diff --git a/target/linux/generic/patches-4.4/141-mtd-bcm47xxpart-improve-handling-TRX-partition-size.patch b/target/linux/generic/patches-4.4/141-mtd-bcm47xxpart-improve-handling-TRX-partition-size.patch new file mode 100644 index 00000000000..31acebf50fb --- /dev/null +++ b/target/linux/generic/patches-4.4/141-mtd-bcm47xxpart-improve-handling-TRX-partition-size.patch @@ -0,0 +1,65 @@ +From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= +Subject: [PATCH] mtd: bcm47xxpart: improve handling TRX partition size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When bcm47xxpart finds a TRX partition (container) it's supposed to jump +to the end of it and keep looking for more partitions. TRX and its +subpartitions are handled be a separated parser. + +The problem with old code was relying on the length specified in a TRX +header. That isn't reliable as TRX is commonly modified to have checksum +cover only non-changing subpartitions. Otherwise modifying e.g. a rootfs +would result in CRC32 mismatch and bootloader refusing to boot a +firmware. + +Fix it by trying better to figure out a real TRX size. We can securely +assume that TRX has to cover all subpartitions and the last one is at +least of a block size in size. Then compare it with a length field. + +This makes code more optimal & reliable thanks to skipping data that +shouldn't be parsed. + +Signed-off-by: Rafał Miłecki +--- + +--- a/drivers/mtd/bcm47xxpart.c ++++ b/drivers/mtd/bcm47xxpart.c +@@ -268,6 +268,8 @@ static int bcm47xxpart_parse(struct mtd_ + /* TRX */ + if (buf[0x000 / 4] == TRX_MAGIC) { + struct trx_header *trx; ++ uint32_t last_subpart; ++ uint32_t trx_size; + + if (trx_num >= ARRAY_SIZE(trx_parts)) + pr_warn("No enough space to store another TRX found at 0x%X\n", +@@ -277,11 +279,23 @@ static int bcm47xxpart_parse(struct mtd_ + bcm47xxpart_add_part(&parts[curr_part++], "firmware", + offset, 0); + +- /* Jump to the end of TRX */ ++ /* ++ * Try to find TRX size. The "length" field isn't fully ++ * reliable as it could be decreased to make CRC32 cover ++ * only part of TRX data. It's commonly used as checksum ++ * can't cover e.g. ever-changing rootfs partition. ++ * Use offsets as helpers for assuming min TRX size. ++ */ + trx = (struct trx_header *)buf; +- offset = roundup(offset + trx->length, blocksize); +- /* Next loop iteration will increase the offset */ +- offset -= blocksize; ++ last_subpart = max3(trx->offset[0], trx->offset[1], ++ trx->offset[2]); ++ trx_size = max(trx->length, last_subpart + blocksize); ++ ++ /* ++ * Skip the TRX data. Decrease offset by block size as ++ * the next loop iteration will increase it. ++ */ ++ offset += roundup(trx_size, blocksize) - blocksize; + continue; + } +