When SPL_FS_LOADER is set to y and FS_LOADER is not enabled, the SPL build
fails with the following errors:
AR spl/boot/built-in.o
LD spl/u-boot-spl
arm-none-linux-gnueabihf-ld.bfd: drivers/misc/fs_loader.o: in function
`fw_get_filesystem_firmware':
/u-boot/drivers/misc/fs_loader.c:162: undefined reference to
`fs_set_blk_dev'
arm-none-linux-gnueabihf-ld.bfd: /home/frh/tdx/src/u-boot/drivers/misc/
fs_loader.c:185: undefined reference to `fs_read'
arm-none-linux-gnueabihf-ld.bfd: drivers/misc/fs_loader.o: in function
`select_fs_dev':
/u-boot/drivers/misc/fs_loader.c:89: undefined reference to
`fs_set_blk_dev_with_part'
make[1]: *** [scripts/Makefile.spl:527: spl/u-boot-spl] Error 1
make: *** [Makefile:2055: spl/u-boot-spl] Error 2
Fix it by replacing the FS_LOADER with SPL_FS_LOADER in the Makefile, so
the fs.c with the necessary function definitions are compiled.
Fixes: b071a07743 ("drivers: misc: Makefile: Enable fs_loader compilation at SPL Level")
Suggested-by: Francesco Dolcini <francesco.dolcini@toradex.com>
Signed-off-by: Hiago De Franco <hiago.franco@toradex.com>
Signed-off-by: Francesco Dolcini <francesco.dolcini@toradex.com>
Move this header to include/u-boot/ so that it can be used by external
tools.
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Caleb Connolly <caleb.connolly@linaro.org>
Sughosh Ganu <sughosh.ganu@linaro.org> says:
This is a follow-up from an earlier RFC series [1] for making the LMB
and EFI memory allocations work together. This is a non-rfc version
with only the LMB part of the patches, for making the LMB memory map
global and persistent.
This is part one of a set of patches which aim to have the LMB and EFI
memory allocations work together. This requires making the LMB memory
map global and persistent, instead of having local, caller specific
maps. This is being done keeping in mind the usage of LMB memory by
platforms where the same memory region can be used to load multiple
different images. What is not allowed is to overwrite memory that has
been allocated by the other module, currently the EFI memory
module. This is being achieved by introducing a new flag,
LMB_NOOVERWRITE, which represents memory which cannot be re-requested
once allocated.
The data structures (alloced lists) required for maintaining the LMB
map are initialised during board init. The LMB module is enabled by
default for the main U-Boot image, while it needs to be enabled for
SPL. This version also uses a stack implementation, as suggested by
Simon Glass to temporarily store the lmb structure instance which is
used during normal operation when running lmb tests. This does away
with the need to run the lmb tests separately.
The tests have been tweaked where needed because of these changes.
The second part of the patches, to be sent subsequently, would work on
having the EFI allocations work with the LMB API's.
[1] - https://lore.kernel.org/u-boot/20240704073544.670249-1-sughosh.ganu@linaro.org/T/#t
Notes:
1) These patches are on next, as the alist patches have been
applied to that branch.
2) I have tested the boot on the ST DK2 board, but it would be good to
get a T-b/R-b from the ST maintainers.
3) It will be good to test these changes on a PowerPC platform
(ideally an 85xx, as I do not have one).
With the changes to make the LMB reservations persistent, the common
memory regions are being added during board init. Remove the
now superfluous lmb_init_and_reserve() function.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
With the introduction of separate config symbols for the SPL phase of
U-Boot, the condition checks need to be tweaked so that platforms that
enable the LMB module in SPL are also able to call the LMB API's. Use
the appropriate condition checks to achieve this.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
The current LMB API's for allocating and reserving memory use a
per-caller based memory view. Memory allocated by a caller can then be
overwritten by another caller. Make these allocations and reservations
persistent using the alloced list data structure.
Two alloced lists are declared -- one for the available(free) memory,
and one for the used memory. Once full, the list can then be extended
at runtime.
[sjg: Use a stack to store pointer of lmb struct when running lmb tests]
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Signed-off-by: Simon Glass <sjg@chromium.org>
[sjg: Optimise the logic to add a region in lmb_add_region_flags()]
Use the API function list_count_nodes() to count the number of list
entries.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Currently, zalloc() calls uncondtionally memset(),
if the allocation failes, memset() will write to a null pointer.
Fix by using kzalloc().
Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
While zalloc() takes a size_t type, adding 1 to the le32 variable
will overflow.
A carefully crafted ext4 filesystem can exhibit an inode size of 0xffffffff
and as consequence zalloc() will do a zero allocation.
Later in the function the inode size is again used for copying data.
So an attacker can overwrite memory.
Avoid the overflow by using the __builtin_add_overflow() helper.
Signed-off-by: Richard Weinberger <richard@nod.at>
res needs to be large enough to store both strings rem and target,
plus the path separator and the terminator.
Currently the space for the path separator is not accounted, so
the heap is corrupted by one byte.
Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
The squashfs driver blindly follows symlinks, and calls sqfs_size()
recursively. So an attacker can create a crafted filesystem and with
a deep enough nesting level a stack overflow can be achieved.
Fix by limiting the nesting level to 8.
Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
A carefully crafted squashfs filesystem can exhibit an extremly large
inode size and overflow the calculation in sqfs_inode_size().
As a consequence, the squashfs driver will read from wrong locations.
Fix by using __builtin_add_overflow() to detect the overflow.
Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
A carefully crafted squashfs filesystem can exhibit an inode size of 0xffffffff,
as a consequence malloc() will do a zero allocation.
Later in the function the inode size is again used for copying data.
So an attacker can overwrite memory.
Avoid the overflow by using the __builtin_add_overflow() helper.
Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Evaluate the filesystem incompat and ro_compat bit fields to judge
whether the filesystem can be read or written.
For the read side only a scary warning is shown so far.
I'd love to abort mounting too, but I fear this will break some setups
where the driver works by chance.
Signed-off-by: Richard Weinberger <richard@nod.at>
When kernel uses file system encryption, fscrypt on UBIFS v5,
after a hard power cycle UBIFS journal replay fails which results in mount failure.
Failure logs:
UBIFS: recovery needed
UBIFS error (pid 0): ubifs_validate_entry: bad directory entry node
UBIFS error (pid 0): replay_bud: bad node is at LEB 890:24576
UBIFS error (pid 0): ubifs_mount: Error reading superblock on volume 'ubi0:rootfs' errno=-22!
This change is ported from kernel:
commit id: 304790c038bc4af4f19774705409db27eafb09fc
Kernel commit description:
Kernel commit description:
ubifs: Relax checks in ubifs_validate_entry()
With encrypted filenames we store raw binary data, doing
string tests is no longer possible.
Signed-off-by: rminnikanti <rminnikanti@marvell.com>
Reviewed-by: Heiko Schocher <hs@denx.de>
Safety guard in the U-Boot filesystem glue code, because these functions
are called from different parts of the codebase. For generic filesystem
handling this should have been checked in blk_get_device_part_str()
already. Commands from cmd/ubifs.c should also check this before
calling those functions, but you never know?!
Signed-off-by: Alexander Dahl <ada@thorsis.com>
Although kfree() is in fact only a slim wrapper to free() in U-Boot, use
kfree() here, because those structs where allocated with kalloc() or
kzalloc().
Signed-off-by: Alexander Dahl <ada@thorsis.com>
Global superblock pointer 'ubifs_sb' and volume pointer 'ubi' of type
struct ubi_volume_desc in private member sb->s_fs_info of type struct
ubifs_info, can be allocated and freed at runtime, and allocated and
freed again, depending which console or script commands are run. In
some cases ubifs_sb is even tested to determine if the filesystem is
mounted. Reset those pointers to NULL after free to clearly mark them
as not valid. This avoids potential double free on invalid pointers.
(The ubifs_sb pointer was already reset, but that statement was moved
now to directly after the free() to make it easier to understand.)
Signed-off-by: Alexander Dahl <ada@thorsis.com>
When mounting ubifs e.g. through command 'ubifsmount' one global static
superblock 'ubifs_sb' is used _and_ the requested volume is opened (like
in Linux). The pointer returned by 'ubifs_open_volume()' is stored in
that superblock struct and freed later on cmd 'ubifsumount' or another
call to 'ubifsmount' with a different volume, through ubifs_umount() and
ubi_close_volume().
In ubifs_ls(), ubifs_exists(), ubifs_size(), and ubifs_read() the volume
was opened again, which is technically no problem with regard to
refcounting, but here the still valid pointer in sb was overwritten,
leading to a memory leak. Even worse, when using one of those
functions and calling ubifsumount later, ubi_close_volume() was called
again but now on an already freed pointer, leading to a double free.
This actually crashed with different invalid memory accesses on a board
using the old distro boot and a rather long script handling RAUC
updates.
Example:
> ubi part UBI
> ubifsmount ubi0:boot
> test -e ubi ubi0:boot /boot.scr.uimg
> ubifsumount
The ubifs specific commands 'ubifsls' and 'ubifsload' check for a
mounted volume by themselves, for the generic fs variants 'ls', 'load',
(and 'size', and 'test -e') this is covered by special ubifs handling in
fs_set_blk_dev() and deeper down blk_get_device_part_str() then. So for
ubifs_ls(), ubifs_exists(), ubifs_size(), and ubifs_read() we can be
sure the volume is opened and the necessary struct pointer in sb is
valid, so it is not needed to open volume again.
Fixes: 9eefe2a2b3 ("UBIFS: Implement read-only UBIFS support in U-Boot")
Fixes: 29cc5bcadf ("ubifs: Add functions for generic fs use")
Signed-off-by: Alexander Dahl <ada@thorsis.com>
The existing API for these functions is different from the rest of
U-Boot, in that any error code must be obtained from the errno variable
on failure. This variable is part of the C library, so accessing it
outside of the special 'sandbox' shim-functions is not ideal.
Adjust the API to return an error code, to avoid this. Update existing
uses to check for any negative value, rather than just -1.
Signed-off-by: Simon Glass <sjg@chromium.org>
ZSTD can be a better tradeoff between NAND IO operations and decompression
speed giving a better boot time.
Signed-off-by: Piotr Wojtaszczyk <piotr.wojtaszczyk@timesys.com>
Reviewed-by: Heiko Schocher <hs@denx.de>
Fix btrfs_read/read_and_truncate_page write out of bounds of destination
buffer. Old behavior break bootstd malloc'd buffers of exact file size.
Previously this OOB write have not been noticed because distroboot usually
read files into huge static memory areas.
Signed-off-by: Alex Shumsky <alexthreed@gmail.com>
Fixes: e342718 ("fs: btrfs: Implement btrfs_file_read()")
Reviewed-by: Qu Wenruo <wqu@suse.com>
Here the size should be `length - skip`, otherwise it could cause
the destination buffer overflow.
