aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--drivers/mtd/chips/cfi_cmdset_0001.c2
-rw-r--r--drivers/mtd/chips/cfi_cmdset_0020.c9
-rw-r--r--drivers/mtd/chips/cfi_util.c6
-rw-r--r--drivers/mtd/devices/block2mtd.c9
-rw-r--r--drivers/mtd/devices/doc2000.c8
-rw-r--r--drivers/mtd/devices/doc2001.c8
-rw-r--r--drivers/mtd/devices/doc2001plus.c8
-rw-r--r--drivers/mtd/devices/lart.c5
-rw-r--r--drivers/mtd/devices/m25p80.c12
-rw-r--r--drivers/mtd/devices/ms02-nv.c8
-rw-r--r--drivers/mtd/devices/mtd_dataflash.c7
-rw-r--r--drivers/mtd/devices/mtdram.c17
-rw-r--r--drivers/mtd/devices/phram.c23
-rw-r--r--drivers/mtd/devices/pmc551.c38
-rw-r--r--drivers/mtd/devices/slram.c23
-rw-r--r--drivers/mtd/devices/spear_smi.c12
-rw-r--r--drivers/mtd/devices/sst25l.c9
-rw-r--r--drivers/mtd/lpddr/lpddr_cmds.c5
-rw-r--r--drivers/mtd/mtdconcat.c26
-rw-r--r--drivers/mtd/mtdpart.c30
-rw-r--r--drivers/mtd/nand/nand_base.c28
-rw-r--r--drivers/mtd/onenand/onenand_base.c20
-rw-r--r--drivers/mtd/ubi/gluebi.c11
23 files changed, 3 insertions, 321 deletions
diff --git a/drivers/mtd/chips/cfi_cmdset_0001.c b/drivers/mtd/chips/cfi_cmdset_0001.c
index 4d04551cffd7..27008ae8f695 100644
--- a/drivers/mtd/chips/cfi_cmdset_0001.c
+++ b/drivers/mtd/chips/cfi_cmdset_0001.c
@@ -1324,7 +1324,7 @@ static int cfi_intelext_point(struct mtd_info *mtd, loff_t from, size_t len,
1324 int chipnum; 1324 int chipnum;
1325 int ret = 0; 1325 int ret = 0;
1326 1326
1327 if (!map->virt || (from + len > mtd->size)) 1327 if (!map->virt)
1328 return -EINVAL; 1328 return -EINVAL;
1329 1329
1330 /* Now lock the chip(s) to POINT state */ 1330 /* Now lock the chip(s) to POINT state */
diff --git a/drivers/mtd/chips/cfi_cmdset_0020.c b/drivers/mtd/chips/cfi_cmdset_0020.c
index 3861cca97bb0..160402fb65d1 100644
--- a/drivers/mtd/chips/cfi_cmdset_0020.c
+++ b/drivers/mtd/chips/cfi_cmdset_0020.c
@@ -904,12 +904,6 @@ static int cfi_staa_erase_varsize(struct mtd_info *mtd,
904 int i, first; 904 int i, first;
905 struct mtd_erase_region_info *regions = mtd->eraseregions; 905 struct mtd_erase_region_info *regions = mtd->eraseregions;
906 906
907 if (instr->addr > mtd->size)
908 return -EINVAL;
909
910 if ((instr->len + instr->addr) > mtd->size)
911 return -EINVAL;
912
913 /* Check that both start and end of the requested erase are 907 /* Check that both start and end of the requested erase are
914 * aligned with the erasesize at the appropriate addresses. 908 * aligned with the erasesize at the appropriate addresses.
915 */ 909 */
@@ -1155,9 +1149,6 @@ static int cfi_staa_lock(struct mtd_info *mtd, loff_t ofs, uint64_t len)
1155 if (len & (mtd->erasesize -1)) 1149 if (len & (mtd->erasesize -1))
1156 return -EINVAL; 1150 return -EINVAL;
1157 1151
1158 if ((len + ofs) > mtd->size)
1159 return -EINVAL;
1160
1161 chipnum = ofs >> cfi->chipshift; 1152 chipnum = ofs >> cfi->chipshift;
1162 adr = ofs - (chipnum << cfi->chipshift); 1153 adr = ofs - (chipnum << cfi->chipshift);
1163 1154
diff --git a/drivers/mtd/chips/cfi_util.c b/drivers/mtd/chips/cfi_util.c
index 8e464054a631..f992418f40a8 100644
--- a/drivers/mtd/chips/cfi_util.c
+++ b/drivers/mtd/chips/cfi_util.c
@@ -173,12 +173,6 @@ int cfi_varsize_frob(struct mtd_info *mtd, varsize_frob_t frob,
173 int i, first; 173 int i, first;
174 struct mtd_erase_region_info *regions = mtd->eraseregions; 174 struct mtd_erase_region_info *regions = mtd->eraseregions;
175 175
176 if (ofs > mtd->size)
177 return -EINVAL;
178
179 if ((len + ofs) > mtd->size)
180 return -EINVAL;
181
182 /* Check that both start and end of the requested erase are 176 /* Check that both start and end of the requested erase are
183 * aligned with the erasesize at the appropriate addresses. 177 * aligned with the erasesize at the appropriate addresses.
184 */ 178 */
diff --git a/drivers/mtd/devices/block2mtd.c b/drivers/mtd/devices/block2mtd.c
index 0fccf149f5aa..4c2f84c2a7c7 100644
--- a/drivers/mtd/devices/block2mtd.c
+++ b/drivers/mtd/devices/block2mtd.c
@@ -104,11 +104,6 @@ static int block2mtd_read(struct mtd_info *mtd, loff_t from, size_t len,
104 int offset = from & (PAGE_SIZE-1); 104 int offset = from & (PAGE_SIZE-1);
105 int cpylen; 105 int cpylen;
106 106
107 if (from > mtd->size)
108 return -EINVAL;
109 if (from + len > mtd->size)
110 len = mtd->size - from;
111
112 if (retlen) 107 if (retlen)
113 *retlen = 0; 108 *retlen = 0;
114 109
@@ -190,10 +185,6 @@ static int block2mtd_write(struct mtd_info *mtd, loff_t to, size_t len,
190 185
191 if (!len) 186 if (!len)
192 return 0; 187 return 0;
193 if (to >= mtd->size)
194 return -ENOSPC;
195 if (to + len > mtd->size)
196 len = mtd->size - to;
197 188
198 mutex_lock(&dev->write_mutex); 189 mutex_lock(&dev->write_mutex);
199 err = _block2mtd_write(dev, buf, to, len, retlen); 190 err = _block2mtd_write(dev, buf, to, len, retlen);
diff --git a/drivers/mtd/devices/doc2000.c b/drivers/mtd/devices/doc2000.c
