linux-stable.git/drivers/mtd/chips, branch linux-3.2.y Linux kernel stable tree mtd: jedec_probe: Fix crash in jedec_read_mfr() 2018-05-31T23:30:26+00:00 Linus Walleij linus.walleij@linaro.org 2018-03-03T22:29:03+00:00 0b8479056e90225a9f913d7eee4876295989ca62 commit 87a73eb5b56fd6e07c8e499fe8608ef2d8912b82 upstream. It turns out that the loop where we read manufacturer jedec_read_mfd() can under some circumstances get a CFI_MFR_CONTINUATION repeatedly, making the loop go over all banks and eventually hit the end of the map and crash because of an access violation: Unable to handle kernel paging request at virtual address c4980000 pgd = (ptrval) [c4980000] *pgd=03808811, *pte=00000000, *ppte=00000000 Internal error: Oops: 7 [#1] PREEMPT ARM CPU: 0 PID: 1 Comm: swapper Not tainted 4.16.0-rc1+ #150 Hardware name: Gemini (Device Tree) PC is at jedec_probe_chip+0x6ec/0xcd0 LR is at 0x4 pc : [<c03a2bf4>] lr : [<00000004>] psr: 60000013 sp : c382dd18 ip : 0000ffff fp : 00000000 r10: c0626388 r9 : 00020000 r8 : c0626340 r7 : 00000000 r6 : 00000001 r5 : c3a71afc r4 : c382dd70 r3 : 00000001 r2 : c4900000 r1 : 00000002 r0 : 00080000 Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none Control: 0000397f Table: 00004000 DAC: 00000053 Process swapper (pid: 1, stack limit = 0x(ptrval)) Fix this by breaking the loop with a return 0 if the offset exceeds the map size. Fixes: 5c9c11e1c47c ("[MTD] [NOR] Add support for flash chips with ID in bank other than 0") Signed-off-by: Linus Walleij <linus.walleij@linaro.org> Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 
commit 87a73eb5b56fd6e07c8e499fe8608ef2d8912b82 upstream.

It turns out that the loop where we read manufacturer
jedec_read_mfd() can under some circumstances get a
CFI_MFR_CONTINUATION repeatedly, making the loop go
over all banks and eventually hit the end of the
map and crash because of an access violation:

Unable to handle kernel paging request at virtual address c4980000
pgd = (ptrval)
[c4980000] *pgd=03808811, *pte=00000000, *ppte=00000000
Internal error: Oops: 7 [#1] PREEMPT ARM
CPU: 0 PID: 1 Comm: swapper Not tainted 4.16.0-rc1+ #150
Hardware name: Gemini (Device Tree)
PC is at jedec_probe_chip+0x6ec/0xcd0
LR is at 0x4
pc : [<c03a2bf4>]    lr : [<00000004>]    psr: 60000013
sp : c382dd18  ip : 0000ffff  fp : 00000000
r10: c0626388  r9 : 00020000  r8 : c0626340
r7 : 00000000  r6 : 00000001  r5 : c3a71afc  r4 : c382dd70
r3 : 00000001  r2 : c4900000  r1 : 00000002  r0 : 00080000
Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
Control: 0000397f  Table: 00004000  DAC: 00000053
Process swapper (pid: 1, stack limit = 0x(ptrval))

Fix this by breaking the loop with a return 0 if
the offset exceeds the map size.

Fixes: 5c9c11e1c47c ("[MTD] [NOR] Add support for flash chips with ID in bank other than 0")
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
mtd: cleanup style on pr_debug messages 2011-09-11T12:02:16+00:00 Brian Norris computersforpeace@gmail.com 2011-07-19T17:06:10+00:00 0a32a10264d151bc2d1616d69edaf915aa728698 Signed-off-by: Brian Norris <computersforpeace@gmail.com> Signed-off-by: Artem Bityutskiy <artem.bityutskiy@intel.com> 
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@intel.com>
mtd: replace DEBUG() with pr_debug() 2011-09-11T12:02:16+00:00 Brian Norris computersforpeace@gmail.com 2011-07-19T17:06:09+00:00 289c05222172b51401dbbb017115655f241d94ab Start moving away from the MTD_DEBUG_LEVEL messages. The dynamic debugging feature is a generic kernel feature that provides more flexibility. (See Documentation/dynamic-debug-howto.txt) Also fix some punctuation, indentation, and capitalization that went along with the affected lines. Signed-off-by: Brian Norris <computersforpeace@gmail.com> Signed-off-by: Artem Bityutskiy <artem.bityutskiy@intel.com> 
Start moving away from the MTD_DEBUG_LEVEL messages. The dynamic
debugging feature is a generic kernel feature that provides more
flexibility.

(See Documentation/dynamic-debug-howto.txt)

Also fix some punctuation, indentation, and capitalization that went
along with the affected lines.

Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@intel.com>
mtd: spelling, capitalization, uniformity 2011-09-11T12:02:13+00:00 Brian Norris computersforpeace@gmail.com 2011-06-23T21:12:08+00:00 7854d3f7495b11be1570cd3e2318674d8f9ed797 Therefor -> Therefore [Intern], [Internal] -> [INTERN] [REPLACABLE] -> [REPLACEABLE] syndrom, syndom -> syndrome ecc -> ECC buswith -> buswidth endianess -> endianness dont -> don't occures -> occurs independend -> independent wihin -> within erease -> erase blockes -> blocks ... Signed-off-by: Brian Norris <computersforpeace@gmail.com> Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com> 
Therefor -> Therefore
[Intern], [Internal] -> [INTERN]
[REPLACABLE] -> [REPLACEABLE]
syndrom, syndom -> syndrome
ecc -> ECC
buswith -> buswidth
endianess -> endianness
dont -> don't
occures -> occurs
independend -> independent
wihin -> within
erease -> erase
blockes -> blocks
...

Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
mtd: remove duplicate assignment of chip->state 2011-05-25T01:11:13+00:00 Tadashi Abe tabe@mvista.com 2011-05-19T07:17:50+00:00 5c8d2607756a63ddf5b2f2dd368851b8febe4e72 This is a trivial patch which removes unnecessary assignment of chip->state in put_chip(). It's duplicated. Signed-off-by: Tadashi Abe <tabe@mvista.com> Acked-by: Joakim Tjernlund <joakim.tjernlund@transmode.se> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> 
This is a trivial patch which removes unnecessary assignment of chip->state
in put_chip(). It's duplicated.

Signed-off-by: Tadashi Abe <tabe@mvista.com>
Acked-by: Joakim Tjernlund <joakim.tjernlund@transmode.se>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
mtd: fix hang-up in cfi erase and read contention 2011-05-25T01:11:11+00:00 Tadashi Abe tabe@mvista.com 2011-05-19T06:58:15+00:00 100f2341e305f98de3aa12fb472771ab029cbda7 cfi erase command hangs up when erase and read contention occurs. If read runs at the same address as erase operation, read issues Erase-Suspend via get_chip() and the erase goes into sleep in wait queue. But in this case, read operation exits by time-out without waking it up. I think the other variants (0001, 0020 and lpddr) have the same problem too. Tested and verified the patch only on CFI-0002 flash, though. Signed-off-by: Tadashi Abe <tabe@mvista.com> Acked-by: Joakim Tjernlund <joakim.tjernlund@transmode.se> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> 
cfi erase command hangs up when erase and read contention occurs.
If read runs at the same address as erase operation, read issues
Erase-Suspend via get_chip() and the erase goes into sleep in wait queue.
But in this case, read operation exits by time-out without waking it up.

I think the other variants (0001, 0020 and lpddr) have the same problem too.
Tested and verified the patch only on CFI-0002 flash, though.

Signed-off-by: Tadashi Abe <tabe@mvista.com>
Acked-by: Joakim Tjernlund <joakim.tjernlund@transmode.se>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
mtd: cmdset_0002: add CFI 1.5 support for S29GL-S 2011-05-25T00:51:35+00:00 Gernot Hoyler Gernot.Hoyler@spansion.com 2011-04-11T13:53:35+00:00 c9ddab25d1b62baead4b0c5de562f1fce026dcfd This patch adds CFI 1.5 support for the new Spansion S29GL-S device family. For details, see the data sheet on the Spansion web site: http://www.spansion.com/Support/Datasheets/S29GL_128S_01GS_00_02_e.pdf Signed-off-by: Gernot Hoyler <Gernot.Hoyler@spansion.com> Acked-by: Guillaume LECERF <glecerf@gmail.com> Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> 
This patch adds CFI 1.5 support for the new Spansion S29GL-S device family.
For details, see the data sheet on the Spansion web site:
http://www.spansion.com/Support/Datasheets/S29GL_128S_01GS_00_02_e.pdf

Signed-off-by: Gernot Hoyler <Gernot.Hoyler@spansion.com>
Acked-by: Guillaume LECERF <glecerf@gmail.com>
Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Fix common misspellings 2011-03-31T14:26:23+00:00 Lucas De Marchi lucas.demarchi@profusion.mobi 2011-03-31T01:57:33+00:00 25985edcedea6396277003854657b5f3cb31a628 Fixes generated by 'codespell' and manually reviewed. Signed-off-by: Lucas De Marchi <lucas.demarchi@profusion.mobi> 
Fixes generated by 'codespell' and manually reviewed.

Signed-off-by: Lucas De Marchi <lucas.demarchi@profusion.mobi>
mtd: cfi: add support for AMIC flashes (e.g. A29L160AT) 2011-03-11T14:27:01+00:00 Steffen Sledz sledz@dresearch.de 2011-03-10T08:05:12+00:00 1065cda8a1a57d0d3bfccdce1a655a84439d24e0 Signed-off-by: Steffen Sledz <sledz@dresearch.de> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> 
Signed-off-by: Steffen Sledz <sledz@dresearch.de>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
mtd: cfi: fix writebufsize initialization 2011-03-11T14:22:46+00:00 Anatolij Gustschin agust@denx.de 2011-02-10T15:01:46+00:00 13ce77f46c79a3839e4c2ff9722c9416c165f498 When initializing mtd->writebufsize, we must take into account possible flash chip interleaving. Wrong writebufsize initialization caused UBIFS recovery issues resulting in unmountable UBIFS file system on NOR flash partitions. Signed-off-by: Anatolij Gustschin <agust@denx.de> Acked-by: Guillaume LECERF <glecerf@gmail.com> Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> 
When initializing mtd->writebufsize, we must take into account
possible flash chip interleaving. Wrong writebufsize initialization
caused UBIFS recovery issues resulting in unmountable UBIFS file
system on NOR flash partitions.

Signed-off-by: Anatolij Gustschin <agust@denx.de>
Acked-by: Guillaume LECERF <glecerf@gmail.com>
Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>