linux/fs/ubifs/recovery.c
<<
>>
Prefs
   1// SPDX-License-Identifier: GPL-2.0-only
   2/*
   3 * This file is part of UBIFS.
   4 *
   5 * Copyright (C) 2006-2008 Nokia Corporation
   6 *
   7 * Authors: Adrian Hunter
   8 *          Artem Bityutskiy (Битюцкий Артём)
   9 */
  10
  11/*
  12 * This file implements functions needed to recover from unclean un-mounts.
  13 * When UBIFS is mounted, it checks a flag on the master node to determine if
  14 * an un-mount was completed successfully. If not, the process of mounting
  15 * incorporates additional checking and fixing of on-flash data structures.
  16 * UBIFS always cleans away all remnants of an unclean un-mount, so that
  17 * errors do not accumulate. However UBIFS defers recovery if it is mounted
  18 * read-only, and the flash is not modified in that case.
  19 *
  20 * The general UBIFS approach to the recovery is that it recovers from
  21 * corruptions which could be caused by power cuts, but it refuses to recover
  22 * from corruption caused by other reasons. And UBIFS tries to distinguish
  23 * between these 2 reasons of corruptions and silently recover in the former
  24 * case and loudly complain in the latter case.
  25 *
  26 * UBIFS writes only to erased LEBs, so it writes only to the flash space
  27 * containing only 0xFFs. UBIFS also always writes strictly from the beginning
  28 * of the LEB to the end. And UBIFS assumes that the underlying flash media
  29 * writes in @c->max_write_size bytes at a time.
  30 *
  31 * Hence, if UBIFS finds a corrupted node at offset X, it expects only the min.
  32 * I/O unit corresponding to offset X to contain corrupted data, all the
  33 * following min. I/O units have to contain empty space (all 0xFFs). If this is
  34 * not true, the corruption cannot be the result of a power cut, and UBIFS
  35 * refuses to mount.
  36 */
  37
  38#include <linux/crc32.h>
  39#include <linux/slab.h>
  40#include "ubifs.h"
  41
  42/**
  43 * is_empty - determine whether a buffer is empty (contains all 0xff).
  44 * @buf: buffer to clean
  45 * @len: length of buffer
  46 *
  47 * This function returns %1 if the buffer is empty (contains all 0xff) otherwise
  48 * %0 is returned.
  49 */
  50static int is_empty(void *buf, int len)
  51{
  52        uint8_t *p = buf;
  53        int i;
  54
  55        for (i = 0; i < len; i++)
  56                if (*p++ != 0xff)
  57                        return 0;
  58        return 1;
  59}
  60
  61/**
  62 * first_non_ff - find offset of the first non-0xff byte.
  63 * @buf: buffer to search in
  64 * @len: length of buffer
  65 *
  66 * This function returns offset of the first non-0xff byte in @buf or %-1 if
  67 * the buffer contains only 0xff bytes.
  68 */
  69static int first_non_ff(void *buf, int len)
  70{
  71        uint8_t *p = buf;
  72        int i;
  73
  74        for (i = 0; i < len; i++)
  75                if (*p++ != 0xff)
  76                        return i;
  77        return -1;
  78}
  79
  80/**
  81 * get_master_node - get the last valid master node allowing for corruption.
  82 * @c: UBIFS file-system description object
  83 * @lnum: LEB number
  84 * @pbuf: buffer containing the LEB read, is returned here
  85 * @mst: master node, if found, is returned here
  86 * @cor: corruption, if found, is returned here
  87 *
  88 * This function allocates a buffer, reads the LEB into it, and finds and
  89 * returns the last valid master node allowing for one area of corruption.
  90 * The corrupt area, if there is one, must be consistent with the assumption
  91 * that it is the result of an unclean unmount while the master node was being
  92 * written. Under those circumstances, it is valid to use the previously written
  93 * master node.
  94 *
  95 * This function returns %0 on success and a negative error code on failure.
  96 */
  97static int get_master_node(const struct ubifs_info *c, int lnum, void **pbuf,
  98                           struct ubifs_mst_node **mst, void **cor)
  99{
 100        const int sz = c->mst_node_alsz;
 101        int err, offs, len;
 102        void *sbuf, *buf;
 103
 104        sbuf = vmalloc(c->leb_size);
 105        if (!sbuf)
 106                return -ENOMEM;
 107
 108        err = ubifs_leb_read(c, lnum, sbuf, 0, c->leb_size, 0);
 109        if (err && err != -EBADMSG)
 110                goto out_free;
 111
 112        /* Find the first position that is definitely not a node */
 113        offs = 0;
 114        buf = sbuf;
 115        len = c->leb_size;
 116        while (offs + UBIFS_MST_NODE_SZ <= c->leb_size) {
 117                struct ubifs_ch *ch = buf;
 118
 119                if (le32_to_cpu(ch->magic) != UBIFS_NODE_MAGIC)
 120                        break;
 121                offs += sz;
 122                buf  += sz;
 123                len  -= sz;
 124        }
 125        /* See if there was a valid master node before that */
 126        if (offs) {
 127                int ret;
 128
 129                offs -= sz;
 130                buf  -= sz;
 131                len  += sz;
 132                ret = ubifs_scan_a_node(c, buf, len, lnum, offs, 1);
 133                if (ret != SCANNED_A_NODE && offs) {
 134                        /* Could have been corruption so check one place back */
 135                        offs -= sz;
 136                        buf  -= sz;
 137                        len  += sz;
 138                        ret = ubifs_scan_a_node(c, buf, len, lnum, offs, 1);
 139                        if (ret != SCANNED_A_NODE)
 140                                /*
 141                                 * We accept only one area of corruption because
 142                                 * we are assuming that it was caused while
 143                                 * trying to write a master node.
 144                                 */
 145                                goto out_err;
 146                }
 147                if (ret == SCANNED_A_NODE) {
 148                        struct ubifs_ch *ch = buf;
 149
 150                        if (ch->node_type != UBIFS_MST_NODE)
 151                                goto out_err;
 152                        dbg_rcvry("found a master node at %d:%d", lnum, offs);
 153                        *mst = buf;
 154                        offs += sz;
 155                        buf  += sz;
 156                        len  -= sz;
 157                }
 158        }
 159        /* Check for corruption */
 160        if (offs < c->leb_size) {
 161                if (!is_empty(buf, min_t(int, len, sz))) {
 162                        *cor = buf;
 163                        dbg_rcvry("found corruption at %d:%d", lnum, offs);
 164                }
 165                offs += sz;
 166                buf  += sz;
 167                len  -= sz;
 168        }
 169        /* Check remaining empty space */
 170        if (offs < c->leb_size)
 171                if (!is_empty(buf, len))
 172                        goto out_err;
 173        *pbuf = sbuf;
 174        return 0;
 175
 176out_err:
 177        err = -EINVAL;
 178out_free:
 179        vfree(sbuf);
 180        *mst = NULL;
 181        *cor = NULL;
 182        return err;
 183}
 184
 185/**
 186 * write_rcvrd_mst_node - write recovered master node.
 187 * @c: UBIFS file-system description object
 188 * @mst: master node
 189 *
 190 * This function returns %0 on success and a negative error code on failure.
