| blob | 7b42b7f65a0bd3e61ae5f6dd1b12442e8d79b7bd |
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Copyright (c) 2020-2024 Oracle. All Rights Reserved.
4 * Author: Darrick J. Wong <djwong@kernel.org>
5 */
48 /*
49 * Repairing The Directory Parent Pointer
50 * ======================================
51 *
52 * Currently, only directories support parent pointers (in the form of '..'
53 * entries), so we simply scan the filesystem and update the '..' entry.
54 *
55 * Note that because the only parent pointer is the dotdot entry, we won't
56 * touch an unhealthy directory, since the directory repair code is perfectly
57 * capable of rebuilding a directory with the proper parent inode.
58 *
59 * See the section on locking issues in dir_repair.c for more information about
60 * conflicts with the VFS. The findparent code wll keep our incore parent
61 * inode up to date.
62 *
63 * If parent pointers are enabled, we instead reconstruct the parent pointer
64 * information by visiting every directory entry of every directory in the
65 * system and translating the relevant dirents into parent pointers. In this
66 * case, it is advantageous to stash all parent pointers created from dirents
67 * from a single parent file before replaying them into the temporary file. To
68 * save memory, the live filesystem scan reuses the findparent object. Parent
69 * pointer repair chooses either directory scanning or findparent, but not
70 * both.
71 *
72 * When salvaging completes, the remaining stashed entries are replayed to the
73 * temporary file. All non-parent pointer extended attributes are copied to
74 * the temporary file's extended attributes. An atomic file mapping exchange
75 * is used to commit the new xattr blocks to the file being repaired. This
76 * will disrupt attrmulti cursors.
77 */
79 /* Create a parent pointer in the tempfile. */
80 #define XREP_PPTR_ADD (1)
82 /* Remove a parent pointer from the tempfile. */
83 #define XREP_PPTR_REMOVE (2)
85 /* A stashed parent pointer update. */
87 /* Cookie for retrieval of the pptr name. */
88 xfblob_cookie name_cookie;
90 /* Parent pointer record. */
93 /* Length of the pptr name. */
96 /* XREP_PPTR_{ADD,REMOVE} */
98 };
100 /*
101 * Stash up to 8 pages of recovered parent pointers in pptr_recs and
102 * pptr_names before we write them to the temp file.
103 */
104 #define XREP_PARENT_MAX_STASH_BYTES (PAGE_SIZE * 8)
109 /* Fixed-size array of xrep_pptr structures. */
112 /* Blobs containing parent pointer names. */
115 /* xattr keys */
118 /* xattr values */
121 /* Scratch buffers for saving extended attributes */
126 /*
127 * Information used to exchange the attr fork mappings, if the fs
128 * supports parent pointers.
129 */
132 /*
133 * Information used to scan the filesystem to find the inumber of the
134 * dotdot entry for this directory. On filesystems without parent
135 * pointers, we use the findparent_* functions on this object and
136 * access only the parent_ino field directly.
137 *
138 * When parent pointers are enabled, the directory entry scanner uses
139 * the iscan, hooks, and lock fields of this object directly.
140 * @pscan.lock coordinates access to pptr_recs, pptr_names, pptr, and
141 * pptr_scratch. This reduces the memory requirements of this
142 * structure.
143 *
144 * The lock also controls access to xattr_records and xattr_blobs(?)
145 */
148 /* Orphanage reparenting request. */
151 /* Directory entry name, plus the trailing null. */
155 /* Scratch buffer for scanning pptr xattrs */
158 /* Have we seen any live updates of parent pointers recently? */
161 /* Number of parents we found after all other repairs */
163 };
166 /* Cookie for retrieval of the xattr name. */
167 xfblob_cookie name_cookie;
169 /* Cookie for retrieval of the xattr value. */
170 xfblob_cookie value_cookie;
172 /* XFS_ATTR_* flags */
175 /* Length of the value and name. */
178 };
180 /*
181 * Stash up to 8 pages of attrs in xattr_records/xattr_blobs before we write
182 * them to the temp file.
