Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v4.4.235 2020-08-21T08:52:56+00:00 2020-08-21T08:52:56+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2020-07-16T11:53:46+00:00 urn:sha1:1c9f9125892a43901438bf704ada6b7019e2a884 commit f7e6b19bc76471ba03725fe58e0c218a3d6266c3 upstream. When doing a "write" ioctl call, properly check that we have permissions to do so before copying anything from userspace or anything else so we can "fail fast". This includes also covering the MEMWRITE ioctl which previously missed checking for this. Cc: Miquel Raynal <miquel.raynal@bootlin.com> Cc: Richard Weinberger <richard@nod.at> Cc: Vignesh Raghavendra <vigneshr@ti.com> Cc: stable <stable@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> [rw: Fixed locking issue] Signed-off-by: Richard Weinberger <richard@nod.at> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-07-22T07:10:05+00:00 Álvaro Fernández Rojas noltari@gmail.com 2020-05-22T12:15:21+00:00 urn:sha1:bdc8219a1186e8ff4d8344f5cf891ac015439d84 commit 3d3fb3c5be9ce07fa85d8f67fb3922e4613b955b upstream. Only v3.3-v5.0 have a different CS0 layout. Controllers before v3.3 use the same layout for every CS. Fixes: 27c5b17cd1b1 ("mtd: nand: add NAND driver "library" for Broadcom STB NAND controller") Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com> Acked-by: Florian Fainelli <f.fainelli@gmail.com> Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com> Link: https://lore.kernel.org/linux-mtd/20200522121524.4161539-3-noltari@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-05-10T08:26:05+00:00 Boris Brezillon boris.brezillon@free-electrons.com 2015-12-11T14:02:34+00:00 urn:sha1:c5197b9e45f0de50aa3f704db0760972faa7dd70 commit 320092a05dab2f44819c42f33d6b51efb6c474f2 upstream. Unregister the NAND device from the NAND subsystem when removing a denali NAND controller, otherwise the MTD attached to the NAND device is still exposed by the MTD layer, and accesses to this device will likely crash the system. Fixes: 2a0a288ec258 ("mtd: denali: split the generic driver and PCI layer") Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com> Acked-by: Dinh Nguyen <dinguyen@opensource.altera.com> Signed-off-by: Brian Norris <computersforpeace@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-05-02T15:20:52+00:00 Liu Jian liujian56@huawei.com 2019-03-03T07:04:18+00:00 urn:sha1:8660cae0b950dc4d9ab4834d67064d7754677403 commit d9b8a67b3b95a5c5aae6422b8113adc1c2485f2b upstream. In function do_write_buffer(), in the for loop, there is a case chip_ready() returns 1 while chip_good() returns 0, so it never break the loop. To fix this, chip_good() is enough and it should timeout if it stay bad for a while. Fixes: dfeae1073583("mtd: cfi_cmdset_0002: Change write buffer to check correct value") Signed-off-by: Yi Huaijie <yihuaijie@huawei.com> Signed-off-by: Liu Jian <liujian56@huawei.com> Reviewed-by: Tokunori Ikegami <ikegami_to@yahoo.co.jp> Signed-off-by: Richard Weinberger <richard@nod.at> Cc: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-04-24T05:57:26+00:00 Wen Yang wenyang@linux.alibaba.com 2020-03-18T15:31:56+00:00 urn:sha1:128e99c8c35fb173b473ae865ea4f707e41154d9 commit 49c64df880570034308e4a9a49c4bc95cf8cdb33 upstream. The variable 'name' is released multiple times in the error path, which may cause double free issues. This problem is avoided by adding a goto label to release the memory uniformly. And this change also makes the code a bit more cleaner. Fixes: 4f678a58d335 ("mtd: fix memory leaks in phram_setup") Signed-off-by: Wen Yang <wenyang@linux.alibaba.com> Cc: Joern Engel <joern@lazybastard.org> Cc: Miquel Raynal <miquel.raynal@bootlin.com> Cc: Richard Weinberger <richard@nod.at> Cc: Vignesh Raghavendra <vigneshr@ti.com> Cc: linux-mtd@lists.infradead.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com> Link: https://lore.kernel.org/linux-mtd/20200318153156.25612-1-wenyang@linux.alibaba.