1// SPDX-License-Identifier: GPL-2.0-or-later
2/*
3 * Copyright (C) 2019-2023 Oracle.  All Rights Reserved.
4 * Author: Darrick J. Wong <djwong@kernel.org>
5 */
6#include "xfs.h"
7#include "xfs_fs.h"
8#include "xfs_shared.h"
9#include "xfs_format.h"
10#include "xfs_trans_resv.h"
11#include "xfs_mount.h"
12#include "xfs_btree.h"
13#include "xfs_ag.h"
14#include "xfs_health.h"
15#include "scrub/scrub.h"
16#include "scrub/health.h"
17#include "scrub/common.h"
18
19/*
20 * Scrub and In-Core Filesystem Health Assessments
21 * ===============================================
22 *
23 * Online scrub and repair have the time and the ability to perform stronger
24 * checks than we can do from the metadata verifiers, because they can
25 * cross-reference records between data structures.  Therefore, scrub is in a
26 * good position to update the online filesystem health assessments to reflect
27 * the good/bad state of the data structure.
28 *
29 * We therefore extend scrub in the following ways to achieve this:
30 *
31 * 1. Create a "sick_mask" field in the scrub context.  When we're setting up a
32 * scrub call, set this to the default XFS_SICK_* flag(s) for the selected
33 * scrub type (call it A).  Scrub and repair functions can override the default
34 * sick_mask value if they choose.
35 *
36 * 2. If the scrubber returns a runtime error code, we exit making no changes
37 * to the incore sick state.
38 *
39 * 3. If the scrubber finds that A is clean, use sick_mask to clear the incore
40 * sick flags before exiting.
41 *
42 * 4. If the scrubber finds that A is corrupt, use sick_mask to set the incore
43 * sick flags.  If the user didn't want to repair then we exit, leaving the
44 * metadata structure unfixed and the sick flag set.
45 *
46 * 5. Now we know that A is corrupt and the user wants to repair, so run the
47 * repairer.  If the repairer returns an error code, we exit with that error
48 * code, having made no further changes to the incore sick state.
49 *
50 * 6. If repair rebuilds A correctly and the subsequent re-scrub of A is clean,
51 * use sick_mask to clear the incore sick flags.  This should have the effect
52 * that A is no longer marked sick.
53 *
54 * 7. If repair rebuilds A incorrectly, the re-scrub will find it corrupt and
55 * use sick_mask to set the incore sick flags.  This should have no externally
56 * visible effect since we already set them in step (4).
57 *
58 * There are some complications to this story, however.  For certain types of
59 * complementary metadata indices (e.g. inobt/finobt), it is easier to rebuild
60 * both structures at the same time.  The following principles apply to this
61 * type of repair strategy:
62 *
63 * 8. Any repair function that rebuilds multiple structures should update
64 * sick_mask_visible to reflect whatever other structures are rebuilt, and
65 * verify that all the rebuilt structures can pass a scrub check.  The outcomes
66 * of 5-7 still apply, but with a sick_mask that covers everything being
67 * rebuilt.
68 */
69
70/* Map our scrub type to a sick mask and a set of health update functions. */
71
72enum xchk_health_group {
73	XHG_FS = 1,
74	XHG_RT,
75	XHG_AG,
76	XHG_INO,
77};
78
79struct xchk_health_map {
80	enum xchk_health_group	group;
81	unsigned int		sick_mask;
82};
83
84static const struct xchk_health_map type_to_health_flag[XFS_SCRUB_TYPE_NR] = {
85	[XFS_SCRUB_TYPE_SB]		= { XHG_AG,  XFS_SICK_AG_SB },
86	[XFS_SCRUB_TYPE_AGF]		= { XHG_AG,  XFS_SICK_AG_AGF },
87	[XFS_SCRUB_TYPE_AGFL]		= { XHG_AG,  XFS_SICK_AG_AGFL },
88	[XFS_SCRUB_TYPE_AGI]		= { XHG_AG,  XFS_SICK_AG_AGI },
89	[XFS_SCRUB_TYPE_BNOBT]		= { XHG_AG,  XFS_SICK_AG_BNOBT },
90	[XFS_SCRUB_TYPE_CNTBT]		= { XHG_AG,  XFS_SICK_AG_CNTBT },
