| Age | Commit message (Collapse) | Author |
|---|
|
Refactor the dirty flag handling a little bit so an inline
function is called instead of directly stuffing a value into
the variable.
This allows variable that holds the flag to be completely removed
if its not used i.e. CONFIG_FAT_WIRTE=n
Signed-off-by: Daniel Palmer <[email protected]>
|
|
Richard Genoud <[email protected]> says:
SquashFS has support in U-Boot, but not in SPL.
This series adds the possibility for the SPL to load files from SquashFS
partitions.
This is useful, for instance, when there's a SquashFS rootfs containing
U-Boot binary.
NB: falcon mode is not supported yet.
Link: https://lore.kernel.org/r/[email protected]
|
|
Implement spl_load_image_sqfs() in spl code.
This will be used in MMC to read a file from a squashfs partition.
Also, loosen squashfs read checks on file size by not failing when a
bigger size than the actual file size is requested. (Just read the file)
This is needed for FIT loading, because the length is ALIGNed.
Signed-off-by: Richard Genoud <[email protected]>
Reviewed-by: Miquel Raynal <[email protected]>
Reviewed-by: João Marcos Costa <[email protected]>
|
|
Switch to if (CONFIG_IS_ENABLED()) instead of #if when possible and
remove unnecessary cases.
Signed-off-by: Richard Genoud <[email protected]>
Reviewed-by: Miquel Raynal <[email protected]>
Reviewed-by: João Marcos Costa <[email protected]>
|
|
CONFIG_IS_ENABLED() must be used in place of IS_ENABLED() for config
options that have a _SPL_ counterpart.
Signed-off-by: Richard Genoud <[email protected]>
Reviewed-by: Miquel Raynal <[email protected]>
Reviewed-by: João Marcos Costa <[email protected]>
|
|
Varadarajan Narayanan <[email protected]> says:
The disk_read() and disk_write() functions of the FAT driver use the
blk_dread() and blk_dwrite() respectively. The blk_* APIs read and write
to the devices in terms of the device block size. However, the FAT
driver reads in terms of the device block size (from fat_set_blk_dev and
read_bootsectandvi) and sector size in the rest of the places.
This causes buffer overflows or partial reads when the FAT sector size
is not equal to device block size. Fix this by using blk_dread in
fat_set_blk_dev and read_bootsectandvi instead of disk_read. And update
disk_read/disk_write to handle FAT sector size and block size mismatch.
Tested on
blksz | FAT sector size
------+----------------
4096 | 4096
512 | 512
4096 | 512
512 | 4096
CI test results
---------------
https://github.com/u-boot/u-boot/pull/871
All checks have passed
93 successful checks
No conflicts with base branch
Code size change info
---------------------
arm: (for 1/1 boards) all +32.0 text +32.0
qemu_arm : all +32 text +32
u-boot: add: 0/0, grow: 2/0 bytes: 24/0 (24)
function old new delta
read_bootsectandvi 420 432 +12
fat_set_blk_dev 204 216 +12
aarch64: (for 1/1 boards) all +12.0 rodata -8.0 text +20.0
qemu_arm64 : all +12 rodata -8 text +20
u-boot: add: 0/0, grow: 2/0 bytes: 20/0 (20)
function old new delta
read_bootsectandvi 408 420 +12
fat_set_blk_dev 204 212 +8
aarch64: (for 1/1 boards) all -2.0 data -8.0 rodata +6.0
qcom_qcs9100 : all -2 data -8 rodata +6
u-boot: add: 1/-1, grow: 8/-1 bytes: 708/-224 (484)
function old new delta
disk_rw - 628 +628
read_bootsectandvi 408 428 +20
fat_itr_root 500 520 +20
get_cluster 376 388 +12
set_contents 2076 2084 +8
fat_set_blk_dev 204 212 +8
static.set_fatent_value 536 540 +4
get_fatent 420 424 +4
fat_next_cluster 368 372 +4
disk_read 100 - -100
disk_write 132 8 -124
Link: https://lore.kernel.org/r/[email protected]
|
|
The disk_read() and disk_write() functions of the FAT driver use the
blk_dread() and blk_dwrite() respectively. The blk_* APIs read and write
to the devices in terms of the device block size. However, the FAT
driver reads in terms of the device block size (from fat_set_blk_dev and
read_bootsectandvi) and sector size in the rest of the places.
This causes buffer overflows or partial reads when the FAT sector size
is not equal to device block size. Fix this by using blk_dread in
fat_set_blk_dev and read_bootsectandvi instead of disk_read. And update
disk_read/disk_write to handle FAT sector size and block size mismatch.
