1 // SPDX-License-Identifier: GPL-2.0
3 * Copyright (c) 2000-2006 Silicon Graphics, Inc.
8 #include "xfs_shared.h"
9 #include "xfs_format.h"
10 #include "xfs_log_format.h"
11 #include "xfs_trans_resv.h"
14 #include "xfs_mount.h"
15 #include "xfs_defer.h"
16 #include "xfs_inode.h"
17 #include "xfs_trans.h"
19 #include "xfs_log_priv.h"
20 #include "xfs_log_recover.h"
21 #include "xfs_trans_priv.h"
22 #include "xfs_alloc.h"
23 #include "xfs_ialloc.h"
24 #include "xfs_trace.h"
25 #include "xfs_icache.h"
26 #include "xfs_error.h"
27 #include "xfs_buf_item.h"
29 #define BLK_AVG(blk1, blk2) ((blk1+blk2) >> 1)
36 xlog_clear_stale_blocks(
41 xlog_recover_check_summary(
44 #define xlog_recover_check_summary(log)
47 xlog_do_recovery_pass(
48 struct xlog *, xfs_daddr_t, xfs_daddr_t, int, xfs_daddr_t *);
51 * Sector aligned buffer routines for buffer create/read/write/access
55 * Verify the log-relative block number and length in basic blocks are valid for
56 * an operation involving the given XFS log buffer. Returns true if the fields
57 * are valid, false otherwise.
65 if (blk_no < 0 || blk_no >= log->l_logBBsize)
67 if (bbcount <= 0 || (blk_no + bbcount) > log->l_logBBsize)
73 * Allocate a buffer to hold log data. The buffer needs to be able to map to
74 * a range of nbblks basic blocks at any valid offset within the log.
81 int align_mask = xfs_buftarg_dma_alignment(log->l_targ);
84 * Pass log block 0 since we don't have an addr yet, buffer will be
87 if (XFS_IS_CORRUPT(log->l_mp, !xlog_verify_bno(log, 0, nbblks))) {
88 xfs_warn(log->l_mp, "Invalid block length (0x%x) for buffer",
94 * We do log I/O in units of log sectors (a power-of-2 multiple of the
95 * basic block size), so we round up the requested size to accommodate
96 * the basic blocks required for complete log sectors.
98 * In addition, the buffer may be used for a non-sector-aligned block
99 * offset, in which case an I/O of the requested size could extend
100 * beyond the end of the buffer. If the requested size is only 1 basic
101 * block it will never straddle a sector boundary, so this won't be an
102 * issue. Nor will this be a problem if the log I/O is done in basic
103 * blocks (sector size 1). But otherwise we extend the buffer by one
104 * extra log sector to ensure there's space to accommodate this
107 if (nbblks > 1 && log->l_sectBBsize > 1)
108 nbblks += log->l_sectBBsize;
109 nbblks = round_up(nbblks, log->l_sectBBsize);
110 return kmem_alloc_io(BBTOB(nbblks), align_mask, KM_MAYFAIL | KM_ZERO);
114 * Return the address of the start of the given block number's data
115 * in a log buffer. The buffer covers a log sector-aligned region.
117 static inline unsigned int
122 return BBTOB(blk_no & ((xfs_daddr_t)log->l_sectBBsize - 1));
135 if (XFS_IS_CORRUPT(log->l_mp, !xlog_verify_bno(log, blk_no, nbblks))) {
137 "Invalid log block/length (0x%llx, 0x%x) for buffer",
139 return -EFSCORRUPTED;
142 blk_no = round_down(blk_no, log->l_sectBBsize);
143 nbblks = round_up(nbblks, log->l_sectBBsize);
146 error = xfs_rw_bdev(log->l_targ->bt_bdev, log->l_logBBstart + blk_no,
147 BBTOB(nbblks), data, op);
148 if (error && !XFS_FORCED_SHUTDOWN(log->l_mp)) {
150 "log recovery %s I/O error at daddr 0x%llx len %d error %d",
151 op == REQ_OP_WRITE ? "write" : "read",
152 blk_no, nbblks, error);
164 return xlog_do_io(log, blk_no, nbblks, data, REQ_OP_READ);
177 error = xlog_do_io(log, blk_no, nbblks, data, REQ_OP_READ);
179 *offset = data + xlog_align(log, blk_no);
190 return xlog_do_io(log, blk_no, nbblks, data, REQ_OP_WRITE);
195 * dump debug superblock and log record information
198 xlog_header_check_dump(
200 xlog_rec_header_t *head)
202 xfs_debug(mp, "%s: SB : uuid = %pU, fmt = %d",
203 __func__, &mp->m_sb.sb_uuid, XLOG_FMT);
204 xfs_debug(mp, " log : uuid = %pU, fmt = %d",
205 &head->h_fs_uuid, be32_to_cpu(head->h_fmt));
208 #define xlog_header_check_dump(mp, head)
212 * check log record header for recovery
215 xlog_header_check_recover(
217 xlog_rec_header_t *head)
219 ASSERT(head->h_magicno == cpu_to_be32(XLOG_HEADER_MAGIC_NUM));
222 * IRIX doesn't write the h_fmt field and leaves it zeroed
223 * (XLOG_FMT_UNKNOWN). This stops us from trying to recover
224 * a dirty log created in IRIX.
226 if (XFS_IS_CORRUPT(mp, head->h_fmt != cpu_to_be32(XLOG_FMT))) {
228 "dirty log written in incompatible format - can't recover");
229 xlog_header_check_dump(mp, head);
230 return -EFSCORRUPTED;
232 if (XFS_IS_CORRUPT(mp, !uuid_equal(&mp->m_sb.sb_uuid,
233 &head->h_fs_uuid))) {
235 "dirty log entry has mismatched uuid - can't recover");
236 xlog_header_check_dump(mp, head);
237 return -EFSCORRUPTED;
243 * read the head block of the log and check the header
246 xlog_header_check_mount(
248 xlog_rec_header_t *head)
250 ASSERT(head->h_magicno == cpu_to_be32(XLOG_HEADER_MAGIC_NUM));
252 if (uuid_is_null(&head->h_fs_uuid)) {
254 * IRIX doesn't write the h_fs_uuid or h_fmt fields. If
255 * h_fs_uuid is null, we assume this log was last mounted
256 * by IRIX and continue.
258 xfs_warn(mp, "null uuid in log - IRIX style log");
259 } else if (XFS_IS_CORRUPT(mp, !uuid_equal(&mp->m_sb.sb_uuid,
260 &head->h_fs_uuid))) {
261 xfs_warn(mp, "log has mismatched uuid - can't recover");
262 xlog_header_check_dump(mp, head);
263 return -EFSCORRUPTED;
269 * This routine finds (to an approximation) the first block in the physical
270 * log which contains the given cycle. It uses a binary search algorithm.
271 * Note that the algorithm can not be perfect because the disk will not
272 * necessarily be perfect.
275 xlog_find_cycle_start(
278 xfs_daddr_t first_blk,
279 xfs_daddr_t *last_blk,
289 mid_blk = BLK_AVG(first_blk, end_blk);
290 while (mid_blk != first_blk && mid_blk != end_blk) {
291 error = xlog_bread(log, mid_blk, 1, buffer, &offset);
294 mid_cycle = xlog_get_cycle(offset);
295 if (mid_cycle == cycle)
296 end_blk = mid_blk; /* last_half_cycle == mid_cycle */
298 first_blk = mid_blk; /* first_half_cycle == mid_cycle */
299 mid_blk = BLK_AVG(first_blk, end_blk);
301 ASSERT((mid_blk == first_blk && mid_blk+1 == end_blk) ||
302 (mid_blk == end_blk && mid_blk-1 == first_blk));
310 * Check that a range of blocks does not contain stop_on_cycle_no.
311 * Fill in *new_blk with the block offset where such a block is
312 * found, or with -1 (an invalid block number) if there is no such
313 * block in the range. The scan needs to occur from front to back
314 * and the pointer into the region must be updated since a later
315 * routine will need to perform another test.
318 xlog_find_verify_cycle(
320 xfs_daddr_t start_blk,
322 uint stop_on_cycle_no,
323 xfs_daddr_t *new_blk)
333 * Greedily allocate a buffer big enough to handle the full
334 * range of basic blocks we'll be examining. If that fails,
335 * try a smaller size. We need to be able to read at least
336 * a log sector, or we're out of luck.
338 bufblks = 1 << ffs(nbblks);
339 while (bufblks > log->l_logBBsize)
341 while (!(buffer = xlog_alloc_buffer(log, bufblks))) {
343 if (bufblks < log->l_sectBBsize)
347 for (i = start_blk; i < start_blk + nbblks; i += bufblks) {
350 bcount = min(bufblks, (start_blk + nbblks - i));
352 error = xlog_bread(log, i, bcount, buffer, &buf);
356 for (j = 0; j < bcount; j++) {
357 cycle = xlog_get_cycle(buf);
358 if (cycle == stop_on_cycle_no) {
375 xlog_logrec_hblks(struct xlog *log, struct xlog_rec_header *rh)
377 if (xfs_sb_version_haslogv2(&log->l_mp->m_sb)) {
378 int h_size = be32_to_cpu(rh->h_size);
380 if ((be32_to_cpu(rh->h_version) & XLOG_VERSION_2) &&
381 h_size > XLOG_HEADER_CYCLE_SIZE)
382 return DIV_ROUND_UP(h_size, XLOG_HEADER_CYCLE_SIZE);
388 * Potentially backup over partial log record write.
390 * In the typical case, last_blk is the number of the block directly after
391 * a good log record. Therefore, we subtract one to get the block number
392 * of the last block in the given buffer. extra_bblks contains the number
393 * of blocks we would have read on a previous read. This happens when the
394 * last log record is split over the end of the physical log.
396 * extra_bblks is the number of blocks potentially verified on a previous
397 * call to this routine.
400 xlog_find_verify_log_record(
402 xfs_daddr_t start_blk,
403 xfs_daddr_t *last_blk,
409 xlog_rec_header_t *head = NULL;
412 int num_blks = *last_blk - start_blk;
415 ASSERT(start_blk != 0 || *last_blk != start_blk);
417 buffer = xlog_alloc_buffer(log, num_blks);
419 buffer = xlog_alloc_buffer(log, 1);
424 error = xlog_bread(log, start_blk, num_blks, buffer, &offset);
427 offset += ((num_blks - 1) << BBSHIFT);
430 for (i = (*last_blk) - 1; i >= 0; i--) {
432 /* valid log record not found */
434 "Log inconsistent (didn't find previous header)");
436 error = -EFSCORRUPTED;
441 error = xlog_bread(log, i, 1, buffer, &offset);
446 head = (xlog_rec_header_t *)offset;
448 if (head->h_magicno == cpu_to_be32(XLOG_HEADER_MAGIC_NUM))
456 * We hit the beginning of the physical log & still no header. Return
457 * to caller. If caller can handle a return of -1, then this routine
458 * will be called again for the end of the physical log.
466 * We have the final block of the good log (the first block
467 * of the log record _before_ the head. So we check the uuid.
469 if ((error = xlog_header_check_mount(log->l_mp, head)))
473 * We may have found a log record header before we expected one.
474 * last_blk will be the 1st block # with a given cycle #. We may end
475 * up reading an entire log record. In this case, we don't want to
476 * reset last_blk. Only when last_blk points in the middle of a log
477 * record do we update last_blk.
479 xhdrs = xlog_logrec_hblks(log, head);
481 if (*last_blk - i + extra_bblks !=
482 BTOBB(be32_to_cpu(head->h_len)) + xhdrs)
491 * Head is defined to be the point of the log where the next log write
492 * could go. This means that incomplete LR writes at the end are
493 * eliminated when calculating the head. We aren't guaranteed that previous
494 * LR have complete transactions. We only know that a cycle number of
495 * current cycle number -1 won't be present in the log if we start writing
496 * from our current block number.
498 * last_blk contains the block number of the first block with a given
501 * Return: zero if normal, non-zero if error.
