xref: /openbmc/u-boot/drivers/mtd/ubi/fastmap.c (revision 3dc23f7852158fafde9eb736060f9e8131997f19)
1 /*
2  * Copyright (c) 2012 Linutronix GmbH
3  * Author: Richard Weinberger <richard@nod.at>
4  *
5  * SPDX-License-Identifier:	GPL-2.0+
6  *
7  */
8 
9 #ifndef __UBOOT__
10 #include <linux/crc32.h>
11 #else
12 #include <div64.h>
13 #include <malloc.h>
14 #include <ubi_uboot.h>
15 #endif
16 
17 #include <linux/compat.h>
18 #include <linux/math64.h>
19 #include "ubi.h"
20 
21 /**
22  * ubi_calc_fm_size - calculates the fastmap size in bytes for an UBI device.
23  * @ubi: UBI device description object
24  */
25 size_t ubi_calc_fm_size(struct ubi_device *ubi)
26 {
27 	size_t size;
28 
29 	size = sizeof(struct ubi_fm_hdr) + \
30 		sizeof(struct ubi_fm_scan_pool) + \
31 		sizeof(struct ubi_fm_scan_pool) + \
32 		(ubi->peb_count * sizeof(struct ubi_fm_ec)) + \
33 		(sizeof(struct ubi_fm_eba) + \
34 		(ubi->peb_count * sizeof(__be32))) + \
35 		sizeof(struct ubi_fm_volhdr) * UBI_MAX_VOLUMES;
36 	return roundup(size, ubi->leb_size);
37 }
38 
39 
40 /**
41  * new_fm_vhdr - allocate a new volume header for fastmap usage.
42  * @ubi: UBI device description object
43  * @vol_id: the VID of the new header
44  *
45  * Returns a new struct ubi_vid_hdr on success.
46  * NULL indicates out of memory.
47  */
48 static struct ubi_vid_hdr *new_fm_vhdr(struct ubi_device *ubi, int vol_id)
49 {
50 	struct ubi_vid_hdr *new;
51 
52 	new = ubi_zalloc_vid_hdr(ubi, GFP_KERNEL);
53 	if (!new)
54 		goto out;
55 
56 	new->vol_type = UBI_VID_DYNAMIC;
57 	new->vol_id = cpu_to_be32(vol_id);
58 
59 	/* UBI implementations without fastmap support have to delete the
60 	 * fastmap.
61 	 */
62 	new->compat = UBI_COMPAT_DELETE;
63 
64 out:
65 	return new;
66 }
67 
68 /**
69  * add_aeb - create and add a attach erase block to a given list.
70  * @ai: UBI attach info object
71  * @list: the target list
72  * @pnum: PEB number of the new attach erase block
73  * @ec: erease counter of the new LEB
74  * @scrub: scrub this PEB after attaching
75  *
76  * Returns 0 on success, < 0 indicates an internal error.
77  */
78 static int add_aeb(struct ubi_attach_info *ai, struct list_head *list,
79 		   int pnum, int ec, int scrub)
80 {
81 	struct ubi_ainf_peb *aeb;
82 
83 	aeb = kmem_cache_alloc(ai->aeb_slab_cache, GFP_KERNEL);
84 	if (!aeb)
85 		return -ENOMEM;
86 
87 	aeb->pnum = pnum;
88 	aeb->ec = ec;
89 	aeb->lnum = -1;
90 	aeb->scrub = scrub;
91 	aeb->copy_flag = aeb->sqnum = 0;
92 
93 	ai->ec_sum += aeb->ec;
94 	ai->ec_count++;
95 
96 	if (ai->max_ec < aeb->ec)
97 		ai->max_ec = aeb->ec;
98 
99 	if (ai->min_ec > aeb->ec)
100 		ai->min_ec = aeb->ec;
101 
102 	list_add_tail(&aeb->u.list, list);
103 
104 	return 0;
105 }
106 
107 /**
108  * add_vol - create and add a new volume to ubi_attach_info.
109  * @ai: ubi_attach_info object
110  * @vol_id: VID of the new volume
111  * @used_ebs: number of used EBS
112  * @data_pad: data padding value of the new volume
113  * @vol_type: volume type
114  * @last_eb_bytes: number of bytes in the last LEB
115  *
116  * Returns the new struct ubi_ainf_volume on success.
117  * NULL indicates an error.
118  */
119 static struct ubi_ainf_volume *add_vol(struct ubi_attach_info *ai, int vol_id,
120 				       int used_ebs, int data_pad, u8 vol_type,
121 				       int last_eb_bytes)
122 {
123 	struct ubi_ainf_volume *av;
124 	struct rb_node **p = &ai->volumes.rb_node, *parent = NULL;
125 
126 	while (*p) {
127 		parent = *p;
128 		av = rb_entry(parent, struct ubi_ainf_volume, rb);
129 
130 		if (vol_id > av->vol_id)
131 			p = &(*p)->rb_left;
132 		else if (vol_id > av->vol_id)
133 			p = &(*p)->rb_right;
134 	}
135 
136 	av = kmalloc(sizeof(struct ubi_ainf_volume), GFP_KERNEL);
137 	if (!av)
138 		goto out;
139 
140 	av->highest_lnum = av->leb_count = 0;
141 	av->vol_id = vol_id;
142 	av->used_ebs = used_ebs;
143 	av->data_pad = data_pad;
144 	av->last_data_size = last_eb_bytes;
145 	av->compat = 0;
146 	av->vol_type = vol_type;
147 	av->root = RB_ROOT;
148 
149 	dbg_bld("found volume (ID %i)", vol_id);
150 
151 	rb_link_node(&av->rb, parent, p);
152 	rb_insert_color(&av->rb, &ai->volumes);
153 
154 out:
155 	return av;
156 }
157 
158 /**
159  * assign_aeb_to_av - assigns a SEB to a given ainf_volume and removes it
160  * from it's original list.
161  * @ai: ubi_attach_info object
162  * @aeb: the to be assigned SEB
163  * @av: target scan volume
164  */
165 static void assign_aeb_to_av(struct ubi_attach_info *ai,
166 			     struct ubi_ainf_peb *aeb,
167 			     struct ubi_ainf_volume *av)
168 {
169 	struct ubi_ainf_peb *tmp_aeb;
170 	struct rb_node **p = &ai->volumes.rb_node, *parent = NULL;
171 
172 	p = &av->root.rb_node;
173 	while (*p) {
174 		parent = *p;
175 
176 		tmp_aeb = rb_entry(parent, struct ubi_ainf_peb, u.rb);
177 		if (aeb->lnum != tmp_aeb->lnum) {
178 			if (aeb->lnum < tmp_aeb->lnum)
179 				p = &(*p)->rb_left;
180 			else
181 				p = &(*p)->rb_right;
182 
183 			continue;
184 		} else
185 			break;
186 	}
187 
188 	list_del(&aeb->u.list);
189 	av->leb_count++;
190 
191 	rb_link_node(&aeb->u.rb, parent, p);
192 	rb_insert_color(&aeb->u.rb, &av->root);
193 }
194 
195 /**
196  * update_vol - inserts or updates a LEB which was found a pool.
197  * @ubi: the UBI device object
198  * @ai: attach info object
199  * @av: the volume this LEB belongs to
200  * @new_vh: the volume header derived from new_aeb
201  * @new_aeb: the AEB to be examined
202  *
203  * Returns 0 on success, < 0 indicates an internal error.
204  */
205 static int update_vol(struct ubi_device *ubi, struct ubi_attach_info *ai,
206 		      struct ubi_ainf_volume *av, struct ubi_vid_hdr *new_vh,
207 		      struct ubi_ainf_peb *new_aeb)
208 {
209 	struct rb_node **p = &av->root.rb_node, *parent = NULL;
210 	struct ubi_ainf_peb *aeb, *victim;
211 	int cmp_res;
212 
213 	while (*p) {
214 		parent = *p;
215 		aeb = rb_entry(parent, struct ubi_ainf_peb, u.rb);
216 
217 		if (be32_to_cpu(new_vh->lnum) != aeb->lnum) {
218 			if (be32_to_cpu(new_vh->lnum) < aeb->lnum)
219 				p = &(*p)->rb_left;
220 			else
221 				p = &(*p)->rb_right;
222 
223 			continue;
224 		}
225 
226 		/* This case can happen if the fastmap gets written
227 		 * because of a volume change (creation, deletion, ..).
228 		 * Then a PEB can be within the persistent EBA and the pool.