Tested on
blksz | FAT sector size
------+----------------
4096 | 4096
512 | 512
4096 | 512
512 | 4096
Signed-off-by: Varadarajan Narayanan <[email protected]>
|
|
Prepare v2026.04-rc3
|
|
sqfs_frag_lookup() reads a 16-bit metadata block header whose lower
15 bits encode the data size. Unlike sqfs_read_metablock() in
sqfs_inode.c, this function does not validate that the decoded size is
within SQFS_METADATA_BLOCK_SIZE (8192). A malformed SquashFS image can
set the size field to any value up to 32767, causing memcpy to write
past the 8192-byte 'entries' heap buffer.
Add the same bounds check used by sqfs_read_metablock(): reject any
metadata block header with SQFS_METADATA_SIZE(header) exceeding
SQFS_METADATA_BLOCK_SIZE.
Found by fuzzing with libFuzzer + AddressSanitizer.
Signed-off-by: Eric Kilmer <[email protected]>
Reviewed-by: Miquel Raynal <[email protected]>
|
|
Remove DECLARE_GLOBAL_DATA_PTR from files where gd is not used, and
drop the unnecessary inclusion of asm/global_data.h.
Headers should be included directly by the files that need them,
rather than indirectly via global_data.h.
Reviewed-by: Patrice Chotard <[email protected]> #STMicroelectronics boards and STM32MP1 ram test driver
Tested-by: Anshul Dalal <[email protected]> #TI boards
Acked-by: Yao Zi <[email protected]> #TH1520
Signed-off-by: Peng Fan <[email protected]>
|
|
This series from Timo tp Preißl <[email protected]> fixes some
(potential) interger overflows in some filesystems by using
__builtin_XXX_overflow helps to catch issues.
Link: https://lore.kernel.org/r/[email protected]
|
|
An integer overflow in gdsize_total calculation could lead
to under-allocation and heap buffer overflow.
Signed-off-by: Timo tp Preißl <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
Reviewed-by: Tom Rini <[email protected]>
|
|
An integer overflow in length calculation could lead to
under-allocation and buffer overcopy.
Signed-off-by: Timo tp Preißl <[email protected]>
Reviewed-by: Tom Rini <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
Reviewed-by: João Marcos Costa <[email protected]>
|
|
An integer overflow in nvlist size calculation could lead
to under-allocation and heap buffer overflow.
Signed-off-by: Timo tp Preißl <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
Reviewed-by: Tom Rini <[email protected]>
|
|
An integer overflow in size calculations could lead to
under-allocation and potential heap buffer overflow.
Signed-off-by: Timo tp Preißl <[email protected]>
Reviewed-by: Simon Glass <[email protected]>
Reviewed-by: Tom Rini <[email protected]>
|
|
If zalloc fails, one needs to free memory previously
allocated in the function. This commit makes sure that
we do not leak any memory.
Signed-off-by: Francois Berder <[email protected]>
Fixes: ed34f34dbaf2 ("ext4fs write support")
Acked-by: Quentin Schulz <[email protected]>
|
|
https://source.denx.de/u-boot/custodians/u-boot-socfpga into next
This pull request brings together a set of fixes and enhancements across
the SoCFPGA platform family, with a focus on MMC/SPL robustness, EFI
boot enablement, and Agilex5 SD/eMMC support.
CI: https://source.denx.de/u-boot/custodians/u-boot-socfpga/-/pipelines/28776
Highlights:
*
SPL / MMC:
o
Fix Kconfig handling for
SYS_MMCSD_RAW_MODE_U_BOOT_USE_PARTITION_TYPE
o
Correct raw sector calculations and respect explicit sector values
when loading U-Boot from MMC in SPL
o
Adjust raw MMC loading logic for SoCFPGA platforms
*
EFI boot:
o
Permit EFI booting on SoCFPGA platforms
o
Disable mkeficapsule tool build for Arria 10 where unsupported
*
Agilex5:
o
Upgrade SDHCI controller from SD4HC to SD6HC
o
Enable MMC and Cadence SDHCI support in defconfig
o
Add dedicated eMMC device tree and defconfig for Agilex5 SoCDK
o
Revert incorrect GPIO configuration for SDIO_SEL
o
Refine U-Boot DT handling for SD and eMMC boot variants
*
SPI:
o
Allow disabling the DesignWare SPI driver in SPL via Kconfig
*
Board / configuration fixes:
o
Enable random MAC address generation for Cyclone V
o
Fix DE0-Nano-SoC boot configuration
o
Remove obsolete or conflicting options from multiple legacy
SoCFPGA defconfigs
|
|
We do not perform a check on the value of getsize in get_fatent to
ensure that it will fit within the allocated buffer. For safety sake,
add a check now and if the value exceeds FATBUFBLOCKS use that value
instead. While not currently actively exploitable, it was in the past so
adding this check is worthwhile.
