On devices without metadata encryption, we use loop devices rather than
device-mapper + dm-linear + FIEMAP. Devices without metadata encryption
should not exist, since libfiemap was introduced with Android R, which
requires metadata encryption.
It is possible to retrofit an Android Q device with Virtual A/B, which
is what Pixel 4 did. However those devices can only upgrade to
Android T, and they had metadata encryption anyway.
If there are any Android Q devices that retrofitted Virtual A/B in R,
didn't have metadata encryption, and need to upgrade all the way to V,
then we can recommend they make WrapUserdataIfNeeded() unconditional.
Bug: N/A
Test: fiemap_image_test, vts_libsnapshot_test
Change-Id: I7be0507527b967166676c8b136b8758f5e69ba6b
We have seen multiple OTA failures with invalid geometry magic
signature. Make partition metadata write atomic by writing to a tmpfile
first and then do a rename.
Test: th
Bug: 303770065
Bug: 298149189
Change-Id: Id1d565de73439b95b665144c2f02fc97273d341c
We don't need this on the host, since the host will not be running
snapuserd as a server. Rename it for clarity and remove it where we can.
Bug: 288273605
Test: snapuserd_test
Change-Id: I679ef668a89411c670fea8d3b758bde589623548
This will cut down on the binary sizes of update_engine, snapshotctl,
and lpdumpd.
Bug: 291688516
Test: treehugger
Change-Id: Idae5ea075ab21c2bd4fdb839eb065d865cb07d58
These tests are still giving us trouble. Move them to libfiemap, which
(1) is closer to the source of implementation, and (2) allows us to
re-use the temporary filesystem code. This won't perturb the state of
the actual device.
The new test creates a 64MB ext4 or f2fs mount point as a sandbox, which
should be much safer.
Bug: 285197715
Test: fiemap_writer_test
Change-Id: I33502d49613be4f269a80e5c632514fc56a0246a
When we changed our ENOSPC tests, it exposed a path in F2FS were
fallocate can return EAGAIN. This is expected if F2FS attempts GC to
acquire more chunks, and it can leave the file in a partially allocated
state.
As a fix, keep attempting fallocate() as long as (1) it returns EAGAIN,
and (2) the allocated size keeps growing. If (2) fails we return ENOSPC.
Bug: N/A
Test: treehugger
Change-Id: I5f867b5a200b9260e486985f203f9872a949b3f9
Powerloss of OS failure occurs when super is merging,
then the device can't bring up again for no lp_metadata sync,
so make lp_metadata sync in time.
Change-Id: I1ea31662b838e35022a566b614796f2d5e05df4b
Signed-off-by: Jia Jia <jia.jia@zte.com.cn>
This patch eliminates errno as part of the return contract for
fs_mgr_overlayfs_teardown().
The non-standard use of implicit errno makes it extremely difficult to
reason about how these functions can fail. As it turns out,
fs_mgr_overlayfs_teardown has been consistently failing for a long time,
but in a place where errno isn't set, which meant "enable-verity" never
saw the failure.
The failure was originating from umount2(MNT_DETACH) which guaranteed
that DeleteBackingImage would fail with EBUSY, and DeleteBackingImage is
a binder call that doesn't set errno.
This patch switches to umount() and returns a "busy" status if the
unmount fails with EBUSY. In this case it will also disable the scratch
partition. There is a long-standing existing bug where, for non-VAB
devices, it will delete the underlying scratch partition off super. This
is pretty risky with MNT_DETACH, but that path is left unchanged here.
Some duplicated code in set-verity-state was refactored as well, since
the return value of fs_mgr_overlayfs_teardown is now more complex.
Bug: 241179247
Test: adb-remount-test.sh
Change-Id: I2ca75332b75a302622ba9b86d122a6f2accdda3e
This adds a test case for filesystems with larger than 4KiB alignment.
It creates a temporary FAT filesystem and attempts to create a backing
image. The actual size of the block device should be the requested size.
Test: fiemap_image_test
Bug: N/A
Change-Id: I8ef574b22dbf6d47f4855b7de681c927cf81f2b7
Certain code in libfiemap should be unreachable in recovery/ramdisk
builds, but whether intentionally or not, __ANDROID_RECOVERY__ is not
working in vendor_boot.
To make sure this is doing exactly what we want, use __ANDROID_RAMDISK__
instead.
Bug: 205987817
Test: build boot, vendor_boot, recovery
Change-Id: Id419f7d9068e791427a896c22569ae4543548df7
This ensures that the dynamic "scratch" partition is removed when doing
a flashall operation.
If "scratch" is on /data, disable the partition. Add IsImageDisabled to
ImageManager so EnsureScratchMapped can skip mapping it. Also, fix
"scratch" not getting unmapped if on /data.
