The function ubi_self_check_all_ff() is defined in file drivers/mtd/ubi/io.c. The comment of this function says that it "returns zero if only 0xFF bytes are present at offset". However, when its call to __vmalloc() returns a NULL pointer, it also returns 0. In this case, the contents are obviously not checked, and we cannot state that "only 0xFF bytes are present at offset". So, returning 0 when __vmalloc() returns a NULL pointer seems improper.

The code related to this bug is summarised as follows.

ubi_self_check_all_ff @@ drivers/mtd/ubi/io.c

/**
 * ubi_self_check_all_ff - check that a region of flash is empty.
 * @ubi: UBI device description object
 * @pnum: the physical eraseblock number to check
 * @offset: the starting offset within the physical eraseblock to check
 * @len: the length of the region to check
 *
 * This function returns zero if only 0xFF bytes are present at offset
 * @offset of the physical eraseblock @pnum, and a negative error code if not
 * or if an error occurred.
 */
int ubi_self_check_all_ff(struct ubi_device *ubi, int pnum, int offset, int len)
{
	size_t read;
	int err;
	void *buf;
	loff_t addr = (loff_t)pnum * ubi->peb_size + offset;

	if (!ubi_dbg_chk_io(ubi))
		return 0;

	buf = __vmalloc(len, GFP_NOFS, PAGE_KERNEL);
	if (!buf) {
		ubi_err(ubi, "cannot allocate memory to check for 0xFFs");
		return 0; // Bug. "return -ENOMEM;" ?
	}
	...
	return 0;

fail:
	ubi_err(ubi, "self-check failed for PEB %d", pnum);
	ubi_msg(ubi, "hex dump of the %d-%d region", offset, offset + len);
	print_hex_dump(KERN_DEBUG, "", DUMP_PREFIX_OFFSET, 32, 1, buf, len, 1);
	err = -EINVAL;
error:
	dump_stack();
	vfree(buf);
	return err;
}

Thanks very much!
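The following user-space model is an added example, not kernel code and not part of the original report. It shows how returning 0 on allocation failure makes a non-empty region indistinguishable from an empty one for the caller. The names model_alloc, alloc_fails, check_all_ff, setup_flash and the flash array are hypothetical, and the sample flash contents are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical hook: set alloc_fails to model __vmalloc() returning NULL. */
static int alloc_fails;
static void *model_alloc(size_t len) { return alloc_fails ? NULL : malloc(len); }

/* Constructed stand-in for one physical eraseblock. */
#define PEB_SIZE 64
static unsigned char flash[PEB_SIZE];

/* Fill the block with 0xFF; optionally leave one non-0xFF byte in it. */
static void setup_flash(int dirty)
{
    memset(flash, 0xFF, sizeof(flash));
    if (dirty)
        flash[10] = 0x00;
}

/*
 * Model of the check. enomem_ret is the value returned when the buffer cannot
 * be allocated: 0 models the code as reported, -ENOMEM models the change the
 * report suggests.
 */
static int check_all_ff(int offset, int len, int enomem_ret)
{
    unsigned char *buf = model_alloc((size_t)len);
    int i, err = 0;

    if (!buf)
        return enomem_ret;              /* the region was never read */

    memcpy(buf, flash + offset, (size_t)len);  /* stands in for the flash read */
    for (i = 0; i < len; i++)
        if (buf[i] != 0xFF) { err = -EINVAL; break; }
    free(buf);
    return err;
}

int main(void)
{
    setup_flash(1);                     /* region is NOT all 0xFF */
    alloc_fails = 1;                    /* and the allocation fails */
    printf("as reported: %d\n", check_all_ff(0, PEB_SIZE, 0));
    printf("with -ENOMEM: %d\n", check_all_ff(0, PEB_SIZE, -ENOMEM));
    return 0;
}
```

With the dirty block and a failing allocator, the first call reports success for a region that was never inspected, while the second lets the caller tell "not checked" apart from "checked and empty".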