| Age | Commit message (Collapse) | Author |
|---|
|
Prepare v2025.04-rc5
|
|
Ben reports a failure to boot the kernel on hardware that starts its
physical memory from 0x0.
The reason is that lmb_alloc_addr(), which is supposed to reserve a
specific address, takes the address as the first argument, but then also
returns the address for success or failure and treats 0 as a failure.
Since we already know the address change the prototype to return an int.
Reported-by: Ben Schneider <[email protected]>
Signed-off-by: Ilias Apalodimas <[email protected]>
Tested-by: Ben Schneider <[email protected]>
Reviewed-by: Sughosh Ganu <[email protected]>
|
|
This uses Heinrich's merge of lib/efi_loader/efi_net.c which results in
no changes.
|
|
EFI_FILE_PROTOCOL.SetInfo()."
Gabriel Dalimonte <[email protected]> says:
This series adds support for file renaming to EFI_FILE_PROTOCOL.SetInfo().
One of the use cases for renaming in EFI is to facilitate boot loader
boot counting.
No existing filesystems in U-Boot currently include file renaming,
resulting in support for renaming at the filesystem level and a
concrete implementation for the FAT filesystem.
Link: https://lore.kernel.org/r/[email protected]
|
|
POSIX filesystem functions that create or remove directory entries contain
text along the lines of "[function] shall mark for update the last data
modification and last file status change timestamps of the parent
directory of each file." [1][2][3] The common theme is these timestamp
updates occur when a directory entry is added or removed. The
create_link() and delete_dentry_link() functions have been changed to
update the modification timestamp on the directory where the direntry
change occurs. This differs slightly from Linux in the case of rename(),
where Linux will not update `new_path`'s parent directory's timestamp if
it is replacing an existing file. (via `vfat_add_entry` [4])
The timestamps are not updated if the build configuration does not support
RTCs. This is an effort to minimize introducing erratic timestamps where
they would go from [current date] -> 2000-01-01 (error timestamp in the
FAT driver). I would assume an unchanged timestamp would be more valuable
than a default timestamp in these cases.
[1] https://pubs.opengroup.org/onlinepubs/9799919799/functions/rename.html
[2] https://pubs.opengroup.org/onlinepubs/9799919799/functions/unlink.html
[3] https://pubs.opengroup.org/onlinepubs/9799919799/functions/open.html
[4] https://elixir.bootlin.com/linux/v6.12.6/source/fs/fat/namei_vfat.c#L682
Signed-off-by: Gabriel Dalimonte <[email protected]>
|
|
The implementation roughly follows the POSIX specification for
rename() [1]. The ordering of operations attempting to minimize the chance
for data loss in unexpected circumstances.
The 'mv' command was implemented as a front end for the rename operation
as that is what most users are likely familiar with in terms of behavior.
The 'FAT_RENAME' Kconfig option was added to prevent code size increase on
size-oriented builds like SPL.
[1] https://pubs.opengroup.org/onlinepubs/9799919799/functions/rename.html
Signed-off-by: Gabriel Dalimonte <[email protected]>
|
|
The selection for *rename as the name for the rename/move operation
derives from the POSIX specification where they name the function
rename/renameat. [1] This aligns with Linux where the syscalls for
renaming/moving also use the rename/renameat naming.
[1] https://pubs.opengroup.org/onlinepubs/9799919799/functions/rename.html
Signed-off-by: Gabriel Dalimonte <[email protected]>
Acked-by: Ilias Apalodimas <[email protected]>
|
|
The create_link() code was previously duplicated in two existing functions.
The two functions will be used in a future commit to achieve renaming.
Signed-off-by: Gabriel Dalimonte <[email protected]>
|
|
In case MAX_SYMLINK_NEST is reached while determining the size
on a symlink node, the function returns immediately.
This would not free the resources after the free_strings: label
causing a memory leak.
Set the ret value and just break out of the switch to fix this.
Signed-off-by: Andrea della Porta <[email protected]>
Reviewed-by: Miquel Raynal <[email protected]>
|
|
The length of buffers used to read inode tables, directory tables, and
reading a file are calculated as: number of blocks * block size, and
such plain multiplication is prone to overflowing (thus unsafe).
