aboutsummaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorArtem Bityutskiy <artem.bityutskiy@linux.intel.com>2012-02-03 09:23:52 -0500
committerDavid Woodhouse <David.Woodhouse@intel.com>2012-03-26 19:28:18 -0400
commit5def48982b778aaebe201f85af7170b7d0a6619f (patch)
tree2920f1b524698877fab8521ee04349a5e285e47d /drivers
parent8273a0c911d8e068297ef70aa7241ee78db4c712 (diff)
mtd: do not duplicate length and offset checks in drivers
We already verify that offset and length are within the MTD device size in the MTD API functions. Let's remove the duplicated checks in drivers. This patch only affects the following API's: 'mtd_erase()' 'mtd_point()' 'mtd_unpoint()' 'mtd_get_unmapped_area()' 'mtd_read()' 'mtd_write()' 'mtd_panic_write()' 'mtd_lock()' 'mtd_unlock()' 'mtd_is_locked()' 'mtd_block_isbad()' 'mtd_block_markbad()' This patch adds a bit of noise by removing too sparse empty lines, but this is not too bad. Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/mtd/chips/cfi_cmdset_0001.c2
-rw-r--r--drivers/mtd/chips/cfi_cmdset_0020.c9
-rw-r--r--drivers/mtd/chips/cfi_util.c6
-rw-r--r--drivers/mtd/devices/block2mtd.c9
-rw-r--r--drivers/mtd/devices/doc2000.c8
-rw-r--r--drivers/mtd/devices/doc2001.c8
-rw-r--r--drivers/mtd/devices/doc2001plus.c8
-rw-r--r--drivers/mtd/devices/lart.c5
-rw-r--r--drivers/mtd/devices/m25p80.c12
-rw-r--r--drivers/mtd/devices/ms02-nv.c8
-rw-r--r--drivers/mtd/devices/mtd_dataflash.c7
-rw-r--r--drivers/mtd/devices/mtdram.c17
-rw-r--r--drivers/mtd/devices/phram.c23
-rw-r--r--drivers/mtd/devices/pmc551.c38
-rw-r--r--drivers/mtd/devices/slram.c23
-rw-r--r--drivers/mtd/devices/spear_smi.c12
-rw-r--r--drivers/mtd/devices/sst25l.c9
-rw-r--r--drivers/mtd/lpddr/lpddr_cmds.c5
-rw-r--r--drivers/mtd/mtdconcat.c26
-rw-r--r--drivers/mtd/mtdpart.c30
-rw-r--r--drivers/mtd/nand/nand_base.c28
-rw-r--r--drivers/mtd/onenand/onenand_base.c20
-rw-r--r--drivers/mtd/ubi/gluebi.c11
23 files changed, 3 insertions, 321 deletions
diff --git a/drivers/mtd/chips/cfi_cmdset_0001.c b/drivers/mtd/chips/cfi_cmdset_0001.c
index 4d04551cffd7..27008ae8f695 100644
--- a/drivers/mtd/chips/cfi_cmdset_0001.c
+++ b/drivers/mtd/chips/cfi_cmdset_0001.c
@@ -1324,7 +1324,7 @@ static int cfi_intelext_point(struct mtd_info *mtd, loff_t from, size_t len,
1324 int chipnum; 1324 int chipnum;
1325 int ret = 0; 1325 int ret = 0;
1326 1326
1327 if (!map->virt || (from + len > mtd->size)) 1327 if (!map->virt)
1328 return -EINVAL; 1328 return -EINVAL;
1329 1329
1330 /* Now lock the chip(s) to POINT state */ 1330 /* Now lock the chip(s) to POINT state */
diff --git a/drivers/mtd/chips/cfi_cmdset_0020.c b/drivers/mtd/chips/cfi_cmdset_0020.c
index 3861cca97bb0..160402fb65d1 100644
--- a/drivers/mtd/chips/cfi_cmdset_0020.c
+++ b/drivers/mtd/chips/cfi_cmdset_0020.c
@@ -904,12 +904,6 @@ static int cfi_staa_erase_varsize(struct mtd_info *mtd,
904 int i, first; 904 int i, first;
905 struct mtd_erase_region_info *regions = mtd->eraseregions; 905 struct mtd_erase_region_info *regions = mtd->eraseregions;
906 906
907 if (instr->addr > mtd->size)
908 return -EINVAL;
909
910 if ((instr->len + instr->addr) > mtd->size)
911 return -EINVAL;
912
913 /* Check that both start and end of the requested erase are 907 /* Check that both start and end of the requested erase are
914 * aligned with the erasesize at the appropriate addresses. 908 * aligned with the erasesize at the appropriate addresses.
915 */ 909 */
@@ -1155,9 +1149,6 @@ static int cfi_staa_lock(struct mtd_info *mtd, loff_t ofs, uint64_t len)
1155 if (len & (mtd->erasesize -1)) 1149 if (len & (mtd->erasesize -1))
1156 return -EINVAL; 1150 return -EINVAL;
1157 1151
1158 if ((len + ofs) > mtd->size)
1159 return -EINVAL;
1160
1161 chipnum = ofs >> cfi->chipshift; 1152 chipnum = ofs >> cfi->chipshift;
1162 adr = ofs - (chipnum << cfi->chipshift); 1153 adr = ofs - (chipnum << cfi->chipshift);
1163 1154
diff --git a/drivers/mtd/chips/cfi_util.c b/drivers/mtd/chips/cfi_util.c
index 8e464054a631..f992418f40a8 100644
--- a/drivers/mtd/chips/cfi_util.c
+++ b/drivers/mtd/chips/cfi_util.c
@@ -173,12 +173,6 @@ int cfi_varsize_frob(struct mtd_info *mtd, varsize_frob_t frob,
173 int i, first; 173 int i, first;
174 struct mtd_erase_region_info *regions = mtd->eraseregions; 174 struct mtd_erase_region_info *regions = mtd->eraseregions;
175 175
176 if (ofs > mtd->size)
177 return -EINVAL;
178
179 if ((len + ofs) > mtd->size)
180 return -EINVAL;
181
182 /* Check that both start and end of the requested erase are 176 /* Check that both start and end of the requested erase are
183 * aligned with the erasesize at the appropriate addresses. 177 * aligned with the erasesize at the appropriate addresses.