 191 */
 192static int write_rcvrd_mst_node(struct ubifs_info *c,
 193                                struct ubifs_mst_node *mst)
 194{
 195        int err = 0, lnum = UBIFS_MST_LNUM, sz = c->mst_node_alsz;
 196        __le32 save_flags;
 197
 198        dbg_rcvry("recovery");
 199
 200        save_flags = mst->flags;
 201        mst->flags |= cpu_to_le32(UBIFS_MST_RCVRY);
 202
 203        err = ubifs_prepare_node_hmac(c, mst, UBIFS_MST_NODE_SZ,
 204                                      offsetof(struct ubifs_mst_node, hmac), 1);
 205        if (err)
 206                goto out;
 207        err = ubifs_leb_change(c, lnum, mst, sz);
 208        if (err)
 209                goto out;
 210        err = ubifs_leb_change(c, lnum + 1, mst, sz);
 211        if (err)
 212                goto out;
 213out:
 214        mst->flags = save_flags;
 215        return err;
 216}
 217
 218/**
 219 * ubifs_recover_master_node - recover the master node.
 220 * @c: UBIFS file-system description object
 221 *
 222 * This function recovers the master node from corruption that may occur due to
 223 * an unclean unmount.
 224 *
 225 * This function returns %0 on success and a negative error code on failure.
 226 */
 227int ubifs_recover_master_node(struct ubifs_info *c)
 228{
 229        void *buf1 = NULL, *buf2 = NULL, *cor1 = NULL, *cor2 = NULL;
 230        struct ubifs_mst_node *mst1 = NULL, *mst2 = NULL, *mst;
 231        const int sz = c->mst_node_alsz;
 232        int err, offs1, offs2;
 233
 234        dbg_rcvry("recovery");
 235
 236        err = get_master_node(c, UBIFS_MST_LNUM, &buf1, &mst1, &cor1);
 237        if (err)
 238                goto out_free;
 239
 240        err = get_master_node(c, UBIFS_MST_LNUM + 1, &buf2, &mst2, &cor2);
 241        if (err)
 242                goto out_free;
 243
 244        if (mst1) {
 245                offs1 = (void *)mst1 - buf1;
 246                if ((le32_to_cpu(mst1->flags) & UBIFS_MST_RCVRY) &&
 247                    (offs1 == 0 && !cor1)) {
 248                        /*
 249                         * mst1 was written by recovery at offset 0 with no
 250                         * corruption.
 251                         */
 252                        dbg_rcvry("recovery recovery");
 253                        mst = mst1;
 254                } else if (mst2) {
 255                        offs2 = (void *)mst2 - buf2;
 256                        if (offs1 == offs2) {
 257                                /* Same offset, so must be the same */
 258                                if (ubifs_compare_master_node(c, mst1, mst2))
 259                                        goto out_err;
 260                                mst = mst1;
 261                        } else if (offs2 + sz == offs1) {
 262                                /* 1st LEB was written, 2nd was not */
 263                                if (cor1)
 264                                        goto out_err;
 265                                mst = mst1;
 266                        } else if (offs1 == 0 &&
 267                                   c->leb_size - offs2 - sz < sz) {
 268                                /* 1st LEB was unmapped and written, 2nd not */
 269                                if (cor1)
 270                                        goto out_err;
 271                                mst = mst1;
 272                        } else
 273                                goto out_err;
 274                } else {
 275                        /*
 276                         * 2nd LEB was unmapped and about to be written, so
 277                         * there must be only one master node in the first LEB
 278                         * and no corruption.
 279                         */
 280                        if (offs1 != 0 || cor1)
 281                                goto out_err;
 282                        mst = mst1;
 283                }
 284        } else {
 285                if (!mst2)
 286                        goto out_err;
 287                /*
 288                 * 1st LEB was unmapped and about to be written, so there must
 289                 * be no room left in 2nd LEB.
 290                 */
 291                offs2 = (void *)mst2 - buf2;
 292                if (offs2 + sz + sz <= c->leb_size)
 293                        goto out_err;
 294                mst = mst2;
 295        }
 296
 297        ubifs_msg(c, "recovered master node from LEB %d",
 298                  (mst == mst1 ? UBIFS_MST_LNUM : UBIFS_MST_LNUM + 1));
 299
 300        memcpy(c->mst_node, mst, UBIFS_MST_NODE_SZ);
 301
 302        if (c->ro_mount) {
 303                /* Read-only mode. Keep a copy for switching to rw mode */
 304                c->rcvrd_mst_node = kmalloc(sz, GFP_KERNEL);
 305                if (!c->rcvrd_mst_node) {
 306                        err = -ENOMEM;
 307                        goto out_free;
 308                }
 309                memcpy(c->rcvrd_mst_node, c->mst_node, UBIFS_MST_NODE_SZ);
 310
 311                /*
 312                 * We had to recover the master node, which means there was an
 313                 * unclean reboot. However, it is possible that the master node
 314                 * is clean at this point, i.e., %UBIFS_MST_DIRTY is not set.
 315                 * E.g., consider the following chain of events:
 316                 *
 317                 * 1. UBIFS was cleanly unmounted, so the master node is clean
 318                 * 2. UBIFS is being mounted R/W and starts changing the master
 319                 *    node in the first (%UBIFS_MST_LNUM). A power cut happens,
 320                 *    so this LEB ends up with some amount of garbage at the
 321                 *    end.
 322                 * 3. UBIFS is being mounted R/O. We reach this place and
 323                 *    recover the master node from the second LEB
 324                 *    (%UBIFS_MST_LNUM + 1). But we cannot update the media
 325                 *    because we are being mounted R/O. We have to defer the
 326                 *    operation.
 327                 * 4. However, this master node (@c->mst_node) is marked as
 328                 *    clean (since the step 1). And if we just return, the
 329                 *    mount code will be confused and won't recover the master
 330                 *    node when it is re-mounter R/W later.
 331                 *
 332                 *    Thus, to force the recovery by marking the master node as
 333                 *    dirty.
 334                 */
 335                c->mst_node->flags |= cpu_to_le32(UBIFS_MST_DIRTY);
 336        } else {
 337                /* Write the recovered master node */
 338                c->max_sqnum = le64_to_cpu(mst->ch.sqnum) - 1;
 339                err = write_rcvrd_mst_node(c, c->mst_node);
 340                if (err)
 341                        goto out_free;
 342        }
 343
 344        vfree(buf2);
 345        vfree(buf1);
 346
 347        return 0;
 348
 349out_err:
 350        err = -EINVAL;
 351out_free:
 352        ubifs_err(c, "failed to recover master node");
 353        if (mst1) {
 354                ubifs_err(c, "dumping first master node");
 355                ubifs_dump_node(c, mst1);
 356        }
 357        if (mst2) {
 358                ubifs_err(c, "dumping second master node");
 359                ubifs_dump_node(c, mst2);
 360        }
 361        vfree(buf2);
 362        vfree(buf1);
 363        return err;
 364}
 365
 366/**
 367 * ubifs_write_rcvrd_mst_node - write the recovered master node.
 368 * @c: UBIFS file-system description object
 369 *
 370 * This function writes the master node that was recovered during mounting in
 371 * read-only mode and must now be written because we are remounting rw.
 372 *
 373 * This function returns %0 on success and a negative error code on failure.
 374 */
 375int ubifs_write_rcvrd_mst_node(struct ubifs_info *c)
 376{
 377        int err;
 378
 379        if (!c->rcvrd_mst_node)
 380                return 0;
 381        c->rcvrd_mst_node->flags |= cpu_to_le32(UBIFS_MST_DIRTY);
 382        c->mst_node->flags |= cpu_to_le32(UBIFS_MST_DIRTY);
 383        err = write_rcvrd_mst_node(c, c->rcvrd_mst_node);
 384        if (err)
 385                return err;
 386        kfree(c->rcvrd_mst_node);
 387        c->rcvrd_mst_node = NULL;
 388        return 0;
 389}
 390
 391/**
 392 * is_last_write - determine if an offset was in the last write to a LEB.
