authorBrian Norris <computersforpeace@gmail.com>2013-07-24 21:32:07 -0400
committerBrian Norris <computersforpeace@gmail.com>2013-11-07 02:33:04 -0500
commit778d226a1462572b51d6777cdb1d611543410cb4 (patch)
treefe6d42396a545b02ee8b8ab7713c55ec9cccd061 /drivers/mtd
parent7caa4fd29068cccaa7be20914af6d23f261be3eb (diff)
mtd: m25p80: fix allocation size
This patch fixes two memory errors: 1. During a probe failure (in mtd_device_parse_register?) the command buffer would not be freed. 2. The command buffer's size is determined based on the 'fast_read' boolean, but the assignment of fast_read is made after this allocation. Thus, the buffer may be allocated "too small". To fix the first, just switch to the devres version of kzalloc. To fix the second, increase MAX_CMD_SIZE unconditionally. It's not worth saving a byte to fiddle around with the conditions here. This problem was reported by Yuhang Wang a while back. Signed-off-by: Brian Norris <computersforpeace@gmail.com> Reported-by: Yuhang Wang <wangyuhang2014@gmail.com> Reviewed-by: Sourav Poddar <sourav.poddar@ti.com> Cc: <stable@vger.kernel.org>
Diffstat (limited to 'drivers/mtd')
-rw-r--r--drivers/mtd/devices/m25p80.c20
1 files changed, 7 insertions, 13 deletions
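diff --git a/drivers/mtd/devices/m25p80.c b/drivers/mtd/devices/m25p80.c
index 8d6c87be9598..63a95ac89f18 100644
--- a/drivers/mtd/devices/m25p80.c
+++ b/drivers/mtd/devices/m25p80.c
@@ -78,7 +78,7 @@
 
 /* Define max times to check status register before we give up. */
 #define MAX_READY_WAIT_JIFFIES (40 * HZ) /* M25P16 specs 40s max chip erase */
-#define MAX_CMD_SIZE 5
+#define MAX_CMD_SIZE 6
 
 #define JEDEC_MFR(_jedec_id) ((_jedec_id) >> 16)
 
@@ -996,15 +996,13 @@ static int m25p_probe(struct spi_device *spi)
  }
  }
 
- flash = kzalloc(sizeof *flash, GFP_KERNEL);
+ flash = devm_kzalloc(&spi->dev, sizeof(*flash), GFP_KERNEL);
  if (!flash)
  return -ENOMEM;
- flash->command = kmalloc(MAX_CMD_SIZE + (flash->fast_read ? 1 : 0),
- GFP_KERNEL);
- if (!flash->command) {
- kfree(flash);
+
+ flash->command = devm_kzalloc(&spi->dev, MAX_CMD_SIZE, GFP_KERNEL);
+ if (!flash->command)
  return -ENOMEM;
- }
 
  flash->spi = spi;
  mutex_init(&flash->lock);
@@ -1137,14 +1135,10 @@ static int m25p_probe(struct spi_device *spi)
 static int m25p_remove(struct spi_device *spi)
 {
  struct m25p *flash = spi_get_drvdata(spi);
- int status;
 
  /* Clean up MTD stuff. */
- status = mtd_device_unregister(&flash->mtd);
- if (status == 0) {
- kfree(flash->command);
- kfree(flash);
- }
+ mtd_device_unregister(&flash->mtd);
+
  return 0;
 }
 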
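Review bot: In m25p_remove the result of `mtd_device_unregister(&flash->mtd)` is now discarded, whereas the old `if (status == 0)` guard kept `flash` and `flash->command` allocated when unregistration failed. Both buffers are now devres-managed, so they are presumably released once the device is unbound whatever that call returned; if unregistration can still fail (the old check suggests it can), the MTD layer may be left holding a pointer into freed memory. I would at least surface the failure with `return mtd_device_unregister(&flash->mtd);` and add a comment above it such as `/* flash and flash->command are devm-allocated and released after remove() returns */`. Separately, `#define MAX_CMD_SIZE 6` in the first hunk deserves a comment stating which bytes the 6 accounts for, since nothing visible here ties the constant to the command layouts that fill the buffer.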