| blob | c7eb94069cafcd001879ecc6533466f65388627b |
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Copyright (c) 2018-2024 Oracle. All Rights Reserved.
4 * Author: Darrick J. Wong <djwong@kernel.org>
5 */
46 /*
47 * Extended Attribute Repair
48 * =========================
49 *
50 * We repair extended attributes by reading the attr leaf blocks looking for
51 * attributes entries that look salvageable (name passes verifiers, value can
52 * be retrieved, etc). Each extended attribute worth salvaging is stashed in
53 * memory, and the stashed entries are periodically replayed into a temporary
54 * file to constrain memory use. Batching the construction of the temporary
55 * extended attribute structure in this fashion reduces lock cycling of the
56 * file being repaired and the temporary file.
57 *
58 * When salvaging completes, the remaining stashed attributes are replayed to
59 * the temporary file. An atomic file contents exchange is used to commit the
60 * new xattr blocks to the file being repaired. This will disrupt attrmulti
61 * cursors.
62 */
65 /* Cookie for retrieval of the xattr name. */
66 xfblob_cookie name_cookie;
68 /* Cookie for retrieval of the xattr value. */
69 xfblob_cookie value_cookie;
71 /* XFS_ATTR_* flags */
74 /* Length of the value and name. */
77 };
79 /*
80 * Stash up to 8 pages of attrs in xattr_records/xattr_blobs before we write
81 * them to the temp file.
82 */
83 #define XREP_XATTR_MAX_STASH_BYTES (PAGE_SIZE * 8)
88 /* Information for exchanging attr fork mappings at the end. */
91 /* xattr keys */
94 /* xattr values */
97 /* Number of attributes that we are salvaging. */
100 /* Can we flush stashed attrs to the tempfile? */
103 /* Did the live update fail, and hence the repair is now out of date? */
106 /* Lock protecting parent pointer updates */
109 /* Fixed-size array of xrep_xattr_pptr structures. */
112 /* Blobs containing parent pointer names. */
115 /* Hook to capture parent pointer updates. */
118 /* Scratch buffer for capturing parent pointers. */
121 /* Name buffer */
124 };
126 /* Create a parent pointer in the tempfile. */
127 #define XREP_XATTR_PPTR_ADD (1)
129 /* Remove a parent pointer from the tempfile. */
130 #define XREP_XATTR_PPTR_REMOVE (2)
132 /* A stashed parent pointer update. */
134 /* Cookie for retrieval of the pptr name. */
135 xfblob_cookie name_cookie;
137 /* Parent pointer record. */
140 /* Length of the pptr name. */
143 /* XREP_XATTR_PPTR_{ADD,REMOVE} */
145 };
147 /* Set up to recreate the extended attributes. */
148 int
151 {
156 }
158 /*
159 * Decide if we want to salvage this attribute. We don't bother with
160 * incomplete or oversized keys or values. The @value parameter can be null
161 * for remote attrs.
162 */
163 STATIC int
171 {
184 }
186 /* Allocate an in-core record to hold xattrs while we rebuild the xattr data. */
187 STATIC int
195 {
199 };
206 /*
207 * Truncate the name to the first character that would trip namecheck.
208 * If we no longer have a name after that, ignore this attribute.
209 */
217 i++;
224 }
242 }
244 /*
245 * Record a shortform extended attribute key & value for later reinsertion
246 * into the inode.
247 */
248 STATIC int
253 {
273 }
275 /*
276 * Record a local format extended attribute key & value for later reinsertion
277 * into the inode.
278 */
279 STATIC int
286 {
292 /*
293 * Decode the leaf local entry format. If something seems wrong, we
294 * junk the attribute.
295 */
307 /* Try to save this attribute. */
310 }
312 /*
313 * Record a remote format extended attribute key & value for later reinsertion
314 * into the inode.
315 */
316 STATIC int
325 {
338 };
342 /*
343 * Decode the leaf remote entry format. If something seems wrong, we
344 * junk the attribute. Note that we should never find a zero-length
345 * remote attribute value.
