Loading...
1// SPDX-License-Identifier: GPL-2.0-or-later
2/*
3 * Copyright (c) 2021-2024 Oracle. All Rights Reserved.
4 * Author: Darrick J. Wong <djwong@kernel.org>
5 */
6#include "xfs.h"
7#include "xfs_fs.h"
8#include "xfs_shared.h"
9#include "xfs_format.h"
10#include "xfs_trans_resv.h"
11#include "xfs_mount.h"
12#include "xfs_log_format.h"
13#include "xfs_trans.h"
14#include "xfs_inode.h"
15#include "xfs_icache.h"
16#include "xfs_bmap_util.h"
17#include "xfs_iwalk.h"
18#include "xfs_ialloc.h"
19#include "xfs_sb.h"
20#include "scrub/scrub.h"
21#include "scrub/common.h"
22#include "scrub/repair.h"
23#include "scrub/xfile.h"
24#include "scrub/xfarray.h"
25#include "scrub/iscan.h"
26#include "scrub/nlinks.h"
27#include "scrub/trace.h"
28
29/*
30 * Live Inode Link Count Repair
31 * ============================
32 *
33 * Use the live inode link count information that we collected to replace the
34 * nlink values of the incore inodes. A scrub->repair cycle should have left
35 * the live data and hooks active, so this is safe so long as we make sure the
36 * inode is locked.
37 */
38
39/*
40 * Correct the link count of the given inode. Because we have to grab locks
41 * and resources in a certain order, it's possible that this will be a no-op.
42 */
43STATIC int
44xrep_nlinks_repair_inode(
45 struct xchk_nlink_ctrs *xnc)
46{
47 struct xchk_nlink obs;
48 struct xfs_scrub *sc = xnc->sc;
49 struct xfs_mount *mp = sc->mp;
50 struct xfs_inode *ip = sc->ip;
51 uint64_t total_links;
52 uint64_t actual_nlink;
53 bool dirty = false;
54 int error;
55
56 xchk_ilock(sc, XFS_IOLOCK_EXCL);
57
58 error = xfs_trans_alloc(mp, &M_RES(mp)->tr_link, 0, 0, 0, &sc->tp);
59 if (error)
60 return error;
61
62 xchk_ilock(sc, XFS_ILOCK_EXCL);
63 xfs_trans_ijoin(sc->tp, ip, 0);
64
65 mutex_lock(&xnc->lock);
66
67 if (xchk_iscan_aborted(&xnc->collect_iscan)) {
68 error = -ECANCELED;
69 goto out_scanlock;
70 }
71
72 error = xfarray_load_sparse(xnc->nlinks, ip->i_ino, &obs);
73 if (error)
74 goto out_scanlock;
75
76 /*
77 * We're done accessing the shared scan data, so we can drop the lock.
78 * We still hold @ip's ILOCK, so its link count cannot change.
79 */
80 mutex_unlock(&xnc->lock);
81
82 total_links = xchk_nlink_total(ip, &obs);
83 actual_nlink = VFS_I(ip)->i_nlink;
84
85 /*
86 * Non-directories cannot have directories pointing up to them.
87 *
88 * We previously set error to zero, but set it again because one static
89 * checker author fears that programmers will fail to maintain this
90 * invariant and built their tool to flag this as a security risk. A
91 * different tool author made their bot complain about the redundant
92 * store. This is a never-ending and stupid battle; both tools missed
93 * *actual bugs* elsewhere; and I no longer care.
94 */
95 if (!S_ISDIR(VFS_I(ip)->i_mode) && obs.children != 0) {
96 trace_xrep_nlinks_unfixable_inode(mp, ip, &obs);
97 error = 0;
98 goto out_trans;
99 }
100
101 /*
102 * We did not find any links to this inode. If the inode agrees, we
103 * have nothing further to do. If not, the inode has a nonzero link
104 * count and we don't have anywhere to graft the child onto. Dropping
105 * a live inode's link count to zero can cause unexpected shutdowns in
106 * inactivation, so leave it alone.
