1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * This file is part of UBIFS.
4 *
5 * Copyright (C) 2006-2008 Nokia Corporation.
6 *
7 * Authors: Adrian Hunter
8 * Artem Bityutskiy (Битюцкий Артём)
9 */
10
11 /*
12 * This file contains journal replay code. It runs when the file-system is being
13 * mounted and requires no locking.
14 *
15 * The larger is the journal, the longer it takes to scan it, so the longer it
16 * takes to mount UBIFS. This is why the journal has limited size which may be
17 * changed depending on the system requirements. But a larger journal gives
18 * faster I/O speed because it writes the index less frequently. So this is a
19 * trade-off. Also, the journal is indexed by the in-memory index (TNC), so the
20 * larger is the journal, the more memory its index may consume.
21 */
22
23 #include "ubifs.h"
24 #include <linux/list_sort.h>
25 #include <crypto/hash.h>
26 #include <crypto/algapi.h>
27
28 /**
29 * struct replay_entry - replay list entry.
30 * @lnum: logical eraseblock number of the node
31 * @offs: node offset
32 * @len: node length
33 * @deletion: non-zero if this entry corresponds to a node deletion
34 * @sqnum: node sequence number
35 * @list: links the replay list
36 * @key: node key
37 * @nm: directory entry name
38 * @old_size: truncation old size
39 * @new_size: truncation new size
40 *
41 * The replay process first scans all buds and builds the replay list, then
42 * sorts the replay list in nodes sequence number order, and then inserts all
43 * the replay entries to the TNC.
44 */
45 struct replay_entry {
46 int lnum;
47 int offs;
48 int len;
49 u8 hash[UBIFS_HASH_ARR_SZ];
50 unsigned int deletion:1;
51 unsigned long long sqnum;
52 struct list_head list;
53 union ubifs_key key;
54 union {
55 struct fscrypt_name nm;
56 struct {
57 loff_t old_size;
58 loff_t new_size;
59 };
60 };
61 };
62
63 /**
64 * struct bud_entry - entry in the list of buds to replay.
65 * @list: next bud in the list
66 * @bud: bud description object
67 * @sqnum: reference node sequence number
68 * @free: free bytes in the bud
69 * @dirty: dirty bytes in the bud
70 */
71 struct bud_entry {
72 struct list_head list;
73 struct ubifs_bud *bud;
74 unsigned long long sqnum;
75 int free;
76 int dirty;
77 };
78
79 /**
80 * set_bud_lprops - set free and dirty space used by a bud.
81 * @c: UBIFS file-system description object
82 * @b: bud entry which describes the bud
83 *
84 * This function makes sure the LEB properties of bud @b are set correctly
85 * after the replay. Returns zero in case of success and a negative error code
86 * in case of failure.
87 */
88 static int set_bud_lprops(struct ubifs_info *c, struct bud_entry *b)
89 {
90 const struct ubifs_lprops *lp;
91 int err = 0, dirty;
92
93 ubifs_get_lprops(c);
94
95 lp = ubifs_lpt_lookup_dirty(c, b->bud->lnum);
96 if (IS_ERR(lp)) {
97 err = PTR_ERR(lp);
98 goto out;
99 }
100
101 dirty = lp->dirty;
102 if (b->bud->start == 0 && (lp->free != c->leb_size || lp->dirty != 0)) {
103 /*
104 * The LEB was added to the journal with a starting offset of
105 * zero which means the LEB must have been empty. The LEB
106 * property values should be @lp->free == @c->leb_size and
107 * @lp->dirty == 0, but that is not the case. The reason is that
108 * the LEB had been garbage collected before it became the bud,
109 * and there was not commit inbetween. The garbage collector
110 * resets the free and dirty space without recording it
111 * anywhere except lprops, so if there was no commit then
112 * lprops does not have that information.
113 *
114 * We do not need to adjust free space because the scan has told
115 * us the exact value which is recorded in the replay entry as
116 * @b->free.
117 *
118 * However we do need to subtract from the dirty space the
119 * amount of space that the garbage collector reclaimed, which
120 * is the whole LEB minus the amount of space that was free.
121 */
122 dbg_mnt("bud LEB %d was GC'd (%d free, %d dirty)", b->bud->lnum,
123 lp->free, lp->dirty);
124 dbg_gc("bud LEB %d was GC'd (%d free, %d dirty)", b->bud->lnum,
125 lp->free, lp->dirty);
126 dirty -= c->leb_size - lp->free;
127 /*
128 * If the replay order was perfect the dirty space would now be
129 * zero. The order is not perfect because the journal heads
130 * race with each other. This is not a problem but is does mean
131 * that the dirty space may temporarily exceed c->leb_size
132 * during the replay.
133 */
134 if (dirty != 0)
135 dbg_mnt("LEB %d lp: %d free %d dirty replay: %d free %d dirty",
136 b->bud->lnum, lp->free, lp->dirty, b->free,
137 b->dirty);
138 }
139 lp = ubifs_change_lp(c, lp, b->free, dirty + b->dirty,
140 lp->flags | LPROPS_TAKEN, 0);
141 if (IS_ERR(lp)) {
142 err = PTR_ERR(lp);
143 goto out;
144 }
145
146 /* Make sure the journal head points to the latest bud */
147 err = ubifs_wbuf_seek_nolock(&c->jheads[b->bud->jhead].wbuf,
148 b->bud->lnum, c->leb_size - b->free);
149
150 out:
151 ubifs_release_lprops(c);
152 return err;
153 }
154
155 /**
156 * set_buds_lprops - set free and dirty space for all replayed buds.
