dir.c revision b9a41fd39fb451c441a90e8959cb2dc2db84b497
/*
* Copyright 2005 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
/* Copyright (c) 1983, 1984, 1985, 1986, 1987, 1988, 1989 AT&T */
/* All Rights Reserved */
/*
* Copyright (c) 1980, 1986, 1990 The Regents of the University of California.
* All rights reserved.
*
* Redistribution and use in source and binary forms are permitted
* provided that: (1) source distributions retain this entire copyright
* notice and comment, and (2) distributions including binaries display
* the following acknowledgement: ``This product includes software
* developed by the University of California, Berkeley and its contributors''
* in the documentation or other materials provided with the distribution
* and in all advertising materials mentioning features or use of this
* software. Neither the name of the University nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*/
#pragma ident "%Z%%M% %I% %E% SMI"
#include <sys/sysmacros.h>
#include <string.h>
#include <stdarg.h>
#define _KERNEL
#include "fsck.h"
struct rc_queue {
};
static struct dirtemplate dirhead = {
};
static void lftempname(char *, fsck_ino_t);
static int expanddir(fsck_ino_t, char *);
/*
* Propagate connected state through the tree.
*/
void
propagate(void)
{
/*
* NOTE(review): most statements of this function are missing from
* this listing; the comments below describe only the visible
* fragments.
*/
/*
* Repeat whole passes until a pass finishes with change still zero.
*/
do {
change = 0;
continue;
/*
* change is bumped when a pass alters something (the condition is
* not visible here), which makes the while test below run another
* pass.
*/
change++;
}
}
} while (change > 0);
}
/*
* Scan each entry in a directory block.
*/
int
{
union { /* keep lint happy about alignment */
} u;
if (idesc->id_entryno == 0 &&
return (SKIP);
}
/*
* If we were just passed a corrupt directory entry with
* d_reclen > DIRBLKSIZ, copying d_reclen bytes with memmove()
* would write all over our stack, so we must not do the copy.
* This directory gets cleaned up later.
*/
/*
* We can ignore errors from getdirblk() here,
* as the block is still in memory thanks to
* buffering and fsck_readdir(). If there was
* an error reading it before, then all decisions
* leading to getting us here were based on the
* resulting zeros. As such, we have nothing
* to worry about at this point.
*/
sbdirty();
}
if (n & STOP)
return (n);
}
}
/*
* Get current entry in a directory (and peek at the next entry).
*/
static struct direct *
{
int dofixret;
int salvaged; /* when to report SALVAGED in preen mode */
/*
* Sanity check id_filesize and id_loc fields. The latter
* has to be within the block we're looking at, as well as
* aligned to a four-byte boundary. The alignment is due to
* a struct direct containing four-byte integers. It's
* unfortunate that the four is a magic number, but there's
* really no good way to derive it from the ufs header files.
*/
return (NULL);
/*
* We don't have to worry about holes in the directory's
* block list, because that was checked for when the
* inode was first encountered during pass1. We never
* scan a directory until after we've vetted its block list.
*/
/*
* We can ignore errors from getdirblk() here, as dircheck()
* will reject any entries that would have been in the bad
* sectors (fsck_bread() fills in zeros on failures). The main
* reason is that d_reclen in a zero-filled entry is zero, which
* is less than the minimal size of a directory entry. Since
* entries can't span sectors, there's no worry about having
* a good beginning in one sector and the rest in the next,
* where that second sector was unreadable and therefore
* replaced with zeros.
*/
/* LINTED b_buf is aligned and id_loc was verified above */
/*
* Check the current entry in the directory.
*/
/*
* If we are in here, then either the current directory
* entry is bad or the next directory entry is bad.
*/
/*
* Find the amount of space left to the end of the
* directory block for either directory entry.
*/
/*
* Advance to the end of the directory block.
*/
/*
* Ask the question before we fix the in-core directory
* block because dofix() may reuse the buffer.
*/
/*
* If there was an error reading the block, then that
* same error can reasonably be expected to have occurred
* when it was read previously. As such, the decision
* to come here was based on the results of that partially-
* zeroed block, and so anything we change should be
* based on it as well. Upshot: no need to check for
* errors here.