107 */
108 if (total_links == 0) {
109 if (actual_nlink != 0)
110 trace_xrep_nlinks_unfixable_inode(mp, ip, &obs);
111 goto out_trans;
112 }
113
114 /* Commit the new link count if it changed. */
115 if (total_links != actual_nlink) {
116 if (total_links > XFS_MAXLINK) {
117 trace_xrep_nlinks_unfixable_inode(mp, ip, &obs);
118 goto out_trans;
119 }
120
121 trace_xrep_nlinks_update_inode(mp, ip, &obs);
122
123 set_nlink(VFS_I(ip), total_links);
124 dirty = true;
125 }
126
127 if (!dirty) {
128 error = 0;
129 goto out_trans;
130 }
131
132 xfs_trans_log_inode(sc->tp, ip, XFS_ILOG_CORE);
133
134 error = xrep_trans_commit(sc);
135 xchk_iunlock(sc, XFS_ILOCK_EXCL | XFS_IOLOCK_EXCL);
136 return error;
137
138out_scanlock:
139 mutex_unlock(&xnc->lock);
140out_trans:
141 xchk_trans_cancel(sc);
142 xchk_iunlock(sc, XFS_ILOCK_EXCL | XFS_IOLOCK_EXCL);
143 return error;
144}
145
146/*
147 * Try to visit every inode in the filesystem for repairs. Move on if we can't
148 * grab an inode, since we're still making forward progress.
149 */
150static int
151xrep_nlinks_iter(
152 struct xchk_nlink_ctrs *xnc,
153 struct xfs_inode **ipp)
154{
155 int error;
156
157 do {
158 error = xchk_iscan_iter(&xnc->compare_iscan, ipp);
159 } while (error == -EBUSY);
160
161 return error;
162}
163
164/* Commit the new inode link counters. */
165int
166xrep_nlinks(
167 struct xfs_scrub *sc)
168{
169 struct xchk_nlink_ctrs *xnc = sc->buf;
170 int error;
171
172 /*
173 * We need ftype for an accurate count of the number of child
174 * subdirectory links. Child subdirectories with a back link (dotdot
175 * entry) but no forward link are unfixable, so we cannot repair the
176 * link count of the parent directory based on the back link count
177 * alone. Filesystems without ftype support are rare (old V4) so we
178 * just skip out here.
179 */
180 if (!xfs_has_ftype(sc->mp))
181 return -EOPNOTSUPP;
182
183 /*
184 * Use the inobt to walk all allocated inodes to compare and fix the
185 * link counts. Retry iget every tenth of a second for up to 30
186 * seconds -- even if repair misses a few inodes, we still try to fix
187 * as many of them as we can.
188 */
189 xchk_iscan_start(sc, 30000, 100, &xnc->compare_iscan);
190 ASSERT(sc->ip == NULL);
191
192 while ((error = xrep_nlinks_iter(xnc, &sc->ip)) == 1) {
193 /*
194 * Commit the scrub transaction so that we can create repair
195 * transactions with the correct reservations.
196 */
197 xchk_trans_cancel(sc);
198
199 error = xrep_nlinks_repair_inode(xnc);
200 xchk_iscan_mark_visited(&xnc->compare_iscan, sc->ip);
201 xchk_irele(sc, sc->ip);
202 sc->ip = NULL;
203 if (error)
204 break;
205
206 if (xchk_should_terminate(sc, &error))
207 break;
208
209 /*
210 * Create a new empty transaction so that we can advance the
211 * iscan cursor without deadlocking if the inobt has a cycle.
212 * We can only push the inactivation workqueues with an empty
213 * transaction.
214 */
215 error = xchk_trans_alloc_empty(sc);
216 if (error)
217 break;
218 }
219 xchk_iscan_iter_finish(&xnc->compare_iscan);
220 xchk_iscan_teardown(&xnc->compare_iscan);
221
222 return error;
223}
1// SPDX-License-Identifier: GPL-2.0-or-later
2/*
3 * Copyright (c) 2021-2024 Oracle. All Rights Reserved.