229 		 */
230 		if (aeb->pnum == new_aeb->pnum) {
231 			ubi_assert(aeb->lnum == new_aeb->lnum);
232 			kmem_cache_free(ai->aeb_slab_cache, new_aeb);
233 
234 			return 0;
235 		}
236 
237 		cmp_res = ubi_compare_lebs(ubi, aeb, new_aeb->pnum, new_vh);
238 		if (cmp_res < 0)
239 			return cmp_res;
240 
241 		/* new_aeb is newer */
242 		if (cmp_res & 1) {
243 			victim = kmem_cache_alloc(ai->aeb_slab_cache,
244 				GFP_KERNEL);
245 			if (!victim)
246 				return -ENOMEM;
247 
248 			victim->ec = aeb->ec;
249 			victim->pnum = aeb->pnum;
250 			list_add_tail(&victim->u.list, &ai->erase);
251 
252 			if (av->highest_lnum == be32_to_cpu(new_vh->lnum))
253 				av->last_data_size = \
254 					be32_to_cpu(new_vh->data_size);
255 
256 			dbg_bld("vol %i: AEB %i's PEB %i is the newer",
257 				av->vol_id, aeb->lnum, new_aeb->pnum);
258 
259 			aeb->ec = new_aeb->ec;
260 			aeb->pnum = new_aeb->pnum;
261 			aeb->copy_flag = new_vh->copy_flag;
262 			aeb->scrub = new_aeb->scrub;
263 			kmem_cache_free(ai->aeb_slab_cache, new_aeb);
264 
265 		/* new_aeb is older */
266 		} else {
267 			dbg_bld("vol %i: AEB %i's PEB %i is old, dropping it",
268 				av->vol_id, aeb->lnum, new_aeb->pnum);
269 			list_add_tail(&new_aeb->u.list, &ai->erase);
270 		}
271 
272 		return 0;
273 	}
274 	/* This LEB is new, let's add it to the volume */
275 
276 	if (av->highest_lnum <= be32_to_cpu(new_vh->lnum)) {
277 		av->highest_lnum = be32_to_cpu(new_vh->lnum);
278 		av->last_data_size = be32_to_cpu(new_vh->data_size);
279 	}
280 
281 	if (av->vol_type == UBI_STATIC_VOLUME)
282 		av->used_ebs = be32_to_cpu(new_vh->used_ebs);
283 
284 	av->leb_count++;
285 
286 	rb_link_node(&new_aeb->u.rb, parent, p);
287 	rb_insert_color(&new_aeb->u.rb, &av->root);
288 
289 	return 0;
290 }
291 
292 /**
293  * process_pool_aeb - we found a non-empty PEB in a pool.
294  * @ubi: UBI device object
295  * @ai: attach info object
296  * @new_vh: the volume header derived from new_aeb
297  * @new_aeb: the AEB to be examined
298  *
299  * Returns 0 on success, < 0 indicates an internal error.
300  */
301 static int process_pool_aeb(struct ubi_device *ubi, struct ubi_attach_info *ai,
302 			    struct ubi_vid_hdr *new_vh,
303 			    struct ubi_ainf_peb *new_aeb)
304 {
305 	struct ubi_ainf_volume *av, *tmp_av = NULL;
306 	struct rb_node **p = &ai->volumes.rb_node, *parent = NULL;
307 	int found = 0;
308 
309 	if (be32_to_cpu(new_vh->vol_id) == UBI_FM_SB_VOLUME_ID ||
310 		be32_to_cpu(new_vh->vol_id) == UBI_FM_DATA_VOLUME_ID) {
311 		kmem_cache_free(ai->aeb_slab_cache, new_aeb);
312 
313 		return 0;
314 	}
315 
316 	/* Find the volume this SEB belongs to */
317 	while (*p) {
318 		parent = *p;
319 		tmp_av = rb_entry(parent, struct ubi_ainf_volume, rb);
320 
321 		if (be32_to_cpu(new_vh->vol_id) > tmp_av->vol_id)
322 			p = &(*p)->rb_left;
323 		else if (be32_to_cpu(new_vh->vol_id) < tmp_av->vol_id)
324 			p = &(*p)->rb_right;
325 		else {
326 			found = 1;
327 			break;
328 		}
329 	}
330 
331 	if (found)
332 		av = tmp_av;
333 	else {
334 		ubi_err("orphaned volume in fastmap pool!");
335 		return UBI_BAD_FASTMAP;
336 	}
337 
338 	ubi_assert(be32_to_cpu(new_vh->vol_id) == av->vol_id);
339 
340 	return update_vol(ubi, ai, av, new_vh, new_aeb);
341 }
342 
343 /**
344  * unmap_peb - unmap a PEB.
345  * If fastmap detects a free PEB in the pool it has to check whether
346  * this PEB has been unmapped after writing the fastmap.
347  *
348  * @ai: UBI attach info object
349  * @pnum: The PEB to be unmapped
350  */
351 static void unmap_peb(struct ubi_attach_info *ai, int pnum)
352 {
353 	struct ubi_ainf_volume *av;
354 	struct rb_node *node, *node2;
355 	struct ubi_ainf_peb *aeb;
356 
357 	for (node = rb_first(&ai->volumes); node; node = rb_next(node)) {
358 		av = rb_entry(node, struct ubi_ainf_volume, rb);
359 
360 		for (node2 = rb_first(&av->root); node2;
361 		     node2 = rb_next(node2)) {
362 			aeb = rb_entry(node2, struct ubi_ainf_peb, u.rb);
363 			if (aeb->pnum == pnum) {
364 				rb_erase(&aeb->u.rb, &av->root);
365 				kmem_cache_free(ai->aeb_slab_cache, aeb);
366 				return;
367 			}
368 		}
369 	}
370 }
371 
372 /**
373  * scan_pool - scans a pool for changed (no longer empty PEBs).
374  * @ubi: UBI device object
375  * @ai: attach info object
376  * @pebs: an array of all PEB numbers in the to be scanned pool
377  * @pool_size: size of the pool (number of entries in @pebs)
378  * @max_sqnum: pointer to the maximal sequence number
379  * @eba_orphans: list of PEBs which need to be scanned
380  * @free: list of PEBs which are most likely free (and go into @ai->free)
381  *
382  * Returns 0 on success, if the pool is unusable UBI_BAD_FASTMAP is returned.
383  * < 0 indicates an internal error.
384  */
385 #ifndef __UBOOT__
386 static int scan_pool(struct ubi_device *ubi, struct ubi_attach_info *ai,
387 		     int *pebs, int pool_size, unsigned long long *max_sqnum,
388 		     struct list_head *eba_orphans, struct list_head *freef)
389 #else
390 static int scan_pool(struct ubi_device *ubi, struct ubi_attach_info *ai,
391 		     __be32 *pebs, int pool_size, unsigned long long *max_sqnum,
392 		     struct list_head *eba_orphans, struct list_head *freef)
393 #endif
394 {
395 	struct ubi_vid_hdr *vh;
396 	struct ubi_ec_hdr *ech;
397 	struct ubi_ainf_peb *new_aeb, *tmp_aeb;
398 	int i, pnum, err, found_orphan, ret = 0;
399 
400 	ech = kzalloc(ubi->ec_hdr_alsize, GFP_KERNEL);
401 	if (!ech)
402 		return -ENOMEM;
403 
404 	vh = ubi_zalloc_vid_hdr(ubi, GFP_KERNEL);
405 	if (!vh) {
406 		kfree(ech);
407 		return -ENOMEM;
408 	}
409 
410 	dbg_bld("scanning fastmap pool: size = %i", pool_size);
411 
412 	/*
413 	 * Now scan all PEBs in the pool to find changes which have been made
414 	 * after the creation of the fastmap
415 	 */
416 	for (i = 0; i < pool_size; i++) {
417 		int scrub = 0;
418 		int image_seq;
419 
420 		pnum = be32_to_cpu(pebs[i]);
421 
422 		if (ubi_io_is_bad(ubi, pnum)) {
423 			ubi_err("bad PEB in fastmap pool!");
424 			ret = UBI_BAD_FASTMAP;
425 			goto out;
426 		}
427 
428 		err = ubi_io_read_ec_hdr(ubi, pnum, ech, 0);
429 		if (err && err != UBI_IO_BITFLIPS) {
430 			ubi_err("unable to read EC header! PEB:%i err:%i",
431 				pnum, err);
432 			ret = err > 0 ? UBI_BAD_FASTMAP : err;
433 			goto out;
434 		} else if (ret == UBI_IO_BITFLIPS)
435 			scrub = 1;
436 
437 		/*
438 		 * Older UBI implementations have image_seq set to zero, so
439 		 * we shouldn't fail if image_seq == 0.