183 */
184 #define XREP_PARENT_XATTR_MAX_STASH_BYTES (PAGE_SIZE * 8)
186 /* Tear down all the incore stuff we created. */
187 static void
190 {
208 }
210 /* Set up for a parent repair. */
211 int
214 {
232 }
234 /*
235 * Scan all files in the filesystem for a child dirent that we can turn into
236 * the dotdot entry for this directory.
237 */
238 STATIC int
241 {
243 xfs_ino_t ino;
247 /*
248 * Avoid sick directories. There shouldn't be anyone else clearing the
249 * directory's sick status.
250 */
259 }
261 /*
262 * Drop the ILOCK on this directory so that we can scan for the dotdot
263 * entry. Figure out who is going to be the parent of this directory,
264 * then retake the ILOCK so that we can salvage directory entries.
265 */
268 /* Does the VFS dcache have an answer for us? */
275 }
276 }
278 /* Scan the entire filesystem for a parent. */
280 out_relock:
284 }
286 /*
287 * Add this stashed incore parent pointer to the temporary file.
288 * The caller must hold the tempdir's IOLOCK, must not hold any ILOCKs, and
289 * must not be in transaction context.
290 */
291 STATIC int
296 {
301 /* Create parent pointer. */
308 /* Remove parent pointer. */
314 }
318 }
320 /*
321 * Flush stashed parent pointer updates that have been recorded by the scanner.
322 * This is done to reduce the memory requirements of the parent pointer
323 * rebuild, since files can have a lot of hardlinks and the fs can be busy.
324 *
325 * Caller must not hold transactions or ILOCKs. Caller must hold the tempfile
326 * IOLOCK.
327 */
328 STATIC int
331 {
332 xfarray_idx_t array_cur;
355 }
357 /* Empty out both arrays now that we've added the entries. */
362 out_unlock:
365 }
367 /*
368 * Remember that we want to create a parent pointer in the tempfile. These
369 * stashed actions will be replayed later.
370 */
371 STATIC int
376 {
380 };
391 }
393 /*
394 * Remember that we want to remove a parent pointer from the tempfile. These
395 * stashed actions will be replayed later.
396 */
397 STATIC int
402 {
406 };
417 }
419 /*
420 * Examine an entry of a directory. If this dirent leads us back to the file
421 * whose parent pointers we're rebuilding, add a pptr to the temporary
422 * directory.
423 */
424 STATIC int
428 xfs_dir2_dataptr_t dapos,
430 xfs_ino_t ino,
432 {
436 /* Dirent doesn't point to this directory. */
440 /* No weird looking names. */
444 /* No mismatching ftypes. */
448 /* Don't pick up dot or dotdot entries; we only want child dirents. */
453 /*
454 * Transform this dirent into a parent pointer and queue it for later
455 * addition to the temporary file.
456 */
461 }
463 /*
464 * Decide if we want to look for dirents in this directory. Skip the file
465 * being repaired and any files being used to stage repairs.
466 */
471 {
473 }
475 /*
476 * Take ILOCK on a file that we want to scan.
477 *
478 * Select ILOCK_EXCL if the file is a directory with an unloaded data bmbt.
479 * Otherwise, take ILOCK_SHARED.
480 */
485 {
488 /* Still need to take the shared ILOCK to advance the iscan cursor. */
495 }
497 lock:
500 }
502 /*
503 * Scan this file for relevant child dirents that point to the file whose
504 * parent pointers we're rebuilding.
505 */
506 STATIC int
510 {
520 /*
521 * If the directory looks as though it has been zapped by the
522 * inode record repair code, we cannot scan for child dirents.
523 */
527 }
532 }
534 scan_done:
538 }
540 /* Decide if we've stashed too much pptr data in memory. */
544 {
549 }
551 /*
552 * Scan all directories in the filesystem to look for dirents that we can turn
553 * into parent pointers.
554 */
555 STATIC int
558 {
563 /*
564 * Filesystem scans are time consuming. Drop the file ILOCK and all
565 * other resources for the duration of the scan and hope for the best.
566 * The live update hooks will keep our scan information up to date.