Bug: 205987817
Test: adb remount
adb sync
adb reboot fastboot
fastboot flashall --skip-reboot # no errors
Test: adb-remount-test.sh
Change-Id: I4b9702e1dac15fb663635506fb50a8274e1e10d1
clean_scratch_files.rc seems to never work as intended due to
missing domain transition rules.
Add a 'remount' domain to the platform policies to allow
remount-related operations, including clean_scratch_files.
Merge remount and clean_scratch_files binary to simplify the added
policies.
Bug: 204836146
Test: 1. Use a VAB device, for example bramble-userdebug
2. adb remount system
3. adb reboot fastboot && fastboot flash system system.img
4. recovery (fastbootd) should mark the remount scratch as disabled
5. fastboot reboot && adb shell mount | grep scratch => nothing
6. adb logcat | grep 'clean_scratch_files|gsid' => shows that
disabled image "scratch" is removed during boot
Change-Id: I18d543868d1f37d43b483eae7517b707e46df1bd
Ensure we have at least one element before we try to access the last
element. Else the array index of the last element may underflow,
0ull - 1 == ~0ull == UINT64_MAX.
Bug: 204536075
Test: atest fiemap_writer_test
Change-Id: Ic390d108bf789cfe136fb5dfe2983f3c7d6f7e48
The kernel can return different compatible ranges on each call, depending on
how it decides to merge contiguous extents in the results. To avoid the
complexity of requerying the ioctl, just do one query up to the maximum
allowed extent size.
Bug: 204536075
Test: install DSU on cuttlefish
fiemap_test
Change-Id: I4d569e3e6feed14c91a5f500296623888060dcad
Test options for the api levels are moved to test_options.
test_min_api_level property will be removed with this change.
Bug: 187258404
Test: build
Change-Id: Id943566de2ac693b5955bd84a8463e5013a8bb0f
If a split fiemap header gets corrupted, we could get ENAMETOOLONG and
removal fails. Handle this gracefully.
Bug: N/A
Test: fiemap_writer_test
Change-Id: I4af9ca7ad4b4fa87a91ff05b8fadac4258006ab6
If device abnormal restart during upgrade, update_engine just
created split cow image file and wrote the name to xxx-cow-img.img.
After restart, update_engine will report following err:
06-30 08:48:06.466 root 8918 8920 E gsid : Error removing image
product_b-cow-img: File name too long
That is because SplitFiemap::Create->DetermineMaximumFileSize
open xxx-cow-img.img to get some info, then fsync and unlink this
file.
On device use f2fs, after restart, f2fs_recover_fsync_data will
recover this file with inode block sync to ufs in following path:
DetermineMaximumFileSize
->FiemapWriter::Open
->AllocateFile
This make xxx-cow-img.img file content corruption.
Update_engine call TryCancelUpdate to clean up the residual files
of last upgrade, cannot read valid split file name from
xxx-cow-img.img, then report err log mentioned above.
Add fsync, f2fs can use correct inode to recover related files.
This can reduce the probability of this issue.
Test: abnormal restart when upgrade
Change-Id: Iceb3e5604d90495350c5fb1fb3433732372f3fec
Signed-off-by: lijiazi <lijiazi@xiaomi.com>
adb_debug.prop is migrated too. And ramdisk_available is added to all
dependencies.
Bug: 187196593
Test: boot
Change-Id: I59cd149e0021211b8fd59c44b93bbf18dc8637bf
Do not use the implicit cast from unique_fd to int so
that it is clearer to the reader what the ownership model
is.
Test: pass
Change-Id: I66563eb2bd06f6a712a5afd4c6009f9b25a55de6
libsnapshot supports dependency injection for whether or not we use
recovery-specific code paths. Extend this to libfiemap.
Bug: 179006671
Test: vts_libsnapshot_test
Change-Id: Ief5a16d105cb51bc2593ebc2317a99c939371775
QuerySnapshotStatus assumes IsSnapshotDevice() would return true.
Additionally, recovery does not have access to /dev/loop-control, which
cannot be used by libfiemap anyway. Access it on-demand instead of
preemptively.
Bug: N/A
Test: manual test
Change-Id: I0f746870d7a8ec6d666f0bdd2fef3464b214928b
F2FS starts to give a hint, FIEMAP_EXTENT_MERGED, in fiemap, so please allow it.
Bug: 180137825
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Change-Id: Ic4e3f573e385d248627da1a2ad64fbbd4a74e679
This fix is to keep the dm line in the status file and let the
UnmapImageDevice to clean up correctly.
