search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
dma: factor out mail handling code
[dragonfly.git] / sys / vfs / hammer / hammer_recover.c
blob8cbe3238f96e3d03fa85a5ad5359890905bdebe8
1 /*
2 * Copyright (c) 2008 The DragonFly Project. All rights reserved.
3 *
4 * This code is derived from software contributed to The DragonFly Project
5 * by Matthew Dillon <dillon@backplane.com>
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 *
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in
15 * the documentation and/or other materials provided with the
16 * distribution.
17 * 3. Neither the name of The DragonFly Project nor the names of its
18 * contributors may be used to endorse or promote products derived
19 * from this software without specific, prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
22 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
23 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
24 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
25 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
26 * INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING,
27 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
28 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
29 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
30 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
31 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 *
34 * $DragonFly: src/sys/vfs/hammer/hammer_recover.c,v 1.29 2008/07/26 05:36:21 dillon Exp $
35 */
36
37 #include "hammer.h"
38
39 static int hammer_check_tail_signature(hammer_fifo_tail_t tail,
40 hammer_off_t end_off);
41 static void hammer_recover_copy_undo(hammer_off_t undo_offset,
42 char *src, char *dst, int bytes);
43 #if 0
44 static void hammer_recover_debug_dump(int w, char *buf, int bytes);
45 #endif
46 static int hammer_recover_undo(hammer_mount_t hmp, hammer_volume_t root_volume,
47 hammer_fifo_undo_t undo, int bytes);
48
49 /*
50 * Recover a filesystem on mount
51 *
52 * NOTE: No information from the root volume has been cached in the
53 * hammer_mount structure yet, so we need to access the root volume's
54 * buffer directly.
55 */
56 int
57 hammer_recover(hammer_mount_t hmp, hammer_volume_t root_volume)
58 {
59 hammer_blockmap_t rootmap;
60 hammer_buffer_t buffer;
61 hammer_off_t scan_offset;
62 hammer_off_t bytes;
63 hammer_fifo_tail_t tail;
64 hammer_fifo_undo_t undo;
65 hammer_off_t first_offset;
66 hammer_off_t last_offset;
67 int error;
68
69 /*
70 * Examine the UNDO FIFO. If it is empty the filesystem is clean
71 * and no action need be taken.
72 */
73 rootmap = &root_volume->ondisk->vol0_blockmap[HAMMER_ZONE_UNDO_INDEX];
74
75 if (rootmap->first_offset == rootmap->next_offset)
76 return(0);
77
78 first_offset = rootmap->first_offset;
79 last_offset = rootmap->next_offset;
80
81 if (last_offset >= first_offset) {
82 bytes = last_offset - first_offset;
83 } else {
84 bytes = rootmap->alloc_offset - first_offset +
85 (last_offset & HAMMER_OFF_LONG_MASK);
86 }
87 kprintf("HAMMER(%s) Start Recovery %016llx - %016llx "
88 "(%lld bytes of UNDO)%s\n",
89 root_volume->ondisk->vol_name,
90 (long long)first_offset,
91 (long long)last_offset,
92 (long long)bytes,
93 (hmp->ronly ? " (RO)" : "(RW)"));
94 if (bytes > (rootmap->alloc_offset & HAMMER_OFF_LONG_MASK)) {
95 kprintf("Undo size is absurd, unable to mount\n");
96 return(EIO);
97 }
98
99 /*
100 * Scan the UNDOs backwards.
101 */
102 scan_offset = last_offset;
103 buffer = NULL;
104 if (scan_offset > rootmap->alloc_offset) {
105 kprintf("HAMMER(%s) UNDO record at %016llx FIFO overflow\n",
106 root_volume->ondisk->vol_name,
107 (long long)scan_offset);
108 error = EIO;
109 goto done;
110 }
111
112 while ((int64_t)bytes > 0) {
113 if (hammer_debug_general & 0x0080)
114 kprintf("scan_offset %016llx\n",
115 (long long)scan_offset);
116 if (scan_offset == HAMMER_ZONE_ENCODE(HAMMER_ZONE_UNDO_INDEX, 0)) {
117 scan_offset = rootmap->alloc_offset;
118 continue;
119 }
120 if (scan_offset - sizeof(*tail) <
121 HAMMER_ZONE_ENCODE(HAMMER_ZONE_UNDO_INDEX, 0)) {
122 kprintf("HAMMER(%s) UNDO record at %016llx FIFO "
123 "underflow\n",
124 root_volume->ondisk->vol_name,
125 (long long)scan_offset);
126 error = EIO;
127 break;
128 }
129 tail = hammer_bread(hmp, scan_offset - sizeof(*tail),
130 &error, &buffer);
131 if (error) {
132 kprintf("HAMMER(%s) Unable to read UNDO TAIL "
133 "at %016llx\n",
134 root_volume->ondisk->vol_name,
135 (long long)scan_offset - sizeof(*tail));
136 break;
137 }
138
139 if (hammer_check_tail_signature(tail, scan_offset) != 0) {
140 kprintf("HAMMER(%s) Illegal UNDO TAIL signature "
141 "at %016llx\n",
142 root_volume->ondisk->vol_name,
143 (long long)scan_offset - sizeof(*tail));
144 error = EIO;
145 break;
146 }
147 undo = (void *)((char *)tail + sizeof(*tail) - tail->tail_size);
148
149 error = hammer_recover_undo(hmp, root_volume, undo,
150 HAMMER_BUFSIZE -
151 (int)((char *)undo - (char *)buffer->ondisk));
152 if (error) {
153 kprintf("HAMMER(%s) UNDO record at %016llx failed\n",
154 root_volume->ondisk->vol_name,
155 (long long)scan_offset - tail->tail_size);
156 break;
157 }
158 scan_offset -= tail->tail_size;
159 bytes -= tail->tail_size;
160
161 /*
162 * If too many dirty buffers have built up we have to flush'm
163 * out. As long as we do not flush out the volume header
164 * a crash here should not cause any problems.
165 *
166 * buffer must be released so the flush can assert that
167 * all buffers are idle.
168 */
169 if (hammer_flusher_meta_limit(hmp)) {
170 if (buffer) {
171 hammer_rel_buffer(buffer, 0);
172 buffer = NULL;
173 }
174 if (hmp->ronly == 0) {
175 hammer_recover_flush_buffers(hmp, root_volume,
176 0);
177 kprintf("HAMMER(%s) Continuing recovery\n",
178 root_volume->ondisk->vol_name);
179 } else {
180 kprintf("HAMMER(%s) Recovery failure: Insufficient buffer cache to hold dirty buffers on read-only mount!\n",
181 root_volume->ondisk->vol_name);
182 error = EIO;
183 break;
184 }
185 }
186 }
187 done:
188 if (buffer)
189 hammer_rel_buffer(buffer, 0);
190
191 /*
192 * After completely flushing all the recovered buffers the volume
193 * header will also be flushed. Force the UNDO FIFO to 0-length.
194 */
195 if (root_volume->io.recovered == 0) {
196 hammer_ref_volume(root_volume);
197 root_volume->io.recovered = 1;
198 }
199
200 /*
201 * Finish up flushing (or discarding) recovered buffers
202 */
203 if (error == 0) {
204 hammer_modify_volume(NULL, root_volume, NULL, 0);
205 rootmap = &root_volume->ondisk->vol0_blockmap[HAMMER_ZONE_UNDO_INDEX];
206 rootmap->first_offset = last_offset;
207 rootmap->next_offset = last_offset;
208 hammer_modify_volume_done(root_volume);
209 if (hmp->ronly == 0)
210 hammer_recover_flush_buffers(hmp, root_volume, 1);
211 } else {
212 hammer_recover_flush_buffers(hmp, root_volume, -1);
213 }
214 kprintf("HAMMER(%s) End Recovery\n", root_volume->ondisk->vol_name);
215 return (error);
216 }
217
218 static int
219 hammer_check_tail_signature(hammer_fifo_tail_t tail, hammer_off_t end_off)
220 {
221 int max_bytes;
222
223 max_bytes = ((end_off - sizeof(*tail)) & HAMMER_BUFMASK);
224 max_bytes += sizeof(*tail);
225
226 /*
227 * tail overlaps buffer boundary
228 */
229 if (((end_off - sizeof(*tail)) ^ (end_off - 1)) & ~HAMMER_BUFMASK64) {
230 return(1);
231 }
232
233 /*
234 * signature check, the tail signature is allowed to be the head
235 * signature only for 8-byte PADs.
