
Commit 3877f0b6 authored by David Woodhouse's avatar David Woodhouse

[JFFS2] Don't trust node headers before the CRC is checked.



Especially when summary code is used, we can have in-memory data
structures referencing certain nodes without them actually being readable
on the flash. Discard the nodes gracefully in that case, rather than
triggering a BUG().

Signed-off-by: default avatarDavid Woodhouse <dwmw2@infradead.org>
parent 21c8db9e
+34 −28
@@ -343,7 +343,7 @@ free_out:
 * Helper function for jffs2_get_inode_nodes().
 * It is called every time an unknown node is found.
 *
 * Returns: 0 on succes;
 * Returns: 0 on success;
 * 	    1 if the node should be marked obsolete;
 * 	    negative error code on failure.
 */
@@ -354,12 +354,6 @@ static inline int read_unknown(struct jffs2_sb_info *c, struct jffs2_raw_node_re

	un->nodetype = cpu_to_je16(JFFS2_NODE_ACCURATE | je16_to_cpu(un->nodetype));

	if (crc32(0, un, sizeof(struct jffs2_unknown_node) - 4) != je32_to_cpu(un->hdr_crc)) {
		/* Hmmm. This should have been caught at scan time. */
		JFFS2_NOTICE("node header CRC failed at %#08x. But it must have been OK earlier.\n", ref_offset(ref));
		jffs2_dbg_dump_node(c, ref_offset(ref));
		return 1;
	} else {
	switch(je16_to_cpu(un->nodetype) & JFFS2_COMPAT_MASK) {

	case JFFS2_FEATURE_INCOMPAT:
@@ -385,7 +379,6 @@ static inline int read_unknown(struct jffs2_sb_info *c, struct jffs2_raw_node_re
			     je16_to_cpu(un->nodetype), ref_offset(ref));
		return 1;
	}
	}

	return 0;
}
@@ -549,6 +542,18 @@ static int jffs2_get_inode_nodes(struct jffs2_sb_info *c, struct jffs2_inode_inf

		node = (union jffs2_node_union *)bufstart;

		/* No need to mask in the valid bit; it shouldn't be invalid */
		if (je32_to_cpu(node->u.hdr_crc) != crc32(0, node, sizeof(node->u)-4)) {
			JFFS2_NOTICE("Node header CRC failed at %#08x. {%04x,%04x,%08x,%08x}\n",
				     ref_offset(ref), je16_to_cpu(node->u.magic),
				     je16_to_cpu(node->u.nodetype),
				     je32_to_cpu(node->u.totlen),
				     je32_to_cpu(node->u.hdr_crc));
			jffs2_dbg_dump_node(c, ref_offset(ref));
			jffs2_mark_node_obsolete(c, ref);
			goto cont;
		}

		switch (je16_to_cpu(node->u.nodetype)) {

		case JFFS2_NODETYPE_DIRENT:
@@ -606,6 +611,7 @@ static int jffs2_get_inode_nodes(struct jffs2_sb_info *c, struct jffs2_inode_inf
				goto free_out;

		}
	cont:
		spin_lock(&c->erase_completion_lock);
	}