157 * @c: UBIFS file-system description object
158 *
159 * This function sets LEB properties for all replayed buds. Returns zero in
160 * case of success and a negative error code in case of failure.
161 */
162 static int set_buds_lprops(struct ubifs_info *c)
163 {
164 struct bud_entry *b;
165 int err;
166
167 list_for_each_entry(b, &c->replay_buds, list) {
168 err = set_bud_lprops(c, b);
169 if (err)
170 return err;
171 }
172
173 return 0;
174 }
175
176 /**
177 * trun_remove_range - apply a replay entry for a truncation to the TNC.
178 * @c: UBIFS file-system description object
179 * @r: replay entry of truncation
180 */
181 static int trun_remove_range(struct ubifs_info *c, struct replay_entry *r)
182 {
183 unsigned min_blk, max_blk;
184 union ubifs_key min_key, max_key;
185 ino_t ino;
186
187 min_blk = r->new_size / UBIFS_BLOCK_SIZE;
188 if (r->new_size & (UBIFS_BLOCK_SIZE - 1))
189 min_blk += 1;
190
191 max_blk = r->old_size / UBIFS_BLOCK_SIZE;
192 if ((r->old_size & (UBIFS_BLOCK_SIZE - 1)) == 0)
193 max_blk -= 1;
194
195 ino = key_inum(c, &r->key);
196
197 data_key_init(c, &min_key, ino, min_blk);
198 data_key_init(c, &max_key, ino, max_blk);
199
200 return ubifs_tnc_remove_range(c, &min_key, &max_key);
201 }
202
203 /**
204 * inode_still_linked - check whether inode in question will be re-linked.
205 * @c: UBIFS file-system description object
206 * @rino: replay entry to test
207 *
208 * O_TMPFILE files can be re-linked, this means link count goes from 0 to 1.
209 * This case needs special care, otherwise all references to the inode will
210 * be removed upon the first replay entry of an inode with link count 0
211 * is found.
212 */
213 static bool inode_still_linked(struct ubifs_info *c, struct replay_entry *rino)
214 {
215 struct replay_entry *r;
216
217 ubifs_assert(c, rino->deletion);
218 ubifs_assert(c, key_type(c, &rino->key) == UBIFS_INO_KEY);
219
220 /*
221 * Find the most recent entry for the inode behind @rino and check
222 * whether it is a deletion.
223 */
224 list_for_each_entry_reverse(r, &c->replay_list, list) {
225 ubifs_assert(c, r->sqnum >= rino->sqnum);
226 if (key_inum(c, &r->key) == key_inum(c, &rino->key))
227 return r->deletion == 0;
228
229 }
230
231 ubifs_assert(c, 0);
232 return false;
233 }
234
235 /**
236 * apply_replay_entry - apply a replay entry to the TNC.
237 * @c: UBIFS file-system description object
238 * @r: replay entry to apply
239 *
240 * Apply a replay entry to the TNC.
241 */
242 static int apply_replay_entry(struct ubifs_info *c, struct replay_entry *r)
243 {
244 int err;
245
246 dbg_mntk(&r->key, "LEB %d:%d len %d deletion %d sqnum %llu key ",
247 r->lnum, r->offs, r->len, r->deletion, r->sqnum);
248
249 if (is_hash_key(c, &r->key)) {
250 if (r->deletion)
251 err = ubifs_tnc_remove_nm(c, &r->key, &r->nm);
252 else
253 err = ubifs_tnc_add_nm(c, &r->key, r->lnum, r->offs,
254 r->len, r->hash, &r->nm);
255 } else {
256 if (r->deletion)
257 switch (key_type(c, &r->key)) {
258 case UBIFS_INO_KEY:
259 {
260 ino_t inum = key_inum(c, &r->key);
261
262 if (inode_still_linked(c, r)) {
263 err = 0;
264 break;
265 }
266
267 err = ubifs_tnc_remove_ino(c, inum);
268 break;
269 }
270 case UBIFS_TRUN_KEY:
271 err = trun_remove_range(c, r);
272 break;
273 default:
274 err = ubifs_tnc_remove(c, &r->key);
275 break;
276 }
277 else
278 err = ubifs_tnc_add(c, &r->key, r->lnum, r->offs,
279 r->len, r->hash);
280 if (err)
281 return err;
282
283 if (c->need_recovery)
284 err = ubifs_recover_size_accum(c, &r->key, r->deletion,
285 r->new_size);
286 }
287
288 return err;
289 }
290
291 /**
292 * replay_entries_cmp - compare 2 replay entries.
293 * @priv: UBIFS file-system description object
294 * @a: first replay entry
295 * @b: second replay entry
296 *
297 * This is a comparios function for 'list_sort()' which compares 2 replay
298 * entries @a and @b by comparing their sequence numer. Returns %1 if @a has
299 * greater sequence number and %-1 otherwise.
300 */
301 static int replay_entries_cmp(void *priv, struct list_head *a,
302 struct list_head *b)
303 {
304 struct ubifs_info *c = priv;
305 struct replay_entry *ra, *rb;
306
307 cond_resched();
308 if (a == b)
309 return 0;
310
311 ra = list_entry(a, struct replay_entry, list);
312 rb = list_entry(b, struct replay_entry, list);
313 ubifs_assert(c, ra->sqnum != rb->sqnum);
314 if (ra->sqnum > rb->sqnum)
315 return 1;
316 return -1;
317 }
318
319 /**
320 * apply_replay_list - apply the replay list to the TNC.
321 * @c: UBIFS file-system description object
322 *
323 * Apply all entries in the replay list to the TNC. Returns zero in case of
324 * success and a negative error code in case of failure.