236 */
237 switch(tail->tail_signature) {
238 case HAMMER_TAIL_SIGNATURE:
239 break;
240 case HAMMER_HEAD_SIGNATURE:
241 if (tail->tail_type != HAMMER_HEAD_TYPE_PAD ||
242 tail->tail_size != sizeof(*tail)) {
243 return(2);
244 }
245 break;
246 }
247
248 /*
249 * The undo structure must not overlap a buffer boundary.
250 */
251 if (tail->tail_size < sizeof(*tail) || tail->tail_size > max_bytes) {
252 return(3);
253 }
254 return(0);
255 }
256
257 static int
258 hammer_recover_undo(hammer_mount_t hmp, hammer_volume_t root_volume,
259 hammer_fifo_undo_t undo, int bytes)
260 {
261 hammer_fifo_tail_t tail;
262 hammer_volume_t volume;
263 hammer_buffer_t buffer;
264 hammer_off_t buf_offset;
265 int zone;
266 int error;
267 int vol_no;
268 int max_bytes;
269 u_int32_t offset;
270 u_int32_t crc;
271
272 /*
273 * Basic sanity checks
274 */
275 if (bytes < HAMMER_HEAD_ALIGN) {
276 kprintf("HAMMER: Undo alignment error (%d)\n", bytes);
277 return(EIO);
278 }
279 if (undo->head.hdr_signature != HAMMER_HEAD_SIGNATURE) {
280 kprintf("HAMMER: Bad head signature %04x\n",
281 undo->head.hdr_signature);
282 return(EIO);
283 }
284 if (undo->head.hdr_size < HAMMER_HEAD_ALIGN ||
285 undo->head.hdr_size > bytes) {
286 kprintf("HAMMER: Bad size %d\n", bytes);
287 return(EIO);
288 }
289
290 /*
291 * Skip PAD records. Note that PAD records also do not require
292 * a tail and may have a truncated structure.
293 */
294 if (undo->head.hdr_type == HAMMER_HEAD_TYPE_PAD)
295 return(0);
296
297 /*
298 * Check the CRC
299 */
300 crc = crc32(undo, HAMMER_FIFO_HEAD_CRCOFF) ^
301 crc32(&undo->head + 1, undo->head.hdr_size - sizeof(undo->head));
302 if (undo->head.hdr_crc != crc) {
303 kprintf("HAMMER: Undo record CRC failed %08x %08x\n",
304 undo->head.hdr_crc, crc);
305 return(EIO);
306 }
307
308
309 /*
310 * Check the tail
311 */
312 bytes = undo->head.hdr_size;
313 tail = (void *)((char *)undo + bytes - sizeof(*tail));
314 if (tail->tail_size != undo->head.hdr_size) {
315 kprintf("HAMMER: Bad tail size %d\n", tail->tail_size);
316 return(EIO);
317 }
318 if (tail->tail_type != undo->head.hdr_type) {
319 kprintf("HAMMER: Bad tail type %d\n", tail->tail_type);
320 return(EIO);
321 }
322
323 /*
324 * Only process UNDO records
325 */
326 if (undo->head.hdr_type != HAMMER_HEAD_TYPE_UNDO)
327 return(0);
328
329 /*
330 * Validate the UNDO record.
331 */
332 max_bytes = undo->head.hdr_size - sizeof(*undo) - sizeof(*tail);
333 if (undo->undo_data_bytes < 0 || undo->undo_data_bytes > max_bytes) {
334 kprintf("HAMMER: Corrupt UNDO record, undo_data_bytes %d/%d\n",
335 undo->undo_data_bytes, max_bytes);
336 return(EIO);
337 }
338
339 /*
340 * The undo offset may only be a zone-1 or zone-2 offset.