4 * Author: Darrick J. Wong <djwong@kernel.org>
5 */
6#include "xfs.h"
7#include "xfs_fs.h"
8#include "xfs_shared.h"
9#include "xfs_format.h"
10#include "xfs_trans_resv.h"
11#include "xfs_mount.h"
12#include "xfs_log_format.h"
13#include "xfs_trans.h"
14#include "xfs_inode.h"
15#include "xfs_icache.h"
16#include "xfs_bmap_util.h"
17#include "xfs_iwalk.h"
18#include "xfs_ialloc.h"
19#include "xfs_sb.h"
20#include "xfs_ag.h"
21#include "xfs_dir2.h"
22#include "xfs_parent.h"
23#include "scrub/scrub.h"
24#include "scrub/common.h"
25#include "scrub/repair.h"
26#include "scrub/xfile.h"
27#include "scrub/xfarray.h"
28#include "scrub/iscan.h"
29#include "scrub/orphanage.h"
30#include "scrub/nlinks.h"
31#include "scrub/trace.h"
32#include "scrub/tempfile.h"
33
34/*
35 * Live Inode Link Count Repair
36 * ============================
37 *
38 * Use the live inode link count information that we collected to replace the
39 * nlink values of the incore inodes. A scrub->repair cycle should have left
40 * the live data and hooks active, so this is safe so long as we make sure the
41 * inode is locked.
42 */
43
44/* Set up to repair inode link counts. */
45int
46xrep_setup_nlinks(
47 struct xfs_scrub *sc)
48{
49 return xrep_orphanage_try_create(sc);
50}
51
52/*
53 * Inodes that aren't the root directory or the orphanage, have a nonzero link
54 * count, and no observed parents should be moved to the orphanage.
55 */
56static inline bool
57xrep_nlinks_is_orphaned(
58 struct xfs_scrub *sc,
59 struct xfs_inode *ip,
60 unsigned int actual_nlink,
61 const struct xchk_nlink *obs)
62{
63 if (obs->parents != 0)
64 return false;
65 if (xchk_inode_is_dirtree_root(ip) || ip == sc->orphanage)
66 return false;
67 return actual_nlink != 0;
68}
69
70/* Remove an inode from the unlinked list. */
71STATIC int
72xrep_nlinks_iunlink_remove(
73 struct xfs_scrub *sc)
74{
75 struct xfs_perag *pag;
76 int error;
77
78 pag = xfs_perag_get(sc->mp, XFS_INO_TO_AGNO(sc->mp, sc->ip->i_ino));
79 error = xfs_iunlink_remove(sc->tp, pag, sc->ip);
80 xfs_perag_put(pag);
81 return error;
82}
83
84/*
85 * Correct the link count of the given inode. Because we have to grab locks
86 * and resources in a certain order, it's possible that this will be a no-op.
87 */
88STATIC int
89xrep_nlinks_repair_inode(
90 struct xchk_nlink_ctrs *xnc)
91{
92 struct xchk_nlink obs;
93 struct xfs_scrub *sc = xnc->sc;
94 struct xfs_mount *mp = sc->mp;
95 struct xfs_inode *ip = sc->ip;
96 uint64_t total_links;
97 uint64_t actual_nlink;
98 bool orphanage_available = false;
99 bool dirty = false;
100 int error;
101
102 /*
103 * Ignore temporary files being used to stage repairs, since we assume
104 * they're correct for non-directories, and the directory repair code
105 * doesn't bump the link counts for the children.
106 */
107 if (xrep_is_tempfile(ip))
108 return 0;
109
110 /*
111 * If the filesystem has an orphanage attached to the scrub context,
112 * prepare for a link count repair that could involve @ip being adopted
113 * by the lost+found.
