In [1] Sam points out an assertion does not hold true for 32-bit
platforms, which only impacts Large File Support (LFS) API usage
in erofs-utils according to Xiang [2]. We don't think these APIs
are used in u-boot and this restriction could be safely removed.
[1] https://lists.denx.de/pipermail/u-boot/2023-July/524679.html
[2] https://lists.denx.de/pipermail/u-boot/2023-July/524727.html
Fixes: 3a21e92fc2 ("fs/erofs: Introduce new features including ztailpacking, fragments and dedupe")
Signed-off-by: Yifan Zhao <zhaoyifan@sjtu.edu.cn>
Tested-by: Sam Edwards <CFSworks@gmail.com>
The FAT file systems uses character '\xe5' to mark a deleted directory
entry. If a file name starts with this character, it is substituted by
'\x05' in the directory entry.
While (signed char)'\xe5' is a negative number 0xe5 is a positive integer
number. We therefore have define a constant DELETED_MARK which matches the
signedness of the characters in the directory entry.
Correct a comparison where we used the constant 0xe5 with the wrong sign.
Use the constant aRING instead of 0x05 like in the rest of the code.
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Fixes: 57b745e238 ("fs: fat: call set_name() only once")
Fixes: 28cef9ca2e ("fs: fat: create correct short names")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
This patch updates erofs driver code to catch up with the latest code of
erofs_utils (commit e4939f9eaa177e05d697ace85d8dc283e25dc2ed).
LZMA will be supported in the separate patch later.
Signed-off-by: Yifan Zhao <zhaoyifan@sjtu.edu.cn>
Reviewed-by: Huang Jianan <jnhuang95@gmail.com>
To save a few bytes, replace Error with ** and try to use the same string
for multiple messages where possible.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
It seems better to call this a 'bootdev' since this is name used in the
documentation. The older 'Bootdevice' name is no-longer used and may cause
confusion with the 'bootdevice' environment variable.
Update throughout to use bootdev.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
This functionality current sits in bootstd, but it is more generally
useful. Add a function to load a file into memory, allocating it as
needed. Adjust bootstd to use this version.
Note: Tests are added in the subsequent patch which converts the 'cat'
command to use this function.
Signed-off-by: Simon Glass <sjg@chromium.org>
The ubifsload command is truncating any address above 4GiB as it casts
this address to an u32, instead of using an unsigned long which most of
the other load commands do. Change this to an unsigned long to allow
loading into high memory for boards which use these areas.
Fixes the following error:
=> ubifsload 0x2100000000 /boot/Image.lzma
Loading file '/boot/Image.lzma' to addr 0x00000000...
Unhandled exception: Store/AMO access fault
Signed-off-by: Ben Dooks <ben.dooks@sifive.com>
Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk>
If a file does not exist, it should be created.
Fixes: f676b45151 ("fs: Add semihosting filesystem")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Use asm/unaligned.h instead of linux/unaligned/access_ok.h for unaligned
access. This is needed on architectures that doesn't handle unaligned
accesses directly.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
btrfs_read_extent_reg correctly computed the extent offset in the
BTRFS_COMPRESS_NONE case, but did not account for the 'offset - key.offset'
part correctly in the compressed case, making the function read
incorrect data.
In the case I examined, the last 4k of a file was corrupted and
contained data from a few blocks prior, e.g. reading a 10k file with a
single extent:
btrfs_file_read()
-> btrfs_read_extent_reg
(aligned part loop, until 8k)
-> read_and_truncate_page
-> btrfs_read_extent_reg
(re-reads the last extent from 8k to the end,
incorrectly reading the first 2k of data)
This can be reproduced as follow:
$ truncate -s 200M btr
$ mount btr -o compress /mnt
$ pat() { dd if=/dev/zero bs=1M count=$1 iflag=count_bytes status=none | tr '\0' "\\$2"; }
$ { pat 4K 1; pat 4K 2; pat 2K 3; } > /mnt/file
$ sync
$ filefrag -v /mnt/file
File size of /mnt/file is 10240 (3 blocks of 4096 bytes)
ext: logical_offset: physical_offset: length: expected: flags:
0: 0.. 2: 3328.. 3330: 3: last,encoded,eof
$ umount /mnt
Then in u-boot:
=> load scsi 0 2000000 file
10240 bytes read in 3 ms (3.3 MiB/s)
=> md 2001ff0
02001ff0: 02020202 02020202 02020202 02020202 ................
02002000: 01010101 01010101 01010101 01010101 ................
02002010: 01010101 01010101 01010101 01010101 ................
