xref: /netbsd-src/sys/ufs/lfs/lfs_rfw.c (revision 6a493d6bc668897c91594964a732d38505b70cbb)
1 /*	$NetBSD: lfs_rfw.c,v 1.18 2013/07/28 01:05:52 dholland Exp $	*/
2 
3 /*-
4  * Copyright (c) 1999, 2000, 2001, 2002, 2003 The NetBSD Foundation, Inc.
5  * All rights reserved.
6  *
7  * This code is derived from software contributed to The NetBSD Foundation
8  * by Konrad E. Schroder <perseant@hhhh.org>.
9  *
10  * Redistribution and use in source and binary forms, with or without
11  * modification, are permitted provided that the following conditions
12  * are met:
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in the
17  *    documentation and/or other materials provided with the distribution.
18  *
19  * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
20  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
21  * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
22  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
23  * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
24  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
25  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
26  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
27  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29  * POSSIBILITY OF SUCH DAMAGE.
30  */
31 
32 #include <sys/cdefs.h>
33 __KERNEL_RCSID(0, "$NetBSD: lfs_rfw.c,v 1.18 2013/07/28 01:05:52 dholland Exp $");
34 
35 #if defined(_KERNEL_OPT)
36 #include "opt_quota.h"
37 #endif
38 
39 #include <sys/param.h>
40 #include <sys/systm.h>
41 #include <sys/namei.h>
42 #include <sys/proc.h>
43 #include <sys/kernel.h>
44 #include <sys/vnode.h>
45 #include <sys/mount.h>
46 #include <sys/kthread.h>
47 #include <sys/buf.h>
48 #include <sys/device.h>
49 #include <sys/mbuf.h>
50 #include <sys/file.h>
51 #include <sys/disklabel.h>
52 #include <sys/ioctl.h>
53 #include <sys/errno.h>
54 #include <sys/malloc.h>
55 #include <sys/pool.h>
56 #include <sys/socket.h>
57 #include <sys/syslog.h>
58 #include <uvm/uvm_extern.h>
59 #include <sys/sysctl.h>
60 #include <sys/conf.h>
61 #include <sys/kauth.h>
62 
63 #include <miscfs/specfs/specdev.h>
64 
65 #include <ufs/lfs/ulfs_quotacommon.h>
66 #include <ufs/lfs/ulfs_inode.h>
67 #include <ufs/lfs/ulfsmount.h>
68 #include <ufs/lfs/ulfs_extern.h>
69 
70 #include <uvm/uvm.h>
71 #include <uvm/uvm_stat.h>
72 #include <uvm/uvm_pager.h>
73 #include <uvm/uvm_pdaemon.h>
74 
75 #include <ufs/lfs/lfs.h>
76 #include <ufs/lfs/lfs_kernel.h>
77 #include <ufs/lfs/lfs_extern.h>
78 
79 #include <miscfs/genfs/genfs.h>
80 #include <miscfs/genfs/genfs_node.h>
81 
82 /*
83  * Roll-forward code.
84  */
85 static daddr_t check_segsum(struct lfs *, daddr_t, u_int64_t,
86     kauth_cred_t, int, int *, struct lwp *);
87 
88 extern int lfs_do_rfw;
89 
90 /*
91  * Allocate a particular inode with a particular version number, freeing
92  * any previous versions of this inode that may have gone before.
93  * Used by the roll-forward code.
94  *
95  * XXX this function does not have appropriate locking to be used on a live fs;
96  * XXX but something similar could probably be used for an "undelete" call.
97  *
98  * Called with the Ifile inode locked.
99  */
100 int
101 lfs_rf_valloc(struct lfs *fs, ino_t ino, int vers, struct lwp *l,
102 	      struct vnode **vpp)
103 {
104 	IFILE *ifp;
105 	struct buf *bp, *cbp;
106 	struct vnode *vp;
107 	struct inode *ip;
108 	ino_t tino, oldnext;
109 	int error;
110 	CLEANERINFO *cip;
111 
112 	ASSERT_SEGLOCK(fs); /* XXX it doesn't, really */
113 
114 	/*
115 	 * First, just try a vget. If the version number is the one we want,
116 	 * we don't have to do anything else.  If the version number is wrong,
117 	 * take appropriate action.
