// SPDX-License-Identifier: GPL-2.0+
/*
 * Copyright (C) 2017 Oracle. All Rights Reserved.
 * Author: Darrick J. Wong <darrick.wong@oracle.com>
 */
#include "xfs.h"
#include "xfs_fs.h"
#include "xfs_shared.h"
#include "xfs_format.h"
#include "xfs_trans_resv.h"
#include "xfs_mount.h"
#include "xfs_defer.h"
#include "xfs_btree.h"
#include "xfs_bit.h"
#include "xfs_log_format.h"
#include "xfs_trans.h"
#include "xfs_sb.h"
#include "xfs_inode.h"
#include "xfs_icache.h"
#include "xfs_inode_buf.h"
#include "xfs_inode_fork.h"
#include "xfs_ialloc.h"
#include "xfs_da_format.h"
#include "xfs_reflink.h"
#include "xfs_rmap.h"
#include "xfs_bmap.h"
#include "xfs_bmap_util.h"
#include "scrub/xfs_scrub.h"
#include "scrub/scrub.h"
#include "scrub/common.h"
#include "scrub/btree.h"
#include "scrub/trace.h"

/*
 * Grab total control of the inode metadata.  It doesn't matter here if
 * the file data is still changing; exclusive access to the metadata is
 * the goal.
 *
 * Returns 0 on success, or the negative errno handed back by
 * xfs_scrub_get_inode() or xfs_scrub_trans_alloc().
 */
int
xfs_scrub_setup_inode(
	struct xfs_scrub_context	*sc,
	struct xfs_inode		*ip)
{
	int				error;

	/*
	 * Try to get the inode.  If the verifiers reject it (-EFSCORRUPTED
	 * or -EFSBADCRC) setup does not fail: only the transaction is
	 * allocated and no inode locks are taken here.  xfs_scrub_inode()
	 * later reports a NULL sc->ip as corruption.
	 */
	error = xfs_scrub_get_inode(sc, ip);
	if (error == -EFSCORRUPTED || error == -EFSBADCRC)
		return xfs_scrub_trans_alloc(sc, 0);
	if (error)
		return error;

	/*
	 * Got the inode.  Take the IO and mmap locks first and remember
	 * them in sc->ilock_flags; the ILOCK is only taken (and recorded)
	 * once the transaction has been allocated.
	 */
	sc->ilock_flags = XFS_IOLOCK_EXCL | XFS_MMAPLOCK_EXCL;
	xfs_ilock(sc->ip, sc->ilock_flags);

	error = xfs_scrub_trans_alloc(sc, 0);
	if (error) {
		/* scrub teardown will unlock and release the inode for us */
		return error;
	}

	sc->ilock_flags |= XFS_ILOCK_EXCL;
	xfs_ilock(sc->ip, XFS_ILOCK_EXCL);

	/* scrub teardown will unlock and release the inode for us */
	return 0;
}

/* Inode core */

/* Validate di_extsize hint.
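*/
STATIC void
xfs_scrub_inode_extsize(
	struct xfs_scrub_context	*sc,
	struct xfs_dinode		*dip,
	xfs_ino_t			ino,
	uint16_t			mode,
	uint16_t			flags)
{
	xfs_failaddr_t			fa;

	/*
	 * di_extsize is stored big-endian; convert it and let the shared
	 * validator judge it against the (already CPU-endian) mode and
	 * flags.  A non-NULL failure address marks the inode corrupt.
	 */
	fa = xfs_inode_validate_extsize(sc->mp, be32_to_cpu(dip->di_extsize),
			mode, flags);
	if (fa)
		xfs_scrub_ino_set_corrupt(sc, ino);
}

/*
 * Validate di_cowextsize hint.
 *
 * The rules are documented at xfs_ioctl_setattr_check_cowextsize().
 * These functions must be kept in sync with each other.
 */
STATIC void
xfs_scrub_inode_cowextsize(
	struct xfs_scrub_context	*sc,
	struct xfs_dinode		*dip,
	xfs_ino_t			ino,
	uint16_t			mode,
	uint16_t			flags,
	uint64_t			flags2)
{
	xfs_failaddr_t			fa;

	/* Same pattern as the extsize check: convert, validate, flag. */
	fa = xfs_inode_validate_cowextsize(sc->mp,
			be32_to_cpu(dip->di_cowextsize), mode, flags,
			flags2);
	if (fa)
		xfs_scrub_ino_set_corrupt(sc, ino);
}

/*
 * Make sure the di_flags make sense for the inode.
 *
 * @flags and @mode are the CPU-endian di_flags and di_mode values supplied
 * by the caller; @dip itself is not examined.  The first rule that is
 * violated marks the inode corrupt and ends the check.
 */
STATIC void
xfs_scrub_inode_flags(
	struct xfs_scrub_context	*sc,
	struct xfs_dinode		*dip,
	xfs_ino_t			ino,
	uint16_t			mode,
	uint16_t			flags)
{
	struct xfs_mount		*mp = sc->mp;

	/* reject any bit outside the XFS_DIFLAG_ANY mask */
	if (flags & ~XFS_DIFLAG_ANY)
		goto bad;

	/* rt flags require rt device */
	if ((flags & (XFS_DIFLAG_REALTIME | XFS_DIFLAG_RTINHERIT)) &&
	    !mp->m_rtdev_targp)
		goto bad;

	/* new rt bitmap flag only valid for rbmino */
	if ((flags & XFS_DIFLAG_NEWRTBM) && ino != mp->m_sb.sb_rbmino)
		goto bad;

	/* directory-only flags */
	if ((flags & (XFS_DIFLAG_RTINHERIT |
		      XFS_DIFLAG_EXTSZINHERIT |
		      XFS_DIFLAG_PROJINHERIT |
		      XFS_DIFLAG_NOSYMLINKS)) &&
	    !S_ISDIR(mode))
		goto bad;

	/*
	 * file-only flags
	 *
	 * @flags holds ondisk di_flags bits, so test the ondisk
	 * XFS_DIFLAG_EXTSIZE constant rather than the ioctl-namespace
	 * FS_XFLAG_EXTSIZE.  The two share the same numeric value, so the
	 * result is unchanged, but mixing the namespaces would silently
	 * break if either definition ever moved.
	 */
	if ((flags & (XFS_DIFLAG_REALTIME | XFS_DIFLAG_EXTSIZE)) &&
	    !S_ISREG(mode))
		goto bad;

	/* filestreams and rt make no sense */
	if ((flags & XFS_DIFLAG_FILESTREAM) && (flags & XFS_DIFLAG_REALTIME))
		goto bad;

	return;
bad:
	xfs_scrub_ino_set_corrupt(sc, ino);
}

/*
 * Make sure the di_flags2 make sense for the inode.
 *
 * @flags, @flags2 and @mode are CPU-endian values supplied by the caller;
 * @dip itself is not examined.  The first rule that is violated marks the
 * inode corrupt and ends the check.
 */
STATIC void
xfs_scrub_inode_flags2(
	struct xfs_scrub_context	*sc,
	struct xfs_dinode		*dip,
	xfs_ino_t			ino,
	uint16_t			mode,
	uint16_t			flags,
	uint64_t			flags2)
{
	struct xfs_mount		*mp = sc->mp;

	/* reject any bit outside the XFS_DIFLAG2_ANY mask */
	if (flags2 & ~XFS_DIFLAG2_ANY)
		goto bad;

	/* reflink flag requires reflink feature */
	if ((flags2 & XFS_DIFLAG2_REFLINK) &&
	    !xfs_sb_version_hasreflink(&mp->m_sb))
		goto bad;

	/* cowextsize flag is checked w.r.t. mode separately */

	/* file/dir-only flags */
	if ((flags2 & XFS_DIFLAG2_DAX) && !(S_ISREG(mode) || S_ISDIR(mode)))
		goto bad;

	/* file-only flags */
	if ((flags2 & XFS_DIFLAG2_REFLINK) && !S_ISREG(mode))
		goto bad;

	/* realtime and reflink make no sense, currently */
	if ((flags & XFS_DIFLAG_REALTIME) && (flags2 & XFS_DIFLAG2_REFLINK))
		goto bad;

	/* dax and reflink make no sense, currently */
	if ((flags2 & XFS_DIFLAG2_DAX) && (flags2 & XFS_DIFLAG2_REFLINK))
		goto bad;

	return;
bad:
	xfs_scrub_ino_set_corrupt(sc, ino);
}

/* Scrub all the ondisk inode fields.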
*/
/*
 * Multi-byte fields of @dip are big-endian and are converted before any
 * range comparison.  Problems are reported by setting corrupt / preen /
 * warning state for @ino; nothing is returned and nothing is repaired.
 * An unrecognized di_version flags corruption and ends the scan early;
 * every other finding lets the remaining checks run.
 */
STATIC void
xfs_scrub_dinode(
	struct xfs_scrub_context	*sc,
	struct xfs_dinode		*dip,
	xfs_ino_t			ino)
{
	struct xfs_mount		*mp = sc->mp;
	size_t				max_recs;
	unsigned long long		isize;
	uint64_t			flags2;
	uint32_t			nextents;
	uint16_t			flags;
	uint16_t			mode;

	flags = be16_to_cpu(dip->di_flags);
	/* di_flags2 is only read for version 3 and later inodes */
	flags2 = dip->di_version >= 3 ? be64_to_cpu(dip->di_flags2) : 0;

	/* di_mode */
	mode = be16_to_cpu(dip->di_mode);
	switch (mode & S_IFMT) {
	case S_IFLNK:
	case S_IFREG:
	case S_IFDIR:
	case S_IFCHR:
	case S_IFBLK:
	case S_IFIFO:
	case S_IFSOCK:
		/* mode is recognized */
		break;
	default:
		xfs_scrub_ino_set_corrupt(sc, ino);
		break;
	}

	/* v1/v2 fields */
	switch (dip->di_version) {
	case 1:
		/*
		 * We autoconvert v1 inodes into v2 inodes on writeout,
		 * so just mark this inode for preening.
		 */
		xfs_scrub_ino_set_preen(sc, ino);
		break;
	case 2:
	case 3:
		if (dip->di_onlink != 0)
			xfs_scrub_ino_set_corrupt(sc, ino);

		/* a zero mode is only an error if we hold an incore inode */
		if (dip->di_mode == 0 && sc->ip)
			xfs_scrub_ino_set_corrupt(sc, ino);

		if (dip->di_projid_hi != 0 &&
		    !xfs_sb_version_hasprojid32bit(&mp->m_sb))
			xfs_scrub_ino_set_corrupt(sc, ino);
		break;
	default:
		/* unknown version: none of the later checks can be trusted */
		xfs_scrub_ino_set_corrupt(sc, ino);
		return;
	}

	/*
	 * di_uid/di_gid -- -1 isn't invalid, but there's no way that
	 * userspace could have created that.
	 */
	if (dip->di_uid == cpu_to_be32(-1U) ||
	    dip->di_gid == cpu_to_be32(-1U))
		xfs_scrub_ino_set_warning(sc, ino);

	/* di_format -- each data fork format is only legal for some modes */
	switch (dip->di_format) {
	case XFS_DINODE_FMT_DEV:
		if (!S_ISCHR(mode) && !S_ISBLK(mode) &&
		    !S_ISFIFO(mode) && !S_ISSOCK(mode))
			xfs_scrub_ino_set_corrupt(sc, ino);
		break;
	case XFS_DINODE_FMT_LOCAL:
		if (!S_ISDIR(mode) && !S_ISLNK(mode))
			xfs_scrub_ino_set_corrupt(sc, ino);
		break;
	case XFS_DINODE_FMT_EXTENTS:
		if (!S_ISREG(mode) && !S_ISDIR(mode) && !S_ISLNK(mode))
			xfs_scrub_ino_set_corrupt(sc, ino);
		break;
	case XFS_DINODE_FMT_BTREE:
		if (!S_ISREG(mode) && !S_ISDIR(mode))
			xfs_scrub_ino_set_corrupt(sc, ino);
		break;
	case XFS_DINODE_FMT_UUID:
	default:
		xfs_scrub_ino_set_corrupt(sc, ino);
		break;
	}

	/* di_[amc]time.nsec */
	if (be32_to_cpu(dip->di_atime.t_nsec) >= NSEC_PER_SEC)
		xfs_scrub_ino_set_corrupt(sc, ino);
	if (be32_to_cpu(dip->di_mtime.t_nsec) >= NSEC_PER_SEC)
		xfs_scrub_ino_set_corrupt(sc, ino);
	if (be32_to_cpu(dip->di_ctime.t_nsec) >= NSEC_PER_SEC)
		xfs_scrub_ino_set_corrupt(sc, ino);

	/*
	 * di_size.  xfs_dinode_verify checks for things that screw up
	 * the VFS such as the upper bit being set and zero-length
	 * symlinks/directories, but we can do more here.
	 */
	isize = be64_to_cpu(dip->di_size);
	if (isize & (1ULL << 63))
		xfs_scrub_ino_set_corrupt(sc, ino);

	/* Devices, fifos, and sockets must have zero size */
	if (!S_ISDIR(mode) && !S_ISREG(mode) && !S_ISLNK(mode) && isize != 0)
		xfs_scrub_ino_set_corrupt(sc, ino);

	/*
	 * Directories must be non-empty and smaller than the data section
	 * size (32G)
	 */
	if (S_ISDIR(mode) && (isize == 0 || isize >= XFS_DIR2_SPACE_SIZE))
		xfs_scrub_ino_set_corrupt(sc, ino);

	/* Symlinks must be non-empty and shorter than XFS_SYMLINK_MAXLEN */
	if (S_ISLNK(mode) && (isize == 0 || isize >= XFS_SYMLINK_MAXLEN))
		xfs_scrub_ino_set_corrupt(sc, ino);

	/*
	 * Warn if the running kernel can't handle the kinds of offsets
	 * needed to deal with the file size.  In other words, if the
	 * pagecache can't cache all the blocks in this file due to
	 * overly large offsets, flag the inode for admin review.
	 */
	if (isize >= mp->m_super->s_maxbytes)
		xfs_scrub_ino_set_warning(sc, ino);

	/* di_nblocks -- skipped for reflink: nblocks can exceed dblocks */
	if (!(flags2 & XFS_DIFLAG2_REFLINK)) {
		uint64_t		max_blocks = mp->m_sb.sb_dblocks;

		/*
		 * For realtime files nblocks is the sum of data extents
		 * (in the rtdev), attr extents (in the datadev), and both
		 * forks' bmbt blocks (in the datadev).  This clumsy check
		 * is the best we can do without cross-referencing with
		 * the inode forks.
		 */
		if (flags & XFS_DIFLAG_REALTIME)
			max_blocks += mp->m_sb.sb_rblocks;

		if (be64_to_cpu(dip->di_nblocks) >= max_blocks)
			xfs_scrub_ino_set_corrupt(sc, ino);
	}

	xfs_scrub_inode_flags(sc, dip, ino, mode, flags);

	xfs_scrub_inode_extsize(sc, dip, ino, mode, flags);

	/*
	 * di_nextents -- must agree with how many extent records fit in
	 * the data fork area for the claimed format
	 */
	nextents = be32_to_cpu(dip->di_nextents);
	max_recs = XFS_DFORK_DSIZE(dip, mp) / sizeof(struct xfs_bmbt_rec);
	switch (dip->di_format) {
	case XFS_DINODE_FMT_EXTENTS:
		if (nextents > max_recs)
			xfs_scrub_ino_set_corrupt(sc, ino);
		break;
	case XFS_DINODE_FMT_BTREE:
		if (nextents <= max_recs)
			xfs_scrub_ino_set_corrupt(sc, ino);
		break;
	default:
		if (nextents != 0)
			xfs_scrub_ino_set_corrupt(sc, ino);
		break;
	}

	/*
	 * di_forkoff -- the attr fork pointer is only compared against
	 * the end of the inode here, never dereferenced
	 */
	if (XFS_DFORK_APTR(dip) >= (char *)dip + mp->m_sb.sb_inodesize)
		xfs_scrub_ino_set_corrupt(sc, ino);
	if (dip->di_anextents != 0 && dip->di_forkoff == 0)
		xfs_scrub_ino_set_corrupt(sc, ino);
	if (dip->di_forkoff == 0 && dip->di_aformat != XFS_DINODE_FMT_EXTENTS)
		xfs_scrub_ino_set_corrupt(sc, ino);

	/* di_aformat */
	if (dip->di_aformat != XFS_DINODE_FMT_LOCAL &&
	    dip->di_aformat != XFS_DINODE_FMT_EXTENTS &&
	    dip->di_aformat != XFS_DINODE_FMT_BTREE)
		xfs_scrub_ino_set_corrupt(sc, ino);

	/* di_anextents -- same record-count rule, applied to the attr fork */
	nextents = be16_to_cpu(dip->di_anextents);
	max_recs = XFS_DFORK_ASIZE(dip, mp) / sizeof(struct xfs_bmbt_rec);
	switch (dip->di_aformat) {
	case XFS_DINODE_FMT_EXTENTS:
		if (nextents > max_recs)
			xfs_scrub_ino_set_corrupt(sc, ino);
		break;
	case XFS_DINODE_FMT_BTREE:
		if (nextents <= max_recs)
			xfs_scrub_ino_set_corrupt(sc, ino);
		break;
	default:
		if (nextents != 0)
			xfs_scrub_ino_set_corrupt(sc, ino);
		break;
	}

	/* fields that are only checked for version 3 and later inodes */
	if (dip->di_version >= 3) {
		if (be32_to_cpu(dip->di_crtime.t_nsec) >= NSEC_PER_SEC)
			xfs_scrub_ino_set_corrupt(sc, ino);
		xfs_scrub_inode_flags2(sc, dip, ino, mode, flags, flags2);
		xfs_scrub_inode_cowextsize(sc, dip, ino, mode, flags,
				flags2);
	}
}

/*
 * Make sure the finobt doesn't think this inode is free.
 * We don't have to check the inobt ourselves because we got the inode via
 * IGET_UNTRUSTED, which checks the inobt for us.
 */
static void
xfs_scrub_inode_xref_finobt(
	struct xfs_scrub_context	*sc,
	xfs_ino_t			ino)
{
	struct xfs_inobt_rec_incore	rec;
	xfs_agino_t			agino;
	int				has_record;
	int				error;

	/* nothing to do without a finobt cursor or when xref is skipped */
	if (!sc->sa.fino_cur || xfs_scrub_skip_xref(sc->sm))
		return;

	agino = XFS_INO_TO_AGINO(sc->mp, ino);

	/*
	 * Try to get the finobt record.  If we can't get it, then we're
	 * in good shape.  has_record is only examined once the error
	 * check has passed.
	 */
	error = xfs_inobt_lookup(sc->sa.fino_cur, agino, XFS_LOOKUP_LE,
			&has_record);
	if (!xfs_scrub_should_check_xref(sc, &error, &sc->sa.fino_cur))
		return;
	if (!has_record)
		return;

	error = xfs_inobt_get_rec(sc->sa.fino_cur, &rec, &has_record);
	if (!xfs_scrub_should_check_xref(sc, &error, &sc->sa.fino_cur))
		return;
	if (!has_record)
		return;

	/*
	 * Otherwise, make sure this record either doesn't cover this inode,
	 * or that it does but it's marked present.
	 */
	if (agino < rec.ir_startino ||
	    agino >= rec.ir_startino + XFS_INODES_PER_CHUNK)
		return;

	if (rec.ir_free & XFS_INOBT_MASK(agino - rec.ir_startino))
		xfs_scrub_btree_xref_set_corrupt(sc, sc->sa.fino_cur, 0);
}

/*
 * Cross reference the inode fields with the forks.
 *
 * The extent and block counts recorded in @dip are compared with what a
 * walk of sc->ip's data and attr forks finds.
 */
STATIC void
xfs_scrub_inode_xref_bmap(
	struct xfs_scrub_context	*sc,
	struct xfs_dinode		*dip)
{
	xfs_extnum_t			nextents;
	xfs_filblks_t			count;
	xfs_filblks_t			acount;
	int				error;

	if (xfs_scrub_skip_xref(sc->sm))
		return;

	/* Walk all the extents to check nextents/naextents/nblocks. */
	error = xfs_bmap_count_blocks(sc->tp, sc->ip, XFS_DATA_FORK,
			&nextents, &count);
	if (!xfs_scrub_should_check_xref(sc, &error, NULL))
		return;
	/*
	 * NOTE(review): only a shortfall is flagged for the data fork,
	 * whereas the attr fork below must match exactly; the reason for
	 * the asymmetry is not visible in this file.
	 */
	if (nextents < be32_to_cpu(dip->di_nextents))
		xfs_scrub_ino_xref_set_corrupt(sc, sc->ip->i_ino);

	error = xfs_bmap_count_blocks(sc->tp, sc->ip, XFS_ATTR_FORK,
			&nextents, &acount);
	if (!xfs_scrub_should_check_xref(sc, &error, NULL))
		return;
	if (nextents != be16_to_cpu(dip->di_anextents))
		xfs_scrub_ino_xref_set_corrupt(sc, sc->ip->i_ino);

	/* Check nblocks against the inode. */
	if (count + acount != be64_to_cpu(dip->di_nblocks))
		xfs_scrub_ino_xref_set_corrupt(sc, sc->ip->i_ino);
}

/*
 * Cross-reference with the other btrees.
 *
 * Skipped entirely once the inode has already been flagged corrupt.
 */
STATIC void
xfs_scrub_inode_xref(
	struct xfs_scrub_context	*sc,
	xfs_ino_t			ino,
	struct xfs_dinode		*dip)
{
	struct xfs_owner_info		oinfo;
	xfs_agnumber_t			agno = XFS_INO_TO_AGNO(sc->mp, ino);
	xfs_agblock_t			agbno = XFS_INO_TO_AGBNO(sc->mp, ino);
	int				error;

	if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)
		return;

	/*
	 * NOTE(review): when the AG setup fails we return without calling
	 * xfs_scrub_ag_free() here; presumably scrub teardown releases
	 * whatever sc->sa still holds -- confirm.
	 */
	error = xfs_scrub_ag_init(sc, agno, &sc->sa);
	if (!xfs_scrub_xref_process_error(sc, agno, agbno, &error))
		return;

	/* the inode's block must be in use, owned by inodes, and unshared */
	xfs_scrub_xref_is_used_space(sc, agbno, 1);
	xfs_scrub_inode_xref_finobt(sc, ino);
	xfs_rmap_ag_owner(&oinfo, XFS_RMAP_OWN_INODES);
	xfs_scrub_xref_is_owned_by(sc, agbno, 1, &oinfo);
	xfs_scrub_xref_is_not_shared(sc, agbno, 1);
	xfs_scrub_inode_xref_bmap(sc, dip);

	xfs_scrub_ag_free(sc, &sc->sa);
}

/*
 * If the reflink iflag disagrees with a scan for shared data fork extents,
 * either flag an error (shared extents w/ no flag) or a preen (flag set w/o
 * any shared extents).  We already checked for reflink iflag set on a non
 * reflink filesystem.
*/
static void
xfs_scrub_inode_check_reflink_iflag(
	struct xfs_scrub_context	*sc,
	xfs_ino_t			ino)
{
	struct xfs_mount		*mp = sc->mp;
	bool				is_reflink;
	bool				has_shared;
	int				error;

	/* nothing to compare on a filesystem without the reflink feature */
	if (!xfs_sb_version_hasreflink(&mp->m_sb))
		return;

	error = xfs_reflink_inode_has_shared_extents(sc->tp, sc->ip,
			&has_shared);
	if (!xfs_scrub_xref_process_error(sc, XFS_INO_TO_AGNO(mp, ino),
			XFS_INO_TO_AGBNO(mp, ino), &error))
		return;

	/*
	 * A set flag with nothing shared only needs preening; shared
	 * extents without the flag are corruption.
	 */
	is_reflink = xfs_is_reflink_inode(sc->ip);
	if (is_reflink && !has_shared)
		xfs_scrub_ino_set_preen(sc, ino);
	else if (!is_reflink && has_shared)
		xfs_scrub_ino_set_corrupt(sc, ino);
}

/*
 * Scrub an inode.
 *
 * Always returns 0: findings are recorded through the scrub state (for
 * example XFS_SCRUB_OFLAG_CORRUPT in sc->sm->sm_flags), not through the
 * return value.
 */
int
xfs_scrub_inode(
	struct xfs_scrub_context	*sc)
{
	struct xfs_dinode		di;

	/*
	 * If sc->ip is NULL, that means that the setup function called
	 * xfs_iget to look up the inode.  xfs_iget returned a EFSCORRUPTED
	 * and a NULL inode, so flag the corruption error and return.
	 */
	if (!sc->ip) {
		xfs_scrub_ino_set_corrupt(sc, sc->sm->sm_ino);
		return 0;
	}

	/*
	 * Scrub the inode core.  The dinode being checked is a stack copy
	 * built from the incore inode by xfs_inode_to_disk(); it holds only
	 * the core fields, and the checks in this file compare fork
	 * offsets derived from it without reading fork contents through it.
	 */
	xfs_inode_to_disk(sc->ip, &di, 0);
	xfs_scrub_dinode(sc, &di, sc->ip->i_ino);

	/* no point cross-referencing a core that is already known bad */
	if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)
		return 0;

	/*
	 * Look for discrepancies between file's data blocks and the reflink
	 * iflag.  We already checked the iflag against the file mode when
	 * we scrubbed the dinode.
	 */
	if (S_ISREG(VFS_I(sc->ip)->i_mode))
		xfs_scrub_inode_check_reflink_iflag(sc, sc->ip->i_ino);

	xfs_scrub_inode_xref(sc, sc->ip->i_ino, &di);
	return 0;
}