440 		 */
441 		image_seq = be32_to_cpu(ech->image_seq);
442 
443 		if (image_seq && (image_seq != ubi->image_seq)) {
444 			ubi_err("bad image seq: 0x%x, expected: 0x%x",
445 				be32_to_cpu(ech->image_seq), ubi->image_seq);
446 			ret = UBI_BAD_FASTMAP;
447 			goto out;
448 		}
449 
450 		err = ubi_io_read_vid_hdr(ubi, pnum, vh, 0);
451 		if (err == UBI_IO_FF || err == UBI_IO_FF_BITFLIPS) {
452 			unsigned long long ec = be64_to_cpu(ech->ec);
453 			unmap_peb(ai, pnum);
454 			dbg_bld("Adding PEB to free: %i", pnum);
455 			if (err == UBI_IO_FF_BITFLIPS)
456 				add_aeb(ai, freef, pnum, ec, 1);
457 			else
458 				add_aeb(ai, freef, pnum, ec, 0);
459 			continue;
460 		} else if (err == 0 || err == UBI_IO_BITFLIPS) {
461 			dbg_bld("Found non empty PEB:%i in pool", pnum);
462 
463 			if (err == UBI_IO_BITFLIPS)
464 				scrub = 1;
465 
466 			found_orphan = 0;
467 			list_for_each_entry(tmp_aeb, eba_orphans, u.list) {
468 				if (tmp_aeb->pnum == pnum) {
469 					found_orphan = 1;
470 					break;
471 				}
472 			}
473 			if (found_orphan) {
474 				list_del(&tmp_aeb->u.list);
475 				kmem_cache_free(ai->aeb_slab_cache, tmp_aeb);
476 			}
477 
478 			new_aeb = kmem_cache_alloc(ai->aeb_slab_cache,
479 						   GFP_KERNEL);
480 			if (!new_aeb) {
481 				ret = -ENOMEM;
482 				goto out;
483 			}
484 
485 			new_aeb->ec = be64_to_cpu(ech->ec);
486 			new_aeb->pnum = pnum;
487 			new_aeb->lnum = be32_to_cpu(vh->lnum);
488 			new_aeb->sqnum = be64_to_cpu(vh->sqnum);
489 			new_aeb->copy_flag = vh->copy_flag;
490 			new_aeb->scrub = scrub;
491 
492 			if (*max_sqnum < new_aeb->sqnum)
493 				*max_sqnum = new_aeb->sqnum;
494 
495 			err = process_pool_aeb(ubi, ai, vh, new_aeb);
496 			if (err) {
497 				ret = err > 0 ? UBI_BAD_FASTMAP : err;
498 				goto out;
499 			}
500 		} else {
501 			/* We are paranoid and fall back to scanning mode */
502 			ubi_err("fastmap pool PEBs contains damaged PEBs!");
503 			ret = err > 0 ? UBI_BAD_FASTMAP : err;
504 			goto out;
505 		}
506 
507 	}
508 
509 out:
510 	ubi_free_vid_hdr(ubi, vh);
511 	kfree(ech);
512 	return ret;
513 }
514 
515 /**
516  * count_fastmap_pebs - Counts the PEBs found by fastmap.
517  * @ai: The UBI attach info object
518  */
519 static int count_fastmap_pebs(struct ubi_attach_info *ai)
520 {
521 	struct ubi_ainf_peb *aeb;
522 	struct ubi_ainf_volume *av;
523 	struct rb_node *rb1, *rb2;
524 	int n = 0;
525 
526 	list_for_each_entry(aeb, &ai->erase, u.list)
527 		n++;
528 
529 	list_for_each_entry(aeb, &ai->free, u.list)
530 		n++;
531 
532 	 ubi_rb_for_each_entry(rb1, av, &ai->volumes, rb)
533 		ubi_rb_for_each_entry(rb2, aeb, &av->root, u.rb)
534 			n++;
535 
536 	return n;
537 }
538 
539 /**
540  * ubi_attach_fastmap - creates ubi_attach_info from a fastmap.
541  * @ubi: UBI device object
542  * @ai: UBI attach info object
543  * @fm: the fastmap to be attached
544  *
545  * Returns 0 on success, UBI_BAD_FASTMAP if the found fastmap was unusable.
546  * < 0 indicates an internal error.
547  */
548 static int ubi_attach_fastmap(struct ubi_device *ubi,
549 			      struct ubi_attach_info *ai,
550 			      struct ubi_fastmap_layout *fm)
551 {
552 	struct list_head used, eba_orphans, freef;
553 	struct ubi_ainf_volume *av;
554 	struct ubi_ainf_peb *aeb, *tmp_aeb, *_tmp_aeb;
555 	struct ubi_ec_hdr *ech;
556 	struct ubi_fm_sb *fmsb;
557 	struct ubi_fm_hdr *fmhdr;
558 	struct ubi_fm_scan_pool *fmpl1, *fmpl2;
559 	struct ubi_fm_ec *fmec;
560 	struct ubi_fm_volhdr *fmvhdr;
561 	struct ubi_fm_eba *fm_eba;
562 	int ret, i, j, pool_size, wl_pool_size;
563 	size_t fm_pos = 0, fm_size = ubi->fm_size;
564 	unsigned long long max_sqnum = 0;
565 	void *fm_raw = ubi->fm_buf;
566 
567 	INIT_LIST_HEAD(&used);
568 	INIT_LIST_HEAD(&freef);
569 	INIT_LIST_HEAD(&eba_orphans);
570 	INIT_LIST_HEAD(&ai->corr);
571 	INIT_LIST_HEAD(&ai->free);
572 	INIT_LIST_HEAD(&ai->erase);
573 	INIT_LIST_HEAD(&ai->alien);
574 	ai->volumes = RB_ROOT;
575 	ai->min_ec = UBI_MAX_ERASECOUNTER;
576 
577 	ai->aeb_slab_cache = kmem_cache_create("ubi_ainf_peb_slab",
578 					       sizeof(struct ubi_ainf_peb),
579 					       0, 0, NULL);
580 	if (!ai->aeb_slab_cache) {
581 		ret = -ENOMEM;
582 		goto fail;
583 	}
584 
585 	fmsb = (struct ubi_fm_sb *)(fm_raw);
586 	ai->max_sqnum = fmsb->sqnum;
587 	fm_pos += sizeof(struct ubi_fm_sb);
588 	if (fm_pos >= fm_size)
589 		goto fail_bad;
590 
591 	fmhdr = (struct ubi_fm_hdr *)(fm_raw + fm_pos);
592 	fm_pos += sizeof(*fmhdr);
593 	if (fm_pos >= fm_size)
594 		goto fail_bad;
595 
596 	if (be32_to_cpu(fmhdr->magic) != UBI_FM_HDR_MAGIC) {
597 		ubi_err("bad fastmap header magic: 0x%x, expected: 0x%x",
598 			be32_to_cpu(fmhdr->magic), UBI_FM_HDR_MAGIC);
599 		goto fail_bad;
600 	}
601 
602 	fmpl1 = (struct ubi_fm_scan_pool *)(fm_raw + fm_pos);
603 	fm_pos += sizeof(*fmpl1);
604 	if (fm_pos >= fm_size)
605 		goto fail_bad;
606 	if (be32_to_cpu(fmpl1->magic) != UBI_FM_POOL_MAGIC) {
607 		ubi_err("bad fastmap pool magic: 0x%x, expected: 0x%x",
608 			be32_to_cpu(fmpl1->magic), UBI_FM_POOL_MAGIC);
609 		goto fail_bad;
610 	}
611 
612 	fmpl2 = (struct ubi_fm_scan_pool *)(fm_raw + fm_pos);
613 	fm_pos += sizeof(*fmpl2);
614 	if (fm_pos >= fm_size)
615 		goto fail_bad;
616 	if (be32_to_cpu(fmpl2->magic) != UBI_FM_POOL_MAGIC) {
617 		ubi_err("bad fastmap pool magic: 0x%x, expected: 0x%x",
618 			be32_to_cpu(fmpl2->magic), UBI_FM_POOL_MAGIC);
619 		goto fail_bad;
620 	}
621 
622 	pool_size = be16_to_cpu(fmpl1->size);
623 	wl_pool_size = be16_to_cpu(fmpl2->size);
624 	fm->max_pool_size = be16_to_cpu(fmpl1->max_size);
625 	fm->max_wl_pool_size = be16_to_cpu(fmpl2->max_size);
626 
627 	if (pool_size > UBI_FM_MAX_POOL_SIZE || pool_size < 0) {
628 		ubi_err("bad pool size: %i", pool_size);
629 		goto fail_bad;
630 	}
631 
632 	if (wl_pool_size > UBI_FM_MAX_POOL_SIZE || wl_pool_size < 0) {
633 		ubi_err("bad WL pool size: %i", wl_pool_size);
634 		goto fail_bad;
635 	}
636 
637 
638 	if (fm->max_pool_size > UBI_FM_MAX_POOL_SIZE ||
639 	    fm->max_pool_size < 0) {
640 		ubi_err("bad maximal pool size: %i", fm->max_pool_size);