*/
/*
* This is the current directory entry and since it is
* corrupt we cannot trust the rest of the directory
* block so change the current directory entry to
* contain nothing and encompass the rest of the block.
*/
}
/*
* This is the next directory entry, i.e., we got here
* via a "goto next_is_bad". That directory entry is
* corrupt. However, the current directory entry is okay
* so if we are in fix mode, just extend its record size
* to encompass the rest of the block.
*/
else if (dofixret) {
}
/*
* If the user said to fix the directory corruption, then
* mark the block as dirty. Otherwise, our "repairs" only
* apply to the in-core copy so we don't hand back trash
* to the caller.
*
* Note: It is possible that saying "no" to a change in
* one part of the I/O buffer and "yes" to a later change
* in the same I/O buffer may still flush the change to
* which we said "no". This is the pathological case and
* no fix is planned at this time.
*/
if (dofixret) {
(void) printf(" (SALVAGED)\n");
lfdir = 0;
}
/*
* dp points into bp, which will get re-used at some
* arbitrary time in the future. We rely on the fact
* that we're single-threaded, and that we'll be done
* with this directory entry by the time the next one
* is needed.
*/
return (dp);
}
/*
* The current directory entry checked out so advance past it.
*/
/*
* If we are not at the directory block boundary, then peek
* at the next directory entry and if it is bad we can add
* its space to the current directory entry (compression).
* Again, we sanity check the id_loc and id_filesize fields
* since we modified them above.
*/
/* LINTED b_buf is aligned and id_loc verified to be ok */
goto next_is_bad;
}
/*
* See comment above about dp pointing into bp.
*/
return (dp);
}
/*
* Verify that a directory entry is valid.
* This is a superset of the checks made in the kernel.
*/
static int
{
/*
* NOTE(review): the signature and most statements of this function
* are missing from this listing; the comments below describe only
* the visible fragments. The visible returns are 1 on the accepting
* paths and 0 after the bad: label.
*/
char *cp;
int spaceleft;
/*
* Recall that id_filesize is the number of bytes left to
* process in the directory. We check id_filesize >= size
* instead of id_filesize >= d_reclen because all that the
* directory is actually required to contain is the entry
* itself (and it's how the kernel does the allocation).
*
* We indirectly check for d_reclen going past the end of
* the allocated space by comparing it against spaceleft.
*/
return (1);
goto bad;
/*
* A NUL byte at *cp leads to the accepting return; what cp points
* at is not visible here.
*/
if (*cp == '\0')
return (1);
}
/*
* Rejection path: describe the entry when debug is set, then
* return 0.
*/
bad:
if (debug) {
(void) printf("Bad dir in inode %d at lbn %d, loc %d:\n",
/*
* NOTE(review): the argument lists are cut off in this listing. If
* the %s argument is the name field of the entry that just failed
* validation, it is not guaranteed to be NUL-terminated; confirm
* that the print is bounded by a clamped length.
*/
(void) printf(" ino %d reclen %d namlen %d name `%s'\n",
}
return (0);
}
void
{
int saveiscorrupt;
/*
* If we have not hit any unresolved problems, are running
* in preen mode, and are on a file system using logging,
* then just toss any partially allocated files, as they are
* an expected occurrence.
*/
return;
} else {
/*
* The file system can be considered clean even if
* a file is not linked up, but is cleared. In
* other words, the kernel won't panic over it.
* Hence, iscorrupt should not be set when
* linkup is answered no, but clri is answered yes.
*
* If neither is answered yes, then we have a
* non-panic-inducing known corruption that the
* user needs to be reminded of when we exit.
*/
NULL) == 0) {
iscorrupt = 1;
return;
}
}
}
/*
* It doesn't happen often, but it's possible to get a true
* excess of links (especially if a lot of directories got
* orphaned and reattached to lost+found). Instead of wrapping
* around, do something semi-useful (i.e., give progress towards
* a less-broken filesystem) when this happens.
*/
return;
}
pwarn("LINK COUNT %s",
(void) printf(" COUNT %d SHOULD BE %d",
/*
* Even lost+found is subject to this, as whenever
* we modify it, we update both the in-memory and
* on-disk counts. Thus, they should still be in
* sync.
