= Metadata Integrity

Prior to version 5, most XFS metadata blocks contained a magic number that
could provide a minimal sanity check that a block read off the disk contained
the same type of data that the code thought it was reading off the disk.
However, this was insufficient -- given a correct type code, it was still
impossible to tell if the block was from a previous filesystem, or happened to
be owned by something else, or had been written to the wrong location on disk.
Furthermore, not all metadata blocks had magic numbers -- remote extended
attributes and extent symbolic links had no protection at all.

Therefore, the version 5 disk format introduced larger headers for all metadata
types, which enable the filesystem to check information being read from the
disk more rigorously. Metadata integrity fields now include:

* *Magic* numbers, to classify all types of metadata. This is unchanged from v4.
* A copy of the filesystem *UUID*, to confirm that a given disk block is connected to the superblock.
* The *owner*, to avoid accessing a piece of metadata which belongs to some other part of the filesystem.
* The filesystem *block number*, to detect misplaced writes.
* The *log serial number* of the last write to this block, to avoid replaying obsolete log entries.
* A CRC32c *checksum* of the entire block, to detect minor corruption.

Metadata integrity coverage has been extended to all metadata blocks in the
filesystem, with the following notes:

* Inodes can have multiple ``owners'' in the directory tree; therefore the record contains the inode number instead of an owner or a block number.
* Superblocks have no owners.
* The disk quota file has no owner or block numbers.
* Metadata owned by files list the inode number as the owner.
* Per-AG data and B+tree blocks list the AG number as the owner.
* Per-AG header sectors don't list owners or block numbers, since they have fixed locations.
* Remote attribute blocks are not logged and therefore the LSN must be -1.

This functionality enables XFS to decide that a block's contents are so
unexpected that it should stop immediately. Unfortunately checksums do not
allow for automatic correction. Please keep regular backups, as always.
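
The checks listed above, sketched as an added C example that is not code from XFS or from this document: the header layout, `DEMO_MAGIC`, and the names `meta_stamp`, `meta_verify` and `demo` are hypothetical and simplified, not the real on-disk format. It shows why a valid checksum alone is not enough: a block from a previous filesystem, a misplaced write and a block owned by something else all carry a correct CRC and are caught only by the UUID, block number and owner comparisons.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum { BLOCK_SIZE = 512, DEMO_MAGIC = 0x44454d4f };  /* constructed values */
struct meta_hdr {          /* simplified for illustration, NOT the real XFS layout */
    uint32_t magic, crc;   /* crc: CRC32c of the whole block with this field zeroed */
    uint64_t blkno, owner;
    uint8_t  uuid[16];
};
enum verdict { META_OK, BAD_MAGIC, BAD_CRC, BAD_UUID, BAD_BLKNO, BAD_OWNER };
/* Bitwise CRC32c (reflected polynomial 0x82F63B78), reading the CRC field as zero. */
static uint32_t block_crc(const uint8_t *blk) {
    uint32_t c = ~0u, off = (uint32_t)offsetof(struct meta_hdr, crc);
    for (size_t i = 0; i < BLOCK_SIZE; i++) {
        c ^= (i >= off && i < off + 4) ? 0u : blk[i];
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0x82F63B78u & (0u - (c & 1)));
    }
    return ~c;
}
/* Writer: record the identity fields, then checksum the whole block. */
void meta_stamp(uint8_t *blk, const uint8_t *uuid, uint64_t blkno, uint64_t owner) {
    struct meta_hdr h = { DEMO_MAGIC, 0, blkno, owner, {0} };
    memcpy(h.uuid, uuid, 16);
    memcpy(blk, &h, sizeof h);
    h.crc = block_crc(blk);
    memcpy(blk, &h, sizeof h);
}
/* Reader: compare what the block claims with what the caller expected to read. */
enum verdict meta_verify(const uint8_t *blk, const uint8_t *uuid, uint64_t read_from, uint64_t owner) {
    struct meta_hdr h;
    memcpy(&h, blk, sizeof h);
    if (h.magic != DEMO_MAGIC)    return BAD_MAGIC;
    if (h.crc != block_crc(blk))  return BAD_CRC;
    if (memcmp(h.uuid, uuid, 16)) return BAD_UUID;
    if (h.blkno != read_from)     return BAD_BLKNO;
    return h.owner == owner ? META_OK : BAD_OWNER;
}
/* Constructed cases: 0 clean, 1 bit flip, 2 old filesystem, 3 misplaced write, 4 wrong owner. */
enum verdict demo(int s) {
    static const uint8_t fs[16] = "constructed-A", old[16] = "constructed-B";
    uint8_t blk[BLOCK_SIZE] = {0};
    meta_stamp(blk, s == 2 ? old : fs, 100, 7);
    if (s == 1) blk[200] ^= 0x01;
    return meta_verify(blk, fs, s == 3 ? 200 : 100, s == 4 ? 9 : 7);
}
int main(void) {
    for (int s = 0; s < 5; s++) printf("case %d -> verdict %d\n", s, demo(s));
}
```

Only case 1 is detected by the checksum; cases 2 to 4 pass the CRC and fail on the identity fields, and none of the verdicts says how to repair the block.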