Received: by 2002:a05:6358:53a8:b0:117:f937:c515 with SMTP id z40csp4192115rwe; Mon, 17 Apr 2023 09:08:25 -0700 (PDT) X-Google-Smtp-Source: AKy350YDc5EDMW/prIX/6LsiN2zPVXRQkAjwyk7bsw5Oa5JtQh9jMw8JG4Mnn/m/6nKyg4yXuNkz X-Received: by 2002:a05:6a20:72a4:b0:f0:4dbf:5f9f with SMTP id o36-20020a056a2072a400b000f04dbf5f9fmr1812911pzk.29.1681747705605; Mon, 17 Apr 2023 09:08:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1681747705; cv=none; d=google.com; s=arc-20160816; b=0x/w2IQtjl7lXYPvG4zSl2DJqu2ABsXYB8SHwAD1siE31TpELe4r7TZ0gSbFKqXdgR eEEtGyJSbIfN79KrwXBIJmHK7fbzYafeydf2isLUVM9e0wzQhCFybZxe9gceOOQJnBuQ FFZqgX/vq6ezr52vAndbFCHuKDQYD/sYX8KmL37Svsla+Eincl8i5M9Uisff801+RQ+6 z2dtuNH1/dMGy721BczLoK04aqYXB+aAwqSgBbVlcZLc32Rh2CF+hYvEWtOkxLpdvUHV XOz+Mt+7t+DRR0n0A5PbuIwAT3SfZMGwvce1WBQvaEb5mLz484hr8926tJIA1TOZeRsL fWuA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:thread-index:thread-topic :content-transfer-encoding:mime-version:subject:references :in-reply-to:message-id:cc:to:from:date; bh=cKhpNKpHMsz+UJdTckYt+FRg1OGGGWfo3epUoM3aKS8=; b=TDIYrJyS8DM++sgelpZtHsgqdKMrkO8UF13Gq8XMYRvAhJyqhoC/Rd3XmC+pNhT58t Il6RZUrJ7VoP448uAs92LEw+iHYnNZw96uPOfV5qvIlrpzXhs9/pViHzzGOdekFJF+F6 ojfN4M+SBUsa8LRaEUXcH8aerUbQ7N+zVPiPDUDU2Sl1km/HCg0U5eqmPUEnuGdsflfp PHTnujAPqPXDiLZ7kPZP4i8pbGYzsvesKPD3QrO/N6I0ntmToZ3ACJMj60VEl2txkI3J OMHyXXEUUvK26kX7wRbR0vY6ZWXViOow6TFE4jNHriKl1VjABEm+9ax6KOE1WWGIR/ag ZXYg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id a21-20020a63e855000000b004fb33a76e2csi12474007pgk.834.2023.04.17.09.08.13; Mon, 17 Apr 2023 09:08:25 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229717AbjDQQHo convert rfc822-to-8bit (ORCPT + 99 others); Mon, 17 Apr 2023 12:07:44 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34510 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229896AbjDQQHn (ORCPT ); Mon, 17 Apr 2023 12:07:43 -0400 Received: from lithops.sigma-star.at (lithops.sigma-star.at [195.201.40.130]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0FB4E659D; Mon, 17 Apr 2023 09:07:40 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by lithops.sigma-star.at (Postfix) with ESMTP id F33EA64551BD; Mon, 17 Apr 2023 18:07:37 +0200 (CEST) Received: from lithops.sigma-star.at ([127.0.0.1]) by localhost (lithops.sigma-star.at [127.0.0.1]) (amavisd-new, port 10032) with ESMTP id n1W0Qrtyq6yM; Mon, 17 Apr 2023 18:07:37 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by lithops.sigma-star.at (Postfix) with ESMTP id 913E76431C58; Mon, 17 Apr 2023 18:07:37 +0200 (CEST) Received: from lithops.sigma-star.at ([127.0.0.1]) by localhost (lithops.sigma-star.at [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id Ln_Xl0bMsm8o; Mon, 17 Apr 2023 18:07:37 +0200 (CEST) Received: from lithops.sigma-star.at (lithops.sigma-star.at [195.201.40.130]) by lithops.sigma-star.at (Postfix) with ESMTP id 3DEF464551BD; Mon, 17 Apr 2023 18:07:37 +0200 (CEST) Date: Mon, 17 Apr 2023 18:07:37 +0200 (CEST) From: Richard Weinberger To: Uwe =?utf-8?Q?Kleine-K=C3=B6nig?