Reported-by: jianqiang wang <wjq.sec@gmail.com>
Fixes: 65cb73057b ("fs/erofs: add lz4 decompression support")
Signed-off-by: Jianan Huang <jnhuang95@gmail.com>
Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
As part of bringing the master branch back in to next, we need to allow
for all of these changes to exist here.
Reported-by: Jonas Karlman <jonas@kwiboo.se>
Signed-off-by: Tom Rini <trini@konsulko.com>
When bringing in the series 'arm: dts: am62-beagleplay: Fix Beagleplay
Ethernet"' I failed to notice that b4 noticed it was based on next and
so took that as the base commit and merged that part of next to master.
This reverts commit c8ffd1356d, reversing
changes made to 2ee6f3a5f7.
Reported-by: Jonas Karlman <jonas@kwiboo.se>
Signed-off-by: Tom Rini <trini@konsulko.com>
In order to prevent crashing due to infinite recursion and actually
decompress the requested data, call the zlib function 'uncompress'
instead.
Signed-off-by: WHR <msl0000023508@gmail.com>
Currently no features are implemented, only the zpool version 5000 that
indicating the features support, is recognized. Since it is possible for
OpenZFS to create a pool with features support enabled, but without
enabling any actual feature, this change enables U-Boot to read such
pools.
Signed-off-by: WHR <msl0000023508@gmail.com>
This patch adds DEFLATE compression algorithm support. It's a good choice
to trade off between compression ratios and performance compared to LZ4.
Alternatively, DEFLATE could be used for some specific files since EROFS
supports multiple compression algorithms in one image.
Signed-off-by: Jianan Huang <jnhuang95@gmail.com>
Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
The FAT specification requires that the change date is set.
If a DM RTC device exists, set the creation and change date to the current
date when updating the directory entry. Otherwise use the date 2020-01-01.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
The month is stored in 5 - 8. We need to shift it by 5 bits.
Cf. Microsoft FAT Specification, 2005-08-30
Fixes: 13c11c6653 ("fs: fat: add file attributes to struct fs_dirent")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Alexander Dahl <ada@thorsis.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
mwleeds@mailtundra.com <mwleeds@mailtundra.com> says:
This patch series is needed to get U-Boot to boot from a ZFS filesystem
on an aarch64 computer. Some of the patches are not architecture specific
and would be needed to boot ZFS on other platforms as well. The ZFS
support in U-Boot hasn't been substantively touched in several years and
to me it seems like it must have been broken for a long time on all
platforms, but I have only tested on aarch64.
Since there doesn't seem to be a mantainer for this area who I can cc,
I'm hoping these patches get seen and pulled in by a general U-Boot
maintainer.
[trini: Per Igor's comment and Phaedrus agreement, dropped his Tested-by
on the patches themselves]
Without this patch, the while loop being modified goes on infinitely,
but with the patch I am able to boot linux on zfs on a jetson tx2 nx.
It seems like this code was never tested because the logic is clearly
wrong. The function do_div(a,b) does a division that modifies the first
parameter to have a = a / b, and returns the remainder of the division.
So clearly in the usual case when file->offset = 0, the line
"blkid = do_div(blkid, blksz);" just results in blkid being set to zero
on every iteration of the loop, rather than being incremented as blocks
are read. Hence the zeroth block is read over and over and this becomes
an infinite loop.
So instead capture the remainder of the division in a "blkoff" variable,
and use that to properly calculate the memory address to move from in
memmove() below.
For example, if file->offset were 1337, on the first iteration of the
loop blkid would be 0 and blkoff would be 1337. If the blksz is 131072
(as it was for me), that amount of data would be copied into
data->file_buf. movesize would be 131072 - 1337 = 129735 so 129735 bytes
would be moved into buf. On the second iteration of the loop (assuming
there is one), red would be 129735, blkid would be 1, blkoff would be 0,
and 131072 bytes would be copied into buf. And so on...
Signed-off-by: Phaedrus Leeds <mwleeds@mailtundra.com>
As evidenced by how other filesystems handle it, a return value of 0
from fs_devread() means failure; nonzero means success. The opposite
assumption was being made in zfs.c for the use of zfs_devread() so fix
the confusion by making zfs_devread() return 0 on success.
It probably doesn't make sense to change the handling of zfs_devread()
in zfs.c instead, because as it is it matches the semantics of the other
functions there.
Signed-off-by: Phaedrus Leeds <mwleeds@mailtundra.com>
Without this patch, when trying to boot zfs using U-Boot on a Jetson TX2
NX (which is aarch64), I get a CPU reset error like so:
"Synchronous Abort" handler, esr 0x96000021
elr: 00000000800c9000 lr : 00000000800c8ffc (reloc)
elr: 00000000fff77000 lr : 00000000fff76ffc
x0 : 00000000ffb40f04 x1 : 0000000000000000
x2 : 000000000000000a x3 : 0000000003100000
x4 : 0000000003100000 x5 : 0000000000000034
x6 : 00000000fff9cc6e x7 : 000000000000000f
x8 : 00000000ff7f84a0 x9 : 0000000000000008
x10: 00000000ffb40f04 x11: 0000000000000006
x12: 000000000001869f x13: 0000000000000001
x14: 00000000ff7f84bc x15: 0000000000000010
x16: 0000000000002080 x17: 00000000001fffff
x18: 00000000ff7fbdd8 x19: 00000000ffb405f8
x20: 00000000ffb40dd0 x21: 00000000fffabe5e
x22: 000000ea77940000 x23: 00000000ffb42090
x24: 0000000000000000 x25: 0000000000000000
x26: 0000000000000000 x27: 0000000000000000
x28: 0000000000bab10c x29: 00000000ff7f85f0
Code: d00001a0 9103a000 94006ac6 f9401ba0 (f9400000)
Resetting CPU ...