325 */
326 static int apply_replay_list(struct ubifs_info *c)
327 {
328 struct replay_entry *r;
329 int err;
330
331 list_sort(c, &c->replay_list, &replay_entries_cmp);
332
333 list_for_each_entry(r, &c->replay_list, list) {
334 cond_resched();
335
336 err = apply_replay_entry(c, r);
337 if (err)
338 return err;
339 }
340
341 return 0;
342 }
343
344 /**
345 * destroy_replay_list - destroy the replay.
346 * @c: UBIFS file-system description object
347 *
348 * Destroy the replay list.
349 */
350 static void destroy_replay_list(struct ubifs_info *c)
351 {
352 struct replay_entry *r, *tmp;
353
354 list_for_each_entry_safe(r, tmp, &c->replay_list, list) {
355 if (is_hash_key(c, &r->key))
356 kfree(fname_name(&r->nm));
357 list_del(&r->list);
358 kfree(r);
359 }
360 }
361
362 /**
363 * insert_node - insert a node to the replay list
364 * @c: UBIFS file-system description object
365 * @lnum: node logical eraseblock number
366 * @offs: node offset
367 * @len: node length
368 * @key: node key
369 * @sqnum: sequence number
370 * @deletion: non-zero if this is a deletion
371 * @used: number of bytes in use in a LEB
372 * @old_size: truncation old size
373 * @new_size: truncation new size
374 *
375 * This function inserts a scanned non-direntry node to the replay list. The
376 * replay list contains @struct replay_entry elements, and we sort this list in
377 * sequence number order before applying it. The replay list is applied at the
378 * very end of the replay process. Since the list is sorted in sequence number
379 * order, the older modifications are applied first. This function returns zero
380 * in case of success and a negative error code in case of failure.
381 */
382 static int insert_node(struct ubifs_info *c, int lnum, int offs, int len,
383 const u8 *hash, union ubifs_key *key,
384 unsigned long long sqnum, int deletion, int *used,
385 loff_t old_size, loff_t new_size)
386 {
387 struct replay_entry *r;
388
389 dbg_mntk(key, "add LEB %d:%d, key ", lnum, offs);
390
391 if (key_inum(c, key) >= c->highest_inum)
392 c->highest_inum = key_inum(c, key);
393
394 r = kzalloc(sizeof(struct replay_entry), GFP_KERNEL);
395 if (!r)
396 return -ENOMEM;
397
398 if (!deletion)
399 *used += ALIGN(len, 8);
400 r->lnum = lnum;
401 r->offs = offs;
402 r->len = len;
403 ubifs_copy_hash(c, hash, r->hash);
404 r->deletion = !!deletion;
405 r->sqnum = sqnum;
406 key_copy(c, key, &r->key);
407 r->old_size = old_size;
408 r->new_size = new_size;
409
410 list_add_tail(&r->list, &c->replay_list);
411 return 0;
412 }
413
414 /**
415 * insert_dent - insert a directory entry node into the replay list.
416 * @c: UBIFS file-system description object
417 * @lnum: node logical eraseblock number
418 * @offs: node offset
419 * @len: node length
420 * @key: node key
421 * @name: directory entry name
422 * @nlen: directory entry name length
423 * @sqnum: sequence number
424 * @deletion: non-zero if this is a deletion
425 * @used: number of bytes in use in a LEB
426 *
427 * This function inserts a scanned directory entry node or an extended
428 * attribute entry to the replay list. Returns zero in case of success and a
429 * negative error code in case of failure.
430 */
431 static int insert_dent(struct ubifs_info *c, int lnum, int offs, int len,
432 const u8 *hash, union ubifs_key *key,
433 const char *name, int nlen, unsigned long long sqnum,
434 int deletion, int *used)
435 {
436 struct replay_entry *r;
437 char *nbuf;
438
439 dbg_mntk(key, "add LEB %d:%d, key ", lnum, offs);
440 if (key_inum(c, key) >= c->highest_inum)
441 c->highest_inum = key_inum(c, key);
442
443 r = kzalloc(sizeof(struct replay_entry), GFP_KERNEL);
444 if (!r)
445 return -ENOMEM;
446
447 nbuf = kmalloc(nlen + 1, GFP_KERNEL);
448 if (!nbuf) {
449 kfree(r);
450 return -ENOMEM;
451 }
452
453 if (!deletion)
454 *used += ALIGN(len, 8);
455 r->lnum = lnum;
456 r->offs = offs;
457 r->len = len;
458 ubifs_copy_hash(c, hash, r->hash);
459 r->deletion = !!deletion;
460 r->sqnum = sqnum;
461 key_copy(c, key, &r->key);
462 fname_len(&r->nm) = nlen;
463 memcpy(nbuf, name, nlen);
464 nbuf[nlen] = '\0';
465 fname_name(&r->nm) = nbuf;
466
467 list_add_tail(&r->list, &c->replay_list);
468 return 0;
469 }
470
471 /**
472 * ubifs_validate_entry - validate directory or extended attribute entry node.
473 * @c: UBIFS file-system description object
474 * @dent: the node to validate
475 *
476 * This function validates directory or extended attribute entry node @dent.
477 * Returns zero if the node is all right and a %-EINVAL if not.
478 */
479 int ubifs_validate_entry(struct ubifs_info *c,
480 const struct ubifs_dent_node *dent)
481 {
482 int key_type = key_type_flash(c, dent->key);
483 int nlen = le16_to_cpu(dent->nlen);
484
485 if (le32_to_cpu(dent->ch.len) != nlen + UBIFS_DENT_NODE_SZ + 1 ||
486 dent->type >= UBIFS_ITYPES_CNT ||
487 nlen > UBIFS_MAX_NLEN || dent->name[nlen] != 0 ||
488 (key_type == UBIFS_XENT_KEY && strnlen(dent->name, nlen) != nlen) ||
489 le64_to_cpu(dent->inum) > MAX_INUM) {
490 ubifs_err(c, "bad %s node", key_type == UBIFS_DENT_KEY ?
491 "directory entry" : "extended attribute entry");
492 return -EINVAL;
493 }
494
495 if (key_type != UBIFS_DENT_KEY && key_type != UBIFS_XENT_KEY) {
496 ubifs_err(c, "bad key type %d", key_type);
497 return -EINVAL;
498 }
499
500 return 0;
501 }
502
503 /**
504 * is_last_bud - check if the bud is the last in the journal head.
505 * @c: UBIFS file-system description object
506 * @bud: bud description object
507 *
508 * This function checks if bud @bud is the last bud in its journal head. This
509 * information is then used by 'replay_bud()' to decide whether the bud can
510 * have corruptions or not. Indeed, only last buds can be corrupted by power
511 * cuts. Returns %1 if this is the last bud, and %0 if not.
512 */
513 static int is_last_bud(struct ubifs_info *c, struct ubifs_bud *bud)
514 {
515 struct ubifs_jhead *jh = &c->jheads[bud->jhead];
516 struct ubifs_bud *next;
517 uint32_t data;
518 int err;
519
520 if (list_is_last(&bud->list, &jh->buds_list))
521 return 1;
522
523 /*
524 * The following is a quirk to make sure we work correctly with UBIFS
525 * images used with older UBIFS.
526 *
527 * Normally, the last bud will be the last in the journal head's list
528 * of bud. However, there is one exception if the UBIFS image belongs
529 * to older UBIFS. This is fairly unlikely: one would need to use old
530 * UBIFS, then have a power cut exactly at the right point, and then
531 * try to mount this image with new UBIFS.
532 *
533 * The exception is: it is possible to have 2 buds A and B, A goes
534 * before B, and B is the last, bud B is contains no data, and bud A is
535 * corrupted at the end. The reason is that in older versions when the
536 * journal code switched the next bud (from A to B), it first added a
537 * log reference node for the new bud (B), and only after this it
538 * synchronized the write-buffer of current bud (A). But later this was
539 * changed and UBIFS started to always synchronize the write-buffer of
540 * the bud (A) before writing the log reference for the new bud (B).
541 *
542 * But because older UBIFS always synchronized A's write-buffer before
543 * writing to B, we can recognize this exceptional situation but
544 * checking the contents of bud B - if it is empty, then A can be
545 * treated as the last and we can recover it.
546 *
547 * TODO: remove this piece of code in a couple of years (today it is
548 * 16.05.2011).
549 */
550 next = list_entry(bud->list.next, struct ubifs_bud, list);
551 if (!list_is_last(&next->list, &jh->buds_list))
552 return 0;
553
554 err = ubifs_leb_read(c, next->lnum, (char *)&data, next->start, 4, 1);
555 if (err)
556 return 0;
557
558 return data == 0xFFFFFFFF;
559 }
560
561 /* authenticate_sleb_hash and authenticate_sleb_hmac are split out for stack usage */
562 static int authenticate_sleb_hash(struct ubifs_info *c, struct shash_desc *log_hash, u8 *hash)
563 {
564 SHASH_DESC_ON_STACK(hash_desc, c->hash_tfm);
565
566 hash_desc->tfm = c->hash_tfm;
567
568 ubifs_shash_copy_state(c, log_hash, hash_desc);
569 return crypto_shash_final(hash_desc, hash);
570 }
571
572 static int authenticate_sleb_hmac(struct ubifs_info *c, u8 *hash, u8 *hmac)
573 {
574 SHASH_DESC_ON_STACK(hmac_desc, c->hmac_tfm);
575
576 hmac_desc->tfm = c->hmac_tfm;
577
578 return crypto_shash_digest(hmac_desc, hash, c->hash_len, hmac);
579 }
580
581 /**
582 * authenticate_sleb - authenticate one scan LEB
583 * @c: UBIFS file-system description object
584 * @sleb: the scan LEB to authenticate
585 * @log_hash:
586 * @is_last: if true, this is is the last LEB
587 *
588 * This function iterates over the buds of a single LEB authenticating all buds
589 * with the authentication nodes on this LEB. Authentication nodes are written
590 * after some buds and contain a HMAC covering the authentication node itself
591 * and the buds between the last authentication node and the current
592 * authentication node. It can happen that the last buds cannot be authenticated
593 * because a powercut happened when some nodes were written but not the
594 * corresponding authentication node. This function returns the number of nodes
595 * that could be authenticated or a negative error code.
596 */
597 static int authenticate_sleb(struct ubifs_info *c, struct ubifs_scan_leb *sleb,
598 struct shash_desc *log_hash, int is_last)
599 {
600 int n_not_auth = 0;
601 struct ubifs_scan_node *snod;
602 int n_nodes = 0;
603 int err;
604 u8 hash[UBIFS_HASH_ARR_SZ];
605 u8 hmac[UBIFS_HMAC_ARR_SZ];
606
607 if (!ubifs_authenticated(c))
608 return sleb->nodes_cnt;
609
610 list_for_each_entry(snod, &sleb->nodes, list) {
611
612 n_nodes++;
613
614 if (snod->type == UBIFS_AUTH_NODE) {
615 struct ubifs_auth_node *auth = snod->node;
616
617 err = authenticate_sleb_hash(c, log_hash, hash);
618 if (err)
619 goto out;
620
621 err = authenticate_sleb_hmac(c, hash, hmac);
622 if (err)
623 goto out;
624
625 err = ubifs_check_hmac(c, auth->hmac, hmac);
626 if (err) {
627 err = -EPERM;
628 goto out;
629 }
630 n_not_auth = 0;
631 } else {
632 err = crypto_shash_update(log_hash, snod->node,
633 snod->len);
634 if (err)
635 goto out;
636 n_not_auth++;
637 }
638 }
639
640 /*
641 * A powercut can happen when some nodes were written, but not yet
642 * the corresponding authentication node. This may only happen on
643 * the last bud though.