(02002000 onwards should contain '03' pattern but went back to 01,
start of the extent)
After patch, data is read properly:
=> md 2001ff0
02001ff0: 02020202 02020202 02020202 02020202 ................
02002000: 03030303 03030303 03030303 03030303 ................
02002010: 03030303 03030303 03030303 03030303 ................
Note that the code previously (before commit e3427184f3 ("fs: btrfs:
Implement btrfs_file_read()")) did not split that read in two, so
this is a regression even if the previous code might not have been
handling offsets correctly either (something that booted now fails to
boot)
Fixes: a26a6bedaf ("fs: btrfs: Introduce btrfs_read_extent_inline() and btrfs_read_extent_reg()")
Signed-off-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
Reviewed-by: Qu Wenruo <wqu@suse.com>
The deletion process handles special case for symlinks whose target are
small enough that it fits in struct ext2_inode.b.symlink. So no block had
been allocated. But the check of file type wrongly considered regular
files as symlink. So, no block was freed. So, the EXT4 partition could be
corrupted because of no free block available.
Signed-off-by: Corentin GUILLEVIC <corentin.guillevic@smile.fr>
Do not mangle lower or mixed case filenames which fit into the upper
case 8.3 short filename. This ensures FAT standard compatible short
filenames (SFN) to support systems without long filename (LFN) support
like boot roms (ex. SFN BOOT.BIN instead of BOOT~1.BIN for LFN
boot.bin).
Signed-off-by: Stefan Herbrechtsmeier <stefan.herbrechtsmeier@weidmueller.com>
No need to mount a too small partition to handle a EXT4 file system.
This patch add a test on partition size before to read the
SUPERBLOCK_SIZE buffer and avoid error latter in fs_devread() function.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
[BUG]
There is a bug report that btrfs driver caused hang during file read:
This breaks btrfs on the HiFive Unmatched.
=> pci enum
PCIE-0: Link up (Gen1-x8, Bus0)
=> nvme scan
=> load nvme 0:2 0x8c000000 /boot/dtb/sifive/hifive-unmatched-a00.dtb
[hangs]
[CAUSE]
The reporter provided some debug output:
read_extent_data: cur=615817216, orig_len=16384, cur_len=16384
read_extent_data: btrfs_map_block: cur_len=479944704; ret=0
read_extent_data: ret=0
read_extent_data: cur=615833600, orig_len=4096, cur_len=4096
read_extent_data: btrfs_map_block: cur_len=479928320; ret=0
Note the second and the last line, the @cur_len is 450+MiB, which is
almost a chunk size.
And inside __btrfs_map_block(), we limits the returned value to stripe
length, but that's depending on the chunk type:
if (map->type & (BTRFS_BLOCK_GROUP_RAID0 | BTRFS_BLOCK_GROUP_RAID1 |
BTRFS_BLOCK_GROUP_RAID1C3 | BTRFS_BLOCK_GROUP_RAID1C4 |
BTRFS_BLOCK_GROUP_RAID5 | BTRFS_BLOCK_GROUP_RAID6 |
BTRFS_BLOCK_GROUP_RAID10 |
BTRFS_BLOCK_GROUP_DUP)) {
/* we limit the length of each bio to what fits in a stripe */
*length = min_t(u64, ce->size - offset,
map->stripe_len - stripe_offset);
} else {
*length = ce->size - offset;
}
This means, if the chunk is SINGLE profile, then we don't limit the
returned length at all, and even for other profiles, we can still return
a length much larger than the requested one.
[FIX]
Properly clamp the returned length, preventing it from returning a much
larger range than expected.
Reported-by: Andreas Schwab <schwab@linux-m68k.org>
Signed-off-by: Qu Wenruo <wqu@suse.com>
This converts 1 usage of this option to the non-SPL form, since there is
no SPL_FS_EROFS defined in Kconfig
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Huang Jianan <jnhuang95@gmail.com>
Sometimes it is useful to log things related to filesystems. Add a new
category and place it at the top of one of the FAT files.
Signed-off-by: Simon Glass <sjg@chromium.org>
UEFI applications call file system functions to determine if a file exists.
The return codes are evaluated to show appropriate messages.
U-Boot's file system layer should not interfere with the output.
Rename file_fat_read_at() to fat_read_file() adjusting the parameter
sequence and names and eliminate the old wrapper function.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Update the zstd implementation to match Linux zstd 1.5.2 from commit
2aa14b1ab2.
This was motivated by running into decompression corruption issues when
trying to uncompress files compressed with newer versions of zstd. zstd
users also claim significantly improved decompression times with newer
zstd versions which is a side benefit.