This addresses CVE-2025-24857 and was originally reported by Harvey
Phillips of Amazon Element55.
Signed-off-by: Tom Rini <[email protected]>
|
|
Building this code on 64bit platforms leads to warnings (and so errors
in CI). Rather than rework the code, as this is a deprecated filesystem,
don't try and disallow building on 64bit hosts.
Signed-off-by: Tom Rini <[email protected]>
|
|
If realloc failed, raw was not freed and thus memory
was leaked.
Signed-off-by: Francois Berder <[email protected]>
|
|
After calling a function that can return an error, the test to detect
that error should use the return value not a different variable. Fix it.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody <[email protected]>
Reviewed-by: Sean Anderson <[email protected]>
Fixes: f676b45151c3 ("fs: Add semihosting filesystem")
|
|
Testing an unsigned variable to be >= 0 will always be true so remove
this redundant test.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody <[email protected]>
Reviewed-by: Quentin Schulz <[email protected]>
|
|
Returning immediately from sqfs_read_nest is not consistent with other
error checks in this function and can lead to memory leaks. Instead use
the unwind goto used elsewhere to ensure that the memory is freed.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody <[email protected]>
Acked-by: Quentin Schulz <[email protected]>
Reviewed-by: Joao Marcos Costa <[email protected]>
|
|
When adding filesystems to the table in fs/fs.c we need to use
CONFIG_IS_ENABLED(FS_xxx) so that we only include references to a given
filesystem when CONFIG_FS_xxx or CONFIG_SPL_FS_xxx or similar are
enabled. Update the filesystems which weren't doing this to follow that
pattern.
Signed-off-by: Tom Rini <[email protected]>
|
|
Add a null check for 'file' before dereferencing it and also rework the
error handling to be a bit more sane.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody <[email protected]>
|
|
The return value from alloc_super can be an error pointer so the error
check needs to detect this as well as checking the pointer for being
NULL.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody <[email protected]>
|
|
Returning directly after buf has been allocated will result in a memory
leak. Instead set the error code and goto the common unwind code to
ensure that buf will be freed before returning.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody <[email protected]>
|
|
Add maximum ext4 journal entries to Kconfig. It is necessary since the
number of journal entries is proportional to disk capacity. For example,
an ext4 4TB HDD partition could require approximately 500 entries.
Signed-off-by: Tony Dinh <[email protected]>
Reviewed-by: Tom Rini <[email protected]>
|
|
Don't invoke ext4fs_deinit() in ext4fs_write() if the failure occurs
during initialization. It would result in a crash since ext4fs_init()
has already done that.
Signed-off-by: Tony Dinh <[email protected]>
Reviewed-by: Tom Rini <[email protected]>
|
|
Smatch reported a possible buffer overflow in exfat_set_label but it
turns out that this code is unused so just guard the function with
'#ifndef __UBOOT__' as well as exfat_get_label that is also unused and
the helper static find_label.
Signed-off-by: Andrew Goodbody <[email protected]>
|
|
Andrew Goodbody <[email protected]> says:
Smatch reported issues with variables being dereferenced before NULL
checks and also testing an unsigned variable for being negative.
Link: https://lore.kernel.org/r/[email protected]
|
|
In exfat_generic_pread and exfat_generic_pwrite offset is passed in as a
off_t type which is defined as 'unsigned long long' so there is no need
to create the variable uoffset as a uint64_t as this is just a direct
copy of offset. Also remove the impossible test of 'offset < 0' as this
is always false due to offset being unsigned.
This issue found by Smatch.
Signed-off-by: Andrew Goodbody <[email protected]>
|
|
In the functions exfat_pread and exfat_pwrite there is a NULL check for
ctxt.cur_dev but this has already been derefenced twice before this
happens.
Refactor the code a bit to put the NULL check first.
This issue found by Smatch.
Signed-off-by: Andrew Goodbody <[email protected]>
|
|
multi is guaranteed to be NULL in the first two error exit paths so the
attempt to free it is not needed. Remove those calls.
This issue found by Smatch.
Signed-off-by: Andrew Goodbody <[email protected]>
|
|
The assignments to sect and off use the pointer from ctxt.cur_dev but
that has not been NULL checked before this is done. So instead move the
assignments after the NULL check.
This issue found by Smatch
Signed-off-by: Andrew Goodbody <[email protected]>
Reviewed-by: Gao Xiang <[email protected]>
|
|
Andrew Goodbody <[email protected]> says:
Smatch reported some issues in the ext4fs code. This includes a
suggestion to use an unwind goto, to not negate a return value and to
ensure that a NULL check happens before the pointer is dereferenced.