This happens when be64_to_cpu() is called on a value that exists at a
memory address that's 4 byte aligned but not 8 byte aligned (e.g. an
address ending in 04). The call stack where that happens is:
check_pool_label() ->
zfs_nvlist_lookup_uint64(vdevnvlist, ZPOOL_CONFIG_ASHIFT,...) ->
be64_to_cpu()
Signed-off-by: Phaedrus Leeds <mwleeds@mailtundra.com>
Fixes: 4d3c95f5ea ("zfs: Add ZFS filesystem support")
This code was hitting the error code path whenever malloc() succeeded
rather than when it failed, so presumably this part of the code hasn't
been tested. I had to apply this fix (and others) to get U-Boot to boot
from ZFS on an Nvidia Jetson TX2 NX SoM (an aarch64 computer).
Signed-off-by: Phaedrus Leeds <mwleeds@mailtundra.com>
U-Boot only knows absolute file paths. It is inconsistent to require that
saving to an ext4 file system should use a leading '/' while reading does
not. Remove the superfluous check.
Reported-by: Patrice Chotard <patrice.chotard@foss.st.com>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Tested-by: Patrice Chotard <patrice.chotard@foss.st.com>
When accessing an ext2 system the message "File System is consistent\n" is
shown after each write. This is superfluous noise. Only write a debug
message.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
When a file is created in the linux and corresponding file permission
is set, if the file needs to be modified in uboot during the startup
process, the modified file permission will be reset to 755. Therefore,
when the ext4fs_write() function is called, if the file already exists,
the file permission of the new file is equal to the file permission of
the existing file.
While fat_exists() reports directories and files as existing
ext4fs_exists() only recognizes files. This lead to errors
when using systemd-boot with an ext4 file-system.
Change ext4fs_exists() to find any type of inode:
files, directories, symbolic links.
Fixes: a1596438a6 ("ext4fs ls load support")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
It was only included by a single board which doesn't appear to have
ever used it for any default use cases so drop the filesystem now
that isn't used by any in-tree configurations.
Signed-off-by: Peter Robinson <pbrobinson@gmail.com>
Now it is clear that the feature actually depends on efi interfaces,
not "bootefi" command. efi_set_bootdev() will automatically be nullified
if necessary efi component is disabled.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
If FS_LOADER is enabled for the SPL then the build fails with the error:
fs/fs.o:(.data.rel.fstypes+0x128):
undefined reference to `smh_fs_set_blk_dev'
fs/fs.o:(.data.rel.fstypes+0x140):
undefined reference to `smh_fs_size'
fs/fs.o:(.data.rel.fstypes+0x148):
undefined reference to `smh_fs_read'
fs/fs.o:(.data.rel.fstypes+0x150):
undefined reference to `smh_fs_write'
Fix the error by populating the semihosting entry in the fs_types array
only for non-SPL builds.
Signed-off-by: Mayuresh Chitale <mchitale@ventanamicro.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Sean Anderson <seanga2@gmail.com>
In order to make it easier to move on to dropping common.h from code
directly, remove common.h inclusion from the rest of the header file
which had been including it.
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Tom Rini <trini@konsulko.com>
To quote the author:
It would be useful to be able to boot an OS when CONFIG_CMDLINE is
disabled. This could allow reduced code size.
Standard boot provides a way to handle programmatic boot, without
scripts, so such a feature is possible. The main impediment is the
inability to use the booting features of U-Boot without a command line.
So the solution is to avoid passing command arguments and the like to
code in boot/
A similar process has taken place with filesystems, for example, where
we have (somewhat) separate Kconfig options for the filesystem commands
and the filesystems themselves.
This series starts the process of refactoring the bootm logic so that
it can be called from standard boot without using the command line.
Mostly it removes the use of argc, argv and cmdtbl from the internal
logic.
Some limited tidy-up is included, but this is kept to smaller patches,
rather than trying to remove all #ifdefs etc. Some function comments
are added, however.
A simple programmatic boot is provided as a starting point.
This work will likely take many series, so this is just the start.
Size growth with this series for firefly-rk3288 (Thumb2) is:
arm: (for 1/1 boards) all +23.0 rodata -49.0 text +72.0
This should be removed by:
https://source.denx.de/u-boot/custodians/u-boot-dm/-/issues/11
but it is not included in this series as it is already large enough.
No functional change is intended in this series.
Changes in v3:
- Add a panic if programmatic boot fails
- Drop RFC tag
Changes in v2:
- Add new patch to adjust position of unmap_sysmem() in boot_get_kernel()
- Add new patch to obtain command arguments
- Fix 'boot_find_os' typo
- Pass in the command name
- Use the command table to provide the command name, instead of "bootm"
Add some functions which provide an argument to a command, or NULL if
the argument does not exist.
Use the same numbering as argv[] since it seems less confusing than the
previous idea.
Signed-off-by: Simon Glass <sjg@chromium.org>
Suggested-by: Tom Rini <trini@konsulko.com>
To quote the author:
This series fixes an issue where the FAT type (FAT12, FAT16) is not
correctly detected, e.g. when the BPB field BS_FilSysType contains the
valid value "FAT ".
