linux-stable.git/drivers/mtd, branch v3.16.78 Linux kernel stable tree mtd: cfi: fix deadloop in cfi_cmdset_0002.c do_write_buffer 2019-08-13T11:39:01+00:00 Liu Jian liujian56@huawei.com 2019-03-03T07:04:18+00:00 f4ee4821f98966482707acca74e5f3a1cf034437 commit d9b8a67b3b95a5c5aae6422b8113adc1c2485f2b upstream. In function do_write_buffer(), in the for loop, there is a case chip_ready() returns 1 while chip_good() returns 0, so it never break the loop. To fix this, chip_good() is enough and it should timeout if it stay bad for a while. Fixes: dfeae1073583("mtd: cfi_cmdset_0002: Change write buffer to check correct value") Signed-off-by: Yi Huaijie <yihuaijie@huawei.com> Signed-off-by: Liu Jian <liujian56@huawei.com> Reviewed-by: Tokunori Ikegami <ikegami_to@yahoo.co.jp> Signed-off-by: Richard Weinberger <richard@nod.at> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 
commit d9b8a67b3b95a5c5aae6422b8113adc1c2485f2b upstream.

In function do_write_buffer(), in the for loop, there is a case
chip_ready() returns 1 while chip_good() returns 0, so it never
break the loop.
To fix this, chip_good() is enough and it should timeout if it stay
bad for a while.

Fixes: dfeae1073583("mtd: cfi_cmdset_0002: Change write buffer to check correct value")
Signed-off-by: Yi Huaijie <yihuaijie@huawei.com>
Signed-off-by: Liu Jian <liujian56@huawei.com>
Reviewed-by: Tokunori Ikegami <ikegami_to@yahoo.co.jp>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
mtd: docg3: Fix passing zero to 'PTR_ERR' warning in doc_probe_device 2019-07-09T21:03:51+00:00 YueHaibing yuehaibing@huawei.com 2019-01-23T06:58:27+00:00 692c4f1cae57b407d67ba921f332be610d81bb60 commit 32937a82f36c7bbe08db4052de94bc7ade4e3c51 upstream. Fix a static code checker warning: drivers/mtd/devices/docg3.c:1875 doc_probe_device() warn: passing zero to 'ERR_PTR' Fixes: ae9d4934b2d7 ("mtd: docg3: add multiple floor support") Signed-off-by: YueHaibing <yuehaibing@huawei.com> Acked-by: Robert Jarzmik <robert.jarzmik@free.fr> Signed-off-by: Boris Brezillon <bbrezillon@kernel.org> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 
commit 32937a82f36c7bbe08db4052de94bc7ade4e3c51 upstream.

Fix a static code checker warning:
drivers/mtd/devices/docg3.c:1875
 doc_probe_device() warn: passing zero to 'ERR_PTR'

Fixes: ae9d4934b2d7 ("mtd: docg3: add multiple floor support")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Acked-by: Robert Jarzmik <robert.jarzmik@free.fr>
Signed-off-by: Boris Brezillon <bbrezillon@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
mtd: docg3: Fix kasprintf() usage 2019-07-09T21:03:51+00:00 Richard Weinberger richard@nod.at 2015-06-01T21:10:53+00:00 2b651dccb59faeff3ed6c2f767b0c72161712b1a commit 0eb8618bd07533f423fed47399a0d6387bfe7cac upstream. kasprintf() does a dynamic memory allocation and can fail. We have to handle that case. Signed-off-by: Richard Weinberger <richard@nod.at> Signed-off-by: Brian Norris <computersforpeace@gmail.com> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 
commit 0eb8618bd07533f423fed47399a0d6387bfe7cac upstream.

kasprintf() does a dynamic memory allocation and can fail.
We have to handle that case.

Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
mtd: docg3: Don't leak docg3->bbt in error path 2019-07-09T21:03:50+00:00 Richard Weinberger richard@nod.at 2015-06-01T21:10:52+00:00 877ea54ae7258dc6ed431d88f8c836e5391df02f commit 45c2ebd702a468d5037cf16aa4f8ea8d67776f6a upstream. Signed-off-by: Richard Weinberger <richard@nod.at> Signed-off-by: Brian Norris <computersforpeace@gmail.com> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 
commit 45c2ebd702a468d5037cf16aa4f8ea8d67776f6a upstream.

Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
mtd: rawnand: gpmi: fix MX28 bus master lockup problem 2019-05-02T20:41:40+00:00 Martin Kepplinger martin.kepplinger@ginzinger.com 2019-02-05T15:52:51+00:00 346d2dfe192155723f6ad08724d9443177fe755f commit d5d27fd9826b59979b184ec288e4812abac0e988 upstream. Disable BCH soft reset according to MX23 erratum #2847 ("BCH soft reset may cause bus master lock up") for MX28 too. It has the same problem. Observed problem: once per 100,000+ MX28 reboots NAND read failed on DMA timeout errors: [ 1.770823] UBI: attaching mtd3 to ubi0 [ 2.768088] gpmi_nand: DMA timeout, last DMA :1 [ 3.958087] gpmi_nand: BCH timeout, last DMA :1 [ 4.156033] gpmi_nand: Error in ECC-based read: -110 [ 4.161136] UBI warning: ubi_io_read: error -110 while reading 64 bytes from PEB 0:0, read only 0 bytes, retry [ 4.171283] step 1 error [ 4.173846] gpmi_nand: Chip: 0, Error -1 Without BCH soft reset we successfully executed 1,000,000 MX28 reboots. I have a quote from NXP regarding this problem, from July 18th 2016: "As the i.MX23 and i.MX28 are of the same generation, they share many characteristics. Unfortunately, also the erratas may be shared. In case of the documented erratas and the workarounds, you can also apply the workaround solution of one device on the other one. This have been reported, but I’m afraid that there are not an estimated date for updating the Errata documents. Please accept our apologies for any inconveniences this may cause." Fixes: 6f2a6a52560a ("mtd: nand: gpmi: reset BCH earlier, too, to avoid NAND startup problems") Signed-off-by: Manfred Schlaegl <manfred.schlaegl@ginzinger.com> Signed-off-by: Martin Kepplinger <martin.kepplinger@ginzinger.com> Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com> Reviewed-by: Fabio Estevam <festevam@gmail.com> Acked-by: Han Xu <han.xu@nxp.com> Signed-off-by: Boris Brezillon <bbrezillon@kernel.org> [bwh: Backported to 3.16: adjust filename] Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 
commit d5d27fd9826b59979b184ec288e4812abac0e988 upstream.

Disable BCH soft reset according to MX23 erratum #2847 ("BCH soft
reset may cause bus master lock up") for MX28 too. It has the same
problem.

Observed problem: once per 100,000+ MX28 reboots NAND read failed on
DMA timeout errors:
[    1.770823] UBI: attaching mtd3 to ubi0
[    2.768088] gpmi_nand: DMA timeout, last DMA :1
[    3.958087] gpmi_nand: BCH timeout, last DMA :1
[    4.156033] gpmi_nand: Error in ECC-based read: -110
[    4.161136] UBI warning: ubi_io_read: error -110 while reading 64
bytes from PEB 0:0, read only 0 bytes, retry
[    4.171283] step 1 error
[    4.173846] gpmi_nand: Chip: 0, Error -1

Without BCH soft reset we successfully executed 1,000,000 MX28 reboots.

I have a quote from NXP regarding this problem, from July 18th 2016:

"As the i.MX23 and i.MX28 are of the same generation, they share many
characteristics. Unfortunately, also the erratas may be shared.
In case of the documented erratas and the workarounds, you can also
apply the workaround solution of one device on the other one. This have
been reported, but I’m afraid that there are not an estimated date for
updating the Errata documents.
Please accept our apologies for any inconveniences this may cause."

Fixes: 6f2a6a52560a ("mtd: nand: gpmi: reset BCH earlier, too, to avoid NAND startup problems")
Signed-off-by: Manfred Schlaegl <manfred.schlaegl@ginzinger.com>
Signed-off-by: Martin Kepplinger <martin.kepplinger@ginzinger.com>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Reviewed-by: Fabio Estevam <festevam@gmail.com>
Acked-by: Han Xu <han.xu@nxp.com>
Signed-off-by: Boris Brezillon <bbrezillon@kernel.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
mtd: docg3: don't set conflicting BCH_CONST_PARAMS option 2019-02-11T17:53:48+00:00 Arnd Bergmann arnd@arndb.de 2018-10-11T11:06:16+00:00 c595f953a957df6e2cb6da7f0728b4602239d0f8 commit be2e1c9dcf76886a83fb1c433a316e26d4ca2550 upstream. I noticed during the creation of another bugfix that the BCH_CONST_PARAMS option that is set by DOCG3 breaks setting variable parameters for any other users of the BCH library code. The only other user we have today is the MTD_NAND software BCH implementation (most flash controllers use hardware BCH these days and are not affected). I considered removing BCH_CONST_PARAMS entirely because of the inherent conflict, but according to the description in lib/bch.c there is a significant performance benefit in keeping it. To avoid the immediate problem of the conflict between MTD_NAND_BCH and DOCG3, this only sets the constant parameters if MTD_NAND_BCH is disabled, which should fix the problem for all cases that are affected. This should also work for all stable kernels. Note that there is only one machine that actually seems to use the DOCG3 driver (arch/arm/mach-pxa/mioa701.c), so most users should have the driver disabled, but it almost certainly shows up if we wanted to test random kernels on machines that use software BCH in MTD. Fixes: d13d19ece39f ("mtd: docg3: add ECC correction code") Cc: Robert Jarzmik <robert.jarzmik@free.fr> Signed-off-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 
commit be2e1c9dcf76886a83fb1c433a316e26d4ca2550 upstream.

