<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/mtd, branch linux-4.0.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>mtd: dc21285: use raw spinlock functions for nw_gpio_lock</title>
<updated>2015-07-21T17:10:14+00:00</updated>
<author>
<name>Uwe Kleine-König</name>
<email>u.kleine-koenig@pengutronix.de</email>
</author>
<published>2015-05-28T08:22:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=cf5a5f22560fd3ec00551760264ec22bfdb3e5ee'/>
<id>cf5a5f22560fd3ec00551760264ec22bfdb3e5ee</id>
<content type='text'>
commit e5babdf928e5d0c432a8d4b99f20421ce14d1ab6 upstream.

Since commit bd31b85960a7 (which is in 3.2-rc1) nw_gpio_lock is a raw spinlock
that needs usage of the corresponding raw functions.

This fixes:

  drivers/mtd/maps/dc21285.c: In function 'nw_en_write':
  drivers/mtd/maps/dc21285.c:41:340: warning: passing argument 1 of 'spinlock_check' from incompatible pointer type
    spin_lock_irqsave(&amp;nw_gpio_lock, flags);

  In file included from include/linux/seqlock.h:35:0,
                   from include/linux/time.h:5,
                   from include/linux/stat.h:18,
                   from include/linux/module.h:10,
                   from drivers/mtd/maps/dc21285.c:8:
  include/linux/spinlock.h:299:102: note: expected 'struct spinlock_t *' but argument is of type 'struct raw_spinlock_t *'
   static inline raw_spinlock_t *spinlock_check(spinlock_t *lock)
                                                                                                        ^
  drivers/mtd/maps/dc21285.c:43:25: warning: passing argument 1 of 'spin_unlock_irqrestore' from incompatible pointer type
    spin_unlock_irqrestore(&amp;nw_gpio_lock, flags);
                           ^
  In file included from include/linux/seqlock.h:35:0,
                   from include/linux/time.h:5,
                   from include/linux/stat.h:18,
                   from include/linux/module.h:10,
                   from drivers/mtd/maps/dc21285.c:8:
  include/linux/spinlock.h:370:91: note: expected 'struct spinlock_t *' but argument is of type 'struct raw_spinlock_t *'
   static inline void spin_unlock_irqrestore(spinlock_t *lock, unsigned long flags)

Fixes: bd31b85960a7 ("locking, ARM: Annotate low level hw locks as raw")
Signed-off-by: Uwe Kleine-König &lt;u.kleine-koenig@pengutronix.de&gt;
Signed-off-by: Brian Norris &lt;computersforpeace@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit e5babdf928e5d0c432a8d4b99f20421ce14d1ab6 upstream.

Since commit bd31b85960a7 (which is in 3.2-rc1) nw_gpio_lock is a raw spinlock
that needs usage of the corresponding raw functions.

This fixes:

  drivers/mtd/maps/dc21285.c: In function 'nw_en_write':
  drivers/mtd/maps/dc21285.c:41:340: warning: passing argument 1 of 'spinlock_check' from incompatible pointer type
    spin_lock_irqsave(&amp;nw_gpio_lock, flags);

  In file included from include/linux/seqlock.h:35:0,
                   from include/linux/time.h:5,
                   from include/linux/stat.h:18,
                   from include/linux/module.h:10,
                   from drivers/mtd/maps/dc21285.c:8:
  include/linux/spinlock.h:299:102: note: expected 'struct spinlock_t *' but argument is of type 'struct raw_spinlock_t *'
   static inline raw_spinlock_t *spinlock_check(spinlock_t *lock)
                                                                                                        ^
  drivers/mtd/maps/dc21285.c:43:25: warning: passing argument 1 of 'spin_unlock_irqrestore' from incompatible pointer type
    spin_unlock_irqrestore(&amp;nw_gpio_lock, flags);
                           ^
  In file included from include/linux/seqlock.h:35:0,
                   from include/linux/time.h:5,
                   from include/linux/stat.h:18,
                   from include/linux/module.h:10,
                   from drivers/mtd/maps/dc21285.c:8:
  include/linux/spinlock.h:370:91: note: expected 'struct spinlock_t *' but argument is of type 'struct raw_spinlock_t *'
   static inline void spin_unlock_irqrestore(spinlock_t *lock, unsigned long flags)