506 xfs_daddr_t *return_head_blk)
510 xfs_daddr_t new_blk, first_blk, start_blk, last_blk, head_blk;
512 uint first_half_cycle, last_half_cycle;
514 int error, log_bbnum = log->l_logBBsize;
516 /* Is the end of the log device zeroed? */
517 error = xlog_find_zeroed(log, &first_blk);
519 xfs_warn(log->l_mp, "empty log check failed");
523 *return_head_blk = first_blk;
525 /* Is the whole lot zeroed? */
527 /* Linux XFS shouldn't generate totally zeroed logs -
528 * mkfs etc write a dummy unmount record to a fresh
529 * log so we can store the uuid in there
531 xfs_warn(log->l_mp, "totally zeroed log");
537 first_blk = 0; /* get cycle # of 1st block */
538 buffer = xlog_alloc_buffer(log, 1);
542 error = xlog_bread(log, 0, 1, buffer, &offset);
544 goto out_free_buffer;
546 first_half_cycle = xlog_get_cycle(offset);
548 last_blk = head_blk = log_bbnum - 1; /* get cycle # of last block */
549 error = xlog_bread(log, last_blk, 1, buffer, &offset);
551 goto out_free_buffer;
553 last_half_cycle = xlog_get_cycle(offset);
554 ASSERT(last_half_cycle != 0);
557 * If the 1st half cycle number is equal to the last half cycle number,
558 * then the entire log is stamped with the same cycle number. In this
559 * case, head_blk can't be set to zero (which makes sense). The below
560 * math doesn't work out properly with head_blk equal to zero. Instead,
561 * we set it to log_bbnum which is an invalid block number, but this
562 * value makes the math correct. If head_blk doesn't changed through
563 * all the tests below, *head_blk is set to zero at the very end rather
564 * than log_bbnum. In a sense, log_bbnum and zero are the same block
565 * in a circular file.
567 if (first_half_cycle == last_half_cycle) {
569 * In this case we believe that the entire log should have
570 * cycle number last_half_cycle. We need to scan backwards
571 * from the end verifying that there are no holes still
572 * containing last_half_cycle - 1. If we find such a hole,
573 * then the start of that hole will be the new head. The
574 * simple case looks like
575 * x | x ... | x - 1 | x
576 * Another case that fits this picture would be
577 * x | x + 1 | x ... | x
578 * In this case the head really is somewhere at the end of the
579 * log, as one of the latest writes at the beginning was
582 * x | x + 1 | x ... | x - 1 | x
583 * This is really the combination of the above two cases, and
584 * the head has to end up at the start of the x-1 hole at the
587 * In the 256k log case, we will read from the beginning to the
588 * end of the log and search for cycle numbers equal to x-1.
589 * We don't worry about the x+1 blocks that we encounter,
590 * because we know that they cannot be the head since the log
593 head_blk = log_bbnum;
594 stop_on_cycle = last_half_cycle - 1;
597 * In this case we want to find the first block with cycle
598 * number matching last_half_cycle. We expect the log to be
600 * x + 1 ... | x ... | x
601 * The first block with cycle number x (last_half_cycle) will
602 * be where the new head belongs. First we do a binary search
603 * for the first occurrence of last_half_cycle. The binary
604 * search may not be totally accurate, so then we scan back
605 * from there looking for occurrences of last_half_cycle before
606 * us. If that backwards scan wraps around the beginning of
607 * the log, then we look for occurrences of last_half_cycle - 1
608 * at the end of the log. The cases we're looking for look
610 * v binary search stopped here
611 * x + 1 ... | x | x + 1 | x ... | x
612 * ^ but we want to locate this spot
614 * <---------> less than scan distance
615 * x + 1 ... | x ... | x - 1 | x
616 * ^ we want to locate this spot
618 stop_on_cycle = last_half_cycle;
619 error = xlog_find_cycle_start(log, buffer, first_blk, &head_blk,
622 goto out_free_buffer;
626 * Now validate the answer. Scan back some number of maximum possible
627 * blocks and make sure each one has the expected cycle number. The
628 * maximum is determined by the total possible amount of buffering
629 * in the in-core log. The following number can be made tighter if
630 * we actually look at the block size of the filesystem.
632 num_scan_bblks = min_t(int, log_bbnum, XLOG_TOTAL_REC_SHIFT(log));
633 if (head_blk >= num_scan_bblks) {
635 * We are guaranteed that the entire check can be performed
638 start_blk = head_blk - num_scan_bblks;
639 if ((error = xlog_find_verify_cycle(log,
640 start_blk, num_scan_bblks,
641 stop_on_cycle, &new_blk)))
642 goto out_free_buffer;
645 } else { /* need to read 2 parts of log */
647 * We are going to scan backwards in the log in two parts.
648 * First we scan the physical end of the log. In this part
649 * of the log, we are looking for blocks with cycle number
650 * last_half_cycle - 1.
651 * If we find one, then we know that the log starts there, as
652 * we've found a hole that didn't get written in going around
653 * the end of the physical log. The simple case for this is
654 * x + 1 ... | x ... | x - 1 | x
655 * <---------> less than scan distance
656 * If all of the blocks at the end of the log have cycle number
657 * last_half_cycle, then we check the blocks at the start of
658 * the log looking for occurrences of last_half_cycle. If we
659 * find one, then our current estimate for the location of the
660 * first occurrence of last_half_cycle is wrong and we move
661 * back to the hole we've found. This case looks like
662 * x + 1 ... | x | x + 1 | x ...
663 * ^ binary search stopped here
664 * Another case we need to handle that only occurs in 256k
666 * x + 1 ... | x ... | x+1 | x ...
667 * ^ binary search stops here
668 * In a 256k log, the scan at the end of the log will see the
669 * x + 1 blocks. We need to skip past those since that is
670 * certainly not the head of the log. By searching for
671 * last_half_cycle-1 we accomplish that.
673 ASSERT(head_blk <= INT_MAX &&
674 (xfs_daddr_t) num_scan_bblks >= head_blk);
675 start_blk = log_bbnum - (num_scan_bblks - head_blk);
676 if ((error = xlog_find_verify_cycle(log, start_blk,
677 num_scan_bblks - (int)head_blk,
678 (stop_on_cycle - 1), &new_blk)))
679 goto out_free_buffer;
686 * Scan beginning of log now. The last part of the physical
687 * log is good. This scan needs to verify that it doesn't find
688 * the last_half_cycle.
691 ASSERT(head_blk <= INT_MAX);
692 if ((error = xlog_find_verify_cycle(log,
693 start_blk, (int)head_blk,
694 stop_on_cycle, &new_blk)))
695 goto out_free_buffer;
702 * Now we need to make sure head_blk is not pointing to a block in
703 * the middle of a log record.
705 num_scan_bblks = XLOG_REC_SHIFT(log);
706 if (head_blk >= num_scan_bblks) {
707 start_blk = head_blk - num_scan_bblks; /* don't read head_blk */
709 /* start ptr at last block ptr before head_blk */
710 error = xlog_find_verify_log_record(log, start_blk, &head_blk, 0);
714 goto out_free_buffer;
717 ASSERT(head_blk <= INT_MAX);
718 error = xlog_find_verify_log_record(log, start_blk, &head_blk, 0);
720 goto out_free_buffer;
722 /* We hit the beginning of the log during our search */
723 start_blk = log_bbnum - (num_scan_bblks - head_blk);
725 ASSERT(start_blk <= INT_MAX &&
726 (xfs_daddr_t) log_bbnum-start_blk >= 0);
727 ASSERT(head_blk <= INT_MAX);
728 error = xlog_find_verify_log_record(log, start_blk,
729 &new_blk, (int)head_blk);
733 goto out_free_buffer;
734 if (new_blk != log_bbnum)
737 goto out_free_buffer;
741 if (head_blk == log_bbnum)
742 *return_head_blk = 0;
744 *return_head_blk = head_blk;
746 * When returning here, we have a good block number. Bad block
747 * means that during a previous crash, we didn't have a clean break
748 * from cycle number N to cycle number N-1. In this case, we need
749 * to find the first block with cycle number N-1.
756 xfs_warn(log->l_mp, "failed to find log head");
761 * Seek backwards in the log for log record headers.
763 * Given a starting log block, walk backwards until we find the provided number
764 * of records or hit the provided tail block. The return value is the number of
765 * records encountered or a negative error code. The log block and buffer
766 * pointer of the last record seen are returned in rblk and rhead respectively.
769 xlog_rseek_logrec_hdr(
771 xfs_daddr_t head_blk,
772 xfs_daddr_t tail_blk,
776 struct xlog_rec_header **rhead,
788 * Walk backwards from the head block until we hit the tail or the first
791 end_blk = head_blk > tail_blk ? tail_blk : 0;
792 for (i = (int) head_blk - 1; i >= end_blk; i--) {
793 error = xlog_bread(log, i, 1, buffer, &offset);
797 if (*(__be32 *) offset == cpu_to_be32(XLOG_HEADER_MAGIC_NUM)) {
799 *rhead = (struct xlog_rec_header *) offset;
800 if (++found == count)
806 * If we haven't hit the tail block or the log record header count,
807 * start looking again from the end of the physical log. Note that
808 * callers can pass head == tail if the tail is not yet known.
810 if (tail_blk >= head_blk && found != count) {
811 for (i = log->l_logBBsize - 1; i >= (int) tail_blk; i--) {
812 error = xlog_bread(log, i, 1, buffer, &offset);
816 if (*(__be32 *)offset ==
817 cpu_to_be32(XLOG_HEADER_MAGIC_NUM)) {
820 *rhead = (struct xlog_rec_header *) offset;
821 if (++found == count)
834 * Seek forward in the log for log record headers.
836 * Given head and tail blocks, walk forward from the tail block until we find
837 * the provided number of records or hit the head block. The return value is the
838 * number of records encountered or a negative error code. The log block and
839 * buffer pointer of the last record seen are returned in rblk and rhead
843 xlog_seek_logrec_hdr(
845 xfs_daddr_t head_blk,
846 xfs_daddr_t tail_blk,
850 struct xlog_rec_header **rhead,
862 * Walk forward from the tail block until we hit the head or the last
865 end_blk = head_blk > tail_blk ? head_blk : log->l_logBBsize - 1;
866 for (i = (int) tail_blk; i <= end_blk; i++) {
867 error = xlog_bread(log, i, 1, buffer, &offset);
871 if (*(__be32 *) offset == cpu_to_be32(XLOG_HEADER_MAGIC_NUM)) {
873 *rhead = (struct xlog_rec_header *) offset;
874 if (++found == count)
880 * If we haven't hit the head block or the log record header count,
881 * start looking again from the start of the physical log.
883 if (tail_blk > head_blk && found != count) {
884 for (i = 0; i < (int) head_blk; i++) {
885 error = xlog_bread(log, i, 1, buffer, &offset);
889 if (*(__be32 *)offset ==
890 cpu_to_be32(XLOG_HEADER_MAGIC_NUM)) {
893 *rhead = (struct xlog_rec_header *) offset;
894 if (++found == count)
907 * Calculate distance from head to tail (i.e., unused space in the log).
912 xfs_daddr_t head_blk,
913 xfs_daddr_t tail_blk)
915 if (head_blk < tail_blk)
916 return tail_blk - head_blk;
918 return tail_blk + (log->l_logBBsize - head_blk);
922 * Verify the log tail. This is particularly important when torn or incomplete
923 * writes have been detected near the front of the log and the head has been
924 * walked back accordingly.
926 * We also have to handle the case where the tail was pinned and the head
927 * blocked behind the tail right before a crash. If the tail had been pushed
928 * immediately prior to the crash and the subsequent checkpoint was only
929 * partially written, it's possible it overwrote the last referenced tail in the
930 * log with garbage. This is not a coherency problem because the tail must have
931 * been pushed before it can be overwritten, but appears as log corruption to
932 * recovery because we have no way to know the tail was updated if the
933 * subsequent checkpoint didn't write successfully.
935 * Therefore, CRC check the log from tail to head. If a failure occurs and the
936 * offending record is within max iclog bufs from the head, walk the tail
937 * forward and retry until a valid tail is found or corruption is detected out
938 * of the range of a possible overwrite.
943 xfs_daddr_t head_blk,
944 xfs_daddr_t *tail_blk,
947 struct xlog_rec_header *thead;
949 xfs_daddr_t first_bad;
952 xfs_daddr_t tmp_tail;
953 xfs_daddr_t orig_tail = *tail_blk;
955 buffer = xlog_alloc_buffer(log, 1);
960 * Make sure the tail points to a record (returns positive count on
963 error = xlog_seek_logrec_hdr(log, head_blk, *tail_blk, 1, buffer,
964 &tmp_tail, &thead, &wrapped);
967 if (*tail_blk != tmp_tail)
968 *tail_blk = tmp_tail;
971 * Run a CRC check from the tail to the head. We can't just check
972 * MAX_ICLOGS records past the tail because the tail may point to stale
973 * blocks cleared during the search for the head/tail. These blocks are
974 * overwritten with zero-length records and thus record count is not a
975 * reliable indicator of the iclog state before a crash.
