2023-04-11 18:59:56 -07:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-or-later
|
2017-10-17 21:37:41 -07:00
|
|
|
/*
|
2023-04-11 18:59:57 -07:00
|
|
|
* Copyright (C) 2017-2023 Oracle. All Rights Reserved.
|
2023-04-11 18:59:56 -07:00
|
|
|
* Author: Darrick J. Wong <djwong@kernel.org>
|
2017-10-17 21:37:41 -07:00
|
|
|
*/
|
|
|
|
|
#include "xfs.h"
|
|
|
|
|
#include "xfs_fs.h"
|
|
|
|
|
#include "xfs_shared.h"
|
|
|
|
|
#include "xfs_format.h"
|
2024-02-22 12:43:42 -08:00
|
|
|
#include "xfs_log_format.h"
|
xfs: allow queued AG intents to drain before scrubbing
When a writer thread executes a chain of log intent items, the AG header
buffer locks will cycle during a transaction roll to get from one intent
item to the next in a chain. Although scrub takes all AG header buffer
locks, this isn't sufficient to guard against scrub checking an AG while
that writer thread is in the middle of finishing a chain because there's
no higher level locking primitive guarding allocation groups.
When there's a collision, cross-referencing between data structures
(e.g. rmapbt and refcountbt) yields false corruption events; if repair
is running, this results in incorrect repairs, which is catastrophic.
Fix this by adding to the perag structure the count of active intents
and make scrub wait until it has both AG header buffer locks and the
intent counter reaches zero.
One quirk of the drain code is that deferred bmap updates also bump and
drop the intent counter. A fundamental decision made during the design
phase of the reverse mapping feature is that updates to the rmapbt
records are always made by the same code that updates the primary
metadata. In other words, callers of bmapi functions expect that the
bmapi functions will queue deferred rmap updates.
Some parts of the reflink code queue deferred refcount (CUI) and bmap
(BUI) updates in the same head transaction, but the deferred work
manager completely finishes the CUI before the BUI work is started. As
a result, the CUI drops the intent count long before the deferred rmap
(RUI) update even has a chance to bump the intent count. The only way
to keep the intent count elevated between the CUI and RUI is for the BUI
to bump the counter until the RUI has been created.
A second quirk of the intent drain code is that deferred work items must
increment the intent counter as soon as the work item is added to the
transaction. When a BUI completes and queues an RUI, the RUI must
increment the counter before the BUI decrements it. The only way to
accomplish this is to require that the counter be bumped as soon as the
deferred work item is created in memory.
In the next patches we'll improve on this facility, but this patch
provides the basic functionality.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2023-04-11 18:59:58 -07:00
|
|
|
#include "xfs_trans_resv.h"
|
|
|
|
|
#include "xfs_mount.h"
|
2024-02-22 12:43:42 -08:00
|
|
|
#include "xfs_trans.h"
|
2023-04-20 08:18:34 +10:00
|
|
|
#include "xfs_ag.h"
|
2017-10-17 21:37:41 -07:00
|
|
|
#include "xfs_btree.h"
|
|
|
|
|
#include "xfs_rmap.h"
|
2018-01-16 18:53:09 -08:00
|
|
|
#include "xfs_refcount.h"
|
2017-10-17 21:37:41 -07:00
|
|
|
#include "scrub/scrub.h"
|
|
|
|
|
#include "scrub/common.h"
|
|
|
|
|
#include "scrub/btree.h"
|
2023-04-11 18:59:58 -07:00
|
|
|
#include "scrub/trace.h"
|
2024-02-22 12:43:42 -08:00
|
|
|
#include "scrub/repair.h"
|
2017-10-17 21:37:41 -07:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Set us up to scrub reference count btrees.
|
|
|
|
|
*/
|
|
|
|
|
int
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_setup_ag_refcountbt(
|
2021-04-07 17:59:39 -07:00
|
|
|
struct xfs_scrub *sc)
|
2017-10-17 21:37:41 -07:00
|
|
|
{
|
2023-04-11 18:59:59 -07:00
|
|
|
if (xchk_need_intent_drain(sc))
|
|
|
|
|
xchk_fsgates_enable(sc, XCHK_FSGATES_DRAIN);
|
2024-02-22 12:43:42 -08:00
|
|
|
|
|
|
|
|
if (xchk_could_repair(sc)) {
|
|
|
|
|
int error;
|
|
|
|
|
|
|
|
|
|
error = xrep_setup_ag_refcountbt(sc);
|
|
|
|
|
if (error)
|
|
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
2021-04-07 17:59:39 -07:00
|
|
|
return xchk_setup_ag_btree(sc, false);
|
2017-10-17 21:37:41 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Reference count btree scrubber. */
|
|
|
|
|
|
2018-01-16 18:53:08 -08:00
|
|
|
/*
|
|
|
|
|
* Confirming Reference Counts via Reverse Mappings
|
|
|
|
|
*
|
|
|
|
|
* We want to count the reverse mappings overlapping a refcount record
|
|
|
|
|
* (bno, len, refcount), allowing for the possibility that some of the
|
|
|
|
|
* overlap may come from smaller adjoining reverse mappings, while some
|
|
|
|
|
* comes from single extents which overlap the range entirely. The
|
|
|
|
|
* outer loop is as follows:
|
|
|
|
|
*
|
|
|
|
|
* 1. For all reverse mappings overlapping the refcount extent,
|
|
|
|
|
* a. If a given rmap completely overlaps, mark it as seen.
