From 957e1c4e1779bffda4aac7a28efa68012a6d4b53 Mon Sep 17 00:00:00 2001 From: Zhihao Cheng Date: Fri, 12 Jul 2024 14:36:24 +0800 Subject: [PATCH 01/25] ubifs: ubifs_jnl_write_inode: Only check once for the limitation of xattr count No need to check the limitation of xattr count every time in function ubifs_jnl_write_inode(), because the 'ui->xattr_cnt' won't be modified by others in the inode evicting process. Signed-off-by: Zhihao Cheng Signed-off-by: Richard Weinberger --- fs/ubifs/journal.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/fs/ubifs/journal.c b/fs/ubifs/journal.c index 4a35f9e8f668..8e98be642371 100644 --- a/fs/ubifs/journal.c +++ b/fs/ubifs/journal.c @@ -981,6 +981,12 @@ int ubifs_jnl_write_inode(struct ubifs_info *c, const struct inode *inode) dbg_jnl("ino %lu, nlink %u", inode->i_ino, inode->i_nlink); + if (kill_xattrs && ui->xattr_cnt > ubifs_xattr_max_cnt(c)) { + ubifs_err(c, "Cannot delete inode, it has too much xattrs!"); + ubifs_ro_mode(c, err); + return -EPERM; + } + /* * If the inode is being deleted, do not write the attached data. No * need to synchronize the write-buffer either. @@ -1012,12 +1018,6 @@ int ubifs_jnl_write_inode(struct ubifs_info *c, const struct inode *inode) struct inode *xino; struct ubifs_dent_node *xent, *pxent = NULL; - if (ui->xattr_cnt > ubifs_xattr_max_cnt(c)) { - err = -EPERM; - ubifs_err(c, "Cannot delete inode, it has too much xattrs!"); - goto out_release; - } - lowest_xent_key(c, &key, inode->i_ino); while (1) { xent = ubifs_tnc_next_ent(c, &key, &nm); From 3c50701fd37ffc265d28e7cb4db2ff0cd33241d7 Mon Sep 17 00:00:00 2001 From: Zhihao Cheng Date: Fri, 12 Jul 2024 14:36:25 +0800 Subject: [PATCH 02/25] ubifs: Remove ineffective function ubifs_evict_xattr_inode() Function ubifs_evict_xattr_inode() is imported by commit 272eda8298dc ("ubifs: Correctly evict xattr inodes") to reclaim xattr inode when the host inode is deleted. The xattr inode is evicted in the host inode deleting process since commit 7959cf3a7506 ("ubifs: journal: Handle xattrs like files"). So the ineffective function ubifs_evict_xattr_inode() can be deleted safely. Signed-off-by: Zhihao Cheng Signed-off-by: Richard Weinberger --- fs/ubifs/tnc.c | 2 -- fs/ubifs/ubifs.h | 3 --- fs/ubifs/xattr.c | 22 ---------------------- 3 files changed, 27 deletions(-) diff --git a/fs/ubifs/tnc.c b/fs/ubifs/tnc.c index 45cacdcd4746..33946b518148 100644 --- a/fs/ubifs/tnc.c +++ b/fs/ubifs/tnc.c @@ -2930,8 +2930,6 @@ int ubifs_tnc_remove_ino(struct ubifs_info *c, ino_t inum) dbg_tnc("xent '%s', ino %lu", xent->name, (unsigned long)xattr_inum); - ubifs_evict_xattr_inode(c, xattr_inum); - fname_name(&nm) = xent->name; fname_len(&nm) = le16_to_cpu(xent->nlen); err = ubifs_tnc_remove_nm(c, &key1, &nm); diff --git a/fs/ubifs/ubifs.h b/fs/ubifs/ubifs.h index d69a5a42d693..3375bbe0508c 100644 --- a/fs/ubifs/ubifs.h +++ b/fs/ubifs/ubifs.h @@ -2040,13 +2040,10 @@ ssize_t ubifs_xattr_get(struct inode *host, const char *name, void *buf, #ifdef CONFIG_UBIFS_FS_XATTR extern const struct xattr_handler * const ubifs_xattr_handlers[]; ssize_t ubifs_listxattr(struct dentry *dentry, char *buffer, size_t size); -void ubifs_evict_xattr_inode(struct ubifs_info *c, ino_t xattr_inum); int ubifs_purge_xattrs(struct inode *host); #else #define ubifs_listxattr NULL #define ubifs_xattr_handlers NULL -static inline void ubifs_evict_xattr_inode(struct ubifs_info *c, - ino_t xattr_inum) { } static inline int ubifs_purge_xattrs(struct inode *host) { return 0; diff --git a/fs/ubifs/xattr.c b/fs/ubifs/xattr.c index f734588b224a..c673fd03d9b4 100644 --- a/fs/ubifs/xattr.c +++ b/fs/ubifs/xattr.c @@ -570,28 +570,6 @@ int ubifs_purge_xattrs(struct inode *host) return err; } -/** - * ubifs_evict_xattr_inode - Evict an xattr inode. - * @c: UBIFS file-system description object - * @xattr_inum: xattr inode number - * - * When an inode that hosts xattrs is being removed we have to make sure - * that cached inodes of the xattrs also get removed from the inode cache - * otherwise we'd waste memory. This function looks up an inode from the - * inode cache and clears the link counter such that iput() will evict - * the inode. - */ -void ubifs_evict_xattr_inode(struct ubifs_info *c, ino_t xattr_inum) -{ - struct inode *inode; - - inode = ilookup(c->vfs_sb, xattr_inum); - if (inode) { - clear_nlink(inode); - iput(inode); - } -} - static int ubifs_xattr_remove(struct inode *host, const char *name) { struct inode *inode; From d610020f030bec819f42de327c2bd5437d2766b3 Mon Sep 17 00:00:00 2001 From: Zhihao Cheng Date: Mon, 19 Aug 2024 11:26:21 +0800 Subject: [PATCH 03/25] ubi: wl: Put source PEB into correct list if trying locking LEB failed During wear-leveing work, the source PEB will be moved into scrub list when source LEB cannot be locked in ubi_eba_copy_leb(), which is wrong for non-scrub type source PEB. The problem could bring extra and ineffective wear-leveing jobs, which makes more or less negative effects for the life time of flash. Specifically, the process is divided 2 steps: 1. wear_leveling_worker // generate false scrub type PEB ubi_eba_copy_leb // MOVE_RETRY is returned leb_write_trylock // trylock failed scrubbing = 1; e1 is put into ubi->scrub 2. wear_leveling_worker // schedule false scrub type PEB for wl scrubbing = 1 e1 = rb_entry(rb_first(&ubi->scrub)) The problem can be reproduced easily by running fsstress on a small UBIFS partition(<64M, simulated by nandsim) for 5~10mins (CONFIG_MTD_UBI_FASTMAP=y,CONFIG_MTD_UBI_WL_THRESHOLD=50). Following message is shown: ubi0: scrubbed PEB 66 (LEB 0:10), data moved to PEB 165 Since scrub type source PEB has set variable scrubbing as '1', and variable scrubbing is checked before variable keep, so the problem can be fixed by setting keep variable as 1 directly if the source LEB cannot be locked. Fixes: e801e128b220 ("UBI: fix missing scrub when there is a bit-flip") CC: stable@vger.kernel.org Signed-off-by: Zhihao Cheng Signed-off-by: Richard Weinberger --- drivers/mtd/ubi/wl.