1 // SPDX-License-Identifier: GPL-2.0+
3 * Copyright (C) 2019 Oracle. All Rights Reserved.
4 * Author: Darrick J. Wong <darrick.wong@oracle.com>
8 #include "xfs_shared.h"
9 #include "xfs_format.h"
10 #include "xfs_trans_resv.h"
11 #include "xfs_mount.h"
12 #include "xfs_alloc.h"
13 #include "xfs_ialloc.h"
14 #include "xfs_health.h"
15 #include "xfs_btree.h"
17 #include "xfs_rtalloc.h"
18 #include "xfs_inode.h"
19 #include "scrub/scrub.h"
20 #include "scrub/common.h"
21 #include "scrub/trace.h"
27 * The basics of filesystem summary counter checking are that we iterate the
28 * AGs counting the number of free blocks, free space btree blocks, per-AG
29 * reservations, inodes, delayed allocation reservations, and free inodes.
30 * Then we compare what we computed against the in-core counters.
32 * However, the reality is that summary counters are a tricky beast to check.
33 * While we /could/ freeze the filesystem and scramble around the AGs counting
34 * the free blocks, in practice we prefer not do that for a scan because
35 * freezing is costly. To get around this, we added a per-cpu counter of the
36 * delalloc reservations so that we can rotor around the AGs relatively
37 * quickly, and we allow the counts to be slightly off because we're not taking
38 * any locks while we do this.
40 * So the first thing we do is warm up the buffer cache in the setup routine by
41 * walking all the AGs to make sure the incore per-AG structure has been
42 * initialized. The expected value calculation then iterates the incore per-AG
43 * structures as quickly as it can. We snapshot the percpu counters before and
44 * after this operation and use the difference in counter values to guess at
45 * our tolerance for mismatch between expected and actual counter values.
48 struct xchk_fscounters {
54 unsigned long long icount_min;
55 unsigned long long icount_max;
59 * Since the expected value computation is lockless but only browses incore
60 * values, the percpu counters should be fairly close to each other. However,
61 * we'll allow ourselves to be off by at least this (arbitrary) amount.
63 #define XCHK_FSCOUNT_MIN_VARIANCE (512)
66 * Make sure the per-AG structure has been initialized from the on-disk header
67 * contents and trust that the incore counters match the ondisk counters. (The
68 * AGF and AGI scrubbers check them, and a normal xfs_scrub run checks the
69 * summary counters after checking all AG headers). Do this from the setup
70 * function so that the inner AG aggregation loop runs as quickly as possible.
72 * This function runs during the setup phase /before/ we start checking any
79 struct xfs_mount *mp = sc->mp;
80 struct xfs_buf *agi_bp = NULL;
81 struct xfs_buf *agf_bp = NULL;
82 struct xfs_perag *pag = NULL;
86 for_each_perag(mp, agno, pag) {
87 if (xchk_should_terminate(sc, &error))
89 if (pag->pagi_init && pag->pagf_init)
92 /* Lock both AG headers. */
93 error = xfs_ialloc_read_agi(pag, sc->tp, &agi_bp);
96 error = xfs_alloc_read_agf(pag, sc->tp, 0, &agf_bp);
101 * These are supposed to be initialized by the header read
104 if (!pag->pagi_init || !pag->pagf_init) {
105 error = -EFSCORRUPTED;
109 xfs_buf_relse(agf_bp);
111 xfs_buf_relse(agi_bp);
116 xfs_buf_relse(agf_bp);
118 xfs_buf_relse(agi_bp);
125 xchk_setup_fscounters(
126 struct xfs_scrub *sc)
128 struct xchk_fscounters *fsc;
131 sc->buf = kzalloc(sizeof(struct xchk_fscounters), XCHK_GFP_FLAGS);
137 xfs_icount_range(sc->mp, &fsc->icount_min, &fsc->icount_max);
139 /* We must get the incore counters set up before we can proceed. */
140 error = xchk_fscount_warmup(sc);
145 * Pause background reclaim while we're scrubbing to reduce the
146 * likelihood of background perturbations to the counters throwing off
149 xchk_stop_reaping(sc);
151 return xchk_trans_alloc(sc, 0);
155 * Part 1: Collecting filesystem summary counts. For each AG, we add its
156 * summary counts (total inodes, free inodes, free data blocks) to an incore
157 * copy of the overall filesystem summary counts.
159 * To avoid false corruption reports in part 2, any failure in this part must
160 * set the INCOMPLETE flag even when a negative errno is returned. This care
161 * must be taken with certain errno values (i.e. EFSBADCRC, EFSCORRUPTED,
162 * ECANCELED) that are absorbed into a scrub state flag update by
163 * xchk_*_process_error.
