xref: /openbmc/linux/fs/xfs/scrub/dir.c (revision cfdfc14e)
1 // SPDX-License-Identifier: GPL-2.0+
2 /*
3  * Copyright (C) 2017 Oracle.  All Rights Reserved.
4  * Author: Darrick J. Wong <darrick.wong@oracle.com>
5  */
6 #include "xfs.h"
7 #include "xfs_fs.h"
8 #include "xfs_shared.h"
9 #include "xfs_format.h"
10 #include "xfs_trans_resv.h"
11 #include "xfs_mount.h"
12 #include "xfs_defer.h"
13 #include "xfs_btree.h"
14 #include "xfs_bit.h"
15 #include "xfs_log_format.h"
16 #include "xfs_trans.h"
17 #include "xfs_sb.h"
18 #include "xfs_inode.h"
19 #include "xfs_icache.h"
20 #include "xfs_itable.h"
21 #include "xfs_da_format.h"
22 #include "xfs_da_btree.h"
23 #include "xfs_dir2.h"
24 #include "xfs_dir2_priv.h"
25 #include "xfs_ialloc.h"
26 #include "scrub/xfs_scrub.h"
27 #include "scrub/scrub.h"
28 #include "scrub/common.h"
29 #include "scrub/trace.h"
30 #include "scrub/dabtree.h"
31 
32 /* Set us up to scrub directories. */
33 int
34 xfs_scrub_setup_directory(
35 	struct xfs_scrub_context	*sc,
36 	struct xfs_inode		*ip)
37 {
38 	return xfs_scrub_setup_inode_contents(sc, ip, 0);
39 }
40 
41 /* Directories */
42 
43 /* Scrub a directory entry. */
44 
45 struct xfs_scrub_dir_ctx {
46 	/* VFS fill-directory iterator */
47 	struct dir_context		dir_iter;
48 
49 	struct xfs_scrub_context	*sc;
50 };
51 
52 /* Check that an inode's mode matches a given DT_ type. */
53 STATIC int
54 xfs_scrub_dir_check_ftype(
55 	struct xfs_scrub_dir_ctx	*sdc,
56 	xfs_fileoff_t			offset,
57 	xfs_ino_t			inum,
58 	int				dtype)
59 {
60 	struct xfs_mount		*mp = sdc->sc->mp;
61 	struct xfs_inode		*ip;
62 	int				ino_dtype;
63 	int				error = 0;
64 
65 	if (!xfs_sb_version_hasftype(&mp->m_sb)) {
66 		if (dtype != DT_UNKNOWN && dtype != DT_DIR)
67 			xfs_scrub_fblock_set_corrupt(sdc->sc, XFS_DATA_FORK,
68 					offset);
69 		goto out;
70 	}
71 
72 	/*
73 	 * Grab the inode pointed to by the dirent.  We release the
74 	 * inode before we cancel the scrub transaction.  Since we're
75 	 * don't know a priori that releasing the inode won't trigger
76 	 * eofblocks cleanup (which allocates what would be a nested
77 	 * transaction), we can't use DONTCACHE here because DONTCACHE
78 	 * inodes can trigger immediate inactive cleanup of the inode.
79 	 */
80 	error = xfs_iget(mp, sdc->sc->tp, inum, 0, 0, &ip);
81 	if (!xfs_scrub_fblock_xref_process_error(sdc->sc, XFS_DATA_FORK, offset,
82 			&error))
83 		goto out;
84 
85 	/* Convert mode to the DT_* values that dir_emit uses. */
86 	ino_dtype = xfs_dir3_get_dtype(mp,
87 			xfs_mode_to_ftype(VFS_I(ip)->i_mode));
88 	if (ino_dtype != dtype)
89 		xfs_scrub_fblock_set_corrupt(sdc->sc, XFS_DATA_FORK, offset);
90 	iput(VFS_I(ip));
91 out:
92 	return error;
93 }
94 
95 /*
96  * Scrub a single directory entry.
97  *
98  * We use the VFS directory iterator (i.e. readdir) to call this
99  * function for every directory entry in a directory.  Once we're here,
100  * we check the inode number to make sure it's sane, then we check that
101  * we can look up this filename.  Finally, we check the ftype.