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/mtd/ubi/wl.c b/drivers/mtd/ubi/wl.c index a357f3d27f2f..8a26968aba11 100644 --- a/drivers/mtd/ubi/wl.c +++ b/drivers/mtd/ubi/wl.c @@ -846,7 +846,14 @@ static int wear_leveling_worker(struct ubi_device *ubi, struct ubi_work *wrk, goto out_not_moved; } if (err == MOVE_RETRY) { - scrubbing = 1; + /* + * For source PEB: + * 1. The scrubbing is set for scrub type PEB, it will + * be put back into ubi->scrub list. + * 2. Non-scrub type PEB will be put back into ubi->used + * list. + */ + keep = 1; dst_leb_clean = 1; goto out_not_moved; } From c4595fe394a289927077e3da561db27811919ee0 Mon Sep 17 00:00:00 2001 From: Zhihao Cheng Date: Mon, 19 Aug 2024 11:26:22 +0800 Subject: [PATCH 04/25] ubi: fastmap: wl: Schedule fm_work if wear-leveling pool is empty Since commit 14072ee33d5a ("ubi: fastmap: Check wl_pool for free peb before wear leveling"), wear_leveling_worker() won't schedule fm_work if wear-leveling pool is empty, which could temporarily disable the wear-leveling until the fastmap is updated(eg. pool becomes empty). Fix it by scheduling fm_work if wl_pool is empty during wear-leveing. Fixes: 14072ee33d5a ("ubi: fastmap: Check wl_pool for free peb before wear leveling") Signed-off-by: Zhihao Cheng Signed-off-by: Richard Weinberger --- drivers/mtd/ubi/fastmap-wl.c | 19 ++++++++++++++++--- drivers/mtd/ubi/wl.c | 2 +- drivers/mtd/ubi/wl.h | 3 ++- 3 files changed, 19 insertions(+), 5 deletions(-) diff --git a/drivers/mtd/ubi/fastmap-wl.c b/drivers/mtd/ubi/fastmap-wl.c index 2a9cc9413c42..9bdb6525f128 100644 --- a/drivers/mtd/ubi/fastmap-wl.c +++ b/drivers/mtd/ubi/fastmap-wl.c @@ -346,14 +346,27 @@ int ubi_wl_get_peb(struct ubi_device *ubi) * WL sub-system. * * @ubi: UBI device description object + * @need_fill: whether to fill wear-leveling pool when no PEBs are found */ -static struct ubi_wl_entry *next_peb_for_wl(struct ubi_device *ubi) +static struct ubi_wl_entry *next_peb_for_wl(struct ubi_device *ubi, + bool need_fill) { struct ubi_fm_pool *pool = &ubi->fm_wl_pool; int pnum; - if (pool->used == pool->size) + if (pool->used == pool->size) { + if (need_fill && !ubi->fm_work_scheduled) { + /* + * We cannot update the fastmap here because this + * function is called in atomic context. + * Let's fail here and refill/update it as soon as + * possible. + */ + ubi->fm_work_scheduled = 1; + schedule_work(&ubi->fm_work); + } return NULL; + } pnum = pool->pebs[pool->used]; return ubi->lookuptbl[pnum]; @@ -375,7 +388,7 @@ static bool need_wear_leveling(struct ubi_device *ubi) if (!ubi->used.rb_node) return false; - e = next_peb_for_wl(ubi); + e = next_peb_for_wl(ubi, false); if (!e) { if (!ubi->free.rb_node) return false; diff --git a/drivers/mtd/ubi/wl.c b/drivers/mtd/ubi/wl.c index 8a26968aba11..fbd399cf6503 100644 --- a/drivers/mtd/ubi/wl.c +++ b/drivers/mtd/ubi/wl.c @@ -683,7 +683,7 @@ static int wear_leveling_worker(struct ubi_device *ubi, struct ubi_work *wrk, ubi_assert(!ubi->move_to_put); #ifdef CONFIG_MTD_UBI_FASTMAP - if (!next_peb_for_wl(ubi) || + if (!next_peb_for_wl(ubi, true) || #else if (!ubi->free.rb_node || #endif diff --git a/drivers/mtd/ubi/wl.h b/drivers/mtd/ubi/wl.h index 7b6715ef6d4a..a69169c35e31 100644 --- a/drivers/mtd/ubi/wl.h +++ b/drivers/mtd/ubi/wl.h @@ -5,7 +5,8 @@ static void update_fastmap_work_fn(struct work_struct *wrk); static struct ubi_wl_entry *find_anchor_wl_entry(struct rb_root *root); static struct ubi_wl_entry *get_peb_for_wl(struct ubi_device *ubi); -static struct ubi_wl_entry *next_peb_for_wl(struct ubi_device *ubi); +static struct ubi_wl_entry *next_peb_for_wl(struct ubi_device *ubi, + bool need_fill); static bool need_wear_leveling(struct ubi_device *ubi); static void ubi_fastmap_close(struct ubi_device *ubi); static inline void ubi_fastmap_init(struct ubi_device *ubi, int *count) From d969811d45cc4133ca61212b2ac3d14f2bdfc0ac Mon Sep 17 00:00:00 2001 From: Liu Mingrui Date: Wed, 21 Aug 2024 06:30:59 +0000 Subject: [PATCH 05/25] ubifs: Display the inode number when orphan twice happens Display the inode number in error message when the same orphan inode is added twice, which could provide more information for debugging. Signed-off-by: Liu Mingrui Reviewed-by: Zhihao Cheng Signed-off-by: Richard Weinberger --- fs/ubifs/orphan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ubifs/orphan.c b/fs/ubifs/orphan.c index fb957d963ba6..5555dd740889 100644 --- a/fs/ubifs/orphan.c +++ b/fs/ubifs/orphan.c @@ -76,7 +76,7 @@ int ubifs_add_orphan(struct ubifs_info *c, ino_t inum) else if (inum > o->inum) p = &(*p)->rb_right; else { - ubifs_err(c, "orphaned twice"); + ubifs_err(c, "ino %lu orphaned twice", (unsigned long)inum); spin_unlock(&c->orphan_lock); kfree(orphan); return -EINVAL; From 919cc964abdb071f50c8f03e3b36fe0b5c60ef0d Mon Sep 17 00:00:00 2001 From: Hongbo Li Date: Mon, 26 Aug 2024 17:16:59 +0800 Subject: [PATCH 06/25] ubifs: remove unused ioctl flags GETFLAGS/SETFLAGS In the ubifs, ubifs_fileattr_get and ubifs_fileattr_set have been implemented, GETFLAGS and SETFLAGS ioctl are not handled in filesystem's own ioctl helper. Additionally, these flags' cases are not handled in ubifs's ioctl helper, so we can remove them. Signed-off-by: Hongbo Li Reviewed-by: Zhihao Cheng Signed-off-by: Richard Weinberger --- fs/ubifs/ioctl.c | 6 ------ 1 file changed, 6 deletions(-) diff --git a/fs/ubifs/ioctl.c b/fs/ubifs/ioctl.c index d79cabe193c3..2c99349cf537 100644 --- a/fs/ubifs/ioctl.c +++ b/fs/ubifs/ioctl.c @@ -213,12 +213,6 @@ long ubifs_ioctl(struct file *file, unsigned int cmd, unsigned long arg) long ubifs_compat_ioctl(struct file *file, unsigned int cmd, unsigned long arg) { switch (cmd) { - case FS_IOC32_GETFLAGS: - cmd = FS_IOC_GETFLAGS; - break; - case FS_IOC32_SETFLAGS: - cmd = FS_IOC_SETFLAGS; - break; case FS_IOC_SET_ENCRYPTION_POLICY: case FS_IOC_GET_ENCRYPTION_POLICY: case FS_IOC_GET_ENCRYPTION_POLICY_EX: From 39ba2b9ac6fd61c67c83b8fd2a3ec6b0bea89490 Mon Sep 17 00:00:00 2001 From: Hongbo Li Date: Mon, 26 Aug 2024 17:17:00 +0800 Subject: [PATCH 07/25] ubifs: add support for FS_IOC_GETFSSYSFSPATH In commit ae8c51175730 ("fs: add FS_IOC_GETFSSYSFSPATH"), a new fs ioctl was introduced to standardize exporting data from sysfs across filesystems. The returned path will always be of the form "$FSTYP/$SYSFS_IDENTIFIER", where the sysfs identifier may be a UUID or a device name. The ubifs is a file system based on char device, and the common method to fill s_sysfs_name (super_set_sysfs_name_bdev) is unavialable. So in order to support FS_IOC_GETFSSYSFSPATH ioctl, we fill the s_sysfs_name with ubi_volume_info member which keeps the format defined in macro UBIFS_DFS_DIR_NAME by using super_set_sysfs_name_generic. That's for ubifs, it will output "ubifs/". ``` $ ./ioctl_getfssysfs_path /mnt/ubifs/testfile path: ubifs/ubi0_0 $ ls /sys/fs/ubifs/ubi0_0/ errors_crc errors_magic errors_node ``` Signed-off-by: Hongbo Li Reviewed-by: Zhihao Cheng Signed-off-by: Richard Weinberger --- fs/ubifs/super.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/ubifs/super.c b/fs/ubifs/super.c index 291583005dd1..cb26b8b27ef6 100644 --- a/fs/ubifs/super.c +++ b/fs/ubifs/super.c @@ -2249,6 +2249,8 @@ static int ubifs_fill_super(struct super_block *sb, void *data, int silent) } super_set_uuid(sb, c->uuid, sizeof(c->uuid)); + super_set_sysfs_name_generic(sb, UBIFS_DFS_DIR_NAME, + c->vi.ubi_num, c->vi.vol_id); mutex_unlock(&c->umount_mutex); return 0; From 94f5b1571ec8d90224675dd27e921053ff4f2370 Mon Sep 17 00:00:00 2001 From: Shen Lichuan Date: Wed, 28 Aug 2024 16:59:08 +0800 Subject: [PATCH 08/25] ubifs: Convert to use ERR_CAST() As opposed to open-code, using the ERR_CAST macro clearly indicates that this is a pointer to an error value and a type conversion was performed. Signed-off-by: Shen Lichuan Reviewed-by: Zhihao Cheng Signed-off-by: Richard Weinberger --- fs/ubifs/lpt_commit.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/ubifs/lpt_commit.c b/fs/ubifs/lpt_commit.c index 07351fdce722..aa8837e6247c 100644 --- a/fs/ubifs/lpt_commit.c +++ b/fs/ubifs/lpt_commit.c @@ -577,7 +577,7 @@ static struct ubifs_pnode *next_pnode_to_dirty(struct ubifs_info *c, /* Go right */ nnode = ubifs_get_nnode(c, nnode, iip); if (IS_ERR(nnode)) - return (void *)nnode; + return ERR_CAST(nnode); /* Go down to level 1 */ while (nnode->level > 1) { @@ -594,7 +594,7 @@ static struct ubifs_pnode *next_pnode_to_dirty(struct ubifs_info *c, } nnode = ubifs_get_nnode(c, nnode, iip); if (IS_ERR(nnode)) - return (void *)nnode; + return ERR_CAST(nnode); } for (iip = 0; iip < UBIFS_LPT_FANOUT; iip++) From 84a2bee9c49769310efa19601157ef50a1df1267 Mon Sep 17 00:00:00 2001 From: Zhihao Cheng Date: Thu, 5 Sep 2024 09:09:09 +0800 Subject: [PATCH 09/25] ubifs: Correct the total block count by deducting journal reservation Since commit e874dcde1cbf ("ubifs: Reserve one leb for each journal head while doing budget"), available space is calulated by deducting reservation for all journal heads. However, the total block count ( which is only used by statfs) is not updated yet, which will cause the wrong displaying for used space(total - available). Fix it by deducting reservation for all journal heads from total block count. Fixes: e874dcde1cbf ("ubifs: Reserve one leb for each journal head while doing budget") Signed-off-by: Zhihao Cheng Signed-off-by: Richard Weinberger --- fs/ubifs/super.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fs/ubifs/super.c b/fs/ubifs/super.c index cb26b8b27ef6..57d051b9be1d 100644 --- a/fs/ubifs/super.c +++ b/fs/ubifs/super.c @@ -773,10 +773,10 @@ static void init_constants_master(struct ubifs_info *c) * necessary to report something for the 'statfs()' call. * * Subtract the LEB reserved for GC, the LEB which is reserved for - * deletions, minimum LEBs for the index, and assume only one journal - * head is available. + * deletions, minimum LEBs for the index, the LEBs which are reserved + * for each journal head. */ - tmp64 = c->main_lebs - 1 - 1 - MIN_INDEX_LEBS - c->jhead_cnt + 1; + tmp64 = c->main_lebs - 1 - 1 - MIN_INDEX_LEBS - c->jhead_cnt; tmp64 *= (long long)c->leb_size - c->leb_overhead; tmp64 = ubifs_reported_space(c, tmp64); c->block_cnt = tmp64 >> UBIFS_BLOCK_SHIFT; From cb33ade753a6e2d629b4f87d2375ee9063d21bc7 Mon Sep 17 00:00:00 2001 From: Zhang Zekun Date: Sat, 7 Sep 2024 16:00:25 +0800 Subject: [PATCH 10/25] mtd: ubi: Rmove unused declaration in header file The definition of ubi_destroy_ai() has been removed since commit dac6e2087a41 ("UBI: Add fastmap stuff to attach.c"). Remove the empty declaration in header file. Signed-off-by: Zhang Zekun Reviewed-by: Zhihao Cheng Signed-off-by: Richard Weinberger --- drivers/mtd/ubi/ubi.h | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/mtd/ubi/ubi.h b/drivers/mtd/ubi/ubi.h index 1c9e874e8ede..c792b9bcab9b 100644 --- a/drivers/mtd/ubi/ubi.h +++ b/drivers/mtd/ubi/ubi.h @@ -831,7 +831,6 @@ void ubi_remove_av(struct ubi_attach_info *ai, struct ubi_ainf_volume *av); struct ubi_ainf_peb *ubi_early_get_peb(struct ubi_device *ubi, struct ubi_attach_info *ai); int ubi_attach(struct ubi_device *ubi, int force_scan); -void ubi_destroy_ai(struct ubi_attach_info *ai); /* vtbl.c */ int ubi_change_vtbl_record(struct ubi_device *ubi, int idx, From 5580cdae05aefa96deebd7f5ade9d70c92adabd7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A5rten=20Lindahl?