644 */
645 if (n_not_auth) {
646 if (is_last) {
647 dbg_mnt("%d unauthenticated nodes found on LEB %d, Ignoring them",
648 n_not_auth, sleb->lnum);
649 err = 0;
650 } else {
651 dbg_mnt("%d unauthenticated nodes found on non-last LEB %d",
652 n_not_auth, sleb->lnum);
653 err = -EPERM;
654 }
655 } else {
656 err = 0;
657 }
658 out:
659 return err ? err : n_nodes - n_not_auth;
660 }
661
662 /**
663 * replay_bud - replay a bud logical eraseblock.
664 * @c: UBIFS file-system description object
665 * @b: bud entry which describes the bud
666 *
667 * This function replays bud @bud, recovers it if needed, and adds all nodes
668 * from this bud to the replay list. Returns zero in case of success and a
669 * negative error code in case of failure.
670 */
671 static int replay_bud(struct ubifs_info *c, struct bud_entry *b)
672 {
673 int is_last = is_last_bud(c, b->bud);
674 int err = 0, used = 0, lnum = b->bud->lnum, offs = b->bud->start;
675 int n_nodes, n = 0;
676 struct ubifs_scan_leb *sleb;
677 struct ubifs_scan_node *snod;
678
679 dbg_mnt("replay bud LEB %d, head %d, offs %d, is_last %d",
680 lnum, b->bud->jhead, offs, is_last);
681
682 if (c->need_recovery && is_last)
683 /*
684 * Recover only last LEBs in the journal heads, because power
685 * cuts may cause corruptions only in these LEBs, because only
686 * these LEBs could possibly be written to at the power cut
687 * time.
688 */
689 sleb = ubifs_recover_leb(c, lnum, offs, c->sbuf, b->bud->jhead);
690 else
691 sleb = ubifs_scan(c, lnum, offs, c->sbuf, 0);
692 if (IS_ERR(sleb))
693 return PTR_ERR(sleb);
694
695 n_nodes = authenticate_sleb(c, sleb, b->bud->log_hash, is_last);
696 if (n_nodes < 0) {
697 err = n_nodes;
698 goto out;
699 }
700
701 ubifs_shash_copy_state(c, b->bud->log_hash,
702 c->jheads[b->bud->jhead].log_hash);
703
704 /*
705 * The bud does not have to start from offset zero - the beginning of
706 * the 'lnum' LEB may contain previously committed data. One of the
707 * things we have to do in replay is to correctly update lprops with
708 * newer information about this LEB.
709 *
710 * At this point lprops thinks that this LEB has 'c->leb_size - offs'
711 * bytes of free space because it only contain information about
712 * committed data.
713 *
714 * But we know that real amount of free space is 'c->leb_size -
715 * sleb->endpt', and the space in the 'lnum' LEB between 'offs' and
716 * 'sleb->endpt' is used by bud data. We have to correctly calculate
717 * how much of these data are dirty and update lprops with this
718 * information.
719 *
720 * The dirt in that LEB region is comprised of padding nodes, deletion
721 * nodes, truncation nodes and nodes which are obsoleted by subsequent
722 * nodes in this LEB. So instead of calculating clean space, we
723 * calculate used space ('used' variable).
724 */
725
726 list_for_each_entry(snod, &sleb->nodes, list) {
727 u8 hash[UBIFS_HASH_ARR_SZ];
728 int deletion = 0;
729
730 cond_resched();
731
732 if (snod->sqnum >= SQNUM_WATERMARK) {
733 ubifs_err(c, "file system's life ended");
734 goto out_dump;
735 }
736
737 ubifs_node_calc_hash(c, snod->node, hash);
738
739 if (snod->sqnum > c->max_sqnum)
740 c->max_sqnum = snod->sqnum;
741
742 switch (snod->type) {
743 case UBIFS_INO_NODE:
744 {
745 struct ubifs_ino_node *ino = snod->node;
746 loff_t new_size = le64_to_cpu(ino->size);
747
748 if (le32_to_cpu(ino->nlink) == 0)
749 deletion = 1;
750 err = insert_node(c, lnum, snod->offs, snod->len, hash,
751 &snod->key, snod->sqnum, deletion,
752 &used, 0, new_size);
753 break;
754 }
755 case UBIFS_DATA_NODE:
756 {
757 struct ubifs_data_node *dn = snod->node;
758 loff_t new_size = le32_to_cpu(dn->size) +
759 key_block(c, &snod->key) *
760 UBIFS_BLOCK_SIZE;
761
762 err = insert_node(c, lnum, snod->offs, snod->len, hash,
763 &snod->key, snod->sqnum, deletion,
764 &used, 0, new_size);
765 break;
766 }
767 case UBIFS_DENT_NODE:
768 case UBIFS_XENT_NODE:
769 {
770 struct ubifs_dent_node *dent = snod->node;
771
772 err = ubifs_validate_entry(c, dent);
773 if (err)
774 goto out_dump;
775
776 err = insert_dent(c, lnum, snod->offs, snod->len, hash,
777 &snod->key, dent->name,
778 le16_to_cpu(dent->nlen), snod->sqnum,
779 !le64_to_cpu(dent->inum), &used);
780 break;
781 }
782 case UBIFS_TRUN_NODE:
783 {
784 struct ubifs_trun_node *trun = snod->node;
785 loff_t old_size = le64_to_cpu(trun->old_size);
786 loff_t new_size = le64_to_cpu(trun->new_size);
787 union ubifs_key key;
788
789 /* Validate truncation node */
790 if (old_size < 0 || old_size > c->max_inode_sz ||
791 new_size < 0 || new_size > c->max_inode_sz ||
792 old_size <= new_size) {
793 ubifs_err(c, "bad truncation node");
794 goto out_dump;
795 }
796
797 /*
798 * Create a fake truncation key just to use the same
799 * functions which expect nodes to have keys.