978 error = xlog_do_recovery_pass(log, head_blk, *tail_blk,
979 XLOG_RECOVER_CRCPASS, &first_bad);
980 while ((error == -EFSBADCRC || error == -EFSCORRUPTED) && first_bad) {
984 * Is corruption within range of the head? If so, retry from
985 * the next record. Otherwise return an error.
987 tail_distance = xlog_tail_distance(log, head_blk, first_bad);
988 if (tail_distance > BTOBB(XLOG_MAX_ICLOGS * hsize))
991 /* skip to the next record; returns positive count on success */
992 error = xlog_seek_logrec_hdr(log, head_blk, first_bad, 2,
993 buffer, &tmp_tail, &thead, &wrapped);
997 *tail_blk = tmp_tail;
999 error = xlog_do_recovery_pass(log, head_blk, *tail_blk,
1000 XLOG_RECOVER_CRCPASS, &first_bad);
1003 if (!error && *tail_blk != orig_tail)
1005 "Tail block (0x%llx) overwrite detected. Updated to 0x%llx",
1006 orig_tail, *tail_blk);
1013 * Detect and trim torn writes from the head of the log.
1015 * Storage without sector atomicity guarantees can result in torn writes in the
1016 * log in the event of a crash. Our only means to detect this scenario is via
1017 * CRC verification. While we can't always be certain that CRC verification
1018 * failure is due to a torn write vs. an unrelated corruption, we do know that
1019 * only a certain number (XLOG_MAX_ICLOGS) of log records can be written out at
1020 * one time. Therefore, CRC verify up to XLOG_MAX_ICLOGS records at the head of
1021 * the log and treat failures in this range as torn writes as a matter of
1022 * policy. In the event of CRC failure, the head is walked back to the last good
1023 * record in the log and the tail is updated from that record and verified.
1028 xfs_daddr_t *head_blk, /* in/out: unverified head */
1029 xfs_daddr_t *tail_blk, /* out: tail block */
1031 xfs_daddr_t *rhead_blk, /* start blk of last record */
1032 struct xlog_rec_header **rhead, /* ptr to last record */
1033 bool *wrapped) /* last rec. wraps phys. log */
1035 struct xlog_rec_header *tmp_rhead;
1037 xfs_daddr_t first_bad;
1038 xfs_daddr_t tmp_rhead_blk;
1044 * Check the head of the log for torn writes. Search backwards from the
1045 * head until we hit the tail or the maximum number of log record I/Os
1046 * that could have been in flight at one time. Use a temporary buffer so
1047 * we don't trash the rhead/buffer pointers from the caller.
1049 tmp_buffer = xlog_alloc_buffer(log, 1);
1052 error = xlog_rseek_logrec_hdr(log, *head_blk, *tail_blk,
1053 XLOG_MAX_ICLOGS, tmp_buffer,
1054 &tmp_rhead_blk, &tmp_rhead, &tmp_wrapped);
1055 kmem_free(tmp_buffer);
1060 * Now run a CRC verification pass over the records starting at the
1061 * block found above to the current head. If a CRC failure occurs, the
1062 * log block of the first bad record is saved in first_bad.
1064 error = xlog_do_recovery_pass(log, *head_blk, tmp_rhead_blk,
1065 XLOG_RECOVER_CRCPASS, &first_bad);
1066 if ((error == -EFSBADCRC || error == -EFSCORRUPTED) && first_bad) {
1068 * We've hit a potential torn write. Reset the error and warn
1073 "Torn write (CRC failure) detected at log block 0x%llx. Truncating head block from 0x%llx.",
1074 first_bad, *head_blk);
1077 * Get the header block and buffer pointer for the last good
1078 * record before the bad record.
1080 * Note that xlog_find_tail() clears the blocks at the new head
1081 * (i.e., the records with invalid CRC) if the cycle number
1082 * matches the current cycle.
1084 found = xlog_rseek_logrec_hdr(log, first_bad, *tail_blk, 1,
1085 buffer, rhead_blk, rhead, wrapped);
1088 if (found == 0) /* XXX: right thing to do here? */
1092 * Reset the head block to the starting block of the first bad
1093 * log record and set the tail block based on the last good
1096 * Bail out if the updated head/tail match as this indicates
1097 * possible corruption outside of the acceptable
1098 * (XLOG_MAX_ICLOGS) range. This is a job for xfs_repair...
1100 *head_blk = first_bad;
1101 *tail_blk = BLOCK_LSN(be64_to_cpu((*rhead)->h_tail_lsn));
1102 if (*head_blk == *tail_blk) {
1110 return xlog_verify_tail(log, *head_blk, tail_blk,
1111 be32_to_cpu((*rhead)->h_size));
1115 * We need to make sure we handle log wrapping properly, so we can't use the
1116 * calculated logbno directly. Make sure it wraps to the correct bno inside the
1119 * The log is limited to 32 bit sizes, so we use the appropriate modulus
1120 * operation here and cast it back to a 64 bit daddr on return.
1122 static inline xfs_daddr_t
1129 div_s64_rem(bno, log->l_logBBsize, &mod);
1134 * Check whether the head of the log points to an unmount record. In other
1135 * words, determine whether the log is clean. If so, update the in-core state
1139 xlog_check_unmount_rec(
1141 xfs_daddr_t *head_blk,
1142 xfs_daddr_t *tail_blk,
1143 struct xlog_rec_header *rhead,
1144 xfs_daddr_t rhead_blk,
1148 struct xlog_op_header *op_head;
1149 xfs_daddr_t umount_data_blk;
1150 xfs_daddr_t after_umount_blk;
1158 * Look for unmount record. If we find it, then we know there was a
1159 * clean unmount. Since 'i' could be the last block in the physical
1160 * log, we convert to a log block before comparing to the head_blk.
1162 * Save the current tail lsn to use to pass to xlog_clear_stale_blocks()
1163 * below. We won't want to clear the unmount record if there is one, so
1164 * we pass the lsn of the unmount record rather than the block after it.
1166 hblks = xlog_logrec_hblks(log, rhead);
1167 after_umount_blk = xlog_wrap_logbno(log,
1168 rhead_blk + hblks + BTOBB(be32_to_cpu(rhead->h_len)));
1170 if (*head_blk == after_umount_blk &&
1171 be32_to_cpu(rhead->h_num_logops) == 1) {
1172 umount_data_blk = xlog_wrap_logbno(log, rhead_blk + hblks);
1173 error = xlog_bread(log, umount_data_blk, 1, buffer, &offset);
1177 op_head = (struct xlog_op_header *)offset;
1178 if (op_head->oh_flags & XLOG_UNMOUNT_TRANS) {
1180 * Set tail and last sync so that newly written log
1181 * records will point recovery to after the current
1184 xlog_assign_atomic_lsn(&log->l_tail_lsn,
1185 log->l_curr_cycle, after_umount_blk);
1186 xlog_assign_atomic_lsn(&log->l_last_sync_lsn,
1187 log->l_curr_cycle, after_umount_blk);
1188 *tail_blk = after_umount_blk;
1200 xfs_daddr_t head_blk,
1201 struct xlog_rec_header *rhead,
1202 xfs_daddr_t rhead_blk,
1206 * Reset log values according to the state of the log when we
1207 * crashed. In the case where head_blk == 0, we bump curr_cycle
1208 * one because the next write starts a new cycle rather than
1209 * continuing the cycle of the last good log record. At this
1210 * point we have guaranteed that all partial log records have been
1211 * accounted for. Therefore, we know that the last good log record
1212 * written was complete and ended exactly on the end boundary
1213 * of the physical log.
1215 log->l_prev_block = rhead_blk;
1216 log->l_curr_block = (int)head_blk;
1217 log->l_curr_cycle = be32_to_cpu(rhead->h_cycle);
1219 log->l_curr_cycle++;
1220 atomic64_set(&log->l_tail_lsn, be64_to_cpu(rhead->h_tail_lsn));
1221 atomic64_set(&log->l_last_sync_lsn, be64_to_cpu(rhead->h_lsn));
1222 xlog_assign_grant_head(&log->l_reserve_head.grant, log->l_curr_cycle,
1223 BBTOB(log->l_curr_block));
1224 xlog_assign_grant_head(&log->l_write_head.grant, log->l_curr_cycle,
1225 BBTOB(log->l_curr_block));
1229 * Find the sync block number or the tail of the log.
1231 * This will be the block number of the last record to have its
1232 * associated buffers synced to disk. Every log record header has
1233 * a sync lsn embedded in it. LSNs hold block numbers, so it is easy
1234 * to get a sync block number. The only concern is to figure out which
1235 * log record header to believe.
1237 * The following algorithm uses the log record header with the largest
1238 * lsn. The entire log record does not need to be valid. We only care
1239 * that the header is valid.
1241 * We could speed up search by using current head_blk buffer, but it is not
1247 xfs_daddr_t *head_blk,
1248 xfs_daddr_t *tail_blk)
1250 xlog_rec_header_t *rhead;
1251 char *offset = NULL;
1254 xfs_daddr_t rhead_blk;
1256 bool wrapped = false;
1260 * Find previous log record
1262 if ((error = xlog_find_head(log, head_blk)))
1264 ASSERT(*head_blk < INT_MAX);
1266 buffer = xlog_alloc_buffer(log, 1);
1269 if (*head_blk == 0) { /* special case */
1270 error = xlog_bread(log, 0, 1, buffer, &offset);
1274 if (xlog_get_cycle(offset) == 0) {
1276 /* leave all other log inited values alone */
1282 * Search backwards through the log looking for the log record header
1283 * block. This wraps all the way back around to the head so something is
1284 * seriously wrong if we can't find it.
1286 error = xlog_rseek_logrec_hdr(log, *head_blk, *head_blk, 1, buffer,
1287 &rhead_blk, &rhead, &wrapped);
1291 xfs_warn(log->l_mp, "%s: couldn't find sync record", __func__);
1292 error = -EFSCORRUPTED;
1295 *tail_blk = BLOCK_LSN(be64_to_cpu(rhead->h_tail_lsn));
1298 * Set the log state based on the current head record.
1300 xlog_set_state(log, *head_blk, rhead, rhead_blk, wrapped);
1301 tail_lsn = atomic64_read(&log->l_tail_lsn);
1304 * Look for an unmount record at the head of the log. This sets the log
1305 * state to determine whether recovery is necessary.
1307 error = xlog_check_unmount_rec(log, head_blk, tail_blk, rhead,
1308 rhead_blk, buffer, &clean);
1313 * Verify the log head if the log is not clean (e.g., we have anything
1314 * but an unmount record at the head). This uses CRC verification to
1315 * detect and trim torn writes. If discovered, CRC failures are
1316 * considered torn writes and the log head is trimmed accordingly.
1318 * Note that we can only run CRC verification when the log is dirty
1319 * because there's no guarantee that the log data behind an unmount
1320 * record is compatible with the current architecture.
1323 xfs_daddr_t orig_head = *head_blk;
1325 error = xlog_verify_head(log, head_blk, tail_blk, buffer,
1326 &rhead_blk, &rhead, &wrapped);
1330 /* update in-core state again if the head changed */
1331 if (*head_blk != orig_head) {
1332 xlog_set_state(log, *head_blk, rhead, rhead_blk,
1334 tail_lsn = atomic64_read(&log->l_tail_lsn);
1335 error = xlog_check_unmount_rec(log, head_blk, tail_blk,
1336 rhead, rhead_blk, buffer,
1344 * Note that the unmount was clean. If the unmount was not clean, we
1345 * need to know this to rebuild the superblock counters from the perag
1346 * headers if we have a filesystem using non-persistent counters.
1349 log->l_mp->m_flags |= XFS_MOUNT_WAS_CLEAN;
1352 * Make sure that there are no blocks in front of the head
1353 * with the same cycle number as the head. This can happen
1354 * because we allow multiple outstanding log writes concurrently,
1355 * and the later writes might make it out before earlier ones.
1357 * We use the lsn from before modifying it so that we'll never
1358 * overwrite the unmount record after a clean unmount.
1360 * Do this only if we are going to recover the filesystem
1362 * NOTE: This used to say "if (!readonly)"
1363 * However on Linux, we can & do recover a read-only filesystem.
1364 * We only skip recovery if NORECOVERY is specified on mount,
1365 * in which case we would not be here.
1367 * But... if the -device- itself is readonly, just skip this.
1368 * We can't recover this device anyway, so it won't matter.
