1 // SPDX-License-Identifier: GPL-2.0+
3 * Copyright (C) 2017 Oracle. All Rights Reserved.
4 * Author: Darrick J. Wong <darrick.wong@oracle.com>
8 #include "xfs_shared.h"
9 #include "xfs_format.h"
10 #include "xfs_trans_resv.h"
11 #include "xfs_mount.h"
12 #include "xfs_btree.h"
13 #include "xfs_log_format.h"
14 #include "xfs_inode.h"
15 #include "xfs_ialloc.h"
16 #include "xfs_da_format.h"
17 #include "xfs_reflink.h"
19 #include "xfs_bmap_util.h"
20 #include "scrub/scrub.h"
21 #include "scrub/common.h"
22 #include "scrub/btree.h"
25 * Grab total control of the inode metadata. It doesn't matter here if
26 * the file data is still changing; exclusive access to the metadata is
36 * Try to get the inode. If the verifiers fail, we try again
39 error = xchk_get_inode(sc);
45 return xchk_trans_alloc(sc, 0);
50 /* Got the inode, lock it and we're ready to go. */
51 sc->ilock_flags = XFS_IOLOCK_EXCL | XFS_MMAPLOCK_EXCL;
52 xfs_ilock(sc->ip, sc->ilock_flags);
53 error = xchk_trans_alloc(sc, 0);
56 sc->ilock_flags |= XFS_ILOCK_EXCL;
57 xfs_ilock(sc->ip, XFS_ILOCK_EXCL);
60 /* scrub teardown will unlock and release the inode for us */
66 /* Validate di_extsize hint. */
70 struct xfs_dinode *dip,
76 uint32_t value = be32_to_cpu(dip->di_extsize);
78 fa = xfs_inode_validate_extsize(sc->mp, value, mode, flags);
80 xchk_ino_set_corrupt(sc, ino);
83 * XFS allows a sysadmin to change the rt extent size when adding a rt
84 * section to a filesystem after formatting. If there are any
85 * directories with extszinherit and rtinherit set, the hint could
86 * become misaligned with the new rextsize. The verifier doesn't check
87 * this, because we allow rtinherit directories even without an rt
88 * device. Flag this as an administrative warning since we will clean
91 if ((flags & XFS_DIFLAG_RTINHERIT) &&
92 (flags & XFS_DIFLAG_EXTSZINHERIT) &&
93 value % sc->mp->m_sb.sb_rextsize > 0)
94 xchk_ino_set_warning(sc, ino);
98 * Validate di_cowextsize hint.
100 * The rules are documented at xfs_ioctl_setattr_check_cowextsize().
101 * These functions must be kept in sync with each other.
104 xchk_inode_cowextsize(
105 struct xfs_scrub *sc,
106 struct xfs_dinode *dip,
114 fa = xfs_inode_validate_cowextsize(sc->mp,
115 be32_to_cpu(dip->di_cowextsize), mode, flags,
118 xchk_ino_set_corrupt(sc, ino);
121 /* Make sure the di_flags make sense for the inode. */
124 struct xfs_scrub *sc,
125 struct xfs_dinode *dip,
130 struct xfs_mount *mp = sc->mp;
132 /* di_flags are all taken, last bit cannot be used */
133 if (flags & ~XFS_DIFLAG_ANY)
136 /* rt flags require rt device */
137 if ((flags & XFS_DIFLAG_REALTIME) && !mp->m_rtdev_targp)
140 /* new rt bitmap flag only valid for rbmino */
141 if ((flags & XFS_DIFLAG_NEWRTBM) && ino != mp->m_sb.sb_rbmino)
144 /* directory-only flags */
145 if ((flags & (XFS_DIFLAG_RTINHERIT |
146 XFS_DIFLAG_EXTSZINHERIT |
147 XFS_DIFLAG_PROJINHERIT |
148 XFS_DIFLAG_NOSYMLINKS)) &&
152 /* file-only flags */
153 if ((flags & (XFS_DIFLAG_REALTIME | FS_XFLAG_EXTSIZE)) &&
157 /* filestreams and rt make no sense */
158 if ((flags & XFS_DIFLAG_FILESTREAM) && (flags & XFS_DIFLAG_REALTIME))
163 xchk_ino_set_corrupt(sc, ino);
