From 4673a0bffc890b5137d6c20664efad5d01791782 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Rafa=C5=82=20Mi=C5=82ecki?= Date: Thu, 12 Apr 2018 08:25:17 +0200 Subject: [PATCH] kernel: mtd: bcm47xxpart: improve handling TRX partition size MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit This is important fix for flash parsing in some corner cases. In case of TRX subpartition with rootfs being aligned to the flash block size it was incorrectly registered twice. Detecting & registering it as a standalone partition was resulting in an incorrect "firmware" partition size and possibly broken sysupgrade. It wasn't noticed before because "rootfs" alignment depends on a kernel size. It can happen though - depending on the configuration and the kernel size. Signed-off-by: Rafał Miłecki (cherry picked from commit f5195e72c0fcf2949f7d6296a5db081eb58f8e32) --- ...-improve-handling-TRX-partition-size.patch | 65 +++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 target/linux/generic/patches-4.4/141-mtd-bcm47xxpart-improve-handling-TRX-partition-size.patch diff --git a/target/linux/generic/patches-4.4/141-mtd-bcm47xxpart-improve-handling-TRX-partition-size.patch b/target/linux/generic/patches-4.4/141-mtd-bcm47xxpart-improve-handling-TRX-partition-size.patch new file mode 100644 index 0000000000..31acebf50f --- /dev/null +++ b/target/linux/generic/patches-4.4/141-mtd-bcm47xxpart-improve-handling-TRX-partition-size.patch @@ -0,0 +1,65 @@ +From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= +Subject: [PATCH] mtd: bcm47xxpart: improve handling TRX partition size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When bcm47xxpart finds a TRX partition (container) it's supposed to jump +to the end of it and keep looking for more partitions. TRX and its +subpartitions are handled be a separated parser. + +The problem with old code was relying on the length specified in a TRX +header. That isn't reliable as TRX is commonly modified to have checksum +cover only non-changing subpartitions. Otherwise modifying e.g. a rootfs +would result in CRC32 mismatch and bootloader refusing to boot a +firmware. + +Fix it by trying better to figure out a real TRX size. We can securely +assume that TRX has to cover all subpartitions and the last one is at +least of a block size in size. Then compare it with a length field. + +This makes code more optimal & reliable thanks to skipping data that +shouldn't be parsed. + +Signed-off-by: Rafał Miłecki +--- + +--- a/drivers/mtd/bcm47xxpart.c ++++ b/drivers/mtd/bcm47xxpart.c +@@ -268,6 +268,8 @@ static int bcm47xxpart_parse(struct mtd_ + /* TRX */ + if (buf[0x000 / 4] == TRX_MAGIC) { + struct trx_header *trx; ++ uint32_t last_subpart; ++ uint32_t trx_size; + + if (trx_num >= ARRAY_SIZE(trx_parts)) + pr_warn("No enough space to store another TRX found at 0x%X\n", +@@ -277,11 +279,23 @@ static int bcm47xxpart_parse(struct mtd_ + bcm47xxpart_add_part(&parts[curr_part++], "firmware", + offset, 0); + +- /* Jump to the end of TRX */ ++ /* ++ * Try to find TRX size. The "length" field isn't fully ++ * reliable as it could be decreased to make CRC32 cover ++ * only part of TRX data. It's commonly used as checksum ++ * can't cover e.g. ever-changing rootfs partition. ++ * Use offsets as helpers for assuming min TRX size. ++ */ + trx = (struct trx_header *)buf; +- offset = roundup(offset + trx->length, blocksize); +- /* Next loop iteration will increase the offset */ +- offset -= blocksize; ++ last_subpart = max3(trx->offset[0], trx->offset[1], ++ trx->offset[2]); ++ trx_size = max(trx->length, last_subpart + blocksize); ++ ++ /* ++ * Skip the TRX data. Decrease offset by block size as ++ * the next loop iteration will increase it. ++ */ ++ offset += roundup(trx_size, blocksize) - blocksize; + continue; + } + -- 2.30.2