567 */
571 XFS_ILOCK_EXCL));
584 /* Flush stashed pptr updates to constrain memory usage. */
603 }
607 }
610 /*
611 * If we couldn't grab an inode that was busy with a state
612 * change, change the error code so that we exit to userspace
613 * as quickly as possible.
614 */
618 }
620 /*
621 * Retake sc->ip's ILOCK now that we're done flushing stashed parent
622 * pointers. We end this function with an empty transaction and the
623 * ILOCK.
624 */
627 }
629 /*
630 * Capture dirent updates being made by other threads which are relevant to the
631 * file being repaired.
632 */
633 STATIC int
638 {
647 /*
648 * This thread updated a dirent that points to the file that we're
649 * repairing, so stash the update for replay against the temporary
650 * file.
651 */
657 else
665 }
668 out_abort:
671 }
673 /* Reset a directory's dotdot entry, if needed. */
674 STATIC int
677 {
679 xfs_ino_t ino;
693 /*
694 * Reserve more space just in case we have to expand the dir. We're
695 * allowed to exceed quota to repair inconsistent metadata.
696 */
709 /*
710 * Roll transaction to detach the inode from the transaction but retain
711 * ILOCK_EXCL.
712 */
714 }
716 /* Pass back the parent inumber if this a parent pointer */
717 STATIC int
727 {
729 xfs_ino_t parent_ino;
742 }
744 /*
745 * Find the first parent of the scrub target by walking parent pointers for
746 * the purpose of deciding if we're going to move it to the orphanage.
747 * We don't care if the attr fork is zapped.
748 */
749 STATIC int
753 {
759 inop);
763 }
765 /*
766 * Move the current file to the orphanage.
767 *
768 * Caller must hold IOLOCK_EXCL on @sc->ip, and no other inode locks. Upon
769 * successful return, the scrub transaction will have enough extra reservation
770 * to make the move; it will hold IOLOCK_EXCL and ILOCK_EXCL of @sc->ip and the
771 * orphanage; and both inodes will be ijoined.
772 */
773 STATIC int
776 {
782 /*
783 * We are about to drop the ILOCK on sc->ip to lock the
784 * orphanage and prepare for the adoption. Therefore, look up
785 * the old dotdot entry for sc->ip so that we can compare it
786 * after we re-lock sc->ip.
787 */
793 /*
794 * We haven't dropped the ILOCK since we committed the new
795 * xattr structure (and hence the new parent pointer records),
796 * which means that the file cannot have been moved in the
797 * directory tree, and there are no parents.
798 */
800 }
802 /*
803 * Drop the ILOCK on the scrub target and commit the transaction.
804 * Adoption computes its own resource requirements and gathers the
805 * necessary components.
806 */
812 /* If we can take the orphanage's iolock then we're ready to move. */
818 }
820 /* Grab transaction and ILOCK the two files. */
829 /*
830 * Now that we've reacquired the ILOCK on sc->ip, look up the dotdot
831 * entry again. If the parent changed or the child was unlinked while
832 * the child directory was unlocked, we don't need to move the child to
833 * the orphanage after all. For a non-directory, we have to scan for
834 * the first parent pointer to see if one has been added.
835 */
839 else
844 /*
845 * Attach to the orphanage if we still have a linked directory and it
846 * hasn't been moved.
847 */
852 }
854 /*
855 * Launder the scrub transaction so we can drop the orphanage ILOCK
856 * and IOLOCK. Return holding the scrub target's ILOCK and IOLOCK.
857 */
865 }
867 /* Ensure that the xattr value buffer is large enough. */
868 STATIC int
872 {
882 }
891 }
893 /* Retrieve the (remote) value of a non-pptr xattr. */
894 STATIC int
902 {
914 };
917 /*
918 * If we need a larger value buffer, try to allocate one. If that
919 * fails, return with -EDEADLOCK to try harder.
920 */
930 }
932 /* Stash non-pptr attributes for later replay into the temporary file. */
933 STATIC int
943 {
948 };
962 }
978 }
980 /* Insert one xattr key/value. */
981 STATIC int
985 {
995 };
1000 /*
1001 * Grab pointers to the scrub buffer so that we can use them to insert
1002 * attrs into the temp file.
