xref: /openbmc/linux/fs/xfs/scrub/quota.c (revision 023e41632e065d49bcbe31b3c4b336217f96a271)
1 // SPDX-License-Identifier: GPL-2.0+
2 /*
3  * Copyright (C) 2017 Oracle.  All Rights Reserved.
4  * Author: Darrick J. Wong <darrick.wong@oracle.com>
5  */
6 #include "xfs.h"
7 #include "xfs_fs.h"
8 #include "xfs_shared.h"
9 #include "xfs_format.h"
10 #include "xfs_trans_resv.h"
11 #include "xfs_mount.h"
12 #include "xfs_defer.h"
13 #include "xfs_btree.h"
14 #include "xfs_bit.h"
15 #include "xfs_log_format.h"
16 #include "xfs_trans.h"
17 #include "xfs_sb.h"
18 #include "xfs_inode.h"
19 #include "xfs_inode_fork.h"
20 #include "xfs_alloc.h"
21 #include "xfs_bmap.h"
22 #include "xfs_quota.h"
23 #include "xfs_qm.h"
24 #include "xfs_dquot.h"
25 #include "xfs_dquot_item.h"
26 #include "scrub/xfs_scrub.h"
27 #include "scrub/scrub.h"
28 #include "scrub/common.h"
29 #include "scrub/trace.h"
30 
31 /* Convert a scrub type code to a DQ flag, or return 0 if error. */
32 static inline uint
33 xchk_quota_to_dqtype(
34 	struct xfs_scrub	*sc)
35 {
36 	switch (sc->sm->sm_type) {
37 	case XFS_SCRUB_TYPE_UQUOTA:
38 		return XFS_DQ_USER;
39 	case XFS_SCRUB_TYPE_GQUOTA:
40 		return XFS_DQ_GROUP;
41 	case XFS_SCRUB_TYPE_PQUOTA:
42 		return XFS_DQ_PROJ;
43 	default:
44 		return 0;
45 	}
46 }
47 
48 /* Set us up to scrub a quota. */
49 int
50 xchk_setup_quota(
51 	struct xfs_scrub	*sc,
52 	struct xfs_inode	*ip)
53 {
54 	uint			dqtype;
55 	int			error;
56 
57 	if (!XFS_IS_QUOTA_RUNNING(sc->mp) || !XFS_IS_QUOTA_ON(sc->mp))
58 		return -ENOENT;
59 
60 	dqtype = xchk_quota_to_dqtype(sc);
61 	if (dqtype == 0)
62 		return -EINVAL;
63 	sc->has_quotaofflock = true;
64 	mutex_lock(&sc->mp->m_quotainfo->qi_quotaofflock);
65 	if (!xfs_this_quota_on(sc->mp, dqtype))
66 		return -ENOENT;
67 	error = xchk_setup_fs(sc, ip);
68 	if (error)
69 		return error;
70 	sc->ip = xfs_quota_inode(sc->mp, dqtype);
71 	xfs_ilock(sc->ip, XFS_ILOCK_EXCL);
72 	sc->ilock_flags = XFS_ILOCK_EXCL;
73 	return 0;
74 }
75 
76 /* Quotas. */
77 
78 struct xchk_quota_info {
79 	struct xfs_scrub	*sc;
80 	xfs_dqid_t		last_id;
81 };
82 
83 /* Scrub the fields in an individual quota item. */
84 STATIC int
85 xchk_quota_item(
86 	struct xfs_dquot	*dq,
87 	uint			dqtype,
88 	void			*priv)
89 {
90 	struct xchk_quota_info	*sqi = priv;
91 	struct xfs_scrub	*sc = sqi->sc;
92 	struct xfs_mount	*mp = sc->mp;
93 	struct xfs_disk_dquot	*d = &dq->q_core;
94 	struct xfs_quotainfo	*qi = mp->m_quotainfo;
95 	xfs_fileoff_t		offset;
96 	unsigned long long	bsoft;
97 	unsigned long long	isoft;
98 	unsigned long long	rsoft;
99 	unsigned long long	bhard;
100 	unsigned long long	ihard;
101 	unsigned long long	rhard;
102 	unsigned long long	bcount;
103 	unsigned long long	icount;
104 	unsigned long long	rcount;
105 	xfs_ino_t		fs_icount;
106 	xfs_dqid_t		id = be32_to_cpu(d->d_id);
107 
108 	/*
109 	 * Except for the root dquot, the actual dquot we got must either have
110 	 * the same or higher id as we saw before.