102  */
103 STATIC int
104 xfs_scrub_dir_actor(
105 	struct dir_context		*dir_iter,
106 	const char			*name,
107 	int				namelen,
108 	loff_t				pos,
109 	u64				ino,
110 	unsigned			type)
111 {
112 	struct xfs_mount		*mp;
113 	struct xfs_inode		*ip;
114 	struct xfs_scrub_dir_ctx	*sdc;
115 	struct xfs_name			xname;
116 	xfs_ino_t			lookup_ino;
117 	xfs_dablk_t			offset;
118 	int				error = 0;
119 
120 	sdc = container_of(dir_iter, struct xfs_scrub_dir_ctx, dir_iter);
121 	ip = sdc->sc->ip;
122 	mp = ip->i_mount;
123 	offset = xfs_dir2_db_to_da(mp->m_dir_geo,
124 			xfs_dir2_dataptr_to_db(mp->m_dir_geo, pos));
125 
126 	/* Does this inode number make sense? */
127 	if (!xfs_verify_dir_ino(mp, ino)) {
128 		xfs_scrub_fblock_set_corrupt(sdc->sc, XFS_DATA_FORK, offset);
129 		goto out;
130 	}
131 
132 	if (!strncmp(".", name, namelen)) {
133 		/* If this is "." then check that the inum matches the dir. */
134 		if (xfs_sb_version_hasftype(&mp->m_sb) && type != DT_DIR)
135 			xfs_scrub_fblock_set_corrupt(sdc->sc, XFS_DATA_FORK,
136 					offset);
137 		if (ino != ip->i_ino)
138 			xfs_scrub_fblock_set_corrupt(sdc->sc, XFS_DATA_FORK,
139 					offset);
140 	} else if (!strncmp("..", name, namelen)) {
141 		/*
142 		 * If this is ".." in the root inode, check that the inum
143 		 * matches this dir.
144 		 */
145 		if (xfs_sb_version_hasftype(&mp->m_sb) && type != DT_DIR)
146 			xfs_scrub_fblock_set_corrupt(sdc->sc, XFS_DATA_FORK,
147 					offset);
148 		if (ip->i_ino == mp->m_sb.sb_rootino && ino != ip->i_ino)
149 			xfs_scrub_fblock_set_corrupt(sdc->sc, XFS_DATA_FORK,
150 					offset);
151 	}
152 
153 	/* Verify that we can look up this name by hash. */
154 	xname.name = name;
155 	xname.len = namelen;
156 	xname.type = XFS_DIR3_FT_UNKNOWN;
157 
158 	error = xfs_dir_lookup(sdc->sc->tp, ip, &xname, &lookup_ino, NULL);
159 	if (!xfs_scrub_fblock_process_error(sdc->sc, XFS_DATA_FORK, offset,
160 			&error))
161 		goto out;
162 	if (lookup_ino != ino) {
163 		xfs_scrub_fblock_set_corrupt(sdc->sc, XFS_DATA_FORK, offset);
164 		goto out;
165 	}
166 
167 	/* Verify the file type.  This function absorbs error codes. */
168 	error = xfs_scrub_dir_check_ftype(sdc, offset, lookup_ino, type);
169 	if (error)
170 		goto out;
171 out:
172 	/*
173 	 * A negative error code returned here is supposed to cause the
174 	 * dir_emit caller (xfs_readdir) to abort the directory iteration
175 	 * and return zero to xfs_scrub_directory.
176 	 */
177 	if (error == 0 && sdc->sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)
178 		return -EFSCORRUPTED;
179 	return error;
180 }
181 
182 /* Scrub a directory btree record. */
183 STATIC int
184 xfs_scrub_dir_rec(
185 	struct xfs_scrub_da_btree	*ds,
186 	int				level,
187 	void				*rec)
188 {
189 	struct xfs_mount		*mp = ds->state->mp;
190 	struct xfs_dir2_leaf_entry	*ent = rec;
191 	struct xfs_inode		*dp = ds->dargs.dp;
192 	struct xfs_dir2_data_entry	*dent;
193 	struct xfs_buf			*bp;
194 	char				*p, *endp;
195 	xfs_ino_t			ino;
196 	xfs_dablk_t			rec_bno;