1003 */
1007 /*
1008 * The attribute name is stored near the end of the in-core buffer,
1009 * though we reserve one more byte to ensure null termination.
1010 */
1038 }
1040 /*
1041 * Periodically flush salvaged attributes to the temporary file. This is done
1042 * to reduce the memory requirements of the xattr rebuild because files can
1043 * contain millions of attributes.
1044 */
1045 STATIC int
1048 {
1049 xfarray_idx_t array_cur;
1052 /*
1053 * Entering this function, the scrub context has a reference to the
1054 * inode being repaired, the temporary file, and the empty scrub
1055 * transaction that we created for the xattr scan. We hold ILOCK_EXCL
1056 * on the inode being repaired.
1057 *
1058 * To constrain kernel memory use, we occasionally flush salvaged
1059 * xattrs from the xfarray and xfblob structures into the temporary
1060 * file in preparation for exchanging the xattr structures at the end.
1061 * Updating the temporary file requires a transaction, so we commit the
1062 * scrub transaction and drop the ILOCK so that xfs_attr_set can
1063 * allocate whatever transaction it wants.
1064 *
1065 * We still hold IOLOCK_EXCL on the inode being repaired, which
1066 * prevents anyone from adding xattrs (or parent pointers) while we're
1067 * flushing.
1068 */
1072 /*
1073 * Take the IOLOCK of the temporary file while we modify xattrs. This
1074 * isn't strictly required because the temporary file is never revealed
1075 * to userspace, but we follow the same locking rules. We still hold
1076 * sc->ip's IOLOCK.
1077 */
1082 /* Add all the salvaged attrs to the temporary file. */
1093 }
1095 /* Empty out both arrays now that we've added the entries. */
1101 /* Recreate the empty transaction and relock the inode. */
1107 }
1109 /* Decide if we've stashed too much xattr data in memory. */
1113 {
1119 }
1121 /* Flush staged attributes to the temporary file if we're over the limit. */
1122 STATIC int
1126 {
1137 /*
1138 * If there were any parent pointer updates to the xattr structure
1139 * while we dropped the ILOCK, the xattr structure is now stale.
1140 * Signal to the attr copy process that we need to start over, but
1141 * this time without opportunistic attr flushing.
1142 *
1143 * This is unlikely to happen, so we're ok with restarting the copy.
1144 */
1150 }
1152 /* Copy all the non-pptr extended attributes into the temporary file. */
1153 STATIC int
1156 {
1160 /*
1161 * Clear the pptr updates flag. We hold sc->ip ILOCKed, so there
1162 * can't be any parent pointer updates in progress.
1163 */
1168 /* Copy xattrs, stopping periodically to flush the incore buffers. */
1175 /*
1176 * The xattr copy collided with a parent pointer update.
1177 * Restart the copy, but this time hold the ILOCK all the way
1178 * to the end to lock out any directory parent pointer updates.
1179 */
1184 }
1186 /* Flush any remaining stashed xattrs to the temporary file. */
1191 }
1193 /*
1194 * Ensure that @sc->ip and @sc->tempip both have attribute forks before we head
1195 * into the attr fork exchange transaction. All files on a filesystem with
1196 * parent pointers must have an attr fork because the parent pointer code does
1197 * not itself add attribute forks.
1198 *
1199 * Note: Unlinkable unlinked files don't need one, but the overhead of having
1200 * an unnecessary attr fork is not justified by the additional code complexity
1201 * that would be needed to track that state correctly.
1202 */
1203 STATIC int
1206 {
1215 }
1217 /*
1218 * Finish replaying stashed parent pointer updates, allocate a transaction for
1219 * exchanging extent mappings, and take the ILOCKs of both files before we
1220 * commit the new attribute structure.
1221 */
1222 STATIC int
1225 {
1229 /*
1230 * Repair relies on the ILOCK to quiesce all possible xattr updates.
1231 * Replay all queued parent pointer updates into the tempfile before
1232 * exchanging the contents, even if that means dropping the ILOCKs and
1233 * the transaction.
