diff --git a/ntfsprogs/ntfsrecover.c b/ntfsprogs/ntfsrecover.c index aae96adf..dbcf977a 100644 --- a/ntfsprogs/ntfsrecover.c +++ b/ntfsprogs/ntfsrecover.c @@ -832,7 +832,7 @@ static BOOL likelyop(const struct LOG_RECORD *logr) { BOOL likely; - switch (le32_to_cpu(logr->record_type)) { + switch (logr->record_type) { case LOG_STANDARD : /* standard record */ /* Operations in range 0..LastAction-1, can be both null */ likely = ((unsigned int)le16_to_cpu(logr->redo_operation) @@ -1845,8 +1845,8 @@ static void detaillogr(CONTEXT *ctx, const struct LOG_RECORD *logr) unsigned int listsize; BOOL onmft; - switch (le32_to_cpu(logr->record_type)) { - case 1 : + switch (logr->record_type) { + case LOG_STANDARD : onmft = logr->cluster_index || acts_on_mft(le16_to_cpu(logr->redo_operation)) || acts_on_mft(le16_to_cpu(logr->undo_operation)); @@ -2068,7 +2068,7 @@ static void detaillogr(CONTEXT *ctx, const struct LOG_RECORD *logr) printf("* undo data overflows from record\n"); } break; - case 2 : + case LOG_CHECKPOINT : printf("---> checkpoint record\n"); printf("redo_operation %04x %s\n", (int)le16_to_cpu(logr->redo_operation), @@ -2117,8 +2117,8 @@ BOOL within_lcn_range(const struct LOG_RECORD *logr) BOOL within; within = FALSE; - switch (le32_to_cpu(logr->record_type)) { - case 1 : + switch (logr->record_type) { + case LOG_STANDARD : for (i=0; ilcns_to_follow); i++) { lcn = MREF(le64_to_cpu(logr->lcn_list[i])); if ((lcn >= firstlcn) && (lcn <= lastlcn)) @@ -2166,7 +2166,7 @@ static void showlogr(CONTEXT *ctx, int k, const struct LOG_RECORD *logr) if (optt) { const char *state; - if (logr->record_type == const_cpu_to_le32(2)) + if (logr->record_type == LOG_CHECKPOINT) state = "--checkpoint--"; else state = commitment(sle64_to_cpu(logr->this_lsn)); @@ -2290,7 +2290,7 @@ static TRISTATE enqueue_action(CONTEXT *ctx, const struct LOG_RECORD *logr, err = 0; state = T_OK; if ((optp || optu) - && (logr->record_type == const_cpu_to_le32(2))) { + && (logr->record_type == LOG_CHECKPOINT)) { /* if chkp process queue, and increment count */ playedactions++; if (playedactions <= playcount) { diff --git a/ntfsprogs/ntfsrecover.h b/ntfsprogs/ntfsrecover.h index 5da42c66..692aa178 100644 --- a/ntfsprogs/ntfsrecover.h +++ b/ntfsprogs/ntfsrecover.h @@ -40,16 +40,29 @@ #define feedle32(p,x) (*(const le32*)((const char*)(p) + (x))) #define feedle64(p,x) (*(const le64*)((const char*)(p) + (x))) -enum LOG_RECORD_TYPE { - LOG_STANDARD = 1, - LOG_CHECKPOINT = 2 -} ; +/* + * LOG_RECORD_TYPE : types of log records + */ - /* These flags were introduced in Vista in field attribute_flags */ -enum ATTRIBUTE_FLAGS { - ACTS_ON_MFT = 2, - ACTS_ON_INDX = 8 +enum { + LOG_STANDARD = const_cpu_to_le32(1), + LOG_CHECKPOINT = const_cpu_to_le32(2), + LOG_RECORD_TYPE_PLACE_HOLDER = 0xffffffffU } ; +typedef le32 LOG_RECORD_TYPE; + +/* + * ATTRIBUTE_FLAGS : flags describing the kind of NTFS record + * is being updated. + * These flags were introduced in Vista, only two flags are known? + */ + +enum { + ACTS_ON_MFT = const_cpu_to_le16(2), + ACTS_ON_INDX = const_cpu_to_le16(8), + ATTRIBUTE_FLAGS_PLACE_HOLDER = 0xffff, +} ; +typedef le16 ATTRIBUTE_FLAGS; enum ACTIONS { Noop, /* 0 */ @@ -93,14 +106,22 @@ enum ACTIONS { LastAction /* 38 */ } ; - /* Flags for field log_record_flags, their meaning is unclear */ -enum RECORD_FLAGS { - RECORD_UNKNOWN = 1, - /* The flags below were introduced in Windows 10 */ - RECORD_DELETING = 2, - RECORD_ADDING = 4 -} ; -typedef le16 LOG_RECORD_FLAGS; +/** + * enum LOG_RECORD_FLAGS - Possible 16-bit flags for log records. + * + * Some flags describe what kind of update is being logged. + * + * (Or is it log record pages?) + */ +typedef enum { + LOG_RECORD_MULTI_PAGE = const_cpu_to_le16(0x0001), /* ??? */ + /* The flags below were introduced in Windows 10 */ + LOG_RECORD_DELETING = const_cpu_to_le16(0x0002), + LOG_RECORD_ADDING = const_cpu_to_le16(0x0004), + LOG_RECORD_SIZE_PLACE_HOLDER = 0xffff, + /* This has nothing to do with the log record. It is only so + gcc knows to make the flags 16-bit. */ +} __attribute__((__packed__)) LOG_RECORD_FLAGS; #define LOGFILE_NO_CLIENT const_cpu_to_le16(0xffff) #define RESTART_VOLUME_IS_CLEAN const_cpu_to_le16(0x0002) @@ -200,7 +221,7 @@ typedef struct LOG_RECORD { /* size 80 */ le16 seq_number; le16 client_index; } __attribute__((__packed__)) client_id; - le32 record_type; + LOG_RECORD_TYPE record_type; le32 transaction_id; LOG_RECORD_FLAGS log_record_flags; le16 reserved1[3]; @@ -217,7 +238,7 @@ typedef struct LOG_RECORD { /* size 80 */ le16 record_offset; le16 attribute_offset; le16 cluster_index; - le16 attribute_flags; + ATTRIBUTE_FLAGS attribute_flags; le32 target_vcn; le32 reserved3; le64 lcn_list[0]; diff --git a/ntfsprogs/playlog.c b/ntfsprogs/playlog.c index d8ba333d..83d63071 100644 --- a/ntfsprogs/playlog.c +++ b/ntfsprogs/playlog.c @@ -3991,13 +3991,11 @@ static enum ACTION_KIND get_action_kind(const struct ACTION_RECORD *action) * the action was defined by Win10 (or subsequent). */ if (action->record.log_record_flags - & const_cpu_to_le16(RECORD_DELETING | RECORD_ADDING)) { - if (action->record.attribute_flags - & const_cpu_to_le16(ACTS_ON_INDX)) + & (LOG_RECORD_DELETING | LOG_RECORD_ADDING)) { + if (action->record.attribute_flags & ACTS_ON_INDX) kind = ON_INDX; else - if (action->record.attribute_flags - & const_cpu_to_le16(ACTS_ON_MFT)) + if (action->record.attribute_flags & ACTS_ON_MFT) kind = ON_MFT; else kind = ON_RAW; @@ -4325,7 +4323,7 @@ static int play_one_redo(ntfs_volume *vol, const struct ACTION_RECORD *action) case ON_MFT : /* the check below cannot be used on WinXP -if (!(action->record.attribute_flags & const_cpu_to_le16(ACTS_ON_MFT))) +if (!(action->record.attribute_flags & ACTS_ON_MFT)) printf("** %s (action %d) not acting on MFT\n",actionname(rop),(int)action->num); */ /* Check whether data is to be discarded */ @@ -4366,7 +4364,7 @@ printf("** %s (action %d) not acting on MFT\n",actionname(rop),(int)action->num) case ON_INDX : /* the check below cannot be used on WinXP -if (!(action->record.attribute_flags & const_cpu_to_le16(ACTS_ON_INDX))) +if (!(action->record.attribute_flags & ACTS_ON_INDX)) printf("** %s (action %d) not acting on INDX\n",actionname(rop),(int)action->num); */ xsize = vol->indx_record_size; @@ -4407,7 +4405,7 @@ printf("** %s (action %d) not acting on INDX\n",actionname(rop),(int)action->num break; case ON_RAW : if (action->record.attribute_flags - & (const_cpu_to_le16(ACTS_ON_INDX | ACTS_ON_MFT))) { + & (ACTS_ON_INDX | ACTS_ON_MFT)) { printf("** Error : action %s on MFT" " or INDX\n", actionname(rop)); @@ -4707,7 +4705,7 @@ static int play_one_undo(ntfs_volume *vol, const struct ACTION_RECORD *action) case ON_MFT : /* the check below cannot be used on WinXP -if (!(action->record.attribute_flags & const_cpu_to_le16(ACTS_ON_MFT))) +if (!(action->record.attribute_flags & ACTS_ON_MFT)) printf("** %s (action %d) not acting on MFT\n",actionname(rop),(int)action->num); */ buffer = read_protected(vol, &action->record, mftrecsz, TRUE); @@ -4746,7 +4744,7 @@ printf("record lsn 0x%llx is %s than action %d lsn 0x%llx\n", case ON_INDX : /* the check below cannot be used on WinXP -if (!(action->record.attribute_flags & const_cpu_to_le16(ACTS_ON_INDX))) +if (!(action->record.attribute_flags & ACTS_ON_INDX)) printf("** %s (action %d) not acting on INDX\n",actionname(rop),(int)action->num); */ xsize = vol->indx_record_size; @@ -4797,7 +4795,7 @@ printf("index lsn 0x%llx is %s than action %d lsn 0x%llx\n", break; case ON_RAW : if (action->record.attribute_flags - & (const_cpu_to_le16(ACTS_ON_INDX | ACTS_ON_MFT))) { + & (ACTS_ON_INDX | ACTS_ON_MFT)) { printf("** Error : action %s on MFT or INDX\n", actionname(rop)); err = 1;