34c9382c12
It's possible that the dentry cache can tell us the parent of a directory. Therefore, when repairing directory dot dot entries, query the dcache as a last resort before scanning the entire filesystem. A reviewer asks: "How high is the chance that we actually have a valid dcache entry for a file in a corrupted directory?" There's a decent chance of this actually working. Say you have a 1000-block directory foo, and block 980 gets corrupted. Let's further suppose that block 0 has a correct entry for ".." and "bar". If someone accesses /mnt/foo/bar, that will cause the dcache to create a dentry from /mnt to /mnt/foo whose d_parent points back to /mnt. If you then want to rebuild the directory, XFS can obtain the parent from the dcache without needing to wander into parent pointers or scan the filesystem to find /mnt's connection to foo. Signed-off-by: Darrick J. Wong <djwong@kernel.org> Reviewed-by: Christoph Hellwig <hch@lst.de>
449 lines
11 KiB
C
449 lines
11 KiB
C
// SPDX-License-Identifier: GPL-2.0-or-later
|
|
/*
|
|
* Copyright (c) 2020-2024 Oracle. All Rights Reserved.
|
|
* Author: Darrick J. Wong <djwong@kernel.org>
|
|
*/
|
|
#include "xfs.h"
|
|
#include "xfs_fs.h"
|
|
#include "xfs_shared.h"
|
|
#include "xfs_format.h"
|
|
#include "xfs_trans_resv.h"
|
|
#include "xfs_mount.h"
|
|
#include "xfs_defer.h"
|
|
#include "xfs_bit.h"
|
|
#include "xfs_log_format.h"
|
|
#include "xfs_trans.h"
|
|
#include "xfs_sb.h"
|
|
#include "xfs_inode.h"
|
|
#include "xfs_icache.h"
|
|
#include "xfs_da_format.h"
|
|
#include "xfs_da_btree.h"
|
|
#include "xfs_dir2.h"
|
|
#include "xfs_bmap_btree.h"
|
|
#include "xfs_dir2_priv.h"
|
|
#include "xfs_trans_space.h"
|
|
#include "xfs_health.h"
|
|
#include "xfs_exchmaps.h"
|
|
#include "scrub/xfs_scrub.h"
|
|
#include "scrub/scrub.h"
|
|
#include "scrub/common.h"
|
|
#include "scrub/trace.h"
|
|
#include "scrub/repair.h"
|
|
#include "scrub/iscan.h"
|
|
#include "scrub/findparent.h"
|
|
#include "scrub/readdir.h"
|
|
#include "scrub/tempfile.h"
|
|
|
|
/*
|
|
* Finding the Parent of a Directory
|
|
* =================================
|
|
*
|
|
* Directories have parent pointers, in the sense that each directory contains
|
|
* a dotdot entry that points to the single allowed parent. The brute force
|
|
* way to find the parent of a given directory is to scan every directory in
|
|
* the filesystem looking for a child dirent that references this directory.
|
|
*
|
|
* This module wraps the process of scanning the directory tree. It requires
|
|
* that @sc->ip is the directory whose parent we want to find, and that the
|
|
* caller hold only the IOLOCK on that directory. The scan itself needs to
|
|
* take the ILOCK of each directory visited.
|
|
*
|
|
* Because we cannot hold @sc->ip's ILOCK during a scan of the whole fs, it is
|
|
* necessary to use dirent hook to update the parent scan results. Callers
|
|
* must not read the scan results without re-taking @sc->ip's ILOCK.
|
|
*
|
|
* There are a few shortcuts that we can take to avoid scanning the entire
|
|
* filesystem, such as noticing directory tree roots and querying the dentry
|
|
* cache for parent information.
|
|
*/
|
|
|
|
struct xrep_findparent_info {
|
|
/* The directory currently being scanned. */
|
|
struct xfs_inode *dp;
|
|
|
|
/*
|
|
* Scrub context. We're looking for a @dp containing a directory
|
|
* entry pointing to sc->ip->i_ino.
|
|
*/
|
|
struct xfs_scrub *sc;
|
|
|
|
/* Optional scan information for a xrep_findparent_scan call. */
|
|
struct xrep_parent_scan_info *parent_scan;
|
|
|
|
/*
|
|
* Parent that we've found for sc->ip. If we're scanning the entire
|
|
* directory tree, we need this to ensure that we only find /one/
|
|
* parent directory.
|
|
*/
|
|
xfs_ino_t found_parent;
|
|
|
|
/*
|
|
* This is set to true if @found_parent was not observed directly from
|
|
* the directory scan but by noticing a change in dotdot entries after
|
|
* cycling the sc->ip IOLOCK.