 393 * @c: UBIFS file-system description object
 394 * @buf: buffer to check
 395 * @offs: offset to check
 396 *
 397 * This function returns %1 if @offs was in the last write to the LEB whose data
 398 * is in @buf, otherwise %0 is returned. The determination is made by checking
 399 * for subsequent empty space starting from the next @c->max_write_size
 400 * boundary.
 401 */
 402static int is_last_write(const struct ubifs_info *c, void *buf, int offs)
 403{
 404        int empty_offs, check_len;
 405        uint8_t *p;
 406
 407        /*
 408         * Round up to the next @c->max_write_size boundary i.e. @offs is in
 409         * the last wbuf written. After that should be empty space.
 410         */
 411        empty_offs = ALIGN(offs + 1, c->max_write_size);
 412        check_len = c->leb_size - empty_offs;
 413        p = buf + empty_offs - offs;
 414        return is_empty(p, check_len);
 415}
 416
 417/**
 418 * clean_buf - clean the data from an LEB sitting in a buffer.
 419 * @c: UBIFS file-system description object
 420 * @buf: buffer to clean
 421 * @lnum: LEB number to clean
 422 * @offs: offset from which to clean
 423 * @len: length of buffer
 424 *
 425 * This function pads up to the next min_io_size boundary (if there is one) and
 426 * sets empty space to all 0xff. @buf, @offs and @len are updated to the next
 427 * @c->min_io_size boundary.
 428 */
 429static void clean_buf(const struct ubifs_info *c, void **buf, int lnum,
 430                      int *offs, int *len)
 431{
 432        int empty_offs, pad_len;
 433
 434        dbg_rcvry("cleaning corruption at %d:%d", lnum, *offs);
 435
 436        ubifs_assert(c, !(*offs & 7));
 437        empty_offs = ALIGN(*offs, c->min_io_size);
 438        pad_len = empty_offs - *offs;
 439        ubifs_pad(c, *buf, pad_len);
 440        *offs += pad_len;
 441        *buf += pad_len;
 442        *len -= pad_len;
 443        memset(*buf, 0xff, c->leb_size - empty_offs);
 444}
 445
 446/**
 447 * no_more_nodes - determine if there are no more nodes in a buffer.
 448 * @c: UBIFS file-system description object
 449 * @buf: buffer to check
 450 * @len: length of buffer
 451 * @lnum: LEB number of the LEB from which @buf was read
 452 * @offs: offset from which @buf was read
 453 *
 454 * This function ensures that the corrupted node at @offs is the last thing
 455 * written to a LEB. This function returns %1 if more data is not found and
 456 * %0 if more data is found.
 457 */
 458static int no_more_nodes(const struct ubifs_info *c, void *buf, int len,
 459                        int lnum, int offs)
 460{
 461        struct ubifs_ch *ch = buf;
 462        int skip, dlen = le32_to_cpu(ch->len);
 463
 464        /* Check for empty space after the corrupt node's common header */
 465        skip = ALIGN(offs + UBIFS_CH_SZ, c->max_write_size) - offs;
 466        if (is_empty(buf + skip, len - skip))
 467                return 1;
 468        /*
 469         * The area after the common header size is not empty, so the common
 470         * header must be intact. Check it.
 471         */
 472        if (ubifs_check_node(c, buf, lnum, offs, 1, 0) != -EUCLEAN) {
 473                dbg_rcvry("unexpected bad common header at %d:%d", lnum, offs);
 474                return 0;
 475        }
 476        /* Now we know the corrupt node's length we can skip over it */
 477        skip = ALIGN(offs + dlen, c->max_write_size) - offs;
 478        /* After which there should be empty space */
 479        if (is_empty(buf + skip, len - skip))
 480                return 1;
 481        dbg_rcvry("unexpected data at %d:%d", lnum, offs + skip);
 482        return 0;
 483}
 484
 485/**
 486 * fix_unclean_leb - fix an unclean LEB.
 487 * @c: UBIFS file-system description object
 488 * @sleb: scanned LEB information
 489 * @start: offset where scan started
 490 */
 491static int fix_unclean_leb(struct ubifs_info *c, struct ubifs_scan_leb *sleb,
 492                           int start)
 493{
 494        int lnum = sleb->lnum, endpt = start;
 495
 496        /* Get the end offset of the last node we are keeping */
 497        if (!list_empty(&sleb->nodes)) {
 498                struct ubifs_scan_node *snod;
 499
 500                snod = list_entry(sleb->nodes.prev,
 501                                  struct ubifs_scan_node, list);
 502                endpt = snod->offs + snod->len;
 503        }
 504
 505        if (c->ro_mount && !c->remounting_rw) {
 506                /* Add to recovery list */
 507                struct ubifs_unclean_leb *ucleb;
 508
 509                dbg_rcvry("need to fix LEB %d start %d endpt %d",
 510                          lnum, start, sleb->endpt);
 511                ucleb = kzalloc(sizeof(struct ubifs_unclean_leb), GFP_NOFS);
 512                if (!ucleb)
 513                        return -ENOMEM;
 514                ucleb->lnum = lnum;
 515                ucleb->endpt = endpt;
 516                list_add_tail(&ucleb->list, &c->unclean_leb_list);
 517        } else {
 518                /* Write the fixed LEB back to flash */
 519                int err;
 520
 521                dbg_rcvry("fixing LEB %d start %d endpt %d",
 522                          lnum, start, sleb->endpt);
 523                if (endpt == 0) {
 524                        err = ubifs_leb_unmap(c, lnum);
 525                        if (err)
 526                                return err;
 527                } else {
 528                        int len = ALIGN(endpt, c->min_io_size);
 529
 530                        if (start) {
 531                                err = ubifs_leb_read(c, lnum, sleb->buf, 0,
 532                                                     start, 1);
 533                                if (err)
 534                                        return err;
 535                        }
 536                        /* Pad to min_io_size */
 537                        if (len > endpt) {
 538                                int pad_len = len - ALIGN(endpt, 8);
 539
 540                                if (pad_len > 0) {
 541                                        void *buf = sleb->buf + len - pad_len;
 542
 543                                        ubifs_pad(c, buf, pad_len);
 544                                }
 545                        }
 546                        err = ubifs_leb_change(c, lnum, sleb->buf, len);
 547                        if (err)
 548                                return err;
 549                }
 550        }
 551        return 0;
 552}
 553
 554/**
 555 * drop_last_group - drop the last group of nodes.
 556 * @sleb: scanned LEB information
 557 * @offs: offset of dropped nodes is returned here
 558 *
 559 * This is a helper function for 'ubifs_recover_leb()' which drops the last
 560 * group of nodes of the scanned LEB.
 561 */
 562static void drop_last_group(struct ubifs_scan_leb *sleb, int *offs)
 563{
 564        while (!list_empty(&sleb->nodes)) {
 565                struct ubifs_scan_node *snod;
 566                struct ubifs_ch *ch;
 567
 568                snod = list_entry(sleb->nodes.prev, struct ubifs_scan_node,
 569                                  list);
 570                ch = snod->node;
 571                if (ch->group_type != UBIFS_IN_NODE_GROUP)
 572                        break;
 573
 574                dbg_rcvry("dropping grouped node at %d:%d",
 575                          sleb->lnum, snod->offs);
 576                *offs = snod->offs;
 577                list_del(&snod->list);
 578                kfree(snod);
 579                sleb->nodes_cnt -= 1;
 580        }
 581}
 582
 583/**
 584 * drop_last_node - drop the last node.
 585 * @sleb: scanned LEB information
 586 * @offs: offset of dropped nodes is returned here
 587 *
 588 * This is a helper function for 'ubifs_recover_leb()' which drops the last
 589 * node of the scanned LEB.
