From 68fc449033732e7eb2aa022f9ef1b292f6871b8c Mon Sep 17 00:00:00 2001
From: Heiko Schocher Date: Tue, 2 Feb 2016 11:54:35 +0100 Subject: mtd, ubi: set free_count to zero before walking through erase list Set free_count to zero before walking through ai->erase list in wl_init(). As U-Boot has no workqueue/threads, it immediately calls erase_worker(), which increase for each erased block free_count. Without this patch, free_count gets after this initialized to zero in wl_init(), so the free_count variable always has the maybe wrong value 0. Detected this behaviour on the dxr2 board, where the UBI fastmap gets not written when attaching/dettaching on an empty NAND. It drops instead the error message: could not find any anchor PEB With this patch, fastmap gets written on dettach. Signed-off-by: Heiko Schocher Reviewed-by: Boris Brezillon
diff --git a/drivers/mtd/ubi/wl.c b/drivers/mtd/ubi/wl.c
index 507b091..e823ca5 100644
--- a/drivers/mtd/ubi/wl.c
+++ b/drivers/mtd/ubi/wl.c
@@ -1528,6 +1528,7 @@ int ubi_wl_init(struct ubi_device *ubi, struct ubi_attach_info *ai)
 INIT_LIST_HEAD(&ubi->pq[i]);
 ubi->pq_head = 0;
+ ubi->free_count = 0;
 list_for_each_entry_safe(aeb, tmp, &ai->erase, u.list) {
 cond_resched();
@@ -1546,7 +1547,6 @@ int ubi_wl_init(struct ubi_device *ubi, struct ubi_attach_info *ai)
 found_pebs++;
 }
- ubi->free_count = 0;
 list_for_each_entry(aeb, &ai->free, u.list) {
 cond_resched();
-- cgit v0.10.2
From b1d6590d357bde2332cb699e2fd2efc7a7c64f38 Mon Sep 17 00:00:00 2001
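Review bot: The new `ubi->free_count = 0;` ahead of the `ai->erase` walk in ubi_wl_init() (drivers/mtd/ubi/wl.c, first hunk) has no comment saying why its position matters, so a later resync with the Linux sources could move it back below the loop and bring the missing-fastmap failure back unnoticed. Per the commit message, U-Boot runs erase_worker() synchronously while the erase list is walked, so the counter has to be cleared first; I would record that in place, e.g. `/* U-Boot runs erase_worker() synchronously during the ai->erase walk, which bumps free_count; reset it before the walk, not after */`. ubi_wl_init() begins and ends outside this hunk, so whether anything earlier in the function already touches free_count is not visible here.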
From: Heiko Schocher Date: Thu, 21 Apr 2016 12:16:58 +0200 Subject: ubifs: fix memory corruption in super.c In list "super_blocks" ubifs collects allocated super_block structs. U-Boot frees on unmount the allocated struct, so the pointer stored in this list is free after the umount. On a new ubifs mount, the new allocated super_block struct get inserted into the super_blocks list ... which contains now a freed pointer, and the list_add_tail() corrupts the freed memory ... 2 solutions are possible: - remove the super_block from the super_blocks list on umount - as U-Boot does not use the super_blocks list ... remove it complete for U-Boot. Both solutions should not introduce problems for porting to newer linux version, so this patch removes the unused super_blocks list, as it saves code size and execution time. Signed-off-by: Heiko Schocher
diff --git a/fs/ubifs/super.c b/fs/ubifs/super.c
index dcf3a47..effa8d9 100644
--- a/fs/ubifs/super.c
+++ b/fs/ubifs/super.c
@@ -48,7 +48,6 @@ struct vfsmount;
 #define INODE_LOCKED_MAX 64
 struct super_block *ubifs_sb;
-LIST_HEAD(super_blocks);
 static struct inode *inodes_locked_down[INODE_LOCKED_MAX];
@@ -2425,10 +2424,10 @@ retry:
 s->s_type = type;
 #ifndef __UBOOT__
 strlcpy(s->s_id, type->name, sizeof(s->s_id));
+ list_add_tail(&s->s_list, &super_blocks);
 #else
 strncpy(s->s_id, type->name, sizeof(s->s_id));
 #endif
- list_add_tail(&s->s_list, &super_blocks);
 hlist_add_head(&s->s_instances, &type->fs_supers);
 #ifndef __UBOOT__
 spin_unlock(&sb_lock);
-- cgit v0.10.2
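Review bot: `hlist_add_head(&s->s_instances, &type->fs_supers);` stays unconditional on the new side of the second fs/ubifs/super.c hunk, and it links the same super_block into another long-lived list. If U-Boot's unmount path frees the struct without unlinking `s_instances` (that path is not visible here), the next mount would write through a stale node much as `list_add_tail()` did on `super_blocks`. It is worth confirming that unmount does `hlist_del_init(&s->s_instances);` before the free, or moving this line under `#ifndef __UBOOT__` too if `fs_supers` is unused in U-Boot. Separately, the `#else` branch's `strncpy(s->s_id, type->name, sizeof(s->s_id));` leaves `s_id` unterminated when the name fills the buffer; adding `s->s_id[sizeof(s->s_id) - 1] = '\0';` after it would close that. The enclosing function starts and ends outside the hunk.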