index 115d890e9919..ee4ee0b8440d 100644
--- a/drivers/mtd/devices/doc2000.c
+++ b/drivers/mtd/devices/doc2000.c
@@ -602,10 +602,6 @@ static int doc_read(struct mtd_info *mtd, loff_t from, size_t len,
602 int i, len256 = 0, ret=0; 602 int i, len256 = 0, ret=0;
603 size_t left = len; 603 size_t left = len;
604 604
605 /* Don't allow read past end of device */
606 if (from >= this->totlen)
607 return -EINVAL;
608
609 mutex_lock(&this->lock); 605 mutex_lock(&this->lock);
610 606
611 *retlen = 0; 607 *retlen = 0;
@@ -748,10 +744,6 @@ static int doc_write(struct mtd_info *mtd, loff_t to, size_t len,
748 size_t left = len; 744 size_t left = len;
749 int status; 745 int status;
750 746
751 /* Don't allow write past end of device */
752 if (to >= this->totlen)
753 return -EINVAL;
754
755 mutex_lock(&this->lock); 747 mutex_lock(&this->lock);
756 748
757 *retlen = 0; 749 *retlen = 0;
diff --git a/drivers/mtd/devices/doc2001.c b/drivers/mtd/devices/doc2001.c
index b1185f938711..17844155a685 100644
--- a/drivers/mtd/devices/doc2001.c
+++ b/drivers/mtd/devices/doc2001.c
@@ -383,10 +383,6 @@ static int doc_read (struct mtd_info *mtd, loff_t from, size_t len,
383 void __iomem *docptr = this->virtadr; 383 void __iomem *docptr = this->virtadr;
384 struct Nand *mychip = &this->chips[from >> (this->chipshift)]; 384 struct Nand *mychip = &this->chips[from >> (this->chipshift)];
385 385
386 /* Don't allow read past end of device */
387 if (from >= this->totlen)
388 return -EINVAL;
389
390 /* Don't allow a single read to cross a 512-byte block boundary */ 386 /* Don't allow a single read to cross a 512-byte block boundary */
391 if (from + len > ((from | 0x1ff) + 1)) 387 if (from + len > ((from | 0x1ff) + 1))
392 len = ((from | 0x1ff) + 1) - from; 388 len = ((from | 0x1ff) + 1) - from;
@@ -494,10 +490,6 @@ static int doc_write (struct mtd_info *mtd, loff_t to, size_t len,
494 void __iomem *docptr = this->virtadr; 490 void __iomem *docptr = this->virtadr;
495 struct Nand *mychip = &this->chips[to >> (this->chipshift)]; 491 struct Nand *mychip = &this->chips[to >> (this->chipshift)];
496 492
497 /* Don't allow write past end of device */
498 if (to >= this->totlen)
499 return -EINVAL;
500
501#if 0 493#if 0
502 /* Don't allow a single write to cross a 512-byte block boundary */ 494 /* Don't allow a single write to cross a 512-byte block boundary */
503 if (to + len > ( (to | 0x1ff) + 1)) 495 if (to + len > ( (to | 0x1ff) + 1))
diff --git a/drivers/mtd/devices/doc2001plus.c b/drivers/mtd/devices/doc2001plus.c
index c9fbadd3303e..a472bab7ef2b 100644
--- a/drivers/mtd/devices/doc2001plus.c
+++ b/drivers/mtd/devices/doc2001plus.c
@@ -581,10 +581,6 @@ static int doc_read(struct mtd_info *mtd, loff_t from, size_t len,
581 void __iomem * docptr = this->virtadr; 581 void __iomem * docptr = this->virtadr;
582 struct Nand *mychip = &this->chips[from >> (this->chipshift)]; 582 struct Nand *mychip = &this->chips[from >> (this->chipshift)];
583 583
584 /* Don't allow read past end of device */
585 if (from >= this->totlen)
586 return -EINVAL;
587
588 /* Don't allow a single read to cross a 512-byte block boundary */ 584 /* Don't allow a single read to cross a 512-byte block boundary */
589 if (from + len > ((from | 0x1ff) + 1)) 585 if (from + len > ((from | 0x1ff) + 1))
590 len = ((from | 0x1ff) + 1) - from; 586 len = ((from | 0x1ff) + 1) - from;
@@ -700,10 +696,6 @@ static int doc_write(struct mtd_info *mtd, loff_t to, size_t len,
700 void __iomem * docptr = this->virtadr; 696 void __iomem * docptr = this->virtadr;
701 struct Nand *mychip = &this->chips[to >> (this->chipshift)]; 697 struct Nand *mychip = &this->chips[to >> (this->chipshift)];
702 698
703 /* Don't allow write past end of device */
704 if (to >= this->totlen)
705 return -EINVAL;
706
707 /* Don't allow writes which aren't exactly one block (512 bytes) */ 699 /* Don't allow writes which aren't exactly one block (512 bytes) */
708 if ((to & 0x1ff) || (len != 0x200)) 700 if ((to & 0x1ff) || (len != 0x200))
709 return -EINVAL; 701 return -EINVAL;
diff --git a/drivers/mtd/devices/lart.c b/drivers/mtd/devices/lart.c
index 6d6502c2ec35..c9ae60112a90 100644
--- a/drivers/mtd/devices/lart.c
+++ b/drivers/mtd/devices/lart.c
@@ -367,9 +367,6 @@ static int flash_erase (struct mtd_info *mtd,struct erase_info *instr)
367 printk (KERN_DEBUG "%s(addr = 0x%.8x, len = %d)\n", __func__, instr->addr, instr->len); 367 printk (KERN_DEBUG "%s(addr = 0x%.8x, len = %d)\n", __func__, instr->addr, instr->len);
368#endif 368#endif
369 369
370 /* sanity checks */
371 if (instr->addr + instr->len > mtd->size) return (-EINVAL);
372
373 /* 370 /*
374 * check that both start and end of the requested erase are 371 * check that both start and end of the requested erase are
375 * aligned with the erasesize at the appropriate addresses. 372 * aligned with the erasesize at the appropriate addresses.