Replace it by __builtin_mul_overflow, i.e. safe math.
Signed-off-by: Joao Marcos Costa <[email protected]>
|
|
See the original report [1], otherwise len + 1 will be overflowed.
Note that EROFS archive can record arbitary symlink sizes in principle,
so we don't assume a short number like 4096.
[1] https://lore.kernel.org/r/20250210164151.GN1233568@bill-the-cat
Fixes: 830613f8f5bb ("fs/erofs: add erofs filesystem support")
Signed-off-by: Gao Xiang <[email protected]>
|
|
Variable self assignment has been found by clang. But Linux kernel already
fixed this problem by commit 2a068daf5742 ("ubifs: Remove unnecessary
assignment") and commit ae4c8081eb77 ("ubifs: remove unnecessary
assignment").
Signed-off-by: Michal Simek <[email protected]>
Reviewed-by: Alexander Dahl <[email protected]>
Reviewed-by: Michael Trimarchi <[email protected]>
Reviewed-by: Heiko Schocher <[email protected]>
|
|
Upstream development stopped 2012.
Linux eliminated YAFFS2 in 2010.
Signed-off-by: Heinrich Schuchardt <[email protected]>
Reviewed-by: Marek Vasut <[email protected]>
Reviewed-by: Tom Rini <[email protected]>
|
|
A squashfs filesystem with extended attributes (xattrs) may have
inodes of type SQFS_LSYMLINK_TYPE. This might cause u-boot to fail to
handle the filesystem since it assumes a SYMLINK_TYPE and LSYMLINK_TYPE
inode are the same size. This is wrong, see:
https://github.com/plougher/squashfs-tools/blob/master/squashfs-tools/read_fs.c#L421
Using the mksquashfs '-no-xattrs' argument is probably best, but the
mksquashfs '-xattrs' argument is the default.
This patch fixes squashfs image handling by making sure parsing the
uncompressed inode_table (with sqfs_find_inode) succeeeds. The only change
needed is correctly determining the size of a SQFS_LSYMLINK_TYPE inode.
Signed-off-by: Norbert van Bolhuis <[email protected]>
|
|
lmb_alloc_addr() is just calling lmb_alloc_addr_flags() with LMB_NONE
There's not much we gain from this abstraction, so let's remove the
latter, add a flags argument to lmb_alloc_addr() and make the code a
bit easier to follow.
Reviewed-by: Sam Protsenko <[email protected]>
Tested-by: Sam Protsenko <[email protected]>
Signed-off-by: Ilias Apalodimas <[email protected]>
|
|
The comment above fs_read_alloc() explains:
@align: Alignment to use for memory allocation (0 for default)
However, in the actual implementation, there is no alignment when @align is
zero.
This current default is probably fine for most cases. But for some block
devices which transfer data via DMA, ARCH_DMA_MINALIGN is needed.
Change the default alignment to ARCH_DMA_MINALIGN.
Fixes: de7b5a8a1ac0 ("fs: Create functions to load and allocate a file")
Signed-off-by: Nam Cao <[email protected]>
Tested-by: Javier Fernandez Pastrana <[email protected]>
|
|
Running commands such as 'load mmc 2:1 $addr $path' when path does not
exists will print an error twice if the file does not exist, e.g.:
```
Cannot lookup file boot/boot.scr
Failed to load 'boot/boot.scr'
```
(where the first line is printed by btrfs and the second by common fs
code)
Historically other filesystems such as ext4 or fat have not been
printing a message here, so do the same here to avoid duplicate.
The other error messages in this function are also somewhat redundant,
but bring useful diagnostics if they happen somewhere, so have been left
as printf.
Note that if a user wants no message to be printed for optional file
loads, they have to check for file existence first with other commands
such as 'size'.
Signed-off-by: Dominique Martinet <[email protected]>
Reviewed-by: Qu Wenruo <[email protected]>
|
|
After calling strdup() check the returned pointer.
Avoid a memory leak if the directory is not found.
