kernel/linux.git/drivers/mtd/mtdchar.c, branch linux-6.0.y

mtdchar: use kvmalloc() for potentially large allocations

2022-06-09T13:03:32+00:00

mtdchar_write_ioctl() calls kmalloc() with the 'size' argument set to the smaller of two values: the write request's data/OOB length provided by user space and the erase block size of the MTD device. If the latter is large, kmalloc() may not be able to serve such allocation requests. Use kvmalloc() instead. Correspondingly, replace kfree() calls with kvfree() calls. Suggested-by: Richard Weinberger Signed-off-by: Michał Kępień Acked-by: Richard Weinberger Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20220516070601.11428-3-kernel@kempniu.pl

mtdchar: prevent integer overflow in a safety check

2022-06-09T13:03:32+00:00

Commit 6420ac0af95d ("mtdchar: prevent unbounded allocation in MEMWRITE ioctl") added a safety check to mtdchar_write_ioctl() which attempts to ensure that the write request sent by user space does not extend beyond the MTD device's size. However, that check contains an addition of two struct mtd_write_req fields, 'start' and 'len', both of which are u64 variables. The result of that addition can overflow, allowing the safety check to be bypassed. The arguably simplest fix - changing the data types of the relevant struct mtd_write_req fields - is not feasible as it would break user space. Fix by making mtdchar_write_ioctl() truncate the value provided by user space in the 'len' field of struct mtd_write_req, so that only the lower 32 bits of that field are used, preventing the overflow. While the 'ooblen' field of struct mtd_write_req is not currently used in any similarly flawed safety check, also truncate it to 32 bits, for consistency with the 'len' field and with other MTD routines handling OOB data. Update include/uapi/mtd/mtd-abi.h accordingly. Suggested-by: Richard Weinberger Signed-off-by: Michał Kępień Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20220516070601.11428-2-kernel@kempniu.pl

mtdchar: prevent unbounded allocation in MEMWRITE ioctl

2021-12-09T16:52:29+00:00

In the mtdchar_write_ioctl() function, memdup_user() is called with its 'len' parameter set to verbatim values provided by user space via a struct mtd_write_req. Both the 'len' and 'ooblen' fields of that structure are 64-bit unsigned integers, which means the MEMWRITE ioctl can trigger unbounded kernel memory allocation requests. Fix by iterating over the buffers provided by user space in a loop, processing at most mtd->erasesize bytes in each iteration. Adopt some checks from mtd_check_oob_ops() to retain backward user space compatibility. Suggested-by: Boris Brezillon Signed-off-by: Michał Kępień Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20211130113149.21848-1-kernel@kempniu.pl

mtd: add OTP (one-time-programmable) erase ioctl

2021-03-28T17:24:54+00:00

This may sound like a contradiction but some SPI-NOR flashes really support erasing their OTP region until it is finally locked. Having the possibility to erase an OTP region might come in handy during development. The ioctl argument follows the OTPLOCK style. Signed-off-by: Michael Walle Acked-by: Vignesh Raghavendra Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20210303201819.2752-1-michael@walle.cc

mtd: require write permissions for locking and badblock ioctls

2021-03-28T17:20:11+00:00

MEMLOCK, MEMUNLOCK and OTPLOCK modify protection bits. Thus require write permission. Depending on the hardware MEMLOCK might even be write-once, e.g. for SPI-NOR flashes with their WP# tied to GND. OTPLOCK is always write-once. MEMSETBADBLOCK modifies the bad block table. Fixes: f7e6b19bc764 ("mtd: properly check all write ioctls for permissions") Signed-off-by: Michael Walle Reviewed-by: Greg Kroah-Hartman Acked-by: Rafał Miłecki Acked-by: Richard Weinberger Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20210303155735.25887-1-michael@walle.cc

mtd: mtdchar: Fix fall-through warnings for Clang

2021-03-11T11:17:42+00:00

In preparation to enable -Wimplicit-fallthrough for Clang, fix a warning by explicitly adding a break statement instead of letting the code fall through to the next case. Link: https://github.com/KSPP/linux/issues/115 Signed-off-by: Gustavo A. R. Silva Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20210305082224.GA137360@embeddedor

mtd: char: Get rid of Big MTD Lock

2021-03-11T08:37:49+00:00

Get rid of central chrdev MTD lock, which prevents simultaneous operations on completely independent physical MTD chips. Replace it with newly introduced per-master mutex. Signed-off-by: Alexander Sverdlin Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20210217211845.43364-2-alexander.sverdlin@nokia.com

mtd: char: Drop mtd_mutex usage from mtdchar_open()

2021-03-11T08:37:49+00:00

It looks unnecessary in the function, remove it from the function having in mind to remove it completely. Signed-off-by: Alexander Sverdlin Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20210217211845.43364-1-alexander.sverdlin@nokia.com

mtd: remove unneeded break

2020-10-28T10:58:11+00:00

A break is not needed if it is preceded by a return Signed-off-by: Tom Rix Acked-by: Richard Weinberger Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20201019191631.9604-1-trix@redhat.com

mtd: properly check all write ioctls for permissions

2020-07-24T21:03:11+00:00

When doing a "write" ioctl call, properly check that we have permissions to do so before copying anything from userspace or anything else so we can "fail fast". This includes also covering the MEMWRITE ioctl which previously missed checking for this. Cc: Miquel Raynal Cc: Richard Weinberger Cc: Vignesh Raghavendra Cc: stable Signed-off-by: Greg Kroah-Hartman [rw: Fixed locking issue] Signed-off-by: Richard Weinberger