1 /* 2 * Copyright (c) 2000-2006 Silicon Graphics, Inc. 3 * Copyright (c) 2013 Red Hat, Inc. 4 * All Rights Reserved. 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License as 8 * published by the Free Software Foundation. 9 * 10 * This program is distributed in the hope that it would be useful, 11 * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 * GNU General Public License for more details. 14 * 15 * You should have received a copy of the GNU General Public License 16 * along with this program; if not, write the Free Software Foundation, 17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA 18 */ 19 #include "xfs.h" 20 #include "xfs_fs.h" 21 #include "xfs_shared.h" 22 #include "xfs_format.h" 23 #include "xfs_log_format.h" 24 #include "xfs_trans_resv.h" 25 #include "xfs_mount.h" 26 #include "xfs_inode.h" 27 #include "xfs_quota.h" 28 #include "xfs_trans.h" 29 #include "xfs_qm.h" 30 #include "xfs_error.h" 31 #include "xfs_cksum.h" 32 #include "xfs_trace.h" 33 34 int 35 xfs_calc_dquots_per_chunk( 36 unsigned int nbblks) /* basic block units */ 37 { 38 ASSERT(nbblks > 0); 39 return BBTOB(nbblks) / sizeof(xfs_dqblk_t); 40 } 41 42 /* 43 * Do some primitive error checking on ondisk dquot data structures. 44 */ 45 xfs_failaddr_t 46 xfs_dquot_verify( 47 struct xfs_mount *mp, 48 xfs_disk_dquot_t *ddq, 49 xfs_dqid_t id, 50 uint type, /* used only when IO_dorepair is true */ 51 uint flags) 52 { 53 /* 54 * We can encounter an uninitialized dquot buffer for 2 reasons: 55 * 1. If we crash while deleting the quotainode(s), and those blks got 56 * used for user data. This is because we take the path of regular 57 * file deletion; however, the size field of quotainodes is never 58 * updated, so all the tricks that we play in itruncate_finish 59 * don't quite matter. 60 * 61 * 2. We don't play the quota buffers when there's a quotaoff logitem. 62 * But the allocation will be replayed so we'll end up with an 63 * uninitialized quota block. 64 * 65 * This is all fine; things are still consistent, and we haven't lost 66 * any quota information. Just don't complain about bad dquot blks. 67 */ 68 if (ddq->d_magic != cpu_to_be16(XFS_DQUOT_MAGIC)) 69 return __this_address; 70 if (ddq->d_version != XFS_DQUOT_VERSION) 71 return __this_address; 72 73 if (ddq->d_flags != XFS_DQ_USER && 74 ddq->d_flags != XFS_DQ_PROJ && 75 ddq->d_flags != XFS_DQ_GROUP) 76 return __this_address; 77 78 if (id != -1 && id != be32_to_cpu(ddq->d_id)) 79 return __this_address; 80 81 if (!ddq->d_id) 82 return NULL; 83 84 if (ddq->d_blk_softlimit && 85 be64_to_cpu(ddq->d_bcount) > be64_to_cpu(ddq->d_blk_softlimit) && 86 !ddq->d_btimer) 87 return __this_address; 88 89 if (ddq->d_ino_softlimit && 90 be64_to_cpu(ddq->d_icount) > be64_to_cpu(ddq->d_ino_softlimit) && 91 !ddq->d_itimer) 92 return __this_address; 93 94 if (ddq->d_rtb_softlimit && 95 be64_to_cpu(ddq->d_rtbcount) > be64_to_cpu(ddq->d_rtb_softlimit) && 96 !ddq->d_rtbtimer) 97 return __this_address; 98 99 return NULL; 100 } 101 102 /* 103 * Do some primitive error checking on ondisk dquot data structures. 104 */ 105 int 106 xfs_dquot_repair( 107 struct xfs_mount *mp, 108 struct xfs_disk_dquot *ddq, 109 xfs_dqid_t id, 110 uint type) 111 { 112 struct xfs_dqblk *d = (struct xfs_dqblk *)ddq; 113 114 115 /* 116 * Typically, a repair is only requested by quotacheck. 117 */ 118 ASSERT(id != -1); 119 memset(d, 0, sizeof(xfs_dqblk_t)); 120 121 d->dd_diskdq.d_magic = cpu_to_be16(XFS_DQUOT_MAGIC); 122 d->dd_diskdq.d_version = XFS_DQUOT_VERSION; 123 d->dd_diskdq.d_flags = type; 124 d->dd_diskdq.d_id = cpu_to_be32(id); 125 126 if (xfs_sb_version_hascrc(&mp->m_sb)) { 127 uuid_copy(&d->dd_uuid, &mp->m_sb.sb_meta_uuid); 128 xfs_update_cksum((char *)d, sizeof(struct xfs_dqblk), 129 XFS_DQUOT_CRC_OFF); 130 } 131 132 return 0; 133 } 134 135 STATIC bool 136 xfs_dquot_buf_verify_crc( 137 struct xfs_mount *mp, 138 struct xfs_buf *bp) 139 { 140 struct xfs_dqblk *d = (struct xfs_dqblk *)bp->b_addr; 141 int ndquots; 142 int i; 143 144 if (!xfs_sb_version_hascrc(&mp->m_sb)) 145 return true; 146 147 /* 148 * if we are in log recovery, the quota subsystem has not been 149 * initialised so we have no quotainfo structure. In that case, we need 150 * to manually calculate the number of dquots in the buffer. 