* returning custom error codes in ubi_eba_read_leb()
@ 2014-11-06 8:19 Dan Carpenter
2014-11-25 13:25 ` Artem Bityutskiy
0 siblings, 1 reply; 2+ messages in thread
From: Dan Carpenter @ 2014-11-06 8:19 UTC (permalink / raw)
To: Artem.Bityutskiy; +Cc: linux-mtd
Hello Artem Bityutskiy,
The patch 1e51764a3c2a: "UBIFS: add new flash file system" from Jul
14, 2008, leads to the following static checker warning:
fs/ubifs/scan.c:158 ubifs_start_scan()
error: passing non negative 2 to ERR_PTR
The problem is really in ubi_eba_read_leb().
drivers/mtd/ubi/eba.c
412 err = ubi_io_read_vid_hdr(ubi, pnum, vid_hdr, 1);
413 if (err && err != UBI_IO_BITFLIPS) {
414 if (err > 0) {
415 /*
416 * The header is either absent or corrupted.
417 * The former case means there is a bug -
418 * switch to read-only mode just in case.
419 * The latter case means a real corruption - we
420 * may try to recover data. FIXME: but this is
421 * not implemented.
422 */
423 if (err == UBI_IO_BAD_HDR_EBADMSG ||
424 err == UBI_IO_BAD_HDR) {
425 ubi_warn("corrupted VID header at PEB %d, LEB %d:%d",
426 pnum, vol_id, lnum);
427 err = -EBADMSG;
428 } else
429 ubi_ro_mode(ubi);
On this path we return UBI_IO_FF and UBI_IO_FF_BITFLIPS and it
eventually gets passed to ERR_PTR(). We probably dereference the bad
pointer and oops. At that point we've gone read only so it was already
a bad situation...
430 }
431 goto out_free;
432 } else if (err == UBI_IO_BITFLIPS)
433 scrub = 1;
434
regards,
dan carpenter
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: returning custom error codes in ubi_eba_read_leb()
2014-11-06 8:19 returning custom error codes in ubi_eba_read_leb() Dan Carpenter
@ 2014-11-25 13:25 ` Artem Bityutskiy
0 siblings, 0 replies; 2+ messages in thread
From: Artem Bityutskiy @ 2014-11-25 13:25 UTC (permalink / raw)
To: Dan Carpenter; +Cc: linux-mtd
On Thu, 2014-11-06 at 11:19 +0300, Dan Carpenter wrote:
> Hello Artem Bityutskiy,
>
> The patch 1e51764a3c2a: "UBIFS: add new flash file system" from Jul
> 14, 2008, leads to the following static checker warning:
Thanks, I guess something like this would be the fix.
>From fcef9b2f2fdbff0b61e7de4e32f7ce4d2dce7772 Mon Sep 17 00:00:00 2001
From: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Date: Tue, 25 Nov 2014 11:34:02 +0200
Subject: [PATCH] UBI: do propagate positive error codes up
UBI uses positive function return codes internally, and should not propagate
them up, except in the place this path fixes. Here is the original bug report
from Dan Carpenter:
The problem is really in ubi_eba_read_leb().
drivers/mtd/ubi/eba.c
412 err = ubi_io_read_vid_hdr(ubi, pnum, vid_hdr, 1);
413 if (err && err != UBI_IO_BITFLIPS) {
414 if (err > 0) {
415 /*
416 * The header is either absent or corrupted.
417 * The former case means there is a bug -
418 * switch to read-only mode just in case.
419 * The latter case means a real corruption - we
420 * may try to recover data. FIXME: but this is
421 * not implemented.
422 */
423 if (err == UBI_IO_BAD_HDR_EBADMSG ||
424 err == UBI_IO_BAD_HDR) {
425 ubi_warn("corrupted VID header at PEB %d, LEB %d:%d",
426 pnum, vol_id, lnum);
427 err = -EBADMSG;
428 } else
429 ubi_ro_mode(ubi);
On this path we return UBI_IO_FF and UBI_IO_FF_BITFLIPS and it
eventually gets passed to ERR_PTR(). We probably dereference the bad
pointer and oops. At that point we've gone read only so it was already
a bad situation...
430 }
431 goto out_free;
432 } else if (err == UBI_IO_BITFLIPS)
433 scrub = 1;
434
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
---
drivers/mtd/ubi/eba.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/mtd/ubi/eba.c b/drivers/mtd/ubi/eba.c
index a40020c..b698534 100644
--- a/drivers/mtd/ubi/eba.c
+++ b/drivers/mtd/ubi/eba.c
@@ -426,6 +426,7 @@ retry:
pnum, vol_id, lnum);
err = -EBADMSG;
} else
+ err = -EINVAL;
ubi_ro_mode(ubi);
}
goto out_free;
--
1.9.3
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2014-11-25 13:25 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-11-06 8:19 returning custom error codes in ubi_eba_read_leb() Dan Carpenter
2014-11-25 13:25 ` Artem Bityutskiy
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).