= Date: Sat, 7 Sep 2024 21:28:26 +0200 Subject: [PATCH 11/25] ubi: wl: Close down wear-leveling before nand is suspended MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If a reboot/shutdown signal with double force (-ff) is triggered when the erase worker or wear-leveling worker function runs we may end up in a race condition since the MTD device gets a reboot notification and suspends the nand flash before the erase or wear-leveling is done. This will reject all accesses to the flash with -EBUSY. Sequence for the erase worker function: systemctl reboot -ff ubi_thread do_work __do_sys_reboot blocking_notifier_call_chain mtd_reboot_notifier nand_shutdown nand_suspend __erase_worker ubi_sync_erase mtd_erase nand_erase_nand # Blocked by suspended chip nand_get_device => EBUSY Similar sequence for the wear-leveling function: systemctl reboot -ff ubi_thread do_work __do_sys_reboot blocking_notifier_call_chain mtd_reboot_notifier nand_shutdown nand_suspend wear_leveling_worker ubi_eba_copy_leb ubi_io_write mtd_write nand_write_oob # Blocked by suspended chip nand_get_device => EBUSY systemd-shutdown[1]: Rebooting. ubi0 error: ubi_io_write: error -16 while writing 2048 bytes to PEB CPU: 1 PID: 82 Comm: ubi_bgt0d Kdump: loaded Tainted: G O (unwind_backtrace) from [<80107b9f>] (show_stack+0xb/0xc) (show_stack) from [<8033641f>] (dump_stack_lvl+0x2b/0x34) (dump_stack_lvl) from [<803b7f3f>] (ubi_io_write+0x3ab/0x4a8) (ubi_io_write) from [<803b817d>] (ubi_io_write_vid_hdr+0x71/0xb4) (ubi_io_write_vid_hdr) from [<803b6971>] (ubi_eba_copy_leb+0x195/0x2f0) (ubi_eba_copy_leb) from [<803b939b>] (wear_leveling_worker+0x2ff/0x738) (wear_leveling_worker) from [<803b86ef>] (do_work+0x5b/0xb0) (do_work) from [<803b9ee1>] (ubi_thread+0xb1/0x11c) (ubi_thread) from [<8012c113>] (kthread+0x11b/0x134) (kthread) from [<80100139>] (ret_from_fork+0x11/0x38) Exception stack(0x80c43fb0 to 0x80c43ff8) ... ubi0 error: ubi_dump_flash: err -16 while reading 2048 bytes from PEB ubi0 error: wear_leveling_worker: error -16 while moving PEB 246 to PEB ubi0 warning: ubi_ro_mode.part.0: switch to read-only mode ... ubi0 error: do_work: work failed with error code -16 ubi0 error: ubi_thread: ubi_bgt0d: work failed with error code -16 ... Kernel panic - not syncing: Software Watchdog Timer expired Add a reboot notification for the ubi/wear-leveling to shutdown any potential flash work actions before the nand is suspended. Signed-off-by: Mårten Lindahl Signed-off-by: Richard Weinberger --- drivers/mtd/ubi/ubi.h | 2 ++ drivers/mtd/ubi/wl.c | 21 +++++++++++++++++++++ 2 files changed, 23 insertions(+) diff --git a/drivers/mtd/ubi/ubi.h b/drivers/mtd/ubi/ubi.h index c792b9bcab9b..26cc53ad34ec 100644 --- a/drivers/mtd/ubi/ubi.h +++ b/drivers/mtd/ubi/ubi.h @@ -549,6 +549,7 @@ struct ubi_debug_info { * @peb_buf: a buffer of PEB size used for different purposes * @buf_mutex: protects @peb_buf * @ckvol_mutex: serializes static volume checking when opening + * @wl_reboot_notifier: close all wear-leveling work before reboot * * @dbg: debugging information for this UBI device */ @@ -651,6 +652,7 @@ struct ubi_device { void *peb_buf; struct mutex buf_mutex; struct mutex ckvol_mutex; + struct notifier_block wl_reboot_notifier; struct ubi_debug_info dbg; }; diff --git a/drivers/mtd/ubi/wl.c b/drivers/mtd/ubi/wl.c index fbd399cf6503..4f6f339d8fb8 100644 --- a/drivers/mtd/ubi/wl.c +++ b/drivers/mtd/ubi/wl.c @@ -89,6 +89,7 @@ #include #include #include +#include #include "ubi.h" #include "wl.h" @@ -127,6 +128,8 @@ static int self_check_in_wl_tree(const struct ubi_device *ubi, struct ubi_wl_entry *e, struct rb_root *root); static int self_check_in_pq(const struct ubi_device *ubi, struct ubi_wl_entry *e); +static int ubi_wl_reboot_notifier(struct notifier_block *n, + unsigned long state, void *cmd); /** * wl_tree_add - add a wear-leveling entry to a WL RB-tree. @@ -1950,6 +1953,13 @@ int ubi_wl_init(struct ubi_device *ubi, struct ubi_attach_info *ai) if (!ubi->ro_mode && !ubi->fm_disabled) ubi_ensure_anchor_pebs(ubi); #endif + + if (!ubi->wl_reboot_notifier.notifier_call) { + ubi->wl_reboot_notifier.notifier_call = ubi_wl_reboot_notifier; + ubi->wl_reboot_notifier.priority = 1; /* Higher than MTD */ + register_reboot_notifier(&ubi->wl_reboot_notifier); + } + return 0; out_free: @@ -1995,6 +2005,17 @@ void ubi_wl_close(struct ubi_device *ubi) kfree(ubi->lookuptbl); } +static int ubi_wl_reboot_notifier(struct notifier_block *n, + unsigned long state, void *cmd) +{ + struct ubi_device *ubi; + + ubi = container_of(n, struct ubi_device, wl_reboot_notifier); + ubi_wl_close(ubi); + + return NOTIFY_DONE; +} + /** * self_check_ec - make sure that the erase counter of a PEB is correct. * @ubi: UBI device description object From c6fa76da34ae4f2eb95ce3fb6c939285082515de Mon Sep 17 00:00:00 2001 From: Markus Elfring Date: Thu, 26 Sep 2024 11:05:29 +0200 Subject: [PATCH 12/25] ubifs: Call iput(xino) only once in ubifs_purge_xattrs() An iput(xino) call was immediately used after a return value check for a remove_xattr() call in this function implementation. Thus call such a function only once instead directly before the check. This issue was transformed by using the Coccinelle software. Signed-off-by: Markus Elfring Reviewed-by: Zhihao Cheng Signed-off-by: Richard Weinberger --- fs/ubifs/xattr.