114 */
115 if (xrep_orphanage_can_adopt(sc)) {
116 error = xrep_orphanage_iolock_two(sc);
117 if (error)
118 return error;
119
120 error = xrep_adoption_trans_alloc(sc, &xnc->adoption);
121 if (error) {
122 xchk_iunlock(sc, XFS_IOLOCK_EXCL);
123 xrep_orphanage_iunlock(sc, XFS_IOLOCK_EXCL);
124 } else {
125 orphanage_available = true;
126 }
127 }
128
129 /*
130 * Either there is no orphanage or we couldn't allocate resources for
131 * that kind of update. Let's try again with only the resources we
132 * need for a simple link count update, since that's much more common.
133 */
134 if (!orphanage_available) {
135 xchk_ilock(sc, XFS_IOLOCK_EXCL);
136
137 error = xfs_trans_alloc(mp, &M_RES(mp)->tr_link, 0, 0, 0,
138 &sc->tp);
139 if (error) {
140 xchk_iunlock(sc, XFS_IOLOCK_EXCL);
141 return error;
142 }
143
144 xchk_ilock(sc, XFS_ILOCK_EXCL);
145 xfs_trans_ijoin(sc->tp, ip, 0);
146 }
147
148 mutex_lock(&xnc->lock);
149
150 if (xchk_iscan_aborted(&xnc->collect_iscan)) {
151 error = -ECANCELED;
152 goto out_scanlock;
153 }
154
155 error = xfarray_load_sparse(xnc->nlinks, ip->i_ino, &obs);
156 if (error)
157 goto out_scanlock;
158
159 /*
160 * We're done accessing the shared scan data, so we can drop the lock.
161 * We still hold @ip's ILOCK, so its link count cannot change.
162 */
163 mutex_unlock(&xnc->lock);
164
165 total_links = xchk_nlink_total(ip, &obs);
166 actual_nlink = VFS_I(ip)->i_nlink;
167
168 /*
169 * Non-directories cannot have directories pointing up to them.
170 *
171 * We previously set error to zero, but set it again because one static
172 * checker author fears that programmers will fail to maintain this
173 * invariant and built their tool to flag this as a security risk. A
174 * different tool author made their bot complain about the redundant
175 * store. This is a never-ending and stupid battle; both tools missed
176 * *actual bugs* elsewhere; and I no longer care.
177 */
178 if (!S_ISDIR(VFS_I(ip)->i_mode) && obs.children != 0) {
179 trace_xrep_nlinks_unfixable_inode(mp, ip, &obs);
180 error = 0;
181 goto out_trans;
182 }
183
184 /*
185 * Decide if we're going to move this file to the orphanage, and fix
186 * up the incore link counts if we are.
187 */
188 if (orphanage_available &&
189 xrep_nlinks_is_orphaned(sc, ip, actual_nlink, &obs)) {
190 /* Figure out what name we're going to use here. */
191 error = xrep_adoption_compute_name(&xnc->adoption, &xnc->xname);
192 if (error)
193 goto out_trans;
194
195 /*
196 * Reattach this file to the directory tree by moving it to
197 * the orphanage per the adoption parameters that we already
198 * computed.
199 */
200 error = xrep_adoption_move(&xnc->adoption);
201 if (error)
202 goto out_trans;
203
204 /*
205 * Re-read the link counts since the reparenting will have
206 * updated our scan info.
207 */
208 mutex_lock(&xnc->lock);
209 error = xfarray_load_sparse(xnc->nlinks, ip->i_ino, &obs);
210 mutex_unlock(&xnc->lock);
211 if (error)
212 goto out_trans;
213
214 total_links = xchk_nlink_total(ip, &obs);
215 actual_nlink = VFS_I(ip)->i_nlink;
216 dirty = true;
217 }
218
219 /*
220 * If this inode is linked from the directory tree and on the unlinked
221 * list, remove it from the unlinked list.
222 */
223 if (total_links > 0 && xfs_inode_on_unlinked_list(ip)) {
224 error = xrep_nlinks_iunlink_remove(sc);
225 if (error)
226 goto out_trans;
227 dirty = true;
228 }
229
230 /*
231 * If this inode is not linked from the directory tree yet not on the
232 * unlinked list, put it on the unlinked list.