184 */ 178 */
diff --git a/drivers/mtd/devices/block2mtd.c b/drivers/mtd/devices/block2mtd.c
index 0fccf149f5aa..4c2f84c2a7c7 100644
--- a/drivers/mtd/devices/block2mtd.c
+++ b/drivers/mtd/devices/block2mtd.c
@@ -104,11 +104,6 @@ static int block2mtd_read(struct mtd_info *mtd, loff_t from, size_t len,
104 int offset = from & (PAGE_SIZE-1); 104 int offset = from & (PAGE_SIZE-1);
105 int cpylen; 105 int cpylen;
106 106
107 if (from > mtd->size)
108 return -EINVAL;
109 if (from + len > mtd->size)
110 len = mtd->size - from;
111
112 if (retlen) 107 if (retlen)
113 *retlen = 0; 108 *retlen = 0;
114 109
@@ -190,10 +185,6 @@ static int block2mtd_write(struct mtd_info *mtd, loff_t to, size_t len,
190 185
191 if (!len) 186 if (!len)
192 return 0; 187 return 0;
193 if (to >= mtd->size)
194 return -ENOSPC;
195 if (to + len > mtd->size)
196 len = mtd->size - to;
197 188
198 mutex_lock(&dev->write_mutex); 189 mutex_lock(&dev->write_mutex);
199 err = _block2mtd_write(dev, buf, to, len, retlen); 190 err = _block2mtd_write(dev, buf, to, len, retlen);
diff --git a/drivers/mtd/devices/doc2000.c b/drivers/mtd/devices/doc2000.c
index 115d890e9919..ee4ee0b8440d 100644
--- a/drivers/mtd/devices/doc2000.c
+++ b/drivers/mtd/devices/doc2000.c
@@ -602,10 +602,6 @@ static int doc_read(struct mtd_info *mtd, loff_t from, size_t len,
602 int i, len256 = 0, ret=0; 602 int i, len256 = 0, ret=0;
603 size_t left = len; 603 size_t left = len;
604 604
605 /* Don't allow read past end of device */
606 if (from >= this->totlen)
607 return -EINVAL;
608
609 mutex_lock(&this->lock); 605 mutex_lock(&this->lock);
610 606
611 *retlen = 0; 607 *retlen = 0;
@@ -748,10 +744,6 @@ static int doc_write(struct mtd_info *mtd, loff_t to, size_t len,
748 size_t left = len; 744 size_t left = len;
749 int status; 745 int status;
750 746
751 /* Don't allow write past end of device */
752 if (to >= this->totlen)
753 return -EINVAL;
754
755 mutex_lock(&this->lock); 747 mutex_lock(&this->lock);
756 748
757 *retlen = 0; 749 *retlen = 0;
diff --git a/drivers/mtd/devices/doc2001.c b/drivers/mtd/devices/doc2001.c
index b1185f938711..17844155a685 100644
--- a/drivers/mtd/devices/doc2001.c
+++ b/drivers/mtd/devices/doc2001.c
@@ -383,10 +383,6 @@ static int doc_read (struct mtd_info *mtd, loff_t from, size_t len,
383 void __iomem *docptr = this->virtadr; 383 void __iomem *docptr = this->virtadr;
384 struct Nand *mychip = &this->chips[from >> (this->chipshift)]; 384 struct Nand *mychip = &this->chips[from >> (this->chipshift)];
385 385
386 /* Don't allow read past end of device */
387 if (from >= this->totlen)
388 return -EINVAL;
389
390 /* Don't allow a single read to cross a 512-byte block boundary */ 386 /* Don't allow a single read to cross a 512-byte block boundary */
391 if (from + len > ((from | 0x1ff) + 1)) 387 if (from + len > ((from | 0x1ff) + 1))
392 len = ((from | 0x1ff) + 1) - from; 388 len = ((from | 0x1ff) + 1) - from;
@@ -494,10 +490,6 @@ static int doc_write (struct mtd_info *mtd, loff_t to, size_t len,
494 void __iomem *docptr = this->virtadr; 490 void __iomem *docptr = this->virtadr;
495 struct Nand *mychip = &this->chips[to >> (this->chipshift)]; 491 struct Nand *mychip = &this->chips[to >> (this->chipshift)];
496 492
497 /* Don't allow write past end of device */
498 if (to >= this->totlen)
499 return -EINVAL;
500
501#if 0 493#if 0
502 /* Don't allow a single write to cross a 512-byte block boundary */ 494 /* Don't allow a single write to cross a 512-byte block boundary */
503 if (to + len > ( (to | 0x1ff) + 1)) 495 if (to + len > ( (to | 0x1ff) + 1))
diff --git a/drivers/mtd/devices/doc2001plus.c b/drivers/mtd/devices/doc2001plus.c
index c9fbadd3303e..a472bab7ef2b 100644
--- a/drivers/mtd/devices/doc2001plus.c
+++ b/drivers/mtd/devices/doc2001plus.c
@@ -581,10 +581,6 @@ static int doc_read(struct mtd_info *mtd, loff_t from, size_t len,
581 void __iomem * docptr = this->virtadr; 581 void __iomem * docptr = this->virtadr;
582 struct Nand *mychip = &this->chips[from >> (this->chipshift)]; 582 struct Nand *mychip = &this->chips[from >> (this->chipshift)];
583 583
584 /* Don't allow read past end of device */
585 if (from >= this->totlen)
586 return -EINVAL;
587
588 /* Don't allow a single read to cross a 512-byte block boundary */ 584 /* Don't allow a single read to cross a 512-byte block boundary */
589 if (from + len > ((from | 0x1ff) + 1)) 585 if (from + len > ((from | 0x1ff) + 1))
590 len = ((from | 0x1ff) + 1) - from; 586 len = ((from | 0x1ff) + 1) - from;
@@ -700,10 +696,6 @@ static int doc_write(struct mtd_info *mtd, loff_t to, size_t len,
700 void __iomem * docptr = this->virtadr; 696 void __iomem * docptr = this->virtadr;
701 struct Nand *mychip = &this->chips[to >> (this->chipshift)]; 697 struct Nand *mychip = &this->chips[to >> (this->chipshift)];
702 698
703 /* Don't allow write past end of device */
704 if (to >= this->totlen)
705 return -EINVAL;
706
707 /* Don't allow writes which aren't exactly one block (512 bytes) */ 699 /* Don't allow writes which aren't exactly one block (512 bytes) */
708 if ((to & 0x1ff) || (len != 0x200)) 700 if ((to & 0x1ff) || (len != 0x200))
709 return -EINVAL; 701 return -EINVAL;
diff --git a/drivers/mtd/devices/lart.c b/drivers/mtd/devices/lart.c
index 6d6502c2ec35..c9ae60112a90 100644
--- a/drivers/mtd/devices/lart.c
+++ b/drivers/mtd/devices/lart.c
@@ -367,9 +367,6 @@ static int flash_erase (struct mtd_info *mtd,struct erase_info *instr)
367 printk (KERN_DEBUG "%s(addr = 0x%.8x, len = %d)\n", __func__, instr->addr, instr->len); 367 printk (KERN_DEBUG "%s(addr = 0x%.8x, len = %d)\n", __func__, instr->addr, instr->len);
368#endif 368#endif
369 369
370 /* sanity checks */
371 if (instr->addr + instr->len > mtd->size) return (-EINVAL);
372
373 /* 370 /*
374 * check that both start and end of the requested erase are 371 * check that both start and end of the requested erase are
375 * aligned with the erasesize at the appropriate addresses. 372 * aligned with the erasesize at the appropriate addresses.