346 */
357 /*
358 * Enlarge the buffer (if needed) to hold the value that we're trying
359 * to salvage from the old extended attribute data.
360 */
367 /* Look up the remote value and stash it for reconstruction. */
376 /* Try to save this attribute. */
379 err_free:
380 /* remote value was garbage, junk it */
384 }
386 /* Extract every xattr key that we can from this attr fork block. */
387 STATIC int
391 {
410 /* Check the leaf header */
422 /* Skip key if it conflicts with something else? */
428 /* Check the name information. */
442 }
445 }
448 }
450 /* Try to recover shortform attrs. */
451 STATIC int
454 {
487 /*
488 * No conflicts with the sf entry; let's save this
489 * attribute.
490 */
494 }
497 }
500 }
502 /*
503 * Try to return a buffer of xattr data for a given physical extent.
504 *
505 * Because the buffer cache get function complains if it finds a buffer
506 * matching the block number but not matching the length, we must be careful to
507 * look for incore buffers (up to the maximum length of a remote value) that
508 * could be hiding anywhere in the physical range. If we find an incore
509 * buffer, we can pass that to the caller. Optionally, read a single block and
510 * pass that back.
511 *
512 * Note the subtlety that remote attr value blocks for which there is no incore
513 * buffer will be passed to the callback one block at a time. These buffers
514 * will not have any ops attached and must be staled to prevent aliasing with
515 * multiblock buffers once we drop the ILOCK.
516 */
517 STATIC int
520 xfs_fsblock_t fsbno,
521 xfs_extlen_t max_len,
524 {
529 };
535 }
540 }
544 }
546 /*
547 * Deal with a buffer that we found during our walk of the attr fork.
548 *
549 * Attribute leaf and node blocks are simple -- they're a single block, so we
550 * can walk them one at a time and we never have to worry about discontiguous
551 * multiblock buffers like we do for directories.
552 *
553 * Unfortunately, remote attr blocks add a lot of complexity here. Each disk
554 * block is totally self contained, in the sense that the v5 header provides no
555 * indication that there could be more data in the next block. The incore
556 * buffers can span multiple blocks, though they never cross extent records.
557 * However, they don't necessarily start or end on an extent record boundary.
558 * Therefore, we need a special buffer find function to walk the buffer cache
559 * for us.
560 *
561 * The caller must hold the ILOCK on the file being repaired. We use
562 * XBF_TRYLOCK here to skip any locked buffer on the assumption that we don't
563 * own the block and don't want to hang the system on a potentially garbage
564 * buffer.
565 */
566 STATIC int
569 xfs_dablk_t dabno,
570 xfs_fsblock_t fsbno,
571 xfs_extlen_t max_len,
573 {
587 /*
588 * If the buffer has the right magic number for an attr leaf block and
589 * passes a structure check (we don't care about checksums), salvage
590 * as much as we can from the block. */
596 /*
597 * If the buffer didn't already have buffer ops set, it was read in by
598 * the _find_buf function and could very well be /part/ of a multiblock
599 * remote block. Mark it stale so that it doesn't hang around in
600 * memory to cause problems.
601 */
607 }
609 /* Insert one xattr key/value. */
610 STATIC int
614 {
624 };
628 /*
629 * Grab pointers to the scrub buffer so that we can use them to insert
630 * attrs into the temp file.
631 */
635 /*
636 * The attribute name is stored near the end of the in-core buffer,
637 * though we reserve one more byte to ensure null termination.
638 */
669 }
671 /*
672 * xfs_attr_set creates and commits its own transaction. If the attr
673 * already exists, we'll just drop it during the rebuild.
674 */
681 }
683 /*
684 * Periodically flush salvaged attributes to the temporary file. This is done
685 * to reduce the memory requirements of the xattr rebuild because files can
686 * contain millions of attributes.