118 	 */
119 	error = VFS_VGET(fs->lfs_ivnode->v_mount, ino, &vp);
120 	if (error == 0) {
121 		DLOG((DLOG_RF, "lfs_rf_valloc[1]: ino %d vp %p\n", ino, vp));
122 
123 		*vpp = vp;
124 		ip = VTOI(vp);
125 		if (ip->i_gen == vers)
126 			return 0;
127 		else if (ip->i_gen < vers) {
128 			lfs_truncate(vp, (off_t)0, 0, NOCRED);
129 			ip->i_gen = ip->i_ffs1_gen = vers;
130 			LFS_SET_UINO(ip, IN_CHANGE | IN_UPDATE);
131 			return 0;
132 		} else {
133 			DLOG((DLOG_RF, "ino %d: sought version %d, got %d\n",
134 			       ino, vers, ip->i_ffs1_gen));
135 			vput(vp);
136 			*vpp = NULLVP;
137 			return EEXIST;
138 		}
139 	}
140 
141 	/*
142 	 * The inode is not in use.  Find it on the free list.
143 	 */
144 	/* If the Ifile is too short to contain this inum, extend it */
145 	while (VTOI(fs->lfs_ivnode)->i_size <= (ino /
146 		fs->lfs_ifpb + fs->lfs_cleansz + fs->lfs_segtabsz)
147 		<< fs->lfs_bshift) {
148 		lfs_extend_ifile(fs, NOCRED);
149 	}
150 
151 	LFS_IENTRY(ifp, fs, ino, bp);
152 	oldnext = ifp->if_nextfree;
153 	ifp->if_version = vers;
154 	brelse(bp, 0);
155 
156 	LFS_GET_HEADFREE(fs, cip, cbp, &ino);
157 	if (ino) {
158 		LFS_PUT_HEADFREE(fs, cip, cbp, oldnext);
159 	} else {
160 		tino = ino;
161 		while (1) {
162 			LFS_IENTRY(ifp, fs, tino, bp);
163 			if (ifp->if_nextfree == ino ||
164 			    ifp->if_nextfree == LFS_UNUSED_INUM)
165 				break;
166 			tino = ifp->if_nextfree;
167 			brelse(bp, 0);
168 		}
169 		if (ifp->if_nextfree == LFS_UNUSED_INUM) {
170 			brelse(bp, 0);
171 			return ENOENT;
172 		}
173 		ifp->if_nextfree = oldnext;
174 		LFS_BWRITE_LOG(bp);
175 	}
176 
177 	error = lfs_ialloc(fs, fs->lfs_ivnode, ino, vers, &vp);
178 	if (error == 0) {
179 		/*
180 		 * Make it VREG so we can put blocks on it.  We will change
181 		 * this later if it turns out to be some other kind of file.
182 		 */
183 		ip = VTOI(vp);
184 		ip->i_mode = ip->i_ffs1_mode = LFS_IFREG;
185 		ip->i_nlink = ip->i_ffs1_nlink = 1;
186 		ulfs_vinit(vp->v_mount, lfs_specop_p, lfs_fifoop_p, &vp);
187 		ip = VTOI(vp);
188 
189 		DLOG((DLOG_RF, "lfs_rf_valloc: ino %d vp %p\n", ino, vp));
190 
191 		/* The dirop-nature of this vnode is past */
192 		lfs_unmark_vnode(vp);
193 		(void)lfs_vunref(vp);
194 		vp->v_uflag &= ~VU_DIROP;
195 		mutex_enter(&lfs_lock);
196 		--lfs_dirvcount;
197 		--fs->lfs_dirvcount;
198 		TAILQ_REMOVE(&fs->lfs_dchainhd, ip, i_lfs_dchain);
199 		wakeup(&lfs_dirvcount);
200 		wakeup(&fs->lfs_dirvcount);
201 		mutex_exit(&lfs_lock);
202 	}
203 	*vpp = vp;
204 	return error;
205 }
206 
207 /*
208  * Load the appropriate indirect block, and change the appropriate pointer.
