* [PATCH] ubi: prevent null pointer reference
@ 2019-01-21 16:29 Roland Hieber
2019-01-21 16:55 ` Roland Hieber
2019-01-21 16:56 ` [PATCH v2] " Roland Hieber
0 siblings, 2 replies; 4+ messages in thread
From: Roland Hieber @ 2019-01-21 16:29 UTC (permalink / raw)
To: Barebox Mailing List; +Cc: Roland Hieber
After flashing a bogus UBI image, e.g. an image that is larger than the
available flash size, it can happen that barebox hangs itself with a
stacktrace when the board code or the environment does a ubi_attach() on
boot:

    ERROR: ubi0 error: init_volumes: not enough PEBs, required 7478, available 4024
    <NULL>: destroying fastmap 0: 0x14972004
    <NULL>: destroying fastmap 1: 0x14972218
    <NULL>: destroying fastmap 2: 0x1497242c
    <NULL>: destroying fastmap 3: 0x14970004
    <NULL>: destroying fastmap 4: 0x14970218
    <NULL>: destroying fastmap 5: 0x0
    unable to handle NULL pointer dereference at address 0x00000204
    pc : [<1fd1eaf2>] lr : [<1fd15aad>]
    sp : 1feefd30 ip : 0000000a fp : 1fd5d1d7
    r10: 00001d34 r9 : 00000000 r8 : 1fd5d540
    r7 : 14983148 r6 : 00000006 r5 : ffffffe4 r4 : 14983004
    r3 : 1fd82bfc r2 : 021f0000 r1 : 0000000a r0 : 00000000
    Flags: nzcv IRQs off FIQs off Mode SVC_32
    [<1fd1eaf2>] (ubi_fastmap_destroy_checkmap+0x8/0xa) from [<1fd15aad>] (ubi_read_volume_table+0x4d9/0x71c)
    [<1fd15aad>] (ubi_read_volume_table+0x4d9/0x71c) from [<1fd1cbf7>] (ubi_attach+0x157/0x1f8)
    [<1fd1cbf7>] (ubi_attach+0x157/0x1f8) from [<1fd16ec3>] (ubi_attach_mtd_dev+0x4a3/0x954)
    [<1fd16ec3>] (ubi_attach_mtd_dev+0x4a3/0x954) from [<1fd3dca1>] (bosch_common_ubiattach.constprop.11+0x51/0x7c)
    [<1fd3dca1>] (bosch_common_ubiattach.constprop.11+0x51/0x7c) from [<1fd3e79f>] (bosch_common_postenv_init+0x3cf/0x444)
    [<1fd3e79f>] (bosch_common_postenv_init+0x3cf/0x444) from [<1fd00ba5>] (start_barebox+0x45/0x98)
    [<1fd00ba5>] (start_barebox+0x45/0x98) from [<1fd529df>] (barebox_non_pbl_start+0xbb/0xf4)
    [<1fd529df>] (barebox_non_pbl_start+0xbb/0xf4) from [<1fd00005>] (__bare_init_start+0x1/0xc)
    [<1fd54191>] (unwind_backtrace+0x1/0x64) from [<1fd00e4d>] (panic+0x1d/0x34)
    [<1fd00e4d>] (panic+0x1d/0x34) from [<1fd523fd>] (do_exception+0xd/0x10)
    [<1fd523fd>] (do_exception+0xd/0x10) from [<1fd5245d>] (do_data_abort+0x21/0x2c)
    [<1fd5245d>] (do_data_abort+0x21/0x2c) from [<1fd52074>] (do_abort_6+0x48/0x54)

With this patch, barebox at least boots to a prompt where the faulty
flash can be repaired:

    ERROR: ubi0 error: init_volumes: not enough PEBs, required 7478, available 4024
    <NULL>: destroying fastmap 0: 0x14972004
    <NULL>: destroying fastmap 1: 0x14972218
    <NULL>: destroying fastmap 2: 0x1497242c
    <NULL>: destroying fastmap 3: 0x14970004
    <NULL>: destroying fastmap 4: 0x14970218
    <NULL>: destroying fastmap 5: 0x0
    <NULL>: destroying fastmap 6: 0x0
    <NULL>: destroying fastmap 7: 0x0
    <NULL>: destroying fastmap 8: 0x0
    <NULL>: destroying fastmap 9: 0x0
    [... more 0x0 ...]
    <NULL>: destroying fastmap 125: 0x0
    <NULL>: destroying fastmap 126: 0x0
    <NULL>: destroying fastmap 127: 0x0
    <NULL>: destroying fastmap 128: 0x1497042c
    ERROR: ubi0 error: ubi_attach_mtd_dev: failed to attach mtd0, error -28
    [...]
    running /env/bin/init...
    barebox@boardname:/

Signed-off-by: Roland Hieber <rhi@pengutronix.de>
---
drivers/mtd/ubi/vtbl.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/mtd/ubi/vtbl.c b/drivers/mtd/ubi/vtbl.c
index 6959564a13..68302f4a33 100644
--- a/drivers/mtd/ubi/vtbl.c
+++ b/drivers/mtd/ubi/vtbl.c
@@ -850,6 +850,12 @@ int ubi_read_volume_table(struct ubi_device *ubi, struct ubi_attach_info *ai)
out_free:
vfree(ubi->vtbl);
for (i = 0; i < ubi->vtbl_slots + UBI_INT_VOL_COUNT; i++) {
+
+ dev_vdbg(&ubi->dev, "destroying fastmap %d: 0x%x\n", i, ubi->volumes[i]);
+
+ if (!ubi->volumes[i])
+ continue;
+
ubi_fastmap_destroy_checkmap(ubi->volumes[i]);
kfree(ubi->volumes[i]);
ubi->volumes[i] = NULL;
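Review bot: the dev_vdbg() call added at the top of the out_free loop prints the pointer ubi->volumes[i] with 0x%x, which is the wrong conversion for a pointer; use %p. The message says "destroying fastmap" although the loop releases each volume together with its checkmap, and the log in the commit message shows the device prefix as <NULL> at this point, so the line could be dropped once the fix is verified. The guard itself is only needed for ubi_fastmap_destroy_checkmap(), since kfree() accepts NULL; placing the check inside that function would cover any other caller as well.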
--
2.20.1
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
* Re: [PATCH] ubi: prevent null pointer reference
2019-01-21 16:29 [PATCH] ubi: prevent null pointer reference Roland Hieber
@ 2019-01-21 16:55 ` Roland Hieber
2019-01-21 16:56 ` [PATCH v2] " Roland Hieber
1 sibling, 0 replies; 4+ messages in thread
From: Roland Hieber @ 2019-01-21 16:55 UTC (permalink / raw)
To: Barebox Mailing List
On Mon, Jan 21, 2019 at 05:29:26PM +0100, Roland Hieber wrote:
> diff --git a/drivers/mtd/ubi/vtbl.c b/drivers/mtd/ubi/vtbl.c
> index 6959564a13..68302f4a33 100644
> --- a/drivers/mtd/ubi/vtbl.c
> +++ b/drivers/mtd/ubi/vtbl.c
> @@ -850,6 +850,12 @@ int ubi_read_volume_table(struct ubi_device *ubi, struct ubi_attach_info *ai)
> out_free:
> vfree(ubi->vtbl);
> for (i = 0; i < ubi->vtbl_slots + UBI_INT_VOL_COUNT; i++) {
> +
> + dev_vdbg(&ubi->dev, "destroying fastmap %d: 0x%x\n", i, ubi->volumes[i]);
> +
> + if (!ubi->volumes[i])
> + continue;
> +
> ubi_fastmap_destroy_checkmap(ubi->volumes[i]);
No wait. I should rather check in ubi_fastmap_destroy_checkmap(). Will
send v2.
- Roland
> kfree(ubi->volumes[i]);
> ubi->volumes[i] = NULL;
> --
> 2.20.1
--
Roland Hieber | r.hieber@pengutronix.de |
Pengutronix e.K. | https://www.pengutronix.de/ |
Peiner Str. 6-8, 31137 Hildesheim | Phone: +49-5121-206917-5086 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
* [PATCH v2] ubi: prevent null pointer reference
2019-01-21 16:29 [PATCH] ubi: prevent null pointer reference Roland Hieber
2019-01-21 16:55 ` Roland Hieber
@ 2019-01-21 16:56 ` Roland Hieber
2019-01-22 7:12 ` Sascha Hauer
1 sibling, 1 reply; 4+ messages in thread
From: Roland Hieber @ 2019-01-21 16:56 UTC (permalink / raw)
To: Barebox Mailing List; +Cc: Roland Hieber
After flashing a bogus UBI image, e.g. when the UBI is bigger than the
available flash size, it can happen that barebox hangs itself with a
stacktrace when the board code or the environment does a ubi_attach() on
boot:

    ERROR: ubi0 error: init_volumes: not enough PEBs, required 7478, available 4024
    unable to handle NULL pointer dereference at address 0x00000204
    pc : [<1fd1eaf2>] lr : [<1fd15aad>]
    sp : 1feefd30 ip : 0000000a fp : 1fd5d1d7
    r10: 00001d34 r9 : 00000000 r8 : 1fd5d540
    r7 : 14983148 r6 : 00000006 r5 : ffffffe4 r4 : 14983004
    r3 : 1fd82bfc r2 : 021f0000 r1 : 0000000a r0 : 00000000
    Flags: nzcv IRQs off FIQs off Mode SVC_32
    [<1fd1eaf2>] (ubi_fastmap_destroy_checkmap+0x8/0xa) from [<1fd15aad>] (ubi_read_volume_table+0x4d9/0x71c)
    [<1fd15aad>] (ubi_read_volume_table+0x4d9/0x71c) from [<1fd1cbf7>] (ubi_attach+0x157/0x1f8)
    [<1fd1cbf7>] (ubi_attach+0x157/0x1f8) from [<1fd16ec3>] (ubi_attach_mtd_dev+0x4a3/0x954)
    [...]

After this change, barebox at least boots to a prompt where the faulty
flash can be repaired:

    ERROR: ubi0 error: init_volumes: not enough PEBs, required 7478, available 4024
    ERROR: ubi0 error: ubi_attach_mtd_dev: failed to attach mtd0, error -28
    [...]
    running /env/bin/init...
    barebox@boardname:/

Signed-off-by: Roland Hieber <rhi@pengutronix.de>
---
v1 -> v2: better check for NULLness in ubi_fastmap_destroy_checkmap()
instead of the calling code, same effect but more elegant.
---
drivers/mtd/ubi/fastmap.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/mtd/ubi/fastmap.c b/drivers/mtd/ubi/fastmap.c
index 84c2912bf5..32b60ccad8 100644
--- a/drivers/mtd/ubi/fastmap.c
+++ b/drivers/mtd/ubi/fastmap.c
@@ -1051,7 +1051,8 @@ int ubi_fastmap_init_checkmap(struct ubi_volume *vol, int leb_count)
void ubi_fastmap_destroy_checkmap(struct ubi_volume *vol)
{
- kfree(vol->checkmap);
+ if (vol)
+ kfree(vol->checkmap);
}
/**
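Review bot: the new `if (vol)` guard in ubi_fastmap_destroy_checkmap() makes NULL a valid argument, but nothing in the visible lines documents that; a short comment above the function, or an early `if (!vol) return;`, would make the contract explicit for other callers. The subject line says "null pointer reference" where "dereference" is meant, which is the wording the trace in the commit message uses.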
--
2.20.1
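
The cleanup pattern behind the v2 change, as an added example that is not part of this thread or of barebox: a reduced C model in which the volume table is sparse, as in the v1 debug output, and the destructor tolerates NULL the way free() does. `struct volume`, `struct device`, `SLOTS`, `destroy_checkmap()`, `populate_sparse()` and `cleanup_volumes()` are hypothetical stand-ins, not barebox names.

```c
#include <stdlib.h>

#define SLOTS 16  /* constructed size; the v1 log above walks slots 0..128 */

struct volume { unsigned char *checkmap; };        /* hypothetical stand-in */
struct device { struct volume *volumes[SLOTS]; };  /* hypothetical stand-in */

/* NULL-tolerant destructor, the shape of the v2 change. */
static void destroy_checkmap(struct volume *vol)
{
    if (vol)
        free(vol->checkmap);
}

/* Leave the table sparse the way the v1 debug log shows it: the first n_user
 * slots and the last slot populated, NULL between. Returns 0, or -1 on OOM. */
static int populate_sparse(struct device *dev, int n_user)
{
    *dev = (struct device){0};
    for (int i = 0; i < SLOTS; i++) {
        if (i >= n_user && i != SLOTS - 1)
            continue;
        dev->volumes[i] = calloc(1, sizeof(struct volume));
        if (!dev->volumes[i])
            return -1;
        dev->volumes[i]->checkmap = calloc(1, 8);
    }
    return 0;
}

/* Error-path cleanup over every slot; returns how many volumes were released. */
static int cleanup_volumes(struct device *dev)
{
    int released = 0;
    for (int i = 0; i < SLOTS; i++) {
        released += dev->volumes[i] != NULL;
        destroy_checkmap(dev->volumes[i]);  /* reached with NULL for empty slots */
        free(dev->volumes[i]);              /* free(NULL) is a no-op */
        dev->volumes[i] = NULL;
    }
    return released;
}

int main(void)
{
    struct device dev;
    return populate_sparse(&dev, 5) == 0 && cleanup_volumes(&dev) == 6 ? 0 : 1;
}
```
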
* Re: [PATCH v2] ubi: prevent null pointer reference
2019-01-21 16:56 ` [PATCH v2] " Roland Hieber
@ 2019-01-22 7:12 ` Sascha Hauer
0 siblings, 0 replies; 4+ messages in thread
From: Sascha Hauer @ 2019-01-22 7:12 UTC (permalink / raw)
To: Roland Hieber; +Cc: Barebox Mailing List
On Mon, Jan 21, 2019 at 05:56:16PM +0100, Roland Hieber wrote:
> After flashing a bogus UBI image, e.g. when the UBI is bigger than the
> available flash size, it can happen that barebox hangs itself with a
> stacktrace when the board code or the environment does a ubi_attach() on
> boot:
>
> ERROR: ubi0 error: init_volumes: not enough PEBs, required 7478, available 4024
> unable to handle NULL pointer dereference at address 0x00000204
> pc : [<1fd1eaf2>] lr : [<1fd15aad>]
> sp : 1feefd30 ip : 0000000a fp : 1fd5d1d7
> r10: 00001d34 r9 : 00000000 r8 : 1fd5d540
> r7 : 14983148 r6 : 00000006 r5 : ffffffe4 r4 : 14983004
> r3 : 1fd82bfc r2 : 021f0000 r1 : 0000000a r0 : 00000000
> Flags: nzcv IRQs off FIQs off Mode SVC_32
> [<1fd1eaf2>] (ubi_fastmap_destroy_checkmap+0x8/0xa) from [<1fd15aad>] (ubi_read_volume_table+0x4d9/0x71c)
> [<1fd15aad>] (ubi_read_volume_table+0x4d9/0x71c) from [<1fd1cbf7>] (ubi_attach+0x157/0x1f8)
> [<1fd1cbf7>] (ubi_attach+0x157/0x1f8) from [<1fd16ec3>] (ubi_attach_mtd_dev+0x4a3/0x954)
> [...]
I just had a look at the kernel and it seems to have the same problem.
Anyway, applied, thanks
Sascha
--
Pengutronix e.K. | |
Industrial Linux Solutions | http://www.pengutronix.de/ |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |