This pull request contains the following bug fixes for UBI and UBIFS:

- Fix for a stable patch: Fix failure attaching when vid_hdr offset equals to (sub)page size
 - Fix for a deadlock in UBI's worker thread
 -----BEGIN PGP SIGNATURE-----
 
 iQJKBAABCAA0FiEEdgfidid8lnn52cLTZvlZhesYu8EFAmQ66wwWHHJpY2hhcmRA
 c2lnbWEtc3Rhci5hdAAKCRBm+VmF6xi7wUEdD/4j9N9vWsufIixVezlFZM60XAFK
 JmJZ+407gPlbDsmrBAu7u99UF9I6CYEthyKPeVIDwoMis+bR1f189WGGgWz7ImT5
 my3Uuq1WCklzJRdYxjCznaHa6XPCu/RnXYvbqPBFvgIK4fu2Lkem01uhw+7gaw/S
 tU8rwGfTfM8pNhv3LnwyJ8uAZ41uRv1Yaa3irfTZYbapmnCZeQ+XrXPntdOXfOyg
 nR2EdLP7JcnXM7Xemd47gx1AxsJk6Lzl/RTeA7zO+1JWLcz5Lprk0o/5aokz5HUO
 JXUaejhcvrtnDlXAWKhw4FGddGsJRmH3iM536J9It1UZgX5/XNHfYq9MtXhWdhjj
 pDlyEszrYn8LJR3f+uL/jjtc8CjUD0vqGfgCh//6yL3K7OoPRzC6oAxYob5Zxp7D
 xZv+FzWcgXbtqyirQivcY8Z82VAVoIDRPRkjPHzaMg4+8+0gCJ/fvT5nxD/t0t12
 UR9+7VHJ376KCWvYbAXKopOTe93sfWBdezX4z7sOcGRE9UnP35zwB/2cSQgkAXtq
 wtV5fJBTKxFXzG5LvnZVFdQJxe1cAtMBl+ochcRsGIbLy9sTZ7rVggiiGLmeYGEX
 NOxbVuupQHlffVYQ+XTXSQ6C/PCU4NmLmQap/rD5N+PjSMKfiPhnuklt9IWoKfzH
 HW6gFDuAMVUu/aWQmg==
 =s5M1
 -----END PGP SIGNATURE-----

Merge tag 'ubifs-for-linus-6.3-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/ubifs

Pull UBI fixes from Richard Weinberger:

 - Fix failure to attach when vid_hdr offset equals the (sub)page size

 - Fix for a deadlock in UBI's worker thread

* tag 'ubifs-for-linus-6.3-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/ubifs:
  ubi: Fix failure attaching when vid_hdr offset equals to (sub)page size
  ubi: Fix deadlock caused by recursively holding work_sem

drivers/mtd/ubi/build.c

@@ -666,12 +666,6 @@ static int io_init(struct ubi_device *ubi, int max_beb_per1024)
 	ubi->ec_hdr_alsize = ALIGN(UBI_EC_HDR_SIZE, ubi->hdrs_min_io_size);
 	ubi->vid_hdr_alsize = ALIGN(UBI_VID_HDR_SIZE, ubi->hdrs_min_io_size);
 
-	if (ubi->vid_hdr_offset && ((ubi->vid_hdr_offset + UBI_VID_HDR_SIZE) >
-	    ubi->vid_hdr_alsize)) {
-		ubi_err(ubi, "VID header offset %d too large.", ubi->vid_hdr_offset);
-		return -EINVAL;
-	}
-
 	dbg_gen("min_io_size      %d", ubi->min_io_size);
 	dbg_gen("max_write_size   %d", ubi->max_write_size);
 	dbg_gen("hdrs_min_io_size %d", ubi->hdrs_min_io_size);
@@ -689,6 +683,21 @@ static int io_init(struct ubi_device *ubi, int max_beb_per1024)
 						ubi->vid_hdr_aloffset;
 	}
 
+	/*
+	 * Memory allocation for VID header is ubi->vid_hdr_alsize
+	 * which is described in comments in io.c.
+	 * Make sure VID header shift + UBI_VID_HDR_SIZE not exceeds
+	 * ubi->vid_hdr_alsize, so that all vid header operations
+	 * won't access memory out of bounds.
+	 */
+	if ((ubi->vid_hdr_shift + UBI_VID_HDR_SIZE) > ubi->vid_hdr_alsize) {
+		ubi_err(ubi, "Invalid VID header offset %d, VID header shift(%d)"
+			" + VID header size(%zu) > VID header aligned size(%d).",
+			ubi->vid_hdr_offset, ubi->vid_hdr_shift,
+			UBI_VID_HDR_SIZE, ubi->vid_hdr_alsize);
+		return -EINVAL;
+	}
+
 	/* Similar for the data offset */
 	ubi->leb_start = ubi->vid_hdr_offset + UBI_VID_HDR_SIZE;
 	ubi->leb_start = ALIGN(ubi->leb_start, ubi->min_io_size);

drivers/mtd/ubi/wl.c

@@ -575,7 +575,7 @@ static int erase_worker(struct ubi_device *ubi, struct ubi_work *wl_wrk,
  * @vol_id: the volume ID that last used this PEB
  * @lnum: the last used logical eraseblock number for the PEB
  * @torture: if the physical eraseblock has to be tortured
- * @nested: denotes whether the work_sem is already held in read mode
+ * @nested: denotes whether the work_sem is already held
  *
  * This function returns zero in case of success and a %-ENOMEM in case of
  * failure.
@@ -1131,7 +1131,7 @@ static int __erase_worker(struct ubi_device *ubi, struct ubi_work *wl_wrk)
 		int err1;
 
 		/* Re-schedule the LEB for erasure */
-		err1 = schedule_erase(ubi, e, vol_id, lnum, 0, false);
+		err1 = schedule_erase(ubi, e, vol_id, lnum, 0, true);
 		if (err1) {
 			spin_lock(&ubi->wl_lock);
 			wl_entry_destroy(ubi, e);