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-04-24T05:57:26+00:00 Dan Carpenter dan.carpenter@oracle.com 2020-02-28T09:25:54+00:00 urn:sha1:ea5a52ce59b220947faff6a9fa0b6aeabe863804 commit 4da0ea71ea934af18db4c63396ba2af1a679ef02 upstream. This function is only called from lpddr_probe(). We free "lpddr" both here and in the caller, so it's a double free. The best place to free "lpddr" is in lpddr_probe() so let's delete this one. Fixes: 8dc004395d5e ("[MTD] LPDDR qinfo probing.") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com> Link: https://lore.kernel.org/linux-mtd/20200228092554.o57igp3nqhyvf66t@kili.mountain Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-12-21T09:35:17+00:00 Miquel Raynal miquel.raynal@bootlin.com 2019-10-22T14:58:59+00:00 urn:sha1:9f8f0193597af53b2787ca4dfb36c2a76635b2e4 commit 69c7f4618c16b4678f8a4949b6bb5ace259c0033 upstream. Any write with either dd or flashcp to a device driven by the spear_smi.c driver will pass through the spear_smi_cpy_toio() function. This function will get called for chunks of up to 256 bytes. If the amount of data is smaller, we may have a problem if the data length is not 4-byte aligned. In this situation, the kernel panics during the memcpy: # dd if=/dev/urandom bs=1001 count=1 of=/dev/mtd6 spear_smi_cpy_toio [620] dest c9070000, src c7be8800, len 256 spear_smi_cpy_toio [620] dest c9070100, src c7be8900, len 256 spear_smi_cpy_toio [620] dest c9070200, src c7be8a00, len 256 spear_smi_cpy_toio [620] dest c9070300, src c7be8b00, len 233 Unhandled fault: external abort on non-linefetch (0x808) at 0xc90703e8 [...] PC is at memcpy+0xcc/0x330 The above error occurs because the implementation of memcpy_toio() tries to optimize the number of I/O by writing 4 bytes at a time as much as possible, until there are less than 4 bytes left and then switches to word or byte writes. Unfortunately, the specification states about the Write Burst mode: "the next AHB Write request should point to the next incremented address and should have the same size (byte, half-word or word)" This means ARM architecture implementation of memcpy_toio() cannot reliably be used blindly here. Workaround this situation by update the write path to stick to byte access when the burst length is not multiple of 4. Fixes: f18dbbb1bfe0 ("mtd: ST SPEAr: Add SMI driver for serial NOR flash") Cc: Russell King <linux@armlinux.org.uk> Cc: Boris Brezillon <boris.brezillon@collabora.com> Cc: stable@vger.kernel.org Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com> Reviewed-by: Russell King <rmk+kernel@armlinux.org.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-12-05T14:27:10+00:00 Boris Brezillon bbrezillon@kernel.org 2019-01-30T08:47:00+00:00 urn:sha1:16851325cc14ae77763e1873d7902291194b1fe1 [ Upstream commit bda2ab56356b9acdfab150f31c4bac9846253092 ] Commit 2b6f0090a333 ("mtd: Check add_mtd_device() ret code") contained a leftover of the debug session that led to this bug fix. Remove this pr_info(). Fixes: 2b6f0090a333 ("mtd: Check add_mtd_device() ret code") Signed-off-by: Boris Brezillon <bbrezillon@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2019-12-05T14:27:04+00:00 Boris Brezillon bbrezillon@kernel.org 2019-01-02T14:36:54+00:00 urn:sha1:546e4e174436e340b5db850c30b2dc205bd8d9e2 [ Upstream commit 2b6f0090a3335b7bdd03ca520c35591159463041 ] add_mtd_device() can fail. We should always check its return value and gracefully handle the failure case. Fix the call sites where this not done (in mtdpart.c) and add a __must_check attribute to the prototype to avoid this kind of mistakes. Signed-off-by: Boris Brezillon <bbrezillon@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2019-12-05T14:26:47+00:00 Pan Bian bianpan2016@163.com 2018-11-28T03:20:03+00:00 urn:sha1:b53834869411c300a33f0e11c829d312f210ba48 [ Upstream commit e542087701f09418702673631a908429feb3eae0 ] The UBI device reference is dropped but then the device is used as a parameter of ubi_err. The bug is introduced in changing ubi_err's behavior. The old ubi_err does not require a UBI device as its first parameter, but the new one does. Fixes: 32608703310 ("UBI: Extend UBI layer debug/messaging capabilities") Signed-off-by: Pan Bian <bianpan2016@163.com> Reviewed-by: Boris Brezillon <boris.brezillon@bootlin.com> Signed-off-by: Richard Weinberger <richard@nod.at> Signed-off-by: Sasha Levin <sashal@kernel.org>