kernel: backport fix for recently introduced UBI bug
[openwrt/staging/dedeckeh.git] / target / linux / generic / backport-5.15 / 430-v6.3-ubi-Fix-failure-attaching-when-vid_hdr-offset-equals.patch
1 From 1e020e1b96afdecd20680b5b5be2a6ffc3d27628 Mon Sep 17 00:00:00 2001
2 From: Zhihao Cheng <chengzhihao1@huawei.com>
3 Date: Mon, 6 Mar 2023 09:33:08 +0800
4 Subject: [PATCH] ubi: Fix failure attaching when vid_hdr offset equals to
5 (sub)page size
6
7 Following process will make ubi attaching failed since commit
8 1b42b1a36fc946 ("ubi: ensure that VID header offset ... size"):
9
10 ID="0xec,0xa1,0x00,0x15" # 128M 128KB 2KB
11 modprobe nandsim id_bytes=$ID
12 flash_eraseall /dev/mtd0
13 modprobe ubi mtd="0,2048" # set vid_hdr offset as 2048 (one page)
14 (dmesg):
15 ubi0 error: ubi_attach_mtd_dev [ubi]: VID header offset 2048 too large.
16 UBI error: cannot attach mtd0
17 UBI error: cannot initialize UBI, error -22
18
19 Rework the original solution: the key point is making sure
20 'vid_hdr_shift + UBI_VID_HDR_SIZE < ubi->vid_hdr_alsize',
21 so we should check vid_hdr_shift rather than vid_hdr_offset.
22 Then, ubi still supports (sub)page aligned VID header offset.
23
24 Fixes: 1b42b1a36fc946 ("ubi: ensure that VID header offset ... size")
25 Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
26 Tested-by: Nicolas Schichan <nschichan@freebox.fr>
27 Tested-by: Miquel Raynal <miquel.raynal@bootlin.com> # v5.10, v4.19
28 Signed-off-by: Richard Weinberger <richard@nod.at>
29 ---
30 drivers/mtd/ubi/build.c | 21 +++++++++++++++------
31 1 file changed, 15 insertions(+), 6 deletions(-)
32
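--- a/drivers/mtd/ubi/build.c
+++ b/drivers/mtd/ubi/build.c
@@ -664,12 +664,6 @@ static int io_init(struct ubi_device *ub
 ubi->ec_hdr_alsize = ALIGN(UBI_EC_HDR_SIZE, ubi->hdrs_min_io_size);
 ubi->vid_hdr_alsize = ALIGN(UBI_VID_HDR_SIZE, ubi->hdrs_min_io_size);
 
- if (ubi->vid_hdr_offset && ((ubi->vid_hdr_offset + UBI_VID_HDR_SIZE) >
- ubi->vid_hdr_alsize)) {
- ubi_err(ubi, "VID header offset %d too large.", ubi->vid_hdr_offset);
- return -EINVAL;
- }
-
 dbg_gen("min_io_size %d", ubi->min_io_size);
 dbg_gen("max_write_size %d", ubi->max_write_size);
 dbg_gen("hdrs_min_io_size %d", ubi->hdrs_min_io_size);
@@ -687,6 +681,21 @@ static int io_init(struct ubi_device *ub
 ubi->vid_hdr_aloffset;
 }
 
+ /*
+ * Memory allocation for VID header is ubi->vid_hdr_alsize
+ * which is described in comments in io.c.
+ * Make sure VID header shift + UBI_VID_HDR_SIZE not exceeds
+ * ubi->vid_hdr_alsize, so that all vid header operations
+ * won't access memory out of bounds.
+ */
+ if ((ubi->vid_hdr_shift + UBI_VID_HDR_SIZE) > ubi->vid_hdr_alsize) {
+ ubi_err(ubi, "Invalid VID header offset %d, VID header shift(%d)"
+ " + VID header size(%zu) > VID header aligned size(%d).",
+ ubi->vid_hdr_offset, ubi->vid_hdr_shift,
+ UBI_VID_HDR_SIZE, ubi->vid_hdr_alsize);
+ return -EINVAL;
+ }
+
 /* Similar for the data offset */
 ubi->leb_start = ubi->vid_hdr_offset + UBI_VID_HDR_SIZE;
 ubi->leb_start = ALIGN(ubi->leb_start, ubi->min_io_size);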
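Review bot: The block comment above the new `if` in the second hunk defers to "comments in io.c" instead of stating the invariant that keeps VID header accesses in bounds, and the commit message writes that invariant with a strict `<` while the code accepts equality. I would spell it out at the check, e.g. `/* The VID header buffer is vid_hdr_alsize bytes and the header sits vid_hdr_shift bytes into it, so vid_hdr_shift + UBI_VID_HDR_SIZE must not exceed vid_hdr_alsize. */`; that buffer layout is what the existing comment implies, so confirm it against io.c before committing the wording. The `ubi_err()` format string is also split across two source lines, which makes the message harder to find by grep when triaging a dmesg report; keeping it on one line is the usual kernel convention. io_init() starts and ends outside both hunks, and only the tail of the statement that sets `vid_hdr_shift` is visible, so the range of values reaching this check cannot be confirmed from the patch alone.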