diff options
author | Brian Norris <computersforpeace@gmail.com> | 2013-07-24 21:32:07 -0400 |
---|---|---|
committer | Brian Norris <computersforpeace@gmail.com> | 2013-11-07 02:33:04 -0500 |
commit | 778d226a1462572b51d6777cdb1d611543410cb4 (patch) | |
tree | fe6d42396a545b02ee8b8ab7713c55ec9cccd061 /drivers/mtd | |
parent | 7caa4fd29068cccaa7be20914af6d23f261be3eb (diff) |
mtd: m25p80: fix allocation size
This patch fixes two memory errors:
1. During a probe failure (in mtd_device_parse_register?) the command
buffer would not be freed.
2. The command buffer's size is determined based on the 'fast_read'
boolean, but the assignment of fast_read is made after this
allocation. Thus, the buffer may be allocated "too small".
To fix the first, just switch to the devres version of kzalloc.
To fix the second, increase MAX_CMD_SIZE unconditionally. It's not worth
saving a byte to fiddle around with the conditions here.
This problem was reported by Yuhang Wang a while back.
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Reported-by: Yuhang Wang <wangyuhang2014@gmail.com>
Reviewed-by: Sourav Poddar <sourav.poddar@ti.com>
Cc: <stable@vger.kernel.org>
Diffstat (limited to 'drivers/mtd')
-rw-r--r-- | drivers/mtd/devices/m25p80.c | 20 |
1 files changed, 7 insertions, 13 deletions
diff --git a/drivers/mtd/devices/m25p80.c b/drivers/mtd/devices/m25p80.c index 8d6c87be9598..63a95ac89f18 100644 --- a/drivers/mtd/devices/m25p80.c +++ b/drivers/mtd/devices/m25p80.c | |||
@@ -78,7 +78,7 @@ | |||
78 | 78 | ||
79 | /* Define max times to check status register before we give up. */ | 79 | /* Define max times to check status register before we give up. */ |
80 | #define MAX_READY_WAIT_JIFFIES (40 * HZ) /* M25P16 specs 40s max chip erase */ | 80 | #define MAX_READY_WAIT_JIFFIES (40 * HZ) /* M25P16 specs 40s max chip erase */ |
81 | #define MAX_CMD_SIZE 5 | 81 | #define MAX_CMD_SIZE 6 |
82 | 82 | ||
83 | #define JEDEC_MFR(_jedec_id) ((_jedec_id) >> 16) | 83 | #define JEDEC_MFR(_jedec_id) ((_jedec_id) >> 16) |
84 | 84 | ||
@@ -996,15 +996,13 @@ static int m25p_probe(struct spi_device *spi) | |||
996 | } | 996 | } |
997 | } | 997 | } |
998 | 998 | ||
999 | flash = kzalloc(sizeof *flash, GFP_KERNEL); | 999 | flash = devm_kzalloc(&spi->dev, sizeof(*flash), GFP_KERNEL); |
1000 | if (!flash) | 1000 | if (!flash) |
1001 | return -ENOMEM; | 1001 | return -ENOMEM; |
1002 | flash->command = kmalloc(MAX_CMD_SIZE + (flash->fast_read ? 1 : 0), | 1002 | |
1003 | GFP_KERNEL); | 1003 | flash->command = devm_kzalloc(&spi->dev, MAX_CMD_SIZE, GFP_KERNEL); |
1004 | if (!flash->command) { | 1004 | if (!flash->command) |
1005 | kfree(flash); | ||
1006 | return -ENOMEM; | 1005 | return -ENOMEM; |
1007 | } | ||
1008 | 1006 | ||
1009 | flash->spi = spi; | 1007 | flash->spi = spi; |
1010 | mutex_init(&flash->lock); | 1008 | mutex_init(&flash->lock); |
@@ -1137,14 +1135,10 @@ static int m25p_probe(struct spi_device *spi) | |||
1137 | static int m25p_remove(struct spi_device *spi) | 1135 | static int m25p_remove(struct spi_device *spi) |
1138 | { | 1136 | { |
1139 | struct m25p *flash = spi_get_drvdata(spi); | 1137 | struct m25p *flash = spi_get_drvdata(spi); |
1140 | int status; | ||
1141 | 1138 | ||
1142 | /* Clean up MTD stuff. */ | 1139 | /* Clean up MTD stuff. */ |
1143 | status = mtd_device_unregister(&flash->mtd); | 1140 | mtd_device_unregister(&flash->mtd); |
1144 | if (status == 0) { | 1141 | |
1145 | kfree(flash->command); | ||
1146 | kfree(flash); | ||
1147 | } | ||
1148 | return 0; | 1142 | return 0; |
1149 | } | 1143 | } |
1150 | 1144 | ||