641 		goto fail_bad;
642 	}
643 
644 	if (fm->max_wl_pool_size > UBI_FM_MAX_POOL_SIZE ||
645 	    fm->max_wl_pool_size < 0) {
646 		ubi_err("bad maximal WL pool size: %i", fm->max_wl_pool_size);
647 		goto fail_bad;
648 	}
649 
650 	/* read EC values from free list */
651 	for (i = 0; i < be32_to_cpu(fmhdr->free_peb_count); i++) {
652 		fmec = (struct ubi_fm_ec *)(fm_raw + fm_pos);
653 		fm_pos += sizeof(*fmec);
654 		if (fm_pos >= fm_size)
655 			goto fail_bad;
656 
657 		add_aeb(ai, &ai->free, be32_to_cpu(fmec->pnum),
658 			be32_to_cpu(fmec->ec), 0);
659 	}
660 
661 	/* read EC values from used list */
662 	for (i = 0; i < be32_to_cpu(fmhdr->used_peb_count); i++) {
663 		fmec = (struct ubi_fm_ec *)(fm_raw + fm_pos);
664 		fm_pos += sizeof(*fmec);
665 		if (fm_pos >= fm_size)
666 			goto fail_bad;
667 
668 		add_aeb(ai, &used, be32_to_cpu(fmec->pnum),
669 			be32_to_cpu(fmec->ec), 0);
670 	}
671 
672 	/* read EC values from scrub list */
673 	for (i = 0; i < be32_to_cpu(fmhdr->scrub_peb_count); i++) {
674 		fmec = (struct ubi_fm_ec *)(fm_raw + fm_pos);
675 		fm_pos += sizeof(*fmec);
676 		if (fm_pos >= fm_size)
677 			goto fail_bad;
678 
679 		add_aeb(ai, &used, be32_to_cpu(fmec->pnum),
680 			be32_to_cpu(fmec->ec), 1);
681 	}
682 
683 	/* read EC values from erase list */
684 	for (i = 0; i < be32_to_cpu(fmhdr->erase_peb_count); i++) {
685 		fmec = (struct ubi_fm_ec *)(fm_raw + fm_pos);
686 		fm_pos += sizeof(*fmec);
687 		if (fm_pos >= fm_size)
688 			goto fail_bad;
689 
690 		add_aeb(ai, &ai->erase, be32_to_cpu(fmec->pnum),
691 			be32_to_cpu(fmec->ec), 1);
692 	}
693 
694 	ai->mean_ec = div_u64(ai->ec_sum, ai->ec_count);
695 	ai->bad_peb_count = be32_to_cpu(fmhdr->bad_peb_count);
696 
697 	/* Iterate over all volumes and read their EBA table */
698 	for (i = 0; i < be32_to_cpu(fmhdr->vol_count); i++) {
699 		fmvhdr = (struct ubi_fm_volhdr *)(fm_raw + fm_pos);
700 		fm_pos += sizeof(*fmvhdr);
701 		if (fm_pos >= fm_size)
702 			goto fail_bad;
703 
704 		if (be32_to_cpu(fmvhdr->magic) != UBI_FM_VHDR_MAGIC) {
705 			ubi_err("bad fastmap vol header magic: 0x%x, " \
706 				"expected: 0x%x",
707 				be32_to_cpu(fmvhdr->magic), UBI_FM_VHDR_MAGIC);
708 			goto fail_bad;
709 		}
710 
711 		av = add_vol(ai, be32_to_cpu(fmvhdr->vol_id),
712 			     be32_to_cpu(fmvhdr->used_ebs),
713 			     be32_to_cpu(fmvhdr->data_pad),
714 			     fmvhdr->vol_type,
715 			     be32_to_cpu(fmvhdr->last_eb_bytes));
716 
717 		if (!av)
718 			goto fail_bad;
719 
720 		ai->vols_found++;
721 		if (ai->highest_vol_id < be32_to_cpu(fmvhdr->vol_id))
722 			ai->highest_vol_id = be32_to_cpu(fmvhdr->vol_id);
723 
724 		fm_eba = (struct ubi_fm_eba *)(fm_raw + fm_pos);
725 		fm_pos += sizeof(*fm_eba);
726 		fm_pos += (sizeof(__be32) * be32_to_cpu(fm_eba->reserved_pebs));
727 		if (fm_pos >= fm_size)
728 			goto fail_bad;
729 
730 		if (be32_to_cpu(fm_eba->magic) != UBI_FM_EBA_MAGIC) {
731 			ubi_err("bad fastmap EBA header magic: 0x%x, " \
732 				"expected: 0x%x",
733 				be32_to_cpu(fm_eba->magic), UBI_FM_EBA_MAGIC);
734 			goto fail_bad;
735 		}
736 
737 		for (j = 0; j < be32_to_cpu(fm_eba->reserved_pebs); j++) {
738 			int pnum = be32_to_cpu(fm_eba->pnum[j]);
739 
740 			if ((int)be32_to_cpu(fm_eba->pnum[j]) < 0)
741 				continue;
742 
743 			aeb = NULL;
744 			list_for_each_entry(tmp_aeb, &used, u.list) {
745 				if (tmp_aeb->pnum == pnum) {
746 					aeb = tmp_aeb;
747 					break;
748 				}
749 			}
750 
751 			/* This can happen if a PEB is already in an EBA known
752 			 * by this fastmap but the PEB itself is not in the used
753 			 * list.
754 			 * In this case the PEB can be within the fastmap pool
755 			 * or while writing the fastmap it was in the protection
756 			 * queue.
757 			 */
758 			if (!aeb) {
759 				aeb = kmem_cache_alloc(ai->aeb_slab_cache,
760 						       GFP_KERNEL);
761 				if (!aeb) {
762 					ret = -ENOMEM;
763 
764 					goto fail;
765 				}
766 
767 				aeb->lnum = j;
768 				aeb->pnum = be32_to_cpu(fm_eba->pnum[j]);
769 				aeb->ec = -1;
770 				aeb->scrub = aeb->copy_flag = aeb->sqnum = 0;
771 				list_add_tail(&aeb->u.list, &eba_orphans);
772 				continue;
773 			}
774 
775 			aeb->lnum = j;
776 
777 			if (av->highest_lnum <= aeb->lnum)
778 				av->highest_lnum = aeb->lnum;
779 
780 			assign_aeb_to_av(ai, aeb, av);
781 
782 			dbg_bld("inserting PEB:%i (LEB %i) to vol %i",
783 				aeb->pnum, aeb->lnum, av->vol_id);
784 		}
785 
786 		ech = kzalloc(ubi->ec_hdr_alsize, GFP_KERNEL);
787 		if (!ech) {
788 			ret = -ENOMEM;
789 			goto fail;
790 		}
791 
792 		list_for_each_entry_safe(tmp_aeb, _tmp_aeb, &eba_orphans,
793 					 u.list) {
794 			int err;
795 
796 			if (ubi_io_is_bad(ubi, tmp_aeb->pnum)) {
797 				ubi_err("bad PEB in fastmap EBA orphan list");
798 				ret = UBI_BAD_FASTMAP;
799 				kfree(ech);
800 				goto fail;
801 			}
802 
803 			err = ubi_io_read_ec_hdr(ubi, tmp_aeb->pnum, ech, 0);
804 			if (err && err != UBI_IO_BITFLIPS) {
805 				ubi_err("unable to read EC header! PEB:%i " \
806 					"err:%i", tmp_aeb->pnum, err);
807 				ret = err > 0 ? UBI_BAD_FASTMAP : err;
808 				kfree(ech);
809 
810 				goto fail;
811 			} else if (err == UBI_IO_BITFLIPS)
812 				tmp_aeb->scrub = 1;
813 
814 			tmp_aeb->ec = be64_to_cpu(ech->ec);
815 			assign_aeb_to_av(ai, tmp_aeb, av);
816 		}
817 
818 		kfree(ech);
819 	}
820 
821 	ret = scan_pool(ubi, ai, fmpl1->pebs, pool_size, &max_sqnum,
822 			&eba_orphans, &freef);
823 	if (ret)
824 		goto fail;
825 
826 	ret = scan_pool(ubi, ai, fmpl2->pebs, wl_pool_size, &max_sqnum,
827 			&eba_orphans, &freef);
828 	if (ret)
829 		goto fail;
830 
831 	if (max_sqnum > ai->max_sqnum)
832 		ai->max_sqnum = max_sqnum;
833 
834 	list_for_each_entry_safe(tmp_aeb, _tmp_aeb, &freef, u.list)
835 		list_move_tail(&tmp_aeb->u.list, &ai->free);
836 
837 	ubi_assert(list_empty(&used));
838 	ubi_assert(list_empty(&eba_orphans));
839 	ubi_assert(list_empty(&freef));
840 
841 	/*
842 	 * If fastmap is leaking PEBs (must not happen), raise a
843 	 * fat warning and fall back to scanning mode.
