fs/xfs/scrub/quota.c

   1 // SPDX-License-Identifier: GPL-2.0+
   2 /*
   3  * Copyright (C) 2017 Oracle.  All Rights Reserved.
   4  * Author: Darrick J. Wong <darrick.wong@oracle.com>
   5  */
   6 #include "xfs.h"
   7 #include "xfs_fs.h"
   8 #include "xfs_shared.h"
   9 #include "xfs_format.h"
  10 #include "xfs_trans_resv.h"
  11 #include "xfs_mount.h"
  12 #include "xfs_log_format.h"
  13 #include "xfs_trans.h"
  14 #include "xfs_inode.h"
  15 #include "xfs_quota.h"
  16 #include "xfs_qm.h"
  17 #include "scrub/scrub.h"
  18 #include "scrub/common.h"
  19
  20 /* Convert a scrub type code to a DQ flag, or return 0 if error. */
  21 static inline xfs_dqtype_t
  22 xchk_quota_to_dqtype(
  23         struct xfs_scrub        *sc)
  24 {
  25         switch (sc->sm->sm_type) {
  26         case XFS_SCRUB_TYPE_UQUOTA:
  27                 return XFS_DQTYPE_USER;
  28         case XFS_SCRUB_TYPE_GQUOTA:
  29                 return XFS_DQTYPE_GROUP;
  30         case XFS_SCRUB_TYPE_PQUOTA:
  31                 return XFS_DQTYPE_PROJ;
  32         default:
  33                 return 0;
  34         }
  35 }
  36
  37 /* Set us up to scrub a quota. */
  38 int
  39 xchk_setup_quota(
  40         struct xfs_scrub        *sc,
  41         struct xfs_inode        *ip)
  42 {
  43         xfs_dqtype_t            dqtype;
  44         int                     error;
  45
  46         if (!XFS_IS_QUOTA_RUNNING(sc->mp) || !XFS_IS_QUOTA_ON(sc->mp))
  47                 return -ENOENT;
  48
  49         dqtype = xchk_quota_to_dqtype(sc);
  50         if (dqtype == 0)
  51                 return -EINVAL;
  52         sc->flags |= XCHK_HAS_QUOTAOFFLOCK;
  53         mutex_lock(&sc->mp->m_quotainfo->qi_quotaofflock);
  54         if (!xfs_this_quota_on(sc->mp, dqtype))
  55                 return -ENOENT;
  56         error = xchk_setup_fs(sc, ip);
  57         if (error)
  58                 return error;
  59         sc->ip = xfs_quota_inode(sc->mp, dqtype);
  60         xfs_ilock(sc->ip, XFS_ILOCK_EXCL);
  61         sc->ilock_flags = XFS_ILOCK_EXCL;
  62         return 0;
  63 }
  64
  65 /* Quotas. */
  66
  67 struct xchk_quota_info {
  68         struct xfs_scrub        *sc;
  69         xfs_dqid_t              last_id;
  70 };
  71
  72 /* Scrub the fields in an individual quota item. */
  73 STATIC int
  74 xchk_quota_item(
  75         struct xfs_dquot        *dq,
  76         xfs_dqtype_t            dqtype,
  77         void                    *priv)
  78 {
  79         struct xchk_quota_info  *sqi = priv;
  80         struct xfs_scrub        *sc = sqi->sc;
  81         struct xfs_mount        *mp = sc->mp;
  82         struct xfs_quotainfo    *qi = mp->m_quotainfo;
  83         xfs_fileoff_t           offset;
  84         xfs_ino_t               fs_icount;
  85         int                     error = 0;
  86
  87         if (xchk_should_terminate(sc, &error))
  88                 return error;
  89
  90         /*
  91          * Except for the root dquot, the actual dquot we got must either have
  92          * the same or higher id as we saw before.
  93          */
  94         offset = dq->q_id / qi->qi_dqperchunk;
  95         if (dq->q_id && dq->q_id <= sqi->last_id)
  96                 xchk_fblock_set_corrupt(sc, XFS_DATA_FORK, offset);
  97
  98         sqi->last_id = dq->q_id;
  99
 100         /*
 101          * Warn if the hard limits are larger than the fs.
 102          * Administrators can do this, though in production this seems
 103          * suspect, which is why we flag it for review.
 104          *
 105          * Complain about corruption if the soft limit is greater than
 106          * the hard limit.
 107          */
 108         if (dq->q_blk.hardlimit > mp->m_sb.sb_dblocks)
 109                 xchk_fblock_set_warning(sc, XFS_DATA_FORK, offset);
 110         if (dq->q_blk.softlimit > dq->q_blk.hardlimit)
 111                 xchk_fblock_set_corrupt(sc, XFS_DATA_FORK, offset);
 112
 113         if (dq->q_ino.hardlimit > M_IGEO(mp)->maxicount)
 114                 xchk_fblock_set_warning(sc, XFS_DATA_FORK, offset);
 115         if (dq->q_ino.softlimit > dq->q_ino.hardlimit)
 116                 xchk_fblock_set_corrupt(sc, XFS_DATA_FORK, offset);
 117
 118         if (dq->q_rtb.hardlimit > mp->m_sb.sb_rblocks)
 119                 xchk_fblock_set_warning(sc, XFS_DATA_FORK, offset);
 120         if (dq->q_rtb.softlimit > dq->q_rtb.hardlimit)
 121                 xchk_fblock_set_corrupt(sc, XFS_DATA_FORK, offset);
 122
 123         /* Check the resource counts. */
 124         fs_icount = percpu_counter_sum(&mp->m_icount);
 125
 126         /*
 127          * Check that usage doesn't exceed physical limits.  However, on
 128          * a reflink filesystem we're allowed to exceed physical space
 129          * if there are no quota limits.