Fixes: bd31b85960a7 ("locking, ARM: Annotate low level hw locks as raw")
Signed-off-by: Uwe Kleine-König &lt;u.kleine-koenig@pengutronix.de&gt;
Signed-off-by: Brian Norris &lt;computersforpeace@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>mtd: fix: avoid race condition when accessing mtd-&gt;usecount</title>
<updated>2015-07-21T17:10:14+00:00</updated>
<author>
<name>Brian Norris</name>
<email>computersforpeace@gmail.com</email>
</author>
<published>2015-05-08T00:55:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4c5f659b4ce744621371ca60590a37f1781ada8e'/>
<id>4c5f659b4ce744621371ca60590a37f1781ada8e</id>
<content type='text'>
commit 073db4a51ee43ccb827f54a4261c0583b028d5ab upstream.

On A MIPS 32-cores machine a BUG_ON was triggered because some acesses to
mtd-&gt;usecount were done without taking mtd_table_mutex.
kernel: Call Trace:
kernel: [&lt;ffffffff80401818&gt;] __put_mtd_device+0x20/0x50
kernel: [&lt;ffffffff804086f4&gt;] blktrans_release+0x8c/0xd8
kernel: [&lt;ffffffff802577e0&gt;] __blkdev_put+0x1a8/0x200
kernel: [&lt;ffffffff802579a4&gt;] blkdev_close+0x1c/0x30
kernel: [&lt;ffffffff8022006c&gt;] __fput+0xac/0x250
kernel: [&lt;ffffffff80171208&gt;] task_work_run+0xd8/0x120
kernel: [&lt;ffffffff8012c23c&gt;] work_notifysig+0x10/0x18
kernel:
kernel:
        Code: 2442ffff  ac8202d8  000217fe &lt;00020336&gt; dc820128  10400003
               00000000  0040f809  00000000
kernel: ---[ end trace 080fbb4579b47a73 ]---

Fixed by taking the mutex in blktrans_open and blktrans_release.

Note that this locking is already suggested in
include/linux/mtd/blktrans.h:

struct mtd_blktrans_ops {
...
	/* Called with mtd_table_mutex held; no race with add/remove */
	int (*open)(struct mtd_blktrans_dev *dev);
	void (*release)(struct mtd_blktrans_dev *dev);
...
};

But we weren't following it.

Originally reported by (and patched by) Zhang and Giuseppe,
independently. Improved and rewritten.

Reported-by: Zhang Xingcai &lt;zhangxingcai@huawei.com&gt;
Reported-by: Giuseppe Cantavenera &lt;giuseppe.cantavenera.ext@nokia.com&gt;
Tested-by: Giuseppe Cantavenera &lt;giuseppe.cantavenera.ext@nokia.com&gt;
Acked-by: Alexander Sverdlin &lt;alexander.sverdlin@nokia.com&gt;
Signed-off-by: Brian Norris &lt;computersforpeace@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 073db4a51ee43ccb827f54a4261c0583b028d5ab upstream.

On A MIPS 32-cores machine a BUG_ON was triggered because some acesses to
mtd-&gt;usecount were done without taking mtd_table_mutex.
kernel: Call Trace:
kernel: [&lt;ffffffff80401818&gt;] __put_mtd_device+0x20/0x50
kernel: [&lt;ffffffff804086f4&gt;] blktrans_release+0x8c/0xd8
kernel: [&lt;ffffffff802577e0&gt;] __blkdev_put+0x1a8/0x200
kernel: [&lt;ffffffff802579a4&gt;] blkdev_close+0x1c/0x30
kernel: [&lt;ffffffff8022006c&gt;] __fput+0xac/0x250
kernel: [&lt;ffffffff80171208&gt;] task_work_run+0xd8/0x120
kernel: [&lt;ffffffff8012c23c&gt;] work_notifysig+0x10/0x18
kernel:
kernel:
        Code: 2442ffff  ac8202d8  000217fe &lt;00020336&gt; dc820128  10400003
               00000000  0040f809  00000000
kernel: ---[ end trace 080fbb4579b47a73 ]---

Fixed by taking the mutex in blktrans_open and blktrans_release.

Note that this locking is already suggested in
include/linux/mtd/blktrans.h:

struct mtd_blktrans_ops {
...
	/* Called with mtd_table_mutex held; no race with add/remove */
	int (*open)(struct mtd_blktrans_dev *dev);
	void (*release)(struct mtd_blktrans_dev *dev);
...
};

But we weren't following it.