800 */
801 trun_key_init(c, &key, le32_to_cpu(trun->inum));
802 err = insert_node(c, lnum, snod->offs, snod->len, hash,
803 &key, snod->sqnum, 1, &used,
804 old_size, new_size);
805 break;
806 }
807 case UBIFS_AUTH_NODE:
808 break;
809 default:
810 ubifs_err(c, "unexpected node type %d in bud LEB %d:%d",
811 snod->type, lnum, snod->offs);
812 err = -EINVAL;
813 goto out_dump;
814 }
815 if (err)
816 goto out;
817
818 n++;
819 if (n == n_nodes)
820 break;
821 }
822
823 ubifs_assert(c, ubifs_search_bud(c, lnum));
824 ubifs_assert(c, sleb->endpt - offs >= used);
825 ubifs_assert(c, sleb->endpt % c->min_io_size == 0);
826
827 b->dirty = sleb->endpt - offs - used;
828 b->free = c->leb_size - sleb->endpt;
829 dbg_mnt("bud LEB %d replied: dirty %d, free %d",
830 lnum, b->dirty, b->free);
831
832 out:
833 ubifs_scan_destroy(sleb);
834 return err;
835
836 out_dump:
837 ubifs_err(c, "bad node is at LEB %d:%d", lnum, snod->offs);
838 ubifs_dump_node(c, snod->node);
839 ubifs_scan_destroy(sleb);
840 return -EINVAL;
841 }
842
843 /**
844 * replay_buds - replay all buds.
845 * @c: UBIFS file-system description object
846 *
847 * This function returns zero in case of success and a negative error code in
848 * case of failure.
849 */
850 static int replay_buds(struct ubifs_info *c)
851 {
852 struct bud_entry *b;
853 int err;
854 unsigned long long prev_sqnum = 0;
855
856 list_for_each_entry(b, &c->replay_buds, list) {
857 err = replay_bud(c, b);
858 if (err)
859 return err;
860
861 ubifs_assert(c, b->sqnum > prev_sqnum);
862 prev_sqnum = b->sqnum;
863 }
864
865 return 0;
866 }
867
868 /**
869 * destroy_bud_list - destroy the list of buds to replay.
870 * @c: UBIFS file-system description object
871 */
872 static void destroy_bud_list(struct ubifs_info *c)
873 {
874 struct bud_entry *b;
875
876 while (!list_empty(&c->replay_buds)) {
877 b = list_entry(c->replay_buds.next, struct bud_entry, list);
878 list_del(&b->list);
879 kfree(b);
880 }
881 }
882
883 /**
884 * add_replay_bud - add a bud to the list of buds to replay.
885 * @c: UBIFS file-system description object
886 * @lnum: bud logical eraseblock number to replay
887 * @offs: bud start offset
888 * @jhead: journal head to which this bud belongs
889 * @sqnum: reference node sequence number
890 *
891 * This function returns zero in case of success and a negative error code in
892 * case of failure.
893 */
894 static int add_replay_bud(struct ubifs_info *c, int lnum, int offs, int jhead,
895 unsigned long long sqnum)
896 {
897 struct ubifs_bud *bud;
898 struct bud_entry *b;
899 int err;
900
901 dbg_mnt("add replay bud LEB %d:%d, head %d", lnum, offs, jhead);
902
903 bud = kmalloc(sizeof(struct ubifs_bud), GFP_KERNEL);
904 if (!bud)
905 return -ENOMEM;
906
907 b = kmalloc(sizeof(struct bud_entry), GFP_KERNEL);
908 if (!b) {
909 err = -ENOMEM;
910 goto out;
911 }
912
913 bud->lnum = lnum;
914 bud->start = offs;
915 bud->jhead = jhead;
916 bud->log_hash = ubifs_hash_get_desc(c);
917 if (IS_ERR(bud->log_hash)) {
918 err = PTR_ERR(bud->log_hash);
919 goto out;
920 }
921
922 ubifs_shash_copy_state(c, c->log_hash, bud->log_hash);
923
924 ubifs_add_bud(c, bud);
925
926 b->bud = bud;
927 b->sqnum = sqnum;
928 list_add_tail(&b->list, &c->replay_buds);
929
930 return 0;
931 out:
932 kfree(bud);
933 kfree(b);
934
935 return err;
936 }
937
938 /**
939 * validate_ref - validate a reference node.
940 * @c: UBIFS file-system description object
941 * @ref: the reference node to validate
942 * @ref_lnum: LEB number of the reference node
943 * @ref_offs: reference node offset
944 *
945 * This function returns %1 if a bud reference already exists for the LEB. %0 is
946 * returned if the reference node is new, otherwise %-EINVAL is returned if
947 * validation failed.