@@ -442,7 +439,6 @@ static int flash_read (struct mtd_info *mtd,loff_t from,size_t len,size_t *retle
442 439
443 /* sanity checks */ 440 /* sanity checks */
444 if (!len) return (0); 441 if (!len) return (0);
445 if (from + len > mtd->size) return (-EINVAL);
446 442
447 /* we always read len bytes */ 443 /* we always read len bytes */
448 *retlen = len; 444 *retlen = len;
@@ -526,7 +522,6 @@ static int flash_write (struct mtd_info *mtd,loff_t to,size_t len,size_t *retlen
526 522
527 /* sanity checks */ 523 /* sanity checks */
528 if (!len) return (0); 524 if (!len) return (0);
529 if (to + len > mtd->size) return (-EINVAL);
530 525
531 /* first, we write a 0xFF.... padded byte until we reach a dword boundary */ 526 /* first, we write a 0xFF.... padded byte until we reach a dword boundary */
532 if (to & (BUSWIDTH - 1)) 527 if (to & (BUSWIDTH - 1))
diff --git a/drivers/mtd/devices/m25p80.c b/drivers/mtd/devices/m25p80.c
index 8808da9ee31f..0955a8f4fd25 100644
--- a/drivers/mtd/devices/m25p80.c
+++ b/drivers/mtd/devices/m25p80.c
@@ -288,9 +288,6 @@ static int m25p80_erase(struct mtd_info *mtd, struct erase_info *instr)
288 __func__, (long long)instr->addr, 288 __func__, (long long)instr->addr,
289 (long long)instr->len); 289 (long long)instr->len);
290 290
291 /* sanity checks */
292 if (instr->addr + instr->len > flash->mtd.size)
293 return -EINVAL;
294 div_u64_rem(instr->len, mtd->erasesize, &rem); 291 div_u64_rem(instr->len, mtd->erasesize, &rem);
295 if (rem) 292 if (rem)
296 return -EINVAL; 293 return -EINVAL;
@@ -353,9 +350,6 @@ static int m25p80_read(struct mtd_info *mtd, loff_t from, size_t len,
353 if (!len) 350 if (!len)
354 return 0; 351 return 0;
355 352
356 if (from + len > flash->mtd.size)
357 return -EINVAL;
358
359 spi_message_init(&m); 353 spi_message_init(&m);
360 memset(t, 0, (sizeof t)); 354 memset(t, 0, (sizeof t));
361 355
@@ -423,9 +417,6 @@ static int m25p80_write(struct mtd_info *mtd, loff_t to, size_t len,
423 if (!len) 417 if (!len)
424 return(0); 418 return(0);
425 419
426 if (to + len > flash->mtd.size)
427 return -EINVAL;
428
429 spi_message_init(&m); 420 spi_message_init(&m);
430 memset(t, 0, (sizeof t)); 421 memset(t, 0, (sizeof t));
431 422
@@ -515,9 +506,6 @@ static int sst_write(struct mtd_info *mtd, loff_t to, size_t len,
515 if (!len) 506 if (!len)
516 return 0; 507 return 0;
517 508
518 if (to + len > flash->mtd.size)
519 return -EINVAL;
520
521 spi_message_init(&m); 509 spi_message_init(&m);
522 memset(t, 0, (sizeof t)); 510 memset(t, 0, (sizeof t));
523 511
diff --git a/drivers/mtd/devices/ms02-nv.c b/drivers/mtd/devices/ms02-nv.c
index 3a05af529e7d..182849d39c61 100644
--- a/drivers/mtd/devices/ms02-nv.c
+++ b/drivers/mtd/devices/ms02-nv.c
@@ -59,12 +59,8 @@ static int ms02nv_read(struct mtd_info *mtd, loff_t from,
59{ 59{
60 struct ms02nv_private *mp = mtd->priv; 60 struct ms02nv_private *mp = mtd->priv;
61 61
62 if (from + len > mtd->size)
63 return -EINVAL;
64
65 memcpy(buf, mp->uaddr + from, len); 62 memcpy(buf, mp->uaddr + from, len);
66 *retlen = len; 63 *retlen = len;
67
68 return 0; 64 return 0;
69} 65}
70 66
@@ -73,12 +69,8 @@ static int ms02nv_write(struct mtd_info *mtd, loff_t to,
73{ 69{
74 struct ms02nv_private *mp = mtd->priv; 70 struct ms02nv_private *mp = mtd->priv;
75 71
76 if (to + len > mtd->size)
77 return -EINVAL;
78
79 memcpy(mp->uaddr + to, buf, len); 72 memcpy(mp->uaddr + to, buf, len);
80 *retlen = len; 73 *retlen = len;
81
82 return 0; 74 return 0;
83} 75}
84 76
diff --git a/drivers/mtd/devices/mtd_dataflash.c b/drivers/mtd/devices/mtd_dataflash.c
index fd4a9fc0d8b8..fc5c78171844 100644
--- a/drivers/mtd/devices/mtd_dataflash.c
+++ b/drivers/mtd/devices/mtd_dataflash.c
@@ -164,9 +164,6 @@ static int dataflash_erase(struct mtd_info *mtd, struct erase_info *instr)
164 dev_name(&spi->dev), (long long)instr->addr, 164 dev_name(&spi->dev), (long long)instr->addr,
165 (long long)instr->len); 165 (long long)instr->len);
166 166
167 /* Sanity checks */
168 if (instr->addr + instr->len > mtd->size)
169 return -EINVAL;
170 div_u64_rem(instr->len, priv->page_size, &rem); 167 div_u64_rem(instr->len, priv->page_size, &rem);
171 if (rem) 168 if (rem)
172 return -EINVAL; 169 return -EINVAL;
@@ -257,8 +254,6 @@ static int dataflash_read(struct mtd_info *mtd, loff_t from, size_t len,
257 /* Sanity checks */ 254 /* Sanity checks */
258 if (!len) 255 if (!len)
259 return 0; 256 return 0;
260 if (from + len > mtd->size)
261 return -EINVAL;
262 257
263 /* Calculate flash page/byte address */ 258 /* Calculate flash page/byte address */
264 addr = (((unsigned)from / priv->page_size) << priv->page_offset) 259 addr = (((unsigned)from / priv->page_size) << priv->page_offset)
@@ -333,8 +328,6 @@ static int dataflash_write(struct mtd_info *mtd, loff_t to, size_t len,
333 /* Sanity checks */ 328 /* Sanity checks */
334 if (!len) 329 if (!len)
335 return 0; 330 return 0;
336 if ((to + len) > mtd->size)
337 return -EINVAL;
338 331
339 spi_message_init(&msg); 332 spi_message_init(&msg);
340 333
diff --git a/drivers/mtd/devices/mtdram.c b/drivers/mtd/devices/mtdram.c
index e1f017bf0777..0e0e6ed4443c 100644
--- a/drivers/mtd/devices/mtdram.c
+++ b/drivers/mtd/devices/mtdram.c
@@ -34,27 +34,18 @@ static struct mtd_info *mtd_info;
34 34
35static int ram_erase(struct mtd_info *mtd, struct erase_info *instr) 35static int ram_erase(struct mtd_info *mtd, struct erase_info *instr)
36{ 36{
37 if (instr->addr + instr->len > mtd->size)
38 return -EINVAL;
39
40 memset((char *)mtd->priv + instr->addr, 0xff, instr->len); 37 memset((char *)mtd->priv + instr->addr, 0xff, instr->len);
41
42 instr->state = MTD_ERASE_DONE; 38 instr->state = MTD_ERASE_DONE;
43 mtd_erase_callback(instr); 39 mtd_erase_callback(instr);
44
45 return 0; 40 return 0;
46} 41}
47 42
48static int ram_point(struct mtd_info *mtd, loff_t from, size_t len, 43static int ram_point(struct mtd_info *mtd, loff_t from, size_t len,
49 size_t *retlen, void **virt, resource_size_t *phys) 44 size_t *retlen, void **virt, resource_size_t *phys)
50{ 45{
51 if (from + len > mtd->size)
52 return -EINVAL;
53
54 /* can we return a physical address with this driver? */ 46 /* can we return a physical address with this driver? */
55 if (phys) 47 if (phys)
56 return -EINVAL; 48 return -EINVAL;
57
58 *virt = mtd->priv + from; 49 *virt = mtd->priv + from;
59 *retlen = len; 50 *retlen = len;
60 return 0; 51 return 0;
@@ -81,11 +72,7 @@ static unsigned long ram_get_unmapped_area(struct mtd_info *mtd,
81static int ram_read(struct mtd_info *mtd, loff_t from, size_t len, 72static int ram_read(struct mtd_info *mtd, loff_t from, size_t len,
82 size_t *retlen, u_char *buf) 73 size_t *retlen, u_char *buf)
83{ 74{
84 if (from + len > mtd->size)
85 return -EINVAL;
86
87 memcpy(buf, mtd->priv + from, len); 75 memcpy(buf, mtd->priv + from, len);
88
89 *retlen = len; 76 *retlen = len;
90 return 0; 77 return 0;
91} 78}
@@ -93,11 +80,7 @@ static int ram_read(struct mtd_info *mtd, loff_t from, size_t len,
93static int ram_write(struct mtd_info *mtd, loff_t to, size_t len, 80static int ram_write(struct mtd_info *mtd, loff_t to, size_t len,
94 size_t *retlen, const u_char *buf) 81 size_t *retlen, const u_char *buf)
95{ 82{
96 if (to + len > mtd->size)
97 return -EINVAL;
98
99 memcpy((char *)mtd->priv + to, buf, len); 83 memcpy((char *)mtd->priv + to, buf, len);
100
101 *retlen = len; 84 *retlen = len;
102 return 0; 85 return 0;
103} 86}
diff --git a/drivers/mtd/devices/phram.c b/drivers/mtd/devices/phram.c
index 38035551a7d2..36add7ce4632 100644
--- a/drivers/mtd/devices/phram.c
+++ b/drivers/mtd/devices/phram.c
@@ -38,29 +38,20 @@ static int phram_erase(struct mtd_info *mtd, struct erase_info *instr)
38{ 38{
39 u_char *start = mtd->priv; 39 u_char *start = mtd->priv;
40 40
41 if (instr->addr + instr->len > mtd->size)
42 return -EINVAL;
43
44 memset(start + instr->addr, 0xff, instr->len); 41 memset(start + instr->addr, 0xff, instr->len);
45 42
46 /* This'll catch a few races. Free the thing before returning :) 43 /* This'll catch a few races. Free the thing before returning :)
47 * I don't feel at all ashamed. This kind of thing is possible anyway 44 * I don't feel at all ashamed. This kind of thing is possible anyway
48 * with flash, but unlikely. 45 * with flash, but unlikely.