209  * Mark the block dirty.  Do segment and avail accounting.
210  */
211 static int
212 update_meta(struct lfs *fs, ino_t ino, int vers, daddr_t lbn,
213 	    daddr_t ndaddr, size_t size, struct lwp *l)
214 {
215 	int error;
216 	struct vnode *vp;
217 	struct inode *ip;
218 #ifdef DEBUG
219 	daddr_t odaddr;
220 	struct indir a[ULFS_NIADDR];
221 	int num;
222 	int i;
223 #endif /* DEBUG */
224 	struct buf *bp;
225 	SEGUSE *sup;
226 
227 	KASSERT(lbn >= 0);	/* no indirect blocks */
228 
229 	if ((error = lfs_rf_valloc(fs, ino, vers, l, &vp)) != 0) {
230 		DLOG((DLOG_RF, "update_meta: ino %d: lfs_rf_valloc"
231 		      " returned %d\n", ino, error));
232 		return error;
233 	}
234 
235 	if ((error = lfs_balloc(vp, (lbn << fs->lfs_bshift), size,
236 				NOCRED, 0, &bp)) != 0) {
237 		vput(vp);
238 		return (error);
239 	}
240 	/* No need to write, the block is already on disk */
241 	if (bp->b_oflags & BO_DELWRI) {
242 		LFS_UNLOCK_BUF(bp);
243 		fs->lfs_avail += lfs_btofsb(fs, bp->b_bcount);
244 	}
245 	brelse(bp, BC_INVAL);
246 
247 	/*
248 	 * Extend the file, if it is not large enough already.
249 	 * XXX this is not exactly right, we don't know how much of the
250 	 * XXX last block is actually used.  We hope that an inode will
251 	 * XXX appear later to give the correct size.
252 	 */
253 	ip = VTOI(vp);
254 	if (ip->i_size <= (lbn << fs->lfs_bshift)) {
255 		u_int64_t newsize;
256 
257 		if (lbn < ULFS_NDADDR)
258 			newsize = ip->i_ffs1_size = (lbn << fs->lfs_bshift) +
259 				(size - fs->lfs_fsize) + 1;
260 		else
261 			newsize = ip->i_ffs1_size = (lbn << fs->lfs_bshift) + 1;
262 
263 		if (ip->i_size < newsize) {
264 			ip->i_size = newsize;
265 			/*
266 			 * tell vm our new size for the case the inode won't
267 			 * appear later.
268 			 */
269 			uvm_vnp_setsize(vp, newsize);
270 		}
271 	}
272 
273 	lfs_update_single(fs, NULL, vp, lbn, ndaddr, size);
274 
275 	LFS_SEGENTRY(sup, fs, lfs_dtosn(fs, ndaddr), bp);
276 	sup->su_nbytes += size;
277 	LFS_WRITESEGENTRY(sup, fs, lfs_dtosn(fs, ndaddr), bp);
278 
279 	/* differences here should be due to UNWRITTEN indirect blocks. */
280 	KASSERT((lfs_lblkno(fs, ip->i_size) > ULFS_NDADDR &&
281 	    ip->i_lfs_effnblks == ip->i_ffs1_blocks) ||
282 	    ip->i_lfs_effnblks >= ip->i_ffs1_blocks);
283 
284 #ifdef DEBUG
285 	/* Now look again to make sure it worked */
286 	ulfs_bmaparray(vp, lbn, &odaddr, &a[0], &num, NULL, NULL);
287 	for (i = num; i > 0; i--) {
288 		if (!a[i].in_exists)
289 			panic("update_meta: absent %d lv indirect block", i);
290 	}
291 	if (LFS_DBTOFSB(fs, odaddr) != ndaddr)
292 		DLOG((DLOG_RF, "update_meta: failed setting ino %d lbn %"
293 		      PRId64 " to %" PRId64 "\n", ino, lbn, ndaddr));
294 #endif /* DEBUG */
295 	vput(vp);
296 	return 0;
297 }
298 
299 static int
300 update_inoblk(struct lfs *fs, daddr_t offset, kauth_cred_t cred,
301 	      struct lwp *l)
302 {
303 	struct vnode *devvp, *vp;
304 	struct inode *ip;
305 	struct ulfs1_dinode *dip;
306 	struct buf *dbp, *ibp;
307 	int error;
308 	daddr_t daddr;
309 	IFILE *ifp;
310 	SEGUSE *sup;
311 
312 	devvp = VTOI(fs->lfs_ivnode)->i_devvp;
313 
314 	/*
315 	 * Get the inode, update times and perms.