|
|
*/
|
|
bool parent_tentative;
|
|
};
|
|
|
|
/*
|
|
* If this directory entry points to the scrub target inode, then the directory
|
|
* we're scanning is the parent of the scrub target inode.
|
|
*/
|
|
STATIC int
|
|
xrep_findparent_dirent(
|
|
struct xfs_scrub *sc,
|
|
struct xfs_inode *dp,
|
|
xfs_dir2_dataptr_t dapos,
|
|
const struct xfs_name *name,
|
|
xfs_ino_t ino,
|
|
void *priv)
|
|
{
|
|
struct xrep_findparent_info *fpi = priv;
|
|
int error = 0;
|
|
|
|
if (xchk_should_terminate(fpi->sc, &error))
|
|
return error;
|
|
|
|
if (ino != fpi->sc->ip->i_ino)
|
|
return 0;
|
|
|
|
/* Ignore garbage directory entry names. */
|
|
if (name->len == 0 || !xfs_dir2_namecheck(name->name, name->len))
|
|
return -EFSCORRUPTED;
|
|
|
|
/*
|
|
* Ignore dotdot and dot entries -- we're looking for parent -> child
|
|
* links only.
|
|
*/
|
|
if (name->name[0] == '.' && (name->len == 1 ||
|
|
(name->len == 2 && name->name[1] == '.')))
|
|
return 0;
|
|
|
|
/* Uhoh, more than one parent for a dir? */
|
|
if (fpi->found_parent != NULLFSINO &&
|
|
!(fpi->parent_tentative && fpi->found_parent == fpi->dp->i_ino)) {
|
|
trace_xrep_findparent_dirent(fpi->sc->ip, 0);
|
|
return -EFSCORRUPTED;
|
|
}
|
|
|
|
/* We found a potential parent; remember this. */
|
|
trace_xrep_findparent_dirent(fpi->sc->ip, fpi->dp->i_ino);
|
|
fpi->found_parent = fpi->dp->i_ino;
|
|
fpi->parent_tentative = false;
|
|
|
|
if (fpi->parent_scan)
|
|
xrep_findparent_scan_found(fpi->parent_scan, fpi->dp->i_ino);
|
|
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* If this is a directory, walk the dirents looking for any that point to the
|
|
* scrub target inode.
|
|
*/
|
|
STATIC int
|
|
xrep_findparent_walk_directory(
|
|
struct xrep_findparent_info *fpi)
|
|
{
|
|
struct xfs_scrub *sc = fpi->sc;
|
|
struct xfs_inode *dp = fpi->dp;
|
|
unsigned int lock_mode;
|
|
int error = 0;
|
|
|
|
/*
|
|
* The inode being scanned cannot be its own parent, nor can any
|
|
* temporary directory we created to stage this repair.
|
|
*/
|
|
if (dp == sc->ip || dp == sc->tempip)
|
|
return 0;
|
|
|
|
/*
|
|
* Similarly, temporary files created to stage a repair cannot be the
|
|
* parent of this inode.
|
|
*/
|
|
if (xrep_is_tempfile(dp))
|
|
return 0;
|
|
|
|
/*
|
|
* Scan the directory to see if there it contains an entry pointing to
|
|
* the directory that we are repairing.
|
|
*/
|
|
lock_mode = xfs_ilock_data_map_shared(dp);
|
|
|
|
/*
|
|
* If this directory is known to be sick, we cannot scan it reliably
|
|
* and must abort.
|
|
*/
|
|
if (xfs_inode_has_sickness(dp, XFS_SICK_INO_CORE |
|
|
XFS_SICK_INO_BMBTD |
|
|
XFS_SICK_INO_DIR)) {
|
|
error = -EFSCORRUPTED;
|
|
goto out_unlock;
|
|
}
|
|
|
|
/*
|
|
* We cannot complete our parent pointer scan if a directory looks as
|
|
* though it has been zapped by the inode record repair code.
|
|
*/
|
|
if (xchk_dir_looks_zapped(dp)) {
|
|
error = -EBUSY;
|
|
goto out_unlock;
|
|
}
|
|
|
|
error = xchk_dir_walk(sc, dp, xrep_findparent_dirent, fpi);
|
|
if (error)
|
|
goto out_unlock;
|
|
|
|
out_unlock:
|
|
xfs_iunlock(dp, lock_mode);
|
|
return error;
|
|
}
|
|
|
|
/*
|
|
* Update this directory's dotdot pointer based on ongoing dirent updates.