49 */ 46 */
50
51 instr->state = MTD_ERASE_DONE; 47 instr->state = MTD_ERASE_DONE;
52
53 mtd_erase_callback(instr); 48 mtd_erase_callback(instr);
54
55 return 0; 49 return 0;
56} 50}
57 51
58static int phram_point(struct mtd_info *mtd, loff_t from, size_t len, 52static int phram_point(struct mtd_info *mtd, loff_t from, size_t len,
59 size_t *retlen, void **virt, resource_size_t *phys) 53 size_t *retlen, void **virt, resource_size_t *phys)
60{ 54{
61 if (from + len > mtd->size)
62 return -EINVAL;
63
64 /* can we return a physical address with this driver? */ 55 /* can we return a physical address with this driver? */
65 if (phys) 56 if (phys)
66 return -EINVAL; 57 return -EINVAL;
@@ -80,14 +71,7 @@ static int phram_read(struct mtd_info *mtd, loff_t from, size_t len,
80{ 71{
81 u_char *start = mtd->priv; 72 u_char *start = mtd->priv;
82 73
83 if (from >= mtd->size)
84 return -EINVAL;
85
86 if (len > mtd->size - from)
87 len = mtd->size - from;
88
89 memcpy(buf, start + from, len); 74 memcpy(buf, start + from, len);
90
91 *retlen = len; 75 *retlen = len;
92 return 0; 76 return 0;
93} 77}
@@ -97,14 +81,7 @@ static int phram_write(struct mtd_info *mtd, loff_t to, size_t len,
97{ 81{
98 u_char *start = mtd->priv; 82 u_char *start = mtd->priv;
99 83
100 if (to >= mtd->size)
101 return -EINVAL;
102
103 if (len > mtd->size - to)
104 len = mtd->size - to;
105
106 memcpy(start + to, buf, len); 84 memcpy(start + to, buf, len);
107
108 *retlen = len; 85 *retlen = len;
109 return 0; 86 return 0;
110} 87}
diff --git a/drivers/mtd/devices/pmc551.c b/drivers/mtd/devices/pmc551.c
index 933127ecebe5..d394e06e4279 100644
--- a/drivers/mtd/devices/pmc551.c
+++ b/drivers/mtd/devices/pmc551.c
@@ -116,16 +116,6 @@ static int pmc551_erase(struct mtd_info *mtd, struct erase_info *instr)
116#endif 116#endif
117 117
118 end = instr->addr + instr->len - 1; 118 end = instr->addr + instr->len - 1;
119
120 /* Is it past the end? */
121 if (end > mtd->size) {
122#ifdef CONFIG_MTD_PMC551_DEBUG
123 printk(KERN_DEBUG "pmc551_erase() out of bounds (%ld > %ld)\n",
124 (long)end, (long)mtd->size);
125#endif
126 return -EINVAL;
127 }
128
129 eoff_hi = end & ~(priv->asize - 1); 119 eoff_hi = end & ~(priv->asize - 1);
130 soff_hi = instr->addr & ~(priv->asize - 1); 120 soff_hi = instr->addr & ~(priv->asize - 1);
131 eoff_lo = end & (priv->asize - 1); 121 eoff_lo = end & (priv->asize - 1);
@@ -179,14 +169,6 @@ static int pmc551_point(struct mtd_info *mtd, loff_t from, size_t len,
179 printk(KERN_DEBUG "pmc551_point(%ld, %ld)\n", (long)from, (long)len); 169 printk(KERN_DEBUG "pmc551_point(%ld, %ld)\n", (long)from, (long)len);
180#endif 170#endif
181 171
182 if (from + len > mtd->size) {
183#ifdef CONFIG_MTD_PMC551_DEBUG
184 printk(KERN_DEBUG "pmc551_point() out of bounds (%ld > %ld)\n",
185 (long)from + len, (long)mtd->size);
186#endif
187 return -EINVAL;
188 }
189
190 /* can we return a physical address with this driver? */ 172 /* can we return a physical address with this driver? */
191 if (phys) 173 if (phys)
192 return -EINVAL; 174 return -EINVAL;
@@ -230,16 +212,6 @@ static int pmc551_read(struct mtd_info *mtd, loff_t from, size_t len,
230#endif 212#endif
231 213
232 end = from + len - 1; 214 end = from + len - 1;
233
234 /* Is it past the end? */
235 if (end > mtd->size) {
236#ifdef CONFIG_MTD_PMC551_DEBUG
237 printk(KERN_DEBUG "pmc551_read() out of bounds (%ld > %ld)\n",
238 (long)end, (long)mtd->size);
239#endif
240 return -EINVAL;
241 }
242
243 soff_hi = from & ~(priv->asize - 1); 215 soff_hi = from & ~(priv->asize - 1);
244 eoff_hi = end & ~(priv->asize - 1); 216 eoff_hi = end & ~(priv->asize - 1);
245 soff_lo = from & (priv->asize - 1); 217 soff_lo = from & (priv->asize - 1);
@@ -297,16 +269,6 @@ static int pmc551_write(struct mtd_info *mtd, loff_t to, size_t len,
297#endif 269#endif
298 270
299 end = to + len - 1; 271 end = to + len - 1;
300 /* Is it past the end? or did the u32 wrap? */
301 if (end > mtd->size) {
302#ifdef CONFIG_MTD_PMC551_DEBUG
303 printk(KERN_DEBUG "pmc551_write() out of bounds (end: %ld, "
304 "size: %ld, to: %ld)\n", (long)end, (long)mtd->size,
305 (long)to);
306#endif
307 return -EINVAL;
308 }
309
310 soff_hi = to & ~(priv->asize - 1); 272 soff_hi = to & ~(priv->asize - 1);
311 eoff_hi = end & ~(priv->asize - 1); 273 eoff_hi = end & ~(priv->asize - 1);
312 soff_lo = to & (priv->asize - 1); 274 soff_lo = to & (priv->asize - 1);
diff --git a/drivers/mtd/devices/slram.c b/drivers/mtd/devices/slram.c
index 9431ffc761c2..842e4890d771 100644
--- a/drivers/mtd/devices/slram.c
+++ b/drivers/mtd/devices/slram.c
@@ -84,21 +84,13 @@ static int slram_erase(struct mtd_info *mtd, struct erase_info *instr)
84{ 84{
85 slram_priv_t *priv = mtd->priv; 85 slram_priv_t *priv = mtd->priv;
86 86
87 if (instr->addr + instr->len > mtd->size) {
88 return(-EINVAL);
89 }
90
91 memset(priv->start + instr->addr, 0xff, instr->len); 87 memset(priv->start + instr->addr, 0xff, instr->len);
92
93 /* This'll catch a few races. Free the thing before returning :) 88 /* This'll catch a few races. Free the thing before returning :)
94 * I don't feel at all ashamed. This kind of thing is possible anyway 89 * I don't feel at all ashamed. This kind of thing is possible anyway
95 * with flash, but unlikely. 90 * with flash, but unlikely.