Link: https://lore.kernel.org/r/[email protected]
|
|
In the function put_ext4 there is a NULL check for fs->dev_desc but this
has already been derefenced twice before this happens. Refactor the code
a bit to put the NULL check first.
This issue found by Smatch.
Signed-off-by: Andrew Goodbody <[email protected]>
|
|
Ensure that allocated memory is freed on error exit replace the direct
return calls with 'goto fail'.
This issue found by Smatch.
Signed-off-by: Andrew Goodbody <[email protected]>
|
|
In ext4fs_readdir it calls ext4fs_read_file and checks the return value
for non-zero to detect an error. This return value should be returned as
is rather than being negated.
This issue found by Smatch
Signed-off-by: Andrew Goodbody <[email protected]>
|
|
Return ENOMEM in ext4fs_log_gdt when number of blocks per gdt is more than
number of allocated journal entries.
Signed-off-by: Tony Dinh <[email protected]>
|
|
There currently are multiple allocation API's in the LMB module. There
are a couple of API's for allocating memory(lmb_alloc() and
lmb_alloc_base()), and then there are two for requesting a reservation
for a particular memory region (lmb_reserve() and
lmb_alloc_addr()). Introduce a single API lmb_alloc_mem() which will
cater to all types of allocation requests and replace lmb_reserve()
and lmb_alloc_addr() with the new API.
Moreover, the lmb_reserve() API is pretty similar to the
lmb_alloc_addr() API, with the one difference being that the
lmb_reserve() API allows for reserving any address passed to it --
the address need not be part of the LMB memory map. The
lmb_alloc_addr() does check that the address being requested is
actually part of the LMB memory map.
There is no need to support reserving memory regions which are outside
the LMB memory map. Remove the lmb_reserve() API functionality and use
the functionality provided by lmb_alloc_addr() instead. The
lmb_alloc_addr() will check if the requested address is part of the
LMB memory map and return an error if not.
Signed-off-by: Sughosh Ganu <[email protected]>
Acked-by: Ilias Apalodimas <[email protected]>
|
|
Use lbaint_t for blknr to avoid overflow in ext4fs_read_file().
Background:
blknr (block number) used in ext4fs_read_file() could be increased to a
very large value and causes a wrap around at 32 bit signed integer max,
thus becomes negative. This results in an out-of-normal range for sector
number (during the assignment delayed_start = blknr) where delayed_start
sector is typed uint64 lbaint_t. This causes the "Read outside partition"
error.
Looks like we also have this overflown problem in ext4_write.c that needs
to be addressed.
This patch was tested on the Synology DS116 (Armada 385) board, and a
4TB Seagate HDD.
Signed-off-by: Tony Dinh <[email protected]>
|
|
Prepare v2025.07-rc4
|
|
The issue here is that the function read_allocated_block() will report
problems via a negative return value. If we say the return value is
stored in an lbaint_t that can no longer happen (and Coverity discovered
this by reporting a no effect comparison and then dead code). The
problem being fixed by allowing for storing a larger block number will
have to be solved in some other manner.
This reverts commit df2ed552f0b05591090369a7fe7ddc92439dea5c.
Addresses-Coverity-ID: 131183
Signed-off-by: Tom Rini <[email protected]>
|
|
Prepare v2025.07-rc3
|
|
Use lbaint_t for blknr to avoid overflow in ext4fs_read_file().
Background:
blknr (block number) used in ext4fs_read_file() could be increased to a
very large value and causes a wrap around at 32 bit signed integer max,
thus becomes negative. This results in an out-of-normal range for sector
number (during the assignment delayed_start = blknr) where delayed_start
sector is typed uint64 lbaint_t. This causes the "Read outside partition"
error.
This patch was tested on the Synology DS116 (Armada 385) board, and a
4TB Seagate HDD.
Signed-off-by: Tony Dinh <[email protected]>
|
|
Log the error if fs_devread() fails when trying to reading outside
partition. This will make bug reporting easier.
Signed-off-by: Tony Dinh <[email protected]>
|
|
CRC16 is used in ext4_common.c. Build fails without it.
PS:
This is my first patch sent to a mailing list.
If there is anything wrong with it (email format, whitespace, etc.)
please let me know.
Signed-off-by: Marius Dinu <[email protected]>
|
|
This file references rtc functions and implicitly includes <rtc.h>
today. Add this explicitly.
Signed-off-by: Tom Rini <[email protected]>
|
|
This file references rtc functions and implicitly includes <rtc.h>
today. Add this explicitly.
Signed-off-by: Tom Rini <[email protected]>
|