Original zstd code was copied from Linux commit 2aa14b1ab2 which is a
custom-built implementation based on zstd 1.3.1. Linux switched to an
implementation that is a copy of the upstream zstd code in Linux commit
e0c1b49f5b, this results in a large code diff. However this should make
future updates easier along with other benefits[1].
This commit is a straight mirror of the Linux zstd code, except to:
- update a few #include that do not translate cleanly
- linux/swab.h -> asm/byteorder.h
- linux/limits.h -> linux/kernel.h
- linux/module.h -> linux/compat.h
- remove assert() from debug.h so it doesn't conflict with u-boot's
assert()
- strip out the compressor code as was done in the previous u-boot zstd
- update existing zstd users to the new Linux zstd API
- change the #define for MEM_STATIC to use INLINE_KEYWORD for codesize
- add a new KConfig option that sets zstd build options to minify code
based on zstd's ZSTD_LIB_MINIFY[2].
These changes were tested by booting a zstd 1.5.2 compressed kernel inside a
FIT. And the squashfs changes by loading a file from zstd compressed squashfs
with sqfsload. buildman was used to compile test other boards and check for
binary bloat, as follows:
> $ buildman -b zstd2 --boards dh_imx6,m53menlo,mvebu_espressobin-88f3720,sandbox,sandbox64,stm32mp15_dhcom_basic,stm32mp15_dhcor_basic,turris_mox,turris_omnia -sS
> Summary of 6 commits for 9 boards (8 threads, 1 job per thread)
> 01: Merge branch '2023-01-10-platform-updates'
> arm: w+ m53menlo dh_imx6
> 02: lib: zstd: update to latest Linux zstd 1.5.2
> aarch64: (for 2/2 boards) all -3186.0 rodata +920.0 text -4106.0
> arm: (for 5/5 boards) all +1254.4 rodata +940.0 text +314.4
> sandbox: (for 2/2 boards) all -4452.0 data -16.0 rodata +640.0 text -5076.0
[1] e0c1b49f5b
[2] f302ad8811/lib/libzstd.mk (L31)
Signed-off-by: Brandon Maier <brandon.maier@collins.com>
[trini: Set ret to -EINVAL for the error of "failed to detect
compressed" to fix warning, drop ZSTD_SRCSIZEHINT_MAX for non-Linux host
tool builds]
Signed-off-by: Tom Rini <trini@konsulko.com>
[BUG]
Since btrfs supports single device RAID0 at mkfs time after btrfs-progs
v5.14, if we create a single device raid0 btrfs, and created a file
crossing stripe boundary:
# mkfs.btrfs -m dup -d raid0 test.img
# mount test.img mnt
# xfs_io -f -c "pwrite 0 128K" mnt/file
# umount mnt
Since btrfs is using 64K as stripe length, above 128K data write is
definitely going to cross at least one stripe boundary.
Then u-boot would fail to read above 128K file:
=> host bind 0 /home/adam/test.img
=> ls host 0
< > 131072 Fri Dec 30 00:18:25 2022 file
=> load host 0 0 file
BTRFS: An error occurred while reading file file
Failed to load 'file'
[CAUSE]
Unlike tree blocks read, data extent reads doesn't consider cases in which
one data extent can cross stripe boundary.
In read_data_extent(), we just call btrfs_map_block() once and read the
first mapped range.
And if the first mapped range is smaller than the desired range, it
would return error.
But since even single device btrfs can utilize RAID0 profiles, the first
mapped range can only be at most 64K for RAID0 profiles, and cause false
error.
[FIX]
Just like read_whole_eb(), we should call btrfs_map_block() in a loop
until we read all data.
Since we're here, also add extra error messages for the following cases:
- btrfs_map_block() failure
We already have the error message for it.
- Missing device
This should not happen, as we only support single device for now.
- __btrfs_devread() failure
With this bug fixed, btrfs driver of u-boot can properly read the above
128K file, and have the correct content:
=> host bind 0 /home/adam/test.img
=> ls host 0
< > 131072 Fri Dec 30 00:18:25 2022 file
=> load host 0 0 file
131072 bytes read in 0 ms
=> md5sum 0 0x20000
md5 for 00000000 ... 0001ffff ==> d48858312a922db7eb86377f638dbc9f
^^^ Above md5sum also matches.
Reported-by: Sam Winchenbach <swichenbach@tethers.com>
Signed-off-by: Qu Wenruo <wqu@suse.com>
For a squashfs filesystem, the fragment table is followed by
the following tables: NFS export table, ID table, xattr table.