|
|
|
|
|
* b. Otherwise, record the fragment (in agbno order) for later
|
|
|
|
|
* processing.
|
|
|
|
|
*
|
|
|
|
|
* Once we've seen all the rmaps, we know that for all blocks in the
|
|
|
|
|
* refcount record we want to find $refcount owners and we've already
|
|
|
|
|
* visited $seen extents that overlap all the blocks. Therefore, we
|
|
|
|
|
* need to find ($refcount - $seen) owners for every block in the
|
|
|
|
|
* extent; call that quantity $target_nr. Proceed as follows:
|
|
|
|
|
*
|
|
|
|
|
* 2. Pull the first $target_nr fragments from the list; all of them
|
|
|
|
|
* should start at or before the start of the extent.
|
|
|
|
|
* Call this subset of fragments the working set.
|
|
|
|
|
* 3. Until there are no more unprocessed fragments,
|
|
|
|
|
* a. Find the shortest fragments in the set and remove them.
|
|
|
|
|
* b. Note the block number of the end of these fragments.
|
|
|
|
|
* c. Pull the same number of fragments from the list. All of these
|
|
|
|
|
* fragments should start at the block number recorded in the
|
|
|
|
|
* previous step.
|
|
|
|
|
* d. Put those fragments in the set.
|
|
|
|
|
* 4. Check that there are $target_nr fragments remaining in the list,
|
|
|
|
|
* and that they all end at or beyond the end of the refcount extent.
|
|
|
|
|
*
|
|
|
|
|
* If the refcount is correct, all the check conditions in the algorithm
|
|
|
|
|
* should always hold true. If not, the refcount is incorrect.
|
|
|
|
|
*/
|
2018-07-19 12:29:11 -07:00
|
|
|
struct xchk_refcnt_frag {
|
2018-07-19 12:29:12 -07:00
|
|
|
struct list_head list;
|
|
|
|
|
struct xfs_rmap_irec rm;
|
2018-01-16 18:53:08 -08:00
|
|
|
};
|
|
|
|
|
|
2018-07-19 12:29:11 -07:00
|
|
|
struct xchk_refcnt_check {
|
2018-07-19 12:29:12 -07:00
|
|
|
struct xfs_scrub *sc;
|
2018-07-19 12:29:12 -07:00
|
|
|
struct list_head fragments;
|
2018-01-16 18:53:08 -08:00
|
|
|
|
|
|
|
|
/* refcount extent we're examining */
|
2018-07-19 12:29:12 -07:00
|
|
|
xfs_agblock_t bno;
|
|
|
|
|
xfs_extlen_t len;
|
|
|
|
|
xfs_nlink_t refcount;
|
2018-01-16 18:53:08 -08:00
|
|
|
|
|
|
|
|
/* number of owners seen */
|
2018-07-19 12:29:12 -07:00
|
|
|
xfs_nlink_t seen;
|
2018-01-16 18:53:08 -08:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Decide if the given rmap is large enough that we can redeem it
|
|
|
|
|
* towards refcount verification now, or if it's a fragment, in
|
|
|
|
|
* which case we'll hang onto it in the hopes that we'll later
|
|
|
|
|
* discover that we've collected exactly the correct number of
|
|
|
|
|
* fragments as the refcountbt says we should have.
|
|
|
|
|
*/
|
|
|
|
|
STATIC int
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_refcountbt_rmap_check(
|
2018-01-16 18:53:08 -08:00
|
|
|
struct xfs_btree_cur *cur,
|
2021-08-10 17:02:16 -07:00
|
|
|
const struct xfs_rmap_irec *rec,
|
2018-01-16 18:53:08 -08:00
|
|
|
void *priv)
|
|
|
|
|
{
|
2018-07-19 12:29:11 -07:00
|
|
|
struct xchk_refcnt_check *refchk = priv;
|
|
|
|
|
struct xchk_refcnt_frag *frag;
|
2018-01-16 18:53:08 -08:00
|
|
|
xfs_agblock_t rm_last;
|
|
|
|
|
xfs_agblock_t rc_last;
|
|
|
|
|
int error = 0;
|
|
|
|
|
|
2018-07-19 12:29:11 -07:00
|
|
|
if (xchk_should_terminate(refchk->sc, &error))
|
2018-01-16 18:53:08 -08:00
|
|
|
return error;
|
|
|
|
|
|
|
|
|
|
rm_last = rec->rm_startblock + rec->rm_blockcount - 1;
|
|
|
|
|
rc_last = refchk->bno + refchk->len - 1;
|
|
|
|
|
|
|
|
|
|
/* Confirm that a single-owner refc extent is a CoW stage. */
|
|
|
|
|
if (refchk->refcount == 1 && rec->rm_owner != XFS_RMAP_OWN_COW) {
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_btree_xref_set_corrupt(refchk->sc, cur, 0);
|
2018-01-16 18:53:08 -08:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (rec->rm_startblock <= refchk->bno && rm_last >= rc_last) {
|
|
|
|
|
/*
|
|
|
|
|
* The rmap overlaps the refcount record, so we can confirm
|
|
|
|
|
* one refcount owner seen.