166 /* Make sure the di_flags2 make sense for the inode. */
169 struct xfs_scrub *sc,
170 struct xfs_dinode *dip,
176 struct xfs_mount *mp = sc->mp;
178 /* Unknown di_flags2 could be from a future kernel */
179 if (flags2 & ~XFS_DIFLAG2_ANY)
180 xchk_ino_set_warning(sc, ino);
182 /* reflink flag requires reflink feature */
183 if ((flags2 & XFS_DIFLAG2_REFLINK) &&
184 !xfs_has_reflink(mp))
187 /* cowextsize flag is checked w.r.t. mode separately */
189 /* file/dir-only flags */
190 if ((flags2 & XFS_DIFLAG2_DAX) && !(S_ISREG(mode) || S_ISDIR(mode)))
193 /* file-only flags */
194 if ((flags2 & XFS_DIFLAG2_REFLINK) && !S_ISREG(mode))
197 /* realtime and reflink make no sense, currently */
198 if ((flags & XFS_DIFLAG_REALTIME) && (flags2 & XFS_DIFLAG2_REFLINK))
201 /* no bigtime iflag without the bigtime feature */
202 if (xfs_dinode_has_bigtime(dip) &&
203 !xfs_sb_version_hasbigtime(&mp->m_sb))
208 xchk_ino_set_corrupt(sc, ino);
213 struct xfs_scrub *sc,
215 struct xfs_dinode *dip,
216 const xfs_timestamp_t ts)
218 struct timespec64 tv;
220 tv = xfs_inode_from_disk_ts(dip, ts);
221 if (tv.tv_nsec < 0 || tv.tv_nsec >= NSEC_PER_SEC)
222 xchk_ino_set_corrupt(sc, ino);
225 /* Scrub all the ondisk inode fields. */
228 struct xfs_scrub *sc,
229 struct xfs_dinode *dip,
232 struct xfs_mount *mp = sc->mp;
234 unsigned long long isize;
240 flags = be16_to_cpu(dip->di_flags);
241 if (dip->di_version >= 3)
242 flags2 = be64_to_cpu(dip->di_flags2);
247 mode = be16_to_cpu(dip->di_mode);
248 switch (mode & S_IFMT) {
256 /* mode is recognized */
259 xchk_ino_set_corrupt(sc, ino);
264 switch (dip->di_version) {
267 * We autoconvert v1 inodes into v2 inodes on writeout,
268 * so just mark this inode for preening.
270 xchk_ino_set_preen(sc, ino);
274 if (dip->di_onlink != 0)
275 xchk_ino_set_corrupt(sc, ino);
277 if (dip->di_mode == 0 && sc->ip)
278 xchk_ino_set_corrupt(sc, ino);
280 if (dip->di_projid_hi != 0 &&
281 !xfs_has_projid32(mp))
282 xchk_ino_set_corrupt(sc, ino);
285 xchk_ino_set_corrupt(sc, ino);
290 * di_uid/di_gid -- -1 isn't invalid, but there's no way that
291 * userspace could have created that.
293 if (dip->di_uid == cpu_to_be32(-1U) ||
294 dip->di_gid == cpu_to_be32(-1U))
295 xchk_ino_set_warning(sc, ino);
298 switch (dip->di_format) {
299 case XFS_DINODE_FMT_DEV:
300 if (!S_ISCHR(mode) && !S_ISBLK(mode) &&
301 !S_ISFIFO(mode) && !S_ISSOCK(mode))
302 xchk_ino_set_corrupt(sc, ino);
304 case XFS_DINODE_FMT_LOCAL:
305 if (!S_ISDIR(mode) && !S_ISLNK(mode))
306 xchk_ino_set_corrupt(sc, ino);
308 case XFS_DINODE_FMT_EXTENTS:
309 if (!S_ISREG(mode) && !S_ISDIR(mode) && !S_ISLNK(mode))
310 xchk_ino_set_corrupt(sc, ino);
312 case XFS_DINODE_FMT_BTREE:
313 if (!S_ISREG(mode) && !S_ISDIR(mode))
314 xchk_ino_set_corrupt(sc, ino);
316 case XFS_DINODE_FMT_UUID:
318 xchk_ino_set_corrupt(sc, ino);
322 /* di_[amc]time.nsec */
323 xchk_dinode_nsec(sc, ino, dip, dip->di_atime);
324 xchk_dinode_nsec(sc, ino, dip, dip->di_mtime);
325 xchk_dinode_nsec(sc, ino, dip, dip->di_ctime);
328 * di_size. xfs_dinode_verify checks for things that screw up
329 * the VFS such as the upper bit being set and zero-length
330 * symlinks/directories, but we can do more here.