Reported-by: Michael Nazzareno Trimarchi <[email protected]>
Fixes: 22fdac381f98 ("fs: ext4: implement opendir, readdir, closedir")
Signed-off-by: Heinrich Schuchardt <[email protected]>
Reviewed-by: Ilias Apalodimas <[email protected]>
|
|
Now that opendir, readir, closedir are implemented for ext4 we can use
fs_ls_generic() for implementing the ls command.
Adjust the unit tests:
* fs_ls_generic() produces more spaces between file size and name.
* The ext4 specific message "** Can not find directory. **\n" is not
written anymore.
Signed-off-by: Heinrich Schuchardt <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
For accessing directories from the EFI sub-system a file system must
implement opendir, readdir, closedir. Provide the missing implementation.
With this patch the eficonfig command can be used to define load options
for the ext4 file system.
Signed-off-by: Heinrich Schuchardt <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
The directory retrieved in ext4fs_exists() should be freed to avoid a
memory leak.
Signed-off-by: Heinrich Schuchardt <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
Reviewed-by: Michael Trimarchi <[email protected]>
Reviewed-by: Ilias Apalodimas <[email protected]>
|
|
Remove copying a pointer with a cast to the very same type.
Signed-off-by: Heinrich Schuchardt <[email protected]>
Reviewed-by: Michael Trimarchi <[email protected]>
Reviewed-by: Ilias Apalodimas <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Prior to commit 29caf9305b6f ("cyclic: Use schedule() instead of
WATCHDOG_RESET()") we had
/* Currently only needed for fs/cramfs/uncompress.c */
static inline void watchdog_reset_func(void)
{
WATCHDOG_RESET();
}
and .outcb was set to that watchdog_reset_func(). Said commit changed
that .outcb to cyclic_run instead of schedule, which would otherwise
match all the other WATCHDOG_RESET replacements done. As the
HW_WATCHDOG case is not handled by cyclic_run, this seems to be an
oversight.
Signed-off-by: Rasmus Villemoes <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
Reviewed-by: Stefan Roese <[email protected]>
|
|
Simon Glass <[email protected]> says:
When the SPL build-phase was first created it was designed to solve a
particular problem (the need to init SDRAM so that U-Boot proper could
be loaded). It has since expanded to become an important part of U-Boot,
with three phases now present: TPL, VPL and SPL
Due to this history, the term 'SPL' is used to mean both a particular
phase (the one before U-Boot proper) and all the non-proper phases.
This has become confusing.
For a similar reason CONFIG_SPL_BUILD is set to 'y' for all 'SPL'
phases, not just SPL. So code which can only be compiled for actual SPL,
for example, must use something like this:
#if defined(CONFIG_SPL_BUILD) && !defined(CONFIG_TPL_BUILD)
In Makefiles we have similar issues. SPL_ has been used as a variable
which expands to either SPL_ or nothing, to chose between options like
CONFIG_BLK and CONFIG_SPL_BLK. When TPL appeared, a new SPL_TPL variable
was created which expanded to 'SPL_', 'TPL_' or nothing. Later it was
updated to support 'VPL_' as well.
This series starts a change in terminology and usage to resolve the
above issues:
- The word 'xPL' is used instead of 'SPL' to mean a non-proper build
- A new CONFIG_XPL_BUILD define indicates that the current build is an
'xPL' build
- The existing CONFIG_SPL_BUILD is changed to mean SPL; it is not now
defined for TPL and VPL phases
- The existing SPL_ Makefile variable is renamed to SPL_
- The existing SPL_TPL Makefile variable is renamed to PHASE_
It should be noted that xpl_phase() can generally be used instead of
the above CONFIGs without a code-space or run-time penalty.
This series does not attempt to convert all of U-Boot to use this new
terminology but it makes a start. In particular, renaming spl.h and
common/spl seems like a bridge too far at this point.
The series is fully bisectable. It has also been checked to ensure there
are no code-size changes on any commit.
|
|
Use PHASE_ as the symbol to select a particular XPL build. This means
that SPL_TPL_ is no-longer set.