Originally reported by (and patched by) Zhang and Giuseppe,
independently. Improved and rewritten.

Reported-by: Zhang Xingcai &lt;zhangxingcai@huawei.com&gt;
Reported-by: Giuseppe Cantavenera &lt;giuseppe.cantavenera.ext@nokia.com&gt;
Tested-by: Giuseppe Cantavenera &lt;giuseppe.cantavenera.ext@nokia.com&gt;
Acked-by: Alexander Sverdlin &lt;alexander.sverdlin@nokia.com&gt;
Signed-off-by: Brian Norris &lt;computersforpeace@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>UBI: block: Add missing cache flushes</title>
<updated>2015-06-06T15:21:09+00:00</updated>
<author>
<name>Kevin Cernekee</name>
<email>cernekee@chromium.org</email>
</author>
<published>2015-04-22T12:30:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=eb20e69ac83a1e4d764a49bf671e1e2e5dc4c15c'/>
<id>eb20e69ac83a1e4d764a49bf671e1e2e5dc4c15c</id>
<content type='text'>
commit 98fb1ffd8154890d7051750e61ff5548c3ee2ab2 upstream.

Block drivers are responsible for calling flush_dcache_page() on each
BIO request. This operation keeps the I$ coherent with the D$ on
architectures that don't have hardware coherency support. Without this
flush, random crashes are seen when executing user programs from an ext4
filesystem backed by a ubiblock device.

This patch is based on the change implemented in commit 2d4dc890b5c8
("block: add helpers to run flush_dcache_page() against a bio and a
request's pages").

Fixes: 9d54c8a33eec ("UBI: R/O block driver on top of UBI volumes")
Signed-off-by: Kevin Cernekee &lt;cernekee@chromium.org&gt;
Signed-off-by: Ezequiel Garcia &lt;ezequiel.garcia@imgtec.com&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 98fb1ffd8154890d7051750e61ff5548c3ee2ab2 upstream.

Block drivers are responsible for calling flush_dcache_page() on each
BIO request. This operation keeps the I$ coherent with the D$ on
architectures that don't have hardware coherency support. Without this
flush, random crashes are seen when executing user programs from an ext4
filesystem backed by a ubiblock device.

This patch is based on the change implemented in commit 2d4dc890b5c8
("block: add helpers to run flush_dcache_page() against a bio and a
request's pages").

Fixes: 9d54c8a33eec ("UBI: R/O block driver on top of UBI volumes")
Signed-off-by: Kevin Cernekee &lt;cernekee@chromium.org&gt;
Signed-off-by: Ezequiel Garcia &lt;ezequiel.garcia@imgtec.com&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>UBI: fix check for "too many bytes"</title>
<updated>2015-05-06T20:03:53+00:00</updated>
<author>
<name>Brian Norris</name>
<email>computersforpeace@gmail.com</email>
</author>
<published>2015-02-28T10:23:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=075831830ff0277572a93633cce3807394955358'/>
<id>075831830ff0277572a93633cce3807394955358</id>
<content type='text'>
commit 299d0c5b27346a77a0777c993372bf8777d4f2e5 upstream.

The comparison from the previous line seems to have been erroneously
(partially) copied-and-pasted onto the next. The second line should be
checking req.bytes, not req.lnum.

Coverity CID #139400

Signed-off-by: Brian Norris &lt;computersforpeace@gmail.com&gt;
[rw: Fixed comparison]
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 299d0c5b27346a77a0777c993372bf8777d4f2e5 upstream.

The comparison from the previous line seems to have been erroneously
(partially) copied-and-pasted onto the next. The second line should be
checking req.bytes, not req.lnum.

Coverity CID #139400

Signed-off-by: Brian Norris &lt;computersforpeace@gmail.com&gt;
[rw: Fixed comparison]
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>UBI: initialize LEB number variable</title>
<updated>2015-05-06T20:03:52+00:00</updated>
<author>
<name>Brian Norris</name>
<email>computersforpeace@gmail.com</email>
</author>
<published>2015-02-28T10:23:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5a156e848f96a0f0024ef94a3e19979f8f7e9dbc'/>
<id>5a156e848f96a0f0024ef94a3e19979f8f7e9dbc</id>
<content type='text'>
commit f16db8071ce18819fbd705ddcc91c6f392fb61f8 upstream.

