mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-11-18 17:54:13 +08:00
0e707ae79b
UBI uses positive function return codes internally, and should not propagate
them up, except in the place this path fixes. Here is the original bug report
from Dan Carpenter:
The problem is really in ubi_eba_read_leb().
drivers/mtd/ubi/eba.c
412 err = ubi_io_read_vid_hdr(ubi, pnum, vid_hdr, 1);
413 if (err && err != UBI_IO_BITFLIPS) {
414 if (err > 0) {
415 /*
416 * The header is either absent or corrupted.
417 * The former case means there is a bug -
418 * switch to read-only mode just in case.
419 * The latter case means a real corruption - we
420 * may try to recover data. FIXME: but this is
421 * not implemented.
422 */
423 if (err == UBI_IO_BAD_HDR_EBADMSG ||
424 err == UBI_IO_BAD_HDR) {
425 ubi_warn("corrupted VID header at PEB %d, LEB %d:%d",
426 pnum, vol_id, lnum);
427 err = -EBADMSG;
428 } else
429 ubi_ro_mode(ubi);
On this path we return UBI_IO_FF and UBI_IO_FF_BITFLIPS and it
eventually gets passed to ERR_PTR(). We probably dereference the bad
pointer and oops. At that point we've gone read only so it was already
a bad situation...
430 }
431 goto out_free;
432 } else if (err == UBI_IO_BITFLIPS)
433 scrub = 1;
434
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
|
||
|---|---|---|
| .. | ||
| chips | ||
| devices | ||
| lpddr | ||
| maps | ||
| nand | ||
| onenand | ||
| spi-nor | ||
| tests | ||
| ubi | ||
| afs.c | ||
| ar7part.c | ||
| bcm47xxpart.c | ||
| bcm63xxpart.c | ||
| cmdlinepart.c | ||
| ftl.c | ||
| inftlcore.c | ||
| inftlmount.c | ||
| Kconfig | ||
| Makefile | ||
| mtd_blkdevs.c | ||
| mtdblock_ro.c | ||
| mtdblock.c | ||
| mtdchar.c | ||
| mtdconcat.c | ||
| mtdcore.c | ||
| mtdcore.h | ||
| mtdoops.c | ||
| mtdpart.c | ||
| mtdsuper.c | ||
| mtdswap.c | ||
| nftlcore.c | ||
| nftlmount.c | ||
| ofpart.c | ||
| redboot.c | ||
| rfd_ftl.c | ||
| sm_ftl.c | ||
| sm_ftl.h | ||
| ssfdc.c | ||