316 	 * DO NOT update disk blocks, we do that separately.
317 	 */
318 	error = bread(devvp, LFS_FSBTODB(fs, offset), fs->lfs_ibsize,
319 	    cred, 0, &dbp);
320 	if (error) {
321 		DLOG((DLOG_RF, "update_inoblk: bread returned %d\n", error));
322 		return error;
323 	}
324 	dip = ((struct ulfs1_dinode *)(dbp->b_data)) + LFS_INOPB(fs);
325 	while (--dip >= (struct ulfs1_dinode *)dbp->b_data) {
326 		if (dip->di_inumber > LFS_IFILE_INUM) {
327 			error = lfs_rf_valloc(fs, dip->di_inumber, dip->di_gen,
328 					      l, &vp);
329 			if (error) {
330 				DLOG((DLOG_RF, "update_inoblk: lfs_rf_valloc"
331 				      " returned %d\n", error));
332 				continue;
333 			}
334 			ip = VTOI(vp);
335 			if (dip->di_size != ip->i_size)
336 				lfs_truncate(vp, dip->di_size, 0, NOCRED);
337 			/* Get mode, link count, size, and times */
338 			memcpy(ip->i_din.ffs1_din, dip,
339 			       offsetof(struct ulfs1_dinode, di_db[0]));
340 
341 			/* Then the rest, except di_blocks */
342 			ip->i_flags = ip->i_ffs1_flags = dip->di_flags;
343 			ip->i_gen = ip->i_ffs1_gen = dip->di_gen;
344 			ip->i_uid = ip->i_ffs1_uid = dip->di_uid;
345 			ip->i_gid = ip->i_ffs1_gid = dip->di_gid;
346 
347 			ip->i_mode = ip->i_ffs1_mode;
348 			ip->i_nlink = ip->i_ffs1_nlink;
349 			ip->i_size = ip->i_ffs1_size;
350 
351 			LFS_SET_UINO(ip, IN_CHANGE | IN_UPDATE);
352 
353 			/* Re-initialize to get type right */
354 			ulfs_vinit(vp->v_mount, lfs_specop_p, lfs_fifoop_p,
355 				  &vp);
356 			vput(vp);
357 
358 			/* Record change in location */
359 			LFS_IENTRY(ifp, fs, dip->di_inumber, ibp);
360 			daddr = ifp->if_daddr;
361 			ifp->if_daddr = LFS_DBTOFSB(fs, dbp->b_blkno);
362 			error = LFS_BWRITE_LOG(ibp); /* Ifile */
363 			/* And do segment accounting */
364 			if (lfs_dtosn(fs, daddr) != lfs_dtosn(fs, LFS_DBTOFSB(fs, dbp->b_blkno))) {
365 				if (daddr > 0) {
366 					LFS_SEGENTRY(sup, fs, lfs_dtosn(fs, daddr),
367 						     ibp);
368 					sup->su_nbytes -= sizeof (struct ulfs1_dinode);
369 					LFS_WRITESEGENTRY(sup, fs,
370 							  lfs_dtosn(fs, daddr),
371 							  ibp);
372 				}
373 				LFS_SEGENTRY(sup, fs, lfs_dtosn(fs, LFS_DBTOFSB(fs, dbp->b_blkno)),
374 					     ibp);
375 				sup->su_nbytes += sizeof (struct ulfs1_dinode);
376 				LFS_WRITESEGENTRY(sup, fs,
377 						  lfs_dtosn(fs, LFS_DBTOFSB(fs, dbp->b_blkno)),
378 						  ibp);
379 			}
380 		}
381 	}
382 	brelse(dbp, BC_AGE);
383 
384 	return 0;
385 }
386 
387 #define CHECK_CKSUM   0x0001  /* Check the checksum to make sure it's valid */