 590 */
 591static void drop_last_node(struct ubifs_scan_leb *sleb, int *offs)
 592{
 593        struct ubifs_scan_node *snod;
 594
 595        if (!list_empty(&sleb->nodes)) {
 596                snod = list_entry(sleb->nodes.prev, struct ubifs_scan_node,
 597                                  list);
 598
 599                dbg_rcvry("dropping last node at %d:%d",
 600                          sleb->lnum, snod->offs);
 601                *offs = snod->offs;
 602                list_del(&snod->list);
 603                kfree(snod);
 604                sleb->nodes_cnt -= 1;
 605        }
 606}
 607
 608/**
 609 * ubifs_recover_leb - scan and recover a LEB.
 610 * @c: UBIFS file-system description object
 611 * @lnum: LEB number
 612 * @offs: offset
 613 * @sbuf: LEB-sized buffer to use
 614 * @jhead: journal head number this LEB belongs to (%-1 if the LEB does not
 615 *         belong to any journal head)
 616 *
 617 * This function does a scan of a LEB, but caters for errors that might have
 618 * been caused by the unclean unmount from which we are attempting to recover.
 619 * Returns the scanned information on success and a negative error code on
 620 * failure.
 621 */
 622struct ubifs_scan_leb *ubifs_recover_leb(struct ubifs_info *c, int lnum,
 623                                         int offs, void *sbuf, int jhead)
 624{
 625        int ret = 0, err, len = c->leb_size - offs, start = offs, min_io_unit;
 626        int grouped = jhead == -1 ? 0 : c->jheads[jhead].grouped;
 627        struct ubifs_scan_leb *sleb;
 628        void *buf = sbuf + offs;
 629
 630        dbg_rcvry("%d:%d, jhead %d, grouped %d", lnum, offs, jhead, grouped);
 631
 632        sleb = ubifs_start_scan(c, lnum, offs, sbuf);
 633        if (IS_ERR(sleb))
 634                return sleb;
 635
 636        ubifs_assert(c, len >= 8);
 637        while (len >= 8) {
 638                dbg_scan("look at LEB %d:%d (%d bytes left)",
 639                         lnum, offs, len);
 640
 641                cond_resched();
 642
 643                /*
 644                 * Scan quietly until there is an error from which we cannot
 645                 * recover
 646                 */
 647                ret = ubifs_scan_a_node(c, buf, len, lnum, offs, 1);
 648                if (ret == SCANNED_A_NODE) {
 649                        /* A valid node, and not a padding node */
 650                        struct ubifs_ch *ch = buf;
 651                        int node_len;
 652
 653                        err = ubifs_add_snod(c, sleb, buf, offs);
 654                        if (err)
 655                                goto error;
 656                        node_len = ALIGN(le32_to_cpu(ch->len), 8);
 657                        offs += node_len;
 658                        buf += node_len;
 659                        len -= node_len;
 660                } else if (ret > 0) {
 661                        /* Padding bytes or a valid padding node */
 662                        offs += ret;
 663                        buf += ret;
 664                        len -= ret;
 665                } else if (ret == SCANNED_EMPTY_SPACE ||
 666                           ret == SCANNED_GARBAGE     ||
 667                           ret == SCANNED_A_BAD_PAD_NODE ||
 668                           ret == SCANNED_A_CORRUPT_NODE) {
 669                        dbg_rcvry("found corruption (%d) at %d:%d",
 670                                  ret, lnum, offs);
 671                        break;
 672                } else {
 673                        ubifs_err(c, "unexpected return value %d", ret);
 674                        err = -EINVAL;
 675                        goto error;
 676                }
 677        }
 678
 679        if (ret == SCANNED_GARBAGE || ret == SCANNED_A_BAD_PAD_NODE) {
 680                if (!is_last_write(c, buf, offs))
 681                        goto corrupted_rescan;
 682        } else if (ret == SCANNED_A_CORRUPT_NODE) {
 683                if (!no_more_nodes(c, buf, len, lnum, offs))
 684                        goto corrupted_rescan;
 685        } else if (!is_empty(buf, len)) {
 686                if (!is_last_write(c, buf, offs)) {
 687                        int corruption = first_non_ff(buf, len);
 688
 689                        /*
 690                         * See header comment for this file for more
 691                         * explanations about the reasons we have this check.
 692                         */
 693                        ubifs_err(c, "corrupt empty space LEB %d:%d, corruption starts at %d",
 694                                  lnum, offs, corruption);
 695                        /* Make sure we dump interesting non-0xFF data */
 696                        offs += corruption;
 697                        buf += corruption;
 698                        goto corrupted;
 699                }
 700        }
 701
 702        min_io_unit = round_down(offs, c->min_io_size);
 703        if (grouped)
 704                /*
 705                 * If nodes are grouped, always drop the incomplete group at
 706                 * the end.
 707                 */
 708                drop_last_group(sleb, &offs);
 709
 710        if (jhead == GCHD) {
 711                /*
 712                 * If this LEB belongs to the GC head then while we are in the
 713                 * middle of the same min. I/O unit keep dropping nodes. So
 714                 * basically, what we want is to make sure that the last min.
 715                 * I/O unit where we saw the corruption is dropped completely
 716                 * with all the uncorrupted nodes which may possibly sit there.
 717                 *
 718                 * In other words, let's name the min. I/O unit where the
 719                 * corruption starts B, and the previous min. I/O unit A. The
 720                 * below code tries to deal with a situation when half of B
 721                 * contains valid nodes or the end of a valid node, and the
 722                 * second half of B contains corrupted data or garbage. This
 723                 * means that UBIFS had been writing to B just before the power
 724                 * cut happened. I do not know how realistic is this scenario
 725                 * that half of the min. I/O unit had been written successfully
 726                 * and the other half not, but this is possible in our 'failure
 727                 * mode emulation' infrastructure at least.
 728                 *
 729                 * So what is the problem, why we need to drop those nodes? Why
 730                 * can't we just clean-up the second half of B by putting a
 731                 * padding node there? We can, and this works fine with one
 732                 * exception which was reproduced with power cut emulation
 733                 * testing and happens extremely rarely.
 734                 *
 735                 * Imagine the file-system is full, we run GC which starts
 736                 * moving valid nodes from LEB X to LEB Y (obviously, LEB Y is
 737                 * the current GC head LEB). The @c->gc_lnum is -1, which means
 738                 * that GC will retain LEB X and will try to continue. Imagine
 739                 * that LEB X is currently the dirtiest LEB, and the amount of
 740                 * used space in LEB Y is exactly the same as amount of free
 741                 * space in LEB X.
 742                 *
 743                 * And a power cut happens when nodes are moved from LEB X to
 744                 * LEB Y. We are here trying to recover LEB Y which is the GC
 745                 * head LEB. We find the min. I/O unit B as described above.
 746                 * Then we clean-up LEB Y by padding min. I/O unit. And later
 747                 * 'ubifs_rcvry_gc_commit()' function fails, because it cannot
 748                 * find a dirty LEB which could be GC'd into LEB Y! Even LEB X
 749                 * does not match because the amount of valid nodes there does
 750                 * not fit the free space in LEB Y any more! And this is
 751                 * because of the padding node which we added to LEB Y. The
 752                 * user-visible effect of this which I once observed and
 753                 * analysed is that we cannot mount the file-system with
 754                 * -ENOSPC error.
 755                 *
 756                 * So obviously, to make sure that situation does not happen we
 757                 * should free min. I/O unit B in LEB Y completely and the last
 758                 * used min. I/O unit in LEB Y should be A. This is basically
 759                 * what the below code tries to do.
