Bug in jffs2/scan.c re: incorrect assumption of "all clean" block
Artem B. Bityuckiy
dedekind at infradead.org
Mon Feb 14 08:24:24 EST 2005
Could you please send your JFFS2 dbg L1 output?
Is your flash NOR or NAND?
On Thu, 2005-02-10 at 16:44 -0600, Steven J. Magnani wrote:
> Hello MTD folk,
>
> I'm not hooked into the MTD list so please cc: me on any replies. Also
> please note that this is my first experience with this code, so excuse
> me if I've gone off base.
>
> I believe there is a bug in fs/jffs2/scan.c that causes it to
> incorrectly assume a block with a cleanmarker is "all clean". This
> causes an "Eep. Block 0xXXXXXXXX taken from free_list had free_size of
> 0xXXXXXXXX!!" to go off when jffs2_do_reserve_space() is called later.
>
> There are 4 conditions that have to be met in a particular block for the
> bug to surface:
>
> * The block has a cleanmarker
> * The end of the block has to be free space (0xFF)
> * The block has JFFS2_NODETYPE_INODEs
> * The block does NOT have any JFFS2_NODETYPE_DIRENTs
>
> The test that governs the "all clean" assumption is as follows (cf.
> scan.c 1.118 line 435)
>
> 	if (buf_ofs == jeb->offset && jeb->used_size == PAD(c->cleanmarker_size) &&
> 	    c->cleanmarker_size && !jeb->dirty_size &&
> 	    !jeb->first_node->next_in_ino) {
>
> The bug is that there is no test that checks whether any
> JFFS2_NODETYPE_INODEs have been seen. Since only JFFS2_NODETYPE_DIRENTs
> are counted as used, and JFFS2_NODETYPE_INODEs are counted as unchecked,
> I think that the correction should look like this:
>
> 	if (buf_ofs == jeb->offset &&
> 	    ((jeb->used_size + jeb->unchecked_size) == PAD(c->cleanmarker_size)) &&
> 	    c->cleanmarker_size && !jeb->dirty_size &&
> 	    !jeb->first_node->next_in_ino) {
>
> This seems consistent with what is done at line 631:
>
> 	if ((jeb->used_size + jeb->unchecked_size) == PAD(c->cleanmarker_size) &&
> 	    !jeb->dirty_size &&
> 	    (!jeb->first_node || !jeb->first_node->next_in_ino))
>
> ...although the two are still not checking quite the same set of
> conditions.
>
> Comments? I can provide a JFFS2 image that triggers the problem if
> someone is interested in stepping through it.
>
> Steve Magnani
> Digital Design Corporation
> www.digidescorp.com
>
> ______________________________________________________
> Linux MTD discussion mailing list
> http://lists.infradead.org/mailman/listinfo/linux-mtd/
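The following is an added model of the scan accounting the report describes, not code from fs/jffs2/scan.c or from anyone in the thread: it counts DIRENT nodes as used and INODE nodes as unchecked, then applies both the quoted test and the proposed one to the four-condition block from the report. PAD() follows JFFS2's 4-byte rounding; the 12-byte cleanmarker and 40-byte node lengths are constructed sample values.

```c
/* Added model of the scan accounting described in the report, not code
 * from fs/jffs2/scan.c. PAD() is JFFS2's 4-byte rounding; the 12-byte NOR
 * cleanmarker and 40-byte node lengths are constructed sample values. */
#include <stdio.h>
#define PAD(x) (((x) + 3) & ~3u)
static const unsigned cleanmarker_size = 12;

/* Only the fields the quoted tests read. The cleanmarker ref's next_in_ino
 * stays NULL in every scenario here, so that term is constant and omitted. */
struct eraseblock { unsigned used_size, unchecked_size, dirty_size; };
enum node_kind { NODE_INODE, NODE_DIRENT };

/* As the report states: DIRENTs are counted used, INODEs unchecked. */
static void scan_node(struct eraseblock *jeb, enum node_kind kind, unsigned totlen)
{
    unsigned *bucket = kind == NODE_DIRENT ? &jeb->used_size : &jeb->unchecked_size;
    *bucket += PAD(totlen);
}

/* Test quoted from scan.c 1.118 line 435: never looks at unchecked_size. */
static int all_clean_original(const struct eraseblock *jeb)
{
    return jeb->used_size == PAD(cleanmarker_size)
        && cleanmarker_size && !jeb->dirty_size;
}

/* The proposed test: INODE nodes now block the "all clean" verdict. */
static int all_clean_proposed(const struct eraseblock *jeb)
{
    return (jeb->used_size + jeb->unchecked_size) == PAD(cleanmarker_size)
        && cleanmarker_size && !jeb->dirty_size;
}

/* Scan a block holding a cleanmarker, n_inodes INODEs and n_dirents DIRENTs
 * with 0xFF after them, then apply the chosen predicate. Returns 1 = clean. */
static int says_clean(int n_inodes, int n_dirents,
                      int (*pred)(const struct eraseblock *))
{
    struct eraseblock jeb = { .used_size = PAD(cleanmarker_size) };
    for (int i = 0; i < n_inodes; i++)  scan_node(&jeb, NODE_INODE, 40);
    for (int i = 0; i < n_dirents; i++) scan_node(&jeb, NODE_DIRENT, 40);
    return pred(&jeb);
}

int main(void)
{   /* The reported case: wrongly "clean" before the fix, not clean after. */
    printf("3 INODEs, 0 DIRENTs: original=%d proposed=%d\n",
           says_clean(3, 0, all_clean_original), says_clean(3, 0, all_clean_proposed));
    return 0;
}
```

A block holding only the cleanmarker is judged clean by both tests, and any DIRENT defeats both; only the INODE-only block separates them.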