@@ -442,7 +439,6 @@ static int flash_read (struct mtd_info *mtd,loff_t from,size_t len,size_t *retle
442 439
443 /* sanity checks */ 440 /* sanity checks */
444 if (!len) return (0); 441 if (!len) return (0);
445 if (from + len > mtd->size) return (-EINVAL);
446 442
447 /* we always read len bytes */ 443 /* we always read len bytes */
448 *retlen = len; 444 *retlen = len;
@@ -526,7 +522,6 @@ static int flash_write (struct mtd_info *mtd,loff_t to,size_t len,size_t *retlen
526 522
527 /* sanity checks */ 523 /* sanity checks */
528 if (!len) return (0); 524 if (!len) return (0);
529 if (to + len > mtd->size) return (-EINVAL);
530 525
531 /* first, we write a 0xFF.... padded byte until we reach a dword boundary */ 526 /* first, we write a 0xFF.... padded byte until we reach a dword boundary */
532 if (to & (BUSWIDTH - 1)) 527 if (to & (BUSWIDTH - 1))
diff --git a/drivers/mtd/devices/m25p80.c b/drivers/mtd/devices/m25p80.c
index 8808da9ee31f..0955a8f4fd25 100644
--- a/drivers/mtd/devices/m25p80.c
+++ b/drivers/mtd/devices/m25p80.c
@@ -288,9 +288,6 @@ static int m25p80_erase(struct mtd_info *mtd, struct erase_info *instr)
288 __func__, (long long)instr->addr, 288 __func__, (long long)instr->addr,
289 (long long)instr->len); 289 (long long)instr->len);
290 290
291 /* sanity checks */
292 if (instr->addr + instr->len > flash->mtd.size)
293 return -EINVAL;
294 div_u64_rem(instr->len, mtd->erasesize, &rem); 291 div_u64_rem(instr->len, mtd->erasesize, &rem);
295 if (rem) 292 if (rem)
296 return -EINVAL; 293 return -EINVAL;
@@ -353,9 +350,6 @@ static int m25p80_read(struct mtd_info *mtd, loff_t from, size_t len,
353 if (!len) 350 if (!len)
354 return 0; 351 return 0;
355 352
356 if (from + len > flash->mtd.size)
357 return -EINVAL;
358
359 spi_message_init(&m); 353 spi_message_init(&m);
360 memset(t, 0, (sizeof t)); 354 memset(t, 0, (sizeof t));
361 355
@@ -423,9 +417,6 @@ static int m25p80_write(struct mtd_info *mtd, loff_t to, size_t len,
423 if (!len) 417 if (!len)
424 return(0); 418 return(0);
425 419
426 if (to + len > flash->mtd.size)
427 return -EINVAL;
428
429 spi_message_init(&m); 420 spi_message_init(&m);
430 memset(t, 0, (sizeof t)); 421 memset(t, 0, (sizeof t));
431 422
@@ -515,9 +506,6 @@ static int sst_write(struct mtd_info *mtd, loff_t to, size_t len,
515 if (!len) 506 if (!len)
516 return 0; 507 return 0;
517 508
518 if (to + len > flash->mtd.size)
519 return -EINVAL;
520
521 spi_message_init(&m); 509 spi_message_init(&m);
522 memset(t, 0, (sizeof t)); 510 memset(t, 0, (sizeof t));
523 511
diff --git a/drivers/mtd/devices/ms02-nv.c b/drivers/mtd/devices/ms02-nv.c
index 3a05af529e7d..182849d39c61 100644
--- a/drivers/mtd/devices/ms02-nv.c
+++ b/drivers/mtd/devices/ms02-nv.c
@@ -59,12 +59,8 @@ static int ms02nv_read(struct mtd_info *mtd, loff_t from,
59{ 59{
60 struct ms02nv_private *mp = mtd->priv; 60 struct ms02nv_private *mp = mtd->priv;
61 61
62 if (from + len > mtd->size)
63 return -EINVAL;
64
65 memcpy(buf, mp->uaddr + from, len); 62 memcpy(buf, mp->uaddr + from, len);
66 *retlen = len; 63 *retlen = len;
67
68 return 0; 64 return 0;
69} 65}
70 66
@@ -73,12 +69,8 @@ static int ms02nv_write(struct mtd_info *mtd, loff_t to,
73{ 69{
74 struct ms02nv_private *mp = mtd->priv; 70 struct ms02nv_private *mp = mtd->priv;
75 71
76 if (to + len > mtd->size)
77 return -EINVAL;
78
79 memcpy(mp->uaddr + to, buf, len); 72 memcpy(mp->uaddr + to, buf, len);
80 *retlen = len; 73 *retlen = len;
81
82 return 0; 74 return 0;
83} 75}
84 76
diff --git a/drivers/mtd/devices/mtd_dataflash.c b/drivers/mtd/devices/mtd_dataflash.c
index fd4a9fc0d8b8..fc5c78171844 100644
--- a/drivers/mtd/devices/mtd_dataflash.c
+++ b/drivers/mtd/devices/mtd_dataflash.c
@@ -164,9 +164,6 @@ static int dataflash_erase(struct mtd_info *mtd, struct erase_info *instr)
164 dev_name(&spi->dev), (long long)instr->addr, 164 dev_name(&spi->dev), (long long)instr->addr,
165 (long long)instr->len); 165 (long long)instr->len);
166 166
167 /* Sanity checks */
168 if (instr->addr + instr->len > mtd->size)
169 return -EINVAL;
170 div_u64_rem(instr->len, priv->page_size, &rem); 167 div_u64_rem(instr->len, priv->page_size, &rem);
171 if (rem) 168 if (rem)
172 return -EINVAL; 169 return -EINVAL;
@@ -257,8 +254,6 @@ static int dataflash_read(struct mtd_info *mtd, loff_t from, size_t len,
257 /* Sanity checks */ 254 /* Sanity checks */
258 if (!len) 255 if (!len)
259 return 0; 256 return 0;
260 if (from + len > mtd->size)
261 return -EINVAL;
262 257
263 /* Calculate flash page/byte address */ 258 /* Calculate flash page/byte address */
264 addr = (((unsigned)from / priv->page_size) << priv->page_offset) 259 addr = (((unsigned)from / priv->page_size) << priv->page_offset)
@@ -333,8 +328,6 @@ static int dataflash_write(struct mtd_info *mtd, loff_t to, size_t len,
333 /* Sanity checks */ 328 /* Sanity checks */
334 if (!len) 329 if (!len)
335 return 0; 330 return 0;
336 if ((to + len) > mtd->size)
337 return -EINVAL;
338 331
339 spi_message_init(&msg); 332 spi_message_init(&msg);
340 333
diff --git a/drivers/mtd/devices/mtdram.c b/drivers/mtd/devices/mtdram.c
index e1f017bf0777..0e0e6ed4443c 100644
--- a/drivers/mtd/devices/mtdram.c
+++ b/drivers/mtd/devices/mtdram.c
@@ -34,27 +34,18 @@ static struct mtd_info *mtd_info;
34 34
35static int ram_erase(struct mtd_info *mtd, struct erase_info *instr) 35static int ram_erase(struct mtd_info *mtd, struct erase_info *instr)
36{ 36{
37 if (instr->addr + instr->len > mtd->size)
38 return -EINVAL;
39
40 memset((char *)mtd->priv + instr->addr, 0xff, instr->len); 37 memset((char *)mtd->priv + instr->addr, 0xff, instr->len);
41
42 instr->state = MTD_ERASE_DONE; 38 instr->state = MTD_ERASE_DONE;
43 mtd_erase_callback(instr); 39 mtd_erase_callback(instr);
44
45 return 0; 40 return 0;
46} 41}
47 42
48static int ram_point(struct mtd_info *mtd, loff_t from, size_t len, 43static int ram_point(struct mtd_info *mtd, loff_t from, size_t len,
49 size_t *retlen, void **virt, resource_size_t *phys) 44 size_t *retlen, void **virt, resource_size_t *phys)
50{ 45{
51 if (from + len > mtd->size)
52 return -EINVAL;
53
54 /* can we return a physical address with this driver? */ 46 /* can we return a physical address with this driver? */
55 if (phys) 47 if (phys)
56 return -EINVAL; 48 return -EINVAL;
57
58 *virt = mtd->priv + from; 49 *virt = mtd->priv + from;
59 *retlen = len; 50 *retlen = len;
60 return 0; 51 return 0;
@@ -81,11 +72,7 @@ static unsigned long ram_get_unmapped_area(struct mtd_info *mtd,
81static int ram_read(struct mtd_info *mtd, loff_t from, size_t len, 72static int ram_read(struct mtd_info *mtd, loff_t from, size_t len,
82 size_t *retlen, u_char *buf) 73 size_t *retlen, u_char *buf)
83{ 74{
84 if (from + len > mtd->size)
85 return -EINVAL;
86
87 memcpy(buf, mtd->priv + from, len); 75 memcpy(buf, mtd->priv + from, len);
88
89 *retlen = len; 76 *retlen = len;
90 return 0; 77 return 0;
91} 78}
@@ -93,11 +80,7 @@ static int ram_read(struct mtd_info *mtd, loff_t from, size_t len,
93static int ram_write(struct mtd_info *mtd, loff_t to, size_t len, 80static int ram_write(struct mtd_info *mtd, loff_t to, size_t len,
94 size_t *retlen, const u_char *buf) 81 size_t *retlen, const u_char *buf)
95{ 82{
96 if (to + len > mtd->size)
97 return -EINVAL;
98
99 memcpy((char *)mtd->priv + to, buf, len); 83 memcpy((char *)mtd->priv + to, buf, len);
100
101 *retlen = len; 84 *retlen = len;
102 return 0; 85 return 0;
103} 86}
diff --git a/drivers/mtd/devices/phram.c b/drivers/mtd/devices/phram.c
index 38035551a7d2..36add7ce4632 100644
--- a/drivers/mtd/devices/phram.c
+++ b/drivers/mtd/devices/phram.c
@@ -38,29 +38,20 @@ static int phram_erase(struct mtd_info *mtd, struct erase_info *instr)
38{ 38{
39 u_char *start = mtd->priv; 39 u_char *start = mtd->priv;
40 40
41 if (instr->addr + instr->len > mtd->size)
42 return -EINVAL;
43
44 memset(start + instr->addr, 0xff, instr->len); 41 memset(start + instr->addr, 0xff, instr->len);
45 42
46 /* This'll catch a few races. Free the thing before returning :) 43 /* This'll catch a few races. Free the thing before returning :)
47 * I don't feel at all ashamed. This kind of thing is possible anyway 44 * I don't feel at all ashamed. This kind of thing is possible anyway
48 * with flash, but unlikely. 45 * with flash, but unlikely.