111 	 */
112 	offset = id / qi->qi_dqperchunk;
113 	if (id && id <= sqi->last_id)
114 		xchk_fblock_set_corrupt(sc, XFS_DATA_FORK, offset);
115 
116 	sqi->last_id = id;
117 
118 	/* Did we get the dquot type we wanted? */
119 	if (dqtype != (d->d_flags & XFS_DQ_ALLTYPES))
120 		xchk_fblock_set_corrupt(sc, XFS_DATA_FORK, offset);
121 
122 	if (d->d_pad0 != cpu_to_be32(0) || d->d_pad != cpu_to_be16(0))
123 		xchk_fblock_set_corrupt(sc, XFS_DATA_FORK, offset);
124 
125 	/* Check the limits. */
126 	bhard = be64_to_cpu(d->d_blk_hardlimit);
127 	ihard = be64_to_cpu(d->d_ino_hardlimit);
128 	rhard = be64_to_cpu(d->d_rtb_hardlimit);
129 
130 	bsoft = be64_to_cpu(d->d_blk_softlimit);
131 	isoft = be64_to_cpu(d->d_ino_softlimit);
132 	rsoft = be64_to_cpu(d->d_rtb_softlimit);
133 
134 	/*
135 	 * Warn if the hard limits are larger than the fs.
136 	 * Administrators can do this, though in production this seems
137 	 * suspect, which is why we flag it for review.
138 	 *
139 	 * Complain about corruption if the soft limit is greater than
140 	 * the hard limit.
141 	 */
142 	if (bhard > mp->m_sb.sb_dblocks)
143 		xchk_fblock_set_warning(sc, XFS_DATA_FORK, offset);
144 	if (bsoft > bhard)
145 		xchk_fblock_set_corrupt(sc, XFS_DATA_FORK, offset);
146 
147 	if (ihard > mp->m_maxicount)
148 		xchk_fblock_set_warning(sc, XFS_DATA_FORK, offset);
149 	if (isoft > ihard)
150 		xchk_fblock_set_corrupt(sc, XFS_DATA_FORK, offset);
151 
152 	if (rhard > mp->m_sb.sb_rblocks)
153 		xchk_fblock_set_warning(sc, XFS_DATA_FORK, offset);
154 	if (rsoft > rhard)
155 		xchk_fblock_set_corrupt(sc, XFS_DATA_FORK, offset);
156 
157 	/* Check the resource counts. */
158 	bcount = be64_to_cpu(d->d_bcount);
159 	icount = be64_to_cpu(d->d_icount);
160 	rcount = be64_to_cpu(d->d_rtbcount);
161 	fs_icount = percpu_counter_sum(&mp->m_icount);
162 
163 	/*
164 	 * Check that usage doesn't exceed physical limits.  However, on
165 	 * a reflink filesystem we're allowed to exceed physical space
166 	 * if there are no quota limits.
167 	 */
168 	if (xfs_sb_version_hasreflink(&mp->m_sb)) {
169 		if (mp->m_sb.sb_dblocks < bcount)
170 			xchk_fblock_set_warning(sc, XFS_DATA_FORK,
171 					offset);
172 	} else {
173 		if (mp->m_sb.sb_dblocks < bcount)
174 			xchk_fblock_set_corrupt(sc, XFS_DATA_FORK,
175 					offset);
176 	}
177 	if (icount > fs_icount || rcount > mp->m_sb.sb_rblocks)
178 		xchk_fblock_set_corrupt(sc, XFS_DATA_FORK, offset);
179 
180 	/*
181 	 * We can violate the hard limits if the admin suddenly sets a
182 	 * lower limit than the actual usage.  However, we flag it for
183 	 * admin review.