151 */ 152 if (mp->m_quotainfo) 153 ndquots = mp->m_quotainfo->qi_dqperchunk; 154 else 155 ndquots = xfs_calc_dquots_per_chunk(bp->b_length); 156 157 for (i = 0; i < ndquots; i++, d++) { 158 if (!xfs_verify_cksum((char *)d, sizeof(struct xfs_dqblk), 159 XFS_DQUOT_CRC_OFF)) 160 return false; 161 if (!uuid_equal(&d->dd_uuid, &mp->m_sb.sb_meta_uuid)) 162 return false; 163 } 164 return true; 165 } 166 167 STATIC xfs_failaddr_t 168 xfs_dquot_buf_verify( 169 struct xfs_mount *mp, 170 struct xfs_buf *bp) 171 { 172 struct xfs_dqblk *d = (struct xfs_dqblk *)bp->b_addr; 173 xfs_failaddr_t fa; 174 xfs_dqid_t id = 0; 175 int ndquots; 176 int i; 177 178 /* 179 * if we are in log recovery, the quota subsystem has not been 180 * initialised so we have no quotainfo structure. In that case, we need 181 * to manually calculate the number of dquots in the buffer. 182 */ 183 if (mp->m_quotainfo) 184 ndquots = mp->m_quotainfo->qi_dqperchunk; 185 else 186 ndquots = xfs_calc_dquots_per_chunk(bp->b_length); 187 188 /* 189 * On the first read of the buffer, verify that each dquot is valid. 190 * We don't know what the id of the dquot is supposed to be, just that 191 * they should be increasing monotonically within the buffer. If the 192 * first id is corrupt, then it will fail on the second dquot in the 193 * buffer so corruptions could point to the wrong dquot in this case. 194 */ 195 for (i = 0; i < ndquots; i++) { 196 struct xfs_disk_dquot *ddq; 197 198 ddq = &d[i].dd_diskdq; 199 200 if (i == 0) 201 id = be32_to_cpu(ddq->d_id); 202 203 fa = xfs_dquot_verify(mp, ddq, id + i, 0, 0); 204 if (fa) 205 return fa; 206 } 207 208 return NULL; 209 } 210 211 static xfs_failaddr_t 212 xfs_dquot_buf_verify_struct( 213 struct xfs_buf *bp) 214 { 215 struct xfs_mount *mp = bp->b_target->bt_mount; 216 217 return xfs_dquot_buf_verify(mp, bp); 218 } 219 220 static void 221 xfs_dquot_buf_read_verify( 222 struct xfs_buf *bp) 223 { 224 struct xfs_mount *mp = bp->b_target->bt_mount; 225 xfs_failaddr_t fa; 226 227 if (!xfs_dquot_buf_verify_crc(mp, bp)) 228 xfs_verifier_error(bp, -EFSBADCRC, __this_address); 229 else { 230 fa = xfs_dquot_buf_verify(mp, bp); 231 if (fa) 232 xfs_verifier_error(bp, -EFSCORRUPTED, __this_address); 233 } 234 } 235 236 /* 237 * readahead errors are silent and simply leave the buffer as !done so a real 238 * read will then be run with the xfs_dquot_buf_ops verifier. See 239 * xfs_inode_buf_verify() for why we use EIO and ~XBF_DONE here rather than 240 * reporting the failure. 241 */ 242 static void 243 xfs_dquot_buf_readahead_verify( 244 struct xfs_buf *bp) 245 { 246 struct xfs_mount *mp = bp->b_target->bt_mount; 247 248 if (!xfs_dquot_buf_verify_crc(mp, bp) || 249 xfs_dquot_buf_verify(mp, bp) != NULL) { 250 xfs_buf_ioerror(bp, -EIO); 251 bp->b_flags &= ~XBF_DONE; 252 } 253 } 254 255 /* 256 * we don't calculate the CRC here as that is done when the dquot is flushed to 257 * the buffer after the update is done. This ensures that the dquot in the 258 * buffer always has an up-to-date CRC value. 259 */ 260 static void 261 xfs_dquot_buf_write_verify( 262 struct xfs_buf *bp) 263 { 264 struct xfs_mount *mp = bp->b_target->bt_mount; 265 xfs_failaddr_t fa; 266 267 fa = xfs_dquot_buf_verify(mp, bp); 268 if (fa) 269 xfs_verifier_error(bp, -EFSCORRUPTED, __this_address); 270 } 271 272 const struct xfs_buf_ops xfs_dquot_buf_ops = { 273 .name = "xfs_dquot", 274 .verify_read = xfs_dquot_buf_read_verify, 275 .verify_write = xfs_dquot_buf_write_verify, 276 .verify_struct = xfs_dquot_buf_verify_struct, 277 }; 278 279 const struct xfs_buf_ops xfs_dquot_buf_ra_ops = { 280 .name = "xfs_dquot_ra", 281 .verify_read = xfs_dquot_buf_readahead_verify, 282 .verify_write = xfs_dquot_buf_write_verify, 283 }; 284