• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * logfile.h - Exports for $LogFile handling.  Originated from the Linux-NTFS project.
3  *
4  * Copyright (c) 2000-2005 Anton Altaparmakov
5  * Copyright (c) 2016      Jean-Pierre Andre
6  *
7  * This program/include file is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU General Public License as published
9  * by the Free Software Foundation; either version 2 of the License, or
10  * (at your option) any later version.
11  *
12  * This program/include file is distributed in the hope that it will be
13  * useful, but WITHOUT ANY WARRANTY; without even the implied warranty
14  * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15  * GNU General Public License for more details.
16  *
17  * You should have received a copy of the GNU General Public License
18  * along with this program (in the main directory of the NTFS-3G
19  * distribution in the file COPYING); if not, write to the Free Software
20  * Foundation,Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
21  */
22 
23 #ifndef _NTFS_LOGFILE_H
24 #define _NTFS_LOGFILE_H
25 
26 #include "types.h"
27 #include "endians.h"
28 #include "layout.h"
29 
30 /*
31  * Journal ($LogFile) organization:
32  *
33  * Two restart areas present in the first two pages (restart pages, one restart
34  * area in each page).  When the volume is dismounted they should be identical,
35  * except for the update sequence array which usually has a different update
36  * sequence number.
37  *
38  * These are followed by log records organized in pages headed by a log record
39  * header going up to log file size.  Not all pages contain log records when a
40  * volume is first formatted, but as the volume ages, all records will be used.
41  * When the log file fills up, the records at the beginning are purged (by
42  * modifying the oldest_lsn to a higher value presumably) and writing begins
43  * at the beginning of the file.  Effectively, the log file is viewed as a
44  * circular entity.
45  *
46  * NOTE: Windows NT, 2000, and XP all use log file version 1.1 but they accept
47  * versions <= 1.x, including 0.-1.  (Yes, that is a minus one in there!)  We
48  * probably only want to support 1.1 as this seems to be the current version
49  * and we don't know how that differs from the older versions.  The only
50  * exception is if the journal is clean as marked by the two restart pages
51  * then it doesn't matter whether we are on an earlier version.  We can just
52  * reinitialize the logfile and start again with version 1.1.
53  */
54 
55 /* Some $LogFile related constants. */
56 #define MaxLogFileSize		0x100000000ULL
57 #define DefaultLogPageSize	4096
58 #define MinLogRecordPages	48
59 
60 /**
61  * struct RESTART_PAGE_HEADER - Log file restart page header.
62  *
63  * Begins the restart area.
64  */
65 typedef struct {
66 /*Ofs*/
67 /*  0	NTFS_RECORD; -- Unfolded here as gcc doesn't like unnamed structs. */
68 /*  0*/	NTFS_RECORD_TYPES magic;/* The magic is "RSTR". */
69 /*  4*/	le16 usa_ofs;		/* See NTFS_RECORD definition in layout.h.
70 				   When creating, set this to be immediately
71 				   after this header structure (without any
72 				   alignment). */
73 /*  6*/	le16 usa_count;		/* See NTFS_RECORD definition in layout.h. */
74 
75 /*  8*/	leLSN chkdsk_lsn;	/* The last log file sequence number found by
76 				   chkdsk.  Only used when the magic is changed
77 				   to "CHKD".  Otherwise this is zero. */
78 /* 16*/	le32 system_page_size;	/* Byte size of system pages when the log file
79 				   was created, has to be >= 512 and a power of
80 				   2.  Use this to calculate the required size
81 				   of the usa (usa_count) and add it to usa_ofs.
82 				   Then verify that the result is less than the
83 				   value of the restart_area_offset. */
84 /* 20*/	le32 log_page_size;	/* Byte size of log file pages, has to be >=
85 				   512 and a power of 2.  The default is 4096
86 				   and is used when the system page size is
87 				   between 4096 and 8192.  Otherwise this is
88 				   set to the system page size instead. */
89 /* 24*/	le16 restart_area_offset;/* Byte offset from the start of this header to
90 				   the RESTART_AREA.  Value has to be aligned
91 				   to 8-byte boundary.  When creating, set this
92 				   to be after the usa. */
93 /* 26*/	sle16 minor_ver;	/* Log file minor version.  Only check if major
94 				   version is 1. */
95 /* 28*/	sle16 major_ver;	/* Log file major version.  We only support
96 				   version 1.1. */
97 /* 30*/	le16 usn;
98 /* sizeof() = 32 (0x20) bytes */
99 } __attribute__((__packed__)) RESTART_PAGE_HEADER;
100 
101 /*
102  * Constant for the log client indices meaning that there are no client records
103  * in this particular client array.  Also inside the client records themselves,
104  * this means that there are no client records preceding or following this one.