197 	xfs_dir2_db_t			db;
198 	xfs_dir2_data_aoff_t		off;
199 	xfs_dir2_dataptr_t		ptr;
200 	xfs_dahash_t			calc_hash;
201 	xfs_dahash_t			hash;
202 	unsigned int			tag;
203 	int				error;
204 
205 	/* Check the hash of the entry. */
206 	error = xfs_scrub_da_btree_hash(ds, level, &ent->hashval);
207 	if (error)
208 		goto out;
209 
210 	/* Valid hash pointer? */
211 	ptr = be32_to_cpu(ent->address);
212 	if (ptr == 0)
213 		return 0;
214 
215 	/* Find the directory entry's location. */
216 	db = xfs_dir2_dataptr_to_db(mp->m_dir_geo, ptr);
217 	off = xfs_dir2_dataptr_to_off(mp->m_dir_geo, ptr);
218 	rec_bno = xfs_dir2_db_to_da(mp->m_dir_geo, db);
219 
220 	if (rec_bno >= mp->m_dir_geo->leafblk) {
221 		xfs_scrub_da_set_corrupt(ds, level);
222 		goto out;
223 	}
224 	error = xfs_dir3_data_read(ds->dargs.trans, dp, rec_bno, -2, &bp);
225 	if (!xfs_scrub_fblock_process_error(ds->sc, XFS_DATA_FORK, rec_bno,
226 			&error))
227 		goto out;
228 	if (!bp) {
229 		xfs_scrub_fblock_set_corrupt(ds->sc, XFS_DATA_FORK, rec_bno);
230 		goto out;
231 	}
232 	xfs_scrub_buffer_recheck(ds->sc, bp);
233 
234 	if (ds->sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)
235 		goto out_relse;
236 
237 	dent = (struct xfs_dir2_data_entry *)(((char *)bp->b_addr) + off);
238 
239 	/* Make sure we got a real directory entry. */
240 	p = (char *)mp->m_dir_inode_ops->data_entry_p(bp->b_addr);
241 	endp = xfs_dir3_data_endp(mp->m_dir_geo, bp->b_addr);
242 	if (!endp) {
243 		xfs_scrub_fblock_set_corrupt(ds->sc, XFS_DATA_FORK, rec_bno);
244 		goto out_relse;
245 	}
246 	while (p < endp) {
247 		struct xfs_dir2_data_entry	*dep;
248 		struct xfs_dir2_data_unused	*dup;
249 
250 		dup = (struct xfs_dir2_data_unused *)p;
251 		if (be16_to_cpu(dup->freetag) == XFS_DIR2_DATA_FREE_TAG) {
252 			p += be16_to_cpu(dup->length);
253 			continue;
254 		}
255 		dep = (struct xfs_dir2_data_entry *)p;
256 		if (dep == dent)
257 			break;
258 		p += mp->m_dir_inode_ops->data_entsize(dep->namelen);
259 	}
260 	if (p >= endp) {
261 		xfs_scrub_fblock_set_corrupt(ds->sc, XFS_DATA_FORK, rec_bno);
262 		goto out_relse;
263 	}
264 
265 	/* Retrieve the entry, sanity check it, and compare hashes. */
266 	ino = be64_to_cpu(dent->inumber);
267 	hash = be32_to_cpu(ent->hashval);
268 	tag = be16_to_cpup(dp->d_ops->data_entry_tag_p(dent));
269 	if (!xfs_verify_dir_ino(mp, ino) || tag != off)
270 		xfs_scrub_fblock_set_corrupt(ds->sc, XFS_DATA_FORK, rec_bno);
271 	if (dent->namelen == 0) {
272 		xfs_scrub_fblock_set_corrupt(ds->sc, XFS_DATA_FORK, rec_bno);
273 		goto out_relse;
274 	}
275 	calc_hash = xfs_da_hashname(dent->name, dent->namelen);
276 	if (calc_hash != hash)
277 		xfs_scrub_fblock_set_corrupt(ds->sc, XFS_DATA_FORK, rec_bno);
278 
279 out_relse:
280 	xfs_trans_brelse(ds->dargs.trans, bp);
281 out:
282 	return error;
283 }
284 
285 /*
286  * Is this unused entry either in the bestfree or smaller than all of
287  * them?  We've already checked that the bestfrees are sorted longest to
288  * shortest, and that there aren't any bogus entries.