233 */
234 if (total_links == 0 && !xfs_inode_on_unlinked_list(ip)) {
235 error = xfs_iunlink(sc->tp, ip);
236 if (error)
237 goto out_trans;
238 dirty = true;
239 }
240
241 /* Commit the new link count if it changed. */
242 if (total_links != actual_nlink) {
243 trace_xrep_nlinks_update_inode(mp, ip, &obs);
244
245 set_nlink(VFS_I(ip), min_t(unsigned long long, total_links,
246 XFS_NLINK_PINNED));
247 dirty = true;
248 }
249
250 if (!dirty) {
251 error = 0;
252 goto out_trans;
253 }
254
255 xfs_trans_log_inode(sc->tp, ip, XFS_ILOG_CORE);
256
257 error = xrep_trans_commit(sc);
258 goto out_unlock;
259
260out_scanlock:
261 mutex_unlock(&xnc->lock);
262out_trans:
263 xchk_trans_cancel(sc);
264out_unlock:
265 xchk_iunlock(sc, XFS_ILOCK_EXCL);
266 if (orphanage_available) {
267 xrep_orphanage_iunlock(sc, XFS_ILOCK_EXCL);
268 xrep_orphanage_iunlock(sc, XFS_IOLOCK_EXCL);
269 }
270 xchk_iunlock(sc, XFS_IOLOCK_EXCL);
271 return error;
272}
273
274/*
275 * Try to visit every inode in the filesystem for repairs. Move on if we can't
276 * grab an inode, since we're still making forward progress.
277 */
278static int
279xrep_nlinks_iter(
280 struct xchk_nlink_ctrs *xnc,
281 struct xfs_inode **ipp)
282{
283 int error;
284
285 do {
286 error = xchk_iscan_iter(&xnc->compare_iscan, ipp);
287 } while (error == -EBUSY);
288
289 return error;
290}
291
292/* Commit the new inode link counters. */
293int
294xrep_nlinks(
295 struct xfs_scrub *sc)
296{
297 struct xchk_nlink_ctrs *xnc = sc->buf;
298 int error;
299
300 /*
301 * We need ftype for an accurate count of the number of child
302 * subdirectory links. Child subdirectories with a back link (dotdot
303 * entry) but no forward link are moved to the orphanage, so we cannot
304 * repair the link count of the parent directory based on the back link
305 * count alone. Filesystems without ftype support are rare (old V4) so
306 * we just skip out here.
307 */
308 if (!xfs_has_ftype(sc->mp))
309 return -EOPNOTSUPP;
310
311 /*
312 * Use the inobt to walk all allocated inodes to compare and fix the
313 * link counts. Retry iget every tenth of a second for up to 30
314 * seconds -- even if repair misses a few inodes, we still try to fix
315 * as many of them as we can.
316 */
317 xchk_iscan_start(sc, 30000, 100, &xnc->compare_iscan);
318 ASSERT(sc->ip == NULL);
319
320 while ((error = xrep_nlinks_iter(xnc, &sc->ip)) == 1) {
321 /*
322 * Commit the scrub transaction so that we can create repair
323 * transactions with the correct reservations.
324 */
325 xchk_trans_cancel(sc);
326
327 error = xrep_nlinks_repair_inode(xnc);
328 xchk_iscan_mark_visited(&xnc->compare_iscan, sc->ip);
329 xchk_irele(sc, sc->ip);
330 sc->ip = NULL;
331 if (error)
332 break;
333
334 if (xchk_should_terminate(sc, &error))
335 break;
336
337 /*
338 * Create a new empty transaction so that we can advance the
339 * iscan cursor without deadlocking if the inobt has a cycle.
340 * We can only push the inactivation workqueues with an empty
341 * transaction.
342 */
343 error = xchk_trans_alloc_empty(sc);
344 if (error)
345 break;
346 }
347 xchk_iscan_iter_finish(&xnc->compare_iscan);
348 xchk_iscan_teardown(&xnc->compare_iscan);
349
350 return error;
351}