166 /* Count free space btree blocks manually for pre-lazysbcount filesystems. */
168 xchk_fscount_btreeblks(
169 struct xfs_scrub *sc,
170 struct xchk_fscounters *fsc,
176 error = xchk_ag_init_existing(sc, agno, &sc->sa);
180 error = xfs_btree_count_blocks(sc->sa.bno_cur, &blocks);
183 fsc->fdblocks += blocks - 1;
185 error = xfs_btree_count_blocks(sc->sa.cnt_cur, &blocks);
188 fsc->fdblocks += blocks - 1;
191 xchk_ag_free(sc, &sc->sa);
196 * Calculate what the global in-core counters ought to be from the incore
197 * per-AG structure. Callers can compare this to the actual in-core counters
198 * to estimate by how much both in-core and on-disk counters need to be
202 xchk_fscount_aggregate_agcounts(
203 struct xfs_scrub *sc,
204 struct xchk_fscounters *fsc)
206 struct xfs_mount *mp = sc->mp;
207 struct xfs_perag *pag;
218 for_each_perag(mp, agno, pag) {
219 if (xchk_should_terminate(sc, &error))
222 /* This somehow got unset since the warmup? */
223 if (!pag->pagi_init || !pag->pagf_init) {
224 error = -EFSCORRUPTED;
228 /* Count all the inodes */
229 fsc->icount += pag->pagi_count;
230 fsc->ifree += pag->pagi_freecount;
232 /* Add up the free/freelist/bnobt/cntbt blocks */
233 fsc->fdblocks += pag->pagf_freeblks;
234 fsc->fdblocks += pag->pagf_flcount;
235 if (xfs_has_lazysbcount(sc->mp)) {
236 fsc->fdblocks += pag->pagf_btreeblks;
238 error = xchk_fscount_btreeblks(sc, fsc, agno);
244 * Per-AG reservations are taken out of the incore counters,
245 * so they must be left out of the free blocks computation.
247 fsc->fdblocks -= pag->pag_meta_resv.ar_reserved;
248 fsc->fdblocks -= pag->pag_rmapbt_resv.ar_orig_reserved;
254 xchk_set_incomplete(sc);
259 * The global incore space reservation is taken from the incore
260 * counters, so leave that out of the computation.
262 fsc->fdblocks -= mp->m_resblks_avail;
265 * Delayed allocation reservations are taken out of the incore counters
266 * but not recorded on disk, so leave them and their indlen blocks out
267 * of the computation.
269 delayed = percpu_counter_sum(&mp->m_delalloc_blks);
270 fsc->fdblocks -= delayed;
272 trace_xchk_fscounters_calc(mp, fsc->icount, fsc->ifree, fsc->fdblocks,
276 /* Bail out if the values we compute are totally nonsense. */
277 if (fsc->icount < fsc->icount_min || fsc->icount > fsc->icount_max ||
278 fsc->fdblocks > mp->m_sb.sb_dblocks ||
279 fsc->ifree > fsc->icount_max)
280 return -EFSCORRUPTED;
283 * If ifree > icount then we probably had some perturbation in the
284 * counters while we were calculating things. We'll try a few times
285 * to maintain ifree <= icount before giving up.
287 if (fsc->ifree > fsc->icount) {
290 xchk_set_incomplete(sc);
299 xchk_fscount_add_frextent(
300 struct xfs_mount *mp,
301 struct xfs_trans *tp,
302 const struct xfs_rtalloc_rec *rec,
305 struct xchk_fscounters *fsc = priv;
308 fsc->frextents += rec->ar_extcount;
310 xchk_should_terminate(fsc->sc, &error);
314 /* Calculate the number of free realtime extents from the realtime bitmap. */
316 xchk_fscount_count_frextents(
317 struct xfs_scrub *sc,
318 struct xchk_fscounters *fsc)
320 struct xfs_mount *mp = sc->mp;
324 if (!xfs_has_realtime(mp))
327 xfs_ilock(sc->mp->m_rbmip, XFS_ILOCK_SHARED | XFS_ILOCK_RTBITMAP);
328 error = xfs_rtalloc_query_all(sc->mp, sc->tp,
329 xchk_fscount_add_frextent, fsc);
331 xchk_set_incomplete(sc);
336 xfs_iunlock(sc->mp->m_rbmip, XFS_ILOCK_SHARED | XFS_ILOCK_RTBITMAP);
341 xchk_fscount_count_frextents(
342 struct xfs_scrub *sc,
343 struct xchk_fscounters *fsc)
348 #endif /* CONFIG_XFS_RT */
351 * Part 2: Comparing filesystem summary counters. All we have to do here is
352 * sum the percpu counters and compare them to what we've observed.