341 *
342 * Currently we only support a zone-1 offset representing the
343 * volume header.
344 */
345 zone = HAMMER_ZONE_DECODE(undo->undo_offset);
346 offset = undo->undo_offset & HAMMER_BUFMASK;
347
348 if (offset + undo->undo_data_bytes > HAMMER_BUFSIZE) {
349 kprintf("HAMMER: Corrupt UNDO record, bad offset\n");
350 return (EIO);
351 }
352
353 switch(zone) {
354 case HAMMER_ZONE_RAW_VOLUME_INDEX:
355 vol_no = HAMMER_VOL_DECODE(undo->undo_offset);
356 volume = hammer_get_volume(hmp, vol_no, &error);
357 if (volume == NULL) {
358 kprintf("HAMMER: UNDO record, "
359 "cannot access volume %d\n", vol_no);
360 break;
361 }
362 hammer_modify_volume(NULL, volume, NULL, 0);
363 hammer_recover_copy_undo(undo->undo_offset,
364 (char *)(undo + 1),
365 (char *)volume->ondisk + offset,
366 undo->undo_data_bytes);
367 hammer_modify_volume_done(volume);
368
369 /*
370 * Multiple modifications may be made to the same buffer.
371 * Also, the volume header cannot be written out until
372 * everything else has been flushed. This also
373 * covers the read-only case by preventing the kernel from
374 * flushing the buffer.
375 */
376 if (volume->io.recovered == 0)
377 volume->io.recovered = 1;
378 else
379 hammer_rel_volume(volume, 0);
380 break;
381 case HAMMER_ZONE_RAW_BUFFER_INDEX:
382 buf_offset = undo->undo_offset & ~HAMMER_BUFMASK64;
383 buffer = hammer_get_buffer(hmp, buf_offset, HAMMER_BUFSIZE,
384 0, &error);
385 if (buffer == NULL) {
386 kprintf("HAMMER: UNDO record, "
387 "cannot access buffer %016llx\n",
388 (long long)undo->undo_offset);
389 break;
390 }
391 hammer_modify_buffer(NULL, buffer, NULL, 0);
392 hammer_recover_copy_undo(undo->undo_offset,
393 (char *)(undo + 1),
394 (char *)buffer->ondisk + offset,
395 undo->undo_data_bytes);
396 hammer_modify_buffer_done(buffer);
397
398 /*
399 * Multiple modifications may be made to the same buffer,
400 * improve performance by delaying the flush. This also
401 * covers the read-only case by preventing the kernel from
402 * flushing the buffer.
403 */
404 if (buffer->io.recovered == 0)
405 buffer->io.recovered = 1;
406 else
407 hammer_rel_buffer(buffer, 0);
408 break;
409 default:
410 kprintf("HAMMER: Corrupt UNDO record\n");
411 error = EIO;
412 }
413 return (error);
414 }
415
416 static void
417 hammer_recover_copy_undo(hammer_off_t undo_offset,
418 char *src, char *dst, int bytes)
419 {
420 if (hammer_debug_general & 0x0080) {
421 kprintf("UNDO %016llx: %d\n",
422 (long long)undo_offset, bytes);
423 }
424 #if 0
425 kprintf("UNDO %016llx:", (long long)undo_offset);
426 hammer_recover_debug_dump(22, dst, bytes);
427 kprintf("%22s", "to:");
428 hammer_recover_debug_dump(22, src, bytes);
429 #endif
430 bcopy(src, dst, bytes);
431 }
432
433 #if 0
434
435 static void
436 hammer_recover_debug_dump(int w, char *buf, int bytes)
437 {
438 int i;
439
440 for (i = 0; i < bytes; ++i) {
441 if (i && (i & 15) == 0)
442 kprintf("\n%*.*s", w, w, "");
443 kprintf(" %02x", (unsigned char)buf[i]);
444 }
445 kprintf("\n");
446 }
447
448 #endif
449
450 /*
451 * Flush recovered buffers from recovery operations. The call to this
452 * routine may be delayed if a read-only mount was made and then later
453 * upgraded to read-write.