Bug: 171861574
Test: execute following command on a device with a SD card inserted
adb shell am start-activity \
-n com.android.dynsystem/com.android.dynsystem.VerificationActivity \
-a android.os.image.action.START_INSTALL \
-d file:///storage/emulated/0/Download/system.raw.gz \
--el KEY_SYSTEM_SIZE $(du -b system.raw|cut -f1) \
--el KEY_USERDATA_SIZE 4294967296
Change-Id: Ia56f8f724f04e7e20586e088c89b62a1068766e4
When checking IsUnreliablePinningAllowed, the existing code calls
IsTestDir on a value starts with "/data", but IsTestDir expects
metadata_dir_. Fix it.
Also, make subdir checks more robust and add test cases for IsSubdir.
Fixes: 162557082
Test: vts_libsnapshot_test
Test: fiemap_image_test
Change-Id: I495cfae3da11d1e0800b8abf520df10dd9a29dce
Because DSUs mount userdata via a fiemap, libfiemap has trouble creating
additional fiemaps on top of it. The complex stacking of dm-linear is
not supported. For other libfiemap tests we've hacked around this
limitation. If LpMetadata is in a folder named "test", we allow the
backing device search to stop at a dm node, whereas otherwise it would
need to stop at a physical device.
However this was not quite enough for vts_libsnapshot_test, because (1)
the test folder was not included in the pattern match, and (2)
CreateLogicalPartition() could not handle device-mapper names, as it
expects a named physical partition. Addressing both of these allows the
tests to pass on DSUs.
Bug: 156713441
Test: vts_libsnapshot_test on DSU
Change-Id: Ie7ee70e31dff0809a5f0c402ed132d80dd03d9b1
libfiemap functionality is extensively tested via libsnapshot, gsid, and
fiemap_writer_test. However those tests rely on the configuration of the
device, and libfiemap has fairly different behavior based on whether FBE
or metadata encryption is in use. (The former will use loop devices, the
latter uses dm-linear).
To expand coverage, we added tests with very complicated nesting,
creating fiemaps on a rw partition mounted off a device backed by a
fiemap. Unsurprisingly, this was brittle to begin with, and now
consistently fails due to the intermediate partition not having
sepolicy.
Given the preference toward metadata encryption, and the fact that the
FBE mode will still be properly tested via VTS, let's just remove these
tests.
Bug: 148874852
Test: fiemap_image_test
Change-Id: I7be7d44dea81508505c050ed995b3b78086ad35f
libcrypto_utils is not available as 32 bit library in 64 bit devices.
Import the library as static.
Bug: 148878078
Test: nativetest/fiemap_image_test
Signed-off-by: Alessio Balsini <balsini@google.com>
Change-Id: I2b8cd69d06607f4216e4e2220dd8561e6eff323c
The test is guaranteed to fail because userdata is itself a fiemap-backed device.
Bug: 154447105
Test: fiemap_writer_test on DSU
Change-Id: Ied35da0eb7aba3daca7ed430f006bf1e90e21dca
Bug: 151896491
Test: local build
Exempt-From-Owner-Approval: This CL moves all tests in vts-core to vts.
It won't change test logic or behavior.
Change-Id: I24779951257ce37fc18929f214d3cf5f76c23a19
Merged-In: I24779951257ce37fc18929f214d3cf5f76c23a19
GetGsiService() is defined in libgsid, let libfs_mgr_binder link to
libgsid instead of duplicating the logic.
Test: Build and boot
Change-Id: I28d0c92b432a53770a3bdc5f4c5cd91e3466151c
Replace the original on demand start mechanism with the new dynamic
AIDL service infrastructure to resolve a possible race condition.
Bug: 149130673
Test: gsi_tool status
Change-Id: Ia5f32579a8dcf62d700d974c7f4e3c65647f3b8b
Add fiemap_image_test and fiemap_writer_test to TEST_MAPPING to be run
by TH as presubmits.
Because of a bug under investigation, the actual
fiemap_image_test_presubmit is used instead of the original, that has
one test case disabled.
Bug: none
Test: TH, fiemap_image_test, fiemap_writer_test
Change-Id: I63b5e69b5c245a18eceb1e5896df7bd0577f289b
Signed-off-by: Alessio Balsini <balsini@google.com>
Fix the total fiemap struct plus extents size allocation.
Fix also the logging in IsLastExtent, that was printing error messages
every time.
Bug: none
Test: fiemap_*_test
Change-Id: I85c6af63ba3a75b993a5e8ad7d7170dc7af59582
Signed-off-by: Alessio Balsini <balsini@google.com>
Currently, this is only enabled for Virtual A/B devices. When /data uses
F2FS, then proper pinning support must be enabled.
Because /data cannot be mounted in recovery, we can't delete the scratch
image backed by /data while in fastbootd. Instead, we mark it as
disabled in /metadata. The remount command now has an init script that
checks for and removes a disabled scratch partition.
Bug: 134949511
Test: adb remount on V A/B device with patched F2FS
Change-Id: Ifc8720378259654472d3822e97059b6c366f601d