105  */
106 #define LOGFILE_NO_CLIENT_CPU	0xffff
107 #define LOGFILE_NO_CLIENT	const_cpu_to_le16(LOGFILE_NO_CLIENT_CPU)
108 
109 /*
110  * These are the so far known RESTART_AREA_* flags (16-bit) which contain
111  * information about the log file in which they are present.
112  */
113 enum {
114 	RESTART_VOLUME_IS_CLEAN	= const_cpu_to_le16(0x0002),
115 	RESTART_SPACE_FILLER	= 0xffff, /* gcc: Force enum bit width to 16. */
116 } __attribute__((__packed__));
117 
118 typedef le16 RESTART_AREA_FLAGS;
119 
120 /**
121  * struct RESTART_AREA - Log file restart area record.
122  *
123  * The offset of this record is found by adding the offset of the
124  * RESTART_PAGE_HEADER to the restart_area_offset value found in it.
125  * See notes at restart_area_offset above.
126  */
127 typedef struct {
128 /*Ofs*/
129 /*  0*/	leLSN current_lsn;	/* The current, i.e. last LSN inside the log
130 				   when the restart area was last written.
131 				   This happens often but what is the interval?
132 				   Is it just fixed time or is it every time a
133 				   check point is written or something else?
134 				   On create set to 0. */
135 /*  8*/	le16 log_clients;	/* Number of log client records in the array of
136 				   log client records which follows this
137 				   restart area.  Must be 1.  */
138 /* 10*/	le16 client_free_list;	/* The index of the first free log client record
139 				   in the array of log client records.
140 				   LOGFILE_NO_CLIENT means that there are no
141 				   free log client records in the array.
142 				   If != LOGFILE_NO_CLIENT, check that
143 				   log_clients > client_free_list.  On Win2k
144 				   and presumably earlier, on a clean volume
145 				   this is != LOGFILE_NO_CLIENT, and it should
146 				   be 0, i.e. the first (and only) client
147 				   record is free and thus the logfile is
148 				   closed and hence clean.  A dirty volume
149 				   would have left the logfile open and hence
150 				   this would be LOGFILE_NO_CLIENT.  On WinXP
151 				   and presumably later, the logfile is always
152 				   open, even on clean shutdown so this should
153 				   always be LOGFILE_NO_CLIENT. */
154 /* 12*/	le16 client_in_use_list;/* The index of the first in-use log client
155 				   record in the array of log client records.
156 				   LOGFILE_NO_CLIENT means that there are no
157 				   in-use log client records in the array.  If
158 				   != LOGFILE_NO_CLIENT check that log_clients
159 				   > client_in_use_list.  On Win2k and
160 				   presumably earlier, on a clean volume this
161 				   is LOGFILE_NO_CLIENT, i.e. there are no
162 				   client records in use and thus the logfile
163 				   is closed and hence clean.  A dirty volume
164 				   would have left the logfile open and hence
165 				   this would be != LOGFILE_NO_CLIENT, and it
166 				   should be 0, i.e. the first (and only)
167 				   client record is in use.  On WinXP and
168 				   presumably later, the logfile is always
169 				   open, even on clean shutdown so this should
170 				   always be 0. */
171 /* 14*/	RESTART_AREA_FLAGS flags;/* Flags modifying LFS behaviour.  On Win2k
172 				   and presumably earlier this is always 0.  On
173 				   WinXP and presumably later, if the logfile
174 				   was shutdown cleanly, the second bit,
175 				   RESTART_VOLUME_IS_CLEAN, is set.  This bit
176 				   is cleared when the volume is mounted by
177 				   WinXP and set when the volume is dismounted,
178 				   thus if the logfile is dirty, this bit is
179 				   clear.  Thus we don't need to check the
180 				   Windows version to determine if the logfile
181 				   is clean.  Instead if the logfile is closed,
182 				   we know it must be clean.  If it is open and
183 				   this bit is set, we also know it must be
184 				   clean.  If on the other hand the logfile is
185 				   open and this bit is clear, we can be almost
186 				   certain that the logfile is dirty. */
187 /* 16*/	le32 seq_number_bits;	/* How many bits to use for the sequence
188 				   number.  This is calculated as 67 - the
189 				   number of bits required to store the logfile
190 				   size in bytes and this can be used in with
191 				   the specified file_size as a consistency
192 				   check. */
193 /* 20*/	le16 restart_area_length;/* Length of the restart area including the
194 				   client array.  Following checks required if
195 				   version matches.  Otherwise, skip them.
