aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/mtd/onenand/onenand_base.c
diff options
context:
space:
mode:
authorKyungmin Park <kyungmin.park@samsung.com>2007-03-22 21:19:52 -0400
committerDavid Woodhouse <dwmw2@infradead.org>2007-04-25 06:09:23 -0400
commitad286343665cad2135792bcf53117d8344f64b03 (patch)
treeb318886702e697d7f1fbd476851ee03e28ebebc9 /drivers/mtd/onenand/onenand_base.c
parentc19df27ec7f8b184db867c4490d87f997fdc6e4e (diff)
[MTD] [OneNAND] Fix access the past of the real oobfree array
Here it's not the case: all the entries are occupied by OOB chunks. Therefore, once we get into a loop like for (free = this->ecclayout->oobfree; free->length; ++free) { } we might end up scanning past the real oobfree array. Probably the best way out, as the same thing might happen for common NAND as well, is to check index against MTD_MAX_OOBFREE_ENTRIES. Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Diffstat (limited to 'drivers/mtd/onenand/onenand_base.c')
-rw-r--r--drivers/mtd/onenand/onenand_base.c17
1 files changed, 12 insertions, 5 deletions
diff --git a/drivers/mtd/onenand/onenand_base.c b/drivers/mtd/onenand/onenand_base.c
index 9e14a26ca4e8..b8535ad3b614 100644
--- a/drivers/mtd/onenand/onenand_base.c
+++ b/drivers/mtd/onenand/onenand_base.c
@@ -836,9 +836,11 @@ static int onenand_transfer_auto_oob(struct mtd_info *mtd, uint8_t *buf, int col
836 int readcol = column; 836 int readcol = column;
837 int readend = column + thislen; 837 int readend = column + thislen;
838 int lastgap = 0; 838 int lastgap = 0;
839 unsigned int i;
839 uint8_t *oob_buf = this->oob_buf; 840 uint8_t *oob_buf = this->oob_buf;
840 841
841 for (free = this->ecclayout->oobfree; free->length; ++free) { 842 free = this->ecclayout->oobfree;
843 for (i = 0; i < MTD_MAX_OOBFREE_ENTRIES && free->length; i++, free++) {
842 if (readcol >= lastgap) 844 if (readcol >= lastgap)
843 readcol += free->offset - lastgap; 845 readcol += free->offset - lastgap;
844 if (readend >= lastgap) 846 if (readend >= lastgap)
@@ -846,7 +848,8 @@ static int onenand_transfer_auto_oob(struct mtd_info *mtd, uint8_t *buf, int col
846 lastgap = free->offset + free->length; 848 lastgap = free->offset + free->length;
847 } 849 }
848 this->read_bufferram(mtd, ONENAND_SPARERAM, oob_buf, 0, mtd->oobsize); 850 this->read_bufferram(mtd, ONENAND_SPARERAM, oob_buf, 0, mtd->oobsize);
849 for (free = this->ecclayout->oobfree; free->length; ++free) { 851 free = this->ecclayout->oobfree;
852 for (i = 0; i < MTD_MAX_OOBFREE_ENTRIES && free->length; i++, free++) {
850 int free_end = free->offset + free->length; 853 int free_end = free->offset + free->length;
851 if (free->offset < readend && free_end > readcol) { 854 if (free->offset < readend && free_end > readcol) {
852 int st = max_t(int,free->offset,readcol); 855 int st = max_t(int,free->offset,readcol);
@@ -1280,15 +1283,18 @@ static int onenand_fill_auto_oob(struct mtd_info *mtd, u_char *oob_buf,
1280 int writecol = column; 1283 int writecol = column;
1281 int writeend = column + thislen; 1284 int writeend = column + thislen;
1282 int lastgap = 0; 1285 int lastgap = 0;
1286 unsigned int i;
1283 1287
1284 for (free = this->ecclayout->oobfree; free->length; ++free) { 1288 free = this->ecclayout->oobfree;
1289 for (i = 0; i < MTD_MAX_OOBFREE_ENTRIES && free->length; i++, free++) {
1285 if (writecol >= lastgap) 1290 if (writecol >= lastgap)
1286 writecol += free->offset - lastgap; 1291 writecol += free->offset - lastgap;
1287 if (writeend >= lastgap) 1292 if (writeend >= lastgap)
1288 writeend += free->offset - lastgap; 1293 writeend += free->offset - lastgap;
1289 lastgap = free->offset + free->length; 1294 lastgap = free->offset + free->length;
1290 } 1295 }
1291 for (free = this->ecclayout->oobfree; free->length; ++free) { 1296 free = this->ecclayout->oobfree;
1297 for (i = 0; i < MTD_MAX_OOBFREE_ENTRIES && free->length; i++, free++) {
1292 int free_end = free->offset + free->length; 1298 int free_end = free->offset + free->length;
1293 if (free->offset < writeend && free_end > writecol) { 1299 if (free->offset < writeend && free_end > writecol) {
1294 int st = max_t(int,free->offset,writecol); 1300 int st = max_t(int,free->offset,writecol);
@@ -2386,7 +2392,8 @@ int onenand_scan(struct mtd_info *mtd, int maxchips)
2386 * the out of band area 2392 * the out of band area
2387 */ 2393 */
2388 this->ecclayout->oobavail = 0; 2394 this->ecclayout->oobavail = 0;
2389 for (i = 0; this->ecclayout->oobfree[i].length; i++) 2395 for (i = 0; i < MTD_MAX_OOBFREE_ENTRIES &&
2396 this->ecclayout->oobfree[i].length; i++)
2390 this->ecclayout->oobavail += 2397 this->ecclayout->oobavail +=
2391 this->ecclayout->oobfree[i].length; 2398 this->ecclayout->oobfree[i].length;
2392 mtd->oobavail = this->ecclayout->oobavail; 2399 mtd->oobavail = this->ecclayout->oobavail;