289  */
290 STATIC void
291 xfs_scrub_directory_check_free_entry(
292 	struct xfs_scrub_context	*sc,
293 	xfs_dablk_t			lblk,
294 	struct xfs_dir2_data_free	*bf,
295 	struct xfs_dir2_data_unused	*dup)
296 {
297 	struct xfs_dir2_data_free	*dfp;
298 	unsigned int			dup_length;
299 
300 	dup_length = be16_to_cpu(dup->length);
301 
302 	/* Unused entry is shorter than any of the bestfrees */
303 	if (dup_length < be16_to_cpu(bf[XFS_DIR2_DATA_FD_COUNT - 1].length))
304 		return;
305 
306 	for (dfp = &bf[XFS_DIR2_DATA_FD_COUNT - 1]; dfp >= bf; dfp--)
307 		if (dup_length == be16_to_cpu(dfp->length))
308 			return;
309 
310 	/* Unused entry should be in the bestfrees but wasn't found. */
311 	xfs_scrub_fblock_set_corrupt(sc, XFS_DATA_FORK, lblk);
312 }
313 
314 /* Check free space info in a directory data block. */
315 STATIC int
316 xfs_scrub_directory_data_bestfree(
317 	struct xfs_scrub_context	*sc,
318 	xfs_dablk_t			lblk,
319 	bool				is_block)
320 {
321 	struct xfs_dir2_data_unused	*dup;
322 	struct xfs_dir2_data_free	*dfp;
323 	struct xfs_buf			*bp;
324 	struct xfs_dir2_data_free	*bf;
325 	struct xfs_mount		*mp = sc->mp;
326 	const struct xfs_dir_ops	*d_ops;
327 	char				*ptr;
328 	char				*endptr;
329 	u16				tag;
330 	unsigned int			nr_bestfrees = 0;
331 	unsigned int			nr_frees = 0;
332 	unsigned int			smallest_bestfree;
333 	int				newlen;
334 	int				offset;
335 	int				error;
336 
337 	d_ops = sc->ip->d_ops;
338 
339 	if (is_block) {
340 		/* dir block format */
341 		if (lblk != XFS_B_TO_FSBT(mp, XFS_DIR2_DATA_OFFSET))
342 			xfs_scrub_fblock_set_corrupt(sc, XFS_DATA_FORK, lblk);
343 		error = xfs_dir3_block_read(sc->tp, sc->ip, &bp);
344 	} else {
345 		/* dir data format */
346 		error = xfs_dir3_data_read(sc->tp, sc->ip, lblk, -1, &bp);
347 	}
348 	if (!xfs_scrub_fblock_process_error(sc, XFS_DATA_FORK, lblk, &error))
349 		goto out;
350 	xfs_scrub_buffer_recheck(sc, bp);
351 
352 	/* XXX: Check xfs_dir3_data_hdr.pad is zero once we start setting it. */
353 
354 	if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)
355 		goto out_buf;
356 
357 	/* Do the bestfrees correspond to actual free space? */
358 	bf = d_ops->data_bestfree_p(bp->b_addr);
359 	smallest_bestfree = UINT_MAX;
360 	for (dfp = &bf[0]; dfp < &bf[XFS_DIR2_DATA_FD_COUNT]; dfp++) {
361 		offset = be16_to_cpu(dfp->offset);
362 		if (offset == 0)
363 			continue;
364 		if (offset >= mp->m_dir_geo->blksize) {
365 			xfs_scrub_fblock_set_corrupt(sc, XFS_DATA_FORK, lblk);
366 			goto out_buf;
367 		}
368 		dup = (struct xfs_dir2_data_unused *)(bp->b_addr + offset);
369 		tag = be16_to_cpu(*xfs_dir2_data_unused_tag_p(dup));
370 
371 		/* bestfree doesn't match the entry it points at? */
372 		if (dup->freetag != cpu_to_be16(XFS_DIR2_DATA_FREE_TAG) ||
373 		    be16_to_cpu(dup->length) != be16_to_cpu(dfp->length) ||
374 		    tag != ((char *)dup - (char *)bp->b_addr)) {
375 			xfs_scrub_fblock_set_corrupt(sc, XFS_DATA_FORK, lblk);
376 			goto out_buf;
377 		}
378 
379 		/* bestfree records should be ordered largest to smallest */
380 		if (smallest_bestfree < be16_to_cpu(dfp->length)) {
381 			xfs_scrub_fblock_set_corrupt(sc, XFS_DATA_FORK, lblk);
382 			goto out_buf;
383 		}
384 
385 		smallest_bestfree = be16_to_cpu(dfp->length);
386 		nr_bestfrees++;
387 	}
388 
389 	/* Make sure the bestfrees are actually the best free spaces. */
390 	ptr = (char *)d_ops->data_entry_p(bp->b_addr);
391 	endptr = xfs_dir3_data_endp(mp->m_dir_geo, bp->b_addr);
392 
393 	/* Iterate the entries, stopping when we hit or go past the end. */
394 	while (ptr < endptr) {
395 		dup = (struct xfs_dir2_data_unused *)ptr;
396 		/* Skip real entries */
397 		if (dup->freetag != cpu_to_be16(XFS_DIR2_DATA_FREE_TAG)) {
398 			struct xfs_dir2_data_entry	*dep;
399 
400 			dep = (struct xfs_dir2_data_entry *)ptr;
401 			newlen = d_ops->data_entsize(dep->namelen);
402 			if (newlen <= 0) {
403 				xfs_scrub_fblock_set_corrupt(sc, XFS_DATA_FORK,
404 						lblk);
405 				goto out_buf;
406 			}
407 			ptr += newlen;
408 			continue;
409 		}
410 
411 		/* Spot check this free entry */
412 		tag = be16_to_cpu(*xfs_dir2_data_unused_tag_p(dup));
413 		if (tag != ((char *)dup - (char *)bp->b_addr)) {
414 			xfs_scrub_fblock_set_corrupt(sc, XFS_DATA_FORK, lblk);
415 			goto out_buf;
416 		}
417 
418 		/*
419 		 * Either this entry is a bestfree or it's smaller than
420 		 * any of the bestfrees.