 760                 */
 761                while (offs > min_io_unit)
 762                        drop_last_node(sleb, &offs);
 763        }
 764
 765        buf = sbuf + offs;
 766        len = c->leb_size - offs;
 767
 768        clean_buf(c, &buf, lnum, &offs, &len);
 769        ubifs_end_scan(c, sleb, lnum, offs);
 770
 771        err = fix_unclean_leb(c, sleb, start);
 772        if (err)
 773                goto error;
 774
 775        return sleb;
 776
 777corrupted_rescan:
 778        /* Re-scan the corrupted data with verbose messages */
 779        ubifs_err(c, "corruption %d", ret);
 780        ubifs_scan_a_node(c, buf, len, lnum, offs, 0);
 781corrupted:
 782        ubifs_scanned_corruption(c, lnum, offs, buf);
 783        err = -EUCLEAN;
 784error:
 785        ubifs_err(c, "LEB %d scanning failed", lnum);
 786        ubifs_scan_destroy(sleb);
 787        return ERR_PTR(err);
 788}
 789
 790/**
 791 * get_cs_sqnum - get commit start sequence number.
 792 * @c: UBIFS file-system description object
 793 * @lnum: LEB number of commit start node
 794 * @offs: offset of commit start node
 795 * @cs_sqnum: commit start sequence number is returned here
 796 *
 797 * This function returns %0 on success and a negative error code on failure.
 798 */
 799static int get_cs_sqnum(struct ubifs_info *c, int lnum, int offs,
 800                        unsigned long long *cs_sqnum)
 801{
 802        struct ubifs_cs_node *cs_node = NULL;
 803        int err, ret;
 804
 805        dbg_rcvry("at %d:%d", lnum, offs);
 806        cs_node = kmalloc(UBIFS_CS_NODE_SZ, GFP_KERNEL);
 807        if (!cs_node)
 808                return -ENOMEM;
 809        if (c->leb_size - offs < UBIFS_CS_NODE_SZ)
 810                goto out_err;
 811        err = ubifs_leb_read(c, lnum, (void *)cs_node, offs,
 812                             UBIFS_CS_NODE_SZ, 0);
 813        if (err && err != -EBADMSG)
 814                goto out_free;
 815        ret = ubifs_scan_a_node(c, cs_node, UBIFS_CS_NODE_SZ, lnum, offs, 0);
 816        if (ret != SCANNED_A_NODE) {
 817                ubifs_err(c, "Not a valid node");
 818                goto out_err;
 819        }
 820        if (cs_node->ch.node_type != UBIFS_CS_NODE) {
 821                ubifs_err(c, "Not a CS node, type is %d", cs_node->ch.node_type);
 822                goto out_err;
 823        }
 824        if (le64_to_cpu(cs_node->cmt_no) != c->cmt_no) {
 825                ubifs_err(c, "CS node cmt_no %llu != current cmt_no %llu",
 826                          (unsigned long long)le64_to_cpu(cs_node->cmt_no),
 827                          c->cmt_no);
 828                goto out_err;
 829        }
 830        *cs_sqnum = le64_to_cpu(cs_node->ch.sqnum);
 831        dbg_rcvry("commit start sqnum %llu", *cs_sqnum);
 832        kfree(cs_node);
 833        return 0;
 834
 835out_err:
 836        err = -EINVAL;
 837out_free:
 838        ubifs_err(c, "failed to get CS sqnum");
 839        kfree(cs_node);
 840        return err;
 841}
 842
 843/**
 844 * ubifs_recover_log_leb - scan and recover a log LEB.
 845 * @c: UBIFS file-system description object
 846 * @lnum: LEB number
 847 * @offs: offset
 848 * @sbuf: LEB-sized buffer to use
 849 *
 850 * This function does a scan of a LEB, but caters for errors that might have
 851 * been caused by unclean reboots from which we are attempting to recover
 852 * (assume that only the last log LEB can be corrupted by an unclean reboot).
 853 *
 854 * This function returns %0 on success and a negative error code on failure.
 855 */
 856struct ubifs_scan_leb *ubifs_recover_log_leb(struct ubifs_info *c, int lnum,
 857                                             int offs, void *sbuf)
 858{
 859        struct ubifs_scan_leb *sleb;
 860        int next_lnum;
 861
 862        dbg_rcvry("LEB %d", lnum);
 863        next_lnum = lnum + 1;
 864        if (next_lnum >= UBIFS_LOG_LNUM + c->log_lebs)
 865                next_lnum = UBIFS_LOG_LNUM;
 866        if (next_lnum != c->ltail_lnum) {
 867                /*
 868                 * We can only recover at the end of the log, so check that the
 869                 * next log LEB is empty or out of date.
 870                 */
 871                sleb = ubifs_scan(c, next_lnum, 0, sbuf, 0);
 872                if (IS_ERR(sleb))
 873                        return sleb;
 874                if (sleb->nodes_cnt) {
 875                        struct ubifs_scan_node *snod;
 876                        unsigned long long cs_sqnum = c->cs_sqnum;
 877
 878                        snod = list_entry(sleb->nodes.next,
 879                                          struct ubifs_scan_node, list);
 880                        if (cs_sqnum == 0) {
 881                                int err;
 882
 883                                err = get_cs_sqnum(c, lnum, offs, &cs_sqnum);
 884                                if (err) {
 885                                        ubifs_scan_destroy(sleb);
 886                                        return ERR_PTR(err);
 887                                }
 888                        }
 889                        if (snod->sqnum > cs_sqnum) {
 890                                ubifs_err(c, "unrecoverable log corruption in LEB %d",
 891                                          lnum);
 892                                ubifs_scan_destroy(sleb);
 893                                return ERR_PTR(-EUCLEAN);
 894                        }
 895                }
 896                ubifs_scan_destroy(sleb);
 897        }
 898        return ubifs_recover_leb(c, lnum, offs, sbuf, -1);
 899}
 900
 901/**
 902 * recover_head - recover a head.
 903 * @c: UBIFS file-system description object
 904 * @lnum: LEB number of head to recover
 905 * @offs: offset of head to recover
 906 * @sbuf: LEB-sized buffer to use
 907 *
 908 * This function ensures that there is no data on the flash at a head location.
 909 *
 910 * This function returns %0 on success and a negative error code on failure.
 911 */
 912static int recover_head(struct ubifs_info *c, int lnum, int offs, void *sbuf)
 913{
 914        int len = c->max_write_size, err;
 915
 916        if (offs + len > c->leb_size)
 917                len = c->leb_size - offs;
 918
 919        if (!len)
 920                return 0;
 921
 922        /* Read at the head location and check it is empty flash */
 923        err = ubifs_leb_read(c, lnum, sbuf, offs, len, 1);
 924        if (err || !is_empty(sbuf, len)) {
 925                dbg_rcvry("cleaning head at %d:%d", lnum, offs);
 926                if (offs == 0)
 927                        return ubifs_leb_unmap(c, lnum);
 928                err = ubifs_leb_read(c, lnum, sbuf, 0, offs, 1);
 929                if (err)
 930                        return err;
 931                return ubifs_leb_change(c, lnum, sbuf, offs);
 932        }
 933
 934        return 0;
 935}
 936
 937/**
 938 * ubifs_recover_inl_heads - recover index and LPT heads.
 939 * @c: UBIFS file-system description object
 940 * @sbuf: LEB-sized buffer to use
 941 *
 942 * This function ensures that there is no data on the flash at the index and
 943 * LPT head locations.
 944 *
 945 * This deals with the recovery of a half-completed journal commit. UBIFS is
 946 * careful never to overwrite the last version of the index or the LPT. Because
 947 * the index and LPT are wandering trees, data from a half-completed commit will
 948 * not be referenced anywhere in UBIFS. The data will be either in LEBs that are
 949 * assumed to be empty and will be unmapped anyway before use, or in the index
 950 * and LPT heads.