844 	 * We do this here because in ubi_wl_init() it's too late
845 	 * and we cannot fall back to scanning.
846 	 */
847 #ifndef __UBOOT__
848 	if (WARN_ON(count_fastmap_pebs(ai) != ubi->peb_count -
849 		    ai->bad_peb_count - fm->used_blocks))
850 		goto fail_bad;
851 #else
852 	if (count_fastmap_pebs(ai) != ubi->peb_count -
853 		    ai->bad_peb_count - fm->used_blocks) {
854 		WARN_ON(1);
855 		goto fail_bad;
856 	}
857 #endif
858 
859 	return 0;
860 
861 fail_bad:
862 	ret = UBI_BAD_FASTMAP;
863 fail:
864 	list_for_each_entry_safe(tmp_aeb, _tmp_aeb, &used, u.list) {
865 		list_del(&tmp_aeb->u.list);
866 		kmem_cache_free(ai->aeb_slab_cache, tmp_aeb);
867 	}
868 	list_for_each_entry_safe(tmp_aeb, _tmp_aeb, &eba_orphans, u.list) {
869 		list_del(&tmp_aeb->u.list);
870 		kmem_cache_free(ai->aeb_slab_cache, tmp_aeb);
871 	}
872 	list_for_each_entry_safe(tmp_aeb, _tmp_aeb, &freef, u.list) {
873 		list_del(&tmp_aeb->u.list);
874 		kmem_cache_free(ai->aeb_slab_cache, tmp_aeb);
875 	}
876 
877 	return ret;
878 }
879 
880 /**
881  * ubi_scan_fastmap - scan the fastmap.
882  * @ubi: UBI device object
883  * @ai: UBI attach info to be filled
884  * @fm_anchor: The fastmap starts at this PEB
885  *
886  * Returns 0 on success, UBI_NO_FASTMAP if no fastmap was found,
887  * UBI_BAD_FASTMAP if one was found but is not usable.
888  * < 0 indicates an internal error.
889  */
890 int ubi_scan_fastmap(struct ubi_device *ubi, struct ubi_attach_info *ai,
891 		     int fm_anchor)
892 {
893 	struct ubi_fm_sb *fmsb, *fmsb2;
894 	struct ubi_vid_hdr *vh;
895 	struct ubi_ec_hdr *ech;
896 	struct ubi_fastmap_layout *fm;
897 	int i, used_blocks, pnum, ret = 0;
898 	size_t fm_size;
899 	__be32 crc, tmp_crc;
900 	unsigned long long sqnum = 0;
901 
902 	mutex_lock(&ubi->fm_mutex);
903 	memset(ubi->fm_buf, 0, ubi->fm_size);
904 
905 	fmsb = kmalloc(sizeof(*fmsb), GFP_KERNEL);
906 	if (!fmsb) {
907 		ret = -ENOMEM;
908 		goto out;
909 	}
910 
911 	fm = kzalloc(sizeof(*fm), GFP_KERNEL);
912 	if (!fm) {
913 		ret = -ENOMEM;
914 		kfree(fmsb);
915 		goto out;
916 	}
917 
918 	ret = ubi_io_read(ubi, fmsb, fm_anchor, ubi->leb_start, sizeof(*fmsb));
919 	if (ret && ret != UBI_IO_BITFLIPS)
920 		goto free_fm_sb;
921 	else if (ret == UBI_IO_BITFLIPS)
922 		fm->to_be_tortured[0] = 1;
923 
924 	if (be32_to_cpu(fmsb->magic) != UBI_FM_SB_MAGIC) {
925 		ubi_err("bad super block magic: 0x%x, expected: 0x%x",
926 			be32_to_cpu(fmsb->magic), UBI_FM_SB_MAGIC);
927 		ret = UBI_BAD_FASTMAP;
928 		goto free_fm_sb;
929 	}
930 
931 	if (fmsb->version != UBI_FM_FMT_VERSION) {
932 		ubi_err("bad fastmap version: %i, expected: %i",
933 			fmsb->version, UBI_FM_FMT_VERSION);
934 		ret = UBI_BAD_FASTMAP;
935 		goto free_fm_sb;
936 	}
937 
938 	used_blocks = be32_to_cpu(fmsb->used_blocks);
939 	if (used_blocks > UBI_FM_MAX_BLOCKS || used_blocks < 1) {
940 		ubi_err("number of fastmap blocks is invalid: %i", used_blocks);
941 		ret = UBI_BAD_FASTMAP;
942 		goto free_fm_sb;
943 	}
944 
945 	fm_size = ubi->leb_size * used_blocks;
946 	if (fm_size != ubi->fm_size) {
947 		ubi_err("bad fastmap size: %zi, expected: %zi", fm_size,
948 			ubi->fm_size);
949 		ret = UBI_BAD_FASTMAP;
950 		goto free_fm_sb;
951 	}
952 
953 	ech = kzalloc(ubi->ec_hdr_alsize, GFP_KERNEL);
954 	if (!ech) {
955 		ret = -ENOMEM;
956 		goto free_fm_sb;
957 	}
958 
959 	vh = ubi_zalloc_vid_hdr(ubi, GFP_KERNEL);
960 	if (!vh) {
961 		ret = -ENOMEM;
962 		goto free_hdr;
963 	}
964 
965 	for (i = 0; i < used_blocks; i++) {
966 		int image_seq;
967 
968 		pnum = be32_to_cpu(fmsb->block_loc[i]);
969 
970 		if (ubi_io_is_bad(ubi, pnum)) {
971 			ret = UBI_BAD_FASTMAP;
972 			goto free_hdr;
973 		}
974 
975 		ret = ubi_io_read_ec_hdr(ubi, pnum, ech, 0);
976 		if (ret && ret != UBI_IO_BITFLIPS) {
977 			ubi_err("unable to read fastmap block# %i EC (PEB: %i)",
978 				i, pnum);
979 			if (ret > 0)
980 				ret = UBI_BAD_FASTMAP;
981 			goto free_hdr;
982 		} else if (ret == UBI_IO_BITFLIPS)
983 			fm->to_be_tortured[i] = 1;
984 
985 		image_seq = be32_to_cpu(ech->image_seq);
986 		if (!ubi->image_seq)
987 			ubi->image_seq = image_seq;
988 
989 		/*
990 		 * Older UBI implementations have image_seq set to zero, so
991 		 * we shouldn't fail if image_seq == 0.