Update the comment in bootstage to refer to this symbol, instead of
SPL_
Signed-off-by: Simon Glass <[email protected]>
|
|
Use XPL_ as the symbol to indicate an SPL build. This means that SPL_ is
no-longer set.
Signed-off-by: Simon Glass <[email protected]>
|
|
Complete this rename for all directories outside arch/ board/ drivers/
and include/
Use the new symbol to refer to any 'SPL' build, including TPL and VPL
Signed-off-by: Simon Glass <[email protected]>
|
|
When SPL_FS_LOADER is set to y and FS_LOADER is not enabled, the SPL build
fails with the following errors:
AR spl/boot/built-in.o
LD spl/u-boot-spl
arm-none-linux-gnueabihf-ld.bfd: drivers/misc/fs_loader.o: in function
`fw_get_filesystem_firmware':
/u-boot/drivers/misc/fs_loader.c:162: undefined reference to
`fs_set_blk_dev'
arm-none-linux-gnueabihf-ld.bfd: /home/frh/tdx/src/u-boot/drivers/misc/
fs_loader.c:185: undefined reference to `fs_read'
arm-none-linux-gnueabihf-ld.bfd: drivers/misc/fs_loader.o: in function
`select_fs_dev':
/u-boot/drivers/misc/fs_loader.c:89: undefined reference to
`fs_set_blk_dev_with_part'
make[1]: *** [scripts/Makefile.spl:527: spl/u-boot-spl] Error 1
make: *** [Makefile:2055: spl/u-boot-spl] Error 2
Fix it by replacing the FS_LOADER with SPL_FS_LOADER in the Makefile, so
the fs.c with the necessary function definitions are compiled.
Fixes: b071a07743d4 ("drivers: misc: Makefile: Enable fs_loader compilation at SPL Level")
Suggested-by: Francesco Dolcini <[email protected]>
Signed-off-by: Hiago De Franco <[email protected]>
Signed-off-by: Francesco Dolcini <[email protected]>
|
|
Move this header to include/u-boot/ so that it can be used by external
tools.
Reviewed-by: Ilias Apalodimas <[email protected]>
Signed-off-by: Caleb Connolly <[email protected]>
|
|
Sughosh Ganu <[email protected]> says:
This is a follow-up from an earlier RFC series [1] for making the LMB
and EFI memory allocations work together. This is a non-rfc version
with only the LMB part of the patches, for making the LMB memory map
global and persistent.
This is part one of a set of patches which aim to have the LMB and EFI
memory allocations work together. This requires making the LMB memory
map global and persistent, instead of having local, caller specific
maps. This is being done keeping in mind the usage of LMB memory by
platforms where the same memory region can be used to load multiple
different images. What is not allowed is to overwrite memory that has
been allocated by the other module, currently the EFI memory
module. This is being achieved by introducing a new flag,
LMB_NOOVERWRITE, which represents memory which cannot be re-requested
once allocated.
The data structures (alloced lists) required for maintaining the LMB
map are initialised during board init. The LMB module is enabled by
default for the main U-Boot image, while it needs to be enabled for
SPL. This version also uses a stack implementation, as suggested by
Simon Glass to temporarily store the lmb structure instance which is
used during normal operation when running lmb tests. This does away
with the need to run the lmb tests separately.
The tests have been tweaked where needed because of these changes.
The second part of the patches, to be sent subsequently, would work on
having the EFI allocations work with the LMB API's.
[1] - https://lore.kernel.org/u-boot/[email protected]/T/#t
Notes:
1) These patches are on next, as the alist patches have been
applied to that branch.
2) I have tested the boot on the ST DK2 board, but it would be good to
get a T-b/R-b from the ST maintainers.
3) It will be good to test these changes on a PowerPC platform
(ideally an 85xx, as I do not have one).
|
|
With the changes to make the LMB reservations persistent, the common
memory regions are being added during board init. Remove the
now superfluous lmb_init_and_reserve() function.
Signed-off-by: Sughosh Ganu <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
Reviewed-by: Ilias Apalodimas <[email protected]>
|
|
With the introduction of separate config symbols for the SPL phase of
U-Boot, the condition checks need to be tweaked so that platforms that
enable the LMB module in SPL are also able to call the LMB API's. Use
the appropriate condition checks to achieve this.
