NAND buffer overflow

John Lenz jelenz at
Sun Jun 27 04:46:06 EDT 2004

I was getting some wierd errors accessing NAND flash.  I eventually  
traced the problem back to a buffer overflow in nand_read_raw.  This is  
using the current mtd CVS linked into a 2.6.7 kernel.

Here is the senerio.

in nand_bbt.c:nand_memory_bbt function calls create_bbt with
mtd->data_buf.  mtd->data_buf is of size 528

in create_bbt it calls nand_read_raw with the same buffer pointer and a
readlen of 1024. Whups!

nand_read_raw drops into a loop and reads chuncks of pagesize into the  
buffer.  pagesize is 528, but the length to read is 1056, so it calls  
read_buf twice.  The problem is, the second call to read_buf will  
overflow and trash some memory since the buffer it is reading into is  
only 528 bytes.

I have attached the hardware driver I am using in case I am doing  
something wrong...

The actual flash device is a Toshiba NAND 64MiB 3v3, 8-bit.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: sharp_sl.c
Type: text/x-csrc
Size: 4968 bytes
Desc: not available
Url : 

More information about the linux-mtd mailing list