Patch "ubi: Fix failure attaching when vid_hdr offset equals to (sub)page size" has been added to the 4.19-stable tree

This is a note to let you know that I've just added the patch titled

    ubi: Fix failure attaching when vid_hdr offset equals to (sub)page size

to the 4.19-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     ubi-fix-failure-attaching-when-vid_hdr-offset-equals.patch
and it can be found in the queue-4.19 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 441db01cd471e26a4865c0c3b426f4fcdd531329
Author: Zhihao Cheng <chengzhihao1@xxxxxxxxxx>
Date:   Mon Mar 6 09:33:08 2023 +0800

    ubi: Fix failure attaching when vid_hdr offset equals to (sub)page size
    
    [ Upstream commit 1e020e1b96afdecd20680b5b5be2a6ffc3d27628 ]
    
    The following process will make ubi attaching fail since commit
    1b42b1a36fc946 ("ubi: ensure that VID header offset ... size"):
    
    ID="0xec,0xa1,0x00,0x15" # 128M 128KB 2KB
    modprobe nandsim id_bytes=$ID
    flash_eraseall /dev/mtd0
    modprobe ubi mtd="0,2048"  # set vid_hdr offset as 2048 (one page)
    (dmesg):
      ubi0 error: ubi_attach_mtd_dev [ubi]: VID header offset 2048 too large.
      UBI error: cannot attach mtd0
      UBI error: cannot initialize UBI, error -22
    
    Rework the original solution; the key point is making sure
    'vid_hdr_shift + UBI_VID_HDR_SIZE < ubi->vid_hdr_alsize',
    so we should check vid_hdr_shift rather than vid_hdr_offset.
    Then, ubi still supports (sub)page aligned VID header offset.
    
    Fixes: 1b42b1a36fc946 ("ubi: ensure that VID header offset ... size")
    Signed-off-by: Zhihao Cheng <chengzhihao1@xxxxxxxxxx>
    Tested-by: Nicolas Schichan <nschichan@xxxxxxxxxx>
    Tested-by: Miquel Raynal <miquel.raynal@xxxxxxxxxxx> # v5.10, v4.19
    Signed-off-by: Richard Weinberger <richard@xxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c
index 3d0241f8f3ec7..3eb14c68cb9b2 100644
--- a/drivers/mtd/ubi/build.c
+++ b/drivers/mtd/ubi/build.c
@@ -657,12 +657,6 @@ static int io_init(struct ubi_device *ubi, int max_beb_per1024)
 	ubi->ec_hdr_alsize = ALIGN(UBI_EC_HDR_SIZE, ubi->hdrs_min_io_size);
 	ubi->vid_hdr_alsize = ALIGN(UBI_VID_HDR_SIZE, ubi->hdrs_min_io_size);
 
-	if (ubi->vid_hdr_offset && ((ubi->vid_hdr_offset + UBI_VID_HDR_SIZE) >
-	    ubi->vid_hdr_alsize)) {
-		ubi_err(ubi, "VID header offset %d too large.", ubi->vid_hdr_offset);
-		return -EINVAL;
-	}
-
 	dbg_gen("min_io_size      %d", ubi->min_io_size);
 	dbg_gen("max_write_size   %d", ubi->max_write_size);
 	dbg_gen("hdrs_min_io_size %d", ubi->hdrs_min_io_size);
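Review bot: With the test after the 'ubi->vid_hdr_alsize' assignment deleted, nothing at this position bounds 'ubi->vid_hdr_offset' any more, and the replacement only runs further down in io_init() (second hunk, new line 685). The lines between the two hunks are not shown here, so it is worth confirming that nothing in that gap uses the offset or the shift to size or index the VID header buffer before the new test can return -EINVAL. The deleted condition also carried a 'ubi->vid_hdr_offset &&' guard that the new one drops; a sentence in the commit message on why the zero (default) offset no longer needs special-casing would help stable reviewers.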
@@ -680,6 +674,21 @@ static int io_init(struct ubi_device *ubi, int max_beb_per1024)
 						ubi->vid_hdr_aloffset;
 	}
 
+	/*
+	 * Memory allocation for VID header is ubi->vid_hdr_alsize
+	 * which is described in comments in io.c.
+	 * Make sure VID header shift + UBI_VID_HDR_SIZE not exceeds
+	 * ubi->vid_hdr_alsize, so that all vid header operations
+	 * won't access memory out of bounds.
+	 */
+	if ((ubi->vid_hdr_shift + UBI_VID_HDR_SIZE) > ubi->vid_hdr_alsize) {
+		ubi_err(ubi, "Invalid VID header offset %d, VID header shift(%d)"
+			" + VID header size(%zu) > VID header aligned size(%d).",
+			ubi->vid_hdr_offset, ubi->vid_hdr_shift,
+			UBI_VID_HDR_SIZE, ubi->vid_hdr_alsize);
+		return -EINVAL;
+	}
+
 	/* Similar for the data offset */
 	ubi->leb_start = ubi->vid_hdr_offset + UBI_VID_HDR_SIZE;
 	ubi->leb_start = ALIGN(ubi->leb_start, ubi->min_io_size);
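Review bot: The new condition '(ubi->vid_hdr_shift + UBI_VID_HDR_SIZE) > ubi->vid_hdr_alsize' accepts the case where the sum equals vid_hdr_alsize, while the commit message states the invariant with a strict '<'. Equality is consistent with the comment that the allocation is vid_hdr_alsize bytes, so the code looks right and the message should say '<='. Two smaller points: the ubi_err() format string is split across two source lines, which makes the message hard to grep for in dmesg reports, so keep it on one line even if it exceeds the column limit; and the comment's "not exceeds" should read "does not exceed".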


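The difference between the removed and the added check, as an added example that is not part of the patch or of the kernel source. It assumes UBI_VID_HDR_SIZE is 64 bytes and that io_init() splits a non-zero offset into an aligned offset and a shift as modelled in vid_geom(); the names vid_geom, old_check_rejects and new_check_rejects are hypothetical, and the default-offset case is left out.

```c
#include <stdio.h>

#define VID_HDR_SIZE 64	/* assumed value of UBI_VID_HDR_SIZE */
#define ALIGN_UP(x, a) (((x) + (a) - 1) & ~((a) - 1))

struct vid_geom { int aloffset, shift, alsize; };

/* Assumed model: aligned part of the offset, remainder inside the buffer. */
static struct vid_geom vid_geom(int vid_hdr_offset, int hdrs_min_io_size)
{
	struct vid_geom g;

	g.alsize = ALIGN_UP(VID_HDR_SIZE, hdrs_min_io_size);
	g.aloffset = vid_hdr_offset & ~(hdrs_min_io_size - 1);
	g.shift = vid_hdr_offset - g.aloffset;
	return g;
}

/* Removed check: raw flash offset compared with the buffer size. */
static int old_check_rejects(int off, int io)
{
	struct vid_geom g = vid_geom(off, io);

	return off && (off + VID_HDR_SIZE) > g.alsize;
}

/* Added check: position inside the buffer compared with the buffer size. */
static int new_check_rejects(int off, int io)
{
	struct vid_geom g = vid_geom(off, io);

	return (g.shift + VID_HDR_SIZE) > g.alsize;
}

int main(void)
{
	/* Constructed offsets for a 2048-byte page, as in the nandsim report. */
	int offs[] = { 64, 1984, 2000, 2048, 4096 + 1990 };

	for (size_t i = 0; i < sizeof(offs) / sizeof(offs[0]); i++)
		printf("offset %4d: old %s, new %s\n", offs[i],
		       old_check_rejects(offs[i], 2048) ? "reject" : "accept",
		       new_check_rejects(offs[i], 2048) ? "reject" : "accept");
	return 0;
}
```

Offsets whose shift would place the header past the end of the aligned buffer (2000, 6086) are rejected by both checks; only page-aligned offsets such as 2048 change from rejected to accepted.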