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/fs/ubifs/xattr.c b/fs/ubifs/xattr.c index c673fd03d9b4..cf77fb2074df 100644 --- a/fs/ubifs/xattr.c +++ b/fs/ubifs/xattr.c @@ -541,16 +541,14 @@ int ubifs_purge_xattrs(struct inode *host) clear_nlink(xino); err = remove_xattr(c, host, xino, &nm); + iput(xino); if (err) { kfree(pxent); kfree(xent); - iput(xino); ubifs_err(c, "cannot remove xattr, error %d", err); goto out_err; } - iput(xino); - kfree(pxent); pxent = xent; key_read(c, &xent->key, &key); From 79d3e562cb47864a10851328cbdfa0ee2177d9f6 Mon Sep 17 00:00:00 2001 From: Markus Elfring Date: Thu, 26 Sep 2024 11:28:48 +0200 Subject: [PATCH 13/25] ubifs: Reduce kfree() calls in ubifs_purge_xattrs() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Move a pair of kfree() calls behind the label “out_err” so that two statements can be better reused at the end of this function implementation. Signed-off-by: Markus Elfring Reviewed-by: Zhihao Cheng Signed-off-by: Richard Weinberger --- fs/ubifs/xattr.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/fs/ubifs/xattr.c b/fs/ubifs/xattr.c index cf77fb2074df..77ba172b6dea 100644 --- a/fs/ubifs/xattr.c +++ b/fs/ubifs/xattr.c @@ -532,8 +532,6 @@ int ubifs_purge_xattrs(struct inode *host) ubifs_err(c, "dead directory entry '%s', error %d", xent->name, err); ubifs_ro_mode(c, err); - kfree(pxent); - kfree(xent); goto out_err; } @@ -543,8 +541,6 @@ int ubifs_purge_xattrs(struct inode *host) err = remove_xattr(c, host, xino, &nm); iput(xino); if (err) { - kfree(pxent); - kfree(xent); ubifs_err(c, "cannot remove xattr, error %d", err); goto out_err; } @@ -564,6 +560,8 @@ int ubifs_purge_xattrs(struct inode *host) return 0; out_err: + kfree(pxent); + kfree(xent); up_write(&ubifs_inode(host)->xattr_sem); return err; } From 8214951280a25e1260ee6dbf472b261b63b29af2 Mon Sep 17 00:00:00 2001 From: Pascal Eberhard Date: Fri, 27 Sep 2024 16:57:56 +0200 Subject: [PATCH 14/25] ubifs: xattr: remove unused anonymous enum commit 2b88fc21cae9 ("ubifs: Switch to generic xattr handlers") removes usage of this anonymous enum. Delete the enum as well. Signed-off-by: Pascal Eberhard Reviewed-by: Zhihao Cheng Signed-off-by: Richard Weinberger --- fs/ubifs/xattr.c | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/fs/ubifs/xattr.c b/fs/ubifs/xattr.c index 77ba172b6dea..c21a0c2b3e90 100644 --- a/fs/ubifs/xattr.c +++ b/fs/ubifs/xattr.c @@ -48,19 +48,6 @@ #include #include -/* - * Extended attribute type constants. - * - * USER_XATTR: user extended attribute ("user.*") - * TRUSTED_XATTR: trusted extended attribute ("trusted.*) - * SECURITY_XATTR: security extended attribute ("security.*") - */ -enum { - USER_XATTR, - TRUSTED_XATTR, - SECURITY_XATTR, -}; - static const struct inode_operations empty_iops; static const struct file_operations empty_fops; From bcddf52b7a17adcebc768d26f4e27cf79adb424c Mon Sep 17 00:00:00 2001 From: Zhihao Cheng Date: Fri, 11 Oct 2024 12:50:02 +0800 Subject: [PATCH 15/25] ubi: fastmap: Fix duplicate slab cache names while attaching Since commit 4c39529663b9 ("slab: Warn on duplicate cache names when DEBUG_VM=y"), the duplicate slab cache names can be detected and a kernel WARNING is thrown out. In UBI fast attaching process, alloc_ai() could be invoked twice with the same slab cache name 'ubi_aeb_slab_cache', which will trigger following warning messages: kmem_cache of name 'ubi_aeb_slab_cache' already exists WARNING: CPU: 0 PID: 7519 at mm/slab_common.c:107 __kmem_cache_create_args+0x100/0x5f0 Modules linked in: ubi(+) nandsim [last unloaded: nandsim] CPU: 0 UID: 0 PID: 7519 Comm: modprobe Tainted: G 6.12.0-rc2 RIP: 0010:__kmem_cache_create_args+0x100/0x5f0 Call Trace: __kmem_cache_create_args+0x100/0x5f0 alloc_ai+0x295/0x3f0 [ubi] ubi_attach+0x3c3/0xcc0 [ubi] ubi_attach_mtd_dev+0x17cf/0x3fa0 [ubi] ubi_init+0x3fb/0x800 [ubi] do_init_module+0x265/0x7d0 __x64_sys_finit_module+0x7a/0xc0 The problem could be easily reproduced by loading UBI device by fastmap with CONFIG_DEBUG_VM=y. Fix it by using different slab names for alloc_ai() callers. Fixes: d2158f69a7d4 ("UBI: Remove alloc_ai() slab name from parameter list") Fixes: fdf10ed710c0 ("ubi: Rework Fastmap attach base code") Signed-off-by: Zhihao Cheng Signed-off-by: Richard Weinberger --- drivers/mtd/ubi/attach.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/drivers/mtd/ubi/attach.c b/drivers/mtd/ubi/attach.c index ae5abe492b52..adc47b87b38a 100644 --- a/drivers/mtd/ubi/attach.c +++ b/drivers/mtd/ubi/attach.c @@ -1447,7 +1447,7 @@ static int scan_all(struct ubi_device *ubi, struct ubi_attach_info *ai, return err; } -static struct ubi_attach_info *alloc_ai(void) +static struct ubi_attach_info *alloc_ai(const char *slab_name) { struct ubi_attach_info *ai; @@ -1461,7 +1461,7 @@ static struct ubi_attach_info *alloc_ai(void) INIT_LIST_HEAD(&ai->alien); INIT_LIST_HEAD(&ai->fastmap); ai->volumes = RB_ROOT; - ai->aeb_slab_cache = kmem_cache_create("ubi_aeb_slab_cache", + ai->aeb_slab_cache = kmem_cache_create(slab_name, sizeof(struct ubi_ainf_peb), 0, 0, NULL); if (!ai->aeb_slab_cache) { @@ -1491,7 +1491,7 @@ static int scan_fast(struct ubi_device *ubi, struct ubi_attach_info **ai) err = -ENOMEM; - scan_ai = alloc_ai(); + scan_ai = alloc_ai("ubi_aeb_slab_cache_fastmap"); if (!scan_ai) goto out; @@ -1557,7 +1557,7 @@ int ubi_attach(struct ubi_device *ubi, int force_scan) int err; struct ubi_attach_info *ai; - ai = alloc_ai(); + ai = alloc_ai("ubi_aeb_slab_cache"); if (!ai) return -ENOMEM; @@ -1575,7 +1575,7 @@ int ubi_attach(struct ubi_device *ubi, int force_scan) if (err > 0 || mtd_is_eccerr(err)) { if (err != UBI_NO_FASTMAP) { destroy_ai(ai); - ai = alloc_ai(); + ai = alloc_ai("ubi_aeb_slab_cache"); if (!ai) return -ENOMEM; @@ -1614,7 +1614,7 @@ int ubi_attach(struct ubi_device *ubi, int force_scan) if (ubi->fm && ubi_dbg_chk_fastmap(ubi)) { struct ubi_attach_info *scan_ai; - scan_ai = alloc_ai(); + scan_ai = alloc_ai("ubi_aeb_slab_cache_dbg_chk_fastmap"); if (!scan_ai) { err = -ENOMEM; goto out_wl; From 4617fb8fc15effe8eda4dd898d4e33eb537a7140 Mon Sep 17 00:00:00 2001 From: Waqar Hameed Date: Wed, 9 Oct 2024 16:46:59 +0200 Subject: [PATCH 16/25] ubifs: authentication: Fix use-after-free in ubifs_tnc_end_commit After an insertion in TNC, the tree might split and cause a node to change its `znode->parent`. A further deletion of other nodes in the tree (which also could free the nodes), the aforementioned node's `znode->cparent` could still point to a freed node. This `znode->cparent` may not be updated when getting nodes to commit in `ubifs_tnc_start_commit()`. This could then trigger a use-after-free when accessing the `znode->cparent` in `write_index()` in `ubifs_tnc_end_commit()`. This can be triggered by running rm -f /etc/test-file.bin dd if=/dev/urandom of=/etc/test-file.bin bs=1M count=60 conv=fsync in a loop, and with `CONFIG_UBIFS_FS_AUTHENTICATION`. KASAN then reports: BUG: KASAN: use-after-free in ubifs_tnc_end_commit+0xa5c/0x1950 Write of size 32 at addr ffffff800a3af86c by task ubifs_bgt0_20/153 Call trace: dump_backtrace+0x0/0x340 show_stack+0x18/0x24 dump_stack_lvl+0x9c/0xbc print_address_description.constprop.0+0x74/0x2b0 kasan_report+0x1d8/0x1f0 kasan_check_range+0xf8/0x1a0 memcpy+0x84/0xf4 ubifs_tnc_end_commit+0xa5c/0x1950 do_commit+0x4e0/0x1340 ubifs_bg_thread+0x234/0x2e0 kthread+0x36c/0x410 ret_from_fork+0x10/0x20 Allocated by task 401: kasan_save_stack+0x38/0x70 __kasan_kmalloc+0x8c/0xd0 __kmalloc+0x34c/0x5bc tnc_insert+0x140/0x16a4 ubifs_tnc_add+0x370/0x52c ubifs_jnl_write_data+0x5d8/0x870 do_writepage+0x36c/0x510 ubifs_writepage+0x190/0x4dc __writepage+0x58/0x154 write_cache_pages+0x394/0x830 do_writepages+0x1f0/0x5b0 filemap_fdatawrite_wbc+0x170/0x25c file_write_and_wait_range+0x140/0x190 ubifs_fsync+0xe8/0x290 vfs_fsync_range+0xc0/0x1e4 do_fsync+0x40/0x90 __arm64_sys_fsync+0x34/0x50 invoke_syscall.constprop.0+0xa8/0x260 do_el0_svc+0xc8/0x1f0 el0_svc+0x34/0x70 el0t_64_sync_handler+0x108/0x114 el0t_64_sync+0x1a4/0x1a8 Freed by task 403: kasan_save_stack+0x38/0x70 kasan_set_track+0x28/0x40 kasan_set_free_info+0x28/0x4c __kasan_slab_free+0xd4/0x13c kfree+0xc4/0x3a0 tnc_delete+0x3f4/0xe40 ubifs_tnc_remove_range+0x368/0x73c ubifs_tnc_remove_ino+0x29c/0x2e0 ubifs_jnl_delete_inode+0x150/0x260 ubifs_evict_inode+0x1d4/0x2e4 evict+0x1c8/0x450 iput+0x2a0/0x3c4 do_unlinkat+0x2cc/0x490 __arm64_sys_unlinkat+0x90/0x100 invoke_syscall.constprop.0+0xa8/0x260 do_el0_svc+0xc8/0x1f0 el0_svc+0x34/0x70 el0t_64_sync_handler+0x108/0x114 el0t_64_sync+0x1a4/0x1a8 The offending `memcpy()` in `ubifs_copy_hash()` has a use-after-free when a node becomes root in TNC but still has a `cparent` to an already freed node. More specifically, consider the following TNC: zroot / / zp1 / / zn Inserting a new node `zn_new` with a key smaller then `zn` will trigger a split in `tnc_insert()` if `zp1` is full: zroot / \ / \ zp1 zp2 / \ / \ zn_new zn `zn->parent` has now been moved to `zp2`, *but* `zn->cparent` still points to `zp1`. Now, consider a removal of all the nodes _except_ `zn`. Just when `tnc_delete()` is about to delete `zroot` and `zp2`: zroot \ \ zp2 \ \ zn `zroot` and `zp2` get freed and the tree collapses: zn `zn` now becomes the new `zroot`. `get_znodes_to_commit()` will now only find `zn`, the new `zroot`, and `write_index()` will check its `znode->cparent` that wrongly points to the already freed `zp1`. `ubifs_copy_hash()` thus gets wrongly called with `znode->cparent->zbranch[znode->iip].hash` that triggers the use-after-free! Fix this by explicitly setting `znode->cparent` to `NULL` in `get_znodes_to_commit()` for the root node. The search for the dirty nodes is bottom-up in the tree. Thus, when `find_next_dirty(znode)` returns NULL, the current `znode` _is_ the root node. Add an assert for this. Fixes: 16a26b20d2af ("ubifs: authentication: Add hashes to index nodes") Tested-by: Waqar Hameed Co-developed-by: Zhihao Cheng Signed-off-by: Zhihao Cheng Signed-off-by: Waqar Hameed Reviewed-by: Zhihao Cheng Signed-off-by: Richard Weinberger --- fs/ubifs/tnc_commit.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/ubifs/tnc_commit.c b/fs/ubifs/tnc_commit.c index a55e04822d16..7c43e0ccf6d4 100644 --- a/fs/ubifs/tnc_commit.c +++ b/fs/ubifs/tnc_commit.c @@ -657,6 +657,8 @@ static int get_znodes_to_commit(struct ubifs_info *c) znode->alt = 0; cnext = find_next_dirty(znode); if (!cnext) { + ubifs_assert(c, !znode->parent); + znode->cparent = NULL; znode->cnext = c->cnext; break; } From 07593293ffabba14125c8998525adde5a832bfa3 Mon Sep 17 00:00:00 2001 From: Javier Carrasco Date: Sat, 19 Oct 2024 22:27:03 +0200 Subject: [PATCH 17/25] mtd: ubi: fix unreleased fwnode_handle in find_volume_fwnode() The 'fw_vols' fwnode_handle initialized via device_get_named_child_node() requires explicit calls to fwnode_handle_put() when the variable is no longer required. Add the missing calls to fwnode_handle_put() before the function returns. Cc: stable@vger.kernel.org Fixes: 51932f9fc487 ("mtd: ubi: populate ubi volume fwnode") Signed-off-by: Javier Carrasco Reviewed-by: Zhihao Cheng Signed-off-by: Richard Weinberger --- drivers/mtd/ubi/vmt.