*/
if (preen) {
if (lcnt < 0) {
(void) printf("\n");
pwarn("LINK COUNT INCREASING");
else
pfatal("LINK COUNT INCREASING");
}
}
inodirty();
if (preen)
(void) printf(" (ADJUSTED)\n");
/*
* File counts can be off relatively harmlessly,
* but a bad directory count can cause the
* kernel to lose its mind.
*/
iscorrupt = 1;
}
}
}
static int
{
else
oldlen = 0;
return (KEEPON);
/* LINTED dirp is aligned and DIRSIZ() forces oldlen to be aligned */
}
static int
{
return (KEEPON);
}
int
{
int rval;
int lostdir;
int lostshadow;
(void) printf(
"old fsck would have left inode %d for reclaim thread\n",
orphan);
return (0);
goto noconnect;
if (lfdir == 0) {
} else {
if (lfdir != 0) {
if (preen)
(void) printf(" (CREATED)\n");
else
(void) printf("\n");
/*
* XXX What if we allocate an inode
* that's already been scanned? Then
* we need to leave lncntp[] alone.
*/
lncntp[UFSROOTINO]++);
}
}
}
if (lfdir == 0) {
goto noconnect;
} else {
/*
* We searched for it via the namespace, so by
* definition it's been found. We have to do this
* because it is possible that we're called before
* the full namespace mapping is complete (especially
* from pass 1, if it encounters a corrupt directory
* that has to be cleared).
*/
}
}
if (reply("REALLOCATE") == 0) {
iscorrupt = 1;
goto noconnect;
}
if (lfdir == 0) {
iscorrupt = 1;
pfatal("SORRY. CANNOT CREATE %s DIRECTORY\n\n",
lfname);
goto noconnect;
}
inodirty();
}
/*
* Not a consistency problem of the sort that'll
* cause the kernel heartburn, so don't set iscorrupt.
*/
if (debug)
(void) printf("lfdir %d is in state 0x%x\n",
lfdir = 0;
goto noconnect;
}
return (rval);
/*
* Leaving things unconnected is harmless as far as trying to
* use the filesystem later, so don't set iscorrupt yet (it's
* just lost blocks and inodes, after all).
*
* Lost directories get noted for reporting after all checks
* are done - they may get cleared later.
*/
if (lostdir) {
errexit("linkup: out of memory");
}
return (0);
}
/*
* Connect an orphaned inode to lost+found.
*
* Returns non-zero for success, zero for failure.
*/
static int
{
int lostdir;
goto noconnect;
goto noconnect;
}
goto noconnect;
}
/*
* Make sure that anything we put into the normal namespace
* looks like it belongs there. Attributes can only be in
* attribute directories, not the normal directory lost+found.
*/
if (lostdir) {
/*
* Can't be creating a duplicate entry with makeentry(),
* because changeino() will succeed if ".." already
* exists.
*/
/*
* If we were half-detached, don't try to get
* inode 0 later on.
*/
if (parentdir == 0)
parentdir = -1;
/*
* Fix up link counts.
*
* XXX This section is getting pretty byzantine, especially
* when combined with changeino()/chgino()'s link manipulation.
*/
reattached_dir = 1;
/*
* Have to clear the parent's reference. Otherwise,
* if it's an orphan, then we may clear this orphan
* in pass 4 even though we've reconnected it.
*
* We already have the reference count
* allowing for a parent link, so undo the
* adjustment done above. Otherwise we come
* out high by one.
*/
}
if (!preen)
(void) printf("\n");
} else if (preen) {
(void) printf(" (RECONNECTED)\n");
}
return (1);
/*
* Leaving things unconnected is harmless as far as trying to
* use the filesystem later, so don't set iscorrupt yet (it's
* just lost blocks and inodes, after all).
*
* Lost directories get noted for reporting after all checks
* are done - they may get cleared later.
*/
if (lostdir) {
errexit("linkup: out of memory");
}
return (0);
}
/*
* fix an entry in a directory.
*/
int
{
}
/*
* make an entry in a directory
*/
int
{
int repeat;
return (0);
repeat = 0;
inodirty();
}
return (1);
}
if (repeat == 0) {
return (0);
repeat = 1;
goto again;
}
return (0);
}
/*
* Attempt to expand the size of a directory
*/
static int
{
char *cp;
int bc, f;
int n;
int allocIndir;
int frag2blks;
int lffragsz = 0;
int c = 0;
int retval = 0;
goto bail;
}
/*
* Check that none of the nominally in-use direct block
* addresses for the directory are bogus.
