xfs: check for sparse inode clusters that cross new EOAG when shrinking

While running xfs/168, I noticed occasional write verifier shutdowns
involving inodes at the very end of the filesystem.  Existing inode
btree validation code checks that all inode clusters are fully contained
within the filesystem.

However, due to inadequate checking in the fs shrink code, it's possible
that there could be a sparse inode cluster at the end of the filesystem
where the upper inodes of the cluster are marked as holes and the
corresponding blocks are free.  In this case, the last blocks in the AG
are listed in the bnobt.  This enables the shrink to proceed but results
in a filesystem that trips the inode verifiers.  Fix this by disallowing
the shrink.

Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>

diff --git a/fs/xfs/libxfs/xfs_ag.c b/fs/xfs/libxfs/xfs_ag.c
index 778ec52..ee9ec0c 100644 (file)
--- a/fs/xfs/libxfs/xfs_ag.c
+++ b/fs/xfs/libxfs/xfs_ag.c
@@ -803,6 +803,14 @@ xfs_ag_shrink_space(
 
        args.fsbno = XFS_AGB_TO_FSB(mp, agno, aglen - delta);
 
+       /*
+        * Make sure that the last inode cluster cannot overlap with the new
+        * end of the AG, even if it's sparse.
+        */
+       error = xfs_ialloc_check_shrink(*tpp, agno, agibp, aglen - delta);
+       if (error)
+               return error;
+
        /*
         * Disable perag reservations so it doesn't cause the allocation request
         * to fail. We'll reestablish reservation before we return.

diff --git a/fs/xfs/libxfs/xfs_ialloc.c b/fs/xfs/libxfs/xfs_ialloc.c
index 57d9cb6..aaf8805 100644 (file)
--- a/fs/xfs/libxfs/xfs_ialloc.c
+++ b/fs/xfs/libxfs/xfs_ialloc.c
@@ -2928,3 +2928,58 @@ xfs_ialloc_calc_rootino(
 
        return XFS_AGINO_TO_INO(mp, 0, XFS_AGB_TO_AGINO(mp, first_bno));
 }
+
+/*
+ * Ensure there are not sparse inode clusters that cross the new EOAG.
+ *
+ * This is a no-op for non-spinode filesystems since clusters are always fully
+ * allocated and checking the bnobt suffices.  However, a spinode filesystem
+ * could have a record where the upper inodes are free blocks.  If those blocks
+ * were removed from the filesystem, the inode record would extend beyond EOAG,
+ * which will be flagged as corruption.
+ */
+int
+xfs_ialloc_check_shrink(
+       struct xfs_trans        *tp,
+       xfs_agnumber_t          agno,
+       struct xfs_buf          *agibp,
+       xfs_agblock_t           new_length)
+{
+       struct xfs_inobt_rec_incore rec;
+       struct xfs_btree_cur    *cur;
+       struct xfs_mount        *mp = tp->t_mountp;
+       struct xfs_perag        *pag;
+       xfs_agino_t             agino = XFS_AGB_TO_AGINO(mp, new_length);
+       int                     has;
+       int                     error;
+
+       if (!xfs_sb_version_hassparseinodes(&mp->m_sb))
+               return 0;
+
+       pag = xfs_perag_get(mp, agno);
+       cur = xfs_inobt_init_cursor(mp, tp, agibp, pag, XFS_BTNUM_INO);
+
+       /* Look up the inobt record that would correspond to the new EOFS. */
+       error = xfs_inobt_lookup(cur, agino, XFS_LOOKUP_LE, &has);
+       if (error || !has)
+               goto out;
+
+       error = xfs_inobt_get_rec(cur, &rec, &has);
+       if (error)
+               goto out;
+
+       if (!has) {
+               error = -EFSCORRUPTED;
+               goto out;
+       }
+
+       /* If the record covers inodes that would be beyond EOFS, bail out. */
+       if (rec.ir_startino + XFS_INODES_PER_CHUNK > agino) {
+               error = -ENOSPC;
+               goto out;
+       }
+out:
+       xfs_btree_del_cursor(cur, error);
+       xfs_perag_put(pag);
+       return error;
+}

diff --git a/fs/xfs/libxfs/xfs_ialloc.h b/fs/xfs/libxfs/xfs_ialloc.h
index 9df7c80..9a2112b 100644 (file)
--- a/fs/xfs/libxfs/xfs_ialloc.h
+++ b/fs/xfs/libxfs/xfs_ialloc.h
@@ -122,4 +122,7 @@ int xfs_ialloc_cluster_alignment(struct xfs_mount *mp);
 void xfs_ialloc_setup_geometry(struct xfs_mount *mp);
 xfs_ino_t xfs_ialloc_calc_rootino(struct xfs_mount *mp, int sunit);
 
+int xfs_ialloc_check_shrink(struct xfs_trans *tp, xfs_agnumber_t agno,
+               struct xfs_buf *agibp, xfs_agblock_t new_length);
+
 #endif /* __XFS_IALLOC_H__ */