From ad286343665cad2135792bcf53117d8344f64b03 Mon Sep 17 00:00:00 2001 From: Kyungmin Park Date: Fri, 23 Mar 2007 10:19:52 +0900 Subject: [MTD] [OneNAND] Fix access the past of the real oobfree array Here it's not the case: all the entries are occupied by OOB chunks. Therefore, once we get into a loop like for (free = this->ecclayout->oobfree; free->length; ++free) { } we might end up scanning past the real oobfree array. Probably the best way out, as the same thing might happen for common NAND as well, is to check index against MTD_MAX_OOBFREE_ENTRIES. Signed-off-by: Kyungmin Park Signed-off-by: David Woodhouse --- drivers/mtd/onenand/onenand_base.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) (limited to 'drivers/mtd/onenand/onenand_base.c') diff --git a/drivers/mtd/onenand/onenand_base.c b/drivers/mtd/onenand/onenand_base.c index 9e14a26ca4e..b8535ad3b61 100644 --- a/drivers/mtd/onenand/onenand_base.c +++ b/drivers/mtd/onenand/onenand_base.c @@ -836,9 +836,11 @@ static int onenand_transfer_auto_oob(struct mtd_info *mtd, uint8_t *buf, int col int readcol = column; int readend = column + thislen; int lastgap = 0; + unsigned int i; uint8_t *oob_buf = this->oob_buf; - for (free = this->ecclayout->oobfree; free->length; ++free) { + free = this->ecclayout->oobfree; + for (i = 0; i < MTD_MAX_OOBFREE_ENTRIES && free->length; i++, free++) { if (readcol >= lastgap) readcol += free->offset - lastgap; if (readend >= lastgap) @@ -846,7 +848,8 @@ static int onenand_transfer_auto_oob(struct mtd_info *mtd, uint8_t *buf, int col lastgap = free->offset + free->length; } this->read_bufferram(mtd, ONENAND_SPARERAM, oob_buf, 0, mtd->oobsize); - for (free = this->ecclayout->oobfree; free->length; ++free) { + free = this->ecclayout->oobfree; + for (i = 0; i < MTD_MAX_OOBFREE_ENTRIES && free->length; i++, free++) { int free_end = free->offset + free->length; if (free->offset < readend && free_end > readcol) { int st = max_t(int,free->offset,readcol); @@ -1280,15 +1283,18 @@ static int onenand_fill_auto_oob(struct mtd_info *mtd, u_char *oob_buf, int writecol = column; int writeend = column + thislen; int lastgap = 0; + unsigned int i; - for (free = this->ecclayout->oobfree; free->length; ++free) { + free = this->ecclayout->oobfree; + for (i = 0; i < MTD_MAX_OOBFREE_ENTRIES && free->length; i++, free++) { if (writecol >= lastgap) writecol += free->offset - lastgap; if (writeend >= lastgap) writeend += free->offset - lastgap; lastgap = free->offset + free->length; } - for (free = this->ecclayout->oobfree; free->length; ++free) { + free = this->ecclayout->oobfree; + for (i = 0; i < MTD_MAX_OOBFREE_ENTRIES && free->length; i++, free++) { int free_end = free->offset + free->length; if (free->offset < writeend && free_end > writecol) { int st = max_t(int,free->offset,writecol); @@ -2386,7 +2392,8 @@ int onenand_scan(struct mtd_info *mtd, int maxchips) * the out of band area */ this->ecclayout->oobavail = 0; - for (i = 0; this->ecclayout->oobfree[i].length; i++) + for (i = 0; i < MTD_MAX_OOBFREE_ENTRIES && + this->ecclayout->oobfree[i].length; i++) this->ecclayout->oobavail += this->ecclayout->oobfree[i].length; mtd->oobavail = this->ecclayout->oobavail; -- cgit v1.2.3 From c36c46d53b2f95bfcbe992cfb541a78ab92310a4 Mon Sep 17 00:00:00 2001 From: Adrian Hunter Date: Fri, 23 Mar 2007 17:16:22 +0900 Subject: [MTD] [OneNAND] Exit loop only when column start with 0 The JFFS2 requests OOB function from column 0. But the oobtest in nand-tests doesn't. So we only exit loop only when column start with 0. Signed-off-by: Adrian Hunter Signed-off-by: Kyungmin Park Signed-off-by: David Woodhouse --- drivers/mtd/onenand/onenand_base.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'drivers/mtd/onenand/onenand_base.c') diff --git a/drivers/mtd/onenand/onenand_base.c b/drivers/mtd/onenand/onenand_base.c index b8535ad3b61..000794c6caf 100644 --- a/drivers/mtd/onenand/onenand_base.c +++ b/drivers/mtd/onenand/onenand_base.c @@ -857,7 +857,7 @@ static int onenand_transfer_auto_oob(struct mtd_info *mtd, uint8_t *buf, int col int n = ed - st; memcpy(buf, oob_buf + st, n); buf += n; - } else + } else if (column == 0) break; } return 0; @@ -1302,7 +1302,7 @@ static int onenand_fill_auto_oob(struct mtd_info *mtd, u_char *oob_buf, int n = ed - st; memcpy(oob_buf + st, buf, n); buf += n; - } else + } else if (column == 0) break; } return 0; -- cgit v1.2.3