96 */ 91 */
97
98 instr->state = MTD_ERASE_DONE; 92 instr->state = MTD_ERASE_DONE;
99
100 mtd_erase_callback(instr); 93 mtd_erase_callback(instr);
101
102 return(0); 94 return(0);
103} 95}
104 96
@@ -110,10 +102,6 @@ static int slram_point(struct mtd_info *mtd, loff_t from, size_t len,
110 /* can we return a physical address with this driver? */ 102 /* can we return a physical address with this driver? */
111 if (phys) 103 if (phys)
112 return -EINVAL; 104 return -EINVAL;
113
114 if (from + len > mtd->size)
115 return -EINVAL;
116
117 *virt = priv->start + from; 105 *virt = priv->start + from;
118 *retlen = len; 106 *retlen = len;
119 return(0); 107 return(0);
@@ -129,14 +117,7 @@ static int slram_read(struct mtd_info *mtd, loff_t from, size_t len,
129{ 117{
130 slram_priv_t *priv = mtd->priv; 118 slram_priv_t *priv = mtd->priv;
131 119
132 if (from > mtd->size)
133 return -EINVAL;
134
135 if (from + len > mtd->size)
136 len = mtd->size - from;
137
138 memcpy(buf, priv->start + from, len); 120 memcpy(buf, priv->start + from, len);
139
140 *retlen = len; 121 *retlen = len;
141 return(0); 122 return(0);
142} 123}
@@ -146,11 +127,7 @@ static int slram_write(struct mtd_info *mtd, loff_t to, size_t len,
146{ 127{
147 slram_priv_t *priv = mtd->priv; 128 slram_priv_t *priv = mtd->priv;
148 129
149 if (to + len > mtd->size)
150 return -EINVAL;
151
152 memcpy(priv->start + to, buf, len); 130 memcpy(priv->start + to, buf, len);
153
154 *retlen = len; 131 *retlen = len;
155 return(0); 132 return(0);
156} 133}
diff --git a/drivers/mtd/devices/spear_smi.c b/drivers/mtd/devices/spear_smi.c
index b80cb5b5ebbd..2238ab916a06 100644
--- a/drivers/mtd/devices/spear_smi.c
+++ b/drivers/mtd/devices/spear_smi.c
@@ -510,10 +510,6 @@ static int spear_mtd_erase(struct mtd_info *mtd, struct erase_info *e_info)
510 if (!flash || !dev) 510 if (!flash || !dev)
511 return -ENODEV; 511 return -ENODEV;
512 512
513 /* do not allow erase past end of device */
514 if (e_info->addr + e_info->len > flash->mtd.size)
515 return -EINVAL;
516
517 bank = flash->bank; 513 bank = flash->bank;
518 if (bank > dev->num_flashes - 1) { 514 if (bank > dev->num_flashes - 1) {
519 dev_err(&dev->pdev->dev, "Invalid Bank Num"); 515 dev_err(&dev->pdev->dev, "Invalid Bank Num");
@@ -573,10 +569,6 @@ static int spear_mtd_read(struct mtd_info *mtd, loff_t from, size_t len,
573 if (!flash || !dev) 569 if (!flash || !dev)
574 return -ENODEV; 570 return -ENODEV;
575 571
576 /* do not allow reads past end of device */
577 if (from + len > flash->mtd.size)
578 return -EINVAL;
579
580 if (flash->bank > dev->num_flashes - 1) { 572 if (flash->bank > dev->num_flashes - 1) {
581 dev_err(&dev->pdev->dev, "Invalid Bank Num"); 573 dev_err(&dev->pdev->dev, "Invalid Bank Num");
582 return -EINVAL; 574 return -EINVAL;
@@ -678,10 +670,6 @@ static int spear_mtd_write(struct mtd_info *mtd, loff_t to, size_t len,
678 if (!len) 670 if (!len)
679 return 0; 671 return 0;
680 672
681 /* do not allow write past end of page */
682 if (to + len > flash->mtd.size)
683 return -EINVAL;
684
685 if (flash->bank > dev->num_flashes - 1) { 673 if (flash->bank > dev->num_flashes - 1) {
686 dev_err(&dev->pdev->dev, "Invalid Bank Num"); 674 dev_err(&dev->pdev->dev, "Invalid Bank Num");
687 return -EINVAL; 675 return -EINVAL;
diff --git a/drivers/mtd/devices/sst25l.c b/drivers/mtd/devices/sst25l.c
index 8b9ffafcc401..99d4a3c510d7 100644
--- a/drivers/mtd/devices/sst25l.c
+++ b/drivers/mtd/devices/sst25l.c
@@ -175,9 +175,6 @@ static int sst25l_erase(struct mtd_info *mtd, struct erase_info *instr)
175 int err; 175 int err;
176 176
177 /* Sanity checks */ 177 /* Sanity checks */
178 if (instr->addr + instr->len > flash->mtd.size)
179 return -EINVAL;
180
181 if ((uint32_t)instr->len % mtd->erasesize) 178 if ((uint32_t)instr->len % mtd->erasesize)
182 return -EINVAL; 179 return -EINVAL;
183 180
@@ -227,9 +224,6 @@ static int sst25l_read(struct mtd_info *mtd, loff_t from, size_t len,
227 if (len == 0) 224 if (len == 0)
228 return 0; 225 return 0;
229 226
230 if (from + len > flash->mtd.size)
231 return -EINVAL;
232
233 if (retlen) 227 if (retlen)
234 *retlen = 0; 228 *retlen = 0;
235 229
@@ -278,9 +272,6 @@ static int sst25l_write(struct mtd_info *mtd, loff_t to, size_t len,
278 if (!len) 272 if (!len)
279 return 0; 273 return 0;
280 274
281 if (to + len > flash->mtd.size)
282 return -EINVAL;
283
284 if ((uint32_t)to % mtd->writesize) 275 if ((uint32_t)to % mtd->writesize)
285 return -EINVAL; 276 return -EINVAL;
286 277
diff --git a/drivers/mtd/lpddr/lpddr_cmds.c b/drivers/mtd/lpddr/lpddr_cmds.c
index de960b1d395a..0f3731c6b3f6 100644
--- a/drivers/mtd/lpddr/lpddr_cmds.c
+++ b/drivers/mtd/lpddr/lpddr_cmds.c
@@ -530,7 +530,7 @@ static int lpddr_point(struct mtd_info *mtd, loff_t adr, size_t len,
530 struct flchip *chip = &lpddr->chips[chipnum]; 530 struct flchip *chip = &lpddr->chips[chipnum];
531 int ret = 0; 531 int ret = 0;
532 532
533 if (!map->virt || (adr + len > mtd->size)) 533 if (!map->virt)
534 return -EINVAL; 534 return -EINVAL;
535 535
536 /* ofs: offset within the first chip that the first read should start */ 536 /* ofs: offset within the first chip that the first read should start */
@@ -692,9 +692,6 @@ static int lpddr_erase(struct mtd_info *mtd, struct erase_info *instr)
692 ofs = instr->addr; 692 ofs = instr->addr;
693 len = instr->len; 693 len = instr->len;
694 694
695 if (ofs > mtd->size || (len + ofs) > mtd->size)
696 return -EINVAL;
697
698 while (len > 0) { 695 while (len > 0) {