Signed-off-by: Sughosh Ganu <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
Reviewed-by: Ilias Apalodimas <[email protected]>
|
|
The current LMB API's for allocating and reserving memory use a
per-caller based memory view. Memory allocated by a caller can then be
overwritten by another caller. Make these allocations and reservations
persistent using the alloced list data structure.
Two alloced lists are declared -- one for the available(free) memory,
and one for the used memory. Once full, the list can then be extended
at runtime.
[sjg: Use a stack to store pointer of lmb struct when running lmb tests]
Signed-off-by: Sughosh Ganu <[email protected]>
Signed-off-by: Simon Glass <[email protected]>
[sjg: Optimise the logic to add a region in lmb_add_region_flags()]
|
|
Use the API function list_count_nodes() to count the number of list
entries.
Signed-off-by: Sughosh Ganu <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
|
|
Prepare v2024.10-rc3
|
|
Currently, zalloc() calls uncondtionally memset(),
if the allocation failes, memset() will write to a null pointer.
Fix by using kzalloc().
Signed-off-by: Richard Weinberger <[email protected]>
Reviewed-by: Heinrich Schuchardt <[email protected]>
|
|
While zalloc() takes a size_t type, adding 1 to the le32 variable
will overflow.
A carefully crafted ext4 filesystem can exhibit an inode size of 0xffffffff
and as consequence zalloc() will do a zero allocation.
Later in the function the inode size is again used for copying data.
So an attacker can overwrite memory.
Avoid the overflow by using the __builtin_add_overflow() helper.
Signed-off-by: Richard Weinberger <[email protected]>
|
|
res needs to be large enough to store both strings rem and target,
plus the path separator and the terminator.
Currently the space for the path separator is not accounted, so
the heap is corrupted by one byte.
Signed-off-by: Richard Weinberger <[email protected]>
Reviewed-by: Miquel Raynal <[email protected]>
|
|
The squashfs driver blindly follows symlinks, and calls sqfs_size()
recursively. So an attacker can create a crafted filesystem and with
a deep enough nesting level a stack overflow can be achieved.
Fix by limiting the nesting level to 8.
Signed-off-by: Richard Weinberger <[email protected]>
Reviewed-by: Miquel Raynal <[email protected]>
|
|
The function can fail and return NULL.
Signed-off-by: Richard Weinberger <[email protected]>
Reviewed-by: Miquel Raynal <[email protected]>
|
|
A carefully crafted squashfs filesystem can exhibit an extremly large
inode size and overflow the calculation in sqfs_inode_size().
As a consequence, the squashfs driver will read from wrong locations.
Fix by using __builtin_add_overflow() to detect the overflow.
Signed-off-by: Richard Weinberger <[email protected]>
Reviewed-by: Miquel Raynal <[email protected]>
|
|
A carefully crafted squashfs filesystem can exhibit an inode size of 0xffffffff,
as a consequence malloc() will do a zero allocation.
Later in the function the inode size is again used for copying data.
So an attacker can overwrite memory.
Avoid the overflow by using the __builtin_add_overflow() helper.
Signed-off-by: Richard Weinberger <[email protected]>
Reviewed-by: Miquel Raynal <[email protected]>
|
|
Evaluate the filesystem incompat and ro_compat bit fields to judge
whether the filesystem can be read or written.
For the read side only a scary warning is shown so far.
I'd love to abort mounting too, but I fear this will break some setups
where the driver works by chance.
Signed-off-by: Richard Weinberger <[email protected]>
|
|
The inode should be freed after a reference is get to avoid
memory leak
Tested-by: Alexander Dahl <[email protected]>
Link: https://lore.kernel.org/u-boot/[email protected]/T/#t
Link: https://lore.kernel.org/all/[email protected]/T/
Co-developed-by: Heiko Schocher <[email protected]>
Signed-off-by: Michael Trimarchi <[email protected]>
|
|
When kernel uses file system encryption, fscrypt on UBIFS v5,
after a hard power cycle UBIFS journal replay fails which results in mount failure.