In some of the 'out_not_moved' error paths, lnum may be used
uninitialized. Don't ignore the warning; let's fix it.

This uninitialized variable doesn't have much visible effect in the end,
since we just schedule the PEB for erasure, and its LEB number doesn't
really matter (it just gets printed in debug messages). But let's get it
straight anyway.

Coverity CID #113449

Signed-off-by: Brian Norris &lt;computersforpeace@gmail.com&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit f16db8071ce18819fbd705ddcc91c6f392fb61f8 upstream.

In some of the 'out_not_moved' error paths, lnum may be used
uninitialized. Don't ignore the warning; let's fix it.

This uninitialized variable doesn't have much visible effect in the end,
since we just schedule the PEB for erasure, and its LEB number doesn't
really matter (it just gets printed in debug messages). But let's get it
straight anyway.

Coverity CID #113449

Signed-off-by: Brian Norris &lt;computersforpeace@gmail.com&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>UBI: fix out of bounds write</title>
<updated>2015-05-06T20:03:52+00:00</updated>
<author>
<name>Brian Norris</name>
<email>computersforpeace@gmail.com</email>
</author>
<published>2015-02-28T10:23:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=921b47c10b2b18b3562152aa0eacc1b2e56c6996'/>
<id>921b47c10b2b18b3562152aa0eacc1b2e56c6996</id>
<content type='text'>
commit d74adbdb9abf0d2506a6c4afa534d894f28b763f upstream.

If aeb-&gt;len &gt;= vol-&gt;reserved_pebs, we should not be writing aeb into the
PEB-&gt;LEB mapping.

Caught by Coverity, CID #711212.

Signed-off-by: Brian Norris &lt;computersforpeace@gmail.com&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit d74adbdb9abf0d2506a6c4afa534d894f28b763f upstream.

If aeb-&gt;len &gt;= vol-&gt;reserved_pebs, we should not be writing aeb into the
PEB-&gt;LEB mapping.

Caught by Coverity, CID #711212.

Signed-off-by: Brian Norris &lt;computersforpeace@gmail.com&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>UBI: account for bitflips in both the VID header and data</title>
<updated>2015-05-06T20:03:52+00:00</updated>
<author>
<name>Brian Norris</name>
<email>computersforpeace@gmail.com</email>
</author>
<published>2015-02-28T10:23:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=67e9563f2e494959696ff3128cf9d5fb1b3dbad7'/>
<id>67e9563f2e494959696ff3128cf9d5fb1b3dbad7</id>
<content type='text'>
commit 8eef7d70f7c6772c3490f410ee2bceab3b543fa1 upstream.

We are completely discarding the earlier value of 'bitflips', which
could reflect a bitflip found in ubi_io_read_vid_hdr(). Let's use the
bitwise OR of header and data 'bitflip' statuses instead.

Coverity CID #1226856

Signed-off-by: Brian Norris &lt;computersforpeace@gmail.com&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 8eef7d70f7c6772c3490f410ee2bceab3b543fa1 upstream.

We are completely discarding the earlier value of 'bitflips', which
could reflect a bitflip found in ubi_io_read_vid_hdr(). Let's use the
bitwise OR of header and data 'bitflip' statuses instead.

Coverity CID #1226856

Signed-off-by: Brian Norris &lt;computersforpeace@gmail.com&gt;
Signed-off-by: Richard Weinberger &lt;richard@nod.at&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'upstream-4.0-rc5' of git://git.infradead.org/linux-ubifs</title>
<updated>2015-03-21T17:36:44+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2015-03-21T17:36:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c6ef814509fedb4ab4b5dc5bdca309d4e7181597'/>
<id>c6ef814509fedb4ab4b5dc5bdca309d4e7181597</id>
<content type='text'>
Pull UBI fix from Artem Bityutskiy:
 "This fixes a bug introduced during the v4.0 merge window where we
  forgot to put braces where they should be"

* tag 'upstream-4.0-rc5' of git://git.infradead.org/linux-ubifs:
  UBI: fix missing brace control flow
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Pull UBI fix from Artem Bityutskiy:
 "This fixes a bug introduced during the v4.0 merge window where we
  forgot to put braces where they should be"