49 */ 46 */
50
51 instr->state = MTD_ERASE_DONE; 47 instr->state = MTD_ERASE_DONE;
52
53 mtd_erase_callback(instr); 48 mtd_erase_callback(instr);
54
55 return 0; 49 return 0;
56} 50}
57 51
58static int phram_point(struct mtd_info *mtd, loff_t from, size_t len, 52static int phram_point(struct mtd_info *mtd, loff_t from, size_t len,
59 size_t *retlen, void **virt, resource_size_t *phys) 53 size_t *retlen, void **virt, resource_size_t *phys)
60{ 54{
61 if (from + len > mtd->size)
62 return -EINVAL;
63
64 /* can we return a physical address with this driver? */ 55 /* can we return a physical address with this driver? */
65 if (phys) 56 if (phys)
66 return -EINVAL; 57 return -EINVAL;
@@ -80,14 +71,7 @@ static int phram_read(struct mtd_info *mtd, loff_t from, size_t len,
80{ 71{
81 u_char *start = mtd->priv; 72 u_char *start = mtd->priv;
82 73
83 if (from >= mtd->size)
84 return -EINVAL;
85
86 if (len > mtd->size - from)
87 len = mtd->size - from;
88
89 memcpy(buf, start + from, len); 74 memcpy(buf, start + from, len);
90
91 *retlen = len; 75 *retlen = len;
92 return 0; 76 return 0;
93} 77}
@@ -97,14 +81,7 @@ static int phram_write(struct mtd_info *mtd, loff_t to, size_t len,
97{ 81{
98 u_char *start = mtd->priv; 82 u_char *start = mtd->priv;
99 83
100 if (to >= mtd->size)
101 return -EINVAL;
102
103 if (len > mtd->size - to)
104 len = mtd->size - to;
105
106 memcpy(start + to, buf, len); 84 memcpy(start + to, buf, len);
107
108 *retlen = len; 85 *retlen = len;
109 return 0; 86 return 0;
110} 87}
diff --git a/drivers/mtd/devices/pmc551.c b/drivers/mtd/devices/pmc551.c
index 933127ecebe5..d394e06e4279 100644
--- a/drivers/mtd/devices/pmc551.c
+++ b/drivers/mtd/devices/pmc551.c
@@ -116,16 +116,6 @@ static int pmc551_erase(struct mtd_info *mtd, struct erase_info *instr)
116#endif 116#endif
117 117
118 end = instr->addr + instr->len - 1; 118 end = instr->addr + instr->len - 1;
119
120 /* Is it past the end? */
121 if (end > mtd->size) {
122#ifdef CONFIG_MTD_PMC551_DEBUG
123 printk(KERN_DEBUG "pmc551_erase() out of bounds (%ld > %ld)\n",
124 (long)end, (long)mtd->size);
125#endif
126 return -EINVAL;
127 }
128
129 eoff_hi = end & ~(priv->asize - 1); 119 eoff_hi = end & ~(priv->asize - 1);
130 soff_hi = instr->addr & ~(priv->asize - 1); 120 soff_hi = instr->addr & ~(priv->asize - 1);
131 eoff_lo = end & (priv->asize - 1); 121 eoff_lo = end & (priv->asize - 1);
@@ -179,14 +169,6 @@ static int pmc551_point(struct mtd_info *mtd, loff_t from, size_t len,
179 printk(KERN_DEBUG "pmc551_point(%ld, %ld)\n", (long)from, (long)len); 169 printk(KERN_DEBUG "pmc551_point(%ld, %ld)\n", (long)from, (long)len);
180#endif 170#endif
181 171
182 if (from + len > mtd->size) {
183#ifdef CONFIG_MTD_PMC551_DEBUG
184 printk(KERN_DEBUG "pmc551_point() out of bounds (%ld > %ld)\n",
185 (long)from + len, (long)mtd->size);
186#endif
187 return -EINVAL;
188 }
189
190 /* can we return a physical address with this driver? */ 172 /* can we return a physical address with this driver? */
191 if (phys) 173 if (phys)
192 return -EINVAL; 174 return -EINVAL;
@@ -230,16 +212,6 @@ static int pmc551_read(struct mtd_info *mtd, loff_t from, size_t len,
230#endif 212#endif
231 213
232 end = from + len - 1; 214 end = from + len - 1;
233
234 /* Is it past the end? */
235 if (end > mtd->size) {
236#ifdef CONFIG_MTD_PMC551_DEBUG
237 printk(KERN_DEBUG "pmc551_read() out of bounds (%ld > %ld)\n",
238 (long)end, (long)mtd->size);
239#endif
240 return -EINVAL;
241 }
242
243 soff_hi = from & ~(priv->asize - 1); 215 soff_hi = from & ~(priv->asize - 1);
244 eoff_hi = end & ~(priv->asize - 1); 216 eoff_hi = end & ~(priv->asize - 1);
245 soff_lo = from & (priv->asize - 1); 217 soff_lo = from & (priv->asize - 1);
@@ -297,16 +269,6 @@ static int pmc551_write(struct mtd_info *mtd, loff_t to, size_t len,
297#endif 269#endif
298 270
299 end = to + len - 1; 271 end = to + len - 1;
300 /* Is it past the end? or did the u32 wrap? */
301 if (end > mtd->size) {
302#ifdef CONFIG_MTD_PMC551_DEBUG
303 printk(KERN_DEBUG "pmc551_write() out of bounds (end: %ld, "
304 "size: %ld, to: %ld)\n", (long)end, (long)mtd->size,
305 (long)to);
306#endif
307 return -EINVAL;
308 }
309
310 soff_hi = to & ~(priv->asize - 1); 272 soff_hi = to & ~(priv->asize - 1);
311 eoff_hi = end & ~(priv->asize - 1); 273 eoff_hi = end & ~(priv->asize - 1);
312 soff_lo = to & (priv->asize - 1); 274 soff_lo = to & (priv->asize - 1);
diff --git a/drivers/mtd/devices/slram.c b/drivers/mtd/devices/slram.c
index 9431ffc761c2..842e4890d771 100644
--- a/drivers/mtd/devices/slram.c
+++ b/drivers/mtd/devices/slram.c
@@ -84,21 +84,13 @@ static int slram_erase(struct mtd_info *mtd, struct erase_info *instr)
84{ 84{
85 slram_priv_t *priv = mtd->priv; 85 slram_priv_t *priv = mtd->priv;
86 86
87 if (instr->addr + instr->len > mtd->size) {
88 return(-EINVAL);
89 }
90
91 memset(priv->start + instr->addr, 0xff, instr->len); 87 memset(priv->start + instr->addr, 0xff, instr->len);
92
93 /* This'll catch a few races. Free the thing before returning :) 88 /* This'll catch a few races. Free the thing before returning :)
94 * I don't feel at all ashamed. This kind of thing is possible anyway 89 * I don't feel at all ashamed. This kind of thing is possible anyway
95 * with flash, but unlikely. 90 * with flash, but unlikely.