Failure logs:
UBIFS: recovery needed
UBIFS error (pid 0): ubifs_validate_entry: bad directory entry node
UBIFS error (pid 0): replay_bud: bad node is at LEB 890:24576
UBIFS error (pid 0): ubifs_mount: Error reading superblock on volume 'ubi0:rootfs' errno=-22!
This change is ported from kernel:
commit id: 304790c038bc4af4f19774705409db27eafb09fc
Kernel commit description:
Kernel commit description:
ubifs: Relax checks in ubifs_validate_entry()
With encrypted filenames we store raw binary data, doing
string tests is no longer possible.
Signed-off-by: rminnikanti <[email protected]>
Reviewed-by: Heiko Schocher <[email protected]>
|
|
Safety guard in the U-Boot filesystem glue code, because these functions
are called from different parts of the codebase. For generic filesystem
handling this should have been checked in blk_get_device_part_str()
already. Commands from cmd/ubifs.c should also check this before
calling those functions, but you never know?!
Signed-off-by: Alexander Dahl <[email protected]>
|
|
Although kfree() is in fact only a slim wrapper to free() in U-Boot, use
kfree() here, because those structs where allocated with kalloc() or
kzalloc().
Signed-off-by: Alexander Dahl <[email protected]>
|
|
Global superblock pointer 'ubifs_sb' and volume pointer 'ubi' of type
struct ubi_volume_desc in private member sb->s_fs_info of type struct
ubifs_info, can be allocated and freed at runtime, and allocated and
freed again, depending which console or script commands are run. In
some cases ubifs_sb is even tested to determine if the filesystem is
mounted. Reset those pointers to NULL after free to clearly mark them
as not valid. This avoids potential double free on invalid pointers.
(The ubifs_sb pointer was already reset, but that statement was moved
now to directly after the free() to make it easier to understand.)
Signed-off-by: Alexander Dahl <[email protected]>
|
|
When mounting ubifs e.g. through command 'ubifsmount' one global static
superblock 'ubifs_sb' is used _and_ the requested volume is opened (like
in Linux). The pointer returned by 'ubifs_open_volume()' is stored in
that superblock struct and freed later on cmd 'ubifsumount' or another
call to 'ubifsmount' with a different volume, through ubifs_umount() and
ubi_close_volume().
In ubifs_ls(), ubifs_exists(), ubifs_size(), and ubifs_read() the volume
was opened again, which is technically no problem with regard to
refcounting, but here the still valid pointer in sb was overwritten,
leading to a memory leak. Even worse, when using one of those
functions and calling ubifsumount later, ubi_close_volume() was called
again but now on an already freed pointer, leading to a double free.
This actually crashed with different invalid memory accesses on a board
using the old distro boot and a rather long script handling RAUC
updates.
Example:
> ubi part UBI
> ubifsmount ubi0:boot
> test -e ubi ubi0:boot /boot.scr.uimg
> ubifsumount
The ubifs specific commands 'ubifsls' and 'ubifsload' check for a
mounted volume by themselves, for the generic fs variants 'ls', 'load',
(and 'size', and 'test -e') this is covered by special ubifs handling in
fs_set_blk_dev() and deeper down blk_get_device_part_str() then. So for
ubifs_ls(), ubifs_exists(), ubifs_size(), and ubifs_read() we can be
sure the volume is opened and the necessary struct pointer in sb is
valid, so it is not needed to open volume again.
Fixes: 9eefe2a2b37 ("UBIFS: Implement read-only UBIFS support in U-Boot")
Fixes: 29cc5bcadfc ("ubifs: Add functions for generic fs use")
Signed-off-by: Alexander Dahl <[email protected]>
|
|
The existing API for these functions is different from the rest of
U-Boot, in that any error code must be obtained from the errno variable
on failure. This variable is part of the C library, so accessing it
outside of the special 'sandbox' shim-functions is not ideal.
Adjust the API to return an error code, to avoid this. Update existing
uses to check for any negative value, rather than just -1.
Signed-off-by: Simon Glass <[email protected]>
|