948 */
949 static int validate_ref(struct ubifs_info *c, const struct ubifs_ref_node *ref)
950 {
951 struct ubifs_bud *bud;
952 int lnum = le32_to_cpu(ref->lnum);
953 unsigned int offs = le32_to_cpu(ref->offs);
954 unsigned int jhead = le32_to_cpu(ref->jhead);
955
956 /*
957 * ref->offs may point to the end of LEB when the journal head points
958 * to the end of LEB and we write reference node for it during commit.
959 * So this is why we require 'offs > c->leb_size'.
960 */
961 if (jhead >= c->jhead_cnt || lnum >= c->leb_cnt ||
962 lnum < c->main_first || offs > c->leb_size ||
963 offs & (c->min_io_size - 1))
964 return -EINVAL;
965
966 /* Make sure we have not already looked at this bud */
967 bud = ubifs_search_bud(c, lnum);
968 if (bud) {
969 if (bud->jhead == jhead && bud->start <= offs)
970 return 1;
971 ubifs_err(c, "bud at LEB %d:%d was already referred", lnum, offs);
972 return -EINVAL;
973 }
974
975 return 0;
976 }
977
978 /**
979 * replay_log_leb - replay a log logical eraseblock.
980 * @c: UBIFS file-system description object
981 * @lnum: log logical eraseblock to replay
982 * @offs: offset to start replaying from
983 * @sbuf: scan buffer
984 *
985 * This function replays a log LEB and returns zero in case of success, %1 if
986 * this is the last LEB in the log, and a negative error code in case of
987 * failure.
988 */
989 static int replay_log_leb(struct ubifs_info *c, int lnum, int offs, void *sbuf)
990 {
991 int err;
992 struct ubifs_scan_leb *sleb;
993 struct ubifs_scan_node *snod;
994 const struct ubifs_cs_node *node;
995
996 dbg_mnt("replay log LEB %d:%d", lnum, offs);
997 sleb = ubifs_scan(c, lnum, offs, sbuf, c->need_recovery);
998 if (IS_ERR(sleb)) {
999 if (PTR_ERR(sleb) != -EUCLEAN || !c->need_recovery)
1000 return PTR_ERR(sleb);
1001 /*
1002 * Note, the below function will recover this log LEB only if
1003 * it is the last, because unclean reboots can possibly corrupt
1004 * only the tail of the log.
1005 */
1006 sleb = ubifs_recover_log_leb(c, lnum, offs, sbuf);
1007 if (IS_ERR(sleb))
1008 return PTR_ERR(sleb);
1009 }
1010
1011 if (sleb->nodes_cnt == 0) {
1012 err = 1;
1013 goto out;
1014 }
1015
1016 node = sleb->buf;
1017 snod = list_entry(sleb->nodes.next, struct ubifs_scan_node, list);
1018 if (c->cs_sqnum == 0) {
1019 /*
1020 * This is the first log LEB we are looking at, make sure that
1021 * the first node is a commit start node. Also record its
1022 * sequence number so that UBIFS can determine where the log
1023 * ends, because all nodes which were have higher sequence
1024 * numbers.
1025 */
1026 if (snod->type != UBIFS_CS_NODE) {
1027 ubifs_err(c, "first log node at LEB %d:%d is not CS node",
1028 lnum, offs);
1029 goto out_dump;
1030 }
1031 if (le64_to_cpu(node->cmt_no) != c->cmt_no) {
1032 ubifs_err(c, "first CS node at LEB %d:%d has wrong commit number %llu expected %llu",
1033 lnum, offs,
1034 (unsigned long long)le64_to_cpu(node->cmt_no),
1035 c->cmt_no);
1036 goto out_dump;
1037 }
1038
1039 c->cs_sqnum = le64_to_cpu(node->ch.sqnum);
1040 dbg_mnt("commit start sqnum %llu", c->cs_sqnum);
1041
1042 err = ubifs_shash_init(c, c->log_hash);
1043 if (err)
1044 goto out;
1045
1046 err = ubifs_shash_update(c, c->log_hash, node, UBIFS_CS_NODE_SZ);
1047 if (err < 0)
1048 goto out;
1049 }
1050
1051 if (snod->sqnum < c->cs_sqnum) {
1052 /*
1053 * This means that we reached end of log and now
1054 * look to the older log data, which was already
1055 * committed but the eraseblock was not erased (UBIFS
1056 * only un-maps it). So this basically means we have to
1057 * exit with "end of log" code.