687 */
688 STATIC int
691 {
692 xfarray_idx_t array_cur;
695 /*
696 * Entering this function, the scrub context has a reference to the
697 * inode being repaired, the temporary file, and a scrub transaction
698 * that we use during xattr salvaging to avoid livelocking if there
699 * are cycles in the xattr structures. We hold ILOCK_EXCL on both
700 * the inode being repaired, though it is not ijoined to the scrub
701 * transaction.
702 *
703 * To constrain kernel memory use, we occasionally flush salvaged
704 * xattrs from the xfarray and xfblob structures into the temporary
705 * file in preparation for exchanging the xattr structures at the end.
706 * Updating the temporary file requires a transaction, so we commit the
707 * scrub transaction and drop the two ILOCKs so that xfs_attr_set can
708 * allocate whatever transaction it wants.
709 *
710 * We still hold IOLOCK_EXCL on the inode being repaired, which
711 * prevents anyone from modifying the damaged xattr data while we
712 * repair it.
713 */
719 /*
720 * Take the IOLOCK of the temporary file while we modify xattrs. This
721 * isn't strictly required because the temporary file is never revealed
722 * to userspace, but we follow the same locking rules. We still hold
723 * sc->ip's IOLOCK.
724 */
729 /* Add all the salvaged attrs to the temporary file. */
740 }
742 /* Empty out both arrays now that we've added the entries. */
748 /* Recreate the salvage transaction and relock the inode. */
754 }
756 /* Decide if we've stashed too much xattr data in memory. */
760 {
769 }
771 /*
772 * Did we observe rename changing parent pointer xattrs while we were flushing
773 * salvaged attrs?
774 */
778 {
793 }
795 /*
796 * Reset the entire repair state back to initial conditions, now that we've
797 * detected a parent pointer update to the attr structure while we were
798 * flushing salvaged attrs. See the locking notes in dir_repair.c for more
799 * information on why this is all necessary.
800 */
801 STATIC int
804 {
812 /* The temporary file's data fork had better not be in btree format. */
816 }
818 /*
819 * We begin in transaction context with sc->ip ILOCKed but not joined
820 * to the transaction. To reset to the initial state, we must hold
821 * sc->ip's ILOCK to prevent rename from updating parent pointer
822 * information and the tempfile's ILOCK to clear its contents.
823 */
829 /*
830 * Free all the blocks of the attr fork of the temp file, and reset
831 * it back to local format.
832 */
841 }
843 /* Reinitialize the attr fork to an empty shortform structure. */
849 /*
850 * Roll this transaction to commit our reset ondisk. The tempfile
851 * should no longer be joined to the transaction, so we drop its ILOCK.
852 * This should leave us in transaction context with sc->ip ILOCKed but
853 * not joined to the transaction.
854 */
860 /*
861 * Erase any accumulated parent pointer updates now that we've erased
862 * the tempfile's attr fork. We're resetting the entire repair state
863 * back to where we were initially, except now we won't flush salvaged
864 * xattrs until the very end.
865 */
877 }
879 /* Extract as many attribute keys and values as we can. */
880 STATIC int
883 {
887 xfs_fileoff_t offset;
888 xfs_extlen_t len;
889 xfs_dablk_t dabno;
893 restart:
894 /*
895 * Iterate each xattr leaf block in the attr fork to scan them for any
896 * attributes that we might salvage.
897 */
915 xfs_extlen_t maxlen;
939 }
940 }
941 }
942 }
945 }
947 /*
948 * Reset the extended attribute fork to a state where we can start re-adding
949 * the salvaged attributes.
950 */
951 STATIC int
955 {
959 /*
960 * If the data fork is in btree format, we can't change di_forkoff
961 * because we could run afoul of the rule that the data fork isn't
962 * supposed to be in btree format if there's enough space in the fork
963 * that it could have used extents format. Instead, reinitialize the
964 * attr fork to have a shortform structure with zero attributes.
965 */
969 XFS_ATTR_FORK);
975 }
977 /* If we still have attr fork extents, something's wrong. */
992 }
995 }
999 }
1001 /*
1002 * Free all the attribute fork blocks of the file being repaired and delete the
1003 * fork. The caller must ILOCK the scrub file and join it to the transaction.