The export and xattr tables are both completely optional, but
the ID table is mandatory. The Linux implementation refuses to
mount the image if the ID table is missing. Tables that are no
present have their location in the super block set
to 0xFFFFFFFFFFFFFFFF.
The u-boot implementation previously assumed that it can always
rely on the export table location as an upper bound for the fragment
table, trying (and failing) to read past filesystem bounds if it
is not present.
This patch changes the driver to use the ID table instead and only
use the export table location if it lies between the two.
Signed-off-by: David Oberhollenzer <goliath@infraroot.at>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
When compling for x86:
u-boot/fs/squashfs/sqfs.c:90: undefined reference to `__udivmoddi4'
Signed-off-by: Kasper Revsbech <kasper.revsbech.ext@siemensgamesa.com>
Tested-by: Sean Nyekjaer <sean@geanix.com>
The 'depth_dirname', 'ptr', 'parent_inode' and 'first_inode' pointers
may be null. Thus, it is necessary to check them before using free() to
avoid free(NULL) cases.
Fixes: 934b14f2bb ("ext4: free allocations by parse_path()")
Signed-off-by: Mikhail Ilin <ilin.mikhail.ol@gmail.com>
Debug dump logs are not always required. Add a new config option
UBIFS_SILENCE_DEBUG_DUMP to silence all debug dumps. On powerpc/mpc85xx
when enabled this will decrease size of U-Boot binary by 11 kB.
Signed-off-by: Pali Rohár <pali@kernel.org>
Tested-by: Tony Dinh <mibodhi@gmail.com>
Move the symbol SYS_JFFS2_SORT_FRAGMENTS to Kconfig and use the only
remaining part of doc/README.JFFS2 that is still relevant and useful to
the help for this option.
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
When looking for a filesystem on a partition we should do so quietly. At
present if the filesystem is very small (e.g. 512 bytes) we get a host of
messages.
Update these to only show when debugging.
Signed-off-by: Simon Glass <sjg@chromium.org>
This line probably got in by mistake as there is no fs_mutex member in
the btrfs_fs_info struct.
Signed-off-by: Pankaj Raghav <p.raghav@samsung.com>
Reviewed-by: Qu Wenruo <wqu@suse.com>
Globally replace all occurances of WATCHDOG_RESET() with schedule(),
which handles the HW_WATCHDOG functionality and the cyclic
infrastructure.
Signed-off-by: Stefan Roese <sr@denx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Tested-by: Tom Rini <trini@konsulko.com> [am335x_evm, mx6cuboxi, rpi_3,dra7xx_evm, pine64_plus, am65x_evm, j721e_evm]
At present we use HAVE_BLOCK_DEVICE to indicate when block devices are
available.
This is a very strange option, since it partially duplicates the BLK
option used by driver model. It also covers both U-Boot proper and SPL,
even though one might have block devices and another not.
As a first step towards correcting this, create a new inline function
called blk_enabled() which indicates if block devices are available.
This cannot be used in Makefiles, or #if clauses, but can be used in C
code.
A function is useful because we cannot use CONFIG_IS_ENABLED(BLK) to
decide if block devices are needed, since we must consider the legacy
block interface, enabled by HAVE_BLOCK_DEVICE
Update a few places where it can be used and drop some unnecessary #if
checks around some functions in disk/part.c - rely on the compiler's
dead-code elimination instead.
Signed-off-by: Simon Glass <sjg@chromium.org>
This patch integrates the main function responsible for calling all
registered cyclic functions cyclic_run() into the common WATCHDOG_RESET
macro. This guarantees that cyclic_run() is executed very often, which
is necessary for the cyclic functions to get scheduled and executed at
their configured periods.
If CONFIG_WATCHDOG is not enabled, only cyclic_run() without calling
watchdog_reset(). This guarantees that the cyclic functionality does not
rely on CONFIG_WATCHDOG being enabled.
Signed-off-by: Stefan Roese <sr@denx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
fs_set_blk_dev() probes all file-systems until it finds one that matches
the volume. We do not expect any console output for non-matching
file-systems.
Convert error messages in erofs_read_superblock() to debug output.
Fixes: 830613f8f5 ("fs/erofs: add erofs filesystem support")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Huang Jianan <jnhuang95@gmail.com>
A large number of files include <flash.h> as it used to be how various
SPI flash related functions were found, or for other reasons entirely.