356 * Is the @counter reasonably close to the @expected value?
358 * We neither locked nor froze anything in the filesystem while aggregating the
359 * per-AG data to compute the @expected value, which means that the counter
360 * could have changed. We know the @old_value of the summation of the counter
361 * before the aggregation, and we re-sum the counter now. If the expected
362 * value falls between the two summations, we're ok.
364 * Otherwise, we /might/ have a problem. If the change in the summations is
365 * more than we want to tolerate, the filesystem is probably busy and we should
366 * just send back INCOMPLETE and see if userspace will try again.
369 xchk_fscount_within_range(
370 struct xfs_scrub *sc,
371 const int64_t old_value,
372 struct percpu_counter *counter,
375 int64_t min_value, max_value;
376 int64_t curr_value = percpu_counter_sum(counter);
378 trace_xchk_fscounters_within_range(sc->mp, expected, curr_value,
381 /* Negative values are always wrong. */
385 /* Exact matches are always ok. */
386 if (curr_value == expected)
389 min_value = min(old_value, curr_value);
390 max_value = max(old_value, curr_value);
392 /* Within the before-and-after range is ok. */
393 if (expected >= min_value && expected <= max_value)
397 * If the difference between the two summations is too large, the fs
398 * might just be busy and so we'll mark the scrub incomplete. Return
399 * true here so that we don't mark the counter corrupt.
401 * XXX: In the future when userspace can grant scrub permission to
402 * quiesce the filesystem to solve the outsized variance problem, this
403 * check should be moved up and the return code changed to signal to
404 * userspace that we need quiesce permission.
406 if (max_value - min_value >= XCHK_FSCOUNT_MIN_VARIANCE) {
407 xchk_set_incomplete(sc);
414 /* Check the superblock counters. */
417 struct xfs_scrub *sc)
419 struct xfs_mount *mp = sc->mp;
420 struct xchk_fscounters *fsc = sc->buf;
421 int64_t icount, ifree, fdblocks, frextents;
424 /* Snapshot the percpu counters. */
425 icount = percpu_counter_sum(&mp->m_icount);
426 ifree = percpu_counter_sum(&mp->m_ifree);
427 fdblocks = percpu_counter_sum(&mp->m_fdblocks);
428 frextents = percpu_counter_sum(&mp->m_frextents);
430 /* No negative values, please! */
431 if (icount < 0 || ifree < 0 || fdblocks < 0 || frextents < 0)
432 xchk_set_corrupt(sc);
434 /* See if icount is obviously wrong. */
435 if (icount < fsc->icount_min || icount > fsc->icount_max)
436 xchk_set_corrupt(sc);
438 /* See if fdblocks is obviously wrong. */
439 if (fdblocks > mp->m_sb.sb_dblocks)
440 xchk_set_corrupt(sc);
442 /* See if frextents is obviously wrong. */
443 if (frextents > mp->m_sb.sb_rextents)
444 xchk_set_corrupt(sc);
447 * If ifree exceeds icount by more than the minimum variance then
448 * something's probably wrong with the counters.
450 if (ifree > icount && ifree - icount > XCHK_FSCOUNT_MIN_VARIANCE)
451 xchk_set_corrupt(sc);
453 /* Walk the incore AG headers to calculate the expected counters. */
454 error = xchk_fscount_aggregate_agcounts(sc, fsc);
455 if (!xchk_process_error(sc, 0, XFS_SB_BLOCK(mp), &error))
457 if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_INCOMPLETE)
460 /* Count the free extents counter for rt volumes. */
461 error = xchk_fscount_count_frextents(sc, fsc);
462 if (!xchk_process_error(sc, 0, XFS_SB_BLOCK(mp), &error))
464 if (sc->sm->sm_flags & XFS_SCRUB_OFLAG_INCOMPLETE)
467 /* Compare the in-core counters with whatever we counted. */
468 if (!xchk_fscount_within_range(sc, icount, &mp->m_icount, fsc->icount))
469 xchk_set_corrupt(sc);
471 if (!xchk_fscount_within_range(sc, ifree, &mp->m_ifree, fsc->ifree))
472 xchk_set_corrupt(sc);
474 if (!xchk_fscount_within_range(sc, fdblocks, &mp->m_fdblocks,
476 xchk_set_corrupt(sc);
478 if (!xchk_fscount_within_range(sc, frextents, &mp->m_frextents,
480 xchk_set_corrupt(sc);
projects / platform / kernel / linux-starfive.git / blob