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/mtd/ubi/vmt.c b/drivers/mtd/ubi/vmt.c index 5a3558bbb903..e5cf3bdca3b0 100644 --- a/drivers/mtd/ubi/vmt.c +++ b/drivers/mtd/ubi/vmt.c @@ -143,8 +143,10 @@ static struct fwnode_handle *find_volume_fwnode(struct ubi_volume *vol) vol->vol_id != volid) continue; + fwnode_handle_put(fw_vols); return fw_vol; } + fwnode_handle_put(fw_vols); return NULL; } From 67efb77cb0692ec40c416eae2dfbc70116e8ea4e Mon Sep 17 00:00:00 2001 From: Colin Ian King Date: Thu, 7 Nov 2024 15:23:57 +0000 Subject: [PATCH 18/25] mtd: ubi: remove redundant check on bytes_left at end of function In function ubi_nvmem_reg_read the while-loop can only be exiting of bytes_left is zero or an error has occurred. There is an exit return path if an error occurs, so the bytes_left can only be zero after that point. Hence the check for a non-zero bytes_left at the end of the function is redundant and can be removed. Remove the check and just return 0. Signed-off-by: Colin Ian King Reviewed-by: Zhihao Cheng Signed-off-by: Richard Weinberger --- drivers/mtd/ubi/nvmem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/mtd/ubi/nvmem.c b/drivers/mtd/ubi/nvmem.c index a94a1a9aaec1..34f8c1d3cdee 100644 --- a/drivers/mtd/ubi/nvmem.c +++ b/drivers/mtd/ubi/nvmem.c @@ -55,7 +55,7 @@ static int ubi_nvmem_reg_read(void *priv, unsigned int from, if (err) return err; - return bytes_left == 0 ? 0 : -EIO; + return 0; } static int ubi_nvmem_add(struct ubi_volume_info *vi) From 3c90e90029f11cc1cb6b01542ee5f6892963bce1 Mon Sep 17 00:00:00 2001 From: Thorsten Blum Date: Tue, 12 Nov 2024 19:31:11 +0100 Subject: [PATCH 19/25] jffs2: Use str_yes_no() helper function Remove hard-coded strings by using the str_yes_no() helper function. Reviewed-by: Zhihao Cheng Signed-off-by: Thorsten Blum Signed-off-by: Richard Weinberger --- fs/jffs2/nodemgmt.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/fs/jffs2/nodemgmt.c b/fs/jffs2/nodemgmt.c index bbab2bdc71b6..69569864630e 100644 --- a/fs/jffs2/nodemgmt.c +++ b/fs/jffs2/nodemgmt.c @@ -15,6 +15,7 @@ #include #include #include +#include #include "nodelist.h" #include "debug.h" @@ -317,9 +318,9 @@ static int jffs2_find_nextblock(struct jffs2_sb_info *c) And there's no space left. At all. */ pr_crit("Argh. No free space left for GC. nr_erasing_blocks is %d. nr_free_blocks is %d. (erasableempty: %s, erasingempty: %s, erasependingempty: %s)\n", c->nr_erasing_blocks, c->nr_free_blocks, - list_empty(&c->erasable_list) ? "yes" : "no", - list_empty(&c->erasing_list) ? "yes" : "no", - list_empty(&c->erase_pending_list) ? "yes" : "no"); + str_yes_no(list_empty(&c->erasable_list)), + str_yes_no(list_empty(&c->erasing_list)), + str_yes_no(list_empty(&c->erase_pending_list))); return -ENOSPC; } @@ -883,7 +884,7 @@ int jffs2_thread_should_wake(struct jffs2_sb_info *c) jffs2_dbg(1, "%s(): nr_free_blocks %d, nr_erasing_blocks %d, dirty_size 0x%x, vdirty_blocks %d: %s\n", __func__, c->nr_free_blocks, c->nr_erasing_blocks, - c->dirty_size, nr_very_dirty, ret ? "yes" : "no"); + c->dirty_size, nr_very_dirty, str_yes_no(ret)); return ret; } From 3ba44ee966bc3c41dd8a944f963466c8fcc60dc8 Mon Sep 17 00:00:00 2001 From: Qingfang Deng Date: Mon, 1 Jul 2024 12:52:05 +0800 Subject: [PATCH 20/25] jffs2: fix use of uninitialized variable When building the kernel with -Wmaybe-uninitialized, the compiler reports this warning: In function 'jffs2_mark_erased_block', inlined from 'jffs2_erase_pending_blocks' at fs/jffs2/erase.c:116:4: fs/jffs2/erase.c:474:9: warning: 'bad_offset' may be used uninitialized [-Wmaybe-uninitialized] 474 | jffs2_erase_failed(c, jeb, bad_offset); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ fs/jffs2/erase.c: In function 'jffs2_erase_pending_blocks': fs/jffs2/erase.c:402:18: note: 'bad_offset' was declared here 402 | uint32_t bad_offset; | ^~~~~~~~~~ When mtd->point() is used, jffs2_erase_pending_blocks can return -EIO without initializing bad_offset, which is later used at the filebad label in jffs2_mark_erased_block. Fix it by initializing this variable. Fixes: 8a0f572397ca ("[JFFS2] Return values of jffs2_block_check_erase error paths") Signed-off-by: Qingfang Deng Reviewed-by: Zhihao Cheng Signed-off-by: Richard Weinberger --- fs/jffs2/erase.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/fs/jffs2/erase.c b/fs/jffs2/erase.c index acd32f05b519..ef3a1e1b6cb0 100644 --- a/fs/jffs2/erase.c +++ b/fs/jffs2/erase.c @@ -338,10 +338,9 @@ static int jffs2_block_check_erase(struct jffs2_sb_info *c, struct jffs2_erasebl } while(--retlen); mtd_unpoint(c->mtd, jeb->offset, c->sector_size); if (retlen) { - pr_warn("Newly-erased block contained word 0x%lx at offset 0x%08tx\n", - *wordebuf, - jeb->offset + - c->sector_size-retlen * sizeof(*wordebuf)); + *bad_offset = jeb->offset + c->sector_size - retlen * sizeof(*wordebuf); + pr_warn("Newly-erased block contained word 0x%lx at offset 0x%08x\n", + *wordebuf, *bad_offset); return -EIO; } return 0; From 1eb4a820791ea1b7d65d86516218cded4e01b79c Mon Sep 17 00:00:00 2001 From: Shen Lichuan Date: Mon, 23 Sep 2024 16:33:22 +0800 Subject: [PATCH 21/25] jffs2: Correct some typos in comments Fixed some confusing spelling errors, the details are as follows: -in the code comments: wating -> waiting succefully -> successfully Signed-off-by: Shen Lichuan Reviewed-by: Zhihao Cheng Signed-off-by: Richard Weinberger --- fs/jffs2/gc.c | 2 +- fs/jffs2/readinode.