421 		 */
422 		xfs_scrub_directory_check_free_entry(sc, lblk, bf, dup);
423 		if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)
424 			goto out_buf;
425 
426 		/* Move on. */
427 		newlen = be16_to_cpu(dup->length);
428 		if (newlen <= 0) {
429 			xfs_scrub_fblock_set_corrupt(sc, XFS_DATA_FORK, lblk);
430 			goto out_buf;
431 		}
432 		ptr += newlen;
433 		if (ptr <= endptr)
434 			nr_frees++;
435 	}
436 
437 	/* We're required to fill all the space. */
438 	if (ptr != endptr)
439 		xfs_scrub_fblock_set_corrupt(sc, XFS_DATA_FORK, lblk);
440 
441 	/* Did we see at least as many free slots as there are bestfrees? */
442 	if (nr_frees < nr_bestfrees)
443 		xfs_scrub_fblock_set_corrupt(sc, XFS_DATA_FORK, lblk);
444 out_buf:
445 	xfs_trans_brelse(sc->tp, bp);
446 out:
447 	return error;
448 }
449 
450 /*
451  * Does the free space length in the free space index block ($len) match
452  * the longest length in the directory data block's bestfree array?
453  * Assume that we've already checked that the data block's bestfree
454  * array is in order.
455  */
456 STATIC void
457 xfs_scrub_directory_check_freesp(
458 	struct xfs_scrub_context	*sc,
459 	xfs_dablk_t			lblk,
460 	struct xfs_buf			*dbp,
461 	unsigned int			len)
462 {
463 	struct xfs_dir2_data_free	*dfp;
464 
465 	dfp = sc->ip->d_ops->data_bestfree_p(dbp->b_addr);
466 
467 	if (len != be16_to_cpu(dfp->length))
468 		xfs_scrub_fblock_set_corrupt(sc, XFS_DATA_FORK, lblk);
469 
470 	if (len > 0 && be16_to_cpu(dfp->offset) == 0)
471 		xfs_scrub_fblock_set_corrupt(sc, XFS_DATA_FORK, lblk);
472 }
473 
474 /* Check free space info in a directory leaf1 block. */
475 STATIC int
476 xfs_scrub_directory_leaf1_bestfree(
477 	struct xfs_scrub_context	*sc,
478 	struct xfs_da_args		*args,
479 	xfs_dablk_t			lblk)
480 {
481 	struct xfs_dir3_icleaf_hdr	leafhdr;
482 	struct xfs_dir2_leaf_entry	*ents;
483 	struct xfs_dir2_leaf_tail	*ltp;
484 	struct xfs_dir2_leaf		*leaf;
485 	struct xfs_buf			*dbp;
486 	struct xfs_buf			*bp;
487 	const struct xfs_dir_ops	*d_ops = sc->ip->d_ops;
488 	struct xfs_da_geometry		*geo = sc->mp->m_dir_geo;
489 	__be16				*bestp;
490 	__u16				best;
491 	__u32				hash;
492 	__u32				lasthash = 0;
493 	__u32				bestcount;
494 	unsigned int			stale = 0;
495 	int				i;
496 	int				error;
497 
498 	/* Read the free space block. */
499 	error = xfs_dir3_leaf_read(sc->tp, sc->ip, lblk, -1, &bp);
500 	if (!xfs_scrub_fblock_process_error(sc, XFS_DATA_FORK, lblk, &error))
501 		goto out;
502 	xfs_scrub_buffer_recheck(sc, bp);
503 
504 	leaf = bp->b_addr;
505 	d_ops->leaf_hdr_from_disk(&leafhdr, leaf);
506 	ents = d_ops->leaf_ents_p(leaf);
507 	ltp = xfs_dir2_leaf_tail_p(geo, leaf);
508 	bestcount = be32_to_cpu(ltp->bestcount);
509 	bestp = xfs_dir2_leaf_bests_p(ltp);
510 
511 	if (xfs_sb_version_hascrc(&sc->mp->m_sb)) {
512 		struct xfs_dir3_leaf_hdr	*hdr3 = bp->b_addr;
513 
514 		if (hdr3->pad != cpu_to_be32(0))
515 			xfs_scrub_fblock_set_corrupt(sc, XFS_DATA_FORK, lblk);
516 	}
517 
518 	/*
519 	 * There should be as many bestfree slots as there are dir data
520 	 * blocks that can fit under i_size.