1004 * This function returns with the inode joined to a clean transaction.
1005 */
1006 int
1009 {
1014 /* Unmap all the attr blocks. */
1019 }
1026 }
1028 /*
1029 * Free all the attribute fork blocks of the temporary file and delete the attr
1030 * fork. The caller must ILOCK the tempfile and join it to the transaction.
1031 * This function returns with the inode joined to a clean scrub transaction.
1032 */
1033 int
1036 {
1041 /*
1042 * Wipe out the attr fork of the temp file so that regular inode
1043 * inactivation won't trip over the corrupt attr fork.
1044 */
1049 }
1052 }
1054 /*
1055 * Find all the extended attributes for this inode by scraping them out of the
1056 * attribute key blocks by hand, and flushing them into the temp file.
1057 * When we're done, free the staging memory before exchanging the xattr
1058 * structures to reduce memory usage.
1059 */
1060 STATIC int
1063 {
1067 /* Short format xattrs are easy! */
1074 }
1076 /*
1077 * For non-inline xattr structures, the salvage function scans the
1078 * buffer cache looking for potential attr leaf blocks. The scan
1079 * requires the ability to lock any buffer found and runs independently
1080 * of any transaction <-> buffer item <-> buffer linkage. Therefore,
1081 * roll the transaction to ensure there are no buffers joined. We hold
1082 * the ILOCK independently of the transaction.
1083 */
1097 }
1099 /*
1100 * Add this stashed incore parent pointer to the temporary file. The caller
1101 * must hold the tempdir's IOLOCK, must not hold any ILOCKs, and must not be in
1102 * transaction context.
1103 */
1104 STATIC int
1109 {
1115 /* Create parent pointer. */
1124 /* Remove parent pointer. */
1132 }
1136 }
1138 /*
1139 * Flush stashed parent pointer updates that have been recorded by the scanner.
1140 * This is done to reduce the memory requirements of the xattr rebuild, since
1141 * files can have a lot of hardlinks and the fs can be busy.
1142 *
1143 * Caller must not hold transactions or ILOCKs. Caller must hold the tempfile
1144 * IOLOCK.
1145 */
1146 STATIC int
1149 {
1150 xfarray_idx_t array_cur;
1172 }
1174 /* Empty out both arrays now that we've added the entries. */
1179 out_unlock:
1182 }
1184 /*
1185 * Remember that we want to create a parent pointer in the tempfile. These
1186 * stashed actions will be replayed later.
1187 */
1188 STATIC int
1193 {
1197 };
1208 }
1210 /*
1211 * Remember that we want to remove a parent pointer from the tempfile. These
1212 * stashed actions will be replayed later.
1213 */
1214 STATIC int
1219 {
1223 };
1234 }
1236 /*
1237 * Capture dirent updates being made by other threads. We will have to replay
1238 * the parent pointer updates before exchanging attr forks.
1239 */
1240 STATIC int
1245 {
1254 /*
1255 * This thread updated a dirent that points to the file that we're
1256 * repairing, so stash the update for replay against the temporary
1257 * file.
1258 */
1265 else
1271 }
1273 /*
1274 * Prepare both inodes' attribute forks for an exchange. Promote the tempfile
1275 * from short format to leaf format, and if the file being repaired has a short
1276 * format attr fork, turn it into an empty extent list.
1277 */
1278 STATIC int
1283 {
1286 /*
1287 * If the tempfile's attributes are in shortform format, convert that
1288 * to a single leaf extent so that we can use the atomic mapping
1289 * exchange.
1290 */
1299 };
1305 /*
1306 * Roll the deferred log items to get us back to a clean
1307 * transaction.
1308 */
1312 }
1314 /*
1315 * If the file being repaired had a shortform attribute fork, convert
1316 * that to an empty extent list in preparation for the atomic mapping
1317 * exchange.
