_I(dp)->i_mode)) {
174 xchk_fblock_set_corrupt(sc, XFS_DATA_FORK, 0);
179 * We prefer to keep the inode locked while we lock and search
180 * its alleged parent for a forward reference. If we can grab
181 * the iolock, validate the pointers and we're done. We must
182 * use nowait here to avoid an ABBA deadlock on the parent and
185 if (xfs_ilock_nowait(dp, XFS_IOLOCK_SHARED)) {
186 error = xchk_parent_count_parent_dentries(sc, dp, &nlink);
187 if (!xchk_fblock_xref_process_error(sc, XFS_DATA_FORK, 0,
190 if (nlink != expected_nlink)
191 xchk_fblock_set_corrupt(sc, XFS_DATA_FORK, 0);
196 * The game changes if we get here. We failed to lock the parent,
197 * so we're going to try to verify both pointers while only holding
198 * one lock so as to avoid deadlocking with something that's actually
199 * trying to traverse down the directory tree.
201 xfs_iunlock(sc->ip, sc->ilock_flags);
203 error = xchk_ilock_inverted(dp, XFS_IOLOCK_SHARED);
207 /* Go looking for our dentry. */
208 error = xchk_parent_count_parent_dentries(sc, dp, &nlink);
209 if (!xchk_fblock_xref_process_error(sc, XFS_DATA_FORK, 0, &error))
212 /* Drop the parent lock, relock this inode. */
213 xfs_iunlock(dp, XFS_IOLOCK_SHARED);
214 error = xchk_ilock_inverted(sc->ip, XFS_IOLOCK_EXCL);
217 sc->ilock_flags = XFS_IOLOCK_EXCL;
220 * If we're an unlinked directory, the parent /won't/ have a link
221 * to us. Otherwise, it should have one link. We have to re-set
222 * it here because we dropped the lock on sc->ip.
224 expected_nlink = VFS_I(sc->ip)->i_nlink == 0 ? 0 : 1;
226 /* Look up '..' to see if the inode changed. */
227 error = xfs_dir_lookup(sc->tp, sc->ip, &xfs_name_dotdot, &dnum, NULL);
228 if (!xchk_fblock_process_error(sc, XFS_DATA_FORK, 0, &error))
231 /* Drat, parent changed. Try again! */
232 if (dnum != dp->i_ino) {
240 * '..' didn't change, so check that there was only one entry
241 * for us in the parent.
243 if (nlink != expected_nlink)
244 xchk_fblock_set_corrupt(sc, XFS_DATA_FORK, 0);
248 xfs_iunlock(dp, XFS_IOLOCK_SHARED);
255 /* Scrub a parent pointer. */
258 struct xfs_scrub *sc)
260 struct xfs_mount *mp = sc->mp;
267 * If we're a directory, check that the '..' link points up to
268 * a directory that has one entry pointing to us.
270 if (!S_ISDIR(VFS_I(sc->ip)->i_mode))
273 /* We're not a special inode, are we? */
274 if (!xfs_verify_dir_ino(mp, sc->ip->i_ino)) {
275 xchk_fblock_set_corrupt(sc, XFS_DATA_FORK, 0);
280 * The VFS grabs a read or write lock via i_rwsem before it reads
281 * or writes to a directory. If we've gotten this far we've
282 * already obtained IOLOCK_EXCL, which (since 4.10) is the same as
283 * getting a write lock on i_rwsem. Therefore, it is safe for us
284 * to drop the ILOCK here in order to do directory lookups.
286 sc->ilock_flags &= ~(XFS_ILOCK_EXCL | XFS_MMAPLOCK_EXCL);
287 xfs_iunlock(sc->ip, XFS_ILOCK_EXCL | XFS_MMAPLOCK_EXCL);
290 error = xfs_dir_lookup(sc->tp, sc->ip, &xfs_name_dotdot, &dnum, NULL);
291 if (!xchk_fblock_process_error(sc, XFS_DATA_FORK, 0, &error))
293 if (!xfs_verify_dir_ino(mp, dnum)) {
294 xchk_fblock_set_corrupt(sc, XFS_DATA_FORK, 0);
298 /* Is this the root dir? Then '..' must point to itself. */
299 if (sc->ip == mp->m_rootip) {
300 if (sc->ip->i_ino != mp->m_sb.sb_rootino ||
301 sc->ip->i_ino != dnum)
302 xchk_fblock_set_corrupt(sc, XFS_DATA_FORK, 0);
307 error = xchk_parent_validate(sc, dnum, &try_again);
310 } while (try_again && ++tries < 20);
313 * We gave it our best shot but failed, so mark this scrub
314 * incomplete. Userspace can decide if it wants to try again.
316 if (try_again && tries == 20)
317 xchk_set_incomplete(sc);
320 * If we failed to lock the parent inode even after a retry, just mark
321 * this scrub incomplete and return.
323 if (sc->try_harder && error == -EDEADLOCK) {
325 xchk_set_incomplete(sc);
projects / releases.git / blob