1058 */
1059 err = 1;
1060 goto out;
1061 }
1062
1063 /* Make sure the first node sits at offset zero of the LEB */
1064 if (snod->offs != 0) {
1065 ubifs_err(c, "first node is not at zero offset");
1066 goto out_dump;
1067 }
1068
1069 list_for_each_entry(snod, &sleb->nodes, list) {
1070 cond_resched();
1071
1072 if (snod->sqnum >= SQNUM_WATERMARK) {
1073 ubifs_err(c, "file system's life ended");
1074 goto out_dump;
1075 }
1076
1077 if (snod->sqnum < c->cs_sqnum) {
1078 ubifs_err(c, "bad sqnum %llu, commit sqnum %llu",
1079 snod->sqnum, c->cs_sqnum);
1080 goto out_dump;
1081 }
1082
1083 if (snod->sqnum > c->max_sqnum)
1084 c->max_sqnum = snod->sqnum;
1085
1086 switch (snod->type) {
1087 case UBIFS_REF_NODE: {
1088 const struct ubifs_ref_node *ref = snod->node;
1089
1090 err = validate_ref(c, ref);
1091 if (err == 1)
1092 break; /* Already have this bud */
1093 if (err)
1094 goto out_dump;
1095
1096 err = ubifs_shash_update(c, c->log_hash, ref,
1097 UBIFS_REF_NODE_SZ);
1098 if (err)
1099 goto out;
1100
1101 err = add_replay_bud(c, le32_to_cpu(ref->lnum),
1102 le32_to_cpu(ref->offs),
1103 le32_to_cpu(ref->jhead),
1104 snod->sqnum);
1105 if (err)
1106 goto out;
1107
1108 break;
1109 }
1110 case UBIFS_CS_NODE:
1111 /* Make sure it sits at the beginning of LEB */
1112 if (snod->offs != 0) {
1113 ubifs_err(c, "unexpected node in log");
1114 goto out_dump;
1115 }
1116 break;
1117 default:
1118 ubifs_err(c, "unexpected node in log");
1119 goto out_dump;
1120 }
1121 }
1122
1123 if (sleb->endpt || c->lhead_offs >= c->leb_size) {
1124 c->lhead_lnum = lnum;
1125 c->lhead_offs = sleb->endpt;
1126 }
1127
1128 err = !sleb->endpt;
1129 out:
1130 ubifs_scan_destroy(sleb);
1131 return err;
1132
1133 out_dump:
1134 ubifs_err(c, "log error detected while replaying the log at LEB %d:%d",
1135 lnum, offs + snod->offs);
1136 ubifs_dump_node(c, snod->node);
1137 ubifs_scan_destroy(sleb);
1138 return -EINVAL;
1139 }
1140
1141 /**
1142 * take_ihead - update the status of the index head in lprops to 'taken'.
1143 * @c: UBIFS file-system description object
1144 *
1145 * This function returns the amount of free space in the index head LEB or a
1146 * negative error code.
1147 */
1148 static int take_ihead(struct ubifs_info *c)
1149 {
1150 const struct ubifs_lprops *lp;
1151 int err, free;
1152
1153 ubifs_get_lprops(c);
1154
1155 lp = ubifs_lpt_lookup_dirty(c, c->ihead_lnum);
1156 if (IS_ERR(lp)) {
1157 err = PTR_ERR(lp);
1158 goto out;
1159 }
1160
1161 free = lp->free;
1162
1163 lp = ubifs_change_lp(c, lp, LPROPS_NC, LPROPS_NC,
1164 lp->flags | LPROPS_TAKEN, 0);
1165 if (IS_ERR(lp)) {
1166 err = PTR_ERR(lp);
1167 goto out;
1168 }
1169
1170 err = free;
1171 out:
1172 ubifs_release_lprops(c);
1173 return err;
1174 }
1175
1176 /**
1177 * ubifs_replay_journal - replay journal.
1178 * @c: UBIFS file-system description object
1179 *
1180 * This function scans the journal, replays and cleans it up. It makes sure all
1181 * memory data structures related to uncommitted journal are built (dirty TNC
1182 * tree, tree of buds, modified lprops, etc).
1183 */
1184 int ubifs_replay_journal(struct ubifs_info *c)
1185 {
1186 int err, lnum, free;
1187
1188 BUILD_BUG_ON(UBIFS_TRUN_KEY > 5);
1189
1190 /* Update the status of the index head in lprops to 'taken' */
1191 free = take_ihead(c);
1192 if (free < 0)
1193 return free; /* Error code */
1194
1195 if (c->ihead_offs != c->leb_size - free) {
1196 ubifs_err(c, "bad index head LEB %d:%d", c->ihead_lnum,
1197 c->ihead_offs);
1198 return -EINVAL;
1199 }
1200
1201 dbg_mnt("start replaying the journal");
1202 c->replaying = 1;
1203 lnum = c->ltail_lnum = c->lhead_lnum;
1204
1205 do {
1206 err = replay_log_leb(c, lnum, 0, c->sbuf);
1207 if (err == 1) {
1208 if (lnum != c->lhead_lnum)
1209 /* We hit the end of the log */
1210 break;
1211
1212 /*
1213 * The head of the log must always start with the
1214 * "commit start" node on a properly formatted UBIFS.
1215 * But we found no nodes at all, which means that
1216 * something went wrong and we cannot proceed mounting
1217 * the file-system.
1218 */
1219 ubifs_err(c, "no UBIFS nodes found at the log head LEB %d:%d, possibly corrupted",
1220 lnum, 0);
1221 err = -EINVAL;
1222 }
1223 if (err)
1224 goto out;
1225 lnum = ubifs_next_log_lnum(c, lnum);
1226 } while (lnum != c->ltail_lnum);
1227
1228 err = replay_buds(c);
1229 if (err)
1230 goto out;
1231
1232 err = apply_replay_list(c);
1233 if (err)
1234 goto out;
1235
1236 err = set_buds_lprops(c);
1237 if (err)
1238 goto out;
1239
1240 /*
1241 * UBIFS budgeting calculations use @c->bi.uncommitted_idx variable
1242 * to roughly estimate index growth. Things like @c->bi.min_idx_lebs
1243 * depend on it. This means we have to initialize it to make sure
1244 * budgeting works properly.
1245 */
1246 c->bi.uncommitted_idx = atomic_long_read(&c->dirty_zn_cnt);
1247 c->bi.uncommitted_idx *= c->max_idx_node_sz;
1248
1249 ubifs_assert(c, c->bud_bytes <= c->max_bud_bytes || c->need_recovery);
1250 dbg_mnt("finished, log head LEB %d:%d, max_sqnum %llu, highest_inum %lu",
1251 c->lhead_lnum, c->lhead_offs, c->max_sqnum,
1252 (unsigned long)c->highest_inum);
1253 out:
1254 destroy_replay_list(c);
1255 destroy_bud_list(c);
1256 c->replaying = 0;
1257 return err;
1258 }