|
|
|
|
|
*/
|
|
|
|
|
refchk->seen++;
|
|
|
|
|
} else {
|
|
|
|
|
/*
|
|
|
|
|
* This rmap covers only part of the refcount record, so
|
|
|
|
|
* save the fragment for later processing. If the rmapbt
|
|
|
|
|
* is healthy each rmap_irec we see will be in agbno order
|
|
|
|
|
* so we don't need insertion sort here.
|
|
|
|
|
*/
|
2022-11-06 17:03:16 -08:00
|
|
|
frag = kmalloc(sizeof(struct xchk_refcnt_frag),
|
|
|
|
|
XCHK_GFP_FLAGS);
|
2018-01-16 18:53:08 -08:00
|
|
|
if (!frag)
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
memcpy(&frag->rm, rec, sizeof(frag->rm));
|
|
|
|
|
list_add_tail(&frag->list, &refchk->fragments);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Given a bunch of rmap fragments, iterate through them, keeping
|
|
|
|
|
* a running tally of the refcount. If this ever deviates from
|
|
|
|
|
* what we expect (which is the refcountbt's refcount minus the
|
|
|
|
|
* number of extents that totally covered the refcountbt extent),
|
|
|
|
|
* we have a refcountbt error.
|
|
|
|
|
*/
|
|
|
|
|
STATIC void
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_refcountbt_process_rmap_fragments(
|
|
|
|
|
struct xchk_refcnt_check *refchk)
|
2018-01-16 18:53:08 -08:00
|
|
|
{
|
|
|
|
|
struct list_head worklist;
|
2018-07-19 12:29:11 -07:00
|
|
|
struct xchk_refcnt_frag *frag;
|
|
|
|
|
struct xchk_refcnt_frag *n;
|
2018-01-16 18:53:08 -08:00
|
|
|
xfs_agblock_t bno;
|
|
|
|
|
xfs_agblock_t rbno;
|
|
|
|
|
xfs_agblock_t next_rbno;
|
|
|
|
|
xfs_nlink_t nr;
|
|
|
|
|
xfs_nlink_t target_nr;
|
|
|
|
|
|
|
|
|
|
target_nr = refchk->refcount - refchk->seen;
|
|
|
|
|
if (target_nr == 0)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* There are (refchk->rc.rc_refcount - refchk->nr refcount)
|
|
|
|
|
* references we haven't found yet. Pull that many off the
|
|
|
|
|
* fragment list and figure out where the smallest rmap ends
|
|
|
|
|
* (and therefore the next rmap should start). All the rmaps
|
|
|
|
|
* we pull off should start at or before the beginning of the
|
|
|
|
|
* refcount record's range.
|
|
|
|
|
*/
|
|
|
|
|
INIT_LIST_HEAD(&worklist);
|
|
|
|
|
rbno = NULLAGBLOCK;
|
|
|
|
|
|
|
|
|
|
/* Make sure the fragments actually /are/ in agbno order. */
|
|
|
|
|
bno = 0;
|
|
|
|
|
list_for_each_entry(frag, &refchk->fragments, list) {
|
|
|
|
|
if (frag->rm.rm_startblock < bno)
|
|
|
|
|
goto done;
|
|
|
|
|
bno = frag->rm.rm_startblock;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Find all the rmaps that start at or before the refc extent,
|
|
|
|
|
* and put them on the worklist.
|
|
|
|
|
*/
|
2020-11-08 16:32:42 -08:00
|
|
|
nr = 0;
|
2018-01-16 18:53:08 -08:00
|
|
|
list_for_each_entry_safe(frag, n, &refchk->fragments, list) {
|
2020-11-08 16:32:42 -08:00
|
|
|
if (frag->rm.rm_startblock > refchk->bno || nr > target_nr)
|
|
|
|
|
break;
|
2018-01-16 18:53:08 -08:00
|
|
|
bno = frag->rm.rm_startblock + frag->rm.rm_blockcount;
|
|
|
|
|
if (bno < rbno)
|
|
|
|
|
rbno = bno;
|
|
|
|
|
list_move_tail(&frag->list, &worklist);
|
|
|
|
|
nr++;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* We should have found exactly $target_nr rmap fragments starting
|
|
|
|
|
* at or before the refcount extent.
|
|
|
|
|
*/
|
|
|
|
|
if (nr != target_nr)
|
|
|
|
|
goto done;
|
|
|
|
|
|
|
|
|
|
while (!list_empty(&refchk->fragments)) {
|
|
|
|
|
/* Discard any fragments ending at rbno from the worklist. */
|
|
|
|
|
nr = 0;
|
|
|
|
|
next_rbno = NULLAGBLOCK;
|
|
|
|
|
list_for_each_entry_safe(frag, n, &worklist, list) {
|
|
|
|
|
bno = frag->rm.rm_startblock + frag->rm.rm_blockcount;
|
|
|
|
|
if (bno != rbno) {
|
|
|
|
|
if (bno < next_rbno)
|
|
|
|
|
next_rbno = bno;
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
list_del(&frag->list);
|
2022-11-06 17:03:16 -08:00
|
|
|
kfree(frag);
|
2018-01-16 18:53:08 -08:00
|
|
|
nr++;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Try to add nr rmaps starting at rbno to the worklist. */
|
|
|
|
|
list_for_each_entry_safe(frag, n, &refchk->fragments, list) {
|
|
|
|
|
bno = frag->rm.rm_startblock + frag->rm.rm_blockcount;
|
|
|
|
|
if (frag->rm.rm_startblock != rbno)
|
|
|
|
|
goto done;
|
|
|
|
|
list_move_tail(&frag->list, &worklist);
|
|
|
|
|
if (next_rbno > bno)
|
|
|
|
|
next_rbno = bno;
|
|
|
|
|
nr--;
|
|
|
|
|
if (nr == 0)
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* If we get here and nr > 0, this means that we added fewer
|
|
|
|
|
* items to the worklist than we discarded because the fragment
|
|
|
|
|
* list ran out of items. Therefore, we cannot maintain the
|
|
|
|
|
* required refcount. Something is wrong, so we're done.