388 #define CHECK_UPDATE  0x0002  /* Update Ifile for new data blocks / inodes */
389 
390 static daddr_t
391 check_segsum(struct lfs *fs, daddr_t offset, u_int64_t nextserial,
392 	     kauth_cred_t cred, int flags, int *pseg_flags, struct lwp *l)
393 {
394 	struct vnode *devvp;
395 	struct buf *bp, *dbp;
396 	int error, nblocks = 0, ninos, i, j; /* XXX: gcc */
397 	SEGSUM *ssp;
398 	u_long *dp = NULL, *datap = NULL; /* XXX u_int32_t */
399 	daddr_t oldoffset;
400 	int32_t *iaddr;	/* XXX ondisk32 */
401 	FINFO *fip;
402 	SEGUSE *sup;
403 	size_t size;
404 
405 	devvp = VTOI(fs->lfs_ivnode)->i_devvp;
406 	/*
407 	 * If the segment has a superblock and we're at the top
408 	 * of the segment, skip the superblock.
409 	 */
410 	if (lfs_sntod(fs, lfs_dtosn(fs, offset)) == offset) {
411 		LFS_SEGENTRY(sup, fs, lfs_dtosn(fs, offset), bp);
412 		if (sup->su_flags & SEGUSE_SUPERBLOCK)
413 			offset += lfs_btofsb(fs, LFS_SBPAD);
414 		brelse(bp, 0);
415 	}
416 
417 	/* Read in the segment summary */
418 	error = bread(devvp, LFS_FSBTODB(fs, offset), fs->lfs_sumsize,
419 	    cred, 0, &bp);
420 	if (error)
421 		return -1;
422 
423 	/* Check summary checksum */
424 	ssp = (SEGSUM *)bp->b_data;
425 	if (flags & CHECK_CKSUM) {
426 		if (ssp->ss_sumsum != cksum(&ssp->ss_datasum,
427 					   fs->lfs_sumsize -
428 					   sizeof(ssp->ss_sumsum))) {
429 			DLOG((DLOG_RF, "Sumsum error at 0x%" PRIx64 "\n", offset));
430 			offset = -1;
431 			goto err1;
432 		}
433 		if (ssp->ss_nfinfo == 0 && ssp->ss_ninos == 0) {
434 			DLOG((DLOG_RF, "Empty pseg at 0x%" PRIx64 "\n", offset));
435 			offset = -1;
436 			goto err1;
437 		}
438 		if (ssp->ss_create < fs->lfs_tstamp) {
439 			DLOG((DLOG_RF, "Old data at 0x%" PRIx64 "\n", offset));
440 			offset = -1;
441 			goto err1;
442 		}
443 	}
444 	if (fs->lfs_version > 1) {
445 		if (ssp->ss_serial != nextserial) {
446 			DLOG((DLOG_RF, "Unexpected serial number at 0x%" PRIx64
447 			      "\n", offset));
448 			offset = -1;
449 			goto err1;
450 		}
451 		if (ssp->ss_ident != fs->lfs_ident) {
452 			DLOG((DLOG_RF, "Incorrect fsid (0x%x vs 0x%x) at 0x%"
453 			      PRIx64 "\n", ssp->ss_ident, fs->lfs_ident, offset));
454 			offset = -1;
455 			goto err1;
456 		}
457 	}
458 	if (pseg_flags)
459 		*pseg_flags = ssp->ss_flags;
460 	oldoffset = offset;
461 	offset += lfs_btofsb(fs, fs->lfs_sumsize);
462 
463 	ninos = howmany(ssp->ss_ninos, LFS_INOPB(fs));
464 	/* XXX ondisk32 */