1234 */
1255 }
1257 /*
1258 * Replay all the stashed parent pointers into the temporary file, copy all
1259 * the non-pptr xattrs from the file being repaired into the temporary file,
1260 * and exchange the attr fork contents atomically.
1261 */
1262 STATIC int
1265 {
1270 /*
1271 * Copy non-ppttr xattrs from the file being repaired into the
1272 * temporary file's xattr structure. We hold sc->ip's IOLOCK, which
1273 * prevents setxattr/removexattr calls from occurring, but renames
1274 * update the parent pointers without holding IOLOCK. If we detect
1275 * stale attr structures, we restart the scan but only flush at the
1276 * end.
1277 */
1282 /*
1283 * Cancel the empty transaction that we used to walk and copy attrs,
1284 * and drop the ILOCK so that we can take the IOLOCK on the temporary
1285 * file. We still hold sc->ip's IOLOCK.
1286 */
1294 /*
1295 * Allocate transaction, lock inodes, and make sure that we've replayed
1296 * all the stashed pptr updates to the tempdir. After this point,
1297 * we're ready to exchange the attr fork mappings.
1298 */
1303 /* Last chance to abort before we start committing pptr fixes. */
1310 /*
1311 * Exchange the attr fork contents and junk the old attr fork contents,
1312 * which are now in the tempfile.
1313 */
1321 /*
1322 * Roll to get a transaction without any inodes joined to it. Then we
1323 * can drop the tempfile's ILOCK and IOLOCK before doing more work on
1324 * the scrub target file.
1325 */
1332 /*
1333 * We've committed the new parent pointers. Find at least one parent
1334 * so that we can decide if we're moving this file to the orphanage.
1335 * For this purpose, root directories are their own parents.
1336 */
1345 }
1347 }
1349 /*
1350 * Commit the new parent pointer structure (currently only the dotdot entry) to
1351 * the file that we're repairing.
1352 */
1353 STATIC int
1356 {
1363 }
1369 }
1375 }
1377 /* Count the number of parent pointers. */
1378 STATIC int
1388 {
1402 }
1404 /*
1405 * After all parent pointer rebuilding and adoption activity completes, reset
1406 * the link count of this nondirectory, having scanned the fs to rebuild all
1407 * parent pointers.
1408 */
1409 STATIC int
1412 {
1419 /* Count parent pointers so we can reset the file link count. */
1429 /*
1430 * The file is on the unlinked list but we found parents.
1431 * Remove the file from the unlinked list.
1432 */
1437 }
1447 /*
1448 * The file is not on the unlinked list but we found no
1449 * parents. Add the file to the unlinked list.
1450 */
1454 }
1456 /* Set the correct link count. */
1461 }
1464 XFS_NLINK_PINNED));
1465 }
1467 /* Log the inode to keep it moving forward if we dirtied anything. */
1471 }
1473 /* Set up the filesystem scan so we can look for parents. */
1474 STATIC int
1477 {
1487 /* Buffers for copying non-pptr attrs to the tempfile */
1492 /*
1493 * Allocate enough memory to handle loading local attr values from the
1494 * xfblob data while flushing stashed attrs to the temporary file.
1495 * We only realloc the buffer when salvaging remote attr values, so
1496 * TRY_HARDER means we allocate the maximal attr value size.
1497 */
1500 else
1506 /* Set up some staging memory for logging parent pointer updates. */
1520 /* Set up some storage for copying attrs before the mapping exchange */
1537 xrep_parent_live_update);
1543 out_attr_values:
1546 out_attr_keys:
1549 out_names:
1552 out_recs:
1555 out_xattr_value:
1558 out_xattr_name:
1562 }
1564 int
1567 {
1571 /*
1572 * When the parent pointers feature is enabled, repairs are committed
1573 * by atomically committing a new xattr structure and reaping the old
1574 * attr fork. Reaping requires rmap and exchange-range to be enabled.
1575 */
1581 }
1589 else
1594 /* Last chance to abort before we start committing dotdot fixes. */
1605 }
1609 out_teardown:
1612 }