992 		 */
993 		if (image_seq && (image_seq != ubi->image_seq)) {
994 			ubi_err("wrong image seq:%d instead of %d",
995 				be32_to_cpu(ech->image_seq), ubi->image_seq);
996 			ret = UBI_BAD_FASTMAP;
997 			goto free_hdr;
998 		}
999 
1000 		ret = ubi_io_read_vid_hdr(ubi, pnum, vh, 0);
1001 		if (ret && ret != UBI_IO_BITFLIPS) {
1002 			ubi_err("unable to read fastmap block# %i (PEB: %i)",
1003 				i, pnum);
1004 			goto free_hdr;
1005 		}
1006 
1007 		if (i == 0) {
1008 			if (be32_to_cpu(vh->vol_id) != UBI_FM_SB_VOLUME_ID) {
1009 				ubi_err("bad fastmap anchor vol_id: 0x%x," \
1010 					" expected: 0x%x",
1011 					be32_to_cpu(vh->vol_id),
1012 					UBI_FM_SB_VOLUME_ID);
1013 				ret = UBI_BAD_FASTMAP;
1014 				goto free_hdr;
1015 			}
1016 		} else {
1017 			if (be32_to_cpu(vh->vol_id) != UBI_FM_DATA_VOLUME_ID) {
1018 				ubi_err("bad fastmap data vol_id: 0x%x," \
1019 					" expected: 0x%x",
1020 					be32_to_cpu(vh->vol_id),
1021 					UBI_FM_DATA_VOLUME_ID);
1022 				ret = UBI_BAD_FASTMAP;
1023 				goto free_hdr;
1024 			}
1025 		}
1026 
1027 		if (sqnum < be64_to_cpu(vh->sqnum))
1028 			sqnum = be64_to_cpu(vh->sqnum);
1029 
1030 		ret = ubi_io_read(ubi, ubi->fm_buf + (ubi->leb_size * i), pnum,
1031 				  ubi->leb_start, ubi->leb_size);
1032 		if (ret && ret != UBI_IO_BITFLIPS) {
1033 			ubi_err("unable to read fastmap block# %i (PEB: %i, " \
1034 				"err: %i)", i, pnum, ret);
1035 			goto free_hdr;
1036 		}
1037 	}
1038 
1039 	kfree(fmsb);
1040 	fmsb = NULL;
1041 
1042 	fmsb2 = (struct ubi_fm_sb *)(ubi->fm_buf);
1043 	tmp_crc = be32_to_cpu(fmsb2->data_crc);
1044 	fmsb2->data_crc = 0;
1045 	crc = crc32(UBI_CRC32_INIT, ubi->fm_buf, fm_size);
1046 	if (crc != tmp_crc) {
1047 		ubi_err("fastmap data CRC is invalid");
1048 		ubi_err("CRC should be: 0x%x, calc: 0x%x", tmp_crc, crc);
1049 		ret = UBI_BAD_FASTMAP;
1050 		goto free_hdr;
1051 	}
1052 
1053 	fmsb2->sqnum = sqnum;
1054 
1055 	fm->used_blocks = used_blocks;
1056 
1057 	ret = ubi_attach_fastmap(ubi, ai, fm);
1058 	if (ret) {
1059 		if (ret > 0)
1060 			ret = UBI_BAD_FASTMAP;
1061 		goto free_hdr;
1062 	}
1063 
1064 	for (i = 0; i < used_blocks; i++) {
1065 		struct ubi_wl_entry *e;
1066 
1067 		e = kmem_cache_alloc(ubi_wl_entry_slab, GFP_KERNEL);
1068 		if (!e) {
1069 			while (i--)
1070 				kfree(fm->e[i]);
1071 
1072 			ret = -ENOMEM;
1073 			goto free_hdr;
1074 		}
1075 
1076 		e->pnum = be32_to_cpu(fmsb2->block_loc[i]);
1077 		e->ec = be32_to_cpu(fmsb2->block_ec[i]);
1078 		fm->e[i] = e;
1079 	}
1080 
1081 	ubi->fm = fm;
1082 	ubi->fm_pool.max_size = ubi->fm->max_pool_size;
1083 	ubi->fm_wl_pool.max_size = ubi->fm->max_wl_pool_size;
1084 	ubi_msg("attached by fastmap");
1085 	ubi_msg("fastmap pool size: %d", ubi->fm_pool.max_size);
1086 	ubi_msg("fastmap WL pool size: %d", ubi->fm_wl_pool.max_size);
1087 	ubi->fm_disabled = 0;
1088 
1089 	ubi_free_vid_hdr(ubi, vh);
1090 	kfree(ech);
1091 out:
1092 	mutex_unlock(&ubi->fm_mutex);
1093 	if (ret == UBI_BAD_FASTMAP)
1094 		ubi_err("Attach by fastmap failed, doing a full scan!");
1095 	return ret;
1096 
1097 free_hdr:
1098 	ubi_free_vid_hdr(ubi, vh);
1099 	kfree(ech);
1100 free_fm_sb:
1101 	kfree(fmsb);
1102 	kfree(fm);
1103 	goto out;
1104 }
1105 
1106 /**
1107  * ubi_write_fastmap - writes a fastmap.
1108  * @ubi: UBI device object
1109  * @new_fm: the to be written fastmap
1110  *
1111  * Returns 0 on success, < 0 indicates an internal error.
1112  */
1113 static int ubi_write_fastmap(struct ubi_device *ubi,
1114 			     struct ubi_fastmap_layout *new_fm)
1115 {
1116 	size_t fm_pos = 0;
1117 	void *fm_raw;
1118 	struct ubi_fm_sb *fmsb;
1119 	struct ubi_fm_hdr *fmh;
1120 	struct ubi_fm_scan_pool *fmpl1, *fmpl2;
1121 	struct ubi_fm_ec *fec;
1122 	struct ubi_fm_volhdr *fvh;
1123 	struct ubi_fm_eba *feba;
1124 	struct rb_node *node;
1125 	struct ubi_wl_entry *wl_e;
1126 	struct ubi_volume *vol;
1127 	struct ubi_vid_hdr *avhdr, *dvhdr;
1128 	struct ubi_work *ubi_wrk;
1129 	int ret, i, j, free_peb_count, used_peb_count, vol_count;
1130 	int scrub_peb_count, erase_peb_count;
1131 
1132 	fm_raw = ubi->fm_buf;
1133 	memset(ubi->fm_buf, 0, ubi->fm_size);
1134 
1135 	avhdr = new_fm_vhdr(ubi, UBI_FM_SB_VOLUME_ID);
1136 	if (!avhdr) {
1137 		ret = -ENOMEM;
1138 		goto out;
1139 	}
1140 
1141 	dvhdr = new_fm_vhdr(ubi, UBI_FM_DATA_VOLUME_ID);
1142 	if (!dvhdr) {
1143 		ret = -ENOMEM;
1144 		goto out_kfree;
1145 	}
1146 
1147 	spin_lock(&ubi->volumes_lock);
1148 	spin_lock(&ubi->wl_lock);
1149 
1150 	fmsb = (struct ubi_fm_sb *)fm_raw;
1151 	fm_pos += sizeof(*fmsb);
1152 	ubi_assert(fm_pos <= ubi->fm_size);
1153 
1154 	fmh = (struct ubi_fm_hdr *)(fm_raw + fm_pos);
1155 	fm_pos += sizeof(*fmh);
1156 	ubi_assert(fm_pos <= ubi->fm_size);
1157 
1158 	fmsb->magic = cpu_to_be32(UBI_FM_SB_MAGIC);
1159 	fmsb->version = UBI_FM_FMT_VERSION;
1160 	fmsb->used_blocks = cpu_to_be32(new_fm->used_blocks);
1161 	/* the max sqnum will be filled in while *reading* the fastmap */
1162 	fmsb->sqnum = 0;
1163 
1164 	fmh->magic = cpu_to_be32(UBI_FM_HDR_MAGIC);
1165 	free_peb_count = 0;
1166 	used_peb_count = 0;
1167 	scrub_peb_count = 0;
1168 	erase_peb_count = 0;
1169 	vol_count = 0;
1170 
1171 	fmpl1 = (struct ubi_fm_scan_pool *)(fm_raw + fm_pos);
1172 	fm_pos += sizeof(*fmpl1);
1173 	fmpl1->magic = cpu_to_be32(UBI_FM_POOL_MAGIC);
1174 	fmpl1->size = cpu_to_be16(ubi->fm_pool.size);
1175 	fmpl1->max_size = cpu_to_be16(ubi->fm_pool.max_size);
1176 
1177 	for (i = 0; i < ubi->fm_pool.size; i++)
1178 		fmpl1->pebs[i] = cpu_to_be32(ubi->fm_pool.pebs[i]);
1179 
1180 	fmpl2 = (struct ubi_fm_scan_pool *)(fm_raw + fm_pos);
1181 	fm_pos += sizeof(*fmpl2);
1182 	fmpl2->magic = cpu_to_be32(UBI_FM_POOL_MAGIC);
1183 	fmpl2->size = cpu_to_be16(ubi->fm_wl_pool.size);
1184 	fmpl2->max_size = cpu_to_be16(ubi->fm_wl_pool.max_size);
1185 
1186 	for (i = 0; i < ubi->fm_wl_pool.size; i++)
1187 		fmpl2->pebs[i] = cpu_to_be32(ubi->fm_wl_pool.pebs[i]);
1188 