This issue occures, for example, if a partition is formatted by
swupdate using its diskformat handler. swupdate uses the FAT library
from http://elm-chan.org/fsw/ff/ internally.
See https://groups.google.com/g/swupdate/c/7Yc3NupjXx8 for a
discussion in the swupdate mailing list.
Please refer to the commit messages for more details.
1. Added bootsector checks
Most tests from https://www.win.tue.nl/~aeb/linux/fs/fat/fat-2.html
are added in the commit 'fs: fat: add bootsector validity check'.
Only the tests VIII, IX and X are not implemented.
I also checked the Linux kernel code (v6.6) and did not find any
checks on 'vistart->fs_type'. This is the reason why is skipped them
here.
See section '2. Size comparisons' for the impact on the binary size.
2. Size comparisons
I executed bloat-o-meter from the Linux kernel for an arm64
target (config xilinx_zynqmp_mini_emmc0_defconfig):
Comparison of the binary spl/u-boot-spl between master (rev
e17d174773) and this patch
series (including the added validity checks of the boot sector):
add/remove: 0/0 grow/shrink: 1/1 up/down: 100/-12 (88)
Function old new delta
read_bootsectandvi 308 408 +100
fat_itr_root 444 432 -12
Total: Before=67977, After=68065, chg +0.13%
When compare the size of the binary spl/u-boot-spl between master this
series without the the validity checks of the boot sector:
add/remove: 0/0 grow/shrink: 0/2 up/down: 0/-24 (-24)
Function old new delta
read_bootsectandvi 308 296 -12
fat_itr_root 444 432 -12
Total: Before=67977, After=67953, chg -0.04%
So the size of the spl on this arm64 target increases by 88 bytes for
this series. When i remove the validity check the size decreases by 24 bytes.
The performed checks are similar to the checks performed by the Linux
kernel in the function fat_read_bpb() in the file fs/fat/inode.c.
Signed-off-by: Christian Taedcke <christian.taedcke@weidmueller.com>
This fixes an issue where the FAT type (FAT12, FAT16) is not
correctly detected, e.g. when the BPB field BS_FilSysType contains the
valid value "FAT ".
According to the FAT spec the field BS_FilSysType has only
informational character and does not determine the FAT type.
The logic of this code is based on the linux kernel implementation
from the file fs/fat/inode.c function fat_fill_super().
For details about FAT see http://elm-chan.org/docs/fat_e.html
Signed-off-by: Christian Taedcke <christian.taedcke@weidmueller.com>
The btrfs read function limits the read length to ensure that it
and the read offset do not together exceed the size of the file.
However, this size was only being queried if the read length was
passed a value of zero (meaning "whole file"), and the size is
defaulted to 0 otherwise. This means the clamp will just zero out
the length if one is specified, preventing reading of the file.
Fix this by checking the file size unconditionally, and unifying
the default length and clamping logic as a single range check instead.
This bug was discovered when trying to boot Linux with initrd= via
'bootefi' from a btrfs partition. The EFI stub entered an infinite
loop of zero-length reads while trying to read the initrd, and the
boot process stalled indefinitely.
Signed-off-by: Sam Edwards <CFSworks@gmail.com>
Reviewed-by: Qu Wenruo <wqu@suse.com>
Now that we have time conversion defines from in time.h there is no need
for each driver to define their own version.
Signed-off-by: Igor Prusov <ivprusov@salutedevices.com>
Reviewed-by: Svyatoslav Ryhel <clamor95@gmail.com> # tegra
Reviewed-by: Eugen Hristev <eugen.hristev@collabora.com> #at91
Reviewed-by: Caleb Connolly <caleb.connolly@linaro.org> #qcom geni
Reviewed-by: Stefan Bosch <stefan_b@posteo.net> #nanopi2
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
The structure is identical to the existing compressor implementations,
trivially adding lz4 decompression to sqfs_decompress.
The changes were tested using a sandbox build. An LZ4 compressed
squashfs image was bound as a host block device.
Signed-off-by: David Oberhollenzer <goliath@infraroot.at>
Reviewed-by: Joao Marcos Costa <jmcosta944@gmail.com>
This patch removes a number of struct and macro declaration that
were found through `git-grep` to be unused. Most of those are
related to compressor options and super block flags.
For reading a SquashFS image, we do not need the compressor options
or the flags. Those only encode settings used for packing the image,
mksquashfs uses them when appending data to an existing image. The
kernel implementation does not touch those, and we don't need them
either.
Signed-off-by: David Oberhollenzer <goliath@infraroot.at>
Similar change was done by commit b4c2c151b1 ("Kconfig: Remove all
default n/no options") and again sync is required.
default n/no doesn't need to be specified. It is default option anyway.
Signed-off-by: Michal Simek <michal.simek@amd.com>
Reviewed-by: Svyatoslav Ryhel <clamor95@gmail.com> # tegra
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Angelo Dureghello <angelo@kernel-space.org>
Don't bother compiling the sandbox filesystem in SPL for now, as it is not
needed.
Signed-off-by: Sean Anderson <seanga2@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
This check breaks small partitions (under 1024 blocks) because part_length
is in units of part.blksz and not bytes. Given the purpose of this
function, we really want to make sure the partition is SUPERBLOCK_START +
SUPERBLOCK_SIZE (2048) bytes so we can call ext4_read_superblock without
error.
The obvious solution is to convert callers from things like
ext4fs_mount(part_info.size)
to
ext4fs_mount(part_info.size * part_info.blksz);
However, I'm not really a fan of the bloat that would cause, especially
since the error is now suppressed. I think the best course of action here
is to just revert the patch.
This reverts commit 9905cae65e.
Signed-off-by: Sean Anderson <seanga2@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
This old patch was marked as deferred. Bring it back to life, to continue
towards the removal of common.h
Move this out of the common header and include it only where needed.
Signed-off-by: Simon Glass <sjg@chromium.org>
The last user of the NEEDS_MANUAL_RELOC has been removed in commit
26af162ac8 ("arch: m68k: Implement relocation")
Remove now unused NEEDS_MANUAL_RELOC code.
Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
The last user of the NEEDS_MANUAL_RELOC has been removed in commit
26af162ac8 ("arch: m68k: Implement relocation")
Remove now unused NEEDS_MANUAL_RELOC code.
Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
This field is only present when a CONFIG is set. To avoid annoying #ifdefs
in the source code, add accessors. Update all code to use it.
Note that the accessor is optional. It can be omitted if it is known that
the option is enabled.
Signed-off-by: Simon Glass <sjg@chromium.org>
At present listing a partition produces lots of errors about this
filesystem:
=> part list mmc 4
cannot find valid erofs superblock
cannot find valid erofs superblock
cannot read erofs superblock: -5
[9 more similar lines]
Use debugging rather than errors when unable to find a signature, as is
done with other filesystems.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
The product of two 32 bit integers is a 32 bit integer. Hence
clustcount * bytesperclust may overflow on > 4 GiB devices.
Change the type of clustcount.
Fixes: cb8af8af5b ("fs: fat: support write with non-zero offset")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
The btrfs_decompress() function mostly (u32)-1 on error but it can
also return -EPERM or other kernel error codes from zstd_decompress().
The "ret" variable is an int, so we could just check for negatives.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Qu Wenruo <wqu@suse.com>
This line break is not done correctly. We don't want to have all those
tabs in the printed output.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
If btrfs_read_fs_root() fails with -ENOENT, then we go to the next
entry. Fine. But if it fails for a different reason then we need
to clean up and return an error code. In the current code it
doesn't clean up but instead dereferences "root" and crashes.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Marek Behún <kabel@kernel.org>
Reviewed-by: Qu Wenruo <wqu@suse.com>
In [1] Sam points out an assertion does not hold true for 32-bit
platforms, which only impacts Large File Support (LFS) API usage
in erofs-utils according to Xiang [2]. We don't think these APIs
are used in u-boot and this restriction could be safely removed.
[1] https://lists.denx.de/pipermail/u-boot/2023-July/524679.html
[2] https://lists.denx.de/pipermail/u-boot/2023-July/524727.html
Fixes: 3a21e92fc2 ("fs/erofs: Introduce new features including ztailpacking, fragments and dedupe")
Signed-off-by: Yifan Zhao <zhaoyifan@sjtu.edu.cn>
Tested-by: Sam Edwards <CFSworks@gmail.com>
The FAT file systems uses character '\xe5' to mark a deleted directory
entry. If a file name starts with this character, it is substituted by
'\x05' in the directory entry.
While (signed char)'\xe5' is a negative number 0xe5 is a positive integer
number. We therefore have define a constant DELETED_MARK which matches the
signedness of the characters in the directory entry.
Correct a comparison where we used the constant 0xe5 with the wrong sign.
Use the constant aRING instead of 0x05 like in the rest of the code.
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Fixes: 57b745e238 ("fs: fat: call set_name() only once")
Fixes: 28cef9ca2e ("fs: fat: create correct short names")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
This patch updates erofs driver code to catch up with the latest code of
erofs_utils (commit e4939f9eaa177e05d697ace85d8dc283e25dc2ed).
LZMA will be supported in the separate patch later.
Signed-off-by: Yifan Zhao <zhaoyifan@sjtu.edu.cn>
Reviewed-by: Huang Jianan <jnhuang95@gmail.com>
To save a few bytes, replace Error with ** and try to use the same string
for multiple messages where possible.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
It seems better to call this a 'bootdev' since this is name used in the
documentation. The older 'Bootdevice' name is no-longer used and may cause
confusion with the 'bootdevice' environment variable.
Update throughout to use bootdev.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
This functionality current sits in bootstd, but it is more generally
useful. Add a function to load a file into memory, allocating it as
needed. Adjust bootstd to use this version.
Note: Tests are added in the subsequent patch which converts the 'cat'
command to use this function.
Signed-off-by: Simon Glass <sjg@chromium.org>
The ubifsload command is truncating any address above 4GiB as it casts
this address to an u32, instead of using an unsigned long which most of
the other load commands do. Change this to an unsigned long to allow
loading into high memory for boards which use these areas.
Fixes the following error:
=> ubifsload 0x2100000000 /boot/Image.lzma
Loading file '/boot/Image.lzma' to addr 0x00000000...
Unhandled exception: Store/AMO access fault
Signed-off-by: Ben Dooks <ben.dooks@sifive.com>
Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk>
If a file does not exist, it should be created.
Fixes: f676b45151 ("fs: Add semihosting filesystem")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Use asm/unaligned.h instead of linux/unaligned/access_ok.h for unaligned
access. This is needed on architectures that doesn't handle unaligned
accesses directly.
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
btrfs_read_extent_reg correctly computed the extent offset in the
BTRFS_COMPRESS_NONE case, but did not account for the 'offset - key.offset'
part correctly in the compressed case, making the function read
incorrect data.
In the case I examined, the last 4k of a file was corrupted and
contained data from a few blocks prior, e.g. reading a 10k file with a
single extent:
btrfs_file_read()
-> btrfs_read_extent_reg
(aligned part loop, until 8k)
-> read_and_truncate_page
-> btrfs_read_extent_reg
(re-reads the last extent from 8k to the end,
incorrectly reading the first 2k of data)
This can be reproduced as follow:
$ truncate -s 200M btr
$ mount btr -o compress /mnt
$ pat() { dd if=/dev/zero bs=1M count=$1 iflag=count_bytes status=none | tr '\0' "\\$2"; }
$ { pat 4K 1; pat 4K 2; pat 2K 3; } > /mnt/file
$ sync
$ filefrag -v /mnt/file
File size of /mnt/file is 10240 (3 blocks of 4096 bytes)
ext: logical_offset: physical_offset: length: expected: flags:
0: 0.. 2: 3328.. 3330: 3: last,encoded,eof
$ umount /mnt
Then in u-boot:
=> load scsi 0 2000000 file
10240 bytes read in 3 ms (3.3 MiB/s)
=> md 2001ff0
02001ff0: 02020202 02020202 02020202 02020202 ................
02002000: 01010101 01010101 01010101 01010101 ................
02002010: 01010101 01010101 01010101 01010101 ................
(02002000 onwards should contain '03' pattern but went back to 01,
start of the extent)
After patch, data is read properly:
=> md 2001ff0
02001ff0: 02020202 02020202 02020202 02020202 ................
02002000: 03030303 03030303 03030303 03030303 ................
02002010: 03030303 03030303 03030303 03030303 ................
Note that the code previously (before commit e3427184f3 ("fs: btrfs:
Implement btrfs_file_read()")) did not split that read in two, so
this is a regression even if the previous code might not have been
handling offsets correctly either (something that booted now fails to
boot)
Fixes: a26a6bedaf ("fs: btrfs: Introduce btrfs_read_extent_inline() and btrfs_read_extent_reg()")
Signed-off-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
Reviewed-by: Qu Wenruo <wqu@suse.com>
The deletion process handles special case for symlinks whose target are
small enough that it fits in struct ext2_inode.b.symlink. So no block had
been allocated. But the check of file type wrongly considered regular
files as symlink. So, no block was freed. So, the EXT4 partition could be
corrupted because of no free block available.
Signed-off-by: Corentin GUILLEVIC <corentin.guillevic@smile.fr>
Do not mangle lower or mixed case filenames which fit into the upper
case 8.3 short filename. This ensures FAT standard compatible short
filenames (SFN) to support systems without long filename (LFN) support
like boot roms (ex. SFN BOOT.BIN instead of BOOT~1.BIN for LFN
boot.bin).
Signed-off-by: Stefan Herbrechtsmeier <stefan.herbrechtsmeier@weidmueller.com>
No need to mount a too small partition to handle a EXT4 file system.
This patch add a test on partition size before to read the
SUPERBLOCK_SIZE buffer and avoid error latter in fs_devread() function.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
[BUG]
There is a bug report that btrfs driver caused hang during file read:
This breaks btrfs on the HiFive Unmatched.
=> pci enum
PCIE-0: Link up (Gen1-x8, Bus0)
=> nvme scan
=> load nvme 0:2 0x8c000000 /boot/dtb/sifive/hifive-unmatched-a00.dtb
[hangs]
[CAUSE]
The reporter provided some debug output:
read_extent_data: cur=615817216, orig_len=16384, cur_len=16384
read_extent_data: btrfs_map_block: cur_len=479944704; ret=0
read_extent_data: ret=0
read_extent_data: cur=615833600, orig_len=4096, cur_len=4096
read_extent_data: btrfs_map_block: cur_len=479928320; ret=0
Note the second and the last line, the @cur_len is 450+MiB, which is
almost a chunk size.
And inside __btrfs_map_block(), we limits the returned value to stripe
length, but that's depending on the chunk type:
if (map->type & (BTRFS_BLOCK_GROUP_RAID0 | BTRFS_BLOCK_GROUP_RAID1 |
BTRFS_BLOCK_GROUP_RAID1C3 | BTRFS_BLOCK_GROUP_RAID1C4 |
BTRFS_BLOCK_GROUP_RAID5 | BTRFS_BLOCK_GROUP_RAID6 |
BTRFS_BLOCK_GROUP_RAID10 |
BTRFS_BLOCK_GROUP_DUP)) {
/* we limit the length of each bio to what fits in a stripe */
*length = min_t(u64, ce->size - offset,
map->stripe_len - stripe_offset);
} else {
*length = ce->size - offset;
}
This means, if the chunk is SINGLE profile, then we don't limit the
returned length at all, and even for other profiles, we can still return
a length much larger than the requested one.
[FIX]
Properly clamp the returned length, preventing it from returning a much
larger range than expected.
Reported-by: Andreas Schwab <schwab@linux-m68k.org>
Signed-off-by: Qu Wenruo <wqu@suse.com>
This converts 1 usage of this option to the non-SPL form, since there is
no SPL_FS_EROFS defined in Kconfig
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Huang Jianan <jnhuang95@gmail.com>
Sometimes it is useful to log things related to filesystems. Add a new
category and place it at the top of one of the FAT files.
Signed-off-by: Simon Glass <sjg@chromium.org>
UEFI applications call file system functions to determine if a file exists.
The return codes are evaluated to show appropriate messages.
U-Boot's file system layer should not interfere with the output.