96 */ 91 */
97
98 instr->state = MTD_ERASE_DONE; 92 instr->state = MTD_ERASE_DONE;
99
100 mtd_erase_callback(instr); 93 mtd_erase_callback(instr);
101
102 return(0); 94 return(0);
103} 95}
104 96
@@ -110,10 +102,6 @@ static int slram_point(struct mtd_info *mtd, loff_t from, size_t len,
110 /* can we return a physical address with this driver? */ 102 /* can we return a physical address with this driver? */
111 if (phys) 103 if (phys)
112 return -EINVAL; 104 return -EINVAL;
113
114 if (from + len > mtd->size)
115 return -EINVAL;
116
117 *virt = priv->start + from; 105 *virt = priv->start + from;
118 *retlen = len; 106 *retlen = len;
119 return(0); 107 return(0);
@@ -129,14 +117,7 @@ static int slram_read(struct mtd_info *mtd, loff_t from, size_t len,
129{ 117{
130 slram_priv_t *priv = mtd->priv; 118 slram_priv_t *priv = mtd->priv;
131 119
132 if (from > mtd->size)
133 return -EINVAL;
134
135 if (from + len > mtd->size)
136 len = mtd->size - from;
137
138 memcpy(buf, priv->start + from, len); 120 memcpy(buf, priv->start + from, len);
139
140 *retlen = len; 121 *retlen = len;
141 return(0); 122 return(0);
142} 123}
@@ -146,11 +127,7 @@ static int slram_write(struct mtd_info *mtd, loff_t to, size_t len,
146{ 127{
147 slram_priv_t *priv = mtd->priv; 128 slram_priv_t *priv = mtd->priv;
148 129
149 if (to + len > mtd->size)
150 return -EINVAL;
151
152 memcpy(priv->start + to, buf, len); 130 memcpy(priv->start + to, buf, len);
153
154 *retlen = len; 131 *retlen = len;
155 return(0); 132 return(0);
156} 133}
diff --git a/drivers/mtd/devices/spear_smi.c b/drivers/mtd/devices/spear_smi.c
index b80cb5b5ebbd..2238ab916a06 100644
--- a/drivers/mtd/devices/spear_smi.c
+++ b/drivers/mtd/devices/spear_smi.c
@@ -510,10 +510,6 @@ static int spear_mtd_erase(struct mtd_info *mtd, struct erase_info *e_info)
510 if (!flash || !dev) 510 if (!flash || !dev)
511 return -ENODEV; 511 return -ENODEV;
512 512
513 /* do not allow erase past end of device */
514 if (e_info->addr + e_info->len > flash->mtd.size)
515 return -EINVAL;
516
517 bank = flash->bank; 513 bank = flash->bank;
518 if (bank > dev->num_flashes - 1) { 514 if (bank > dev->num_flashes - 1) {
519 dev_err(&dev->pdev->dev, "Invalid Bank Num"); 515 dev_err(&dev->pdev->dev, "Invalid Bank Num");
@@ -573,10 +569,6 @@ static int spear_mtd_read(struct mtd_info *mtd, loff_t from, size_t len,
573 if (!flash || !dev) 569 if (!flash || !dev)
574 return -ENODEV; 570 return -ENODEV;
575 571
576 /* do not allow reads past end of device */
577 if (from + len > flash->mtd.size)
578 return -EINVAL;
579
580 if (flash->bank > dev->num_flashes - 1) { 572 if (flash->bank > dev->num_flashes - 1) {
581 dev_err(&dev->pdev->dev, "Invalid Bank Num"); 573 dev_err(&dev->pdev->dev, "Invalid Bank Num");
582 return -EINVAL; 574 return -EINVAL;
@@ -678,10 +670,6 @@ static int spear_mtd_write(struct mtd_info *mtd, loff_t to, size_t len,
678 if (!len) 670 if (!len)
679 return 0; 671 return 0;
680 672
681 /* do not allow write past end of page */
682 if (to + len > flash->mtd.size)
683 return -EINVAL;
684
685 if (flash->bank > dev->num_flashes - 1) { 673 if (flash->bank > dev->num_flashes - 1) {
686 dev_err(&dev->pdev->dev, "Invalid Bank Num"); 674 dev_err(&dev->pdev->dev, "Invalid Bank Num");
687 return -EINVAL; 675 return -EINVAL;
diff --git a/drivers/mtd/devices/sst25l.c b/drivers/mtd/devices/sst25l.c
index 8b9ffafcc401..99d4a3c510d7 100644
--- a/drivers/mtd/devices/sst25l.c
+++ b/drivers/mtd/devices/sst25l.c
@@ -175,9 +175,6 @@ static int sst25l_erase(struct mtd_info *mtd, struct erase_info *instr)
175 int err; 175 int err;
176 176
177 /* Sanity checks */ 177 /* Sanity checks */
178 if (instr->addr + instr->len > flash->mtd.size)
179 return -EINVAL;
180
181 if ((uint32_t)instr->len % mtd->erasesize) 178 if ((uint32_t)instr->len % mtd->erasesize)
182 return -EINVAL; 179 return -EINVAL;
183 180
@@ -227,9 +224,6 @@ static int sst25l_read(struct mtd_info *mtd, loff_t from, size_t len,
227 if (len == 0) 224 if (len == 0)
228 return 0; 225 return 0;
229 226
230 if (from + len > flash->mtd.size)
231 return -EINVAL;
232
233 if (retlen) 227 if (retlen)
234 *retlen = 0; 228 *retlen = 0;
235 229
@@ -278,9 +272,6 @@ static int sst25l_write(struct mtd_info *mtd, loff_t to, size_t len,
278 if (!len) 272 if (!len)
279 return 0; 273 return 0;
280 274
281 if (to + len > flash->mtd.size)
282 return -EINVAL;
283
284 if ((uint32_t)to % mtd->writesize) 275 if ((uint32_t)to % mtd->writesize)
285 return -EINVAL; 276 return -EINVAL;
286 277
diff --git a/drivers/mtd/lpddr/lpddr_cmds.c b/drivers/mtd/lpddr/lpddr_cmds.c
index de960b1d395a..0f3731c6b3f6 100644
--- a/drivers/mtd/lpddr/lpddr_cmds.c
+++ b/drivers/mtd/lpddr/lpddr_cmds.c
@@ -530,7 +530,7 @@ static int lpddr_point(struct mtd_info *mtd, loff_t adr, size_t len,
530 struct flchip *chip = &lpddr->chips[chipnum]; 530 struct flchip *chip = &lpddr->chips[chipnum];
531 int ret = 0; 531 int ret = 0;
532 532
533 if (!map->virt || (adr + len > mtd->size)) 533 if (!map->virt)
534 return -EINVAL; 534 return -EINVAL;
535 535
536 /* ofs: offset within the first chip that the first read should start */ 536 /* ofs: offset within the first chip that the first read should start */
@@ -692,9 +692,6 @@ static int lpddr_erase(struct mtd_info *mtd, struct erase_info *instr)
692 ofs = instr->addr; 692 ofs = instr->addr;
693 len = instr->len; 693 len = instr->len;
694 694
695 if (ofs > mtd->size || (len + ofs) > mtd->size)
696 return -EINVAL;
697
698 while (len > 0) { 695 while (len > 0) {