* tag 'upstream-4.0-rc5' of git://git.infradead.org/linux-ubifs:
  UBI: fix missing brace control flow
</pre>
</div>
</content>
</entry>
<entry>
<title>mtd: nand: MTD_NAND_HISI504 should depend on HAS_DMA</title>
<updated>2015-03-03T06:55:56+00:00</updated>
<author>
<name>Geert Uytterhoeven</name>
<email>geert@linux-m68k.org</email>
</author>
<published>2015-03-01T09:35:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5e0899db69e27abfdc1c6223ca74f479acdedaa6'/>
<id>5e0899db69e27abfdc1c6223ca74f479acdedaa6</id>
<content type='text'>
If NO_DMA=y:

    drivers/built-in.o: In function `hisi_nfc_probe':
    hisi504_nand.c:(.text+0x23e646): undefined reference to `dmam_alloc_coherent'

Signed-off-by: Geert Uytterhoeven &lt;geert@linux-m68k.org&gt;
Signed-off-by: Brian Norris &lt;computersforpeace@gmail.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If NO_DMA=y:

    drivers/built-in.o: In function `hisi_nfc_probe':
    hisi504_nand.c:(.text+0x23e646): undefined reference to `dmam_alloc_coherent'

Signed-off-by: Geert Uytterhoeven &lt;geert@linux-m68k.org&gt;
Signed-off-by: Brian Norris &lt;computersforpeace@gmail.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>mtd: pxa3xx_nand: fix driver when num_cs is 0</title>
<updated>2015-02-28T09:22:07+00:00</updated>
<author>
<name>Robert Jarzmik</name>
<email>robert.jarzmik@free.fr</email>
</author>
<published>2015-02-08T20:02:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e423c90a6520d704cd885d742b499dfd6b0f6277'/>
<id>e423c90a6520d704cd885d742b499dfd6b0f6277</id>
<content type='text'>
As the devicetree binding doesn't require num_cs to exist or be strictly
positive, and neither does the platform data case, a bug appear when
num_cs is set to 0 and panics the kernel.

The issue is that in alloc_nand_resource(), chip is dereferenced without
having a value assigned when num_cs == 0.

Fix this by returning ENODEV is num_cs == 0.

The panic seen is :
Unable to handle kernel NULL pointer dereference at virtual address 000002b8
pgd = c0004000
[000002b8] *pgd=00000000
Internal error: Oops: 5 [#1] PREEMPT ARM
Modules linked in:
Hardware name: Marvell PXA3xx (Device Tree Support)
task: c3822aa0 ti: c3826000 task.ti: c3826000
PC is at alloc_nand_resource+0x180/0x4a8
LR is at alloc_nand_resource+0xa0/0x4a8
pc : [&lt;c0275b90&gt;]    lr : [&lt;c0275ab0&gt;]    psr: 68000013
sp : c3827d90  ip : 00000000  fp : 00000000
r10: c3862200  r9 : 0000005e  r8 : 00000000
r7 : c3865610  r6 : c3862210  r5 : c3924210  r4 : c3862200
r3 : 00000000  r2 : 00000000  r1 : 00000000  r0 : 00000000
Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
Control: 0000397f  Table: 80004018  DAC: 00000035
Process swapper (pid: 1, stack limit = 0xc3826198)
Stack: (0xc3827d90 to 0xc3828000)
...zip...
[&lt;c0275b90&gt;] (alloc_nand_resource) from [&lt;c0275ff8&gt;] (pxa3xx_nand_probe+0x140/0x978)
[&lt;c0275ff8&gt;] (pxa3xx_nand_probe) from [&lt;c0258c40&gt;] (platform_drv_probe+0x48/0xa4)
[&lt;c0258c40&gt;] (platform_drv_probe) from [&lt;c0257650&gt;] (driver_probe_device+0x80/0x21c)
[&lt;c0257650&gt;] (driver_probe_device) from [&lt;c0257878&gt;] (__driver_attach+0x8c/0x90)
[&lt;c0257878&gt;] (__driver_attach) from [&lt;c0255ec4&gt;] (bus_for_each_dev+0x58/0x88)
[&lt;c0255ec4&gt;] (bus_for_each_dev) from [&lt;c0256ec8&gt;] (bus_add_driver+0xd8/0x1d4)
[&lt;c0256ec8&gt;] (bus_add_driver) from [&lt;c0257f14&gt;] (driver_register+0x78/0xf4)
[&lt;c0257f14&gt;] (driver_register) from [&lt;c00088a8&gt;] (do_one_initcall+0x80/0x1e4)
[&lt;c00088a8&gt;] (do_one_initcall) from [&lt;c048ed08&gt;] (kernel_init_freeable+0xec/0x1b4)
[&lt;c048ed08&gt;] (kernel_init_freeable) from [&lt;c0377d8c&gt;] (kernel_init+0x8/0xe4)
[&lt;c0377d8c&gt;] (kernel_init) from [&lt;c00095f8&gt;] (ret_from_fork+0x14/0x3c)
Code: e503b234 e5953008 e1530001 caffffd1 (e59002b8)
---[ end trace a5770060c8441895 ]---