1189 	for (node = rb_first(&ubi->free); node; node = rb_next(node)) {
1190 		wl_e = rb_entry(node, struct ubi_wl_entry, u.rb);
1191 		fec = (struct ubi_fm_ec *)(fm_raw + fm_pos);
1192 
1193 		fec->pnum = cpu_to_be32(wl_e->pnum);
1194 		fec->ec = cpu_to_be32(wl_e->ec);
1195 
1196 		free_peb_count++;
1197 		fm_pos += sizeof(*fec);
1198 		ubi_assert(fm_pos <= ubi->fm_size);
1199 	}
1200 	fmh->free_peb_count = cpu_to_be32(free_peb_count);
1201 
1202 	for (node = rb_first(&ubi->used); node; node = rb_next(node)) {
1203 		wl_e = rb_entry(node, struct ubi_wl_entry, u.rb);
1204 		fec = (struct ubi_fm_ec *)(fm_raw + fm_pos);
1205 
1206 		fec->pnum = cpu_to_be32(wl_e->pnum);
1207 		fec->ec = cpu_to_be32(wl_e->ec);
1208 
1209 		used_peb_count++;
1210 		fm_pos += sizeof(*fec);
1211 		ubi_assert(fm_pos <= ubi->fm_size);
1212 	}
1213 	fmh->used_peb_count = cpu_to_be32(used_peb_count);
1214 
1215 	for (node = rb_first(&ubi->scrub); node; node = rb_next(node)) {
1216 		wl_e = rb_entry(node, struct ubi_wl_entry, u.rb);
1217 		fec = (struct ubi_fm_ec *)(fm_raw + fm_pos);
1218 
1219 		fec->pnum = cpu_to_be32(wl_e->pnum);
1220 		fec->ec = cpu_to_be32(wl_e->ec);
1221 
1222 		scrub_peb_count++;
1223 		fm_pos += sizeof(*fec);
1224 		ubi_assert(fm_pos <= ubi->fm_size);
1225 	}
1226 	fmh->scrub_peb_count = cpu_to_be32(scrub_peb_count);
1227 
1228 
1229 	list_for_each_entry(ubi_wrk, &ubi->works, list) {
1230 		if (ubi_is_erase_work(ubi_wrk)) {
1231 			wl_e = ubi_wrk->e;
1232 			ubi_assert(wl_e);
1233 
1234 			fec = (struct ubi_fm_ec *)(fm_raw + fm_pos);
1235 
1236 			fec->pnum = cpu_to_be32(wl_e->pnum);
1237 			fec->ec = cpu_to_be32(wl_e->ec);
1238 
1239 			erase_peb_count++;
1240 			fm_pos += sizeof(*fec);
1241 			ubi_assert(fm_pos <= ubi->fm_size);
1242 		}
1243 	}
1244 	fmh->erase_peb_count = cpu_to_be32(erase_peb_count);
1245 
1246 	for (i = 0; i < UBI_MAX_VOLUMES + UBI_INT_VOL_COUNT; i++) {
1247 		vol = ubi->volumes[i];
1248 
1249 		if (!vol)
1250 			continue;
1251 
1252 		vol_count++;
1253 
1254 		fvh = (struct ubi_fm_volhdr *)(fm_raw + fm_pos);
1255 		fm_pos += sizeof(*fvh);
1256 		ubi_assert(fm_pos <= ubi->fm_size);
1257 
1258 		fvh->magic = cpu_to_be32(UBI_FM_VHDR_MAGIC);
1259 		fvh->vol_id = cpu_to_be32(vol->vol_id);
1260 		fvh->vol_type = vol->vol_type;
1261 		fvh->used_ebs = cpu_to_be32(vol->used_ebs);
1262 		fvh->data_pad = cpu_to_be32(vol->data_pad);
1263 		fvh->last_eb_bytes = cpu_to_be32(vol->last_eb_bytes);
1264 
1265 		ubi_assert(vol->vol_type == UBI_DYNAMIC_VOLUME ||
1266 			vol->vol_type == UBI_STATIC_VOLUME);
1267 
1268 		feba = (struct ubi_fm_eba *)(fm_raw + fm_pos);
1269 		fm_pos += sizeof(*feba) + (sizeof(__be32) * vol->reserved_pebs);
1270 		ubi_assert(fm_pos <= ubi->fm_size);
1271 
1272 		for (j = 0; j < vol->reserved_pebs; j++)
1273 			feba->pnum[j] = cpu_to_be32(vol->eba_tbl[j]);
1274 
1275 		feba->reserved_pebs = cpu_to_be32(j);
1276 		feba->magic = cpu_to_be32(UBI_FM_EBA_MAGIC);
1277 	}
1278 	fmh->vol_count = cpu_to_be32(vol_count);
1279 	fmh->bad_peb_count = cpu_to_be32(ubi->bad_peb_count);
1280 
1281 	avhdr->sqnum = cpu_to_be64(ubi_next_sqnum(ubi));
1282 	avhdr->lnum = 0;
1283 
1284 	spin_unlock(&ubi->wl_lock);
1285 	spin_unlock(&ubi->volumes_lock);
1286 
1287 	dbg_bld("writing fastmap SB to PEB %i", new_fm->e[0]->pnum);
1288 	ret = ubi_io_write_vid_hdr(ubi, new_fm->e[0]->pnum, avhdr);
1289 	if (ret) {
1290 		ubi_err("unable to write vid_hdr to fastmap SB!");
1291 		goto out_kfree;
1292 	}
1293 
1294 	for (i = 0; i < new_fm->used_blocks; i++) {
1295 		fmsb->block_loc[i] = cpu_to_be32(new_fm->e[i]->pnum);
1296 		fmsb->block_ec[i] = cpu_to_be32(new_fm->e[i]->ec);
1297 	}
1298 
1299 	fmsb->data_crc = 0;
1300 	fmsb->data_crc = cpu_to_be32(crc32(UBI_CRC32_INIT, fm_raw,
1301 					   ubi->fm_size));
1302 
1303 	for (i = 1; i < new_fm->used_blocks; i++) {
1304 		dvhdr->sqnum = cpu_to_be64(ubi_next_sqnum(ubi));
1305 		dvhdr->lnum = cpu_to_be32(i);
1306 		dbg_bld("writing fastmap data to PEB %i sqnum %llu",
1307 			new_fm->e[i]->pnum, be64_to_cpu(dvhdr->sqnum));
1308 		ret = ubi_io_write_vid_hdr(ubi, new_fm->e[i]->pnum, dvhdr);
1309 		if (ret) {
1310 			ubi_err("unable to write vid_hdr to PEB %i!",
1311 				new_fm->e[i]->pnum);
1312 			goto out_kfree;
1313 		}
1314 	}
1315 
1316 	for (i = 0; i < new_fm->used_blocks; i++) {
1317 		ret = ubi_io_write(ubi, fm_raw + (i * ubi->leb_size),
1318 			new_fm->e[i]->pnum, ubi->leb_start, ubi->leb_size);
1319 		if (ret) {
1320 			ubi_err("unable to write fastmap to PEB %i!",
1321 				new_fm->e[i]->pnum);
1322 			goto out_kfree;
1323 		}
1324 	}
1325 
1326 	ubi_assert(new_fm);
1327 	ubi->fm = new_fm;
1328 
1329 	dbg_bld("fastmap written!");
1330 
1331 out_kfree:
1332 	ubi_free_vid_hdr(ubi, avhdr);
1333 	ubi_free_vid_hdr(ubi, dvhdr);
1334 out:
1335 	return ret;
1336 }
1337 
1338 /**
1339  * erase_block - Manually erase a PEB.
1340  * @ubi: UBI device object
1341  * @pnum: PEB to be erased
1342  *
1343  * Returns the new EC value on success, < 0 indicates an internal error.
1344  */
1345 static int erase_block(struct ubi_device *ubi, int pnum)
1346 {
1347 	int ret;
1348 	struct ubi_ec_hdr *ec_hdr;
1349 	long long ec;
1350 
1351 	ec_hdr = kzalloc(ubi->ec_hdr_alsize, GFP_KERNEL);
1352 	if (!ec_hdr)
1353 		return -ENOMEM;
1354 
1355 	ret = ubi_io_read_ec_hdr(ubi, pnum, ec_hdr, 0);
1356 	if (ret < 0)
1357 		goto out;
1358 	else if (ret && ret != UBI_IO_BITFLIPS) {
1359 		ret = -EINVAL;
1360 		goto out;
1361 	}
1362 
1363 	ret = ubi_io_sync_erase(ubi, pnum, 0);
1364 	if (ret < 0)
1365 		goto out;
1366 
1367 	ec = be64_to_cpu(ec_hdr->ec);
1368 	ec += ret;
1369 	if (ec > UBI_MAX_ERASECOUNTER) {
1370 		ret = -EINVAL;
1371 		goto out;
1372 	}
1373 
1374 	ec_hdr->ec = cpu_to_be64(ec);
1375 	ret = ubi_io_write_ec_hdr(ubi, pnum, ec_hdr);
1376 	if (ret < 0)
1377 		goto out;
1378 
1379 	ret = ec;
1380 out:
1381 	kfree(ec_hdr);
1382 	return ret;
1383 }
1384 
1385 /**
1386  * invalidate_fastmap - destroys a fastmap.
