kernel/linux.git/drivers/mtd/mtdchar.c, branch v6.19.11

mtdchar: fix integer overflow in read/write ioctls

2025-10-22T09:53:59+00:00

The "req.start" and "req.len" variables are u64 values that come from the user at the start of the function. We mask away the high 32 bits of "req.len" so that's capped at U32_MAX but the "req.start" variable can go up to U64_MAX which means that the addition can still integer overflow. Use check_add_overflow() to fix this bug. Fixes: 095bb6e44eb1 ("mtdchar: add MEMREAD ioctl") Fixes: 6420ac0af95d ("mtdchar: prevent unbounded allocation in MEMWRITE ioctl") Cc: stable@vger.kernel.org Signed-off-by: Dan Carpenter Signed-off-by: Miquel Raynal

Revert "mtd: core: always create master device"

2025-06-18T09:18:23+00:00

The idea behind this patch was to always let a "master" mtd device available to anchor runtime PM. Historically, there was no mtd device representing the whole storage as soon as partitions were coming into play. The introduction of CONFIG_MTD_PARTITIONED_MASTER allowed to keep this "master" device, but was not enabled by default to avoid breaking existing users (otherwise the mtd device numbering would be totally messed up with an off by 1, at least). The approach of adding an mtd_master class on top of partitioned mtd devices is breaking the mtd core in many creative ways, so better think again this approach and revert the faulty changes for now. This reverts commit 0aa7b390fc40a871267a2328bbbefca8b37ad307. Fixes: 0aa7b390fc40 ("mtd: core: always create master device") Tested-by: Guenter Roeck Acked-by: Guenter Roeck Signed-off-by: Miquel Raynal

mtd: core: always create master device

2025-05-13T07:33:57+00:00

Create master device without partition when CONFIG_MTD_PARTITIONED_MASTER flag is unset. This streamlines device tree and allows to anchor runtime power management on master device in all cases. Signed-off-by: Alexander Usyskin Signed-off-by: Miquel Raynal

mtdchar: mark bits of ioctl handler noinline

2023-06-01T16:12:31+00:00

The addition of the mtdchar_read_ioctl() function caused the stack usage of mtdchar_ioctl() to grow beyond the warning limit on 32-bit architectures with gcc-13: drivers/mtd/mtdchar.c: In function 'mtdchar_ioctl': drivers/mtd/mtdchar.c:1229:1: error: the frame size of 1488 bytes is larger than 1024 bytes [-Werror=frame-larger-than=] Mark both the read and write portions as noinline_for_stack to ensure they don't get inlined and use separate stack slots to reduce the maximum usage, both in the mtdchar_ioctl() and combined with any of its callees. Fixes: 095bb6e44eb1 ("mtdchar: add MEMREAD ioctl") Cc: stable@vger.kernel.org Signed-off-by: Arnd Bergmann Reviewed-by: Richard Weinberger Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20230417205654.1982368-1-arnd@kernel.org

mtdchar: add MEMREAD ioctl

2022-09-21T08:38:11+00:00

User-space applications making use of MTD devices via /dev/mtd* character devices currently have limited capabilities for reading data: - only deprecated methods of accessing OOB layout information exist, - there is no way to explicitly specify MTD operation mode to use; it is auto-selected based on the MTD file mode (MTD_FILE_MODE_*) set for the character device; in particular, this prevents using MTD_OPS_AUTO_OOB for reads, - all existing user-space interfaces which cause mtd_read() or mtd_read_oob() to be called (via mtdchar_read() and mtdchar_read_oob(), respectively) return success even when those functions return -EUCLEAN or -EBADMSG; this renders user-space applications using these interfaces unaware of any corrected bitflips or uncorrectable ECC errors detected during reads. Note that the existing MEMWRITE ioctl allows the MTD operation mode to be explicitly set, allowing user-space applications to write page data and OOB data without requiring them to know anything about the OOB layout of the MTD device they are writing to (MTD_OPS_AUTO_OOB). Also, the MEMWRITE ioctl does not mangle the return value of mtd_write_oob(). Add a new ioctl, MEMREAD, which addresses the above issues. It is intended to be a read-side counterpart of the existing MEMWRITE ioctl. Similarly to the latter, the read operation is performed in a loop which processes at most mtd->erasesize bytes in each iteration. This is done to prevent unbounded memory allocations caused by calling kmalloc() with the 'size' argument taken directly from the struct mtd_read_req provided by user space. However, the new ioctl is implemented so that the values it returns match those that would have been returned if just a single mtd_read_oob() call was issued to handle the entire read operation in one go. Note that while just returning -EUCLEAN or -EBADMSG to user space would already be a valid and useful indication of the ECC algorithm detecting errors during a read operation, that signal would not be granular enough to cover all use cases. For example, knowing the maximum number of bitflips detected in a single ECC step during a read operation performed on a given page may be useful when dealing with an MTD partition whose ECC layout varies across pages (e.g. a partition consisting of a bootloader area using a "custom" ECC layout followed by data pages using a "standard" ECC layout). To address that, include ECC statistics in the structure returned to user space by the new MEMREAD ioctl. Link: https://www.infradead.org/pipermail/linux-mtd/2016-April/067085.html Suggested-by: Boris Brezillon Signed-off-by: Michał Kępień Acked-by: Richard Weinberger Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20220629125737.14418-5-kernel@kempniu.pl