|
|
|
|
|
*/
|
|
|
|
|
if (nr)
|
|
|
|
|
goto done;
|
|
|
|
|
|
|
|
|
|
rbno = next_rbno;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Make sure the last extent we processed ends at or beyond
|
|
|
|
|
* the end of the refcount extent.
|
|
|
|
|
*/
|
|
|
|
|
if (rbno < refchk->bno + refchk->len)
|
|
|
|
|
goto done;
|
|
|
|
|
|
|
|
|
|
/* Actually record us having seen the remaining refcount. */
|
|
|
|
|
refchk->seen = refchk->refcount;
|
|
|
|
|
done:
|
|
|
|
|
/* Delete fragments and work list. */
|
|
|
|
|
list_for_each_entry_safe(frag, n, &worklist, list) {
|
|
|
|
|
list_del(&frag->list);
|
2022-11-06 17:03:16 -08:00
|
|
|
kfree(frag);
|
2018-01-16 18:53:08 -08:00
|
|
|
}
|
|
|
|
|
list_for_each_entry_safe(frag, n, &refchk->fragments, list) {
|
|
|
|
|
list_del(&frag->list);
|
2022-11-06 17:03:16 -08:00
|
|
|
kfree(frag);
|
2018-01-16 18:53:08 -08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Use the rmap entries covering this extent to verify the refcount. */
|
|
|
|
|
STATIC void
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_refcountbt_xref_rmap(
|
2018-07-19 12:29:12 -07:00
|
|
|
struct xfs_scrub *sc,
|
2022-10-11 11:22:54 -07:00
|
|
|
const struct xfs_refcount_irec *irec)
|
2018-01-16 18:53:08 -08:00
|
|
|
{
|
2018-07-19 12:29:11 -07:00
|
|
|
struct xchk_refcnt_check refchk = {
|
2022-10-11 11:22:54 -07:00
|
|
|
.sc = sc,
|
|
|
|
|
.bno = irec->rc_startblock,
|
|
|
|
|
.len = irec->rc_blockcount,
|
|
|
|
|
.refcount = irec->rc_refcount,
|
2018-01-16 18:53:08 -08:00
|
|
|
.seen = 0,
|
|
|
|
|
};
|
|
|
|
|
struct xfs_rmap_irec low;
|
|
|
|
|
struct xfs_rmap_irec high;
|
2018-07-19 12:29:11 -07:00
|
|
|
struct xchk_refcnt_frag *frag;
|
|
|
|
|
struct xchk_refcnt_frag *n;
|
2018-01-16 18:53:08 -08:00
|
|
|
int error;
|
|
|
|
|
|
2018-07-19 12:29:11 -07:00
|
|
|
if (!sc->sa.rmap_cur || xchk_skip_xref(sc->sm))
|
2018-01-16 18:53:08 -08:00
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
/* Cross-reference with the rmapbt to confirm the refcount. */
|
|
|
|
|
memset(&low, 0, sizeof(low));
|
2022-10-11 11:22:54 -07:00
|
|
|
low.rm_startblock = irec->rc_startblock;
|
2018-01-16 18:53:08 -08:00
|
|
|
memset(&high, 0xFF, sizeof(high));
|
2022-10-11 11:22:54 -07:00
|
|
|
high.rm_startblock = irec->rc_startblock + irec->rc_blockcount - 1;
|
2018-01-16 18:53:08 -08:00
|
|
|
|
|
|
|
|
INIT_LIST_HEAD(&refchk.fragments);
|
|
|
|
|
error = xfs_rmap_query_range(sc->sa.rmap_cur, &low, &high,
|
2018-07-19 12:29:11 -07:00
|
|
|
&xchk_refcountbt_rmap_check, &refchk);
|
|
|
|
|
if (!xchk_should_check_xref(sc, &error, &sc->sa.rmap_cur))
|
2018-01-16 18:53:08 -08:00
|
|
|
goto out_free;
|
|
|
|
|
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_refcountbt_process_rmap_fragments(&refchk);
|
2023-04-11 18:59:58 -07:00
|
|
|
if (irec->rc_refcount != refchk.seen) {
|
|
|
|
|
trace_xchk_refcount_incorrect(sc->sa.pag, irec, refchk.seen);
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_btree_xref_set_corrupt(sc, sc->sa.rmap_cur, 0);
|
2023-04-11 18:59:58 -07:00
|
|
|
}
|
2018-01-16 18:53:08 -08:00
|
|
|
|
|
|
|
|
out_free:
|
|
|
|
|
list_for_each_entry_safe(frag, n, &refchk.fragments, list) {
|
|
|
|
|
list_del(&frag->list);
|
2022-11-06 17:03:16 -08:00
|
|
|
kfree(frag);
|
2018-01-16 18:53:08 -08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-01-16 18:53:05 -08:00
|
|
|
/* Cross-reference with the other btrees. */
|
|
|
|
|
STATIC void
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_refcountbt_xref(
|
2022-10-11 11:22:54 -07:00
|
|
|
struct xfs_scrub *sc,
|
|
|
|
|
const struct xfs_refcount_irec *irec)