184 	 */
185 	if (id != 0 && bhard != 0 && bcount > bhard)
186 		xchk_fblock_set_warning(sc, XFS_DATA_FORK, offset);
187 	if (id != 0 && ihard != 0 && icount > ihard)
188 		xchk_fblock_set_warning(sc, XFS_DATA_FORK, offset);
189 	if (id != 0 && rhard != 0 && rcount > rhard)
190 		xchk_fblock_set_warning(sc, XFS_DATA_FORK, offset);
191 
192 	return 0;
193 }
194 
195 /* Check the quota's data fork. */
196 STATIC int
197 xchk_quota_data_fork(
198 	struct xfs_scrub	*sc)
199 {
200 	struct xfs_bmbt_irec	irec = { 0 };
201 	struct xfs_iext_cursor	icur;
202 	struct xfs_quotainfo	*qi = sc->mp->m_quotainfo;
203 	struct xfs_ifork	*ifp;
204 	xfs_fileoff_t		max_dqid_off;
205 	int			error = 0;
206 
207 	/* Invoke the fork scrubber. */
208 	error = xchk_metadata_inode_forks(sc);
209 	if (error || (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT))
210 		return error;
211 
212 	/* Check for data fork problems that apply only to quota files. */
213 	max_dqid_off = ((xfs_dqid_t)-1) / qi->qi_dqperchunk;
214 	ifp = XFS_IFORK_PTR(sc->ip, XFS_DATA_FORK);
215 	for_each_xfs_iext(ifp, &icur, &irec) {
216 		if (xchk_should_terminate(sc, &error))
217 			break;
218 		/*
219 		 * delalloc extents or blocks mapped above the highest
220 		 * quota id shouldn't happen.
221 		 */
222 		if (isnullstartblock(irec.br_startblock) ||
223 		    irec.br_startoff > max_dqid_off ||
224 		    irec.br_startoff + irec.br_blockcount - 1 > max_dqid_off) {
225 			xchk_fblock_set_corrupt(sc, XFS_DATA_FORK,
226 					irec.br_startoff);
227 			break;
228 		}
229 	}
230 
231 	return error;
232 }
233 
234 /* Scrub all of a quota type's items. */
235 int
236 xchk_quota(
237 	struct xfs_scrub	*sc)
238 {
239 	struct xchk_quota_info	sqi;
240 	struct xfs_mount	*mp = sc->mp;
241 	struct xfs_quotainfo	*qi = mp->m_quotainfo;
242 	uint			dqtype;
243 	int			error = 0;
244 
245 	dqtype = xchk_quota_to_dqtype(sc);
246 
247 	/* Look for problem extents. */
248 	error = xchk_quota_data_fork(sc);
249 	if (error)
250 		goto out;
251 	if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)
252 		goto out;
253 
254 	/*
255 	 * Check all the quota items.  Now that we've checked the quota inode
256 	 * data fork we have to drop ILOCK_EXCL to use the regular dquot
257 	 * functions.
258 	 */
259 	xfs_iunlock(sc->ip, sc->ilock_flags);
260 	sc->ilock_flags = 0;
261 	sqi.sc = sc;
262 	sqi.last_id = 0;
263 	error = xfs_qm_dqiterate(mp, dqtype, xchk_quota_item, &sqi);
264 	sc->ilock_flags = XFS_ILOCK_EXCL;
265 	xfs_ilock(sc->ip, sc->ilock_flags);
266 	if (!xchk_fblock_process_error(sc, XFS_DATA_FORK,
267 			sqi.last_id * qi->qi_dqperchunk, &error))
268 		goto out;
269 
270 out:
271 	return error;
272 }
273