Rename file_fat_read_at() to fat_read_file() adjusting the parameter
sequence and names and eliminate the old wrapper function.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Update the zstd implementation to match Linux zstd 1.5.2 from commit
2aa14b1ab2.
This was motivated by running into decompression corruption issues when
trying to uncompress files compressed with newer versions of zstd. zstd
users also claim significantly improved decompression times with newer
zstd versions which is a side benefit.
Original zstd code was copied from Linux commit 2aa14b1ab2 which is a
custom-built implementation based on zstd 1.3.1. Linux switched to an
implementation that is a copy of the upstream zstd code in Linux commit
e0c1b49f5b, this results in a large code diff. However this should make
future updates easier along with other benefits[1].
This commit is a straight mirror of the Linux zstd code, except to:
- update a few #include that do not translate cleanly
- linux/swab.h -> asm/byteorder.h
- linux/limits.h -> linux/kernel.h
- linux/module.h -> linux/compat.h
- remove assert() from debug.h so it doesn't conflict with u-boot's
assert()
- strip out the compressor code as was done in the previous u-boot zstd
- update existing zstd users to the new Linux zstd API
- change the #define for MEM_STATIC to use INLINE_KEYWORD for codesize
- add a new KConfig option that sets zstd build options to minify code
based on zstd's ZSTD_LIB_MINIFY[2].
These changes were tested by booting a zstd 1.5.2 compressed kernel inside a
FIT. And the squashfs changes by loading a file from zstd compressed squashfs
with sqfsload. buildman was used to compile test other boards and check for
binary bloat, as follows:
> $ buildman -b zstd2 --boards dh_imx6,m53menlo,mvebu_espressobin-88f3720,sandbox,sandbox64,stm32mp15_dhcom_basic,stm32mp15_dhcor_basic,turris_mox,turris_omnia -sS
> Summary of 6 commits for 9 boards (8 threads, 1 job per thread)
> 01: Merge branch '2023-01-10-platform-updates'
> arm: w+ m53menlo dh_imx6
> 02: lib: zstd: update to latest Linux zstd 1.5.2
> aarch64: (for 2/2 boards) all -3186.0 rodata +920.0 text -4106.0
> arm: (for 5/5 boards) all +1254.4 rodata +940.0 text +314.4
> sandbox: (for 2/2 boards) all -4452.0 data -16.0 rodata +640.0 text -5076.0
[1] e0c1b49f5b
[2] f302ad8811/lib/libzstd.mk (L31)
Signed-off-by: Brandon Maier <brandon.maier@collins.com>
[trini: Set ret to -EINVAL for the error of "failed to detect
compressed" to fix warning, drop ZSTD_SRCSIZEHINT_MAX for non-Linux host
tool builds]
Signed-off-by: Tom Rini <trini@konsulko.com>
[BUG]
Since btrfs supports single device RAID0 at mkfs time after btrfs-progs
v5.14, if we create a single device raid0 btrfs, and created a file
crossing stripe boundary:
# mkfs.btrfs -m dup -d raid0 test.img
# mount test.img mnt
# xfs_io -f -c "pwrite 0 128K" mnt/file
# umount mnt
Since btrfs is using 64K as stripe length, above 128K data write is
definitely going to cross at least one stripe boundary.
Then u-boot would fail to read above 128K file:
=> host bind 0 /home/adam/test.img
=> ls host 0
< > 131072 Fri Dec 30 00:18:25 2022 file
=> load host 0 0 file
BTRFS: An error occurred while reading file file
Failed to load 'file'
[CAUSE]
Unlike tree blocks read, data extent reads doesn't consider cases in which
one data extent can cross stripe boundary.
In read_data_extent(), we just call btrfs_map_block() once and read the
first mapped range.
And if the first mapped range is smaller than the desired range, it
would return error.
But since even single device btrfs can utilize RAID0 profiles, the first
mapped range can only be at most 64K for RAID0 profiles, and cause false
error.
[FIX]
Just like read_whole_eb(), we should call btrfs_map_block() in a loop
until we read all data.
Since we're here, also add extra error messages for the following cases:
- btrfs_map_block() failure
We already have the error message for it.
- Missing device
This should not happen, as we only support single device for now.
- __btrfs_devread() failure
With this bug fixed, btrfs driver of u-boot can properly read the above
128K file, and have the correct content:
=> host bind 0 /home/adam/test.img
=> ls host 0
< > 131072 Fri Dec 30 00:18:25 2022 file
=> load host 0 0 file
131072 bytes read in 0 ms
=> md5sum 0 0x20000
md5 for 00000000 ... 0001ffff ==> d48858312a922db7eb86377f638dbc9f
^^^ Above md5sum also matches.
Reported-by: Sam Winchenbach <swichenbach@tethers.com>
Signed-off-by: Qu Wenruo <wqu@suse.com>
For a squashfs filesystem, the fragment table is followed by
the following tables: NFS export table, ID table, xattr table.
The export and xattr tables are both completely optional, but
the ID table is mandatory. The Linux implementation refuses to
mount the image if the ID table is missing. Tables that are no
present have their location in the super block set
to 0xFFFFFFFFFFFFFFFF.
The u-boot implementation previously assumed that it can always
rely on the export table location as an upper bound for the fragment
table, trying (and failing) to read past filesystem bounds if it
is not present.
This patch changes the driver to use the ID table instead and only
use the export table location if it lies between the two.
Signed-off-by: David Oberhollenzer <goliath@infraroot.at>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