*/
goto bail;
}
}
/*
* Determine our data block allocation needs. We always need to
* allocate at least one data block. We may need a second, the
* indirect block itself.
*/
allocIndir = 0;
nxtibn = -1;
n = 0;
/*
* Still in direct blocks. Check for the unlikely
* case where the last block is a frag rather than
* a full block. This would only happen if someone had
* created a file in lost+found, and then that caused
* the dynamic directory shrinking capabilities of ufs
* to kick in.
*
* Note that we test nxtbn <= NDADDR, as it's the
* next block (i.e., one greater than the current/
* actual block being examined).
*/
}
/*
* Only go one level of indirection
*/
if (nxtibn >= n) {
goto bail;
}
/*
* First indirect block means we need to pick up
* the actual indirect pointer block as well.
*/
if (nxtibn == 0)
allocIndir++;
}
/*
* Allocate all the new blocks we need.
*/
goto bail;
}
c++;
if (allocIndir) {
goto bail;
}
c++;
}
/*
* Take care of the block that will hold new directory entries.
* This one is always allocated.
*/
goto bail;
}
if (lffragsz) {
/*
* Preserve the partially-populated existing directory.
*/
}
}
/*
* Initialize the new fragments. lffragsz is zero if this
* is a completely-new block.
*/
sizeof (emptydir));
}
/*
* If we allocated the indirect block, zero it out. Otherwise
* read it in if we're using one.
*/
if (allocIndir) {
goto bail;
}
} else if (nxtibn >= 0) {
/* Check that the indirect block pointer looks okay */
goto bail;
}
goto bail;
}
/* LINTED pointer cast alignment */
goto bail;
}
}
}
/*
* Since the filesystem's consistency isn't affected by
* whether or not we actually do the expansion, iscorrupt
* is left alone for any of the approval paths.
*/
goto bail;
/*
* Now that everything we need is gathered up and the
* necessary approvals acquired, we can make our provisional
* changes permanent.
*/
if (lffragsz) {
/*
* We've saved the data from the old end fragment(s) in
* our new block, so we can just swap the new one in.
* Make sure the size reflects the expansion.
*/
inodirty();
retval = 1;
goto done;
}
/*
* Full-block addition's much easier. It's just an append.
*/
if (allocIndir) {
}
inodirty();
if (nxtibn < 0) {
/*
* Still in direct blocks
*/
} else {
/*
* Last indirect is always going to point at the
* new directory buffer
*/
if (allocIndir)
/* LINTED pointer cast alignment */
}
if (preen)
(void) printf(" (EXPANDED)\n");
retval = 1;
goto done;
bail:
for (f = 0; f < c; f++)
done:
/*
* bp[0] is handled by the directory cache's auto-release.
*/
return (retval);
}
static fsck_ino_t
{
/*
* This function creates a new directory and populates it with
* "." and "..", then links to it as NAME in PARENT.
*/
if (dino != 0) {
/*
* We don't touch numdirs, because it's just a cache of
* what the filesystem claimed originally and is used
* to calculate hash keys.
*/
dino = 0;
}
}
return (dino);
}
/*
* Replace whatever NAME refers to in PARENT with a new directory.
* Note that if the old inode REQUEST is a directory, all of its
* contents will be freed and reaped.
*/
static fsck_ino_t
{
int retval;
if (newino != 0) {
/*
* No change made, so name doesn't exist, so
* unwind allocation rather than leak it.
*/
newino = 0;
}
}
return (newino);
}
/*
* allocate a new directory
*/
{
struct dirtemplate *dirp;
if (ino == 0)
return (0);
return (0);
}
sizeof (struct dirtemplate));
inodirty();
} else {
/*
* re-using an old directory inode
*/
if (debug)
errexit("allocdir got NULL from getinoinfo "
"for existing entry I=%d\n",
ino);
} else {
}
}
/*
* Short-circuit all the dancing around below if it's the
* root inode. The net effect's the same.