699 ret = do_erase_oneblock(mtd, ofs); 696 ret = do_erase_oneblock(mtd, ofs);
700 if (ret) 697 if (ret)
diff --git a/drivers/mtd/mtdconcat.c b/drivers/mtd/mtdconcat.c
index d826a8a50e73..1f2071803931 100644
--- a/drivers/mtd/mtdconcat.c
+++ b/drivers/mtd/mtdconcat.c
@@ -185,10 +185,6 @@ concat_writev(struct mtd_info *mtd, const struct kvec *vecs,
185 for (i = 0; i < count; i++) 185 for (i = 0; i < count; i++)
186 total_len += vecs[i].iov_len; 186 total_len += vecs[i].iov_len;
187 187
188 /* Do not allow write past end of device */
189 if ((to + total_len) > mtd->size)
190 return -EINVAL;
191
192 /* Check alignment */ 188 /* Check alignment */
193 if (mtd->writesize > 1) { 189 if (mtd->writesize > 1) {
194 uint64_t __to = to; 190 uint64_t __to = to;
@@ -406,12 +402,6 @@ static int concat_erase(struct mtd_info *mtd, struct erase_info *instr)
406 if (!(mtd->flags & MTD_WRITEABLE)) 402 if (!(mtd->flags & MTD_WRITEABLE))
407 return -EROFS; 403 return -EROFS;
408 404
409 if (instr->addr > concat->mtd.size)
410 return -EINVAL;
411
412 if (instr->len + instr->addr > concat->mtd.size)
413 return -EINVAL;
414
415 /* 405 /*
416 * Check for proper erase block alignment of the to-be-erased area. 406 * Check for proper erase block alignment of the to-be-erased area.
417 * It is easier to do this based on the super device's erase 407 * It is easier to do this based on the super device's erase
@@ -538,9 +528,6 @@ static int concat_lock(struct mtd_info *mtd, loff_t ofs, uint64_t len)
538 struct mtd_concat *concat = CONCAT(mtd); 528 struct mtd_concat *concat = CONCAT(mtd);
539 int i, err = -EINVAL; 529 int i, err = -EINVAL;
540 530
541 if ((len + ofs) > mtd->size)
542 return -EINVAL;
543
544 for (i = 0; i < concat->num_subdev; i++) { 531 for (i = 0; i < concat->num_subdev; i++) {
545 struct mtd_info *subdev = concat->subdev[i]; 532 struct mtd_info *subdev = concat->subdev[i];
546 uint64_t size; 533 uint64_t size;
@@ -575,9 +562,6 @@ static int concat_unlock(struct mtd_info *mtd, loff_t ofs, uint64_t len)
575 struct mtd_concat *concat = CONCAT(mtd); 562 struct mtd_concat *concat = CONCAT(mtd);
576 int i, err = 0; 563 int i, err = 0;
577 564
578 if ((len + ofs) > mtd->size)
579 return -EINVAL;
580
581 for (i = 0; i < concat->num_subdev; i++) { 565 for (i = 0; i < concat->num_subdev; i++) {
582 struct mtd_info *subdev = concat->subdev[i]; 566 struct mtd_info *subdev = concat->subdev[i];
583 uint64_t size; 567 uint64_t size;
@@ -650,9 +634,6 @@ static int concat_block_isbad(struct mtd_info *mtd, loff_t ofs)
650 if (!mtd_can_have_bb(concat->subdev[0])) 634 if (!mtd_can_have_bb(concat->subdev[0]))
651 return res; 635 return res;
652 636
653 if (ofs > mtd->size)
654 return -EINVAL;
655
656 for (i = 0; i < concat->num_subdev; i++) { 637 for (i = 0; i < concat->num_subdev; i++) {
657 struct mtd_info *subdev = concat->subdev[i]; 638 struct mtd_info *subdev = concat->subdev[i];
658 639
@@ -673,9 +654,6 @@ static int concat_block_markbad(struct mtd_info *mtd, loff_t ofs)
673 struct mtd_concat *concat = CONCAT(mtd); 654 struct mtd_concat *concat = CONCAT(mtd);
674 int i, err = -EINVAL; 655 int i, err = -EINVAL;
675 656
676 if (ofs > mtd->size)
677 return -EINVAL;
678
679 for (i = 0; i < concat->num_subdev; i++) { 657 for (i = 0; i < concat->num_subdev; i++) {
680 struct mtd_info *subdev = concat->subdev[i]; 658 struct mtd_info *subdev = concat->subdev[i];
681 659
@@ -713,10 +691,6 @@ static unsigned long concat_get_unmapped_area(struct mtd_info *mtd,
713 continue; 691 continue;
714 } 692 }
715 693
716 /* we've found the subdev over which the mapping will reside */
717 if (offset + len > subdev->size)
718 return (unsigned long) -EINVAL;
719
720 return mtd_get_unmapped_area(subdev, len, offset, flags); 694 return mtd_get_unmapped_area(subdev, len, offset, flags);
721 } 695 }
722 696
diff --git a/drivers/mtd/mtdpart.c b/drivers/mtd/mtdpart.c
index da8a0b28316c..fbe2c8a22e1c 100644
--- a/drivers/mtd/mtdpart.c
+++ b/drivers/mtd/mtdpart.c
@@ -65,11 +65,6 @@ static int part_read(struct mtd_info *mtd, loff_t from, size_t len,
65 int res; 65 int res;
66 66
67 stats = part->master->ecc_stats; 67 stats = part->master->ecc_stats;
68
69 if (from >= mtd->size)
70 len = 0;
71 else if (from + len > mtd->size)
72 len = mtd->size - from;
73 res = mtd_read(part->master, from + part->offset, len, retlen, buf); 68 res = mtd_read(part->master, from + part->offset, len, retlen, buf);
74 if (unlikely(res)) { 69 if (unlikely(res)) {
75 if (mtd_is_bitflip(res)) 70 if (mtd_is_bitflip(res))
@@ -84,10 +79,7 @@ static int part_point(struct mtd_info *mtd, loff_t from, size_t len,
84 size_t *retlen, void **virt, resource_size_t *phys) 79 size_t *retlen, void **virt, resource_size_t *phys)
85{ 80{
86 struct mtd_part *part = PART(mtd); 81 struct mtd_part *part = PART(mtd);
87 if (from >= mtd->size) 82
88 len = 0;
89 else if (from + len > mtd->size)
90 len = mtd->size - from;
91 return mtd_point(part->master, from + part->offset, len, retlen, 83 return mtd_point(part->master, from + part->offset, len, retlen,
92 virt, phys); 84 virt, phys);
93} 85}
@@ -182,10 +174,6 @@ static int part_write(struct mtd_info *mtd, loff_t to, size_t len,
182 struct mtd_part *part = PART(mtd); 174 struct mtd_part *part = PART(mtd);
183 if (!(mtd->flags & MTD_WRITEABLE)) 175 if (!(mtd->flags & MTD_WRITEABLE))
184 return -EROFS; 176 return -EROFS;
185 if (to >= mtd->size)
186 len = 0;
187 else if (to + len > mtd->size)
188 len = mtd->size - to;