332 isize = be64_to_cpu(dip->di_size);
333 if (isize & (1ULL << 63))
334 xchk_ino_set_corrupt(sc, ino);
336 /* Devices, fifos, and sockets must have zero size */
337 if (!S_ISDIR(mode) && !S_ISREG(mode) && !S_ISLNK(mode) && isize != 0)
338 xchk_ino_set_corrupt(sc, ino);
340 /* Directories can't be larger than the data section size (32G) */
341 if (S_ISDIR(mode) && (isize == 0 || isize >= XFS_DIR2_SPACE_SIZE))
342 xchk_ino_set_corrupt(sc, ino);
344 /* Symlinks can't be larger than SYMLINK_MAXLEN */
345 if (S_ISLNK(mode) && (isize == 0 || isize >= XFS_SYMLINK_MAXLEN))
346 xchk_ino_set_corrupt(sc, ino);
349 * Warn if the running kernel can't handle the kinds of offsets
350 * needed to deal with the file size. In other words, if the
351 * pagecache can't cache all the blocks in this file due to
352 * overly large offsets, flag the inode for admin review.
354 if (isize >= mp->m_super->s_maxbytes)
355 xchk_ino_set_warning(sc, ino);
358 if (flags2 & XFS_DIFLAG2_REFLINK) {
359 ; /* nblocks can exceed dblocks */
360 } else if (flags & XFS_DIFLAG_REALTIME) {
362 * nblocks is the sum of data extents (in the rtdev),
363 * attr extents (in the datadev), and both forks' bmbt
364 * blocks (in the datadev). This clumsy check is the
365 * best we can do without cross-referencing with the
368 if (be64_to_cpu(dip->di_nblocks) >=
369 mp->m_sb.sb_dblocks + mp->m_sb.sb_rblocks)
370 xchk_ino_set_corrupt(sc, ino);
372 if (be64_to_cpu(dip->di_nblocks) >= mp->m_sb.sb_dblocks)
373 xchk_ino_set_corrupt(sc, ino);
376 xchk_inode_flags(sc, dip, ino, mode, flags);
378 xchk_inode_extsize(sc, dip, ino, mode, flags);
381 nextents = be32_to_cpu(dip->di_nextents);
382 fork_recs = XFS_DFORK_DSIZE(dip, mp) / sizeof(struct xfs_bmbt_rec);
383 switch (dip->di_format) {
384 case XFS_DINODE_FMT_EXTENTS:
385 if (nextents > fork_recs)
386 xchk_ino_set_corrupt(sc, ino);
388 case XFS_DINODE_FMT_BTREE:
389 if (nextents <= fork_recs)
390 xchk_ino_set_corrupt(sc, ino);
394 xchk_ino_set_corrupt(sc, ino);
399 if (XFS_DFORK_APTR(dip) >= (char *)dip + mp->m_sb.sb_inodesize)
400 xchk_ino_set_corrupt(sc, ino);
401 if (dip->di_anextents != 0 && dip->di_forkoff == 0)
402 xchk_ino_set_corrupt(sc, ino);
403 if (dip->di_forkoff == 0 && dip->di_aformat != XFS_DINODE_FMT_EXTENTS)
404 xchk_ino_set_corrupt(sc, ino);
407 if (dip->di_aformat != XFS_DINODE_FMT_LOCAL &&
408 dip->di_aformat != XFS_DINODE_FMT_EXTENTS &&
409 dip->di_aformat != XFS_DINODE_FMT_BTREE)
410 xchk_ino_set_corrupt(sc, ino);
413 nextents = be16_to_cpu(dip->di_anextents);
414 fork_recs = XFS_DFORK_ASIZE(dip, mp) / sizeof(struct xfs_bmbt_rec);
415 switch (dip->di_aformat) {
416 case XFS_DINODE_FMT_EXTENTS:
417 if (nextents > fork_recs)
418 xchk_ino_set_corrupt(sc, ino);
420 case XFS_DINODE_FMT_BTREE:
421 if (nextents <= fork_recs)
422 xchk_ino_set_corrupt(sc, ino);
426 xchk_ino_set_corrupt(sc, ino);
429 if (dip->di_version >= 3) {
430 xchk_dinode_nsec(sc, ino, dip, dip->di_crtime);
431 xchk_inode_flags2(sc, dip, ino, mode, flags, flags2);
432 xchk_inode_cowextsize(sc, dip, ino, mode, flags,
438 * Make sure the finobt doesn't think this inode is free.
439 * We don't have to check the inobt ourselves because we got the inode via
440 * IGET_UNTRUSTED, which checks the inobt for us.
443 xchk_inode_xref_finobt(
444 struct xfs_scrub *sc,
447 struct xfs_inobt_rec_incore rec;
452 if (!sc->sa.fino_cur || xchk_skip_xref(sc->sm))
455 agino = XFS_INO_TO_AGINO(sc->mp, ino);
458 * Try to get the finobt record. If we can't get it, then we're
461 error = xfs_inobt_lookup(sc->sa.fino_cur, agino, XFS_LOOKUP_LE,
463 if (!xchk_should_check_xref(sc, &error, &sc->sa.fino_cur) ||
467 error = xfs_inobt_get_rec(sc->sa.fino_cur, &rec, &has_record);
468 if (!xchk_should_check_xref(sc, &error, &sc->sa.fino_cur) ||
473 * Otherwise, make sure this record either doesn't cover this inode,
474 * or that it does but it's marked present.
