/*
 * logfile.h - Exports for $LogFile handling.  Originated from the Linux-NTFS project.
 *
 * Copyright (c) 2000-2005 Anton Altaparmakov
 * Copyright (c) 2016      Jean-Pierre Andre
 *
 * This program/include file is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as published
 * by the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program/include file is distributed in the hope that it will be
 * useful, but WITHOUT ANY WARRANTY; without even the implied warranty
 * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program (in the main directory of the NTFS-3G
 * distribution in the file COPYING); if not, write to the Free Software
 * Foundation,Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */
#ifndef _NTFS_LOGFILE_H
#define _NTFS_LOGFILE_H

#include "types.h"
#include "endians.h"
#include "layout.h"
/*
 * Journal ($LogFile) organization:
 *
 * Two restart areas are present in the first two pages (restart pages, one
 * restart area in each page).  When the volume is dismounted they should be
 * identical, except for the update sequence array which usually has a
 * different update sequence number.
 *
 * These are followed by log records organized in pages headed by a log record
 * header going up to log file size.  Not all pages contain log records when a
 * volume is first formatted, but as the volume ages, all records will be used.
 * When the log file fills up, the records at the beginning are purged (by
 * modifying the oldest_lsn to a higher value presumably) and writing begins
 * at the beginning of the file.  Effectively, the log file is viewed as a
 * circular entity.
 *
 * NOTE: Windows NT, 2000, and XP all use log file version 1.1 but they accept
 * versions <= 1.x, including 0.-1.  (Yes, that is a minus one in there!)  We
 * probably only want to support 1.1 as this seems to be the current version
 * and we don't know how that differs from the older versions.  The only
 * exception is if the journal is clean as marked by the two restart pages
 * then it doesn't matter whether we are on an earlier version.  We can just
 * reinitialize the logfile and start again with version 1.1.
 */
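/*
 * Some $LogFile related constants.
 *
 * MaxLogFileSize is 0x100000000 bytes (4 GiB); presumably the upper bound
 * applied to the log file size - its use is outside this header.
 * DefaultLogPageSize matches the default documented for
 * RESTART_PAGE_HEADER.log_page_size, and MinLogRecordPages matches the
 * "48 (0x30) log record pages" minimum documented for RESTART_AREA.file_size.
 */
#define MaxLogFileSize		0x100000000ULL
#define DefaultLogPageSize	4096
#define MinLogRecordPages	48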
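/**
 * struct RESTART_PAGE_HEADER - Log file restart page header.
 *
 * Begins the restart area.
 *
 * Every field is read as stored on the volume, so on a corrupted or crafted
 * image none of the values can be trusted.  The constraints listed per field
 * (page sizes >= 512 and a power of 2, update sequence array ending before
 * restart_area_offset, 8-byte alignment) are what a consumer has to verify
 * before using usa_ofs or restart_area_offset to address memory.
 * NOTE(review): whether ntfs_check_logfile() enforces each of them cannot be
 * seen from this header - confirm in the implementation.
 */
typedef struct {
/*Ofs*/
/*  0	NTFS_RECORD; -- Unfolded here as gcc doesn't like unnamed structs. */
/*  0*/	NTFS_RECORD_TYPES magic;/* The magic is "RSTR". */
/*  4*/	le16 usa_ofs;		/* See NTFS_RECORD definition in layout.h.
				   When creating, set this to be immediately
				   after this header structure (without any
				   alignment). */
/*  6*/	le16 usa_count;		/* See NTFS_RECORD definition in layout.h. */

/*  8*/	leLSN chkdsk_lsn;	/* The last log file sequence number found by
				   chkdsk.  Only used when the magic is changed
				   to "CHKD".  Otherwise this is zero. */
/* 16*/	le32 system_page_size;	/* Byte size of system pages when the log file
				   was created, has to be >= 512 and a power of
				   2.  Use this to calculate the required size
				   of the usa (usa_count) and add it to usa_ofs.
				   Then verify that the result is less than the
				   value of the restart_area_offset. */
/* 20*/	le32 log_page_size;	/* Byte size of log file pages, has to be >=
				   512 and a power of 2.  The default is 4096
				   and is used when the system page size is
				   between 4096 and 8192.  Otherwise this is
				   set to the system page size instead. */
/* 24*/	le16 restart_area_offset;/* Byte offset from the start of this header to
				   the RESTART_AREA.  Value has to be aligned
				   to 8-byte boundary.  When creating, set this
				   to be after the usa. */
/* 26*/	sle16 minor_ver;	/* Log file minor version.  Only check if major
				   version is 1. */
/* 28*/	sle16 major_ver;	/* Log file major version.  We only support
				   version 1.1. */
/* 30*/	le16 usn;		/* NOTE(review): undocumented in the original;
				   the name suggests the update sequence number
				   - confirm against the code that sets
				   usa_ofs. */
/* sizeof() = 32 (0x20) bytes */
} __attribute__((__packed__)) RESTART_PAGE_HEADER;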
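/*
 * Constant for the log client indices meaning that there are no client records
 * in this particular client array.  Also inside the client records themselves,
 * this means that there are no client records preceding or following this one.
 *
 * LOGFILE_NO_CLIENT_CPU is the plain value 0xffff; LOGFILE_NO_CLIENT is the
 * same value passed through const_cpu_to_le16() (defined outside this file),
 * i.e. the form to compare against the le16 fields of the on-disk structures.
 * An index read from disk that is not LOGFILE_NO_CLIENT still has to be
 * checked against log_clients before it is used (see RESTART_AREA).
 */
#define LOGFILE_NO_CLIENT_CPU	0xffff
#define LOGFILE_NO_CLIENT	const_cpu_to_le16(LOGFILE_NO_CLIENT_CPU)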
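/*
 * These are the so far known RESTART_AREA_* flags (16-bit) which contain
 * information about the log file in which they are present.
 *
 * The enum is anonymous; fields of this kind are declared with the le16
 * typedef RESTART_AREA_FLAGS below.  Only one flag is known, so any other
 * bit found on disk has no documented meaning here.
 */
enum {
	RESTART_VOLUME_IS_CLEAN	= const_cpu_to_le16(0x0002),
	RESTART_SPACE_FILLER	= 0xffff, /* gcc: Force enum bit width to 16. */
} __attribute__((__packed__));

typedef le16 RESTART_AREA_FLAGS;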
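/**
 * struct RESTART_AREA - Log file restart area record.
 *
 * The offset of this record is found by adding the offset of the
 * RESTART_PAGE_HEADER to the restart_area_offset value found in it.
 * See notes at restart_area_offset above.
 *
 * All fields are taken from the volume as stored.  The per-field checks
 * described below (index < log_clients, offsets aligned to 8 bytes, offset +
 * length within system_page_size, the "<= 510" limits tied to the multi
 * sector transfer protection) are the bounds a reader needs before any of
 * these values is used as an index, offset or length.
 * NOTE(review): which of them the implementation actually performs is not
 * visible from this header.
 */
typedef struct {
/*Ofs*/
/*  0*/	leLSN current_lsn;	/* The current, i.e. last LSN inside the log
				   when the restart area was last written.
				   This happens often but what is the interval?
				   Is it just fixed time or is it every time a
				   check point is written or something else?
				   On create set to 0. */
/*  8*/	le16 log_clients;	/* Number of log client records in the array of
				   log client records which follows this
				   restart area.  Must be 1.  */
/* 10*/	le16 client_free_list;	/* The index of the first free log client record
				   in the array of log client records.
				   LOGFILE_NO_CLIENT means that there are no
				   free log client records in the array.
				   If != LOGFILE_NO_CLIENT, check that
				   log_clients > client_free_list.  On Win2k
				   and presumably earlier, on a clean volume
				   this is != LOGFILE_NO_CLIENT, and it should
				   be 0, i.e. the first (and only) client
				   record is free and thus the logfile is
				   closed and hence clean.  A dirty volume
				   would have left the logfile open and hence
				   this would be LOGFILE_NO_CLIENT.  On WinXP
				   and presumably later, the logfile is always
				   open, even on clean shutdown so this should
				   always be LOGFILE_NO_CLIENT. */
/* 12*/	le16 client_in_use_list;/* The index of the first in-use log client
				   record in the array of log client records.
				   LOGFILE_NO_CLIENT means that there are no
				   in-use log client records in the array.  If
				   != LOGFILE_NO_CLIENT check that log_clients
				   > client_in_use_list.  On Win2k and
				   presumably earlier, on a clean volume this
				   is LOGFILE_NO_CLIENT, i.e. there are no
				   client records in use and thus the logfile
				   is closed and hence clean.  A dirty volume
				   would have left the logfile open and hence
				   this would be != LOGFILE_NO_CLIENT, and it
				   should be 0, i.e. the first (and only)
				   client record is in use.  On WinXP and
				   presumably later, the logfile is always
				   open, even on clean shutdown so this should
				   always be 0. */
/* 14*/	RESTART_AREA_FLAGS flags;/* Flags modifying LFS behaviour.  On Win2k
				   and presumably earlier this is always 0.  On
				   WinXP and presumably later, if the logfile
				   was shutdown cleanly, the second bit,
				   RESTART_VOLUME_IS_CLEAN, is set.  This bit
				   is cleared when the volume is mounted by
				   WinXP and set when the volume is dismounted,
				   thus if the logfile is dirty, this bit is
				   clear.  Thus we don't need to check the
				   Windows version to determine if the logfile
				   is clean.  Instead if the logfile is closed,
				   we know it must be clean.  If it is open and
				   this bit is set, we also know it must be
				   clean.  If on the other hand the logfile is
				   open and this bit is clear, we can be almost
				   certain that the logfile is dirty. */
/* 16*/	le32 seq_number_bits;	/* How many bits to use for the sequence
				   number.  This is calculated as 67 - the
				   number of bits required to store the logfile
				   size in bytes and this can be used together
				   with the specified file_size as a
				   consistency check.
				   NOTE(review): an on-disk value; range-check
				   it before using it as a shift count. */
/* 20*/	le16 restart_area_length;/* Length of the restart area including the
				   client array.  Following checks required if
				   version matches.  Otherwise, skip them.
				   restart_area_offset + restart_area_length
				   has to be <= system_page_size.  Also,
				   restart_area_length has to be >=
				   client_array_offset + (log_clients *
				   sizeof(log client record)). */
/* 22*/	le16 client_array_offset;/* Offset from the start of this record to
				   the first log client record if versions are
				   matched.  When creating, set this to be
				   after this restart area structure, aligned
				   to 8-bytes boundary.  If the versions do not
				   match, this is ignored and the offset is
				   assumed to be (sizeof(RESTART_AREA) + 7) &
				   ~7, i.e. rounded up to first 8-byte
				   boundary.  Either way, client_array_offset
				   has to be aligned to an 8-byte boundary.
				   Also, restart_area_offset +
				   client_array_offset has to be <= 510.
				   Finally, client_array_offset + (log_clients
				   * sizeof(log client record)) has to be <=
				   system_page_size.  On Win2k and presumably
				   earlier, this is 0x30, i.e. immediately
				   following this record.  On WinXP and
				   presumably later, this is 0x40, i.e. there
				   are 16 extra bytes between this record and
				   the client array.  This probably means that
				   the RESTART_AREA record is actually bigger
				   in WinXP and later. */
/* 24*/	sle64 file_size;	/* Usable byte size of the log file.  If the
				   restart_area_offset + the offset of the
				   file_size are > 510 then corruption has
				   occurred.  This is the very first check when
				   starting with the restart_area as if it
				   fails it means that some of the above values
				   will be corrupted by the multi sector
				   transfer protection.  The file_size has to
				   be rounded down to be a multiple of the
				   log_page_size in the RESTART_PAGE_HEADER and
				   then it has to be at least big enough to
				   store the two restart pages and 48 (0x30)
				   log record pages.  The field is signed, so
				   a negative on-disk value is representable
				   and has to be rejected as well. */
/* 32*/	le32 last_lsn_data_length;/* Length of data of last LSN, not including
				   the log record header.  On create set to
				   0. */
/* 36*/	le16 log_record_header_length;/* Byte size of the log record header.
				   If the version matches then check that the
				   value of log_record_header_length is a
				   multiple of 8, i.e.
				   (log_record_header_length + 7) & ~7 ==
				   log_record_header_length.  When creating set
				   it to sizeof(LOG_RECORD_HEADER), aligned to
				   8 bytes. */
/* 38*/	le16 log_page_data_offset;/* Offset to the start of data in a log record
				   page.  Must be a multiple of 8.  On create
				   set it to immediately after the update
				   sequence array of the log record page. */
/* 40*/	le32 restart_log_open_count;/* A counter that gets incremented every
				   time the logfile is restarted which happens
				   at mount time when the logfile is opened.
				   When creating set to a random value.  Win2k
				   sets it to the low 32 bits of the current
				   system time in NTFS format (see time.h). */
/* 44*/	le32 reserved;		/* Reserved/alignment to 8-byte boundary. */
/* sizeof() = 48 (0x30) bytes */
} __attribute__((__packed__)) RESTART_AREA;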
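/**
 * struct LOG_CLIENT_RECORD - Log client record.
 *
 * The offset of this record is found by adding the offset of the
 * RESTART_AREA to the client_array_offset value found in it.
 *
 * The record is read from disk.  client_name is a fixed array of 64 ntfschar
 * (128 bytes, given the 160-byte total), while client_name_length is a
 * separate on-disk value: it must be checked against the size of client_name
 * before it is used to read or copy the name.
 */
typedef struct {
/*Ofs*/
/*  0*/	leLSN oldest_lsn;	/* Oldest LSN needed by this client.  On create
				   set to 0. */
/*  8*/	leLSN client_restart_lsn;/* LSN at which this client needs to restart
				   the volume, i.e. the current position within
				   the log file.  At present, if clean this
				   should = current_lsn in restart area but it
				   probably also = current_lsn when dirty most
				   of the time.  At create set to 0. */
/* 16*/	le16 prev_client;	/* The offset to the previous log client record
				   in the array of log client records.
				   LOGFILE_NO_CLIENT means there is no previous
				   client record, i.e. this is the first one.
				   This is always LOGFILE_NO_CLIENT. */
/* 18*/	le16 next_client;	/* The offset to the next log client record in
				   the array of log client records.
				   LOGFILE_NO_CLIENT means there are no next
				   client records, i.e. this is the last one.
				   This is always LOGFILE_NO_CLIENT. */
/* 20*/	le16 seq_number;	/* On Win2k and presumably earlier, this is set
				   to zero every time the logfile is restarted
				   and it is incremented when the logfile is
				   closed at dismount time.  Thus it is 0 when
				   dirty and 1 when clean.  On WinXP and
				   presumably later, this is always 0. */
/* 22*/	u8 reserved[6];		/* Reserved/alignment. */
/* 28*/	le32 client_name_length;/* Length of client name in bytes.  Should
				   always be 8. */
/* 32*/	ntfschar client_name[64];/* Name of the client in Unicode.  Should
				   always be "NTFS" with the remaining bytes
				   set to 0. */
/* sizeof() = 160 (0xa0) bytes */
} __attribute__((__packed__)) LOG_CLIENT_RECORD;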
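/**
 * struct RECORD_PAGE_HEADER - Log page record page header.
 *
 * Each log page begins with this header and is followed by several LOG_RECORD
 * structures, starting at offset 0x40 (the size of this structure and the
 * following update sequence array and then aligned to 8 byte boundary, but is
 * this specified anywhere?).
 *
 * The fields below usa_count carry no description in the original.  They are
 * on-disk values; in particular next_record_offset, page_count and
 * page_position should be bounds-checked against the log page size before
 * being used to locate data.
 * NOTE(review): field meanings are inferred from the names only - confirm
 * against the code that reads them.
 */
typedef struct {
/*  0	NTFS_RECORD; -- Unfolded here as gcc doesn't like unnamed structs. */
	NTFS_RECORD_TYPES magic;/* Usually the magic is "RCRD". */
	le16 usa_ofs;		/* See NTFS_RECORD definition in layout.h.
				   When creating, set this to be immediately
				   after this header structure (without any
				   alignment). */
	le16 usa_count;		/* See NTFS_RECORD definition in layout.h. */

	/* The same 8 bytes are read either as an LSN or as a file offset. */
	union {
		leLSN last_lsn;
		sle64 file_offset;
	} __attribute__((__packed__)) copy;
	le32 flags;
	le16 page_count;
	le16 page_position;
	le16 next_record_offset;
	le16 reserved[3];
	leLSN last_end_lsn;
} __attribute__((__packed__)) RECORD_PAGE_HEADER;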
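/**
 * enum LOG_RECORD_FLAGS - Possible 16-bit flags for log records.
 *
 *	Some flags describe what kind of update is being logged.
 *
 * (Or is it log record pages?)
 *
 * The flag values are wrapped in const_cpu_to_le16(), so they are meant to
 * be compared with the field as stored on disk.
 */
typedef enum {
	LOG_RECORD_MULTI_PAGE = const_cpu_to_le16(0x0001),	/* ??? */
		/* The flags below were introduced in Windows 10 */
	LOG_RECORD_DELETING =	const_cpu_to_le16(0x0002),
	LOG_RECORD_ADDING =	const_cpu_to_le16(0x0004),
	LOG_RECORD_SIZE_PLACE_HOLDER = 0xffff,
		/* This has nothing to do with the log record. It is only so
		   gcc knows to make the flags 16-bit. */
} __attribute__((__packed__)) LOG_RECORD_FLAGS;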
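/**
 * struct LOG_CLIENT_ID - The log client id structure identifying a log client.
 *
 * Two little-endian 16-bit values, 4 bytes in total.
 * NOTE(review): client_index presumably selects an entry of the log client
 * array; if so it needs the same "< log_clients" check as the list heads in
 * RESTART_AREA - confirm against the callers.
 */
typedef struct {
	le16 seq_number;
	le16 client_index;
} __attribute__((__packed__)) LOG_CLIENT_ID;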
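/*
 *	LOG_RECORD_TYPE : types of log records
 *
 *	The enum is anonymous; record type fields are declared with the le32
 *	typedef below.  Two types are known, so any other value read from
 *	disk has no documented meaning here.
 */

enum {
	LOG_STANDARD =		const_cpu_to_le32(1),
	LOG_CHECKPOINT =	const_cpu_to_le32(2),
	LOG_RECORD_TYPE_PLACE_HOLDER = 0xffffffffU
} ;
typedef le32 LOG_RECORD_TYPE;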
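/*
 *	ATTRIBUTE_FLAGS : flags describing the kind of NTFS record
 *	that is being updated.
 *	These flags were introduced in Vista, only two flags are known?
 *
 *	The enum is anonymous; fields of this kind are declared with the le16
 *	typedef below.
 */

enum {
	ACTS_ON_MFT =		const_cpu_to_le16(2),
	ACTS_ON_INDX =		const_cpu_to_le16(8),
	ATTRIBUTE_FLAGS_PLACE_HOLDER = 0xffff,
} ;
typedef le16 ATTRIBUTE_FLAGS;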
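/*
 * Size of the header of struct LOG_RECORD: the fields up to and including
 * reserved_or_alignment, i.e. everything before offset 0x30.
 */
#define LOG_RECORD_HEAD_SZ 0x30 /* size of header of struct LOG_RECORD */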
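/**
 * struct LOG_RECORD - Log record header.
 *
 * Each log record seems to have a constant size of 0x70 bytes.
 * NOTE(review): going by the offset comments below, the members declared
 * here end at 0x58 (0x38 plus four LSNs in the larger union arm), so the
 * 0x70 figure is not what sizeof() of this declaration yields - confirm
 * which one the callers rely on.
 *
 * The record is read from the journal as stored.  client_data_length, the
 * redo and undo offset/length pairs, record_offset, attribute_offset and
 * lcns_to_follow are all on-disk values and have to be checked against the
 * extent of the record before they are used to address data.  The two
 * trailing arrays are declared with length 0 (a GNU extension), so sizeof()
 * does not account for them and their element count comes only from the
 * on-disk data.
 * NOTE(review): the two union arms presumably correspond to the LOG_STANDARD
 * and LOG_CHECKPOINT record types - confirm against the code that reads
 * record_type.
 */
typedef struct {
	leLSN this_lsn;
	leLSN client_previous_lsn;
	leLSN client_undo_next_lsn;
	le32 client_data_length;
	LOG_CLIENT_ID client_id;
	LOG_RECORD_TYPE record_type;
	le32 transaction_id;
	LOG_RECORD_FLAGS log_record_flags;
	le16 reserved_or_alignment[3];
/* Now are at ofs 0x30 into struct. */
	le16 redo_operation;
	le16 undo_operation;
	le16 redo_offset;
	le16 redo_length;
	union {
		struct {
			le16 undo_offset;
			le16 undo_length;
			le16 target_attribute;
			le16 lcns_to_follow;   /* Number of lcn_list entries
					      following this entry. */
/* Now at ofs 0x40. */
			le16 record_offset;
			le16 attribute_offset;
			le16 cluster_index;
			ATTRIBUTE_FLAGS attribute_flags;
			leVCN target_vcn;
/* Now at ofs 0x50. */
			leLCN lcn_list[0]; /* Only present if lcns_to_follow
						is not 0. */
		} __attribute__((__packed__));
		struct {
			leLSN transaction_lsn;
			leLSN attributes_lsn;
			leLSN names_lsn;
			leLSN dirty_pages_lsn;
			le64 unknown_list[0];
		} __attribute__((__packed__));
	} __attribute__((__packed__));
} __attribute__((__packed__)) LOG_RECORD;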
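/**
 * struct BITMAP_ACTION - Bitmap change being logged
 *
 * Two little-endian 32-bit values.  Unlike the other structures in this
 * file it is not declared packed; with two 4-byte members that is not
 * expected to introduce padding.
 * NOTE(review): presumably firstbit is the first bit affected and count the
 * number of bits; both come from the journal, so firstbit + count needs a
 * bound (and overflow) check against the bitmap size before use - confirm
 * against the code that applies the action.
 */

struct BITMAP_ACTION {
	le32 firstbit;
	le32 count;
} ;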
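/**
 * struct ATTR - Attribute record.
 *
 *	The format of an attribute record has changed from Windows 10.
 *	The old format was 44 bytes long, despite having 8 bytes fields,
 *	and this leads to alignment problems in arrays.
 *	This problem does not occur in the new format, which is shorter.
 *	The format being used can generally be determined from size.
 *
 *	The size that selects the format is itself read from the journal, so
 *	a size matching neither ATTR_OLD nor ATTR_NEW should be treated as
 *	invalid rather than mapped onto one of the two layouts.
 */
typedef struct {	/* Format up to Win10 (44 bytes) */
	le64 unknown1;
	le64 unknown2;
	le64 inode;
	leLSN lsn;
	le32 unknown3;
	le32 type;
	le32 unknown4;
} __attribute__((__packed__)) ATTR_OLD;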
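/*
 * Attribute record in the format used since Windows 10.  It holds the same
 * named fields as ATTR_OLD (inode, lsn, type) in a different order and
 * without the trailing unknown4, for a total of 40 bytes.
 */
typedef struct {	/* Format since Win10 (40 bytes) */
	le64 unknown1;
	le64 unknown2;
	le32 type;
	le32 unknown3;
	le64 inode;
	leLSN lsn;
} __attribute__((__packed__)) ATTR_NEW;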
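/*
 * $LogFile entry points; the definitions are outside this header.
 *
 * ntfs_check_logfile() and ntfs_is_logfile_clean() take the attribute for
 * the log file and return BOOL; ntfs_empty_logfile() returns int.
 * NOTE(review): rp in ntfs_check_logfile() is a pointer to a pointer, so it
 * presumably receives a restart page on success; who frees that page and the
 * exact return conventions are not visible here - confirm in the
 * implementation.
 */
extern BOOL ntfs_check_logfile(ntfs_attr *log_na, RESTART_PAGE_HEADER **rp);
extern BOOL ntfs_is_logfile_clean(ntfs_attr *log_na, RESTART_PAGE_HEADER *rp);
extern int ntfs_empty_logfile(ntfs_attr *na);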
#endif /* defined _NTFS_LOGFILE_H */