|
2018-01-16 18:53:05 -08:00
|
|
|
{
|
|
|
|
|
if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)
|
|
|
|
|
return;
|
2018-01-16 18:53:06 -08:00
|
|
|
|
2022-10-11 11:22:54 -07:00
|
|
|
xchk_xref_is_used_space(sc, irec->rc_startblock, irec->rc_blockcount);
|
|
|
|
|
xchk_xref_is_not_inode_chunk(sc, irec->rc_startblock,
|
|
|
|
|
irec->rc_blockcount);
|
|
|
|
|
xchk_refcountbt_xref_rmap(sc, irec);
|
2018-01-16 18:53:05 -08:00
|
|
|
}
|
|
|
|
|
|
2023-04-11 19:00:12 -07:00
|
|
|
struct xchk_refcbt_records {
|
2023-04-11 19:00:27 -07:00
|
|
|
/* Previous refcount record. */
|
|
|
|
|
struct xfs_refcount_irec prev_rec;
|
|
|
|
|
|
2023-04-11 19:00:12 -07:00
|
|
|
/* The next AG block where we aren't expecting shared extents. */
|
|
|
|
|
xfs_agblock_t next_unshared_agbno;
|
|
|
|
|
|
|
|
|
|
/* Number of CoW blocks we expect. */
|
|
|
|
|
xfs_agblock_t cow_blocks;
|
|
|
|
|
|
|
|
|
|
/* Was the last record a shared or CoW staging extent? */
|
|
|
|
|
enum xfs_refc_domain prev_domain;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
STATIC int
|
|
|
|
|
xchk_refcountbt_rmap_check_gap(
|
|
|
|
|
struct xfs_btree_cur *cur,
|
|
|
|
|
const struct xfs_rmap_irec *rec,
|
|
|
|
|
void *priv)
|
|
|
|
|
{
|
|
|
|
|
xfs_agblock_t *next_bno = priv;
|
|
|
|
|
|
|
|
|
|
if (*next_bno != NULLAGBLOCK && rec->rm_startblock < *next_bno)
|
|
|
|
|
return -ECANCELED;
|
|
|
|
|
|
|
|
|
|
*next_bno = rec->rm_startblock + rec->rm_blockcount;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Make sure that a gap in the reference count records does not correspond to
|
|
|
|
|
* overlapping records (i.e. shared extents) in the reverse mappings.
|
|
|
|
|
*/
|
|
|
|
|
static inline void
|
|
|
|
|
xchk_refcountbt_xref_gaps(
|
|
|
|
|
struct xfs_scrub *sc,
|
|
|
|
|
struct xchk_refcbt_records *rrc,
|
|
|
|
|
xfs_agblock_t bno)
|
|
|
|
|
{
|
|
|
|
|
struct xfs_rmap_irec low;
|
|
|
|
|
struct xfs_rmap_irec high;
|
|
|
|
|
xfs_agblock_t next_bno = NULLAGBLOCK;
|
|
|
|
|
int error;
|
|
|
|
|
|
|
|
|
|
if (bno <= rrc->next_unshared_agbno || !sc->sa.rmap_cur ||
|
|
|
|
|
xchk_skip_xref(sc->sm))
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
memset(&low, 0, sizeof(low));
|
|
|
|
|
low.rm_startblock = rrc->next_unshared_agbno;
|
|
|
|
|
memset(&high, 0xFF, sizeof(high));
|
|
|
|
|
high.rm_startblock = bno - 1;
|
|
|
|
|
|
|
|
|
|
error = xfs_rmap_query_range(sc->sa.rmap_cur, &low, &high,
|
|
|
|
|
xchk_refcountbt_rmap_check_gap, &next_bno);
|
|
|
|
|
if (error == -ECANCELED)
|
|
|
|
|
xchk_btree_xref_set_corrupt(sc, sc->sa.rmap_cur, 0);
|
|
|
|
|
else
|
|
|
|
|
xchk_should_check_xref(sc, &error, &sc->sa.rmap_cur);
|
|
|
|
|
}
|
|
|
|
|
|
2023-04-11 19:00:27 -07:00
|
|
|
static inline bool
|
|
|
|
|
xchk_refcount_mergeable(
|
|
|
|
|
struct xchk_refcbt_records *rrc,
|
|
|
|
|
const struct xfs_refcount_irec *r2)
|
|
|
|
|
{
|
|
|
|
|
const struct xfs_refcount_irec *r1 = &rrc->prev_rec;
|
|
|
|
|
|
|
|
|
|
/* Ignore if prev_rec is not yet initialized. */
|
|
|
|
|
if (r1->rc_blockcount > 0)
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
if (r1->rc_domain != r2->rc_domain)
|
|
|
|
|
return false;
|
|
|
|
|
if (r1->rc_startblock + r1->rc_blockcount != r2->rc_startblock)
|
|
|
|
|
return false;
|
|
|
|
|
if (r1->rc_refcount != r2->rc_refcount)
|
|
|
|
|
return false;
|
|
|
|
|
if ((unsigned long long)r1->rc_blockcount + r2->rc_blockcount >
|
|
|
|
|
MAXREFCEXTLEN)
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Flag failures for records that could be merged. */
|
|
|
|
|
STATIC void
|
|
|
|
|
xchk_refcountbt_check_mergeable(
|
|
|
|