91	[XFS_SCRUB_TYPE_INOBT]		= { XHG_AG,  XFS_SICK_AG_INOBT },
92	[XFS_SCRUB_TYPE_FINOBT]		= { XHG_AG,  XFS_SICK_AG_FINOBT },
93	[XFS_SCRUB_TYPE_RMAPBT]		= { XHG_AG,  XFS_SICK_AG_RMAPBT },
94	[XFS_SCRUB_TYPE_REFCNTBT]	= { XHG_AG,  XFS_SICK_AG_REFCNTBT },
95	[XFS_SCRUB_TYPE_INODE]		= { XHG_INO, XFS_SICK_INO_CORE },
96	[XFS_SCRUB_TYPE_BMBTD]		= { XHG_INO, XFS_SICK_INO_BMBTD },
97	[XFS_SCRUB_TYPE_BMBTA]		= { XHG_INO, XFS_SICK_INO_BMBTA },
98	[XFS_SCRUB_TYPE_BMBTC]		= { XHG_INO, XFS_SICK_INO_BMBTC },
99	[XFS_SCRUB_TYPE_DIR]		= { XHG_INO, XFS_SICK_INO_DIR },
100	[XFS_SCRUB_TYPE_XATTR]		= { XHG_INO, XFS_SICK_INO_XATTR },
101	[XFS_SCRUB_TYPE_SYMLINK]	= { XHG_INO, XFS_SICK_INO_SYMLINK },
102	[XFS_SCRUB_TYPE_PARENT]		= { XHG_INO, XFS_SICK_INO_PARENT },
103	[XFS_SCRUB_TYPE_RTBITMAP]	= { XHG_RT,  XFS_SICK_RT_BITMAP },
104	[XFS_SCRUB_TYPE_RTSUM]		= { XHG_RT,  XFS_SICK_RT_SUMMARY },
105	[XFS_SCRUB_TYPE_UQUOTA]		= { XHG_FS,  XFS_SICK_FS_UQUOTA },
106	[XFS_SCRUB_TYPE_GQUOTA]		= { XHG_FS,  XFS_SICK_FS_GQUOTA },
107	[XFS_SCRUB_TYPE_PQUOTA]		= { XHG_FS,  XFS_SICK_FS_PQUOTA },
108	[XFS_SCRUB_TYPE_FSCOUNTERS]	= { XHG_FS,  XFS_SICK_FS_COUNTERS },
109	[XFS_SCRUB_TYPE_QUOTACHECK]	= { XHG_FS,  XFS_SICK_FS_QUOTACHECK },
110	[XFS_SCRUB_TYPE_NLINKS]		= { XHG_FS,  XFS_SICK_FS_NLINKS },
111	[XFS_SCRUB_TYPE_DIRTREE]	= { XHG_INO, XFS_SICK_INO_DIRTREE },
112};
113
114/* Return the health status mask for this scrub type. */
115unsigned int
116xchk_health_mask_for_scrub_type(
117	__u32			scrub_type)
118{
119	return type_to_health_flag[scrub_type].sick_mask;
120}
121
122/*
123 * If the scrub state is clean, add @mask to the scrub sick mask to clear
124 * additional sick flags from the metadata object's sick state.
125 */
126void
127xchk_mark_healthy_if_clean(
128	struct xfs_scrub	*sc,
129	unsigned int		mask)
130{
131	if (!(sc->sm->sm_flags & (XFS_SCRUB_OFLAG_CORRUPT |
132				  XFS_SCRUB_OFLAG_XCORRUPT)))
133		sc->sick_mask |= mask;
134}
135
136/*
137 * If we're scrubbing a piece of file metadata for the first time, does it look
138 * like it has been zapped?  Skip the check if we just repaired the metadata
139 * and are revalidating it.
140 */
141bool
142xchk_file_looks_zapped(
143	struct xfs_scrub	*sc,
144	unsigned int		mask)
145{
146	ASSERT((mask & ~XFS_SICK_INO_ZAPPED) == 0);
147
148	if (sc->flags & XREP_ALREADY_FIXED)
149		return false;
150
151	return xfs_inode_has_sickness(sc->ip, mask);
152}
153
154/*
155 * Scrub gave the filesystem a clean bill of health, so clear all the indirect
156 * markers of past problems (at least for the fs and ags) so that we can be
157 * healthy again.
158 */
159STATIC void
160xchk_mark_all_healthy(
161	struct xfs_mount	*mp)
162{
163	struct xfs_perag	*pag;
164	xfs_agnumber_t		agno;
165
166	xfs_fs_mark_healthy(mp, XFS_SICK_FS_INDIRECT);
167	xfs_rt_mark_healthy(mp, XFS_SICK_RT_INDIRECT);
168	for_each_perag(mp, agno, pag)
169		xfs_ag_mark_healthy(pag, XFS_SICK_AG_INDIRECT);
170}
171
172/*
173 * Update filesystem health assessments based on what we found and did.
174 *
175 * If the scrubber finds errors, we mark sick whatever's mentioned in
176 * sick_mask, no matter whether this is a first scan or an
177 * evaluation of repair effectiveness.
178 *
179 * Otherwise, no direct corruption was found, so mark whatever's in
180 * sick_mask as healthy.
181 */
182void
183xchk_update_health(
184	struct xfs_scrub	*sc)
185{
186	struct xfs_perag	*pag;
187	bool			bad;
188
189	/*
190	 * The HEALTHY scrub type is a request from userspace to clear all the
191	 * indirect flags after a clean scan of the entire filesystem.  As such
192	 * there's no sick flag defined for it, so we branch here ahead of the
193	 * mask check.