 130          */
 131         if (xfs_sb_version_hasreflink(&mp->m_sb)) {
 132                 if (mp->m_sb.sb_dblocks < dq->q_blk.count)
 133                         xchk_fblock_set_warning(sc, XFS_DATA_FORK,
 134                                         offset);
 135         } else {
 136                 if (mp->m_sb.sb_dblocks < dq->q_blk.count)
 137                         xchk_fblock_set_corrupt(sc, XFS_DATA_FORK,
 138                                         offset);
 139         }
 140         if (dq->q_ino.count > fs_icount || dq->q_rtb.count > mp->m_sb.sb_rblocks)
 141                 xchk_fblock_set_corrupt(sc, XFS_DATA_FORK, offset);
 142
 143         /*
 144          * We can violate the hard limits if the admin suddenly sets a
 145          * lower limit than the actual usage.  However, we flag it for
 146          * admin review.
 147          */
 148         if (dq->q_id == 0)
 149                 goto out;
 150
 151         if (dq->q_blk.hardlimit != 0 &&
 152             dq->q_blk.count > dq->q_blk.hardlimit)
 153                 xchk_fblock_set_warning(sc, XFS_DATA_FORK, offset);
 154
 155         if (dq->q_ino.hardlimit != 0 &&
 156             dq->q_ino.count > dq->q_ino.hardlimit)
 157                 xchk_fblock_set_warning(sc, XFS_DATA_FORK, offset);
 158
 159         if (dq->q_rtb.hardlimit != 0 &&
 160             dq->q_rtb.count > dq->q_rtb.hardlimit)
 161                 xchk_fblock_set_warning(sc, XFS_DATA_FORK, offset);
 162
 163 out:
 164         if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)
 165                 return -EFSCORRUPTED;
 166
 167         return 0;
 168 }
 169
 170 /* Check the quota's data fork. */
 171 STATIC int
 172 xchk_quota_data_fork(
 173         struct xfs_scrub        *sc)
 174 {
 175         struct xfs_bmbt_irec    irec = { 0 };
 176         struct xfs_iext_cursor  icur;
 177         struct xfs_quotainfo    *qi = sc->mp->m_quotainfo;
 178         struct xfs_ifork        *ifp;
 179         xfs_fileoff_t           max_dqid_off;
 180         int                     error = 0;
 181
 182         /* Invoke the fork scrubber. */
 183         error = xchk_metadata_inode_forks(sc);
 184         if (error || (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT))
 185                 return error;
 186
 187         /* Check for data fork problems that apply only to quota files. */
 188         max_dqid_off = ((xfs_dqid_t)-1) / qi->qi_dqperchunk;
 189         ifp = XFS_IFORK_PTR(sc->ip, XFS_DATA_FORK);
 190         for_each_xfs_iext(ifp, &icur, &irec) {
 191                 if (xchk_should_terminate(sc, &error))
 192                         break;
 193                 /*
 194                  * delalloc extents or blocks mapped above the highest
 195                  * quota id shouldn't happen.
 196                  */
 197                 if (isnullstartblock(irec.br_startblock) ||
 198                     irec.br_startoff > max_dqid_off ||
 199                     irec.br_startoff + irec.br_blockcount - 1 > max_dqid_off) {
 200                         xchk_fblock_set_corrupt(sc, XFS_DATA_FORK,
 201                                         irec.br_startoff);
 202                         break;
 203                 }
 204         }
 205
 206         return error;
 207 }
 208
 209 /* Scrub all of a quota type's items. */
 210 int
 211 xchk_quota(
 212         struct xfs_scrub        *sc)
 213 {
 214         struct xchk_quota_info  sqi;
 215         struct xfs_mount        *mp = sc->mp;
 216         struct xfs_quotainfo    *qi = mp->m_quotainfo;
 217         xfs_dqtype_t            dqtype;
 218         int                     error = 0;
 219
 220         dqtype = xchk_quota_to_dqtype(sc);
 221
 222         /* Look for problem extents. */
 223         error = xchk_quota_data_fork(sc);
 224         if (error)
 225                 goto out;
 226         if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_CORRUPT)
 227                 goto out;
 228
 229         /*
 230          * Check all the quota items.  Now that we've checked the quota inode
 231          * data fork we have to drop ILOCK_EXCL to use the regular dquot
 232          * functions.
 233          */
 234         xfs_iunlock(sc->ip, sc->ilock_flags);
 235         sc->ilock_flags = 0;
 236         sqi.sc = sc;
 237         sqi.last_id = 0;
 238         error = xfs_qm_dqiterate(mp, dqtype, xchk_quota_item, &sqi);
 239         sc->ilock_flags = XFS_ILOCK_EXCL;
 240         xfs_ilock(sc->ip, sc->ilock_flags);
 241         if (!xchk_fblock_process_error(sc, XFS_DATA_FORK,
 242                         sqi.last_id * qi->qi_dqperchunk, &error))
 243                 goto out;
 244
 245 out:
 246         return error;
 247 }