1318 */
1333 }
1336 }
1338 /* Exchange the temporary file's attribute fork with the one being repaired. */
1339 int
1343 {
1350 /*
1351 * If the both files have a local format attr fork and the rebuilt
1352 * xattr data would fit in the repaired file's attr fork, just copy
1353 * the contents from the tempfile and declare ourselves done.
1354 */
1365 }
1366 }
1368 /* Otherwise, make sure both attr forks are in block-mapping mode. */
1374 }
1376 /*
1377 * Finish replaying stashed parent pointer updates, allocate a transaction for
1378 * exchanging extent mappings, and take the ILOCKs of both files before we
1379 * commit the new extended attribute structure.
1380 */
1381 STATIC int
1384 {
1391 /*
1392 * Repair relies on the ILOCK to quiesce all possible xattr updates.
1393 * Replay all queued parent pointer updates into the tempfile before
1394 * exchanging the contents, even if that means dropping the ILOCKs and
1395 * the transaction.
1396 */
1413 }
1415 /*
1416 * Exchange the new extended attribute data (which we created in the tempfile)
1417 * with the file being repaired.
1418 */
1419 STATIC int
1422 {
1426 /*
1427 * If we didn't find any attributes to salvage, repair the file by
1428 * zapping its attr fork.
1429 */
1437 }
1441 /*
1442 * Commit the repair transaction and drop the ILOCKs so that we can use
1443 * the atomic file content exchange helper functions to compute the
1444 * correct resource reservations.
1445 *
1446 * We still hold IOLOCK_EXCL (aka i_rwsem) which will prevent xattr
1447 * modifications, but there's nothing to prevent userspace from reading
1448 * the attributes until we're ready for the exchange operation. Reads
1449 * will return -EIO without shutting down the fs, so we're ok with
1450 * that.
1451 */
1458 /*
1459 * Take the IOLOCK on the temporary file so that we can run xattr
1460 * operations with the same locks held as we would for a normal file.
1461 * We still hold sc->ip's IOLOCK.
1462 */
1467 /*
1468 * Allocate transaction, lock inodes, and make sure that we've replayed
1469 * all the stashed parent pointer updates to the temp file. After this
1470 * point, we're ready to exchange attr fork mappings.
1471 */
1476 /*
1477 * Exchange the blocks mapped by the tempfile's attr fork with the file
1478 * being repaired. The old attr blocks will then be attached to the
1479 * tempfile, so reap its attr fork.
1480 */
1489 /*
1490 * Roll to get a transaction without any inodes joined to it. Then we
1491 * can drop the tempfile's ILOCK and IOLOCK before doing more work on
1492 * the scrub target file.
1493 */
1501 forget_acls:
1502 /* Invalidate cached ACLs now that we've reloaded all the xattrs. */
1506 }
1508 /* Tear down all the incore scan stuff we created. */
1509 STATIC void
1512 {
1523 }
1525 /* Set up the filesystem scan so we can regenerate extended attributes. */
1526 STATIC int
1530 {
1545 /*
1546 * Allocate enough memory to handle loading local attr values from the
1547 * xfblob data while flushing stashed attrs to the temporary file.
1548 * We only realloc the buffer when salvaging remote attr values.
1549 */
1557 /* Set up some staging for salvaged attribute keys and values */
1594 }
1598 out_ppnames:
1600 out_pprecs:
1602 out_values:
1604 out_keys:
1606 out_rx:
1610 }
1612 /*
1613 * Repair the extended attribute metadata.
1614 *
1615 * XXX: Remote attribute value buffers encompass the entire (up to 64k) buffer.
1616 * The buffer cache in XFS can't handle aliased multiblock buffers, so this
1617 * might misbehave if the attr fork is crosslinked with other filesystem
1618 * metadata.
1619 */
1620 int
1623 {
1630 /* The rmapbt is required to reap the old attr fork. */
1633 /* We require atomic file exchange range to rebuild anything. */
1650 }
1652 /* Last chance to abort before we start committing fixes. */
1660 out_scan:
1663 }