699 ret = do_erase_oneblock(mtd, ofs); 696 ret = do_erase_oneblock(mtd, ofs);
700 if (ret) 697 if (ret)
diff --git a/drivers/mtd/mtdconcat.c b/drivers/mtd/mtdconcat.c
index d826a8a50e73..1f2071803931 100644
--- a/drivers/mtd/mtdconcat.c
+++ b/drivers/mtd/mtdconcat.c
@@ -185,10 +185,6 @@ concat_writev(struct mtd_info *mtd, const struct kvec *vecs,
185 for (i = 0; i < count; i++) 185 for (i = 0; i < count; i++)
186 total_len += vecs[i].iov_len; 186 total_len += vecs[i].iov_len;
187 187
188 /* Do not allow write past end of device */
189 if ((to + total_len) > mtd->size)
190 return -EINVAL;
191
192 /* Check alignment */ 188 /* Check alignment */
193 if (mtd->writesize > 1) { 189 if (mtd->writesize > 1) {
194 uint64_t __to = to; 190 uint64_t __to = to;
@@ -406,12 +402,6 @@ static int concat_erase(struct mtd_info *mtd, struct erase_info *instr)
406 if (!(mtd->flags & MTD_WRITEABLE)) 402 if (!(mtd->flags & MTD_WRITEABLE))
407 return -EROFS; 403 return -EROFS;
408 404
409 if (instr->addr > concat->mtd.size)
410 return -EINVAL;
411
412 if (instr->len + instr->addr > concat->mtd.size)
413 return -EINVAL;
414
415 /* 405 /*
416 * Check for proper erase block alignment of the to-be-erased area. 406 * Check for proper erase block alignment of the to-be-erased area.
417 * It is easier to do this based on the super device's erase 407 * It is easier to do this based on the super device's erase
@@ -538,9 +528,6 @@ static int concat_lock(struct mtd_info *mtd, loff_t ofs, uint64_t len)
538 struct mtd_concat *concat = CONCAT(mtd); 528 struct mtd_concat *concat = CONCAT(mtd);
539 int i, err = -EINVAL; 529 int i, err = -EINVAL;
540 530
541 if ((len + ofs) > mtd->size)
542 return -EINVAL;
543
544 for (i = 0; i < concat->num_subdev; i++) { 531 for (i = 0; i < concat->num_subdev; i++) {
545 struct mtd_info *subdev = concat->subdev[i]; 532 struct mtd_info *subdev = concat->subdev[i];
546 uint64_t size; 533 uint64_t size;
@@ -575,9 +562,6 @@ static int concat_unlock(struct mtd_info *mtd, loff_t ofs, uint64_t len)
575 struct mtd_concat *concat = CONCAT(mtd); 562 struct mtd_concat *concat = CONCAT(mtd);
576 int i, err = 0; 563 int i, err = 0;
577 564
578 if ((len + ofs) > mtd->size)
579 return -EINVAL;
580
581 for (i = 0; i < concat->num_subdev; i++) { 565 for (i = 0; i < concat->num_subdev; i++) {
582 struct mtd_info *subdev = concat->subdev[i]; 566 struct mtd_info *subdev = concat->subdev[i];
583 uint64_t size; 567 uint64_t size;
@@ -650,9 +634,6 @@ static int concat_block_isbad(struct mtd_info *mtd, loff_t ofs)
650 if (!mtd_can_have_bb(concat->subdev[0])) 634 if (!mtd_can_have_bb(concat->subdev[0]))
651 return res; 635 return res;
652 636
653 if (ofs > mtd->size)
654 return -EINVAL;
655
656 for (i = 0; i < concat->num_subdev; i++) { 637 for (i = 0; i < concat->num_subdev; i++) {
657 struct mtd_info *subdev = concat->subdev[i]; 638 struct mtd_info *subdev = concat->subdev[i];
658 639
@@ -673,9 +654,6 @@ static int concat_block_markbad(struct mtd_info *mtd, loff_t ofs)
673 struct mtd_concat *concat = CONCAT(mtd); 654 struct mtd_concat *concat = CONCAT(mtd);
674 int i, err = -EINVAL; 655 int i, err = -EINVAL;
675 656
676 if (ofs > mtd->size)
677 return -EINVAL;
678
679 for (i = 0; i < concat->num_subdev; i++) { 657 for (i = 0; i < concat->num_subdev; i++) {
680 struct mtd_info *subdev = concat->subdev[i]; 658 struct mtd_info *subdev = concat->subdev[i];
681 659
@@ -713,10 +691,6 @@ static unsigned long concat_get_unmapped_area(struct mtd_info *mtd,
713 continue; 691 continue;
714 } 692 }
715 693
716 /* we've found the subdev over which the mapping will reside */
717 if (offset + len > subdev->size)
718 return (unsigned long) -EINVAL;
719
720 return mtd_get_unmapped_area(subdev, len, offset, flags); 694 return mtd_get_unmapped_area(subdev, len, offset, flags);
721 } 695 }
722 696
diff --git a/drivers/mtd/mtdpart.c b/drivers/mtd/mtdpart.c
index da8a0b28316c..fbe2c8a22e1c 100644
--- a/drivers/mtd/mtdpart.c
+++ b/drivers/mtd/mtdpart.c
@@ -65,11 +65,6 @@ static int part_read(struct mtd_info *mtd, loff_t from, size_t len,
65 int res; 65 int res;
66 66
67 stats = part->master->ecc_stats; 67 stats = part->master->ecc_stats;
68
69 if (from >= mtd->size)
70 len = 0;
71 else if (from + len > mtd->size)
72 len = mtd->size - from;
73 res = mtd_read(part->master, from + part->offset, len, retlen, buf); 68 res = mtd_read(part->master, from + part->offset, len, retlen, buf);
74 if (unlikely(res)) { 69 if (unlikely(res)) {
75 if (mtd_is_bitflip(res)) 70 if (mtd_is_bitflip(res))
@@ -84,10 +79,7 @@ static int part_point(struct mtd_info *mtd, loff_t from, size_t len,
84 size_t *retlen, void **virt, resource_size_t *phys) 79 size_t *retlen, void **virt, resource_size_t *phys)
85{ 80{
86 struct mtd_part *part = PART(mtd); 81 struct mtd_part *part = PART(mtd);
87 if (from >= mtd->size) 82
88 len = 0;
89 else if (from + len > mtd->size)
90 len = mtd->size - from;
91 return mtd_point(part->master, from + part->offset, len, retlen, 83 return mtd_point(part->master, from + part->offset, len, retlen,
92 virt, phys); 84 virt, phys);
93} 85}
@@ -182,10 +174,6 @@ static int part_write(struct mtd_info *mtd, loff_t to, size_t len,
182 struct mtd_part *part = PART(mtd); 174 struct mtd_part *part = PART(mtd);
183 if (!(mtd->flags & MTD_WRITEABLE)) 175 if (!(mtd->flags & MTD_WRITEABLE))
184 return -EROFS; 176 return -EROFS;
185 if (to >= mtd->size)
186 len = 0;
187 else if (to + len > mtd->size)
188 len = mtd->size - to;