1370 if (!xfs_readonly_buftarg(log->l_targ))
1371 error = xlog_clear_stale_blocks(log, tail_lsn);
1377 xfs_warn(log->l_mp, "failed to locate log tail");
1382 * Is the log zeroed at all?
1384 * The last binary search should be changed to perform an X block read
1385 * once X becomes small enough. You can then search linearly through
1386 * the X blocks. This will cut down on the number of reads we need to do.
1388 * If the log is partially zeroed, this routine will pass back the blkno
1389 * of the first block with cycle number 0. It won't have a complete LR
1393 * 0 => the log is completely written to
1394 * 1 => use *blk_no as the first block of the log
1395 * <0 => error has occurred
1400 xfs_daddr_t *blk_no)
1404 uint first_cycle, last_cycle;
1405 xfs_daddr_t new_blk, last_blk, start_blk;
1406 xfs_daddr_t num_scan_bblks;
1407 int error, log_bbnum = log->l_logBBsize;
1411 /* check totally zeroed log */
1412 buffer = xlog_alloc_buffer(log, 1);
1415 error = xlog_bread(log, 0, 1, buffer, &offset);
1417 goto out_free_buffer;
1419 first_cycle = xlog_get_cycle(offset);
1420 if (first_cycle == 0) { /* completely zeroed log */
1426 /* check partially zeroed log */
1427 error = xlog_bread(log, log_bbnum-1, 1, buffer, &offset);
1429 goto out_free_buffer;
1431 last_cycle = xlog_get_cycle(offset);
1432 if (last_cycle != 0) { /* log completely written to */
1437 /* we have a partially zeroed log */
1438 last_blk = log_bbnum-1;
1439 error = xlog_find_cycle_start(log, buffer, 0, &last_blk, 0);
1441 goto out_free_buffer;
1444 * Validate the answer. Because there is no way to guarantee that
1445 * the entire log is made up of log records which are the same size,
1446 * we scan over the defined maximum blocks. At this point, the maximum
1447 * is not chosen to mean anything special. XXXmiken
1449 num_scan_bblks = XLOG_TOTAL_REC_SHIFT(log);
1450 ASSERT(num_scan_bblks <= INT_MAX);
1452 if (last_blk < num_scan_bblks)
1453 num_scan_bblks = last_blk;
1454 start_blk = last_blk - num_scan_bblks;
1457 * We search for any instances of cycle number 0 that occur before
1458 * our current estimate of the head. What we're trying to detect is
1459 * 1 ... | 0 | 1 | 0...
1460 * ^ binary search ends here
1462 if ((error = xlog_find_verify_cycle(log, start_blk,
1463 (int)num_scan_bblks, 0, &new_blk)))
1464 goto out_free_buffer;
1469 * Potentially backup over partial log record write. We don't need
1470 * to search the end of the log because we know it is zero.
1472 error = xlog_find_verify_log_record(log, start_blk, &last_blk, 0);
1476 goto out_free_buffer;
1487 * These are simple subroutines used by xlog_clear_stale_blocks() below
1488 * to initialize a buffer full of empty log record headers and write
1489 * them into the log.
1500 xlog_rec_header_t *recp = (xlog_rec_header_t *)buf;
1502 memset(buf, 0, BBSIZE);
1503 recp->h_magicno = cpu_to_be32(XLOG_HEADER_MAGIC_NUM);
1504 recp->h_cycle = cpu_to_be32(cycle);
1505 recp->h_version = cpu_to_be32(
1506 xfs_sb_version_haslogv2(&log->l_mp->m_sb) ? 2 : 1);
1507 recp->h_lsn = cpu_to_be64(xlog_assign_lsn(cycle, block));
1508 recp->h_tail_lsn = cpu_to_be64(xlog_assign_lsn(tail_cycle, tail_block));
1509 recp->h_fmt = cpu_to_be32(XLOG_FMT);
1510 memcpy(&recp->h_fs_uuid, &log->l_mp->m_sb.sb_uuid, sizeof(uuid_t));
1514 xlog_write_log_records(
1525 int sectbb = log->l_sectBBsize;
1526 int end_block = start_block + blocks;
1532 * Greedily allocate a buffer big enough to handle the full
1533 * range of basic blocks to be written. If that fails, try
1534 * a smaller size. We need to be able to write at least a
1535 * log sector, or we're out of luck.
1537 bufblks = 1 << ffs(blocks);
1538 while (bufblks > log->l_logBBsize)
1540 while (!(buffer = xlog_alloc_buffer(log, bufblks))) {
1542 if (bufblks < sectbb)
1546 /* We may need to do a read at the start to fill in part of
1547 * the buffer in the starting sector not covered by the first
1550 balign = round_down(start_block, sectbb);
1551 if (balign != start_block) {
1552 error = xlog_bread_noalign(log, start_block, 1, buffer);
1554 goto out_free_buffer;
1556 j = start_block - balign;
1559 for (i = start_block; i < end_block; i += bufblks) {
1560 int bcount, endcount;
1562 bcount = min(bufblks, end_block - start_block);
1563 endcount = bcount - j;
1565 /* We may need to do a read at the end to fill in part of
1566 * the buffer in the final sector not covered by the write.
1567 * If this is the same sector as the above read, skip it.
1569 ealign = round_down(end_block, sectbb);
1570 if (j == 0 && (start_block + endcount > ealign)) {
1571 error = xlog_bread_noalign(log, ealign, sectbb,
1572 buffer + BBTOB(ealign - start_block));
1578 offset = buffer + xlog_align(log, start_block);
1579 for (; j < endcount; j++) {
1580 xlog_add_record(log, offset, cycle, i+j,
1581 tail_cycle, tail_block);
1584 error = xlog_bwrite(log, start_block, endcount, buffer);
1587 start_block += endcount;
1597 * This routine is called to blow away any incomplete log writes out
1598 * in front of the log head. We do this so that we won't become confused
1599 * if we come up, write only a little bit more, and then crash again.
1600 * If we leave the partial log records out there, this situation could
1601 * cause us to think those partial writes are valid blocks since they
1602 * have the current cycle number. We get rid of them by overwriting them
1603 * with empty log records with the old cycle number rather than the
1606 * The tail lsn is passed in rather than taken from
1607 * the log so that we will not write over the unmount record after a
1608 * clean unmount in a 512 block log. Doing so would leave the log without
1609 * any valid log records in it until a new one was written. If we crashed
1610 * during that time we would not be able to recover.
1613 xlog_clear_stale_blocks(
1617 int tail_cycle, head_cycle;
1618 int tail_block, head_block;
1619 int tail_distance, max_distance;
1623 tail_cycle = CYCLE_LSN(tail_lsn);
1624 tail_block = BLOCK_LSN(tail_lsn);
1625 head_cycle = log->l_curr_cycle;
1626 head_block = log->l_curr_block;
1629 * Figure out the distance between the new head of the log
1630 * and the tail. We want to write over any blocks beyond the
1631 * head that we may have written just before the crash, but
1632 * we don't want to overwrite the tail of the log.
1634 if (head_cycle == tail_cycle) {
1636 * The tail is behind the head in the physical log,
1637 * so the distance from the head to the tail is the
1638 * distance from the head to the end of the log plus
1639 * the distance from the beginning of the log to the
1642 if (XFS_IS_CORRUPT(log->l_mp,
1643 head_block < tail_block ||
1644 head_block >= log->l_logBBsize))
1645 return -EFSCORRUPTED;
1646 tail_distance = tail_block + (log->l_logBBsize - head_block);
1649 * The head is behind the tail in the physical log,
1650 * so the distance from the head to the tail is just
1651 * the tail block minus the head block.
1653 if (XFS_IS_CORRUPT(log->l_mp,
1654 head_block >= tail_block ||
1655 head_cycle != tail_cycle + 1))
1656 return -EFSCORRUPTED;
1657 tail_distance = tail_block - head_block;
1661 * If the head is right up against the tail, we can't clear
1664 if (tail_distance <= 0) {
1665 ASSERT(tail_distance == 0);
1669 max_distance = XLOG_TOTAL_REC_SHIFT(log);
1671 * Take the smaller of the maximum amount of outstanding I/O
1672 * we could have and the distance to the tail to clear out.
1673 * We take the smaller so that we don't overwrite the tail and
1674 * we don't waste all day writing from the head to the tail
1677 max_distance = min(max_distance, tail_distance);
1679 if ((head_block + max_distance) <= log->l_logBBsize) {
1681 * We can stomp all the blocks we need to without
1682 * wrapping around the end of the log. Just do it
1683 * in a single write. Use the cycle number of the
1684 * current cycle minus one so that the log will look like:
1687 error = xlog_write_log_records(log, (head_cycle - 1),
1688 head_block, max_distance, tail_cycle,
1694 * We need to wrap around the end of the physical log in
1695 * order to clear all the blocks. Do it in two separate
1696 * I/Os. The first write should be from the head to the
1697 * end of the physical log, and it should use the current
1698 * cycle number minus one just like above.
1700 distance = log->l_logBBsize - head_block;
1701 error = xlog_write_log_records(log, (head_cycle - 1),
1702 head_block, distance, tail_cycle,
1709 * Now write the blocks at the start of the physical log.
1710 * This writes the remainder of the blocks we want to clear.
1711 * It uses the current cycle number since we're now on the
1712 * same cycle as the head so that we get:
1713 * n ... n ... | n - 1 ...
1714 * ^^^^^ blocks we're writing
1716 distance = max_distance - (log->l_logBBsize - head_block);
1717 error = xlog_write_log_records(log, head_cycle, 0, distance,
1718 tail_cycle, tail_block);
1727 * Release the recovered intent item in the AIL that matches the given intent
1728 * type and intent id.
1731 xlog_recover_release_intent(
1733 unsigned short intent_type,
1736 struct xfs_ail_cursor cur;
1737 struct xfs_log_item *lip;
1738 struct xfs_ail *ailp = log->l_ailp;
1740 spin_lock(&ailp->ail_lock);
1741 for (lip = xfs_trans_ail_cursor_first(ailp, &cur, 0); lip != NULL;
1742 lip = xfs_trans_ail_cursor_next(ailp, &cur)) {
1743 if (lip->li_type != intent_type)
1745 if (!lip->li_ops->iop_match(lip, intent_id))
1748 spin_unlock(&ailp->ail_lock);
1749 lip->li_ops->iop_release(lip);
1750 spin_lock(&ailp->ail_lock);
1754 xfs_trans_ail_cursor_done(&cur);
1755 spin_unlock(&ailp->ail_lock);
1758 /******************************************************************************
1760 * Log recover routines
1762 ******************************************************************************
1764 static const struct xlog_recover_item_ops *xlog_recover_item_ops[] = {
1766 &xlog_inode_item_ops,
1767 &xlog_dquot_item_ops,
1768 &xlog_quotaoff_item_ops,
1769 &xlog_icreate_item_ops,
1780 static const struct xlog_recover_item_ops *
1782 struct xlog_recover_item *item)
1786 for (i = 0; i < ARRAY_SIZE(xlog_recover_item_ops); i++)
1787 if (ITEM_TYPE(item) == xlog_recover_item_ops[i]->item_type)
1788 return xlog_recover_item_ops[i];
1794 * Sort the log items in the transaction.
1796 * The ordering constraints are defined by the inode allocation and unlink
1797 * behaviour. The rules are:
1799 * 1. Every item is only logged once in a given transaction. Hence it
1800 * represents the last logged state of the item. Hence ordering is
1801 * dependent on the order in which operations need to be performed so
1802 * required initial conditions are always met.
1804 * 2. Cancelled buffers are recorded in pass 1 in a separate table and
1805 * there's nothing to replay from them so we can simply cull them
1806 * from the transaction. However, we can't do that until after we've
1807 * replayed all the other items because they may be dependent on the
1808 * cancelled buffer and replaying the cancelled buffer can remove it
1809 * form the cancelled buffer table. Hence they have tobe done last.
1811 * 3. Inode allocation buffers must be replayed before inode items that
1812 * read the buffer and replay changes into it. For filesystems using the
1813 * ICREATE transactions, this means XFS_LI_ICREATE objects need to get
1814 * treated the same as inode allocation buffers as they create and
1815 * initialise the buffers directly.
1817 * 4. Inode unlink buffers must be replayed after inode items are replayed.
1818 * This ensures that inodes are completely flushed to the inode buffer
1819 * in a "free" state before we remove the unlinked inode list pointer.
1821 * Hence the ordering needs to be inode allocation buffers first, inode items
1822 * second, inode unlink buffers third and cancelled buffers last.