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/jffs2/gc.c b/fs/jffs2/gc.c index 822949d0eb00..1b833bbffcf5 100644 --- a/fs/jffs2/gc.c +++ b/fs/jffs2/gc.c @@ -82,7 +82,7 @@ static struct jffs2_eraseblock *jffs2_find_gc_block(struct jffs2_sb_info *c) nextlist = &c->erasable_list; } else if (!list_empty(&c->erasable_pending_wbuf_list)) { - /* There are blocks are wating for the wbuf sync */ + /* There are blocks are waiting for the wbuf sync */ jffs2_dbg(1, "Synching wbuf in order to reuse erasable_pending_wbuf_list blocks\n"); spin_unlock(&c->erase_completion_lock); jffs2_flush_wbuf_pad(c); diff --git a/fs/jffs2/readinode.c b/fs/jffs2/readinode.c index 03b4f99614be..f987f78a894e 100644 --- a/fs/jffs2/readinode.c +++ b/fs/jffs2/readinode.c @@ -72,7 +72,7 @@ static int check_node_data(struct jffs2_sb_info *c, struct jffs2_tmp_dnode_info if (err != -EOPNOTSUPP) JFFS2_WARNING("MTD point failed: error code %d.\n", err); } else - pointed = 1; /* succefully pointed to device */ + pointed = 1; /* successfully pointed to device */ #endif if (!pointed) { From ef027aca2961b5b60ec9e91e3758af751396ad3d Mon Sep 17 00:00:00 2001 From: Suraj Sonawane Date: Tue, 8 Oct 2024 23:54:11 +0530 Subject: [PATCH 22/25] fs: jffs2: Fix inconsistent indentation in jffs2_mark_node_obsolete Fix the indentation to ensure consistent code style and improve readability, and to fix this warnings: fs/jffs2/nodemgmt.c:635 jffs2_mark_node_obsolete() warn: inconsistent indenting fs/jffs2/nodemgmt.c:646 jffs2_mark_node_obsolete() warn: inconsistent indenting Signed-off-by: Suraj Sonawane Reviewed-by: Zhihao Cheng Signed-off-by: Richard Weinberger --- fs/jffs2/nodemgmt.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/fs/jffs2/nodemgmt.c b/fs/jffs2/nodemgmt.c index 69569864630e..3fb9f9807b66 100644 --- a/fs/jffs2/nodemgmt.c +++ b/fs/jffs2/nodemgmt.c @@ -631,8 +631,8 @@ void jffs2_mark_node_obsolete(struct jffs2_sb_info *c, struct jffs2_raw_node_ref ref->flash_offset, jeb->used_size); BUG(); }) - jffs2_dbg(1, "Obsoleting previously unchecked node at 0x%08x of len %x\n", - ref_offset(ref), freed_len); + jffs2_dbg(1, "Obsoleting previously unchecked node at 0x%08x of len %x\n", + ref_offset(ref), freed_len); jeb->unchecked_size -= freed_len; c->unchecked_size -= freed_len; } else { @@ -642,8 +642,8 @@ void jffs2_mark_node_obsolete(struct jffs2_sb_info *c, struct jffs2_raw_node_ref ref->flash_offset, jeb->used_size); BUG(); }) - jffs2_dbg(1, "Obsoleting node at 0x%08x of len %#x: ", - ref_offset(ref), freed_len); + jffs2_dbg(1, "Obsoleting node at 0x%08x of len %#x: ", + ref_offset(ref), freed_len); jeb->used_size -= freed_len; c->used_size -= freed_len; } From 7c8e694bdb7ba75d13854b59f3af6d66f0ea6df2 Mon Sep 17 00:00:00 2001 From: Colin Ian King Date: Tue, 29 Oct 2024 22:20:15 +0000 Subject: [PATCH 23/25] jffs2: remove redundant check on outpos > pos The check for outpos > pos is always false because outpos is zero and pos is at least zero; outpos can never be greater than pos. The check is redundant and can be removed. Signed-off-by: Colin Ian King Signed-off-by: Richard Weinberger --- fs/jffs2/compr_rubin.c | 5 ----- 1 file changed, 5 deletions(-) diff --git a/fs/jffs2/compr_rubin.c b/fs/jffs2/compr_rubin.c index 556de100ebd5..9854253d0108 100644 --- a/fs/jffs2/compr_rubin.c +++ b/fs/jffs2/compr_rubin.c @@ -276,11 +276,6 @@ static int rubin_do_compress(int bit_divider, int *bits, unsigned char *data_in, end_rubin(&rs); - if (outpos > pos) { - /* We failed */ - return -1; - } - /* Tell the caller how much we managed to compress, * and how much space it took */ From fe051552f5078fa02d593847529a3884305a6ffe Mon Sep 17 00:00:00 2001 From: Kinsey Moore Date: Tue, 23 Jul 2024 15:58:05 -0500 Subject: [PATCH 24/25] jffs2: Prevent rtime decompress memory corruption The rtime decompression routine does not fully check bounds during the entirety of the decompression pass and can corrupt memory outside the decompression buffer if the compressed data is corrupted. This adds the required check to prevent this failure mode. Cc: stable@vger.kernel.org Signed-off-by: Kinsey Moore Signed-off-by: Richard Weinberger --- fs/jffs2/compr_rtime.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/jffs2/compr_rtime.c b/fs/jffs2/compr_rtime.c index 79e771ab624f..2b9ef713b844 100644 --- a/fs/jffs2/compr_rtime.c +++ b/fs/jffs2/compr_rtime.c @@ -95,6 +95,9 @@ static int jffs2_rtime_decompress(unsigned char *data_in, positions[value]=outpos; if (repeat) { + if ((outpos + repeat) >= destlen) { + return 1; + } if (backoffs + repeat >= outpos) { while(repeat) { cpage_out[outpos++] = cpage_out[backoffs++]; From bcdcb115eaed5e988cf37cc9a1dd5f5dd200e927 Mon Sep 17 00:00:00 2001 From: Nathan Chancellor Date: Fri, 15 Nov 2024 09:10:04 -0700 Subject: [PATCH 25/25] ubifs: Fix uninitialized use of err in ubifs_jnl_write_inode() Clang warns (or errors with CONFIG_WERROR=y): fs/ubifs/journal.c:986:20: error: variable 'err' is uninitialized when used here [-Werror,-Wuninitialized] 986 | ubifs_ro_mode(c, err); | ^~~ Set err to -EPERM before the call to ubifs_ro_mode() and reuse it in the return statement to resolve the warning. Fixes: 957e1c4e1779 ("ubifs: ubifs_jnl_write_inode: Only check once for the limitation of xattr count") Signed-off-by: Nathan Chancellor Signed-off-by: Richard Weinberger --- fs/ubifs/journal.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/ubifs/journal.c b/fs/ubifs/journal.c index 8e98be642371..36ba79fbd2ff 100644 --- a/fs/ubifs/journal.c +++ b/fs/ubifs/journal.c @@ -983,8 +983,9 @@ int ubifs_jnl_write_inode(struct ubifs_info *c, const struct inode *inode) if (kill_xattrs && ui->xattr_cnt > ubifs_xattr_max_cnt(c)) { ubifs_err(c, "Cannot delete inode, it has too much xattrs!"); + err = -EPERM; ubifs_ro_mode(c, err); - return -EPERM; + return err; } /*