 951 *
 952 * This function returns %0 on success and a negative error code on failure.
 953 */
 954int ubifs_recover_inl_heads(struct ubifs_info *c, void *sbuf)
 955{
 956        int err;
 957
 958        ubifs_assert(c, !c->ro_mount || c->remounting_rw);
 959
 960        dbg_rcvry("checking index head at %d:%d", c->ihead_lnum, c->ihead_offs);
 961        err = recover_head(c, c->ihead_lnum, c->ihead_offs, sbuf);
 962        if (err)
 963                return err;
 964
 965        dbg_rcvry("checking LPT head at %d:%d", c->nhead_lnum, c->nhead_offs);
 966
 967        return recover_head(c, c->nhead_lnum, c->nhead_offs, sbuf);
 968}
 969
 970/**
 971 * clean_an_unclean_leb - read and write a LEB to remove corruption.
 972 * @c: UBIFS file-system description object
 973 * @ucleb: unclean LEB information
 974 * @sbuf: LEB-sized buffer to use
 975 *
 976 * This function reads a LEB up to a point pre-determined by the mount recovery,
 977 * checks the nodes, and writes the result back to the flash, thereby cleaning
 978 * off any following corruption, or non-fatal ECC errors.
 979 *
 980 * This function returns %0 on success and a negative error code on failure.
 981 */
 982static int clean_an_unclean_leb(struct ubifs_info *c,
 983                                struct ubifs_unclean_leb *ucleb, void *sbuf)
 984{
 985        int err, lnum = ucleb->lnum, offs = 0, len = ucleb->endpt, quiet = 1;
 986        void *buf = sbuf;
 987
 988        dbg_rcvry("LEB %d len %d", lnum, len);
 989
 990        if (len == 0) {
 991                /* Nothing to read, just unmap it */
 992                return ubifs_leb_unmap(c, lnum);
 993        }
 994
 995        err = ubifs_leb_read(c, lnum, buf, offs, len, 0);
 996        if (err && err != -EBADMSG)
 997                return err;
 998
 999        while (len >= 8) {
1000                int ret;
1001
1002                cond_resched();
1003
1004                /* Scan quietly until there is an error */
1005                ret = ubifs_scan_a_node(c, buf, len, lnum, offs, quiet);
1006
1007                if (ret == SCANNED_A_NODE) {
1008                        /* A valid node, and not a padding node */
1009                        struct ubifs_ch *ch = buf;
1010                        int node_len;
1011
1012                        node_len = ALIGN(le32_to_cpu(ch->len), 8);
1013                        offs += node_len;
1014                        buf += node_len;
1015                        len -= node_len;
1016                        continue;
1017                }
1018
1019                if (ret > 0) {
1020                        /* Padding bytes or a valid padding node */
1021                        offs += ret;
1022                        buf += ret;
1023                        len -= ret;
1024                        continue;
1025                }
1026
1027                if (ret == SCANNED_EMPTY_SPACE) {
1028                        ubifs_err(c, "unexpected empty space at %d:%d",
1029                                  lnum, offs);
1030                        return -EUCLEAN;
1031                }
1032
1033                if (quiet) {
1034                        /* Redo the last scan but noisily */
1035                        quiet = 0;
1036                        continue;
1037                }
1038
1039                ubifs_scanned_corruption(c, lnum, offs, buf);
1040                return -EUCLEAN;
1041        }
1042
1043        /* Pad to min_io_size */
1044        len = ALIGN(ucleb->endpt, c->min_io_size);
1045        if (len > ucleb->endpt) {
1046                int pad_len = len - ALIGN(ucleb->endpt, 8);
1047
1048                if (pad_len > 0) {
1049                        buf = c->sbuf + len - pad_len;
1050                        ubifs_pad(c, buf, pad_len);
1051                }
1052        }
1053
1054        /* Write back the LEB atomically */
1055        err = ubifs_leb_change(c, lnum, sbuf, len);
1056        if (err)
1057                return err;
1058
1059        dbg_rcvry("cleaned LEB %d", lnum);
1060
1061        return 0;
1062}
1063
1064/**
1065 * ubifs_clean_lebs - clean LEBs recovered during read-only mount.
1066 * @c: UBIFS file-system description object
1067 * @sbuf: LEB-sized buffer to use
1068 *
1069 * This function cleans a LEB identified during recovery that needs to be
1070 * written but was not because UBIFS was mounted read-only. This happens when
1071 * remounting to read-write mode.
1072 *
1073 * This function returns %0 on success and a negative error code on failure.
1074 */
1075int ubifs_clean_lebs(struct ubifs_info *c, void *sbuf)
1076{
1077        dbg_rcvry("recovery");
1078        while (!list_empty(&c->unclean_leb_list)) {
1079                struct ubifs_unclean_leb *ucleb;
1080                int err;
1081
1082                ucleb = list_entry(c->unclean_leb_list.next,
1083                                   struct ubifs_unclean_leb, list);
1084                err = clean_an_unclean_leb(c, ucleb, sbuf);
1085                if (err)
1086                        return err;
1087                list_del(&ucleb->list);
1088                kfree(ucleb);
1089        }
1090        return 0;
1091}
1092
1093/**
1094 * grab_empty_leb - grab an empty LEB to use as GC LEB and run commit.
1095 * @c: UBIFS file-system description object
1096 *
1097 * This is a helper function for 'ubifs_rcvry_gc_commit()' which grabs an empty
1098 * LEB to be used as GC LEB (@c->gc_lnum), and then runs the commit. Returns
1099 * zero in case of success and a negative error code in case of failure.
1100 */
1101static int grab_empty_leb(struct ubifs_info *c)
1102{
1103        int lnum, err;
1104
1105        /*
1106         * Note, it is very important to first search for an empty LEB and then
1107         * run the commit, not vice-versa. The reason is that there might be
1108         * only one empty LEB at the moment, the one which has been the
1109         * @c->gc_lnum just before the power cut happened. During the regular
1110         * UBIFS operation (not now) @c->gc_lnum is marked as "taken", so no
1111         * one but GC can grab it. But at this moment this single empty LEB is
1112         * not marked as taken, so if we run commit - what happens? Right, the
1113         * commit will grab it and write the index there. Remember that the
1114         * index always expands as long as there is free space, and it only
1115         * starts consolidating when we run out of space.
1116         *
1117         * IOW, if we run commit now, we might not be able to find a free LEB
1118         * after this.
1119         */
1120        lnum = ubifs_find_free_leb_for_idx(c);
1121        if (lnum < 0) {
1122                ubifs_err(c, "could not find an empty LEB");
1123                ubifs_dump_lprops(c);
1124                ubifs_dump_budg(c, &c->bi);
1125                return lnum;
1126        }
1127
1128        /* Reset the index flag */
1129        err = ubifs_change_one_lp(c, lnum, LPROPS_NC, LPROPS_NC, 0,
1130                                  LPROPS_INDEX, 0);
1131        if (err)
1132                return err;
1133
1134        c->gc_lnum = lnum;
1135        dbg_rcvry("found empty LEB %d, run commit", lnum);
1136
1137        return ubifs_run_commit(c);
1138}
1139
1140/**
1141 * ubifs_rcvry_gc_commit - recover the GC LEB number and run the commit.
1142 * @c: UBIFS file-system description object
1143 *
1144 * Out-of-place garbage collection requires always one empty LEB with which to
1145 * start garbage collection. The LEB number is recorded in c->gc_lnum and is
1146 * written to the master node on unmounting. In the case of an unclean unmount
1147 * the value of gc_lnum recorded in the master node is out of date and cannot
1148 * be used. Instead, recovery must allocate an empty LEB for this purpose.