mtdchar: use kvmalloc() for potentially large allocations

2022-06-09T13:03:32+00:00

mtdchar_write_ioctl() calls kmalloc() with the 'size' argument set to the smaller of two values: the write request's data/OOB length provided by user space and the erase block size of the MTD device. If the latter is large, kmalloc() may not be able to serve such allocation requests. Use kvmalloc() instead. Correspondingly, replace kfree() calls with kvfree() calls. Suggested-by: Richard Weinberger Signed-off-by: Michał Kępień Acked-by: Richard Weinberger Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20220516070601.11428-3-kernel@kempniu.pl

mtdchar: prevent integer overflow in a safety check

2022-06-09T13:03:32+00:00

Commit 6420ac0af95d ("mtdchar: prevent unbounded allocation in MEMWRITE ioctl") added a safety check to mtdchar_write_ioctl() which attempts to ensure that the write request sent by user space does not extend beyond the MTD device's size. However, that check contains an addition of two struct mtd_write_req fields, 'start' and 'len', both of which are u64 variables. The result of that addition can overflow, allowing the safety check to be bypassed. The arguably simplest fix - changing the data types of the relevant struct mtd_write_req fields - is not feasible as it would break user space. Fix by making mtdchar_write_ioctl() truncate the value provided by user space in the 'len' field of struct mtd_write_req, so that only the lower 32 bits of that field are used, preventing the overflow. While the 'ooblen' field of struct mtd_write_req is not currently used in any similarly flawed safety check, also truncate it to 32 bits, for consistency with the 'len' field and with other MTD routines handling OOB data. Update include/uapi/mtd/mtd-abi.h accordingly. Suggested-by: Richard Weinberger Signed-off-by: Michał Kępień Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20220516070601.11428-2-kernel@kempniu.pl

mtdchar: prevent unbounded allocation in MEMWRITE ioctl

2021-12-09T16:52:29+00:00

In the mtdchar_write_ioctl() function, memdup_user() is called with its 'len' parameter set to verbatim values provided by user space via a struct mtd_write_req. Both the 'len' and 'ooblen' fields of that structure are 64-bit unsigned integers, which means the MEMWRITE ioctl can trigger unbounded kernel memory allocation requests. Fix by iterating over the buffers provided by user space in a loop, processing at most mtd->erasesize bytes in each iteration. Adopt some checks from mtd_check_oob_ops() to retain backward user space compatibility. Suggested-by: Boris Brezillon Signed-off-by: Michał Kępień Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20211130113149.21848-1-kernel@kempniu.pl

mtd: add OTP (one-time-programmable) erase ioctl

2021-03-28T17:24:54+00:00

This may sound like a contradiction but some SPI-NOR flashes really support erasing their OTP region until it is finally locked. Having the possibility to erase an OTP region might come in handy during development. The ioctl argument follows the OTPLOCK style. Signed-off-by: Michael Walle Acked-by: Vignesh Raghavendra Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20210303201819.2752-1-michael@walle.cc

mtd: require write permissions for locking and badblock ioctls

2021-03-28T17:20:11+00:00

MEMLOCK, MEMUNLOCK and OTPLOCK modify protection bits. Thus require write permission. Depending on the hardware MEMLOCK might even be write-once, e.g. for SPI-NOR flashes with their WP# tied to GND. OTPLOCK is always write-once. MEMSETBADBLOCK modifies the bad block table. Fixes: f7e6b19bc764 ("mtd: properly check all write ioctls for permissions") Signed-off-by: Michael Walle Reviewed-by: Greg Kroah-Hartman Acked-by: Rafał Miłecki Acked-by: Richard Weinberger Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20210303155735.25887-1-michael@walle.cc