[MTD] [OneNAND] Fix access the past of the real oobfree array
Linux-MTD Mailing List
linux-mtd at lists.infradead.org
Wed Apr 25 06:59:01 EDT 2007
Gitweb: http://git.infradead.org/?p=mtd-2.6.git;a=commit;h=ad286343665cad2135792bcf53117d8344f64b03
Commit: ad286343665cad2135792bcf53117d8344f64b03
Parent: c19df27ec7f8b184db867c4490d87f997fdc6e4e
Author: Kyungmin Park <kyungmin.park at samsung.com>
AuthorDate: Fri Mar 23 10:19:52 2007 +0900
Committer: David Woodhouse <dwmw2 at infradead.org>
CommitDate: Wed Apr 25 11:09:23 2007 +0100
[MTD] [OneNAND] Fix access the past of the real oobfree array
Here it's not the case: all the entries are occupied by
OOB chunks. Therefore, once we get into a loop like
for (free = this->ecclayout->oobfree; free->length; ++free) {
}
we might end up scanning past the real oobfree array.
Probably the best way out, as the same thing might happen for common NAND
as well, is to check index against MTD_MAX_OOBFREE_ENTRIES.
Signed-off-by: Kyungmin Park <kyungmin.park at samsung.com>
Signed-off-by: David Woodhouse <dwmw2 at infradead.org>
---
drivers/mtd/onenand/onenand_base.c | 17 ++++++++++++-----
1 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/drivers/mtd/onenand/onenand_base.c b/drivers/mtd/onenand/onenand_base.c
index 9e14a26..b8535ad 100644
--- a/drivers/mtd/onenand/onenand_base.c
+++ b/drivers/mtd/onenand/onenand_base.c
@@ -836,9 +836,11 @@ static int onenand_transfer_auto_oob(struct mtd_info *mtd, uint8_t *buf, int col
int readcol = column;
int readend = column + thislen;
int lastgap = 0;
+ unsigned int i;
uint8_t *oob_buf = this->oob_buf;
- for (free = this->ecclayout->oobfree; free->length; ++free) {
+ free = this->ecclayout->oobfree;
+ for (i = 0; i < MTD_MAX_OOBFREE_ENTRIES && free->length; i++, free++) {
if (readcol >= lastgap)
readcol += free->offset - lastgap;
if (readend >= lastgap)
@@ -846,7 +848,8 @@ static int onenand_transfer_auto_oob(struct mtd_info *mtd, uint8_t *buf, int col
lastgap = free->offset + free->length;
}
this->read_bufferram(mtd, ONENAND_SPARERAM, oob_buf, 0, mtd->oobsize);
- for (free = this->ecclayout->oobfree; free->length; ++free) {
+ free = this->ecclayout->oobfree;
+ for (i = 0; i < MTD_MAX_OOBFREE_ENTRIES && free->length; i++, free++) {
int free_end = free->offset + free->length;
if (free->offset < readend && free_end > readcol) {
int st = max_t(int,free->offset,readcol);
@@ -1280,15 +1283,18 @@ static int onenand_fill_auto_oob(struct mtd_info *mtd, u_char *oob_buf,
int writecol = column;
int writeend = column + thislen;
int lastgap = 0;
+ unsigned int i;
- for (free = this->ecclayout->oobfree; free->length; ++free) {
+ free = this->ecclayout->oobfree;
+ for (i = 0; i < MTD_MAX_OOBFREE_ENTRIES && free->length; i++, free++) {
if (writecol >= lastgap)
writecol += free->offset - lastgap;
if (writeend >= lastgap)
writeend += free->offset - lastgap;
lastgap = free->offset + free->length;
}
- for (free = this->ecclayout->oobfree; free->length; ++free) {
+ free = this->ecclayout->oobfree;
+ for (i = 0; i < MTD_MAX_OOBFREE_ENTRIES && free->length; i++, free++) {
int free_end = free->offset + free->length;
if (free->offset < writeend && free_end > writecol) {
int st = max_t(int,free->offset,writecol);
@@ -2386,7 +2392,8 @@ int onenand_scan(struct mtd_info *mtd, int maxchips)
* the out of band area
*/
this->ecclayout->oobavail = 0;
- for (i = 0; this->ecclayout->oobfree[i].length; i++)
+ for (i = 0; i < MTD_MAX_OOBFREE_ENTRIES &&
+ this->ecclayout->oobfree[i].length; i++)
this->ecclayout->oobavail +=
this->ecclayout->oobfree[i].length;
mtd->oobavail = this->ecclayout->oobavail;
More information about the linux-mtd-cvs
mailing list