189 return mtd_write(part->master, to + part->offset, len, retlen, buf); 177 return mtd_write(part->master, to + part->offset, len, retlen, buf);
190} 178}
191 179
@@ -195,10 +183,6 @@ static int part_panic_write(struct mtd_info *mtd, loff_t to, size_t len,
195 struct mtd_part *part = PART(mtd); 183 struct mtd_part *part = PART(mtd);
196 if (!(mtd->flags & MTD_WRITEABLE)) 184 if (!(mtd->flags & MTD_WRITEABLE))
197 return -EROFS; 185 return -EROFS;
198 if (to >= mtd->size)
199 len = 0;
200 else if (to + len > mtd->size)
201 len = mtd->size - to;
202 return mtd_panic_write(part->master, to + part->offset, len, retlen, 186 return mtd_panic_write(part->master, to + part->offset, len, retlen,
203 buf); 187 buf);
204} 188}
@@ -248,8 +232,6 @@ static int part_erase(struct mtd_info *mtd, struct erase_info *instr)
248 int ret; 232 int ret;
249 if (!(mtd->flags & MTD_WRITEABLE)) 233 if (!(mtd->flags & MTD_WRITEABLE))
250 return -EROFS; 234 return -EROFS;
251 if (instr->addr >= mtd->size)
252 return -EINVAL;
253 instr->addr += part->offset; 235 instr->addr += part->offset;
254 ret = mtd_erase(part->master, instr); 236 ret = mtd_erase(part->master, instr);
255 if (ret) { 237 if (ret) {
@@ -277,24 +259,18 @@ EXPORT_SYMBOL_GPL(mtd_erase_callback);
277static int part_lock(struct mtd_info *mtd, loff_t ofs, uint64_t len) 259static int part_lock(struct mtd_info *mtd, loff_t ofs, uint64_t len)
278{ 260{
279 struct mtd_part *part = PART(mtd); 261 struct mtd_part *part = PART(mtd);
280 if ((len + ofs) > mtd->size)
281 return -EINVAL;
282 return mtd_lock(part->master, ofs + part->offset, len); 262 return mtd_lock(part->master, ofs + part->offset, len);
283} 263}
284 264
285static int part_unlock(struct mtd_info *mtd, loff_t ofs, uint64_t len) 265static int part_unlock(struct mtd_info *mtd, loff_t ofs, uint64_t len)
286{ 266{
287 struct mtd_part *part = PART(mtd); 267 struct mtd_part *part = PART(mtd);
288 if ((len + ofs) > mtd->size)
289 return -EINVAL;
290 return mtd_unlock(part->master, ofs + part->offset, len); 268 return mtd_unlock(part->master, ofs + part->offset, len);
291} 269}
292 270
293static int part_is_locked(struct mtd_info *mtd, loff_t ofs, uint64_t len) 271static int part_is_locked(struct mtd_info *mtd, loff_t ofs, uint64_t len)
294{ 272{
295 struct mtd_part *part = PART(mtd); 273 struct mtd_part *part = PART(mtd);
296 if ((len + ofs) > mtd->size)
297 return -EINVAL;
298 return mtd_is_locked(part->master, ofs + part->offset, len); 274 return mtd_is_locked(part->master, ofs + part->offset, len);
299} 275}
300 276
@@ -319,8 +295,6 @@ static void part_resume(struct mtd_info *mtd)
319static int part_block_isbad(struct mtd_info *mtd, loff_t ofs) 295static int part_block_isbad(struct mtd_info *mtd, loff_t ofs)
320{ 296{
321 struct mtd_part *part = PART(mtd); 297 struct mtd_part *part = PART(mtd);
322 if (ofs >= mtd->size)
323 return -EINVAL;
324 ofs += part->offset; 298 ofs += part->offset;
325 return mtd_block_isbad(part->master, ofs); 299 return mtd_block_isbad(part->master, ofs);
326} 300}
@@ -332,8 +306,6 @@ static int part_block_markbad(struct mtd_info *mtd, loff_t ofs)
332 306
333 if (!(mtd->flags & MTD_WRITEABLE)) 307 if (!(mtd->flags & MTD_WRITEABLE))
334 return -EROFS; 308 return -EROFS;
335 if (ofs >= mtd->size)
336 return -EINVAL;
337 ofs += part->offset; 309 ofs += part->offset;
338 res = mtd_block_markbad(part->master, ofs); 310 res = mtd_block_markbad(part->master, ofs);
339 if (!res) 311 if (!res)
diff --git a/drivers/mtd/nand/nand_base.c b/drivers/mtd/nand/nand_base.c
index 13a56d3e8aec..dd182c8591a9 100644
--- a/drivers/mtd/nand/nand_base.c
+++ b/drivers/mtd/nand/nand_base.c
@@ -123,12 +123,6 @@ static int check_offs_len(struct mtd_info *mtd,
123 ret = -EINVAL; 123 ret = -EINVAL;
124 } 124 }
125 125
126 /* Do not allow past end of device */
127 if (ofs + len > mtd->size) {
128 pr_debug("%s: past end of device\n", __func__);
129 ret = -EINVAL;
130 }
131
132 return ret; 126 return ret;
133} 127}
134 128
@@ -1620,25 +1614,17 @@ static int nand_read(struct mtd_info *mtd, loff_t from, size_t len,
1620 struct mtd_oob_ops ops; 1614 struct mtd_oob_ops ops;
1621 int ret; 1615 int ret;
1622 1616
1623 /* Do not allow reads past end of device */
1624 if ((from + len) > mtd->size)
1625 return -EINVAL;
1626 if (!len) 1617 if (!len)
1627 return 0; 1618 return 0;
1628 1619
1629 nand_get_device(chip, mtd, FL_READING); 1620 nand_get_device(chip, mtd, FL_READING);
1630
1631 ops.len = len; 1621 ops.len = len;
1632 ops.datbuf = buf; 1622 ops.datbuf = buf;
1633 ops.oobbuf = NULL; 1623 ops.oobbuf = NULL;
1634 ops.mode = 0; 1624 ops.mode = 0;
1635
1636 ret = nand_do_read_ops(mtd, from, &ops); 1625 ret = nand_do_read_ops(mtd, from, &ops);
1637
1638 *retlen = ops.retlen; 1626 *retlen = ops.retlen;
1639
1640 nand_release_device(mtd); 1627 nand_release_device(mtd);
1641
1642 return ret; 1628 return ret;
1643} 1629}
1644 1630
@@ -2328,8 +2314,6 @@ static int panic_nand_write(struct mtd_info *mtd, loff_t to, size_t len,
2328 int ret; 2314 int ret;
2329 2315
2330 /* Do not allow reads past end of device */ 2316 /* Do not allow reads past end of device */
2331 if ((to + len) > mtd->size)
2332 return -EINVAL;
2333 if (!len) 2317 if (!len)
2334 return 0; 2318 return 0;
2335 2319
@@ -2367,25 +2351,17 @@ static int nand_write(struct mtd_info *mtd, loff_t to, size_t len,
2367 struct mtd_oob_ops ops; 2351 struct mtd_oob_ops ops;
2368 int ret; 2352 int ret;
2369 2353
2370 /* Do not allow reads past end of device */
2371 if ((to + len) > mtd->size)
2372 return -EINVAL;