I noticed during the creation of another bugfix that the BCH_CONST_PARAMS
option that is set by DOCG3 breaks setting variable parameters for any
other users of the BCH library code.

The only other user we have today is the MTD_NAND software BCH
implementation (most flash controllers use hardware BCH these days
and are not affected). I considered removing BCH_CONST_PARAMS entirely
because of the inherent conflict, but according to the description in
lib/bch.c there is a significant performance benefit in keeping it.

To avoid the immediate problem of the conflict between MTD_NAND_BCH
and DOCG3, this only sets the constant parameters if MTD_NAND_BCH
is disabled, which should fix the problem for all cases that
are affected. This should also work for all stable kernels.

Note that there is only one machine that actually seems to use the
DOCG3 driver (arch/arm/mach-pxa/mioa701.c), so most users should have
the driver disabled, but it almost certainly shows up if we wanted
to test random kernels on machines that use software BCH in MTD.

Fixes: d13d19ece39f ("mtd: docg3: add ECC correction code")
Cc: Robert Jarzmik <robert.jarzmik@free.fr>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
mtd: spi-nor: fsl-quadspi: Don't let -EINVAL on the bus 2019-02-11T17:53:29+00:00 Ahmad Fatoum a.fatoum@pengutronix.de 2018-09-21T09:32:53+00:00 e1f74817ac5ca5d1a68b0d42dda71f179b1c9506 commit 000412276370a9bcfec73b3752ceefd9a927f1db upstream. fsl_qspi_get_seqid() may return -EINVAL, but fsl_qspi_init_ahb_read() doesn't check for error codes with the result that -EINVAL could find itself signalled over the bus. In conjunction with the LS1046A SoC's A-009283 errata ("Illegal accesses to SPI flash memory can result in a system hang") this illegal access to SPI flash memory results in a system hang if userspace attempts reading later on. Avoid this by always checking fsl_qspi_get_seqid()'s return value and bail out otherwise. Fixes: e46ecda764dc ("mtd: spi-nor: Add Freescale QuadSPI driver") Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de> Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com> [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 
commit 000412276370a9bcfec73b3752ceefd9a927f1db upstream.

fsl_qspi_get_seqid() may return -EINVAL, but fsl_qspi_init_ahb_read()
doesn't check for error codes with the result that -EINVAL could find
itself signalled over the bus.

In conjunction with the LS1046A SoC's A-009283 errata
("Illegal accesses to SPI flash memory can result in a system hang")
this illegal access to SPI flash memory results in a system hang
if userspace attempts reading later on.

Avoid this by always checking fsl_qspi_get_seqid()'s return value
and bail out otherwise.

Fixes: e46ecda764dc ("mtd: spi-nor: Add Freescale QuadSPI driver")
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
mtd: spi-nor: fsl-quadspi: fix api naming typo _init_ahb_read 2019-02-11T17:53:29+00:00 Yogesh Gaur yogeshnarayan.gaur@nxp.com 2018-01-02T10:39:12+00:00 293d59dd2e4a7d0a50bd1b94b855d913c7235d3a commit dd50a1c4e56d6d2ea753f87a35b1f1e09cb877d7 upstream. Fix api naming typo _init_ahb_read fsl_qspi_init_abh_read --> fsl_qspi_init_ahb_read Signed-off-by: Yogesh Gaur <yogeshnarayan.gaur@nxp.com> Acked-by: Han Xu <han.xu@nxp.com> Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 
commit dd50a1c4e56d6d2ea753f87a35b1f1e09cb877d7 upstream.