|
struct xchk_btree *bs,
|
|
|
|
|
struct xchk_refcbt_records *rrc,
|
|
|
|
|
const struct xfs_refcount_irec *irec)
|
|
|
|
|
{
|
|
|
|
|
if (bs->sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
if (xchk_refcount_mergeable(rrc, irec))
|
|
|
|
|
xchk_btree_set_corrupt(bs->sc, bs->cur, 0);
|
|
|
|
|
|
|
|
|
|
memcpy(&rrc->prev_rec, irec, sizeof(struct xfs_refcount_irec));
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-17 21:37:41 -07:00
|
|
|
/* Scrub a refcountbt record. */
|
|
|
|
|
STATIC int
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_refcountbt_rec(
|
2018-07-19 12:29:12 -07:00
|
|
|
struct xchk_btree *bs,
|
2021-08-10 17:02:17 -07:00
|
|
|
const union xfs_btree_rec *rec)
|
2017-10-17 21:37:41 -07:00
|
|
|
{
|
2022-10-11 11:22:54 -07:00
|
|
|
struct xfs_refcount_irec irec;
|
2023-04-11 19:00:12 -07:00
|
|
|
struct xchk_refcbt_records *rrc = bs->private;
|
2017-10-17 21:37:41 -07:00
|
|
|
|
2022-10-11 11:22:54 -07:00
|
|
|
xfs_refcount_btrec_to_irec(rec, &irec);
|
2023-12-15 10:03:33 -08:00
|
|
|
if (xfs_refcount_check_irec(bs->cur->bc_ag.pag, &irec) != NULL) {
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_btree_set_corrupt(bs->sc, bs->cur, 0);
|
2023-04-11 19:00:02 -07:00
|
|
|
return 0;
|
|
|
|
|
}
|
2022-10-26 14:31:27 -07:00
|
|
|
|
|
|
|
|
if (irec.rc_domain == XFS_REFC_DOMAIN_COW)
|
2023-04-11 19:00:12 -07:00
|
|
|
rrc->cow_blocks += irec.rc_blockcount;
|
|
|
|
|
|
|
|
|
|
/* Shared records always come before CoW records. */
|
|
|
|
|
if (irec.rc_domain == XFS_REFC_DOMAIN_SHARED &&
|
|
|
|
|
rrc->prev_domain == XFS_REFC_DOMAIN_COW)
|
|
|
|
|
xchk_btree_set_corrupt(bs->sc, bs->cur, 0);
|
|
|
|
|
rrc->prev_domain = irec.rc_domain;
|
2017-10-17 21:37:41 -07:00
|
|
|
|
2023-04-11 19:00:27 -07:00
|
|
|
xchk_refcountbt_check_mergeable(bs, rrc, &irec);
|
2022-10-11 11:22:54 -07:00
|
|
|
xchk_refcountbt_xref(bs->sc, &irec);
|
2018-01-16 18:53:05 -08:00
|
|
|
|
2023-04-11 19:00:12 -07:00
|
|
|
/*
|
|
|
|
|
* If this is a record for a shared extent, check that all blocks
|
|
|
|
|
* between the previous record and this one have at most one reverse
|
|
|
|
|
* mapping.
|
|
|
|
|
*/
|
|
|
|
|
if (irec.rc_domain == XFS_REFC_DOMAIN_SHARED) {
|
|
|
|
|
xchk_refcountbt_xref_gaps(bs->sc, rrc, irec.rc_startblock);
|
|
|
|
|
rrc->next_unshared_agbno = irec.rc_startblock +
|
|
|
|
|
irec.rc_blockcount;
|
|
|
|
|
}
|
|
|
|
|
|
2019-09-30 11:31:48 -07:00
|
|
|
return 0;
|
2017-10-17 21:37:41 -07:00
|
|
|
}
|
|
|
|
|
|
2018-01-16 18:53:08 -08:00
|
|
|
/* Make sure we have as many refc blocks as the rmap says. */
|
|
|
|
|
STATIC void
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_refcount_xref_rmap(
|
2018-07-19 12:29:12 -07:00
|
|
|
struct xfs_scrub *sc,
|
2018-07-19 12:29:12 -07:00
|
|
|
xfs_filblks_t cow_blocks)
|
2018-01-16 18:53:08 -08:00
|
|
|
{
|
2018-07-19 12:29:12 -07:00
|
|
|
xfs_extlen_t refcbt_blocks = 0;
|
|
|
|
|
xfs_filblks_t blocks;
|
|
|
|
|
int error;
|
2018-01-16 18:53:08 -08:00
|
|
|
|
2018-07-19 12:29:11 -07:00
|
|
|
if (!sc->sa.rmap_cur || xchk_skip_xref(sc->sm))
|
2018-01-16 18:53:08 -08:00
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
/* Check that we saw as many refcbt blocks as the rmap knows about. */
|
|
|
|
|
error = xfs_btree_count_blocks(sc->sa.refc_cur, &refcbt_blocks);
|
2018-07-19 12:29:11 -07:00
|
|
|
if (!xchk_btree_process_error(sc, sc->sa.refc_cur, 0, &error))
|
2018-01-16 18:53:08 -08:00
|
|
|
return;
|
2018-12-12 08:46:23 -08:00
|
|
|
error = xchk_count_rmap_ownedby_ag(sc, sc->sa.rmap_cur,
|
|
|
|
|
&XFS_RMAP_OINFO_REFC, &blocks);
|
2018-07-19 12:29:11 -07:00
|
|
|
if (!xchk_should_check_xref(sc, &error, &sc->sa.rmap_cur))
|
2018-01-16 18:53:08 -08:00
|
|
|
return;
|
|
|
|
|
if (blocks != refcbt_blocks)
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_btree_xref_set_corrupt(sc, sc->sa.rmap_cur, 0);
|
2018-01-16 18:53:08 -08:00
|
|
|
|
|
|
|
|
/* Check that we saw as many cow blocks as the rmap knows about. */
|
2018-12-12 08:46:23 -08:00
|
|
|
error = xchk_count_rmap_ownedby_ag(sc, sc->sa.rmap_cur,
|
|
|
|
|
&XFS_RMAP_OINFO_COW, &blocks);
|
2018-07-19 12:29:11 -07:00
|
|
|
if (!xchk_should_check_xref(sc, &error, &sc->sa.rmap_cur))
|
2018-01-16 18:53:08 -08:00
|
|
|
return;
|
|
|
|
|
if (blocks != cow_blocks)
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_btree_xref_set_corrupt(sc, sc->sa.rmap_cur, 0);
|
2018-01-16 18:53:08 -08:00
|
|
|
}
|
|
|
|
|
|
2017-10-17 21:37:41 -07:00
|
|
|
/* Scrub the refcount btree for some AG. */
|
|
|
|
|
int
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_refcountbt(
|
2018-07-19 12:29:12 -07:00
|
|
|
struct xfs_scrub *sc)
|
2017-10-17 21:37:41 -07:00
|
|
|
{
|
2023-04-11 19:00:12 -07:00
|
|
|
struct xchk_refcbt_records rrc = {
|
|
|
|
|
.cow_blocks = 0,
|
|
|
|
|
.next_unshared_agbno = 0,
|
|
|
|
|
.prev_domain = XFS_REFC_DOMAIN_SHARED,
|
|
|
|
|
};
|
2018-07-19 12:29:12 -07:00
|
|
|
int error;
|
2017-10-17 21:37:41 -07:00
|
|
|
|
2018-07-19 12:29:11 -07:00
|
|
|
error = xchk_btree(sc, sc->sa.refc_cur, xchk_refcountbt_rec,
|
2023-04-11 19:00:12 -07:00
|
|
|
&XFS_RMAP_OINFO_REFC, &rrc);
|
2018-01-16 18:53:08 -08:00
|
|
|
if (error)
|
|
|
|
|
return error;
|
|
|
|
|
|
2023-04-11 19:00:12 -07:00
|
|
|
/*
|
|
|
|
|
* Check that all blocks between the last refcount > 1 record and the
|
|
|
|
|
* end of the AG have at most one reverse mapping.
|
|
|
|
|
*/
|
|
|
|
|
xchk_refcountbt_xref_gaps(sc, &rrc, sc->mp->m_sb.sb_agblocks);
|
|
|
|
|
|
|
|
|
|
xchk_refcount_xref_rmap(sc, rrc.cow_blocks);
|
2018-01-16 18:53:08 -08:00
|
|
|
|
|
|
|
|
return 0;
|
2017-10-17 21:37:41 -07:00
|
|
|
}
|
2018-01-16 18:53:09 -08:00
|
|
|
|
|
|
|
|
/* xref check that a cow staging extent is marked in the refcountbt. */
|
|
|
|
|
void
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_xref_is_cow_staging(
|
2018-07-19 12:29:12 -07:00
|
|
|
struct xfs_scrub *sc,
|
2018-01-16 18:53:09 -08:00
|
|
|
xfs_agblock_t agbno,
|
|
|
|
|
xfs_extlen_t len)
|
|
|
|
|
{
|
|
|
|
|
struct xfs_refcount_irec rc;
|
|
|
|
|
int has_refcount;
|
|
|
|
|
int error;
|
|
|
|
|
|
2018-07-19 12:29:11 -07:00
|
|
|
if (!sc->sa.refc_cur || xchk_skip_xref(sc->sm))
|
2018-01-16 18:53:09 -08:00
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
/* Find the CoW staging extent. */
|
xfs: track cow/shared record domains explicitly in xfs_refcount_irec
Just prior to committing the reflink code into upstream, the xfs
maintainer at the time requested that I find a way to shard the refcount
records into two domains -- one for records tracking shared extents, and
a second for tracking CoW staging extents. The idea here was to
minimize mount time CoW reclamation by pushing all the CoW records to
the right edge of the keyspace, and it was accomplished by setting the
upper bit in rc_startblock. We don't allow AGs to have more than 2^31
blocks, so the bit was free.
Unfortunately, this was a very late addition to the codebase, so most of
the refcount record processing code still treats rc_startblock as a u32
and pays no attention to whether or not the upper bit (the cow flag) is
set. This is a weakness is theoretically exploitable, since we're not
fully validating the incoming metadata records.
