diff options
author | Kyungmin Park <kyungmin.park@samsung.com> | 2007-03-22 21:19:52 -0400 |
---|---|---|
committer | David Woodhouse <dwmw2@infradead.org> | 2007-04-25 06:09:23 -0400 |
commit | ad286343665cad2135792bcf53117d8344f64b03 (patch) | |
tree | b318886702e697d7f1fbd476851ee03e28ebebc9 /drivers/mtd/onenand/onenand_base.c | |
parent | c19df27ec7f8b184db867c4490d87f997fdc6e4e (diff) |
[MTD] [OneNAND] Fix access the past of the real oobfree array
Here it's not the case: all the entries are occupied by
OOB chunks. Therefore, once we get into a loop like
for (free = this->ecclayout->oobfree; free->length; ++free) {
}
we might end up scanning past the real oobfree array.
Probably the best way out, as the same thing might happen for common NAND
as well, is to check index against MTD_MAX_OOBFREE_ENTRIES.
Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Diffstat (limited to 'drivers/mtd/onenand/onenand_base.c')
-rw-r--r-- | drivers/mtd/onenand/onenand_base.c | 17 |
1 files changed, 12 insertions, 5 deletions
diff --git a/drivers/mtd/onenand/onenand_base.c b/drivers/mtd/onenand/onenand_base.c index 9e14a26ca4e8..b8535ad3b614 100644 --- a/drivers/mtd/onenand/onenand_base.c +++ b/drivers/mtd/onenand/onenand_base.c | |||
@@ -836,9 +836,11 @@ static int onenand_transfer_auto_oob(struct mtd_info *mtd, uint8_t *buf, int col | |||
836 | int readcol = column; | 836 | int readcol = column; |
837 | int readend = column + thislen; | 837 | int readend = column + thislen; |
838 | int lastgap = 0; | 838 | int lastgap = 0; |
839 | unsigned int i; | ||
839 | uint8_t *oob_buf = this->oob_buf; | 840 | uint8_t *oob_buf = this->oob_buf; |
840 | 841 | ||
841 | for (free = this->ecclayout->oobfree; free->length; ++free) { | 842 | free = this->ecclayout->oobfree; |
843 | for (i = 0; i < MTD_MAX_OOBFREE_ENTRIES && free->length; i++, free++) { | ||
842 | if (readcol >= lastgap) | 844 | if (readcol >= lastgap) |
843 | readcol += free->offset - lastgap; | 845 | readcol += free->offset - lastgap; |
844 | if (readend >= lastgap) | 846 | if (readend >= lastgap) |
@@ -846,7 +848,8 @@ static int onenand_transfer_auto_oob(struct mtd_info *mtd, uint8_t *buf, int col | |||
846 | lastgap = free->offset + free->length; | 848 | lastgap = free->offset + free->length; |
847 | } | 849 | } |
848 | this->read_bufferram(mtd, ONENAND_SPARERAM, oob_buf, 0, mtd->oobsize); | 850 | this->read_bufferram(mtd, ONENAND_SPARERAM, oob_buf, 0, mtd->oobsize); |
849 | for (free = this->ecclayout->oobfree; free->length; ++free) { | 851 | free = this->ecclayout->oobfree; |
852 | for (i = 0; i < MTD_MAX_OOBFREE_ENTRIES && free->length; i++, free++) { | ||
850 | int free_end = free->offset + free->length; | 853 | int free_end = free->offset + free->length; |
851 | if (free->offset < readend && free_end > readcol) { | 854 | if (free->offset < readend && free_end > readcol) { |
852 | int st = max_t(int,free->offset,readcol); | 855 | int st = max_t(int,free->offset,readcol); |
@@ -1280,15 +1283,18 @@ static int onenand_fill_auto_oob(struct mtd_info *mtd, u_char *oob_buf, | |||
1280 | int writecol = column; | 1283 | int writecol = column; |
1281 | int writeend = column + thislen; | 1284 | int writeend = column + thislen; |
1282 | int lastgap = 0; | 1285 | int lastgap = 0; |
1286 | unsigned int i; | ||
1283 | 1287 | ||
1284 | for (free = this->ecclayout->oobfree; free->length; ++free) { | 1288 | free = this->ecclayout->oobfree; |
1289 | for (i = 0; i < MTD_MAX_OOBFREE_ENTRIES && free->length; i++, free++) { | ||
1285 | if (writecol >= lastgap) | 1290 | if (writecol >= lastgap) |
1286 | writecol += free->offset - lastgap; | 1291 | writecol += free->offset - lastgap; |
1287 | if (writeend >= lastgap) | 1292 | if (writeend >= lastgap) |
1288 | writeend += free->offset - lastgap; | 1293 | writeend += free->offset - lastgap; |
1289 | lastgap = free->offset + free->length; | 1294 | lastgap = free->offset + free->length; |
1290 | } | 1295 | } |
1291 | for (free = this->ecclayout->oobfree; free->length; ++free) { | 1296 | free = this->ecclayout->oobfree; |
1297 | for (i = 0; i < MTD_MAX_OOBFREE_ENTRIES && free->length; i++, free++) { | ||
1292 | int free_end = free->offset + free->length; | 1298 | int free_end = free->offset + free->length; |
1293 | if (free->offset < writeend && free_end > writecol) { | 1299 | if (free->offset < writeend && free_end > writecol) { |
1294 | int st = max_t(int,free->offset,writecol); | 1300 | int st = max_t(int,free->offset,writecol); |
@@ -2386,7 +2392,8 @@ int onenand_scan(struct mtd_info *mtd, int maxchips) | |||
2386 | * the out of band area | 2392 | * the out of band area |
2387 | */ | 2393 | */ |
2388 | this->ecclayout->oobavail = 0; | 2394 | this->ecclayout->oobavail = 0; |
2389 | for (i = 0; this->ecclayout->oobfree[i].length; i++) | 2395 | for (i = 0; i < MTD_MAX_OOBFREE_ENTRIES && |
2396 | this->ecclayout->oobfree[i].length; i++) | ||
2390 | this->ecclayout->oobavail += | 2397 | this->ecclayout->oobavail += |
2391 | this->ecclayout->oobfree[i].length; | 2398 | this->ecclayout->oobfree[i].length; |
2392 | mtd->oobavail = this->ecclayout->oobavail; | 2399 | mtd->oobavail = this->ecclayout->oobavail; |