*/
if (ino == UFSROOTINO) {
return (ino);
}
if (!update_parent)
return (ino);
/*
* We never create attribute directories, which can have
* non-directory parents. So, the parent of the directory
* we're creating must itself be a directory.
*/
if (!INO_IS_DVALID(parent)) {
return (0);
}
/*
* Make sure the parent can handle another link.
* Since we might only update one version of the
* count (disk versus in-memory), we have to check both.
*/
/*
* No parent any more, so bail out. Callers
* are expected to handle this possibility.
* Since most just throw up their hands if
* we return 0, this just happens to work.
*/
return (0);
}
}
/*
* We've created a directory with two entries, "." and "..",
* and a link count of two ("." and one from its parent). If
* the parent's not been scanned yet, which means this inode
* will get scanned later as well, then make our in-core count
* match what we pushed out to disk. Similarly, update the
* parent. On the other hand, if the parent's already been
* looked at (statemap[ino] == DFOUND), the discrepancy
* between lncntp[] and di_nlink will be noted later, with
* appropriate reporting and propagation, in pass2.
*
* We're explicitly skipping where the parent was DZLINK or
* DFOUND. If it has zero links, it can't be gotten to, so
* we want a discrepancy set up that will be caught in pass2.
* DFOUND was discussed above.
*
* Regarding the claim of a link from the parent: we've not
* done anything to create such a link here. We depend on the
* semantics of our callers attaching the inode we return to
* an existing entry in the directory or creating the entry
* themselves, but in either case, not modifying the link
* count.
*
* Note that setting lncntp[ino] to zero means that both claimed
* links have been ``found''.
*/
if (INO_IS_DVALID(parent)) {
}
inodirty();
return (ino);
}
/*
* free a directory inode
*/
static void
{
/*
* Make sure that the desired parent gets a link
* count update from freeino()/truncino(). If
* we can't look it up, then it's not really a
* directory, so there's nothing to worry about.
*/
}
}
/*
* generate a temporary name for use in the lost+found directory.
*/
static void
{
/*
* NOTE(review): the signature and several statements of this
* function are missing from this listing; the comments below
* describe only the visible fragments.
*/
int namlen;
cp++;
/*
* The terminator is stored with a pre-decrement of cp; the later
* stores suggest the name is filled in from its end toward its
* start - TODO confirm against the full source.
*/
*--cp = '\0';
/* LINTED difference will not overflow an int */
/*
* Abort rather than write outside the name buffer. The bounds
* condition guarding this call is not visible in this listing.
*/
errexit("buffer overflow in lftempname()\n");
}
/*
* Drop the low decimal digit of the number being converted.
*/
in /= 10;
}
/*
* The last visible store puts '#' at cp.
*/
*cp = '#';
}
/*
* Get a directory block.
* Ensure that it is held until another is requested.
*
* Callers must be prepared to handle blocks of zeros in the
* middle of a directory.
*/
static struct bufarea *
{
if (pdirbp != 0) {
}
return (pdirbp);
}
/*
* Create a unique name for INODE to be created in directory PARENT.
* Use NAME if it is provided (non-NULL) and doesn't already exist.
* Returning NULL indicates no unique name could be generated.
*
* If we were given a name, and it conflicts with an existing
* entry, use our usual temp name instead. Without this check,
* we could end up creating duplicate entries for multiple
* orphaned directories in lost+found with the same name (but
* different parents). Of course, our usual name might already
* be in use as well, so be paranoid.
*
* We could do something like keep tacking something onto the
* end of tempname until we come up with something that's not
* in use, but that has liabilities as well. This is a
* sufficiently rare case that it's not worth going that
* overboard for.
*/
static caddr_t
{
}
/*
* No name given, or it wasn't unique.
*/
"Name ``%s'' for inode %d already exists in %s \n",
if (reply("REMOVE OLD ENTRY") == 0) {
"Could not reconnect inode %d\n\n",
inode);
else
"Could not create entry for %d\n\n",
inode);
goto noconnect;
}
/*
* Do a best-effort, but if we're not
* allowed to do the clear, the fs is
* corrupt in any case, so just carry on.
*/
&idesc);
iscorrupt = 1;
} else {
}
}
}
return (name);
}