Fix api naming typo _init_ahb_read
fsl_qspi_init_abh_read --> fsl_qspi_init_ahb_read

Signed-off-by: Yogesh Gaur <yogeshnarayan.gaur@nxp.com>
Acked-by: Han Xu <han.xu@nxp.com>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
mtd: fsl-quadspi: fix macro collision problems with READ/WRITE 2018-12-16T22:09:43+00:00 Han Xu b45815@freescale.com 2015-10-23T18:18:28+00:00 7e6fc0b317c4cbd504434395edd7a99bd69e440e commit 04850c4d8613127a9b488321c0ad83bff7519311 upstream. Change the READ/WRITE to FSL_READ/FSL_WRITE to resolve any possible namespace collisions with READ/WRITE macros (e.g., from <linux/fs.h>). Problems have been seen, for example, on mips: >> drivers/mtd/spi-nor/fsl-quadspi.c:186:5: error: 'LUT_0' undeclared (first use in this function) ((LUT_##ins) << INSTR0_SHIFT)) ^ >> drivers/mtd/spi-nor/fsl-quadspi.c:188:30: note: in expansion of macro 'LUT0' On SPARC: drivers/mtd/spi-nor/fsl-quadspi.c: In function 'fsl_qspi_init_lut': drivers/mtd/spi-nor/fsl-quadspi.c:369:1: error: 'LUT_0' undeclared (first use in this function) drivers/mtd/spi-nor/fsl-quadspi.c:418:1: error: pasting "LUT_" and "(" does not give a valid preprocessing token drivers/mtd/spi-nor/fsl-quadspi.c:418:2: error: implicit declaration of function 'LUT_' And surely on others. Fixes: d26a22d06708 ("mtd: fsl-quadspi: allow building for other ARCHes with COMPILE_TEST") Reported-by: Guenter Roeck <linux@roeck-us.net> Reported-by: kbuild test robot <fengguang.wu@intel.com> Signed-off-by: Han Xu <b45815@freescale.com> [Brian: rewrote commit description] Signed-off-by: Brian Norris <computersforpeace@gmail.com> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 
commit 04850c4d8613127a9b488321c0ad83bff7519311 upstream.

Change the READ/WRITE to FSL_READ/FSL_WRITE to resolve any possible
namespace collisions with READ/WRITE macros (e.g., from <linux/fs.h>).

Problems have been seen, for example, on mips:

>> drivers/mtd/spi-nor/fsl-quadspi.c:186:5: error: 'LUT_0' undeclared (first use in this function)
      ((LUT_##ins) << INSTR0_SHIFT))
        ^
>> drivers/mtd/spi-nor/fsl-quadspi.c:188:30: note: in expansion of macro 'LUT0'

On SPARC:

drivers/mtd/spi-nor/fsl-quadspi.c: In function 'fsl_qspi_init_lut':
drivers/mtd/spi-nor/fsl-quadspi.c:369:1: error: 'LUT_0' undeclared (first use in this function)
drivers/mtd/spi-nor/fsl-quadspi.c:418:1: error: pasting "LUT_" and "(" does not give a valid preprocessing token
drivers/mtd/spi-nor/fsl-quadspi.c:418:2: error: implicit declaration of function 'LUT_'

And surely on others.

Fixes: d26a22d06708 ("mtd: fsl-quadspi: allow building for other ARCHes with COMPILE_TEST")
Reported-by: Guenter Roeck <linux@roeck-us.net>
Reported-by: kbuild test robot <fengguang.wu@intel.com>
Signed-off-by: Han Xu <b45815@freescale.com>
[Brian: rewrote commit description]
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
mtdchar: fix overflows in adjustment of `count` 2018-12-16T22:08:16+00:00 Jann Horn jannh@google.com 2018-07-07T03:37:22+00:00 1dead6b0b9c9f368aab74d042bd76646e3c8abc2 commit 6c6bc9ea84d0008024606bf5ba10519e20d851bf upstream. The first checks in mtdchar_read() and mtdchar_write() attempt to limit `count` such that `*ppos + count <= mtd->size`. However, they ignore the possibility of `*ppos > mtd->size`, allowing the calculation of `count` to wrap around. `mtdchar_lseek()` prevents seeking beyond mtd->size, but the pread/pwrite syscalls bypass this. I haven't found any codepath on which this actually causes dangerous behavior, but it seems like a sensible change anyway. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Jann Horn <jannh@google.com> Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 
commit 6c6bc9ea84d0008024606bf5ba10519e20d851bf upstream.

The first checks in mtdchar_read() and mtdchar_write() attempt to limit
`count` such that `*ppos + count <= mtd->size`. However, they ignore the
possibility of `*ppos > mtd->size`, allowing the calculation of `count` to
wrap around. `mtdchar_lseek()` prevents seeking beyond mtd->size, but the
pread/pwrite syscalls bypass this.

I haven't found any codepath on which this actually causes dangerous
behavior, but it seems like a sensible change anyway.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>