465 	iaddr = (int32_t *)((char*)bp->b_data + fs->lfs_sumsize - sizeof(int32_t));
466 	if (flags & CHECK_CKSUM) {
467 		/* Count blocks */
468 		nblocks = 0;
469 		fip = (FINFO *)((char*)bp->b_data + SEGSUM_SIZE(fs));
470 		for (i = 0; i < ssp->ss_nfinfo; ++i) {
471 			nblocks += fip->fi_nblocks;
472 			if (fip->fi_nblocks <= 0)
473 				break;
474 			/* XXX ondisk32 */
475 			fip = (FINFO *)(((char *)fip) + FINFOSIZE +
476 					(fip->fi_nblocks * sizeof(int32_t)));
477 		}
478 		nblocks += ninos;
479 		/* Create the sum array */
480 		datap = dp = (u_long *)malloc(nblocks * sizeof(u_long),
481 					      M_SEGMENT, M_WAITOK);
482 	}
483 
484 	/* Handle individual blocks */
485 	fip = (FINFO *)((char*)bp->b_data + SEGSUM_SIZE(fs));
486 	for (i = 0; i < ssp->ss_nfinfo || ninos; ++i) {
487 		/* Inode block? */
488 		if (ninos && *iaddr == offset) {
489 			if (flags & CHECK_CKSUM) {
490 				/* Read in the head and add to the buffer */
491 				error = bread(devvp, LFS_FSBTODB(fs, offset), fs->lfs_bsize,
492 					      cred, 0, &dbp);
493 				if (error) {
494 					offset = -1;
495 					goto err2;
496 				}
497 				(*dp++) = ((u_long *)(dbp->b_data))[0];
498 				brelse(dbp, BC_AGE);
499 			}
500 			if (flags & CHECK_UPDATE) {
501 				if ((error = update_inoblk(fs, offset, cred, l))
502 				    != 0) {
503 					offset = -1;
504 					goto err2;
505 				}
506 			}
507 			offset += lfs_btofsb(fs, fs->lfs_ibsize);
508 			--iaddr;
509 			--ninos;
510 			--i; /* compensate */
511 			continue;
512 		}
513 		size = fs->lfs_bsize;
514 		for (j = 0; j < fip->fi_nblocks; ++j) {
515 			if (j == fip->fi_nblocks - 1)
516 				size = fip->fi_lastlength;
517 			if (flags & CHECK_CKSUM) {
518 				error = bread(devvp, LFS_FSBTODB(fs, offset), size,
519 				    cred, 0, &dbp);
520 				if (error) {
521 					offset = -1;
522 					goto err2;
523 				}
524 				(*dp++) = ((u_long *)(dbp->b_data))[0];
525 				brelse(dbp, BC_AGE);
526 			}
527 			/* Account for and update any direct blocks */
528 			if ((flags & CHECK_UPDATE) &&
529 			   fip->fi_ino > LFS_IFILE_INUM &&
530 			   fip->fi_blocks[j] >= 0) {
531 				update_meta(fs, fip->fi_ino, fip->fi_version,
532 					    fip->fi_blocks[j], offset, size, l);
533 			}
534 			offset += lfs_btofsb(fs, size);
535 		}
536 		/* XXX ondisk32 */
537 		fip = (FINFO *)(((char *)fip) + FINFOSIZE
538 				+ fip->fi_nblocks * sizeof(int32_t));
539 	}
540 	/* Checksum the array, compare */
541 	if ((flags & CHECK_CKSUM) &&
542 	   ssp->ss_datasum != cksum(datap, nblocks * sizeof(u_long)))