1149 * However, there may not be enough empty space, in which case it must be
1150 * possible to GC the dirtiest LEB into the GC head LEB.
1151 *
1152 * This function also runs the commit which causes the TNC updates from
1153 * size-recovery and orphans to be written to the flash. That is important to
1154 * ensure correct replay order for subsequent mounts.
1155 *
1156 * This function returns %0 on success and a negative error code on failure.
1157 */
1158int ubifs_rcvry_gc_commit(struct ubifs_info *c)
1159{
1160        struct ubifs_wbuf *wbuf = &c->jheads[GCHD].wbuf;
1161        struct ubifs_lprops lp;
1162        int err;
1163
1164        dbg_rcvry("GC head LEB %d, offs %d", wbuf->lnum, wbuf->offs);
1165
1166        c->gc_lnum = -1;
1167        if (wbuf->lnum == -1 || wbuf->offs == c->leb_size)
1168                return grab_empty_leb(c);
1169
1170        err = ubifs_find_dirty_leb(c, &lp, wbuf->offs, 2);
1171        if (err) {
1172                if (err != -ENOSPC)
1173                        return err;
1174
1175                dbg_rcvry("could not find a dirty LEB");
1176                return grab_empty_leb(c);
1177        }
1178
1179        ubifs_assert(c, !(lp.flags & LPROPS_INDEX));
1180        ubifs_assert(c, lp.free + lp.dirty >= wbuf->offs);
1181
1182        /*
1183         * We run the commit before garbage collection otherwise subsequent
1184         * mounts will see the GC and orphan deletion in a different order.
1185         */
1186        dbg_rcvry("committing");
1187        err = ubifs_run_commit(c);
1188        if (err)
1189                return err;
1190
1191        dbg_rcvry("GC'ing LEB %d", lp.lnum);
1192        mutex_lock_nested(&wbuf->io_mutex, wbuf->jhead);
1193        err = ubifs_garbage_collect_leb(c, &lp);
1194        if (err >= 0) {
1195                int err2 = ubifs_wbuf_sync_nolock(wbuf);
1196
1197                if (err2)
1198                        err = err2;
1199        }
1200        mutex_unlock(&wbuf->io_mutex);
1201        if (err < 0) {
1202                ubifs_err(c, "GC failed, error %d", err);
1203                if (err == -EAGAIN)
1204                        err = -EINVAL;
1205                return err;
1206        }
1207
1208        ubifs_assert(c, err == LEB_RETAINED);
1209        if (err != LEB_RETAINED)
1210                return -EINVAL;
1211
1212        err = ubifs_leb_unmap(c, c->gc_lnum);
1213        if (err)
1214                return err;
1215
1216        dbg_rcvry("allocated LEB %d for GC", lp.lnum);
1217        return 0;
1218}
1219
1220/**
1221 * struct size_entry - inode size information for recovery.
1222 * @rb: link in the RB-tree of sizes
1223 * @inum: inode number
1224 * @i_size: size on inode
1225 * @d_size: maximum size based on data nodes
1226 * @exists: indicates whether the inode exists
1227 * @inode: inode if pinned in memory awaiting rw mode to fix it
1228 */
1229struct size_entry {
1230        struct rb_node rb;
1231        ino_t inum;
1232        loff_t i_size;
1233        loff_t d_size;
1234        int exists;
1235        struct inode *inode;
1236};
1237
1238/**
1239 * add_ino - add an entry to the size tree.
1240 * @c: UBIFS file-system description object
1241 * @inum: inode number
1242 * @i_size: size on inode
1243 * @d_size: maximum size based on data nodes
1244 * @exists: indicates whether the inode exists
1245 */
1246static int add_ino(struct ubifs_info *c, ino_t inum, loff_t i_size,
1247                   loff_t d_size, int exists)
1248{
1249        struct rb_node **p = &c->size_tree.rb_node, *parent = NULL;
1250        struct size_entry *e;
1251
1252        while (*p) {
1253                parent = *p;
1254                e = rb_entry(parent, struct size_entry, rb);
1255                if (inum < e->inum)
1256                        p = &(*p)->rb_left;
1257                else
1258                        p = &(*p)->rb_right;
1259        }
1260
1261        e = kzalloc(sizeof(struct size_entry), GFP_KERNEL);
1262        if (!e)
1263                return -ENOMEM;
1264
1265        e->inum = inum;
1266        e->i_size = i_size;
1267        e->d_size = d_size;
1268        e->exists = exists;
1269
1270        rb_link_node(&e->rb, parent, p);
1271        rb_insert_color(&e->rb, &c->size_tree);
1272
1273        return 0;
1274}
1275
1276/**
1277 * find_ino - find an entry on the size tree.
1278 * @c: UBIFS file-system description object
1279 * @inum: inode number
1280 */
1281static struct size_entry *find_ino(struct ubifs_info *c, ino_t inum)
1282{
1283        struct rb_node *p = c->size_tree.rb_node;
1284        struct size_entry *e;
1285
1286        while (p) {
1287                e = rb_entry(p, struct size_entry, rb);
1288                if (inum < e->inum)
1289                        p = p->rb_left;
1290                else if (inum > e->inum)
1291                        p = p->rb_right;
1292                else
1293                        return e;
1294        }
1295        return NULL;
1296}
1297
1298/**
1299 * remove_ino - remove an entry from the size tree.
1300 * @c: UBIFS file-system description object
1301 * @inum: inode number
1302 */
1303static void remove_ino(struct ubifs_info *c, ino_t inum)
1304{
1305        struct size_entry *e = find_ino(c, inum);
1306
1307        if (!e)
1308                return;
1309        rb_erase(&e->rb, &c->size_tree);
1310        kfree(e);
1311}
1312
1313/**
1314 * ubifs_destroy_size_tree - free resources related to the size tree.
1315 * @c: UBIFS file-system description object
1316 */
1317void ubifs_destroy_size_tree(struct ubifs_info *c)
1318{
1319        struct size_entry *e, *n;
1320
1321        rbtree_postorder_for_each_entry_safe(e, n, &c->size_tree, rb) {
1322                iput(e->inode);
1323                kfree(e);
1324        }
1325
1326        c->size_tree = RB_ROOT;
1327}
1328
1329/**
1330 * ubifs_recover_size_accum - accumulate inode sizes for recovery.
1331 * @c: UBIFS file-system description object
1332 * @key: node key
1333 * @deletion: node is for a deletion
1334 * @new_size: inode size
1335 *
1336 * This function has two purposes:
1337 *     1) to ensure there are no data nodes that fall outside the inode size
1338 *     2) to ensure there are no data nodes for inodes that do not exist
1339 * To accomplish those purposes, a rb-tree is constructed containing an entry
1340 * for each inode number in the journal that has not been deleted, and recording
1341 * the size from the inode node, the maximum size of any data node (also altered
1342 * by truncations) and a flag indicating a inode number for which no inode node
1343 * was present in the journal.
1344 *
1345 * Note that there is still the possibility that there are data nodes that have
1346 * been committed that are beyond the inode size, however the only way to find
1347 * them would be to scan the entire index. Alternatively, some provision could
1348 * be made to record the size of inodes at the start of commit, which would seem
1349 * very cumbersome for a scenario that is quite unlikely and the only negative
1350 * consequence of which is wasted space.
1351 *
1352 * This functions returns %0 on success and a negative error code on failure.