521 	 */
522 	if (bestcount != xfs_dir2_byte_to_db(geo, sc->ip->i_d.di_size)) {
523 		xfs_scrub_fblock_set_corrupt(sc, XFS_DATA_FORK, lblk);
524 		goto out;
525 	}
526 
527 	/* Is the leaf count even remotely sane? */
528 	if (leafhdr.count > d_ops->leaf_max_ents(geo)) {
529 		xfs_scrub_fblock_set_corrupt(sc, XFS_DATA_FORK, lblk);
530 		goto out;
531 	}
532 
533 	/* Leaves and bests don't overlap in leaf format. */
534 	if ((char *)&ents[leafhdr.count] > (char *)bestp) {
535 		xfs_scrub_fblock_set_corrupt(sc, XFS_DATA_FORK, lblk);
536 		goto out;
537 	}
538 
539 	/* Check hash value order, count stale entries.  */
540 	for (i = 0; i < leafhdr.count; i++) {
541 		hash = be32_to_cpu(ents[i].hashval);
542 		if (i > 0 && lasthash > hash)
543 			xfs_scrub_fblock_set_corrupt(sc, XFS_DATA_FORK, lblk);
544 		lasthash = hash;
545 		if (ents[i].address == cpu_to_be32(XFS_DIR2_NULL_DATAPTR))
546 			stale++;
547 	}
548 	if (leafhdr.stale != stale)
549 		xfs_scrub_fblock_set_corrupt(sc, XFS_DATA_FORK, lblk);
550 	if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)
551 		goto out;
552 
553 	/* Check all the bestfree entries. */
554 	for (i = 0; i < bestcount; i++, bestp++) {
555 		best = be16_to_cpu(*bestp);
556 		if (best == NULLDATAOFF)
557 			continue;
558 		error = xfs_dir3_data_read(sc->tp, sc->ip,
559 				i * args->geo->fsbcount, -1, &dbp);
560 		if (!xfs_scrub_fblock_process_error(sc, XFS_DATA_FORK, lblk,
561 				&error))
562 			break;
563 		xfs_scrub_directory_check_freesp(sc, lblk, dbp, best);
564 		xfs_trans_brelse(sc->tp, dbp);
565 		if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)
566 			goto out;
567 	}
568 out:
569 	return error;
570 }
571 
572 /* Check free space info in a directory freespace block. */
573 STATIC int
574 xfs_scrub_directory_free_bestfree(
575 	struct xfs_scrub_context	*sc,
576 	struct xfs_da_args		*args,
577 	xfs_dablk_t			lblk)
578 {
579 	struct xfs_dir3_icfree_hdr	freehdr;
580 	struct xfs_buf			*dbp;
581 	struct xfs_buf			*bp;
582 	__be16				*bestp;
583 	__u16				best;
584 	unsigned int			stale = 0;
585 	int				i;
586 	int				error;
587 
588 	/* Read the free space block */
589 	error = xfs_dir2_free_read(sc->tp, sc->ip, lblk, &bp);
590 	if (!xfs_scrub_fblock_process_error(sc, XFS_DATA_FORK, lblk, &error))
591 		goto out;
592 	xfs_scrub_buffer_recheck(sc, bp);
593 
594 	if (xfs_sb_version_hascrc(&sc->mp->m_sb)) {
595 		struct xfs_dir3_free_hdr	*hdr3 = bp->b_addr;
596 
597 		if (hdr3->pad != cpu_to_be32(0))
598 			xfs_scrub_fblock_set_corrupt(sc, XFS_DATA_FORK, lblk);
599 	}
600 
601 	/* Check all the entries. */
602 	sc->ip->d_ops->free_hdr_from_disk(&freehdr, bp->b_addr);
603 	bestp = sc->ip->d_ops->free_bests_p(bp->b_addr);
604 	for (i = 0; i < freehdr.nvalid; i++, bestp++) {
605 		best = be16_to_cpu(*bestp);
606 		if (best == NULLDATAOFF) {
607 			stale++;
608 			continue;
609 		}
610 		error = xfs_dir3_data_read(sc->tp, sc->ip,
611 				(freehdr.firstdb + i) * args->geo->fsbcount,
612 				-1, &dbp);
613 		if (!xfs_scrub_fblock_process_error(sc, XFS_DATA_FORK, lblk,
614 				&error))
615 			break;
616 		xfs_scrub_directory_check_freesp(sc, lblk, dbp, best);
617 		xfs_trans_brelse(sc->tp, dbp);
618 	}
619 
620 	if (freehdr.nused + stale != freehdr.nvalid)
621 		xfs_scrub_fblock_set_corrupt(sc, XFS_DATA_FORK, lblk);
622 out:
623 	return error;
624 }
625 
626 /* Check free space information in directories. */
627 STATIC int
628 xfs_scrub_directory_blocks(
629 	struct xfs_scrub_context	*sc)
630 {
631 	struct xfs_bmbt_irec		got;