454 *
455 * The volume header is always written last. The UNDO FIFO will be forced
456 * to zero-length by setting next_offset to first_offset. This leaves the
457 * (now stale) UNDO information used to recover the disk available for
458 * forensic analysis.
459 *
460 * final is typically 0 or 1. The volume header is only written if final
461 * is 1. If final is -1 the recovered buffers are discarded instead of
462 * written and root_volume can also be passed as NULL in that case.
463 */
464 static int hammer_recover_flush_volume_callback(hammer_volume_t, void *);
465 static int hammer_recover_flush_buffer_callback(hammer_buffer_t, void *);
466
467 void
468 hammer_recover_flush_buffers(hammer_mount_t hmp, hammer_volume_t root_volume,
469 int final)
470 {
471 /*
472 * Flush the buffers out asynchronously, wait for all the I/O to
473 * complete, then do it again to destroy the buffer cache buffer
474 * so it doesn't alias something later on.
475 */
476 RB_SCAN(hammer_buf_rb_tree, &hmp->rb_bufs_root, NULL,
477 hammer_recover_flush_buffer_callback, &final);
478 hammer_io_wait_all(hmp, "hmrrcw");
479 RB_SCAN(hammer_buf_rb_tree, &hmp->rb_bufs_root, NULL,
480 hammer_recover_flush_buffer_callback, &final);
481
482 /*
483 * Flush all volume headers except the root volume. If final < 0
484 * we discard all volume headers including the root volume.
485 */
486 if (final >= 0) {
487 RB_SCAN(hammer_vol_rb_tree, &hmp->rb_vols_root, NULL,
488 hammer_recover_flush_volume_callback, root_volume);
489 } else {
490 RB_SCAN(hammer_vol_rb_tree, &hmp->rb_vols_root, NULL,
491 hammer_recover_flush_volume_callback, NULL);
492 }
493
494 /*
495 * Finalize the root volume header.
496 */
497 if (root_volume && root_volume->io.recovered && final > 0) {
498 crit_enter();
499 while (hmp->io_running_space > 0)
500 tsleep(&hmp->io_running_space, 0, "hmrflx", 0);
501 crit_exit();
502 root_volume->io.recovered = 0;
503 hammer_io_flush(&root_volume->io, 0);
504 hammer_rel_volume(root_volume, 0);
505 }
506 }
507
508 /*
509 * Callback to flush volume headers. If discarding data will be NULL and
510 * all volume headers (including the root volume) will be discarded.
511 * Otherwise data is the root_volume and we flush all volume headers
512 * EXCEPT the root_volume.
513 */
514 static
515 int
516 hammer_recover_flush_volume_callback(hammer_volume_t volume, void *data)
517 {
518 hammer_volume_t root_volume = data;
519
520 if (volume->io.recovered && volume != root_volume) {
521 volume->io.recovered = 0;
522 if (root_volume != NULL)
523 hammer_io_flush(&volume->io, 0);
524 else
525 hammer_io_clear_modify(&volume->io, 1);
526 hammer_rel_volume(volume, 0);
527 }
528 return(0);
529 }
530
531 static
532 int
533 hammer_recover_flush_buffer_callback(hammer_buffer_t buffer, void *data)
534 {
535 int final = *(int *)data;
536
537 if (buffer->io.recovered) {
538 buffer->io.recovered = 0;
539 buffer->io.reclaim = 1;
540 if (final < 0)
541 hammer_io_clear_modify(&buffer->io, 1);
542 else
543 hammer_io_flush(&buffer->io, 0);
544 hammer_rel_buffer(buffer, 0);
545 } else {
546 KKASSERT(buffer->io.lock.refs == 0);
547 ++hammer_count_refedbufs;
548 hammer_ref(&buffer->io.lock);
549 buffer->io.reclaim = 1;
550 hammer_rel_buffer(buffer, 1);
551 }
552 return(0);
553 }
554
DragonFly BSD