1824 * But there's a problem with that - we can't tell an inode allocation buffer
1825 * apart from a regular buffer, so we can't separate them. We can, however,
1826 * tell an inode unlink buffer from the others, and so we can separate them out
1827 * from all the other buffers and move them to last.
1829 * Hence, 4 lists, in order from head to tail:
1830 * - buffer_list for all buffers except cancelled/inode unlink buffers
1831 * - item_list for all non-buffer items
1832 * - inode_buffer_list for inode unlink buffers
1833 * - cancel_list for the cancelled buffers
1835 * Note that we add objects to the tail of the lists so that first-to-last
1836 * ordering is preserved within the lists. Adding objects to the head of the
1837 * list means when we traverse from the head we walk them in last-to-first
1838 * order. For cancelled buffers and inode unlink buffers this doesn't matter,
1839 * but for all other items there may be specific ordering that we need to
1843 xlog_recover_reorder_trans(
1845 struct xlog_recover *trans,
1848 struct xlog_recover_item *item, *n;
1850 LIST_HEAD(sort_list);
1851 LIST_HEAD(cancel_list);
1852 LIST_HEAD(buffer_list);
1853 LIST_HEAD(inode_buffer_list);
1854 LIST_HEAD(item_list);
1856 list_splice_init(&trans->r_itemq, &sort_list);
1857 list_for_each_entry_safe(item, n, &sort_list, ri_list) {
1858 enum xlog_recover_reorder fate = XLOG_REORDER_ITEM_LIST;
1860 item->ri_ops = xlog_find_item_ops(item);
1861 if (!item->ri_ops) {
1863 "%s: unrecognized type of log operation (%d)",
1864 __func__, ITEM_TYPE(item));
1867 * return the remaining items back to the transaction
1868 * item list so they can be freed in caller.
1870 if (!list_empty(&sort_list))
1871 list_splice_init(&sort_list, &trans->r_itemq);
1872 error = -EFSCORRUPTED;
1876 if (item->ri_ops->reorder)
1877 fate = item->ri_ops->reorder(item);
1880 case XLOG_REORDER_BUFFER_LIST:
1881 list_move_tail(&item->ri_list, &buffer_list);
1883 case XLOG_REORDER_CANCEL_LIST:
1884 trace_xfs_log_recover_item_reorder_head(log,
1886 list_move(&item->ri_list, &cancel_list);
1888 case XLOG_REORDER_INODE_BUFFER_LIST:
1889 list_move(&item->ri_list, &inode_buffer_list);
1891 case XLOG_REORDER_ITEM_LIST:
1892 trace_xfs_log_recover_item_reorder_tail(log,
1894 list_move_tail(&item->ri_list, &item_list);
1899 ASSERT(list_empty(&sort_list));
1900 if (!list_empty(&buffer_list))
1901 list_splice(&buffer_list, &trans->r_itemq);
1902 if (!list_empty(&item_list))
1903 list_splice_tail(&item_list, &trans->r_itemq);
1904 if (!list_empty(&inode_buffer_list))
1905 list_splice_tail(&inode_buffer_list, &trans->r_itemq);
1906 if (!list_empty(&cancel_list))
1907 list_splice_tail(&cancel_list, &trans->r_itemq);
1916 const struct xfs_buf_ops *ops)
1918 if (!xlog_is_buffer_cancelled(log, blkno, len))
1919 xfs_buf_readahead(log->l_mp->m_ddev_targp, blkno, len, ops);
1923 xlog_recover_items_pass2(
1925 struct xlog_recover *trans,
1926 struct list_head *buffer_list,
1927 struct list_head *item_list)
1929 struct xlog_recover_item *item;
1932 list_for_each_entry(item, item_list, ri_list) {
1933 trace_xfs_log_recover_item_recover(log, trans, item,
1934 XLOG_RECOVER_PASS2);
1936 if (item->ri_ops->commit_pass2)
1937 error = item->ri_ops->commit_pass2(log, buffer_list,
1938 item, trans->r_lsn);
1947 * Perform the transaction.
1949 * If the transaction modifies a buffer or inode, do it now. Otherwise,
1950 * EFIs and EFDs get queued up by adding entries into the AIL for them.
1953 xlog_recover_commit_trans(
1955 struct xlog_recover *trans,
1957 struct list_head *buffer_list)
1960 int items_queued = 0;
1961 struct xlog_recover_item *item;
1962 struct xlog_recover_item *next;
1963 LIST_HEAD (ra_list);
1964 LIST_HEAD (done_list);
1966 #define XLOG_RECOVER_COMMIT_QUEUE_MAX 100
1968 hlist_del_init(&trans->r_list);
1970 error = xlog_recover_reorder_trans(log, trans, pass);
1974 list_for_each_entry_safe(item, next, &trans->r_itemq, ri_list) {
1975 trace_xfs_log_recover_item_recover(log, trans, item, pass);
1978 case XLOG_RECOVER_PASS1:
1979 if (item->ri_ops->commit_pass1)
1980 error = item->ri_ops->commit_pass1(log, item);
1982 case XLOG_RECOVER_PASS2:
1983 if (item->ri_ops->ra_pass2)
1984 item->ri_ops->ra_pass2(log, item);
1985 list_move_tail(&item->ri_list, &ra_list);
1987 if (items_queued >= XLOG_RECOVER_COMMIT_QUEUE_MAX) {
1988 error = xlog_recover_items_pass2(log, trans,
1989 buffer_list, &ra_list);
1990 list_splice_tail_init(&ra_list, &done_list);
2004 if (!list_empty(&ra_list)) {
2006 error = xlog_recover_items_pass2(log, trans,
2007 buffer_list, &ra_list);
2008 list_splice_tail_init(&ra_list, &done_list);
2011 if (!list_empty(&done_list))
2012 list_splice_init(&done_list, &trans->r_itemq);
2018 xlog_recover_add_item(
2019 struct list_head *head)
2021 struct xlog_recover_item *item;
2023 item = kmem_zalloc(sizeof(struct xlog_recover_item), 0);
2024 INIT_LIST_HEAD(&item->ri_list);
2025 list_add_tail(&item->ri_list, head);
2029 xlog_recover_add_to_cont_trans(
2031 struct xlog_recover *trans,
2035 struct xlog_recover_item *item;
2036 char *ptr, *old_ptr;
2040 * If the transaction is empty, the header was split across this and the
2041 * previous record. Copy the rest of the header.
2043 if (list_empty(&trans->r_itemq)) {
2044 ASSERT(len <= sizeof(struct xfs_trans_header));
2045 if (len > sizeof(struct xfs_trans_header)) {
2046 xfs_warn(log->l_mp, "%s: bad header length", __func__);
2047 return -EFSCORRUPTED;
2050 xlog_recover_add_item(&trans->r_itemq);
2051 ptr = (char *)&trans->r_theader +
2052 sizeof(struct xfs_trans_header) - len;
2053 memcpy(ptr, dp, len);
2057 /* take the tail entry */
2058 item = list_entry(trans->r_itemq.prev, struct xlog_recover_item,
2061 old_ptr = item->ri_buf[item->ri_cnt-1].i_addr;
2062 old_len = item->ri_buf[item->ri_cnt-1].i_len;
2064 ptr = krealloc(old_ptr, len + old_len, GFP_KERNEL | __GFP_NOFAIL);
2065 memcpy(&ptr[old_len], dp, len);
2066 item->ri_buf[item->ri_cnt-1].i_len += len;
2067 item->ri_buf[item->ri_cnt-1].i_addr = ptr;
2068 trace_xfs_log_recover_item_add_cont(log, trans, item, 0);
2073 * The next region to add is the start of a new region. It could be
2074 * a whole region or it could be the first part of a new region. Because
2075 * of this, the assumption here is that the type and size fields of all
2076 * format structures fit into the first 32 bits of the structure.
2078 * This works because all regions must be 32 bit aligned. Therefore, we
2079 * either have both fields or we have neither field. In the case we have
2080 * neither field, the data part of the region is zero length. We only have
2081 * a log_op_header and can throw away the header since a new one will appear
2082 * later. If we have at least 4 bytes, then we can determine how many regions
2083 * will appear in the current log item.
2086 xlog_recover_add_to_trans(
2088 struct xlog_recover *trans,
2092 struct xfs_inode_log_format *in_f; /* any will do */
2093 struct xlog_recover_item *item;
2098 if (list_empty(&trans->r_itemq)) {
2099 /* we need to catch log corruptions here */
2100 if (*(uint *)dp != XFS_TRANS_HEADER_MAGIC) {
2101 xfs_warn(log->l_mp, "%s: bad header magic number",
2104 return -EFSCORRUPTED;
2107 if (len > sizeof(struct xfs_trans_header)) {
2108 xfs_warn(log->l_mp, "%s: bad header length", __func__);
2110 return -EFSCORRUPTED;
2114 * The transaction header can be arbitrarily split across op
2115 * records. If we don't have the whole thing here, copy what we
2116 * do have and handle the rest in the next record.
2118 if (len == sizeof(struct xfs_trans_header))
2119 xlog_recover_add_item(&trans->r_itemq);
2120 memcpy(&trans->r_theader, dp, len);
2124 ptr = kmem_alloc(len, 0);
2125 memcpy(ptr, dp, len);
2126 in_f = (struct xfs_inode_log_format *)ptr;
2128 /* take the tail entry */
2129 item = list_entry(trans->r_itemq.prev, struct xlog_recover_item,
2131 if (item->ri_total != 0 &&
2132 item->ri_total == item->ri_cnt) {
2133 /* tail item is in use, get a new one */
2134 xlog_recover_add_item(&trans->r_itemq);
2135 item = list_entry(trans->r_itemq.prev,
2136 struct xlog_recover_item, ri_list);
2139 if (item->ri_total == 0) { /* first region to be added */
2140 if (in_f->ilf_size == 0 ||
2141 in_f->ilf_size > XLOG_MAX_REGIONS_IN_ITEM) {
2143 "bad number of regions (%d) in inode log format",
2147 return -EFSCORRUPTED;
2150 item->ri_total = in_f->ilf_size;
2152 kmem_zalloc(item->ri_total * sizeof(xfs_log_iovec_t),
2156 if (item->ri_total <= item->ri_cnt) {
2158 "log item region count (%d) overflowed size (%d)",
2159 item->ri_cnt, item->ri_total);
2162 return -EFSCORRUPTED;
2165 /* Description region is ri_buf[0] */
2166 item->ri_buf[item->ri_cnt].i_addr = ptr;
2167 item->ri_buf[item->ri_cnt].i_len = len;
2169 trace_xfs_log_recover_item_add(log, trans, item, 0);
2174 * Free up any resources allocated by the transaction
2176 * Remember that EFIs, EFDs, and IUNLINKs are handled later.
2179 xlog_recover_free_trans(
2180 struct xlog_recover *trans)
2182 struct xlog_recover_item *item, *n;
2185 hlist_del_init(&trans->r_list);
2187 list_for_each_entry_safe(item, n, &trans->r_itemq, ri_list) {
2188 /* Free the regions in the item. */
2189 list_del(&item->ri_list);
2190 for (i = 0; i < item->ri_cnt; i++)
2191 kmem_free(item->ri_buf[i].i_addr);
2192 /* Free the item itself */
2193 kmem_free(item->ri_buf);
2196 /* Free the transaction recover structure */
2201 * On error or completion, trans is freed.
2204 xlog_recovery_process_trans(
2206 struct xlog_recover *trans,
2211 struct list_head *buffer_list)
2214 bool freeit = false;
2216 /* mask off ophdr transaction container flags */
2217 flags &= ~XLOG_END_TRANS;
2218 if (flags & XLOG_WAS_CONT_TRANS)
2219 flags &= ~XLOG_CONTINUE_TRANS;
2222 * Callees must not free the trans structure. We'll decide if we need to
2223 * free it or not based on the operation being done and it's result.
2226 /* expected flag values */
2228 case XLOG_CONTINUE_TRANS:
2229 error = xlog_recover_add_to_trans(log, trans, dp, len);
2231 case XLOG_WAS_CONT_TRANS:
2232 error = xlog_recover_add_to_cont_trans(log, trans, dp, len);
2234 case XLOG_COMMIT_TRANS:
2235 error = xlog_recover_commit_trans(log, trans, pass,
2237 /* success or fail, we are now done with this transaction. */
2241 /* unexpected flag values */
2242 case XLOG_UNMOUNT_TRANS:
2243 /* just skip trans */
2244 xfs_warn(log->l_mp, "%s: Unmount LR", __func__);
2247 case XLOG_START_TRANS:
2249 xfs_warn(log->l_mp, "%s: bad flag 0x%x", __func__, flags);
2251 error = -EFSCORRUPTED;
2254 if (error || freeit)
2255 xlog_recover_free_trans(trans);
2260 * Lookup the transaction recovery structure associated with the ID in the
2261 * current ophdr. If the transaction doesn't exist and the start flag is set in
2262 * the ophdr, then allocate a new transaction for future ID matches to find.