632 	struct xfs_da_args		args;
633 	struct xfs_ifork		*ifp;
634 	struct xfs_mount		*mp = sc->mp;
635 	xfs_fileoff_t			leaf_lblk;
636 	xfs_fileoff_t			free_lblk;
637 	xfs_fileoff_t			lblk;
638 	struct xfs_iext_cursor		icur;
639 	xfs_dablk_t			dabno;
640 	bool				found;
641 	int				is_block = 0;
642 	int				error;
643 
644 	/* Ignore local format directories. */
645 	if (sc->ip->i_d.di_format != XFS_DINODE_FMT_EXTENTS &&
646 	    sc->ip->i_d.di_format != XFS_DINODE_FMT_BTREE)
647 		return 0;
648 
649 	ifp = XFS_IFORK_PTR(sc->ip, XFS_DATA_FORK);
650 	lblk = XFS_B_TO_FSB(mp, XFS_DIR2_DATA_OFFSET);
651 	leaf_lblk = XFS_B_TO_FSB(mp, XFS_DIR2_LEAF_OFFSET);
652 	free_lblk = XFS_B_TO_FSB(mp, XFS_DIR2_FREE_OFFSET);
653 
654 	/* Is this a block dir? */
655 	args.dp = sc->ip;
656 	args.geo = mp->m_dir_geo;
657 	args.trans = sc->tp;
658 	error = xfs_dir2_isblock(&args, &is_block);
659 	if (!xfs_scrub_fblock_process_error(sc, XFS_DATA_FORK, lblk, &error))
660 		goto out;
661 
662 	/* Iterate all the data extents in the directory... */
663 	found = xfs_iext_lookup_extent(sc->ip, ifp, lblk, &icur, &got);
664 	while (found && !(sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)) {
665 		/* Block directories only have a single block at offset 0. */
666 		if (is_block &&
667 		    (got.br_startoff > 0 ||
668 		     got.br_blockcount != args.geo->fsbcount)) {
669 			xfs_scrub_fblock_set_corrupt(sc, XFS_DATA_FORK,
670 					got.br_startoff);
671 			break;
672 		}
673 
674 		/* No more data blocks... */
675 		if (got.br_startoff >= leaf_lblk)
676 			break;
677 
678 		/*
679 		 * Check each data block's bestfree data.
680 		 *
681 		 * Iterate all the fsbcount-aligned block offsets in
682 		 * this directory.  The directory block reading code is
683 		 * smart enough to do its own bmap lookups to handle
684 		 * discontiguous directory blocks.  When we're done
685 		 * with the extent record, re-query the bmap at the
686 		 * next fsbcount-aligned offset to avoid redundant
687 		 * block checks.
688 		 */
689 		for (lblk = roundup((xfs_dablk_t)got.br_startoff,
690 				args.geo->fsbcount);
691 		     lblk < got.br_startoff + got.br_blockcount;
692 		     lblk += args.geo->fsbcount) {
693 			error = xfs_scrub_directory_data_bestfree(sc, lblk,
694 					is_block);
695 			if (error)
696 				goto out;
697 		}
698 		dabno = got.br_startoff + got.br_blockcount;
699 		lblk = roundup(dabno, args.geo->fsbcount);
700 		found = xfs_iext_lookup_extent(sc->ip, ifp, lblk, &icur, &got);
701 	}
702 
703 	if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)
704 		goto out;
705 
706 	/* Look for a leaf1 block, which has free info. */
707 	if (xfs_iext_lookup_extent(sc->ip, ifp, leaf_lblk, &icur, &got) &&
708 	    got.br_startoff == leaf_lblk &&
709 	    got.br_blockcount == args.geo->fsbcount &&
710 	    !xfs_iext_next_extent(ifp, &icur, &got)) {
711 		if (is_block) {
712 			xfs_scrub_fblock_set_corrupt(sc, XFS_DATA_FORK, lblk);
713 			goto out;
714 		}
715 		error = xfs_scrub_directory_leaf1_bestfree(sc, &args,
716 				leaf_lblk);
717 		if (error)
718 			goto out;
719 	}
720 
721 	if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)
722 		goto out;
723 
724 	/* Scan for free blocks */
725 	lblk = free_lblk;
726 	found = xfs_iext_lookup_extent(sc->ip, ifp, lblk, &icur, &got);
727 	while (found && !(sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)) {
728 		/*
729 		 * Dirs can't have blocks mapped above 2^32.
730 		 * Single-block dirs shouldn't even be here.