196 				   restart_area_offset + restart_area_length
197 				   has to be <= system_page_size.  Also,
198 				   restart_area_length has to be >=
199 				   client_array_offset + (log_clients *
200 				   sizeof(log client record)). */
201 /* 22*/	le16 client_array_offset;/* Offset from the start of this record to
202 				   the first log client record if versions are
203 				   matched.  When creating, set this to be
204 				   after this restart area structure, aligned
205 				   to 8-bytes boundary.  If the versions do not
206 				   match, this is ignored and the offset is
207 				   assumed to be (sizeof(RESTART_AREA) + 7) &
208 				   ~7, i.e. rounded up to first 8-byte
209 				   boundary.  Either way, client_array_offset
210 				   has to be aligned to an 8-byte boundary.
211 				   Also, restart_area_offset +
212 				   client_array_offset has to be <= 510.
213 				   Finally, client_array_offset + (log_clients
214 				   * sizeof(log client record)) has to be <=
215 				   system_page_size.  On Win2k and presumably
216 				   earlier, this is 0x30, i.e. immediately
217 				   following this record.  On WinXP and
218 				   presumably later, this is 0x40, i.e. there
219 				   are 16 extra bytes between this record and
220 				   the client array.  This probably means that
221 				   the RESTART_AREA record is actually bigger
222 				   in WinXP and later. */
223 /* 24*/	sle64 file_size;	/* Usable byte size of the log file.  If the
224 				   restart_area_offset + the offset of the
225 				   file_size are > 510 then corruption has
226 				   occurred.  This is the very first check when
227 				   starting with the restart_area as if it
228 				   fails it means that some of the above values
229 				   will be corrupted by the multi sector
230 				   transfer protection.  The file_size has to
231 				   be rounded down to be a multiple of the
232 				   log_page_size in the RESTART_PAGE_HEADER and
233 				   then it has to be at least big enough to
234 				   store the two restart pages and 48 (0x30)
235 				   log record pages. */
236 /* 32*/	le32 last_lsn_data_length;/* Length of data of last LSN, not including
237 				   the log record header.  On create set to
238 				   0. */
239 /* 36*/	le16 log_record_header_length;/* Byte size of the log record header.
240 				   If the version matches then check that the
241 				   value of log_record_header_length is a
242 				   multiple of 8, i.e.
243 				   (log_record_header_length + 7) & ~7 ==
244 				   log_record_header_length.  When creating set
245 				   it to sizeof(LOG_RECORD_HEADER), aligned to
246 				   8 bytes. */
247 /* 38*/	le16 log_page_data_offset;/* Offset to the start of data in a log record
248 				   page.  Must be a multiple of 8.  On create
249 				   set it to immediately after the update
250 				   sequence array of the log record page. */
251 /* 40*/	le32 restart_log_open_count;/* A counter that gets incremented every
252 				   time the logfile is restarted which happens
253 				   at mount time when the logfile is opened.
254 				   When creating set to a random value.  Win2k
255 				   sets it to the low 32 bits of the current
256 				   system time in NTFS format (see time.h). */
257 /* 44*/	le32 reserved;		/* Reserved/alignment to 8-byte boundary. */
258 /* sizeof() = 48 (0x30) bytes */
259 } __attribute__((__packed__)) RESTART_AREA;
260 
261 /**
262  * struct LOG_CLIENT_RECORD - Log client record.
263  *
264  * The offset of this record is found by adding the offset of the
265  * RESTART_AREA to the client_array_offset value found in it.