|
|
*/
|
|
STATIC int
|
|
xrep_findparent_live_update(
|
|
struct notifier_block *nb,
|
|
unsigned long action,
|
|
void *data)
|
|
{
|
|
struct xfs_dir_update_params *p = data;
|
|
struct xrep_parent_scan_info *pscan;
|
|
struct xfs_scrub *sc;
|
|
|
|
pscan = container_of(nb, struct xrep_parent_scan_info,
|
|
dhook.dirent_hook.nb);
|
|
sc = pscan->sc;
|
|
|
|
/*
|
|
* If @p->ip is the subdirectory that we're interested in and we've
|
|
* already scanned @p->dp, update the dotdot target inumber to the
|
|
* parent inode.
|
|
*/
|
|
if (p->ip->i_ino == sc->ip->i_ino &&
|
|
xchk_iscan_want_live_update(&pscan->iscan, p->dp->i_ino)) {
|
|
if (p->delta > 0) {
|
|
xrep_findparent_scan_found(pscan, p->dp->i_ino);
|
|
} else {
|
|
xrep_findparent_scan_found(pscan, NULLFSINO);
|
|
}
|
|
}
|
|
|
|
return NOTIFY_DONE;
|
|
}
|
|
|
|
/*
|
|
* Set up a scan to find the parent of a directory. The provided dirent hook
|
|
* will be called when there is a dotdot update for the inode being repaired.
|
|
*/
|
|
int
|
|
xrep_findparent_scan_start(
|
|
struct xfs_scrub *sc,
|
|
struct xrep_parent_scan_info *pscan)
|
|
{
|
|
int error;
|
|
|
|
if (!(sc->flags & XCHK_FSGATES_DIRENTS)) {
|
|
ASSERT(sc->flags & XCHK_FSGATES_DIRENTS);
|
|
return -EINVAL;
|
|
}
|
|
|
|
pscan->sc = sc;
|
|
pscan->parent_ino = NULLFSINO;
|
|
|
|
mutex_init(&pscan->lock);
|
|
|
|
xchk_iscan_start(sc, 30000, 100, &pscan->iscan);
|
|
|
|
/*
|
|
* Hook into the dirent update code. The hook only operates on inodes
|
|
* that were already scanned, and the scanner thread takes each inode's
|
|
* ILOCK, which means that any in-progress inode updates will finish
|
|
* before we can scan the inode.
|
|
*/
|
|
xfs_dir_hook_setup(&pscan->dhook, xrep_findparent_live_update);
|
|
error = xfs_dir_hook_add(sc->mp, &pscan->dhook);
|
|
if (error)
|
|
goto out_iscan;
|
|
|
|
return 0;
|
|
out_iscan:
|
|
xchk_iscan_teardown(&pscan->iscan);
|
|
mutex_destroy(&pscan->lock);
|
|
return error;
|
|
}
|
|
|
|
/*
|
|
* Scan the entire filesystem looking for a parent inode for the inode being
|
|
* scrubbed. @sc->ip must not be the root of a directory tree. Callers must
|
|
* not hold a dirty transaction or any lock that would interfere with taking
|
|
* an ILOCK.
|
|
*
|
|
* Returns 0 with @pscan->parent_ino set to the parent that we found.
|
|
* Returns 0 with @pscan->parent_ino set to NULLFSINO if we found no parents.
|
|
* Returns the usual negative errno if something else happened.
|
|
*/
|
|
int
|
|
xrep_findparent_scan(
|
|
struct xrep_parent_scan_info *pscan)
|
|
{
|
|
struct xrep_findparent_info fpi = {
|
|
.sc = pscan->sc,
|
|
.found_parent = NULLFSINO,
|
|
.parent_scan = pscan,
|
|
};
|
|
struct xfs_scrub *sc = pscan->sc;
|
|
int ret;
|
|
|
|
ASSERT(S_ISDIR(VFS_IC(sc->ip)->i_mode));
|
|
|
|
while ((ret = xchk_iscan_iter(&pscan->iscan, &fpi.dp)) == 1) {
|
|
if (S_ISDIR(VFS_I(fpi.dp)->i_mode))
|
|
ret = xrep_findparent_walk_directory(&fpi);
|
|
else
|
|
ret = 0;
|
|
xchk_iscan_mark_visited(&pscan->iscan, fpi.dp);
|
|
xchk_irele(sc, fpi.dp);
|
|
if (ret)
|
|
break;
|
|
|
|
if (xchk_should_terminate(sc, &ret))
|
|
break;
|
|
}
|
|
xchk_iscan_iter_finish(&pscan->iscan);
|
|
|
|
return ret;
|
|
}
|
|
|
|
/* Tear down a parent scan. */
|
|
void
|
|
xrep_findparent_scan_teardown(
|
|
struct xrep_parent_scan_info *pscan)
|
|
{
|
|
xfs_dir_hook_del(pscan->sc->mp, &pscan->dhook);
|
|
xchk_iscan_teardown(&pscan->iscan);
|
|
mutex_destroy(&pscan->lock);
|
|
}
|
|
|
|
/* Finish a parent scan early. */
|
|
void
|
|
xrep_findparent_scan_finish_early(
|
|
struct xrep_parent_scan_info *pscan,
|
|
xfs_ino_t ino)
|
|
{
|
|
xrep_findparent_scan_found(pscan, ino);
|
|
xchk_iscan_finish_early(&pscan->iscan);
|
|
}
|
|
|
|
/*
|
|
* Confirm that the directory @parent_ino actually contains a directory entry
|
|
* pointing to the child @sc->ip->ino. This function returns one of several
|
|
* ways:
|
|
*
|
|
* Returns 0 with @parent_ino unchanged if the parent was confirmed.