543 	{
544 		DLOG((DLOG_RF, "Datasum error at 0x%" PRIx64
545 		      " (wanted %x got %x)\n",
546 		      offset, ssp->ss_datasum, cksum(datap, nblocks *
547 						     sizeof(u_long))));
548 		offset = -1;
549 		goto err2;
550 	}
551 
552 	/* If we're at the end of the segment, move to the next */
553 	if (lfs_dtosn(fs, offset + lfs_btofsb(fs, fs->lfs_sumsize + fs->lfs_bsize)) !=
554 	   lfs_dtosn(fs, offset)) {
555 		if (lfs_dtosn(fs, offset) == lfs_dtosn(fs, ssp->ss_next)) {
556 			offset = -1;
557 			goto err2;
558 		}
559 		offset = ssp->ss_next;
560 		DLOG((DLOG_RF, "LFS roll forward: moving to offset 0x%" PRIx64
561 		       " -> segment %d\n", offset, lfs_dtosn(fs,offset)));
562 	}
563 
564 	if (flags & CHECK_UPDATE) {
565 		fs->lfs_avail -= (offset - oldoffset);
566 		/* Don't clog the buffer queue */
567 		mutex_enter(&lfs_lock);
568 		if (locked_queue_count > LFS_MAX_BUFS ||
569 		    locked_queue_bytes > LFS_MAX_BYTES) {
570 			lfs_flush(fs, SEGM_CKP, 0);
571 		}
572 		mutex_exit(&lfs_lock);
573 	}
574 
575     err2:
576 	if (flags & CHECK_CKSUM)
577 		free(datap, M_SEGMENT);
578     err1:
579 	brelse(bp, BC_AGE);
580 
581 	/* XXX should we update the serial number even for bad psegs? */
582 	if ((flags & CHECK_UPDATE) && offset > 0 && fs->lfs_version > 1)
583 		fs->lfs_serial = nextserial;
584 	return offset;
585 }
586 
587 void
588 lfs_roll_forward(struct lfs *fs, struct mount *mp, struct lwp *l)
589 {
590 	int flags, dirty;
591 	daddr_t offset, oldoffset, lastgoodpseg;
592 	int sn, curseg, do_rollforward;
593 	struct proc *p;
594 	kauth_cred_t cred;
595 	SEGUSE *sup;
596 	struct buf *bp;
597 
598 	p = l ? l->l_proc : NULL;
599 	cred = p ? p->p_cred : NOCRED;
600 
601 	/*
602 	 * Roll forward.
603 	 *
604 	 * We don't roll forward for v1 filesystems, because
605 	 * of the danger that the clock was turned back between the last
606 	 * checkpoint and crash.  This would roll forward garbage.
607 	 *
608 	 * v2 filesystems don't have this problem because they use a
609 	 * monotonically increasing serial number instead of a timestamp.
610 	 */
611 	do_rollforward = (!(fs->lfs_pflags & LFS_PF_CLEAN) &&
612 			  lfs_do_rfw && fs->lfs_version > 1 && p != NULL);
613 	if (do_rollforward) {
614 		u_int64_t nextserial;
615 		/*
616 		 * Phase I: Find the address of the last good partial
617 		 * segment that was written after the checkpoint.  Mark
618 		 * the segments in question dirty, so they won't be
619 		 * reallocated.