2263 * Either way, return what we found during the lookup - an existing transaction
2266 STATIC struct xlog_recover *
2267 xlog_recover_ophdr_to_trans(
2268 struct hlist_head rhash[],
2269 struct xlog_rec_header *rhead,
2270 struct xlog_op_header *ohead)
2272 struct xlog_recover *trans;
2274 struct hlist_head *rhp;
2276 tid = be32_to_cpu(ohead->oh_tid);
2277 rhp = &rhash[XLOG_RHASH(tid)];
2278 hlist_for_each_entry(trans, rhp, r_list) {
2279 if (trans->r_log_tid == tid)
2284 * skip over non-start transaction headers - we could be
2285 * processing slack space before the next transaction starts
2287 if (!(ohead->oh_flags & XLOG_START_TRANS))
2290 ASSERT(be32_to_cpu(ohead->oh_len) == 0);
2293 * This is a new transaction so allocate a new recovery container to
2294 * hold the recovery ops that will follow.
2296 trans = kmem_zalloc(sizeof(struct xlog_recover), 0);
2297 trans->r_log_tid = tid;
2298 trans->r_lsn = be64_to_cpu(rhead->h_lsn);
2299 INIT_LIST_HEAD(&trans->r_itemq);
2300 INIT_HLIST_NODE(&trans->r_list);
2301 hlist_add_head(&trans->r_list, rhp);
2304 * Nothing more to do for this ophdr. Items to be added to this new
2305 * transaction will be in subsequent ophdr containers.
2311 xlog_recover_process_ophdr(
2313 struct hlist_head rhash[],
2314 struct xlog_rec_header *rhead,
2315 struct xlog_op_header *ohead,
2319 struct list_head *buffer_list)
2321 struct xlog_recover *trans;
2325 /* Do we understand who wrote this op? */
2326 if (ohead->oh_clientid != XFS_TRANSACTION &&
2327 ohead->oh_clientid != XFS_LOG) {
2328 xfs_warn(log->l_mp, "%s: bad clientid 0x%x",
2329 __func__, ohead->oh_clientid);
2331 return -EFSCORRUPTED;
2335 * Check the ophdr contains all the data it is supposed to contain.
2337 len = be32_to_cpu(ohead->oh_len);
2338 if (dp + len > end) {
2339 xfs_warn(log->l_mp, "%s: bad length 0x%x", __func__, len);
2341 return -EFSCORRUPTED;
2344 trans = xlog_recover_ophdr_to_trans(rhash, rhead, ohead);
2346 /* nothing to do, so skip over this ophdr */
2351 * The recovered buffer queue is drained only once we know that all
2352 * recovery items for the current LSN have been processed. This is
2355 * - Buffer write submission updates the metadata LSN of the buffer.
2356 * - Log recovery skips items with a metadata LSN >= the current LSN of
2357 * the recovery item.
2358 * - Separate recovery items against the same metadata buffer can share
2359 * a current LSN. I.e., consider that the LSN of a recovery item is
2360 * defined as the starting LSN of the first record in which its
2361 * transaction appears, that a record can hold multiple transactions,
2362 * and/or that a transaction can span multiple records.
2364 * In other words, we are allowed to submit a buffer from log recovery
2365 * once per current LSN. Otherwise, we may incorrectly skip recovery
2366 * items and cause corruption.
2368 * We don't know up front whether buffers are updated multiple times per
2369 * LSN. Therefore, track the current LSN of each commit log record as it
2370 * is processed and drain the queue when it changes. Use commit records
2371 * because they are ordered correctly by the logging code.
2373 if (log->l_recovery_lsn != trans->r_lsn &&
2374 ohead->oh_flags & XLOG_COMMIT_TRANS) {
2375 error = xfs_buf_delwri_submit(buffer_list);
2378 log->l_recovery_lsn = trans->r_lsn;
2381 return xlog_recovery_process_trans(log, trans, dp, len,
2382 ohead->oh_flags, pass, buffer_list);
2386 * There are two valid states of the r_state field. 0 indicates that the
2387 * transaction structure is in a normal state. We have either seen the
2388 * start of the transaction or the last operation we added was not a partial
2389 * operation. If the last operation we added to the transaction was a
2390 * partial operation, we need to mark r_state with XLOG_WAS_CONT_TRANS.
2392 * NOTE: skip LRs with 0 data length.
2395 xlog_recover_process_data(
2397 struct hlist_head rhash[],
2398 struct xlog_rec_header *rhead,
2401 struct list_head *buffer_list)
2403 struct xlog_op_header *ohead;
2408 end = dp + be32_to_cpu(rhead->h_len);
2409 num_logops = be32_to_cpu(rhead->h_num_logops);
2411 /* check the log format matches our own - else we can't recover */
2412 if (xlog_header_check_recover(log->l_mp, rhead))
2415 trace_xfs_log_recover_record(log, rhead, pass);
2416 while ((dp < end) && num_logops) {
2418 ohead = (struct xlog_op_header *)dp;
2419 dp += sizeof(*ohead);
2422 /* errors will abort recovery */
2423 error = xlog_recover_process_ophdr(log, rhash, rhead, ohead,
2424 dp, end, pass, buffer_list);
2428 dp += be32_to_cpu(ohead->oh_len);
2434 /* Take all the collected deferred ops and finish them in order. */
2436 xlog_finish_defer_ops(
2437 struct xfs_mount *mp,
2438 struct list_head *capture_list)
2440 struct xfs_defer_capture *dfc, *next;
2441 struct xfs_trans *tp;
2442 struct xfs_inode *ip;
2445 list_for_each_entry_safe(dfc, next, capture_list, dfc_list) {
2446 struct xfs_trans_res resv;
2449 * Create a new transaction reservation from the captured
2450 * information. Set logcount to 1 to force the new transaction
2451 * to regrant every roll so that we can make forward progress
2452 * in recovery no matter how full the log might be.
2454 resv.tr_logres = dfc->dfc_logres;
2455 resv.tr_logcount = 1;
2456 resv.tr_logflags = XFS_TRANS_PERM_LOG_RES;
2458 error = xfs_trans_alloc(mp, &resv, dfc->dfc_blkres,
2459 dfc->dfc_rtxres, XFS_TRANS_RESERVE, &tp);
2464 * Transfer to this new transaction all the dfops we captured
2465 * from recovering a single intent item.
2467 list_del_init(&dfc->dfc_list);
2468 xfs_defer_ops_continue(dfc, tp, &ip);
2470 error = xfs_trans_commit(tp);
2472 xfs_iunlock(ip, XFS_ILOCK_EXCL);
2479 ASSERT(list_empty(capture_list));
2483 /* Release all the captured defer ops and capture structures in this list. */
2485 xlog_abort_defer_ops(
2486 struct xfs_mount *mp,
2487 struct list_head *capture_list)
2489 struct xfs_defer_capture *dfc;
2490 struct xfs_defer_capture *next;
2492 list_for_each_entry_safe(dfc, next, capture_list, dfc_list) {
2493 list_del_init(&dfc->dfc_list);
2494 xfs_defer_ops_release(mp, dfc);
2498 * When this is called, all of the log intent items which did not have
2499 * corresponding log done items should be in the AIL. What we do now
2500 * is update the data structures associated with each one.
2502 * Since we process the log intent items in normal transactions, they
2503 * will be removed at some point after the commit. This prevents us
2504 * from just walking down the list processing each one. We'll use a
2505 * flag in the intent item to skip those that we've already processed
2506 * and use the AIL iteration mechanism's generation count to try to
2507 * speed this up at least a bit.
2509 * When we start, we know that the intents are the only things in the
2510 * AIL. As we process them, however, other items are added to the
2514 xlog_recover_process_intents(
2517 LIST_HEAD(capture_list);
2518 struct xfs_ail_cursor cur;
2519 struct xfs_log_item *lip;
2520 struct xfs_ail *ailp;
2522 #if defined(DEBUG) || defined(XFS_WARN)
2527 spin_lock(&ailp->ail_lock);
2528 #if defined(DEBUG) || defined(XFS_WARN)
2529 last_lsn = xlog_assign_lsn(log->l_curr_cycle, log->l_curr_block);
2531 for (lip = xfs_trans_ail_cursor_first(ailp, &cur, 0);
2533 lip = xfs_trans_ail_cursor_next(ailp, &cur)) {
2535 * We're done when we see something other than an intent.
2536 * There should be no intents left in the AIL now.
2538 if (!xlog_item_is_intent(lip)) {
2540 for (; lip; lip = xfs_trans_ail_cursor_next(ailp, &cur))
2541 ASSERT(!xlog_item_is_intent(lip));
2547 * We should never see a redo item with a LSN higher than
2548 * the last transaction we found in the log at the start
2551 ASSERT(XFS_LSN_CMP(last_lsn, lip->li_lsn) >= 0);
2554 * NOTE: If your intent processing routine can create more
2555 * deferred ops, you /must/ attach them to the capture list in
2556 * the recover routine or else those subsequent intents will be
2557 * replayed in the wrong order!
2559 spin_unlock(&ailp->ail_lock);
2560 error = lip->li_ops->iop_recover(lip, &capture_list);
2561 spin_lock(&ailp->ail_lock);
2563 trace_xlog_intent_recovery_failed(log->l_mp, error,
2564 lip->li_ops->iop_recover);
2569 xfs_trans_ail_cursor_done(&cur);
2570 spin_unlock(&ailp->ail_lock);
2574 error = xlog_finish_defer_ops(log->l_mp, &capture_list);
2580 xlog_abort_defer_ops(log->l_mp, &capture_list);
2585 * A cancel occurs when the mount has failed and we're bailing out.
2586 * Release all pending log intent items so they don't pin the AIL.
2589 xlog_recover_cancel_intents(
2592 struct xfs_log_item *lip;
2593 struct xfs_ail_cursor cur;
2594 struct xfs_ail *ailp;
2597 spin_lock(&ailp->ail_lock);
2598 lip = xfs_trans_ail_cursor_first(ailp, &cur, 0);
2599 while (lip != NULL) {
2601 * We're done when we see something other than an intent.
2602 * There should be no intents left in the AIL now.
2604 if (!xlog_item_is_intent(lip)) {
2606 for (; lip; lip = xfs_trans_ail_cursor_next(ailp, &cur))
2607 ASSERT(!xlog_item_is_intent(lip));
2612 spin_unlock(&ailp->ail_lock);
2613 lip->li_ops->iop_release(lip);
2614 spin_lock(&ailp->ail_lock);
2615 lip = xfs_trans_ail_cursor_next(ailp, &cur);
2618 xfs_trans_ail_cursor_done(&cur);
2619 spin_unlock(&ailp->ail_lock);
2623 * This routine performs a transaction to null out a bad inode pointer
2624 * in an agi unlinked inode hash bucket.
2627 xlog_recover_clear_agi_bucket(
2629 xfs_agnumber_t agno,
2634 struct xfs_buf *agibp;
2638 error = xfs_trans_alloc(mp, &M_RES(mp)->tr_clearagi, 0, 0, 0, &tp);
2642 error = xfs_read_agi(mp, tp, agno, &agibp);
2646 agi = agibp->b_addr;
2647 agi->agi_unlinked[bucket] = cpu_to_be32(NULLAGINO);
2648 offset = offsetof(xfs_agi_t, agi_unlinked) +
2649 (sizeof(xfs_agino_t) * bucket);
2650 xfs_trans_log_buf(tp, agibp, offset,
2651 (offset + sizeof(xfs_agino_t) - 1));
2653 error = xfs_trans_commit(tp);
2659 xfs_trans_cancel(tp);
2661 xfs_warn(mp, "%s: failed to clear agi %d. Continuing.", __func__, agno);
2666 xlog_recover_process_one_iunlink(
2667 struct xfs_mount *mp,
2668 xfs_agnumber_t agno,
2672 struct xfs_buf *ibp;
2673 struct xfs_dinode *dip;
2674 struct xfs_inode *ip;
2678 ino = XFS_AGINO_TO_INO(mp, agno, agino);
2679 error = xfs_iget(mp, NULL, ino, 0, 0, &ip);
2684 * Get the on disk inode to find the next inode in the bucket.