189 return mtd_write(part->master, to + part->offset, len, retlen, buf); 177 return mtd_write(part->master, to + part->offset, len, retlen, buf);
190} 178}
191 179
@@ -195,10 +183,6 @@ static int part_panic_write(struct mtd_info *mtd, loff_t to, size_t len,
195 struct mtd_part *part = PART(mtd); 183 struct mtd_part *part = PART(mtd);
196 if (!(mtd->flags & MTD_WRITEABLE)) 184 if (!(mtd->flags & MTD_WRITEABLE))
197 return -EROFS; 185 return -EROFS;
198 if (to >= mtd->size)
199 len = 0;
200 else if (to + len > mtd->size)
201 len = mtd->size - to;
202 return mtd_panic_write(part->master, to + part->offset, len, retlen, 186 return mtd_panic_write(part->master, to + part->offset, len, retlen,
203 buf); 187 buf);
204} 188}
@@ -248,8 +232,6 @@ static int part_erase(struct mtd_info *mtd, struct erase_info *instr)
248 int ret; 232 int ret;
249 if (!(mtd->flags & MTD_WRITEABLE)) 233 if (!(mtd->flags & MTD_WRITEABLE))
250 return -EROFS; 234 return -EROFS;
251 if (instr->addr >= mtd->size)
252 return -EINVAL;
253 instr->addr += part->offset; 235 instr->addr += part->offset;
254 ret = mtd_erase(part->master, instr); 236 ret = mtd_erase(part->master, instr);
255 if (ret) { 237 if (ret) {
@@ -277,24 +259,18 @@ EXPORT_SYMBOL_GPL(mtd_erase_callback);
277static int part_lock(struct mtd_info *mtd, loff_t ofs, uint64_t len) 259static int part_lock(struct mtd_info *mtd, loff_t ofs, uint64_t len)
278{ 260{
279 struct mtd_part *part = PART(mtd); 261 struct mtd_part *part = PART(mtd);
280 if ((len + ofs) > mtd->size)
281 return -EINVAL;
282 return mtd_lock(part->master, ofs + part->offset, len); 262 return mtd_lock(part->master, ofs + part->offset, len);
283} 263}
284 264
285static int part_unlock(struct mtd_info *mtd, loff_t ofs, uint64_t len) 265static int part_unlock(struct mtd_info *mtd, loff_t ofs, uint64_t len)
286{ 266{
287 struct mtd_part *part = PART(mtd); 267 struct mtd_part *part = PART(mtd);
288 if ((len + ofs) > mtd->size)
289 return -EINVAL;
290 return mtd_unlock(part->master, ofs + part->offset, len); 268 return mtd_unlock(part->master, ofs + part->offset, len);
291} 269}
292 270
293static int part_is_locked(struct mtd_info *mtd, loff_t ofs, uint64_t len) 271static int part_is_locked(struct mtd_info *mtd, loff_t ofs, uint64_t len)
294{ 272{
295 struct mtd_part *part = PART(mtd); 273 struct mtd_part *part = PART(mtd);
296 if ((len + ofs) > mtd->size)
297 return -EINVAL;
298 return mtd_is_locked(part->master, ofs + part->offset, len); 274 return mtd_is_locked(part->master, ofs + part->offset, len);
299} 275}
300 276
@@ -319,8 +295,6 @@ static void part_resume(struct mtd_info *mtd)
319static int part_block_isbad(struct mtd_info *mtd, loff_t ofs) 295static int part_block_isbad(struct mtd_info *mtd, loff_t ofs)
320{ 296{
321 struct mtd_part *part = PART(mtd); 297 struct mtd_part *part = PART(mtd);
322 if (ofs >= mtd->size)
323 return -EINVAL;
324 ofs += part->offset; 298 ofs += part->offset;
325 return mtd_block_isbad(part->master, ofs); 299 return mtd_block_isbad(part->master, ofs);
326} 300}
@@ -332,8 +306,6 @@ static int part_block_markbad(struct mtd_info *mtd, loff_t ofs)
332 306
333 if (!(mtd->flags & MTD_WRITEABLE)) 307 if (!(mtd->flags & MTD_WRITEABLE))
334 return -EROFS; 308 return -EROFS;
335 if (ofs >= mtd->size)
336 return -EINVAL;
337 ofs += part->offset; 309 ofs += part->offset;
338 res = mtd_block_markbad(part->master, ofs); 310 res = mtd_block_markbad(part->master, ofs);
339 if (!res) 311 if (!res)
diff --git a/drivers/mtd/nand/nand_base.c b/drivers/mtd/nand/nand_base.c
index 13a56d3e8aec..dd182c8591a9 100644
--- a/drivers/mtd/nand/nand_base.c
+++ b/drivers/mtd/nand/nand_base.c
@@ -123,12 +123,6 @@ static int check_offs_len(struct mtd_info *mtd,
123 ret = -EINVAL; 123 ret = -EINVAL;
124 } 124 }
125 125
126 /* Do not allow past end of device */
127 if (ofs + len > mtd->size) {
128 pr_debug("%s: past end of device\n", __func__);
129 ret = -EINVAL;
130 }
131
132 return ret; 126 return ret;
133} 127}
134 128
@@ -1620,25 +1614,17 @@ static int nand_read(struct mtd_info *mtd, loff_t from, size_t len,
1620 struct mtd_oob_ops ops; 1614 struct mtd_oob_ops ops;
1621 int ret; 1615 int ret;
1622 1616
1623 /* Do not allow reads past end of device */
1624 if ((from + len) > mtd->size)
1625 return -EINVAL;
1626 if (!len) 1617 if (!len)
1627 return 0; 1618 return 0;
1628 1619
1629 nand_get_device(chip, mtd, FL_READING); 1620 nand_get_device(chip, mtd, FL_READING);
1630
1631 ops.len = len; 1621 ops.len = len;
1632 ops.datbuf = buf; 1622 ops.datbuf = buf;
1633 ops.oobbuf = NULL; 1623 ops.oobbuf = NULL;
1634 ops.mode = 0; 1624 ops.mode = 0;
1635
1636 ret = nand_do_read_ops(mtd, from, &ops); 1625 ret = nand_do_read_ops(mtd, from, &ops);
1637
1638 *retlen = ops.retlen; 1626 *retlen = ops.retlen;
1639
1640 nand_release_device(mtd); 1627 nand_release_device(mtd);
1641
1642 return ret; 1628 return ret;
1643} 1629}
1644 1630
@@ -2328,8 +2314,6 @@ static int panic_nand_write(struct mtd_info *mtd, loff_t to, size_t len,
2328 int ret; 2314 int ret;
2329 2315
2330 /* Do not allow reads past end of device */ 2316 /* Do not allow reads past end of device */
2331 if ((to + len) > mtd->size)
2332 return -EINVAL;
2333 if (!len) 2317 if (!len)
2334 return 0; 2318 return 0;
2335 2319
@@ -2367,25 +2351,17 @@ static int nand_write(struct mtd_info *mtd, loff_t to, size_t len,
2367 struct mtd_oob_ops ops; 2351 struct mtd_oob_ops ops;
2368 int ret; 2352 int ret;
2369 2353
2370 /* Do not allow reads past end of device */
2371 if ((to + len) > mtd->size)
2372 return -EINVAL;