731 		 */
732 		lblk = got.br_startoff;
733 		if (lblk & ~0xFFFFFFFFULL) {
734 			xfs_scrub_fblock_set_corrupt(sc, XFS_DATA_FORK, lblk);
735 			goto out;
736 		}
737 		if (is_block) {
738 			xfs_scrub_fblock_set_corrupt(sc, XFS_DATA_FORK, lblk);
739 			goto out;
740 		}
741 
742 		/*
743 		 * Check each dir free block's bestfree data.
744 		 *
745 		 * Iterate all the fsbcount-aligned block offsets in
746 		 * this directory.  The directory block reading code is
747 		 * smart enough to do its own bmap lookups to handle
748 		 * discontiguous directory blocks.  When we're done
749 		 * with the extent record, re-query the bmap at the
750 		 * next fsbcount-aligned offset to avoid redundant
751 		 * block checks.
752 		 */
753 		for (lblk = roundup((xfs_dablk_t)got.br_startoff,
754 				args.geo->fsbcount);
755 		     lblk < got.br_startoff + got.br_blockcount;
756 		     lblk += args.geo->fsbcount) {
757 			error = xfs_scrub_directory_free_bestfree(sc, &args,
758 					lblk);
759 			if (error)
760 				goto out;
761 		}
762 		dabno = got.br_startoff + got.br_blockcount;
763 		lblk = roundup(dabno, args.geo->fsbcount);
764 		found = xfs_iext_lookup_extent(sc->ip, ifp, lblk, &icur, &got);
765 	}
766 out:
767 	return error;
768 }
769 
770 /* Scrub a whole directory. */
771 int
772 xfs_scrub_directory(
773 	struct xfs_scrub_context	*sc)
774 {
775 	struct xfs_scrub_dir_ctx	sdc = {
776 		.dir_iter.actor = xfs_scrub_dir_actor,
777 		.dir_iter.pos = 0,
778 		.sc = sc,
779 	};
780 	size_t				bufsize;
781 	loff_t				oldpos;
782 	int				error = 0;
783 
784 	if (!S_ISDIR(VFS_I(sc->ip)->i_mode))
785 		return -ENOENT;
786 
787 	/* Plausible size? */
788 	if (sc->ip->i_d.di_size < xfs_dir2_sf_hdr_size(0)) {
789 		xfs_scrub_ino_set_corrupt(sc, sc->ip->i_ino);
790 		goto out;
791 	}
792 
793 	/* Check directory tree structure */
794 	error = xfs_scrub_da_btree(sc, XFS_DATA_FORK, xfs_scrub_dir_rec, NULL);
795 	if (error)
796 		return error;
797 
798 	if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)
799 		return error;
800 
801 	/* Check the freespace. */
802 	error = xfs_scrub_directory_blocks(sc);
803 	if (error)
804 		return error;
805 
806 	if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)
807 		return error;
808 
809 	/*
810 	 * Check that every dirent we see can also be looked up by hash.
811 	 * Userspace usually asks for a 32k buffer, so we will too.
812 	 */
813 	bufsize = (size_t)min_t(loff_t, XFS_READDIR_BUFSIZE,
814 			sc->ip->i_d.di_size);
815 
816 	/*
817 	 * Look up every name in this directory by hash.
818 	 *
819 	 * Use the xfs_readdir function to call xfs_scrub_dir_actor on
820 	 * every directory entry in this directory.  In _actor, we check
821 	 * the name, inode number, and ftype (if applicable) of the
822 	 * entry.  xfs_readdir uses the VFS filldir functions to provide
823 	 * iteration context.
824 	 *
825 	 * The VFS grabs a read or write lock via i_rwsem before it reads
826 	 * or writes to a directory.  If we've gotten this far we've
827 	 * already obtained IOLOCK_EXCL, which (since 4.10) is the same as
828 	 * getting a write lock on i_rwsem.  Therefore, it is safe for us
829 	 * to drop the ILOCK here in order to reuse the _readdir and
830 	 * _dir_lookup routines, which do their own ILOCK locking.
831 	 */
832 	oldpos = 0;
833 	sc->ilock_flags &= ~XFS_ILOCK_EXCL;
834 	xfs_iunlock(sc->ip, XFS_ILOCK_EXCL);
835 	while (true) {
836 		error = xfs_readdir(sc->tp, sc->ip, &sdc.dir_iter, bufsize);
837 		if (!xfs_scrub_fblock_process_error(sc, XFS_DATA_FORK, 0,
838 				&error))
839 			goto out;
840 		if (oldpos == sdc.dir_iter.pos)
841 			break;
842 		oldpos = sdc.dir_iter.pos;
843 	}
844 
845 out:
846 	return error;
847 }
848