|
|
* Returns 0 with @parent_ino set to NULLFSINO if the parent was not valid.
|
|
* Returns the usual negative errno if something else happened.
|
|
*/
|
|
int
|
|
xrep_findparent_confirm(
|
|
struct xfs_scrub *sc,
|
|
xfs_ino_t *parent_ino)
|
|
{
|
|
struct xrep_findparent_info fpi = {
|
|
.sc = sc,
|
|
.found_parent = NULLFSINO,
|
|
};
|
|
int error;
|
|
|
|
/*
|
|
* The root directory always points to itself. Unlinked dirs can point
|
|
* anywhere, so we point them at the root dir too.
|
|
*/
|
|
if (sc->ip == sc->mp->m_rootip || VFS_I(sc->ip)->i_nlink == 0) {
|
|
*parent_ino = sc->mp->m_sb.sb_rootino;
|
|
return 0;
|
|
}
|
|
|
|
/* Reject garbage parent inode numbers and self-referential parents. */
|
|
if (*parent_ino == NULLFSINO)
|
|
return 0;
|
|
if (!xfs_verify_dir_ino(sc->mp, *parent_ino) ||
|
|
*parent_ino == sc->ip->i_ino) {
|
|
*parent_ino = NULLFSINO;
|
|
return 0;
|
|
}
|
|
|
|
error = xchk_iget(sc, *parent_ino, &fpi.dp);
|
|
if (error)
|
|
return error;
|
|
|
|
if (!S_ISDIR(VFS_I(fpi.dp)->i_mode)) {
|
|
*parent_ino = NULLFSINO;
|
|
goto out_rele;
|
|
}
|
|
|
|
error = xrep_findparent_walk_directory(&fpi);
|
|
if (error)
|
|
goto out_rele;
|
|
|
|
*parent_ino = fpi.found_parent;
|
|
out_rele:
|
|
xchk_irele(sc, fpi.dp);
|
|
return error;
|
|
}
|
|
|
|
/*
|
|
* If we're the root of a directory tree, we are our own parent. If we're an
|
|
* unlinked directory, the parent /won't/ have a link to us. Set the parent
|
|
* directory to the root for both cases. Returns NULLFSINO if we don't know
|
|
* what to do.
|
|
*/
|
|
xfs_ino_t
|
|
xrep_findparent_self_reference(
|
|
struct xfs_scrub *sc)
|
|
{
|
|
if (sc->ip->i_ino == sc->mp->m_sb.sb_rootino)
|
|
return sc->mp->m_sb.sb_rootino;
|
|
|
|
if (VFS_I(sc->ip)->i_nlink == 0)
|
|
return sc->mp->m_sb.sb_rootino;
|
|
|
|
return NULLFSINO;
|
|
}
|
|
|
|
/* Check the dentry cache to see if knows of a parent for the scrub target. */
|
|
xfs_ino_t
|
|
xrep_findparent_from_dcache(
|
|
struct xfs_scrub *sc)
|
|
{
|
|
struct inode *pip = NULL;
|
|
struct dentry *dentry, *parent;
|
|
xfs_ino_t ret = NULLFSINO;
|
|
|
|
dentry = d_find_alias(VFS_I(sc->ip));
|
|
if (!dentry)
|
|
goto out;
|
|
|
|
parent = dget_parent(dentry);
|
|
if (!parent)
|
|
goto out_dput;
|
|
|
|
ASSERT(parent->d_sb == sc->ip->i_mount->m_super);
|
|
|
|
pip = igrab(d_inode(parent));
|
|
dput(parent);
|
|
|
|
if (S_ISDIR(pip->i_mode)) {
|
|
trace_xrep_findparent_from_dcache(sc->ip, XFS_I(pip)->i_ino);
|
|
ret = XFS_I(pip)->i_ino;
|
|
}
|
|
|
|
xchk_irele(sc, XFS_I(pip));
|
|
|
|
out_dput:
|
|
dput(dentry);
|
|
out:
|
|
return ret;
|
|
}
|