Signed-off-by: Robert Jarzmik &lt;robert.jarzmik@free.fr&gt;
Acked-by: Ezequiel Garcia &lt;ezequiel.garcia@free-electrons.com&gt;
Signed-off-by: Brian Norris &lt;computersforpeace@gmail.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
As the devicetree binding doesn't require num_cs to exist or be strictly
positive, and neither does the platform data case, a bug appear when
num_cs is set to 0 and panics the kernel.

The issue is that in alloc_nand_resource(), chip is dereferenced without
having a value assigned when num_cs == 0.

Fix this by returning ENODEV is num_cs == 0.

The panic seen is :
Unable to handle kernel NULL pointer dereference at virtual address 000002b8
pgd = c0004000
[000002b8] *pgd=00000000
Internal error: Oops: 5 [#1] PREEMPT ARM
Modules linked in:
Hardware name: Marvell PXA3xx (Device Tree Support)
task: c3822aa0 ti: c3826000 task.ti: c3826000
PC is at alloc_nand_resource+0x180/0x4a8
LR is at alloc_nand_resource+0xa0/0x4a8
pc : [&lt;c0275b90&gt;]    lr : [&lt;c0275ab0&gt;]    psr: 68000013
sp : c3827d90  ip : 00000000  fp : 00000000
r10: c3862200  r9 : 0000005e  r8 : 00000000
r7 : c3865610  r6 : c3862210  r5 : c3924210  r4 : c3862200
r3 : 00000000  r2 : 00000000  r1 : 00000000  r0 : 00000000
Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
Control: 0000397f  Table: 80004018  DAC: 00000035
Process swapper (pid: 1, stack limit = 0xc3826198)
Stack: (0xc3827d90 to 0xc3828000)
...zip...
[&lt;c0275b90&gt;] (alloc_nand_resource) from [&lt;c0275ff8&gt;] (pxa3xx_nand_probe+0x140/0x978)
[&lt;c0275ff8&gt;] (pxa3xx_nand_probe) from [&lt;c0258c40&gt;] (platform_drv_probe+0x48/0xa4)
[&lt;c0258c40&gt;] (platform_drv_probe) from [&lt;c0257650&gt;] (driver_probe_device+0x80/0x21c)
[&lt;c0257650&gt;] (driver_probe_device) from [&lt;c0257878&gt;] (__driver_attach+0x8c/0x90)
[&lt;c0257878&gt;] (__driver_attach) from [&lt;c0255ec4&gt;] (bus_for_each_dev+0x58/0x88)
[&lt;c0255ec4&gt;] (bus_for_each_dev) from [&lt;c0256ec8&gt;] (bus_add_driver+0xd8/0x1d4)
[&lt;c0256ec8&gt;] (bus_add_driver) from [&lt;c0257f14&gt;] (driver_register+0x78/0xf4)
[&lt;c0257f14&gt;] (driver_register) from [&lt;c00088a8&gt;] (do_one_initcall+0x80/0x1e4)
[&lt;c00088a8&gt;] (do_one_initcall) from [&lt;c048ed08&gt;] (kernel_init_freeable+0xec/0x1b4)
[&lt;c048ed08&gt;] (kernel_init_freeable) from [&lt;c0377d8c&gt;] (kernel_init+0x8/0xe4)
[&lt;c0377d8c&gt;] (kernel_init) from [&lt;c00095f8&gt;] (ret_from_fork+0x14/0x3c)
Code: e503b234 e5953008 e1530001 caffffd1 (e59002b8)
---[ end trace a5770060c8441895 ]---

Signed-off-by: Robert Jarzmik &lt;robert.jarzmik@free.fr&gt;
Acked-by: Ezequiel Garcia &lt;ezequiel.garcia@free-electrons.com&gt;
Signed-off-by: Brian Norris &lt;computersforpeace@gmail.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