194	 */
195	if (sc->sm->sm_type == XFS_SCRUB_TYPE_HEALTHY &&
196	    !(sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)) {
197		xchk_mark_all_healthy(sc->mp);
198		return;
199	}
200
201	if (!sc->sick_mask)
202		return;
203
204	bad = (sc->sm->sm_flags & (XFS_SCRUB_OFLAG_CORRUPT |
205				   XFS_SCRUB_OFLAG_XCORRUPT));
206	switch (type_to_health_flag[sc->sm->sm_type].group) {
207	case XHG_AG:
208		pag = xfs_perag_get(sc->mp, sc->sm->sm_agno);
209		if (bad)
210			xfs_ag_mark_corrupt(pag, sc->sick_mask);
211		else
212			xfs_ag_mark_healthy(pag, sc->sick_mask);
213		xfs_perag_put(pag);
214		break;
215	case XHG_INO:
216		if (!sc->ip)
217			return;
218		if (bad) {
219			unsigned int	mask = sc->sick_mask;
220
221			/*
222			 * If we're coming in for repairs then we don't want
223			 * sickness flags to propagate to the incore health
224			 * status if the inode gets inactivated before we can
225			 * fix it.
226			 */
227			if (sc->sm->sm_flags & XFS_SCRUB_IFLAG_REPAIR)
228				mask |= XFS_SICK_INO_FORGET;
229			xfs_inode_mark_corrupt(sc->ip, mask);
230		} else
231			xfs_inode_mark_healthy(sc->ip, sc->sick_mask);
232		break;
233	case XHG_FS:
234		if (bad)
235			xfs_fs_mark_corrupt(sc->mp, sc->sick_mask);
236		else
237			xfs_fs_mark_healthy(sc->mp, sc->sick_mask);
238		break;
239	case XHG_RT:
240		if (bad)
241			xfs_rt_mark_corrupt(sc->mp, sc->sick_mask);
242		else
243			xfs_rt_mark_healthy(sc->mp, sc->sick_mask);
244		break;
245	default:
246		ASSERT(0);
247		break;
248	}
249}
250
251/* Is the given per-AG btree healthy enough for scanning? */
252void
253xchk_ag_btree_del_cursor_if_sick(
254	struct xfs_scrub	*sc,
255	struct xfs_btree_cur	**curp,
256	unsigned int		sm_type)
257{
258	unsigned int		mask = (*curp)->bc_ops->sick_mask;
259
260	/*
261	 * We always want the cursor if it's the same type as whatever we're
262	 * scrubbing, even if we already know the structure is corrupt.
263	 *
264	 * Otherwise, we're only interested in the btree for cross-referencing.
265	 * If we know the btree is bad then don't bother, just set XFAIL.
266	 */
267	if (sc->sm->sm_type == sm_type)
268		return;
269
270	/*
271	 * If we just repaired some AG metadata, sc->sick_mask will reflect all
272	 * the per-AG metadata types that were repaired.  Exclude these from
273	 * the filesystem health query because we have not yet updated the
274	 * health status and we want everything to be scanned.
275	 */
276	if ((sc->flags & XREP_ALREADY_FIXED) &&
277	    type_to_health_flag[sc->sm->sm_type].group == XHG_AG)
278		mask &= ~sc->sick_mask;
279
280	if (xfs_ag_has_sickness((*curp)->bc_ag.pag, mask)) {
281		sc->sm->sm_flags |= XFS_SCRUB_OFLAG_XFAIL;
282		xfs_btree_del_cursor(*curp, XFS_BTREE_NOERROR);
283		*curp = NULL;
284	}
285}
286
287/*
288 * Quick scan to double-check that there isn't any evidence of lingering
289 * primary health problems.  If we're still clear, then the health update will
290 * take care of clearing the indirect evidence.
291 */
292int
293xchk_health_record(
294	struct xfs_scrub	*sc)
295{
296	struct xfs_mount	*mp = sc->mp;
297	struct xfs_perag	*pag;
298	xfs_agnumber_t		agno;
299
300	unsigned int		sick;
301	unsigned int		checked;
302
303	xfs_fs_measure_sickness(mp, &sick, &checked);
304	if (sick & XFS_SICK_FS_PRIMARY)
305		xchk_set_corrupt(sc);
306
307	xfs_rt_measure_sickness(mp, &sick, &checked);
308	if (sick & XFS_SICK_RT_PRIMARY)
309		xchk_set_corrupt(sc);
310
311	for_each_perag(mp, agno, pag) {
312		xfs_ag_measure_sickness(pag, &sick, &checked);
313		if (sick & XFS_SICK_AG_PRIMARY)
314			xchk_set_corrupt(sc);
315	}
316
317	return 0;
318}
319