In order to migrate some further CONFIG symbols to Kconfig we need to
not include flash.h in cases where we don't have a NOR flash of some
sort enabled. Furthermore, in cases where we are in common code and it
doesn't make sense to try and further refactor the code itself in to new
files we need to guard this inclusion.
Signed-off-by: Tom Rini <trini@konsulko.com>
Fix diacritics in some instances of my name and change my e-mail address
to kabel@kernel.org.
Add corresponding .mailmap entries.
Signed-off-by: Marek Behún <kabel@kernel.org>
Reviewed-by: Stefan Roese <sr@denx.de>
U-Boot does not implement down_write_trylock() and its stub always returns
true that lock was acquired. Therefore ubifs_assert_cmt_locked() assert
currently always fails.
Fix this issue by redefining ubifs_assert_cmt_locked() to just empty stub
as there is nothing to assert.
Signed-off-by: Pali Rohár <pali@kernel.org>
Original ubifs code was designed that after ubifs_umount() call it is
required to also call ubi_close_volume() which closes underlying UBI
volume. But U-Boot ubifs modification have not implemented it properly
which caused that ubifsumount command contains resource leak. It can be
observed by calling simple sequence of commands:
=> ubi part mtd2
ubi0: attaching mtd2
...
=> ubifsmount ubi0
=> ubifsumount
Unmounting UBIFS volume rootfs!
=> ubi detach
ubi0 error: ubi_detach_mtd_dev: ubi0 reference count 1, destroy anyway
ubi0: detaching mtd2
ubi0: mtd2 is detached
Fix this issue by calling ubi_close_volume() and mutex_unlock() in
directly in ubifs_umount() function before freeing U-Boot's global
ubifs_sb. And remove duplicate calls of these two functions in remaining
places. Note that when ubifs_umount() is not called then during error
handling is still needed to call ubi_close_volume() and mutex_unlock.
With this change ubifsumount command does not throw that error anymore:
=> ubi part rootfs
ubi0: attaching mtd2
...
=> ubifsmount ubi0
=> ubifsumount
Unmounting UBIFS volume rootfs!
=> ubi detach
ubi0: detaching mtd2
ubi0: mtd2 is detached
Signed-off-by: Pali Rohár <pali@kernel.org>
Tighten up symbol dependencies in a number of places. Ensure that a SPL
specific option has at least a direct dependency on SPL. In places
where it's clear that we depend on something more specific, use that
dependency instead. This means in a very small number of places we can
drop redundant dependencies.
Reported-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Tom Rini <trini@konsulko.com>
A crafted squashfs image could embed a huge number of empty metadata
blocks in order to make the amount of malloc()'d memory overflow and be
much smaller than expected. Because of this flaw, any random code
positioned at the right location in the squashfs image could be memcpy'd
from the squashfs structures into U-Boot code location while trying to
access the rearmost blocks, before being executed.
In order to prevent this vulnerability from being exploited in eg. a
secure boot environment, let's add a check over the amount of data
that is going to be allocated. Such a check could look like:
if (!elem_size || n > SIZE_MAX / elem_size)
return NULL;
The right way to do it would be to enhance the calloc() implementation
but this is quite an impacting change for such a small fix. Another
solution would be to add the check before the malloc call in the
squashfs implementation, but this does not look right. So for now, let's
use the kcalloc() compatibility function from Linux, which has this
check.
Fixes: c510061303 ("fs/squashfs: new filesystem")
Reported-by: Tatsuhiko Yasumatsu <Tatsuhiko.Yasumatsu@sony.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Tested-by: Tatsuhiko Yasumatsu <Tatsuhiko.Yasumatsu@sony.com>
Following Jincheng's report, an out-of-band write leading to arbitrary
code execution is possible because on one side the squashfs logic
accepts directory names up to 65535 bytes (u16), while U-Boot fs logic
accepts directory names up to 255 bytes long.
Prevent such an exploit from happening by capping directory name sizes
to 255. Use a define for this purpose so that developers can link the
limitation to its source and eventually kill it some day by dynamically
allocating this array (if ever desired).
Link: https://lore.kernel.org/all/CALO=DHFB+yBoXxVr5KcsK0iFdg+e7ywko4-e+72kjbcS8JBfPw@mail.gmail.com
Reported-by: Jincheng Wang <jc.w4ng@gmail.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Tested-by: Jincheng Wang <jc.w4ng@gmail.com>
Setting sblk = NULL has no effect on the caller.
We want to set *sblk = NULL if an error occurrs to avoid usage after free.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
After returning if ret <= 0 we know that ret > 0. No need to check it.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: Anand Jain <anand.jain>