266  */
267 typedef struct {
268 /*Ofs*/
269 /*  0*/	leLSN oldest_lsn;	/* Oldest LSN needed by this client.  On create
270 				   set to 0. */
271 /*  8*/	leLSN client_restart_lsn;/* LSN at which this client needs to restart
272 				   the volume, i.e. the current position within
273 				   the log file.  At present, if clean this
274 				   should = current_lsn in restart area but it
275 				   probably also = current_lsn when dirty most
276 				   of the time.  At create set to 0. */
277 /* 16*/	le16 prev_client;	/* The offset to the previous log client record
278 				   in the array of log client records.
279 				   LOGFILE_NO_CLIENT means there is no previous
280 				   client record, i.e. this is the first one.
281 				   This is always LOGFILE_NO_CLIENT. */
282 /* 18*/	le16 next_client;	/* The offset to the next log client record in
283 				   the array of log client records.
284 				   LOGFILE_NO_CLIENT means there are no next
285 				   client records, i.e. this is the last one.
286 				   This is always LOGFILE_NO_CLIENT. */
287 /* 20*/	le16 seq_number;	/* On Win2k and presumably earlier, this is set
288 				   to zero every time the logfile is restarted
289 				   and it is incremented when the logfile is
290 				   closed at dismount time.  Thus it is 0 when
291 				   dirty and 1 when clean.  On WinXP and
292 				   presumably later, this is always 0. */
293 /* 22*/	u8 reserved[6];		/* Reserved/alignment. */
294 /* 28*/	le32 client_name_length;/* Length of client name in bytes.  Should
295 				   always be 8. */
296 /* 32*/	ntfschar client_name[64];/* Name of the client in Unicode.  Should
297 				   always be "NTFS" with the remaining bytes
298 				   set to 0. */
299 /* sizeof() = 160 (0xa0) bytes */
300 } __attribute__((__packed__)) LOG_CLIENT_RECORD;
301 
302 /**
303  * struct RECORD_PAGE_HEADER - Log page record page header.
304  *
305  * Each log page begins with this header and is followed by several LOG_RECORD
306  * structures, starting at offset 0x40 (the size of this structure and the
307  * following update sequence array and then aligned to 8 byte boundary, but is
308  * this specified anywhere?).
309  */
310 typedef struct {
311 /*  0	NTFS_RECORD; -- Unfolded here as gcc doesn't like unnamed structs. */
312 	NTFS_RECORD_TYPES magic;/* Usually the magic is "RCRD". */
313 	le16 usa_ofs;		/* See NTFS_RECORD definition in layout.h.
314 				   When creating, set this to be immediately
315 				   after this header structure (without any
316 				   alignment). */
317 	le16 usa_count;		/* See NTFS_RECORD definition in layout.h. */
318 
319 	union {
320 		leLSN last_lsn;
321 		sle64 file_offset;
322 	} __attribute__((__packed__)) copy;
323 	le32 flags;
324 	le16 page_count;
325 	le16 page_position;
326 	le16 next_record_offset;
327 	le16 reserved[3];
328 	leLSN last_end_lsn;
329 } __attribute__((__packed__)) RECORD_PAGE_HEADER;
330 
331 /**
332  * enum LOG_RECORD_FLAGS - Possible 16-bit flags for log records.
333  *
334  *	Some flags describe what kind of update is being logged.
335  *
336  * (Or is it log record pages?)
337  */
338 typedef enum {
339 	LOG_RECORD_MULTI_PAGE = const_cpu_to_le16(0x0001),	/* ??? */
340 		/* The flags below were introduced in Windows 10 */
341 	LOG_RECORD_DELETING =	const_cpu_to_le16(0x0002),
342 	LOG_RECORD_ADDING =	const_cpu_to_le16(0x0004),
343 	LOG_RECORD_SIZE_PLACE_HOLDER = 0xffff,
344 		/* This has nothing to do with the log record. It is only so
345 		   gcc knows to make the flags 16-bit. */
346 } __attribute__((__packed__)) LOG_RECORD_FLAGS;
347 
348 /**
349  * struct LOG_CLIENT_ID - The log client id structure identifying a log client.