2373 if (!len) 2354 if (!len)
2374 return 0; 2355 return 0;
2375 2356
2376 nand_get_device(chip, mtd, FL_WRITING); 2357 nand_get_device(chip, mtd, FL_WRITING);
2377
2378 ops.len = len; 2358 ops.len = len;
2379 ops.datbuf = (uint8_t *)buf; 2359 ops.datbuf = (uint8_t *)buf;
2380 ops.oobbuf = NULL; 2360 ops.oobbuf = NULL;
2381 ops.mode = 0; 2361 ops.mode = 0;
2382
2383 ret = nand_do_write_ops(mtd, to, &ops); 2362 ret = nand_do_write_ops(mtd, to, &ops);
2384
2385 *retlen = ops.retlen; 2363 *retlen = ops.retlen;
2386
2387 nand_release_device(mtd); 2364 nand_release_device(mtd);
2388
2389 return ret; 2365 return ret;
2390} 2366}
2391 2367
@@ -2749,10 +2725,6 @@ static void nand_sync(struct mtd_info *mtd)
2749 */ 2725 */
2750static int nand_block_isbad(struct mtd_info *mtd, loff_t offs) 2726static int nand_block_isbad(struct mtd_info *mtd, loff_t offs)
2751{ 2727{
2752 /* Check for invalid offset */
2753 if (offs > mtd->size)
2754 return -EINVAL;
2755
2756 return nand_block_checkbad(mtd, offs, 1, 0); 2728 return nand_block_checkbad(mtd, offs, 1, 0);
2757} 2729}
2758 2730
diff --git a/drivers/mtd/onenand/onenand_base.c b/drivers/mtd/onenand/onenand_base.c
index 914c49bdf2b6..9c6445d372ce 100644
--- a/drivers/mtd/onenand/onenand_base.c
+++ b/drivers/mtd/onenand/onenand_base.c
@@ -1756,13 +1756,6 @@ static int onenand_panic_write(struct mtd_info *mtd, loff_t to, size_t len,
1756 /* Initialize retlen, in case of early exit */ 1756 /* Initialize retlen, in case of early exit */
1757 *retlen = 0; 1757 *retlen = 0;
1758 1758
1759 /* Do not allow writes past end of device */
1760 if (unlikely((to + len) > mtd->size)) {
1761 printk(KERN_ERR "%s: Attempt write to past end of device\n",
1762 __func__);
1763 return -EINVAL;
1764 }
1765
1766 /* Reject writes, which are not page aligned */ 1759 /* Reject writes, which are not page aligned */
1767 if (unlikely(NOTALIGNED(to) || NOTALIGNED(len))) { 1760 if (unlikely(NOTALIGNED(to) || NOTALIGNED(len))) {
1768 printk(KERN_ERR "%s: Attempt to write not page aligned data\n", 1761 printk(KERN_ERR "%s: Attempt to write not page aligned data\n",
@@ -1890,13 +1883,6 @@ static int onenand_write_ops_nolock(struct mtd_info *mtd, loff_t to,
1890 ops->retlen = 0; 1883 ops->retlen = 0;
1891 ops->oobretlen = 0; 1884 ops->oobretlen = 0;
1892 1885
1893 /* Do not allow writes past end of device */
1894 if (unlikely((to + len) > mtd->size)) {
1895 printk(KERN_ERR "%s: Attempt write to past end of device\n",
1896 __func__);
1897 return -EINVAL;
1898 }
1899
1900 /* Reject writes, which are not page aligned */ 1886 /* Reject writes, which are not page aligned */
1901 if (unlikely(NOTALIGNED(to) || NOTALIGNED(len))) { 1887 if (unlikely(NOTALIGNED(to) || NOTALIGNED(len))) {
1902 printk(KERN_ERR "%s: Attempt to write not page aligned data\n", 1888 printk(KERN_ERR "%s: Attempt to write not page aligned data\n",
@@ -2493,12 +2479,6 @@ static int onenand_erase(struct mtd_info *mtd, struct erase_info *instr)
2493 (unsigned long long)instr->addr, 2479 (unsigned long long)instr->addr,
2494 (unsigned long long)instr->len); 2480 (unsigned long long)instr->len);
2495 2481
2496 /* Do not allow erase past end of device */
2497 if (unlikely((len + addr) > mtd->size)) {
2498 printk(KERN_ERR "%s: Erase past end of device\n", __func__);
2499 return -EINVAL;
2500 }
2501
2502 if (FLEXONENAND(this)) { 2482 if (FLEXONENAND(this)) {
2503 /* Find the eraseregion of this address */ 2483 /* Find the eraseregion of this address */
2504 int i = flexonenand_region(mtd, addr); 2484 int i = flexonenand_region(mtd, addr);
diff --git a/drivers/mtd/ubi/gluebi.c b/drivers/mtd/ubi/gluebi.c
index 0101dce90c45..b875c2c50d82 100644
--- a/drivers/mtd/ubi/gluebi.c
+++ b/drivers/mtd/ubi/gluebi.c
@@ -174,11 +174,7 @@ static int gluebi_read(struct mtd_info *mtd, loff_t from, size_t len,
174 int err = 0, lnum, offs, total_read; 174 int err = 0, lnum, offs, total_read;
175 struct gluebi_device *gluebi; 175 struct gluebi_device *gluebi;
176 176
177 if (len < 0 || from < 0 || from + len > mtd->size)
178 return -EINVAL;
179
180 gluebi = container_of(mtd, struct gluebi_device, mtd); 177 gluebi = container_of(mtd, struct gluebi_device, mtd);
181
182 lnum = div_u64_rem(from, mtd->erasesize, &offs); 178 lnum = div_u64_rem(from, mtd->erasesize, &offs);
183 total_read = len; 179 total_read = len;
184 while (total_read) { 180 while (total_read) {
@@ -218,9 +214,6 @@ static int gluebi_write(struct mtd_info *mtd, loff_t to, size_t len,
218 int err = 0, lnum, offs, total_written; 214 int err = 0, lnum, offs, total_written;
219 struct gluebi_device *gluebi; 215 struct gluebi_device *gluebi;
220 216
221 if (len < 0 || to < 0 || len + to > mtd->size)
222 return -EINVAL;
223
224 gluebi = container_of(mtd, struct gluebi_device, mtd); 217 gluebi = container_of(mtd, struct gluebi_device, mtd);
225 218
226 if (!(mtd->flags & MTD_WRITEABLE)) 219 if (!(mtd->flags & MTD_WRITEABLE))
@@ -265,10 +258,6 @@ static int gluebi_erase(struct mtd_info *mtd, struct erase_info *instr)
265 int err, i, lnum, count; 258 int err, i, lnum, count;
266 struct gluebi_device *gluebi; 259 struct gluebi_device *gluebi;
267 260
268 if (instr->addr < 0 || instr->addr > mtd->size - mtd->erasesize)
269 return -EINVAL;
270 if (instr->len < 0 || instr->addr + instr->len > mtd->size)
271 return -EINVAL;
272 if (mtd_mod_by_ws(instr->addr, mtd) || mtd_mod_by_ws(instr->len, mtd)) 261 if (mtd_mod_by_ws(instr->addr, mtd) || mtd_mod_by_ws(instr->len, mtd))
273 return -EINVAL; 262 return -EINVAL;
274 263