jffs2: Fix memory corruption in jffs2_read_inode_range()
/*
 * JFFS2 -- Journalling Flash File System, Version 2.
 *
 * Copyright © 2001-2007 Red Hat, Inc.
 *
 * Created by David Woodhouse <dwmw2@infradead.org>
 *
 * For licensing information, see the file 'LICENCE' in this directory.
 *
 */
12#include <linux/kernel.h>
13#include <linux/slab.h>
14#include <linux/crc32.h>
15#include <linux/pagemap.h>
16#include <linux/mtd/mtd.h>
17#include <linux/compiler.h>
18#include "nodelist.h"
19#include "compr.h"
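/*
 * jffs2_read_dnode - read @len bytes of file data out of one data node
 * @c:   filesystem superblock info
 * @f:   inode the node belongs to
 * @fd:  the full dnode to read; fd->raw locates the node on flash
 * @buf: destination, at least @len bytes
 * @ofs: offset within the node's data at which to start
 * @len: number of bytes to copy into @buf
 *
 * Reads the raw inode header from flash and verifies its CRC, then reads
 * the payload, verifies the data CRC and decompresses it if necessary.
 * Only the [@ofs, @ofs + @len) window of the node's data ends up in @buf.
 *
 * Returns 0 on success, -ENOMEM if a scratch buffer could not be
 * allocated, -EINVAL if @ofs/@len do not fit inside the node's data,
 * -EIO on a failed or short flash read or a CRC mismatch, or whatever
 * error jffs2_decompress() returned.
 */
int jffs2_read_dnode(struct jffs2_sb_info *c, struct jffs2_inode_info *f,
		     struct jffs2_full_dnode *fd, unsigned char *buf,
		     int ofs, int len)
{
	struct jffs2_raw_inode *ri;
	size_t readlen;
	uint32_t crc;
	uint32_t csize, dsize;
	unsigned char *decomprbuf = NULL;
	unsigned char *readbuf = NULL;
	int ret = 0;

	ri = jffs2_alloc_raw_inode();
	if (!ri)
		return -ENOMEM;

	ret = jffs2_flash_read(c, ref_offset(fd->raw), sizeof(*ri), &readlen, (char *)ri);
	if (ret) {
		jffs2_free_raw_inode(ri);
		printk(KERN_WARNING "Error reading node from 0x%08x: %d\n", ref_offset(fd->raw), ret);
		return ret;
	}
	if (readlen != sizeof(*ri)) {
		jffs2_free_raw_inode(ri);
		printk(KERN_WARNING "Short read from 0x%08x: wanted 0x%zx bytes, got 0x%zx\n",
		       ref_offset(fd->raw), sizeof(*ri), readlen);
		return -EIO;
	}
	/* The node CRC covers the header minus its two trailing CRC words
	 * (node_crc and data_crc), hence the 8 bytes left out. */
	crc = crc32(0, ri, sizeof(*ri)-8);

	D1(printk(KERN_DEBUG "Node read from %08x: node_crc %08x, calculated CRC %08x. dsize %x, csize %x, offset %x, buf %p\n",
		  ref_offset(fd->raw), je32_to_cpu(ri->node_crc),
		  crc, je32_to_cpu(ri->dsize), je32_to_cpu(ri->csize),
		  je32_to_cpu(ri->offset), buf));
	if (crc != je32_to_cpu(ri->node_crc)) {
		printk(KERN_WARNING "Node CRC %08x != calculated CRC %08x for node at %08x\n",
		       je32_to_cpu(ri->node_crc), crc, ref_offset(fd->raw));
		ret = -EIO;
		goto out_ri;
	}
	/* There was a bug where we wrote hole nodes out with csize/dsize
	   swapped. Deal with it */
	if (ri->compr == JFFS2_COMPR_ZERO && !je32_to_cpu(ri->dsize) &&
	    je32_to_cpu(ri->csize)) {
		ri->dsize = ri->csize;
		ri->csize = cpu_to_je32(0);
	}

	/* Snapshot the sizes only after the hole fix-up above. */
	csize = je32_to_cpu(ri->csize);
	dsize = je32_to_cpu(ri->dsize);

	/* The requested window has to lie inside the node's data. This used
	 * to be checked only under D1(); without it an out-of-range @ofs/@len
	 * reaches the memcpy() at the end and reads past the dsize-byte
	 * scratch buffer. Both operands are made unsigned after the sign
	 * checks, so the sum cannot wrap. */
	if (ofs < 0 || len < 0 || (uint32_t)ofs + (uint32_t)len > dsize) {
		printk(KERN_WARNING "jffs2_read_dnode() asked for %d bytes at %d from %d-byte node\n",
		       len, ofs, dsize);
		ret = -EINVAL;
		goto out_ri;
	}

	/* Hole node: there is no payload on flash, the data is all zeroes. */
	if (ri->compr == JFFS2_COMPR_ZERO) {
		memset(buf, 0, len);
		goto out_ri;
	}

	/* Cases:
	   Reading whole node and it's uncompressed - read directly to buffer provided, check CRC.
	   Reading whole node and it's compressed - read into comprbuf, check CRC and decompress to buffer provided
	   Reading partial node and it's uncompressed - read into readbuf, check CRC, and copy
	   Reading partial node and it's compressed - read into readbuf, check checksum, decompress to decomprbuf and copy
	*/
	/* NOTE(review): the direct-to-@buf path below writes csize bytes into
	 * a buffer the caller sized for len == dsize; nothing here rejects an
	 * uncompressed node whose csize differs from dsize. Presumably the
	 * scan/readinode path enforces csize == dsize for COMPR_NONE — confirm. */
	if (ri->compr == JFFS2_COMPR_NONE && len == dsize) {
		readbuf = buf;
	} else {
		readbuf = kmalloc(csize, GFP_KERNEL);
		if (!readbuf) {
			ret = -ENOMEM;
			goto out_ri;
		}
	}
	if (ri->compr != JFFS2_COMPR_NONE) {
		if (len < dsize) {
			decomprbuf = kmalloc(dsize, GFP_KERNEL);
			if (!decomprbuf) {
				ret = -ENOMEM;
				goto out_readbuf;
			}
		} else {
			decomprbuf = buf;
		}
	} else {
		/* Uncompressed: the raw payload is already the file data. */
		decomprbuf = readbuf;
	}

	D2(printk(KERN_DEBUG "Read %d bytes to %p\n", csize,
		  readbuf));
	ret = jffs2_flash_read(c, (ref_offset(fd->raw)) + sizeof(*ri),
			       csize, &readlen, readbuf);

	/* A short payload read is an I/O error, like a short header read. */
	if (!ret && readlen != csize) {
		printk(KERN_WARNING "Short data read from node at 0x%08x: wanted 0x%x bytes, got 0x%zx\n",
		       ref_offset(fd->raw), csize, readlen);
		ret = -EIO;
	}
	if (ret)
		goto out_decomprbuf;

	/* The data CRC is taken over the on-flash (possibly compressed) bytes. */
	crc = crc32(0, readbuf, csize);
	if (crc != je32_to_cpu(ri->data_crc)) {
		printk(KERN_WARNING "Data CRC %08x != calculated CRC %08x for node at %08x\n",
		       je32_to_cpu(ri->data_crc), crc, ref_offset(fd->raw));
		ret = -EIO;
		goto out_decomprbuf;
	}
	D2(printk(KERN_DEBUG "Data CRC matches calculated CRC %08x\n", crc));
	if (ri->compr != JFFS2_COMPR_NONE) {
		D2(printk(KERN_DEBUG "Decompress %d bytes from %p to %d bytes at %p\n",
			  csize, readbuf, dsize, decomprbuf));
		/* The compressor id is the low byte; usercompr rides in the high byte. */
		ret = jffs2_decompress(c, f, ri->compr | (ri->usercompr << 8), readbuf, decomprbuf, csize, dsize);
		if (ret) {
			printk(KERN_WARNING "Error: jffs2_decompress returned %d\n", ret);
			goto out_decomprbuf;
		}
	}

	/* Partial read: the node's data was staged in a scratch buffer, so
	 * copy out the requested window. A whole-node read already landed in @buf. */
	if (len < dsize) {
		memcpy(buf, decomprbuf+ofs, len);
	}
 out_decomprbuf:
	/* The scratch buffers may alias @buf or each other; only free what we own. */
	if(decomprbuf != buf && decomprbuf != readbuf)
		kfree(decomprbuf);
 out_readbuf:
	if(readbuf != buf)
		kfree(readbuf);
 out_ri:
	jffs2_free_raw_inode(ri);

	return ret;
}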
/*
 * jffs2_read_inode_range - read a byte range of an inode into @buf
 * @c:      filesystem superblock info
 * @f:      inode to read from; its fragtree maps file offsets to nodes
 * @buf:    destination, at least @len bytes
 * @offset: file offset to start at
 * @len:    number of bytes to produce
 *
 * Walks the fragtree starting at the frag for @offset. A frag that carries
 * a node has its slice fetched with jffs2_read_dnode(); a frag without a
 * node is a hole and is zero-filled, as is any stretch of the range that
 * no frag covers at all (e.g. a read past the end of the file).
 *
 * NOTE(review): @offset + @len is assumed not to wrap around uint32_t; a
 * wrapping range leaves @buf untouched and returns 0. Presumably callers
 * only pass page-bounded ranges — confirm.
 *
 * Returns 0 on success, or the error from jffs2_read_dnode(); the chunk
 * that failed is zeroed and whatever follows it in @buf is left unwritten.
 */
int jffs2_read_inode_range(struct jffs2_sb_info *c, struct jffs2_inode_info *f,
			   unsigned char *buf, uint32_t offset, uint32_t len)
{
	uint32_t range_end = offset + len;
	struct jffs2_node_frag *cur;
	int err;

	D1(printk(KERN_DEBUG "jffs2_read_inode_range: ino #%u, range 0x%08x-0x%08x\n",
		  f->inocache->ino, offset, offset+len));

	/* The first frag overlapping our range, or perhaps one before it if
	 * we've been asked to read off the end of the file. */
	cur = jffs2_lookup_node_frag(&f->fragtree, offset);

	/* XXX FIXME: Where a single physical node actually shows up in two
	   frags, we read it twice. Don't do that. */
	while (offset < range_end) {
		uint32_t skip, chunk;

		D2(printk(KERN_DEBUG "jffs2_read_inode_range: offset %d, end %d\n", offset, range_end));

		/* Nothing covers @offset: zero-fill up to the next frag, or to
		 * the end of the range when there is no frag ahead of us. */
		if (unlikely(!cur || cur->ofs > offset ||
			     cur->ofs + cur->size <= offset)) {
			uint32_t gap = range_end - offset;

			if (cur && cur->ofs > offset) {
				D1(printk(KERN_NOTICE "Eep. Hole in ino #%u fraglist. frag->ofs = 0x%08x, offset = 0x%08x\n", f->inocache->ino, cur->ofs, offset));
				gap = min(gap, cur->ofs - offset);
			}
			D1(printk(KERN_DEBUG "Filling non-frag hole from %d-%d\n", offset, offset+gap));
			memset(buf, 0, gap);
			buf += gap;
			offset += gap;
			continue;
		}

		/* A frag with no node behind it is an explicit hole. */
		if (unlikely(!cur->node)) {
			uint32_t zero_to = min(range_end, cur->ofs + cur->size);

			D1(printk(KERN_DEBUG "Filling frag hole from %d-%d (frag 0x%x 0x%x)\n", offset, zero_to, cur->ofs, cur->ofs + cur->size));
			memset(buf, 0, zero_to - offset);
			buf += zero_to - offset;
			offset = zero_to;
			cur = frag_next(cur);
			continue;
		}

		/* Data frag: read the overlap between the frag and our range. */
		skip = offset - cur->ofs;
		chunk = min(cur->size - skip, range_end - offset);
		D1(printk(KERN_DEBUG "Reading %d-%d from node at 0x%08x (%d)\n",
			  cur->ofs+skip, cur->ofs+skip+chunk,
			  ref_offset(cur->node->raw), ref_flags(cur->node->raw)));
		/* The frag may start partway into its node, so translate the
		 * file offset into an offset within the node's data. */
		err = jffs2_read_dnode(c, f, cur->node, buf, skip + cur->ofs - cur->node->ofs, chunk);
		D2(printk(KERN_DEBUG "node read done\n"));
		if (err) {
			D1(printk(KERN_DEBUG"jffs2_read_inode_range error %d\n",err));
			memset(buf, 0, chunk);
			return err;
		}
		buf += chunk;
		offset += chunk;
		cur = frag_next(cur);
		D2(printk(KERN_DEBUG "node read was OK. Looping\n"));
	}
	return 0;
}