620 		 */
621 		lastgoodpseg = oldoffset = offset = fs->lfs_offset;
622 		flags = 0x0;
623 		DLOG((DLOG_RF, "LFS roll forward phase 1: start at offset 0x%"
624 		      PRIx64 "\n", offset));
625 		LFS_SEGENTRY(sup, fs, lfs_dtosn(fs, offset), bp);
626 		if (!(sup->su_flags & SEGUSE_DIRTY))
627 			--fs->lfs_nclean;
628 		sup->su_flags |= SEGUSE_DIRTY;
629 		LFS_WRITESEGENTRY(sup, fs, lfs_dtosn(fs, offset), bp);
630 		nextserial = fs->lfs_serial + 1;
631 		while ((offset = check_segsum(fs, offset, nextserial,
632 		    cred, CHECK_CKSUM, &flags, l)) > 0) {
633 			nextserial++;
634 			if (lfs_sntod(fs, oldoffset) != lfs_sntod(fs, offset)) {
635 				LFS_SEGENTRY(sup, fs, lfs_dtosn(fs, oldoffset),
636 					     bp);
637 				if (!(sup->su_flags & SEGUSE_DIRTY))
638 					--fs->lfs_nclean;
639 				sup->su_flags |= SEGUSE_DIRTY;
640 				LFS_WRITESEGENTRY(sup, fs, lfs_dtosn(fs, oldoffset),
641 					     bp);
642 			}
643 
644 			DLOG((DLOG_RF, "LFS roll forward phase 1: offset=0x%"
645 			      PRIx64 "\n", offset));
646 			if (flags & SS_DIROP) {
647 				DLOG((DLOG_RF, "lfs_mountfs: dirops at 0x%"
648 				      PRIx64 "\n", oldoffset));
649 				if (!(flags & SS_CONT)) {
650 				     DLOG((DLOG_RF, "lfs_mountfs: dirops end "
651 					   "at 0x%" PRIx64 "\n", oldoffset));
652 				}
653 			}
654 			if (!(flags & SS_CONT))
655 				lastgoodpseg = offset;
656 			oldoffset = offset;
657 		}
658 		if (flags & SS_CONT) {
659 			DLOG((DLOG_RF, "LFS roll forward: warning: incomplete "
660 			      "dirops discarded\n"));
661 		}
662 		DLOG((DLOG_RF, "LFS roll forward phase 1: completed: "
663 		      "lastgoodpseg=0x%" PRIx64 "\n", lastgoodpseg));
664 		oldoffset = fs->lfs_offset;
665 		if (fs->lfs_offset != lastgoodpseg) {
666 			/* Don't overwrite what we're trying to preserve */
667 			offset = fs->lfs_offset;
668 			fs->lfs_offset = lastgoodpseg;
669 			fs->lfs_curseg = lfs_sntod(fs, lfs_dtosn(fs, fs->lfs_offset));
670 			for (sn = curseg = lfs_dtosn(fs, fs->lfs_curseg);;) {
671 				sn = (sn + 1) % fs->lfs_nseg;
672 				if (sn == curseg)
673 					panic("lfs_mountfs: no clean segments");
674 				LFS_SEGENTRY(sup, fs, sn, bp);
675 				dirty = (sup->su_flags & SEGUSE_DIRTY);
676 				brelse(bp, 0);
677 				if (!dirty)
678 					break;
679 			}
680 			fs->lfs_nextseg = lfs_sntod(fs, sn);
681 
682 			/*
683 			 * Phase II: Roll forward from the first superblock.
684 			 */
685 			while (offset != lastgoodpseg) {
686 				DLOG((DLOG_RF, "LFS roll forward phase 2: 0x%"
687 				      PRIx64 "\n", offset));
688 				offset = check_segsum(fs, offset,
689 				    fs->lfs_serial + 1, cred, CHECK_UPDATE,
690 				    NULL, l);
691 			}
692 
693 			/*
694 			 * Finish: flush our changes to disk.
695 			 */
696 			lfs_segwrite(mp, SEGM_CKP | SEGM_SYNC);
697 			DLOG((DLOG_RF, "lfs_mountfs: roll forward ",
698 			      "recovered %lld blocks\n",
699 			      (long long)(lastgoodpseg - oldoffset)));
700 		}
701 		DLOG((DLOG_RF, "LFS roll forward complete\n"));
702 	}
703 }
704