Bug in jffs2/scan.c re: incorrect assumption of "all clean" block
Steven J. Magnani
steve at digidescorp.com
Thu Feb 10 17:44:12 EST 2005
Hello MTD folk,
I'm not hooked into the MTD list so please cc: me on any replies. Also
please note that this is my first experience with this code, so excuse
me if I've gone off base.
I believe there is a bug in fs/jffs2/scan.c that causes it to
incorrectly assume a block with a cleanmarker is "all clean". This
causes an "Eep. Block 0xXXXXXXXX taken from free_list had free_size of
0xXXXXXXXX!!" to go off when jffs2_do_reserve_space() is called later.
There are 4 conditions that have to be met in a particular block for the
bug to surface:
* The block has a cleanmarker
* The end of the block has to be free space (0xFF)
* The block has JFFS2_NODETYPE_INODEs
* The block does NOT have any JFFS2_NODETYPE_DIRENTs
The test that governs the "all clean" assumption is as follows (cf.
scan.c 1.118 line 435)
if (buf_ofs == jeb->offset && jeb->used_size == PAD(c->cleanmarker_size) &&
    c->cleanmarker_size && !jeb->dirty_size &&
    !jeb->first_node->next_in_ino) {
The bug is that there is no test that checks whether any
JFFS2_NODETYPE_INODEs have been seen. Since only JFFS2_NODETYPE_DIRENTs
are counted as used, and JFFS2_NODETYPE_INODEs are counted as unchecked,
I think that the correction should look like this:
if (buf_ofs == jeb->offset &&
    ((jeb->used_size + jeb->unchecked_size) == PAD(c->cleanmarker_size)) &&
    c->cleanmarker_size && !jeb->dirty_size &&
    !jeb->first_node->next_in_ino) {
This seems consistent with what is done at line 631:
if ((jeb->used_size + jeb->unchecked_size) == PAD(c->cleanmarker_size) &&
    !jeb->dirty_size &&
    (!jeb->first_node || !jeb->first_node->next_in_ino)) {
...although the two are still not checking quite the same set of
conditions.
Comments? I can provide a JFFS2 image that triggers the problem if
someone is interested in stepping through it.
Steve Magnani
Digital Design Corporation
www.digidescorp.com
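The following is an added example, not code from fs/jffs2/scan.c or from the report above. It is a reduced model of the per-eraseblock counters the scan keeps, the "all clean" test quoted from scan.c 1.118 line 435, and the proposed correction, run over a constructed block that meets the four conditions listed in the report (cleanmarker, free tail, INODE nodes, no DIRENT). Assumptions: the cleanmarker is 12 bytes, the sector is 64 KiB, the INODE node lengths are made up, the buf_ofs == jeb->offset and next_in_ino checks are collapsed into a single "first node is the cleanmarker" flag, and the jffs2_do_reserve_space() "Eep" condition is modelled as "free_size differs from sector_size minus the padded cleanmarker".

```c
/*
 * Added example (not JFFS2 code): model of the scan-time accounting the
 * report discusses. Node types and the scan loop are simplified; the
 * struct fields mirror only the counters the quoted tests read.
 */
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAD(x) (((x) + 3u) & ~3u)   /* JFFS2 rounds node lengths to 4 bytes */

enum node_type { NODE_CLEANMARKER, NODE_INODE, NODE_DIRENT };

struct node {
    enum node_type type;
    uint32_t totlen;
};

/* Only the counters the quoted tests read; names follow the report. */
struct eraseblock {
    uint32_t used_size;
    uint32_t unchecked_size;
    uint32_t dirty_size;
    uint32_t free_size;
    bool first_is_cleanmarker;   /* stands in for buf_ofs/next_in_ino checks */
};

struct fs {
    uint32_t sector_size;
    uint32_t cleanmarker_size;
};

/*
 * Account nodes the way the report describes: the cleanmarker and DIRENTs
 * count as used, INODEs as unchecked (their CRCs are verified later), and
 * whatever follows the last node is free (0xFF) space.
 * Assumption: no obsolete nodes in the block, so dirty_size stays 0.
 */
static void scan_block(const struct fs *c, struct eraseblock *jeb,
                       const struct node *nodes, size_t n)
{
    uint32_t ofs = 0;
    *jeb = (struct eraseblock){0};
    for (size_t i = 0; i < n; i++) {
        uint32_t len = PAD(nodes[i].totlen);
        if (i == 0 && nodes[i].type == NODE_CLEANMARKER)
            jeb->first_is_cleanmarker = true;
        switch (nodes[i].type) {
        case NODE_CLEANMARKER:
        case NODE_DIRENT:
            jeb->used_size += len;
            break;
        case NODE_INODE:
            jeb->unchecked_size += len;
            break;
        }
        ofs += len;
    }
    jeb->free_size = c->sector_size - ofs;
}

/* The test quoted from scan.c 1.118 line 435: ignores unchecked_size. */
static bool all_clean_reported(const struct fs *c, const struct eraseblock *jeb)
{
    return jeb->first_is_cleanmarker
        && jeb->used_size == PAD(c->cleanmarker_size)
        && c->cleanmarker_size && !jeb->dirty_size;
}

/* The report's proposed correction: unchecked INODE bytes count as well. */
static bool all_clean_proposed(const struct fs *c, const struct eraseblock *jeb)
{
    return jeb->first_is_cleanmarker
        && (jeb->used_size + jeb->unchecked_size) == PAD(c->cleanmarker_size)
        && c->cleanmarker_size && !jeb->dirty_size;
}

/*
 * Model (assumption) of what jffs2_do_reserve_space() expects of a block
 * taken from free_list: everything but the cleanmarker is free. Returns
 * true when the "Eep. Block ... taken from free_list" message would fire.
 */
static bool free_list_block_is_inconsistent(const struct fs *c,
                                            const struct eraseblock *jeb)
{
    return jeb->free_size != c->sector_size - PAD(c->cleanmarker_size);
}

/* Constructed block: cleanmarker, two INODE nodes, no DIRENT, free tail. */
static const struct fs demo_fs = { .sector_size = 65536, .cleanmarker_size = 12 };
static const struct node demo_nodes[] = {
    { NODE_CLEANMARKER, 12 },
    { NODE_INODE, 68 },          /* made-up length: header-only inode node */
    { NODE_INODE, 68 + 4096 },   /* made-up length: header plus a page of data */
};

/* Returns 1 if the quoted test wrongly marks the block "all clean" while
 * the proposed test does not, and the block would then trip the Eep check. */
static int demo_triggers_bug(void)
{
    struct eraseblock jeb;
    scan_block(&demo_fs, &jeb, demo_nodes, sizeof demo_nodes / sizeof demo_nodes[0]);
    return all_clean_reported(&demo_fs, &jeb)
        && !all_clean_proposed(&demo_fs, &jeb)
        && free_list_block_is_inconsistent(&demo_fs, &jeb);
}

int main(void)
{
    struct eraseblock jeb;
    scan_block(&demo_fs, &jeb, demo_nodes, sizeof demo_nodes / sizeof demo_nodes[0]);
    printf("used=%" PRIu32 " unchecked=%" PRIu32 " free=%" PRIu32 "\n",
           jeb.used_size, jeb.unchecked_size, jeb.free_size);
    printf("reported test: %d, proposed test: %d, Eep would fire: %d\n",
           all_clean_reported(&demo_fs, &jeb), all_clean_proposed(&demo_fs, &jeb),
           free_list_block_is_inconsistent(&demo_fs, &jeb));
    return demo_triggers_bug() ? 0 : 1;
}
```

With the constructed block the quoted test sees used_size equal to the padded cleanmarker and reports "all clean", the corrected test sees 4232 bytes of unchecked INODE data and does not, and the modelled reserve-space check confirms the block's free_size is far short of what a free_list block should have. A cleanmarker-only block passes both tests, and a block containing a DIRENT fails both, which is why the report narrows the symptom to blocks with INODEs but no DIRENTs.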