476 if (rec.ir_startino > agino ||
477 rec.ir_startino + XFS_INODES_PER_CHUNK <= agino)
480 if (rec.ir_free & XFS_INOBT_MASK(agino - rec.ir_startino))
481 xchk_btree_xref_set_corrupt(sc, sc->sa.fino_cur, 0);
484 /* Cross reference the inode fields with the forks. */
486 xchk_inode_xref_bmap(
487 struct xfs_scrub *sc,
488 struct xfs_dinode *dip)
490 xfs_extnum_t nextents;
492 xfs_filblks_t acount;
495 if (xchk_skip_xref(sc->sm))
498 /* Walk all the extents to check nextents/naextents/nblocks. */
499 error = xfs_bmap_count_blocks(sc->tp, sc->ip, XFS_DATA_FORK,
501 if (!xchk_should_check_xref(sc, &error, NULL))
503 if (nextents < be32_to_cpu(dip->di_nextents))
504 xchk_ino_xref_set_corrupt(sc, sc->ip->i_ino);
506 error = xfs_bmap_count_blocks(sc->tp, sc->ip, XFS_ATTR_FORK,
508 if (!xchk_should_check_xref(sc, &error, NULL))
510 if (nextents != be16_to_cpu(dip->di_anextents))
511 xchk_ino_xref_set_corrupt(sc, sc->ip->i_ino);
513 /* Check nblocks against the inode. */
514 if (count + acount != be64_to_cpu(dip->di_nblocks))
515 xchk_ino_xref_set_corrupt(sc, sc->ip->i_ino);
518 /* Cross-reference with the other btrees. */
521 struct xfs_scrub *sc,
523 struct xfs_dinode *dip)
529 if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)
532 agno = XFS_INO_TO_AGNO(sc->mp, ino);
533 agbno = XFS_INO_TO_AGBNO(sc->mp, ino);
535 error = xchk_ag_init_existing(sc, agno, &sc->sa);
536 if (!xchk_xref_process_error(sc, agno, agbno, &error))
539 xchk_xref_is_used_space(sc, agbno, 1);
540 xchk_inode_xref_finobt(sc, ino);
541 xchk_xref_is_owned_by(sc, agbno, 1, &XFS_RMAP_OINFO_INODES);
542 xchk_xref_is_not_shared(sc, agbno, 1);
543 xchk_inode_xref_bmap(sc, dip);
545 xchk_ag_free(sc, &sc->sa);
549 * If the reflink iflag disagrees with a scan for shared data fork extents,
550 * either flag an error (shared extents w/ no flag) or a preen (flag set w/o
551 * any shared extents). We already checked for reflink iflag set on a non
552 * reflink filesystem.
555 xchk_inode_check_reflink_iflag(
556 struct xfs_scrub *sc,
559 struct xfs_mount *mp = sc->mp;
563 if (!xfs_has_reflink(mp))
566 error = xfs_reflink_inode_has_shared_extents(sc->tp, sc->ip,
568 if (!xchk_xref_process_error(sc, XFS_INO_TO_AGNO(mp, ino),
569 XFS_INO_TO_AGBNO(mp, ino), &error))
571 if (xfs_is_reflink_inode(sc->ip) && !has_shared)
572 xchk_ino_set_preen(sc, ino);
573 else if (!xfs_is_reflink_inode(sc->ip) && has_shared)
574 xchk_ino_set_corrupt(sc, ino);
577 /* Scrub an inode. */
580 struct xfs_scrub *sc)
582 struct xfs_dinode di;
586 * If sc->ip is NULL, that means that the setup function called
587 * xfs_iget to look up the inode. xfs_iget returned a EFSCORRUPTED
588 * and a NULL inode, so flag the corruption error and return.
591 xchk_ino_set_corrupt(sc, sc->sm->sm_ino);
595 /* Scrub the inode core. */
596 xfs_inode_to_disk(sc->ip, &di, 0);
597 xchk_dinode(sc, &di, sc->ip->i_ino);
598 if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)
602 * Look for discrepancies between file's data blocks and the reflink
603 * iflag. We already checked the iflag against the file mode when
604 * we scrubbed the dinode.
606 if (S_ISREG(VFS_I(sc->ip)->i_mode))
607 xchk_inode_check_reflink_iflag(sc, sc->ip->i_ino);
609 xchk_inode_xref(sc, sc->ip->i_ino, &di);
projects / linux-2.6-microblaze.git / blob