350  */
351 typedef struct {
352 	le16 seq_number;
353 	le16 client_index;
354 } __attribute__((__packed__)) LOG_CLIENT_ID;
355 
356 /*
357  *	LOG_RECORD_TYPE : types of log records
358  */
359 
360 enum {
361 	LOG_STANDARD =		const_cpu_to_le32(1),
362 	LOG_CHECKPOINT =	const_cpu_to_le32(2),
363 	LOG_RECORD_TYPE_PLACE_HOLDER = 0xffffffffU
364 } ;
365 typedef le32 LOG_RECORD_TYPE;
366 
367 /*
368  *	ATTRIBUTE_FLAGS : flags describing the kind of NTFS record
369  *	is being updated.
370  *	These flags were introduced in Vista, only two flags are known?
371  */
372 
373 enum {
374 	ACTS_ON_MFT =		const_cpu_to_le16(2),
375 	ACTS_ON_INDX =		const_cpu_to_le16(8),
376 	ATTRIBUTE_FLAGS_PLACE_HOLDER = 0xffff,
377 } ;
378 typedef le16 ATTRIBUTE_FLAGS;
379 
380 #define LOG_RECORD_HEAD_SZ 0x30 /* size of header of struct LOG_RECORD */
381 
382 /**
383  * struct LOG_RECORD - Log record header.
384  *
385  * Each log record seems to have a constant size of 0x70 bytes.
386  */
387 typedef struct {
388 	leLSN this_lsn;
389 	leLSN client_previous_lsn;
390 	leLSN client_undo_next_lsn;
391 	le32 client_data_length;
392 	LOG_CLIENT_ID client_id;
393 	LOG_RECORD_TYPE record_type;
394 	le32 transaction_id;
395 	LOG_RECORD_FLAGS log_record_flags;
396 	le16 reserved_or_alignment[3];
397 /* Now are at ofs 0x30 into struct. */
398 	le16 redo_operation;
399 	le16 undo_operation;
400 	le16 redo_offset;
401 	le16 redo_length;
402 	union {
403 		struct {
404 			le16 undo_offset;
405 			le16 undo_length;
406 			le16 target_attribute;
407 			le16 lcns_to_follow;   /* Number of lcn_list entries
408 					      following this entry. */
409 /* Now at ofs 0x40. */
410 			le16 record_offset;
411 			le16 attribute_offset;
412 			le16 cluster_index;
413 			ATTRIBUTE_FLAGS attribute_flags;
414 			leVCN target_vcn;
415 /* Now at ofs 0x50. */
416 			leLCN lcn_list[0]; /* Only present if lcns_to_follow
417 						is not 0. */
418 		} __attribute__((__packed__));
419 		struct {
420 			leLSN transaction_lsn;
421 			leLSN attributes_lsn;
422 			leLSN names_lsn;
423 			leLSN dirty_pages_lsn;
424 			le64 unknown_list[0];
425 		} __attribute__((__packed__));
426 	} __attribute__((__packed__));
427 } __attribute__((__packed__)) LOG_RECORD;
428 
429 /**
430  * struct BITMAP_ACTION - Bitmap change being logged
431  */
432 
433 struct BITMAP_ACTION {
434 	le32 firstbit;
435 	le32 count;
436 } ;
437 
438 /**
439  * struct ATTR - Attribute record.
440  *
441  *	The format of an attribute record has changed from Windows 10.
442  *	The old format was 44 bytes long, despite having 8 bytes fields,
443  *	and this leads to alignment problems in arrays.
444  *	This problem does not occur in the new format, which is shorter.
445  *	The format being used can generally be determined from size.
446  */
447 typedef struct {	/* Format up to Win10 (44 bytes) */
448 	le64 unknown1;
449 	le64 unknown2;
450 	le64 inode;
451 	leLSN lsn;
452 	le32 unknown3;
453 	le32 type;
454 	le32 unknown4;
455 } __attribute__((__packed__)) ATTR_OLD;
456 
457 typedef struct {	/* Format since Win10 (40 bytes) */
458 	le64 unknown1;
459 	le64 unknown2;
460 	le32 type;
461 	le32 unknown3;
462 	le64 inode;
463 	leLSN lsn;
464 } __attribute__((__packed__)) ATTR_NEW;
465 
466 extern BOOL ntfs_check_logfile(ntfs_attr *log_na, RESTART_PAGE_HEADER **rp);
467 extern BOOL ntfs_is_logfile_clean(ntfs_attr *log_na, RESTART_PAGE_HEADER *rp);
468 extern int ntfs_empty_logfile(ntfs_attr *na);
469 
470 #endif /* defined _NTFS_LOGFILE_H */
471