1387  * @ubi: UBI device object
1388  * @fm: the fastmap to be destroyed
1389  *
1390  * Returns 0 on success, < 0 indicates an internal error.
1391  */
1392 static int invalidate_fastmap(struct ubi_device *ubi,
1393 			      struct ubi_fastmap_layout *fm)
1394 {
1395 	int ret;
1396 	struct ubi_vid_hdr *vh;
1397 
1398 	ret = erase_block(ubi, fm->e[0]->pnum);
1399 	if (ret < 0)
1400 		return ret;
1401 
1402 	vh = new_fm_vhdr(ubi, UBI_FM_SB_VOLUME_ID);
1403 	if (!vh)
1404 		return -ENOMEM;
1405 
1406 	/* deleting the current fastmap SB is not enough, an old SB may exist,
1407 	 * so create a (corrupted) SB such that fastmap will find it and fall
1408 	 * back to scanning mode in any case */
1409 	vh->sqnum = cpu_to_be64(ubi_next_sqnum(ubi));
1410 	ret = ubi_io_write_vid_hdr(ubi, fm->e[0]->pnum, vh);
1411 
1412 	return ret;
1413 }
1414 
1415 /**
1416  * ubi_update_fastmap - will be called by UBI if a volume changes or
1417  * a fastmap pool becomes full.
1418  * @ubi: UBI device object
1419  *
1420  * Returns 0 on success, < 0 indicates an internal error.
1421  */
1422 int ubi_update_fastmap(struct ubi_device *ubi)
1423 {
1424 	int ret, i;
1425 	struct ubi_fastmap_layout *new_fm, *old_fm;
1426 	struct ubi_wl_entry *tmp_e;
1427 
1428 	mutex_lock(&ubi->fm_mutex);
1429 
1430 	ubi_refill_pools(ubi);
1431 
1432 	if (ubi->ro_mode || ubi->fm_disabled) {
1433 		mutex_unlock(&ubi->fm_mutex);
1434 		return 0;
1435 	}
1436 
1437 	ret = ubi_ensure_anchor_pebs(ubi);
1438 	if (ret) {
1439 		mutex_unlock(&ubi->fm_mutex);
1440 		return ret;
1441 	}
1442 
1443 	new_fm = kzalloc(sizeof(*new_fm), GFP_KERNEL);
1444 	if (!new_fm) {
1445 		mutex_unlock(&ubi->fm_mutex);
1446 		return -ENOMEM;
1447 	}
1448 
1449 	new_fm->used_blocks = ubi->fm_size / ubi->leb_size;
1450 
1451 	for (i = 0; i < new_fm->used_blocks; i++) {
1452 		new_fm->e[i] = kmem_cache_alloc(ubi_wl_entry_slab, GFP_KERNEL);
1453 		if (!new_fm->e[i]) {
1454 			while (i--)
1455 				kfree(new_fm->e[i]);
1456 
1457 			kfree(new_fm);
1458 			mutex_unlock(&ubi->fm_mutex);
1459 			return -ENOMEM;
1460 		}
1461 	}
1462 
1463 	old_fm = ubi->fm;
1464 	ubi->fm = NULL;
1465 
1466 	if (new_fm->used_blocks > UBI_FM_MAX_BLOCKS) {
1467 		ubi_err("fastmap too large");
1468 		ret = -ENOSPC;
1469 		goto err;
1470 	}
1471 
1472 	for (i = 1; i < new_fm->used_blocks; i++) {
1473 		spin_lock(&ubi->wl_lock);
1474 		tmp_e = ubi_wl_get_fm_peb(ubi, 0);
1475 		spin_unlock(&ubi->wl_lock);
1476 
1477 		if (!tmp_e && !old_fm) {
1478 			int j;
1479 			ubi_err("could not get any free erase block");
1480 
1481 			for (j = 1; j < i; j++)
1482 				ubi_wl_put_fm_peb(ubi, new_fm->e[j], j, 0);
1483 
1484 			ret = -ENOSPC;
1485 			goto err;
1486 		} else if (!tmp_e && old_fm) {
1487 			ret = erase_block(ubi, old_fm->e[i]->pnum);
1488 			if (ret < 0) {
1489 				int j;
1490 
1491 				for (j = 1; j < i; j++)
1492 					ubi_wl_put_fm_peb(ubi, new_fm->e[j],
1493 							  j, 0);
1494 
1495 				ubi_err("could not erase old fastmap PEB");
1496 				goto err;
1497 			}
1498 
1499 			new_fm->e[i]->pnum = old_fm->e[i]->pnum;
1500 			new_fm->e[i]->ec = old_fm->e[i]->ec;
1501 		} else {
1502 			new_fm->e[i]->pnum = tmp_e->pnum;
1503 			new_fm->e[i]->ec = tmp_e->ec;
1504 
1505 			if (old_fm)
1506 				ubi_wl_put_fm_peb(ubi, old_fm->e[i], i,
1507 						  old_fm->to_be_tortured[i]);
1508 		}
1509 	}
1510 
1511 	spin_lock(&ubi->wl_lock);
1512 	tmp_e = ubi_wl_get_fm_peb(ubi, 1);
1513 	spin_unlock(&ubi->wl_lock);
1514 
1515 	if (old_fm) {
1516 		/* no fresh anchor PEB was found, reuse the old one */
1517 		if (!tmp_e) {
1518 			ret = erase_block(ubi, old_fm->e[0]->pnum);
1519 			if (ret < 0) {
1520 				int i;
1521 				ubi_err("could not erase old anchor PEB");
1522 
1523 				for (i = 1; i < new_fm->used_blocks; i++)
1524 					ubi_wl_put_fm_peb(ubi, new_fm->e[i],
1525 							  i, 0);
1526 				goto err;
1527 			}
1528 
1529 			new_fm->e[0]->pnum = old_fm->e[0]->pnum;
1530 			new_fm->e[0]->ec = ret;
1531 		} else {
1532 			/* we've got a new anchor PEB, return the old one */
1533 			ubi_wl_put_fm_peb(ubi, old_fm->e[0], 0,
1534 					  old_fm->to_be_tortured[0]);
1535 
1536 			new_fm->e[0]->pnum = tmp_e->pnum;
1537 			new_fm->e[0]->ec = tmp_e->ec;
1538 		}
1539 	} else {
1540 		if (!tmp_e) {
1541 			int i;
1542 			ubi_err("could not find any anchor PEB");
1543 
1544 			for (i = 1; i < new_fm->used_blocks; i++)
1545 				ubi_wl_put_fm_peb(ubi, new_fm->e[i], i, 0);
1546 
1547 			ret = -ENOSPC;
1548 			goto err;
1549 		}
1550 
1551 		new_fm->e[0]->pnum = tmp_e->pnum;
1552 		new_fm->e[0]->ec = tmp_e->ec;
1553 	}
1554 
1555 	down_write(&ubi->work_sem);
1556 	down_write(&ubi->fm_sem);
1557 	ret = ubi_write_fastmap(ubi, new_fm);
1558 	up_write(&ubi->fm_sem);
1559 	up_write(&ubi->work_sem);
1560 
1561 	if (ret)
1562 		goto err;
1563 
1564 out_unlock:
1565 	mutex_unlock(&ubi->fm_mutex);
1566 	kfree(old_fm);
1567 	return ret;
1568 
1569 err:
1570 	kfree(new_fm);
1571 
1572 	ubi_warn("Unable to write new fastmap, err=%i", ret);
1573 
1574 	ret = 0;
1575 	if (old_fm) {
1576 		ret = invalidate_fastmap(ubi, old_fm);
1577 		if (ret < 0)
1578 			ubi_err("Unable to invalidiate current fastmap!");
1579 		else if (ret)
1580 			ret = 0;
1581 	}
1582 	goto out_unlock;
1583 }
1584