1353 */
1354int ubifs_recover_size_accum(struct ubifs_info *c, union ubifs_key *key,
1355                             int deletion, loff_t new_size)
1356{
1357        ino_t inum = key_inum(c, key);
1358        struct size_entry *e;
1359        int err;
1360
1361        switch (key_type(c, key)) {
1362        case UBIFS_INO_KEY:
1363                if (deletion)
1364                        remove_ino(c, inum);
1365                else {
1366                        e = find_ino(c, inum);
1367                        if (e) {
1368                                e->i_size = new_size;
1369                                e->exists = 1;
1370                        } else {
1371                                err = add_ino(c, inum, new_size, 0, 1);
1372                                if (err)
1373                                        return err;
1374                        }
1375                }
1376                break;
1377        case UBIFS_DATA_KEY:
1378                e = find_ino(c, inum);
1379                if (e) {
1380                        if (new_size > e->d_size)
1381                                e->d_size = new_size;
1382                } else {
1383                        err = add_ino(c, inum, 0, new_size, 0);
1384                        if (err)
1385                                return err;
1386                }
1387                break;
1388        case UBIFS_TRUN_KEY:
1389                e = find_ino(c, inum);
1390                if (e)
1391                        e->d_size = new_size;
1392                break;
1393        }
1394        return 0;
1395}
1396
1397/**
1398 * fix_size_in_place - fix inode size in place on flash.
1399 * @c: UBIFS file-system description object
1400 * @e: inode size information for recovery
1401 */
1402static int fix_size_in_place(struct ubifs_info *c, struct size_entry *e)
1403{
1404        struct ubifs_ino_node *ino = c->sbuf;
1405        unsigned char *p;
1406        union ubifs_key key;
1407        int err, lnum, offs, len;
1408        loff_t i_size;
1409        uint32_t crc;
1410
1411        /* Locate the inode node LEB number and offset */
1412        ino_key_init(c, &key, e->inum);
1413        err = ubifs_tnc_locate(c, &key, ino, &lnum, &offs);
1414        if (err)
1415                goto out;
1416        /*
1417         * If the size recorded on the inode node is greater than the size that
1418         * was calculated from nodes in the journal then don't change the inode.
1419         */
1420        i_size = le64_to_cpu(ino->size);
1421        if (i_size >= e->d_size)
1422                return 0;
1423        /* Read the LEB */
1424        err = ubifs_leb_read(c, lnum, c->sbuf, 0, c->leb_size, 1);
1425        if (err)
1426                goto out;
1427        /* Change the size field and recalculate the CRC */
1428        ino = c->sbuf + offs;
1429        ino->size = cpu_to_le64(e->d_size);
1430        len = le32_to_cpu(ino->ch.len);
1431        crc = crc32(UBIFS_CRC32_INIT, (void *)ino + 8, len - 8);
1432        ino->ch.crc = cpu_to_le32(crc);
1433        /* Work out where data in the LEB ends and free space begins */
1434        p = c->sbuf;
1435        len = c->leb_size - 1;
1436        while (p[len] == 0xff)
1437                len -= 1;
1438        len = ALIGN(len + 1, c->min_io_size);
1439        /* Atomically write the fixed LEB back again */
1440        err = ubifs_leb_change(c, lnum, c->sbuf, len);
1441        if (err)
1442                goto out;
1443        dbg_rcvry("inode %lu at %d:%d size %lld -> %lld",
1444                  (unsigned long)e->inum, lnum, offs, i_size, e->d_size);
1445        return 0;
1446
1447out:
1448        ubifs_warn(c, "inode %lu failed to fix size %lld -> %lld error %d",
1449                   (unsigned long)e->inum, e->i_size, e->d_size, err);
1450        return err;
1451}
1452
1453/**
1454 * inode_fix_size - fix inode size
1455 * @c: UBIFS file-system description object
1456 * @e: inode size information for recovery
1457 */
1458static int inode_fix_size(struct ubifs_info *c, struct size_entry *e)
1459{
1460        struct inode *inode;
1461        struct ubifs_inode *ui;
1462        int err;
1463
1464        if (c->ro_mount)
1465                ubifs_assert(c, !e->inode);
1466
1467        if (e->inode) {
1468                /* Remounting rw, pick up inode we stored earlier */
1469                inode = e->inode;
1470        } else {
1471                inode = ubifs_iget(c->vfs_sb, e->inum);
1472                if (IS_ERR(inode))
1473                        return PTR_ERR(inode);
1474
1475                if (inode->i_size >= e->d_size) {
1476                        /*
1477                         * The original inode in the index already has a size
1478                         * big enough, nothing to do
1479                         */
1480                        iput(inode);
1481                        return 0;
1482                }
1483
1484                dbg_rcvry("ino %lu size %lld -> %lld",
1485                          (unsigned long)e->inum,
1486                          inode->i_size, e->d_size);
1487
1488                ui = ubifs_inode(inode);
1489
1490                inode->i_size = e->d_size;
1491                ui->ui_size = e->d_size;
1492                ui->synced_i_size = e->d_size;
1493
1494                e->inode = inode;
1495        }
1496
1497        /*
1498         * In readonly mode just keep the inode pinned in memory until we go
1499         * readwrite. In readwrite mode write the inode to the journal with the
1500         * fixed size.
1501         */
1502        if (c->ro_mount)
1503                return 0;
1504
1505        err = ubifs_jnl_write_inode(c, inode);
1506
1507        iput(inode);
1508
1509        if (err)
1510                return err;
1511
1512        rb_erase(&e->rb, &c->size_tree);
1513        kfree(e);
1514
1515        return 0;
1516}
1517
1518/**
1519 * ubifs_recover_size - recover inode size.
1520 * @c: UBIFS file-system description object
1521 * @in_place: If true, do a in-place size fixup
1522 *
1523 * This function attempts to fix inode size discrepancies identified by the
1524 * 'ubifs_recover_size_accum()' function.
1525 *
1526 * This functions returns %0 on success and a negative error code on failure.
1527 */
1528int ubifs_recover_size(struct ubifs_info *c, bool in_place)
1529{
1530        struct rb_node *this = rb_first(&c->size_tree);
1531
1532        while (this) {
1533                struct size_entry *e;
1534                int err;
1535
1536                e = rb_entry(this, struct size_entry, rb);
1537
1538                this = rb_next(this);
1539
1540                if (!e->exists) {
1541                        union ubifs_key key;
1542
1543                        ino_key_init(c, &key, e->inum);
1544                        err = ubifs_tnc_lookup(c, &key, c->sbuf);
1545                        if (err && err != -ENOENT)
1546                                return err;
1547                        if (err == -ENOENT) {
1548                                /* Remove data nodes that have no inode */
1549                                dbg_rcvry("removing ino %lu",
1550                                          (unsigned long)e->inum);
1551                                err = ubifs_tnc_remove_ino(c, e->inum);
1552                                if (err)
1553                                        return err;
1554                        } else {
1555                                struct ubifs_ino_node *ino = c->sbuf;
1556
1557                                e->exists = 1;
1558                                e->i_size = le64_to_cpu(ino->size);
1559                        }
1560                }
1561
1562                if (e->exists && e->i_size < e->d_size) {
1563                        ubifs_assert(c, !(c->ro_mount && in_place));
1564
1565                        /*
1566                         * We found data that is outside the found inode size,
1567                         * fixup the inode size
1568                         */
1569
1570                        if (in_place) {
1571                                err = fix_size_in_place(c, e);
1572                                if (err)
1573                                        return err;
1574                                iput(e->inode);
1575                        } else {
1576                                err = inode_fix_size(c, e);
1577                                if (err)
1578                                        return err;
1579                                continue;
1580                        }
1581                }
1582
1583                rb_erase(&e->rb, &c->size_tree);
1584                kfree(e);
1585        }
1586
1587        return 0;
1588}
1589