2373 if (!len) 2354 if (!len)
2374 return 0; 2355 return 0;
2375 2356
2376 nand_get_device(chip, mtd, FL_WRITING); 2357 nand_get_device(chip, mtd, FL_WRITING);
2377
2378 ops.len = len; 2358 ops.len = len;
2379 ops.datbuf = (uint8_t *)buf; 2359 ops.datbuf = (uint8_t *)buf;
2380 ops.oobbuf = NULL; 2360 ops.oobbuf = NULL;
2381 ops.mode = 0; 2361 ops.mode = 0;
2382
2383 ret = nand_do_write_ops(mtd, to, &ops); 2362 ret = nand_do_write_ops(mtd, to, &ops);
2384
2385 *retlen = ops.retlen; 2363 *retlen = ops.retlen;
2386
2387 nand_release_device(mtd); 2364 nand_release_device(mtd);
2388
2389 return ret; 2365 return ret;
2390} 2366}
2391 2367
@@ -2749,10 +2725,6 @@ static void nand_sync(struct mtd_info *mtd)
2749 */ 2725 */
2750static int nand_block_isbad(struct mtd_info *mtd, loff_t offs) 2726static int nand_block_isbad(struct mtd_info *mtd, loff_t offs)
2751{ 2727{
2752 /* Check for invalid offset */
2753 if (offs > mtd->size)
2754 return -EINVAL;
2755
2756 return nand_block_checkbad(mtd, offs, 1, 0); 2728 return nand_block_checkbad(mtd, offs, 1, 0);
2757} 2729}
2758 2730
diff --git a/drivers/mtd/onenand/onenand_base.c b/drivers/mtd/onenand/onenand_base.c
index 914c49bdf2b6..9c6445d372ce 100644
--- a/drivers/mtd/onenand/onenand_base.c
+++ b/drivers/mtd/onenand/onenand_base.c
@@ -1756,13 +1756,6 @@ static int onenand_panic_write(struct mtd_info *mtd, loff_t to, size_t len,
1756 /* Initialize retlen, in case of early exit */ 1756 /* Initialize retlen, in case of early exit */
1757 *retlen = 0; 1757 *retlen = 0;
1758 1758
1759 /* Do not allow writes past end of device */
1760 if (unlikely((to + len) > mtd->size)) {
1761 printk(KERN_ERR "%s: Attempt write to past end of device\n",
1762 __func__);
1763 return -EINVAL;
1764 }
1765
1766 /* Reject writes, which are not page aligned */ 1759 /* Reject writes, which are not page aligned */
1767 if (unlikely(NOTALIGNED(to) || NOTALIGNED(len))) { 1760 if (unlikely(NOTALIGNED(to) || NOTALIGNED(len))) {
1768 printk(KERN_ERR "%s: Attempt to write not page aligned data\n", 1761 printk(KERN_ERR "%s: Attempt to write not page aligned data\n",
@@ -1890,13 +1883,6 @@ static int onenand_write_ops_nolock(struct mtd_info *mtd, loff_t to,
1890 ops->retlen = 0; 1883 ops->retlen = 0;
1891 ops->oobretlen = 0; 1884 ops->oobretlen = 0;
1892 1885
1893 /* Do not allow writes past end of device */
1894 if (unlikely((to + len) > mtd->size)) {
1895 printk(KERN_ERR "%s: Attempt write to past end of device\n",
1896 __func__);
1897 return -EINVAL;
1898 }
1899
1900 /* Reject writes, which are not page aligned */ 1886 /* Reject writes, which are not page aligned */
1901 if (unlikely(NOTALIGNED(to) || NOTALIGNED(len))) { 1887 if (unlikely(NOTALIGNED(to) || NOTALIGNED(len))) {
1902 printk(KERN_ERR "%s: Attempt to write not page aligned data\n", 1888 printk(KERN_ERR "%s: Attempt to write not page aligned data\n",
@@ -2493,12 +2479,6 @@ static int onenand_erase(struct mtd_info *mtd, struct erase_info *instr)
2493 (unsigned long long)instr->addr, 2479 (unsigned long long)instr->addr,
2494 (unsigned long long)instr->len); 2480 (unsigned long long)instr->len);
2495 2481
2496 /* Do not allow erase past end of device */
2497 if (unlikely((len + addr) > mtd->size)) {
2498 printk(KERN_ERR "%s: Erase past end of device\n", __func__);
2499 return -EINVAL;
2500 }
2501
2502 if (FLEXONENAND(this)) { 2482 if (FLEXONENAND(this)) {
2503 /* Find the eraseregion of this address */ 2483 /* Find the eraseregion of this address */
2504 int i = flexonenand_region(mtd, addr); 2484 int i = flexonenand_region(mtd, addr);
diff --git a/drivers/mtd/ubi/gluebi.c b/drivers/mtd/ubi/gluebi.c
index 0101dce90c45..b875c2c50d82 100644
--- a/drivers/mtd/ubi/gluebi.c
+++ b/drivers/mtd/ubi/gluebi.c
@@ -174,11 +174,7 @@ static int gluebi_read(struct mtd_info *mtd, loff_t from, size_t len,
174 int err = 0, lnum, offs, total_read; 174 int err = 0, lnum, offs, total_read;
175 struct gluebi_device *gluebi; 175 struct gluebi_device *gluebi;
176 176
177 if (len < 0 || from < 0 || from + len > mtd->size)
178 return -EINVAL;
179
180 gluebi = container_of(mtd, struct gluebi_device, mtd); 177 gluebi = container_of(mtd, struct gluebi_device, mtd);
181
182 lnum = div_u64_rem(from, mtd->erasesize, &offs); 178 lnum = div_u64_rem(from, mtd->erasesize, &offs);
183 total_read = len; 179 total_read = len;
184 while (total_read) { 180 while (total_read) {
@@ -218,9 +214,6 @@ static int gluebi_write(struct mtd_info *mtd, loff_t to, size_t len,
218 int err = 0, lnum, offs, total_written; 214 int err = 0, lnum, offs, total_written;
219 struct gluebi_device *gluebi; 215 struct gluebi_device *gluebi;
220 216
221 if (len < 0 || to < 0 || len + to > mtd->size)
222 return -EINVAL;
223
224 gluebi = container_of(mtd, struct gluebi_device, mtd); 217 gluebi = container_of(mtd, struct gluebi_device, mtd);
225 218
226 if (!(mtd->flags & MTD_WRITEABLE)) 219 if (!(mtd->flags & MTD_WRITEABLE))
@@ -265,10 +258,6 @@ static int gluebi_erase(struct mtd_info *mtd, struct erase_info *instr)
265 int err, i, lnum, count; 258 int err, i, lnum, count;
266 struct gluebi_device *gluebi; 259 struct gluebi_device *gluebi;
267 260
268 if (instr->addr < 0 || instr->addr > mtd->size - mtd->erasesize)
269 return -EINVAL;
270 if (instr->len < 0 || instr->addr + instr->len > mtd->size)
271 return -EINVAL;
272 if (mtd_mod_by_ws(instr->addr, mtd) || mtd_mod_by_ws(instr->len, mtd)) 261 if (mtd_mod_by_ws(instr->addr, mtd) || mtd_mod_by_ws(instr->len, mtd))
273 return -EINVAL; 262 return -EINVAL;
274 263