= Cc: George Kennedy , Miquel Raynal , Vignesh Raghavendra , eorge kennedy , linux-mtd , syzkaller , linux-kernel , harshit m mogalapalli , kernel , stable Message-ID: <1791587113.113210.1681747656999.JavaMail.zimbra@nod.at> In-Reply-To: <20230417160102.lw6n7bdxwrlkluwj@pengutronix.de> References: <20230417160102.lw6n7bdxwrlkluwj@pengutronix.de> Subject: Re: [Regression] Cannot overwrite VID header offset any more [Was: [PATCH] ubi: ensure that VID header offset + VID header size <= alloc, size] MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8BIT X-Originating-IP: [195.201.40.130] X-Mailer: Zimbra 8.8.12_GA_3807 (ZimbraWebClient - FF97 (Linux)/8.8.12_GA_3809) Thread-Topic: Cannot overwrite VID header offset any more [Was: [PATCH] ubi: ensure that VID header offset + VID header size <= alloc, size] Thread-Index: QZS7NxF6po442+3+qhw1upzn2ik3iw== X-Spam-Status: No, score=-0.9 required=5.0 tests=BAYES_00,PDS_BAD_THREAD_QP_64, SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE,T_SPF_PERMERROR autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Uwe, ----- Ursprüngliche Mail ----- > Von: "Uwe Kleine-König" > This patch is in mainline as 1b42b1a36fc946f0d7088425b90d491b4257ca3e, > and backported to various stable releases. > > For me this breaks > > ubiattach -m 0 -O 2048 > > I think the check > > ubi->vid_hdr_offset + UBI_VID_HDR_SIZE > ubi->vid_hdr_alsize > > is wrong. Without -O passed to ubiattach (and dynamic debug enabled) I > get: > > [ 5294.936762] UBI DBG gen (pid 9619): sizeof(struct ubi_ainf_peb) 56 > [ 5294.936769] UBI DBG gen (pid 9619): sizeof(struct ubi_wl_entry) 32 > [ 5294.936774] UBI DBG gen (pid 9619): min_io_size 2048 > [ 5294.936779] UBI DBG gen (pid 9619): max_write_size 2048 > [ 5294.936783] UBI DBG gen (pid 9619): hdrs_min_io_size 512 > [ 5294.936787] UBI DBG gen (pid 9619): ec_hdr_alsize 512 > [ 5294.936791] UBI DBG gen (pid 9619): vid_hdr_alsize 512 > [ 5294.936796] UBI DBG gen (pid 9619): vid_hdr_offset 512 > [ 5294.936800] UBI DBG gen (pid 9619): vid_hdr_aloffset 512 > [ 5294.936804] UBI DBG gen (pid 9619): vid_hdr_shift 0 > [ 5294.936808] UBI DBG gen (pid 9619): leb_start 2048 > [ 5294.936812] UBI DBG gen (pid 9619): max_erroneous 409 > > So the check would only pass for vid_hdr_offset <= 512 - > UBI_VID_HDR_SIZE; note that even specifying the default value 512 (i.e. > > ubiattach -m 0 -O 512 > > ) fails the check. > > A less strong check would be: > > diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c > index 0904eb40c95f..69c28a862430 100644 > --- a/drivers/mtd/ubi/build.c > +++ b/drivers/mtd/ubi/build.c > @@ -666,8 +666,8 @@ static int io_init(struct ubi_device *ubi, int > max_beb_per1024) > ubi->ec_hdr_alsize = ALIGN(UBI_EC_HDR_SIZE, ubi->hdrs_min_io_size); > ubi->vid_hdr_alsize = ALIGN(UBI_VID_HDR_SIZE, ubi->hdrs_min_io_size); > > - if (ubi->vid_hdr_offset && ((ubi->vid_hdr_offset + UBI_VID_HDR_SIZE) > > - ubi->vid_hdr_alsize)) { > + if (ubi->vid_hdr_offset && > + ubi->vid_hdr_offset + UBI_VID_HDR_SIZE > ubi->peb_size) { > ubi_err(ubi, "VID header offset %d too large.", ubi->vid_hdr_offset); > return -EINVAL; > } > > But I'm unsure if this would be too lax?! As written on IRC, 1e020e1b96af ("ubi: Fix failure attaching when vid_hdr offset equals to (sub)page size") is supposed to fix that and on it's way into stable. Thanks, //richard