Fuzzing demonstrates practical exploits of this weakness. If the cow
flag of a node block key record is corrupted, a lookup operation can go
to the wrong record block and start returning records from the wrong
cow/shared domain. This causes the math to go all wrong (since cow
domain is still implicit in the upper bit of rc_startblock) and we can
crash the kernel by tricking xfs into jumping into a nonexistent AG and
tripping over xfs_perag_get(mp, <nonexistent AG>) returning NULL.
To fix this, start tracking the domain as an explicit part of struct
xfs_refcount_irec, adjust all refcount functions to check the domain
of a returned record, and alter the function definitions to accept them
where necessary.
Found by fuzzing keys[2].cowflag = add in xfs/464.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
2022-10-10 09:06:24 -07:00
|
|
|
error = xfs_refcount_lookup_le(sc->sa.refc_cur, XFS_REFC_DOMAIN_COW,
|
|
|
|
|
agbno, &has_refcount);
|
2018-07-19 12:29:11 -07:00
|
|
|
if (!xchk_should_check_xref(sc, &error, &sc->sa.refc_cur))
|
2018-01-16 18:53:09 -08:00
|
|
|
return;
|
|
|
|
|
if (!has_refcount) {
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_btree_xref_set_corrupt(sc, sc->sa.refc_cur, 0);
|
2018-01-16 18:53:09 -08:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
error = xfs_refcount_get_rec(sc->sa.refc_cur, &rc, &has_refcount);
|
2018-07-19 12:29:11 -07:00
|
|
|
if (!xchk_should_check_xref(sc, &error, &sc->sa.refc_cur))
|
2018-01-16 18:53:09 -08:00
|
|
|
return;
|
|
|
|
|
if (!has_refcount) {
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_btree_xref_set_corrupt(sc, sc->sa.refc_cur, 0);
|
2018-01-16 18:53:09 -08:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2022-10-26 14:16:36 -07:00
|
|
|
/* CoW lookup returned a shared extent record? */
|
|
|
|
|
if (rc.rc_domain != XFS_REFC_DOMAIN_COW)
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_btree_xref_set_corrupt(sc, sc->sa.refc_cur, 0);
|
2018-01-16 18:53:09 -08:00
|
|
|
|
|
|
|
|
/* Must be at least as long as what was passed in */
|
|
|
|
|
if (rc.rc_blockcount < len)
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_btree_xref_set_corrupt(sc, sc->sa.refc_cur, 0);
|
2018-01-16 18:53:09 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* xref check that the extent is not shared. Only file data blocks
|
|
|
|
|
* can have multiple owners.
|
|
|
|
|
*/
|
|
|
|
|
void
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_xref_is_not_shared(
|
2018-07-19 12:29:12 -07:00
|
|
|
struct xfs_scrub *sc,
|
2018-07-19 12:29:12 -07:00
|
|
|
xfs_agblock_t agbno,
|
|
|
|
|
xfs_extlen_t len)
|
2018-01-16 18:53:09 -08:00
|
|
|
{
|
2023-04-11 19:00:10 -07:00
|
|
|
enum xbtree_recpacking outcome;
|
2018-07-19 12:29:12 -07:00
|
|
|
int error;
|
2018-01-16 18:53:09 -08:00
|
|
|
|
2018-07-19 12:29:11 -07:00
|
|
|
if (!sc->sa.refc_cur || xchk_skip_xref(sc->sm))
|
2018-01-16 18:53:09 -08:00
|
|
|
return;
|
|
|
|
|
|
2023-04-11 19:00:10 -07:00
|
|
|
error = xfs_refcount_has_records(sc->sa.refc_cur,
|
|
|
|
|
XFS_REFC_DOMAIN_SHARED, agbno, len, &outcome);
|
2018-07-19 12:29:11 -07:00
|
|
|
if (!xchk_should_check_xref(sc, &error, &sc->sa.refc_cur))
|
2018-01-16 18:53:09 -08:00
|
|
|
return;
|
2023-04-11 19:00:10 -07:00
|
|
|
if (outcome != XBTREE_RECPACKING_EMPTY)
|
2018-07-19 12:29:11 -07:00
|
|
|
xchk_btree_xref_set_corrupt(sc, sc->sa.refc_cur, 0);
|
2018-01-16 18:53:09 -08:00
|
|
|
}
|
2023-04-11 19:00:12 -07:00
|
|
|
|
|
|
|
|
/* xref check that the extent is not being used for CoW staging. */
|
|
|
|
|
void
|
|
|
|
|
xchk_xref_is_not_cow_staging(
|
|
|
|
|
struct xfs_scrub *sc,
|
|
|
|
|
xfs_agblock_t agbno,
|
|
|
|
|
xfs_extlen_t len)
|
|
|
|
|
{
|
|
|
|
|
enum xbtree_recpacking outcome;
|
|
|
|
|
int error;
|
|
|
|
|
|
|
|
|
|
if (!sc->sa.refc_cur || xchk_skip_xref(sc->sm))
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
error = xfs_refcount_has_records(sc->sa.refc_cur, XFS_REFC_DOMAIN_COW,
|
|
|
|
|
agbno, len, &outcome);
|
|
|
|
|
if (!xchk_should_check_xref(sc, &error, &sc->sa.refc_cur))
|
|
|
|
|
return;
|
|
|
|
|
if (outcome != XBTREE_RECPACKING_EMPTY)
|
|
|
|
|
xchk_btree_xref_set_corrupt(sc, sc->sa.refc_cur, 0);
|
|
|
|
|
}
|