2686 error = xfs_imap_to_bp(mp, NULL, &ip->i_imap, &dip, &ibp, 0);
2690 xfs_iflags_clear(ip, XFS_IRECOVERY);
2691 ASSERT(VFS_I(ip)->i_nlink == 0);
2692 ASSERT(VFS_I(ip)->i_mode != 0);
2694 /* setup for the next pass */
2695 agino = be32_to_cpu(dip->di_next_unlinked);
2699 * Prevent any DMAPI event from being sent when the reference on
2700 * the inode is dropped.
2702 ip->i_d.di_dmevmask = 0;
2711 * We can't read in the inode this bucket points to, or this inode
2712 * is messed up. Just ditch this bucket of inodes. We will lose
2713 * some inodes and space, but at least we won't hang.
2715 * Call xlog_recover_clear_agi_bucket() to perform a transaction to
2716 * clear the inode pointer in the bucket.
2718 xlog_recover_clear_agi_bucket(mp, agno, bucket);
2723 * Recover AGI unlinked lists
2725 * This is called during recovery to process any inodes which we unlinked but
2726 * not freed when the system crashed. These inodes will be on the lists in the
2727 * AGI blocks. What we do here is scan all the AGIs and fully truncate and free
2728 * any inodes found on the lists. Each inode is removed from the lists when it
2729 * has been fully truncated and is freed. The freeing of the inode and its
2730 * removal from the list must be atomic.
2732 * If everything we touch in the agi processing loop is already in memory, this
2733 * loop can hold the cpu for a long time. It runs without lock contention,
2734 * memory allocation contention, the need wait for IO, etc, and so will run
2735 * until we either run out of inodes to process, run low on memory or we run out
2738 * This behaviour is bad for latency on single CPU and non-preemptible kernels,
2739 * and can prevent other filesytem work (such as CIL pushes) from running. This
2740 * can lead to deadlocks if the recovery process runs out of log reservation
2741 * space. Hence we need to yield the CPU when there is other kernel work
2742 * scheduled on this CPU to ensure other scheduled work can run without undue
2746 xlog_recover_process_iunlinks(
2750 xfs_agnumber_t agno;
2752 struct xfs_buf *agibp;
2759 for (agno = 0; agno < mp->m_sb.sb_agcount; agno++) {
2761 * Find the agi for this ag.
2763 error = xfs_read_agi(mp, NULL, agno, &agibp);
2766 * AGI is b0rked. Don't process it.
2768 * We should probably mark the filesystem as corrupt
2769 * after we've recovered all the ag's we can....
2774 * Unlock the buffer so that it can be acquired in the normal
2775 * course of the transaction to truncate and free each inode.
2776 * Because we are not racing with anyone else here for the AGI
2777 * buffer, we don't even need to hold it locked to read the
2778 * initial unlinked bucket entries out of the buffer. We keep
2779 * buffer reference though, so that it stays pinned in memory
2780 * while we need the buffer.
2782 agi = agibp->b_addr;
2783 xfs_buf_unlock(agibp);
2785 for (bucket = 0; bucket < XFS_AGI_UNLINKED_BUCKETS; bucket++) {
2786 agino = be32_to_cpu(agi->agi_unlinked[bucket]);
2787 while (agino != NULLAGINO) {
2788 agino = xlog_recover_process_one_iunlink(mp,
2789 agno, agino, bucket);
2793 xfs_buf_rele(agibp);
2799 struct xlog_rec_header *rhead,
2805 for (i = 0; i < BTOBB(be32_to_cpu(rhead->h_len)) &&
2806 i < (XLOG_HEADER_CYCLE_SIZE / BBSIZE); i++) {
2807 *(__be32 *)dp = *(__be32 *)&rhead->h_cycle_data[i];
2811 if (xfs_sb_version_haslogv2(&log->l_mp->m_sb)) {
2812 xlog_in_core_2_t *xhdr = (xlog_in_core_2_t *)rhead;
2813 for ( ; i < BTOBB(be32_to_cpu(rhead->h_len)); i++) {
2814 j = i / (XLOG_HEADER_CYCLE_SIZE / BBSIZE);
2815 k = i % (XLOG_HEADER_CYCLE_SIZE / BBSIZE);
2816 *(__be32 *)dp = xhdr[j].hic_xheader.xh_cycle_data[k];
2823 * CRC check, unpack and process a log record.
2826 xlog_recover_process(
2828 struct hlist_head rhash[],
2829 struct xlog_rec_header *rhead,
2832 struct list_head *buffer_list)
2834 __le32 old_crc = rhead->h_crc;
2837 crc = xlog_cksum(log, rhead, dp, be32_to_cpu(rhead->h_len));
2840 * Nothing else to do if this is a CRC verification pass. Just return
2841 * if this a record with a non-zero crc. Unfortunately, mkfs always
2842 * sets old_crc to 0 so we must consider this valid even on v5 supers.
2843 * Otherwise, return EFSBADCRC on failure so the callers up the stack
2844 * know precisely what failed.
2846 if (pass == XLOG_RECOVER_CRCPASS) {
2847 if (old_crc && crc != old_crc)
2853 * We're in the normal recovery path. Issue a warning if and only if the
2854 * CRC in the header is non-zero. This is an advisory warning and the
2855 * zero CRC check prevents warnings from being emitted when upgrading
2856 * the kernel from one that does not add CRCs by default.
2858 if (crc != old_crc) {
2859 if (old_crc || xfs_sb_version_hascrc(&log->l_mp->m_sb)) {
2860 xfs_alert(log->l_mp,
2861 "log record CRC mismatch: found 0x%x, expected 0x%x.",
2862 le32_to_cpu(old_crc),
2864 xfs_hex_dump(dp, 32);
2868 * If the filesystem is CRC enabled, this mismatch becomes a
2869 * fatal log corruption failure.
2871 if (xfs_sb_version_hascrc(&log->l_mp->m_sb)) {
2872 XFS_ERROR_REPORT(__func__, XFS_ERRLEVEL_LOW, log->l_mp);
2873 return -EFSCORRUPTED;
2877 xlog_unpack_data(rhead, dp, log);
2879 return xlog_recover_process_data(log, rhash, rhead, dp, pass,
2884 xlog_valid_rec_header(
2886 struct xlog_rec_header *rhead,
2892 if (XFS_IS_CORRUPT(log->l_mp,
2893 rhead->h_magicno != cpu_to_be32(XLOG_HEADER_MAGIC_NUM)))
2894 return -EFSCORRUPTED;
2895 if (XFS_IS_CORRUPT(log->l_mp,
2896 (!rhead->h_version ||
2897 (be32_to_cpu(rhead->h_version) &
2898 (~XLOG_VERSION_OKBITS))))) {
2899 xfs_warn(log->l_mp, "%s: unrecognised log version (%d).",
2900 __func__, be32_to_cpu(rhead->h_version));
2901 return -EFSCORRUPTED;
2905 * LR body must have data (or it wouldn't have been written)
2906 * and h_len must not be greater than LR buffer size.
2908 hlen = be32_to_cpu(rhead->h_len);
2909 if (XFS_IS_CORRUPT(log->l_mp, hlen <= 0 || hlen > bufsize))
2910 return -EFSCORRUPTED;
2912 if (XFS_IS_CORRUPT(log->l_mp,
2913 blkno > log->l_logBBsize || blkno > INT_MAX))
2914 return -EFSCORRUPTED;
2919 * Read the log from tail to head and process the log records found.
2920 * Handle the two cases where the tail and head are in the same cycle
2921 * and where the active portion of the log wraps around the end of
2922 * the physical log separately. The pass parameter is passed through
2923 * to the routines called to process the data and is not looked at
2927 xlog_do_recovery_pass(
2929 xfs_daddr_t head_blk,
2930 xfs_daddr_t tail_blk,
2932 xfs_daddr_t *first_bad) /* out: first bad log rec */
2934 xlog_rec_header_t *rhead;
2935 xfs_daddr_t blk_no, rblk_no;
2936 xfs_daddr_t rhead_blk;
2939 int error = 0, h_size, h_len;
2941 int bblks, split_bblks;
2942 int hblks, split_hblks, wrapped_hblks;
2944 struct hlist_head rhash[XLOG_RHASH_SIZE];
2945 LIST_HEAD (buffer_list);
2947 ASSERT(head_blk != tail_blk);
2948 blk_no = rhead_blk = tail_blk;
2950 for (i = 0; i < XLOG_RHASH_SIZE; i++)
2951 INIT_HLIST_HEAD(&rhash[i]);
2954 * Read the header of the tail block and get the iclog buffer size from
2955 * h_size. Use this to tell how many sectors make up the log header.
2957 if (xfs_sb_version_haslogv2(&log->l_mp->m_sb)) {
2959 * When using variable length iclogs, read first sector of
2960 * iclog header and extract the header size from it. Get a
2961 * new hbp that is the correct size.
2963 hbp = xlog_alloc_buffer(log, 1);
2967 error = xlog_bread(log, tail_blk, 1, hbp, &offset);
2971 rhead = (xlog_rec_header_t *)offset;
2974 * xfsprogs has a bug where record length is based on lsunit but
2975 * h_size (iclog size) is hardcoded to 32k. Now that we
2976 * unconditionally CRC verify the unmount record, this means the
2977 * log buffer can be too small for the record and cause an
2980 * Detect this condition here. Use lsunit for the buffer size as
2981 * long as this looks like the mkfs case. Otherwise, return an
2982 * error to avoid a buffer overrun.
2984 h_size = be32_to_cpu(rhead->h_size);
2985 h_len = be32_to_cpu(rhead->h_len);
2986 if (h_len > h_size && h_len <= log->l_mp->m_logbsize &&
2987 rhead->h_num_logops == cpu_to_be32(1)) {
2989 "invalid iclog size (%d bytes), using lsunit (%d bytes)",
2990 h_size, log->l_mp->m_logbsize);
2991 h_size = log->l_mp->m_logbsize;
2994 error = xlog_valid_rec_header(log, rhead, tail_blk, h_size);
2998 hblks = xlog_logrec_hblks(log, rhead);
3001 hbp = xlog_alloc_buffer(log, hblks);
3004 ASSERT(log->l_sectBBsize == 1);
3006 hbp = xlog_alloc_buffer(log, 1);
3007 h_size = XLOG_BIG_RECORD_BSIZE;
3012 dbp = xlog_alloc_buffer(log, BTOBB(h_size));
3018 memset(rhash, 0, sizeof(rhash));
3019 if (tail_blk > head_blk) {
3021 * Perform recovery around the end of the physical log.
3022 * When the head is not on the same cycle number as the tail,
3023 * we can't do a sequential recovery.
3025 while (blk_no < log->l_logBBsize) {
3027 * Check for header wrapping around physical end-of-log
3032 if (blk_no + hblks <= log->l_logBBsize) {
3033 /* Read header in one read */
3034 error = xlog_bread(log, blk_no, hblks, hbp,
3039 /* This LR is split across physical log end */
3040 if (blk_no != log->l_logBBsize) {
3041 /* some data before physical log end */
3042 ASSERT(blk_no <= INT_MAX);
3043 split_hblks = log->l_logBBsize - (int)blk_no;
3044 ASSERT(split_hblks > 0);
3045 error = xlog_bread(log, blk_no,
3053 * Note: this black magic still works with
3054 * large sector sizes (non-512) only because:
3055 * - we increased the buffer size originally
3056 * by 1 sector giving us enough extra space
3057 * for the second read;
3058 * - the log start is guaranteed to be sector
3060 * - we read the log end (LR header start)
3061 * _first_, then the log start (LR header end)
3062 * - order is important.
3064 wrapped_hblks = hblks - split_hblks;
3065 error = xlog_bread_noalign(log, 0,
3067 offset + BBTOB(split_hblks));
3071 rhead = (xlog_rec_header_t *)offset;
3072 error = xlog_valid_rec_header(log, rhead,
3073 split_hblks ? blk_no : 0, h_size);
3077 bblks = (int)BTOBB(be32_to_cpu(rhead->h_len));
3081 * Read the log record data in multiple reads if it
3082 * wraps around the end of the log. Note that if the
3083 * header already wrapped, blk_no could point past the
3084 * end of the log. The record data is contiguous in
3087 if (blk_no + bblks <= log->l_logBBsize ||
3088 blk_no >= log->l_logBBsize) {
3089 rblk_no = xlog_wrap_logbno(log, blk_no);
3090 error = xlog_bread(log, rblk_no, bblks, dbp,
3095 /* This log record is split across the
3096 * physical end of log */
3099 if (blk_no != log->l_logBBsize) {
3100 /* some data is before the physical
3102 ASSERT(!wrapped_hblks);
3103 ASSERT(blk_no <= INT_MAX);
3105 log->l_logBBsize - (int)blk_no;
3106 ASSERT(split_bblks > 0);
3107 error = xlog_bread(log, blk_no,
3115 * Note: this black magic still works with
3116 * large sector sizes (non-512) only because:
3117 * - we increased the buffer size originally
3118 * by 1 sector giving us enough extra space
3119 * for the second read;
3120 * - the log start is guaranteed to be sector
3122 * - we read the log end (LR header start)
3123 * _first_, then the log start (LR header end)
3124 * - order is important.
3126 error = xlog_bread_noalign(log, 0,
3127 bblks - split_bblks,
3128 offset + BBTOB(split_bblks));
3133 error = xlog_recover_process(log, rhash, rhead, offset,
3134 pass, &buffer_list);
3142 ASSERT(blk_no >= log->l_logBBsize);
3143 blk_no -= log->l_logBBsize;
3147 /* read first part of physical log */
3148 while (blk_no < head_blk) {
3149 error = xlog_bread(log, blk_no, hblks, hbp, &offset);
3153 rhead = (xlog_rec_header_t *)offset;
3154 error = xlog_valid_rec_header(log, rhead, blk_no, h_size);
3158 /* blocks in data section */
3159 bblks = (int)BTOBB(be32_to_cpu(rhead->h_len));
3160 error = xlog_bread(log, blk_no+hblks, bblks, dbp,
3165 error = xlog_recover_process(log, rhash, rhead, offset, pass,
3170 blk_no += bblks + hblks;
3180 * Submit buffers that have been added from the last record processed,
3181 * regardless of error status.
3183 if (!list_empty(&buffer_list))
3184 error2 = xfs_buf_delwri_submit(&buffer_list);
3186 if (error && first_bad)
3187 *first_bad = rhead_blk;
3190 * Transactions are freed at commit time but transactions without commit
3191 * records on disk are never committed. Free any that may be left in the
3194 for (i = 0; i < XLOG_RHASH_SIZE; i++) {
3195 struct hlist_node *tmp;
3196 struct xlog_recover *trans;
3198 hlist_for_each_entry_safe(trans, tmp, &rhash[i], r_list)
3199 xlog_recover_free_trans(trans);
3202 return error ? error : error2;
3206 * Do the recovery of the log. We actually do this in two phases.
3207 * The two passes are necessary in order to implement the function
3208 * of cancelling a record written into the log. The first pass
3209 * determines those things which have been cancelled, and the
3210 * second pass replays log items normally except for those which
3211 * have been cancelled. The handling of the replay and cancellations
3212 * takes place in the log item type specific routines.
3214 * The table of items which have cancel records in the log is allocated
3215 * and freed at this level, since only here do we know when all of
3216 * the log recovery has been completed.
3219 xlog_do_log_recovery(
3221 xfs_daddr_t head_blk,
3222 xfs_daddr_t tail_blk)
3226 ASSERT(head_blk != tail_blk);
3229 * First do a pass to find all of the cancelled buf log items.
3230 * Store them in the buf_cancel_table for use in the second pass.
3232 log->l_buf_cancel_table = kmem_zalloc(XLOG_BC_TABLE_SIZE *
3233 sizeof(struct list_head),
3235 for (i = 0; i < XLOG_BC_TABLE_SIZE; i++)
3236 INIT_LIST_HEAD(&log->l_buf_cancel_table[i]);
3238 error = xlog_do_recovery_pass(log, head_blk, tail_blk,
3239 XLOG_RECOVER_PASS1, NULL);
3241 kmem_free(log->l_buf_cancel_table);
3242 log->l_buf_cancel_table = NULL;
3246 * Then do a second pass to actually recover the items in the log.
3247 * When it is complete free the table of buf cancel items.
3249 error = xlog_do_recovery_pass(log, head_blk, tail_blk,
3250 XLOG_RECOVER_PASS2, NULL);
3255 for (i = 0; i < XLOG_BC_TABLE_SIZE; i++)
3256 ASSERT(list_empty(&log->l_buf_cancel_table[i]));
3260 kmem_free(log->l_buf_cancel_table);
3261 log->l_buf_cancel_table = NULL;
3267 * Do the actual recovery
3272 xfs_daddr_t head_blk,
3273 xfs_daddr_t tail_blk)
3275 struct xfs_mount *mp = log->l_mp;
3276 struct xfs_buf *bp = mp->m_sb_bp;
3277 struct xfs_sb *sbp = &mp->m_sb;
3280 trace_xfs_log_recover(log, head_blk, tail_blk);
3283 * First replay the images in the log.
3285 error = xlog_do_log_recovery(log, head_blk, tail_blk);
3290 * If IO errors happened during recovery, bail out.
3292 if (XFS_FORCED_SHUTDOWN(mp))
3296 * We now update the tail_lsn since much of the recovery has completed
3297 * and there may be space available to use. If there were no extent
3298 * or iunlinks, we can free up the entire log and set the tail_lsn to
3299 * be the last_sync_lsn. This was set in xlog_find_tail to be the
3300 * lsn of the last known good LR on disk. If there are extent frees
3301 * or iunlinks they will have some entries in the AIL; so we look at
3302 * the AIL to determine how to set the tail_lsn.
3304 xlog_assign_tail_lsn(mp);
3307 * Now that we've finished replaying all buffer and inode updates,
3308 * re-read the superblock and reverify it.
3312 error = _xfs_buf_read(bp, XBF_READ);
3314 if (!XFS_FORCED_SHUTDOWN(mp)) {
3315 xfs_buf_ioerror_alert(bp, __this_address);
3322 /* Convert superblock from on-disk format */
3323 xfs_sb_from_disk(sbp, bp->b_addr);
3326 /* re-initialise in-core superblock and geometry structures */
3327 xfs_reinit_percpu_counters(mp);
3328 error = xfs_initialize_perag(mp, sbp->sb_agcount, &mp->m_maxagi);
3330 xfs_warn(mp, "Failed post-recovery per-ag init: %d", error);
3333 mp->m_alloc_set_aside = xfs_alloc_set_aside(mp);
3335 xlog_recover_check_summary(log);
3337 /* Normal transactions can now occur */
3338 log->l_flags &= ~XLOG_ACTIVE_RECOVERY;
3343 * Perform recovery and re-initialize some log variables in xlog_find_tail.
3345 * Return error or zero.
3351 xfs_daddr_t head_blk, tail_blk;
3354 /* find the tail of the log */
3355 error = xlog_find_tail(log, &head_blk, &tail_blk);
3360 * The superblock was read before the log was available and thus the LSN
3361 * could not be verified. Check the superblock LSN against the current
3362 * LSN now that it's known.
3364 if (xfs_sb_version_hascrc(&log->l_mp->m_sb) &&
3365 !xfs_log_check_lsn(log->l_mp, log->l_mp->m_sb.sb_lsn))
3368 if (tail_blk != head_blk) {
3369 /* There used to be a comment here:
3371 * disallow recovery on read-only mounts. note -- mount
3372 * checks for ENOSPC and turns it into an intelligent
3374 * ...but this is no longer true. Now, unless you specify
3375 * NORECOVERY (in which case this function would never be
3376 * called), we just go ahead and recover. We do this all
3377 * under the vfs layer, so we can get away with it unless
3378 * the device itself is read-only, in which case we fail.
3380 if ((error = xfs_dev_is_read_only(log->l_mp, "recovery"))) {
3385 * Version 5 superblock log feature mask validation. We know the
3386 * log is dirty so check if there are any unknown log features
3387 * in what we need to recover. If there are unknown features
3388 * (e.g. unsupported transactions, then simply reject the
3389 * attempt at recovery before touching anything.
3391 if (XFS_SB_VERSION_NUM(&log->l_mp->m_sb) == XFS_SB_VERSION_5 &&
3392 xfs_sb_has_incompat_log_feature(&log->l_mp->m_sb,
3393 XFS_SB_FEAT_INCOMPAT_LOG_UNKNOWN)) {
3395 "Superblock has unknown incompatible log features (0x%x) enabled.",
3396 (log->l_mp->m_sb.sb_features_log_incompat &
3397 XFS_SB_FEAT_INCOMPAT_LOG_UNKNOWN));
3399 "The log can not be fully and/or safely recovered by this kernel.");
3401 "Please recover the log on a kernel that supports the unknown features.");
3406 * Delay log recovery if the debug hook is set. This is debug
3407 * instrumention to coordinate simulation of I/O failures with
3410 if (xfs_globals.log_recovery_delay) {
3411 xfs_notice(log->l_mp,
3412 "Delaying log recovery for %d seconds.",
3413 xfs_globals.log_recovery_delay);
3414 msleep(xfs_globals.log_recovery_delay * 1000);
3417 xfs_notice(log->l_mp, "Starting recovery (logdev: %s)",
3418 log->l_mp->m_logname ? log->l_mp->m_logname
3421 error = xlog_do_recover(log, head_blk, tail_blk);
3422 log->l_flags |= XLOG_RECOVERY_NEEDED;
3428 * In the first part of recovery we replay inodes and buffers and build
3429 * up the list of extent free items which need to be processed. Here
3430 * we process the extent free items and clean up the on disk unlinked
3431 * inode lists. This is separated from the first part of recovery so
3432 * that the root and real-time bitmap inodes can be read in from disk in
3433 * between the two stages. This is necessary so that we can free space
3434 * in the real-time portion of the file system.
3437 xlog_recover_finish(
3441 * Now we're ready to do the transactions needed for the
3442 * rest of recovery. Start with completing all the extent
3443 * free intent records and then process the unlinked inode
3444 * lists. At this point, we essentially run in normal mode
3445 * except that we're still performing recovery actions
3446 * rather than accepting new requests.
3448 if (log->l_flags & XLOG_RECOVERY_NEEDED) {
3450 error = xlog_recover_process_intents(log);
3453 * Cancel all the unprocessed intent items now so that
3454 * we don't leave them pinned in the AIL. This can
3455 * cause the AIL to livelock on the pinned item if
3456 * anyone tries to push the AIL (inode reclaim does
3457 * this) before we get around to xfs_log_mount_cancel.
3459 xlog_recover_cancel_intents(log);
3460 xfs_alert(log->l_mp, "Failed to recover intents");
3465 * Sync the log to get all the intents out of the AIL.
3466 * This isn't absolutely necessary, but it helps in
3467 * case the unlink transactions would have problems
3468 * pushing the intents out of the way.
3470 xfs_log_force(log->l_mp, XFS_LOG_SYNC);
3472 xlog_recover_process_iunlinks(log);
3474 xlog_recover_check_summary(log);
3476 xfs_notice(log->l_mp, "Ending recovery (logdev: %s)",
3477 log->l_mp->m_logname ? log->l_mp->m_logname
3479 log->l_flags &= ~XLOG_RECOVERY_NEEDED;
3481 xfs_info(log->l_mp, "Ending clean mount");
3487 xlog_recover_cancel(
3490 if (log->l_flags & XLOG_RECOVERY_NEEDED)
3491 xlog_recover_cancel_intents(log);
3496 * Read all of the agf and agi counters and check that they
3497 * are consistent with the superblock counters.
3500 xlog_recover_check_summary(
3504 struct xfs_buf *agfbp;
3505 struct xfs_buf *agibp;
3506 xfs_agnumber_t agno;
3517 for (agno = 0; agno < mp->m_sb.sb_agcount; agno++) {
3518 error = xfs_read_agf(mp, NULL, agno, 0, &agfbp);
3520 xfs_alert(mp, "%s agf read failed agno %d error %d",
3521 __func__, agno, error);
3523 struct xfs_agf *agfp = agfbp->b_addr;
3525 freeblks += be32_to_cpu(agfp->agf_freeblks) +
3526 be32_to_cpu(agfp->agf_flcount);
3527 xfs_buf_relse(agfbp);
3530 error = xfs_read_agi(mp, NULL, agno, &agibp);
3532 xfs_alert(mp, "%s agi read failed agno %d error %d",
3533 __func__, agno, error);
3535 struct xfs_agi *agi = agibp->b_addr;
3537 itotal += be32_to_cpu(agi->agi_count);
3538 ifree += be32_to_cpu(agi->agi_freecount);
3539 xfs_buf_relse(agibp);
projects / linux-2.6-microblaze.git / blob