From: DongCV <cv-dong@jinso.co.jp> To: broonie@kernel.org, geert+renesas@glider.be, linux-spi@vger.kernel.org Cc: kuninori.morimoto.gx@renesas.com, yoshihiro.shimoda.uh@renesas.com, ryusuke.sakato.bx@renesas.com, linux-renesas-soc@vger.kernel.org, nv-dung@jinso.co.jp, h-inayoshi@jinso.co.jp, cm-hiep@jinso.co.jp Subject: [PATCH 1/2] spi: rspi: Fixes bogus received byte in qspi_transfer_in() Date: Wed, 15 Feb 2017 19:50:51 +0900 [thread overview] Message-ID: <1487155852-12102-2-git-send-email-cv-dong@jinso.co.jp> (raw) In-Reply-To: <1487155852-12102-1-git-send-email-cv-dong@jinso.co.jp> In qspi_transfer_in(), when receiving the last n (or len) bytes of data, one bogus byte was written in the receive buffer. This code leads to a buffer overflow. "jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x03b40000: 0x1900 instead jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x03b40004: 0x000c instead" The error message above happens when trying to mount, unmount, and remount a jffs2-formatted device. This patch removed the bogus write to fixes: 3be09bec42a800d4 "spi: rspi: supports 32bytes buffer for DUAL and QUAD" And here is Geert's comment: "spi: rspi: Fix bogus received byte in qspi_transfer_in() When there are less than QSPI_BUFFER_SIZE remaining bytes to be received, qspi_transfer_in() writes one bogus byte in the receive buffer, possibly leading to a buffer overflow. This can be reproduced by mounting, unmounting, and remounting a jffs2-formatted device, causing lots of warnings like: "jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x03b40000: 0x1900 instead" Remove the bogus write to fix this. " Signed-off-by: DongCV <cv-dong@jinso.co.jp> Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be> --- drivers/spi/spi-rspi.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/spi/spi-rspi.c b/drivers/spi/spi-rspi.c index 9daf500..2ee1301 100644 --- a/drivers/spi/spi-rspi.c +++ b/drivers/spi/spi-rspi.c @@ -848,7 +848,6 @@ static int qspi_transfer_in(struct rspi_data *rspi, struct spi_transfer *xfer) ret = rspi_pio_transfer(rspi, NULL, rx, n); if (ret < 0) return ret; - *rx++ = ret; } n -= len; } -- 1.9.1
WARNING: multiple messages have this Message-ID (diff)
From: DongCV <cv-dong-HEF513clHfp3+QwDJ9on6Q@public.gmane.org> To: broonie-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org, geert+renesas-gXvu3+zWzMSzQB+pC5nmwQ@public.gmane.org, linux-spi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org Cc: kuninori.morimoto.gx-zM6kxYcvzFBBDgjK7y7TUQ@public.gmane.org, yoshihiro.shimoda.uh-zM6kxYcvzFBBDgjK7y7TUQ@public.gmane.org, ryusuke.sakato.bx-zM6kxYcvzFBBDgjK7y7TUQ@public.gmane.org, linux-renesas-soc-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, nv-dung-HEF513clHfp3+QwDJ9on6Q@public.gmane.org, h-inayoshi-HEF513clHfp3+QwDJ9on6Q@public.gmane.org, cm-hiep-HEF513clHfp3+QwDJ9on6Q@public.gmane.org Subject: [PATCH 1/2] spi: rspi: Fixes bogus received byte in qspi_transfer_in() Date: Wed, 15 Feb 2017 19:50:51 +0900 [thread overview] Message-ID: <1487155852-12102-2-git-send-email-cv-dong@jinso.co.jp> (raw) In-Reply-To: <1487155852-12102-1-git-send-email-cv-dong-HEF513clHfp3+QwDJ9on6Q@public.gmane.org> In qspi_transfer_in(), when receiving the last n (or len) bytes of data, one bogus byte was written in the receive buffer. This code leads to a buffer overflow. "jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x03b40000: 0x1900 instead jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x03b40004: 0x000c instead" The error message above happens when trying to mount, unmount, and remount a jffs2-formatted device. This patch removed the bogus write to fixes: 3be09bec42a800d4 "spi: rspi: supports 32bytes buffer for DUAL and QUAD" And here is Geert's comment: "spi: rspi: Fix bogus received byte in qspi_transfer_in() When there are less than QSPI_BUFFER_SIZE remaining bytes to be received, qspi_transfer_in() writes one bogus byte in the receive buffer, possibly leading to a buffer overflow. This can be reproduced by mounting, unmounting, and remounting a jffs2-formatted device, causing lots of warnings like: "jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x03b40000: 0x1900 instead" Remove the bogus write to fix this. " Signed-off-by: DongCV <cv-dong-HEF513clHfp3+QwDJ9on6Q@public.gmane.org> Reviewed-by: Geert Uytterhoeven <geert+renesas-gXvu3+zWzMSzQB+pC5nmwQ@public.gmane.org> --- drivers/spi/spi-rspi.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/spi/spi-rspi.c b/drivers/spi/spi-rspi.c index 9daf500..2ee1301 100644 --- a/drivers/spi/spi-rspi.c +++ b/drivers/spi/spi-rspi.c @@ -848,7 +848,6 @@ static int qspi_transfer_in(struct rspi_data *rspi, struct spi_transfer *xfer) ret = rspi_pio_transfer(rspi, NULL, rx, n); if (ret < 0) return ret; - *rx++ = ret; } n -= len; } -- 1.9.1 -- To unsubscribe from this list: send the line "unsubscribe linux-spi" in the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-02-15 10:51 UTC|newest] Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top 2017-02-15 10:50 [PATCH 0/2 v4] spi: rspi: Fixes bogus received byte and replaces "n" by "len" DongCV 2017-02-15 10:50 ` DongCV 2017-02-15 10:50 ` DongCV [this message] 2017-02-15 10:50 ` [PATCH 1/2] spi: rspi: Fixes bogus received byte in qspi_transfer_in() DongCV 2017-02-15 12:17 ` Sergei Shtylyov 2017-02-15 10:50 ` [PATCH 2/2] spi: rspi: Replaces "n" by "len" in qspi_transfer_*() DongCV 2017-02-15 10:50 ` DongCV 2017-02-15 12:17 ` Geert Uytterhoeven 2017-02-16 19:05 ` Applied "spi: rspi: Replaces "n" by "len" in qspi_transfer_*()" to the spi tree Mark Brown
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=1487155852-12102-2-git-send-email-cv-dong@jinso.co.jp \ --to=cv-dong@jinso.co.jp \ --cc=broonie@kernel.org \ --cc=cm-hiep@jinso.co.jp \ --cc=geert+renesas@glider.be \ --cc=h-inayoshi@jinso.co.jp \ --cc=kuninori.morimoto.gx@renesas.com \ --cc=linux-renesas-soc@vger.kernel.org \ --cc=linux-spi@vger.kernel.org \ --cc=nv-dung@jinso.co.jp \ --cc=ryusuke.sakato.bx@renesas.com \ --cc=yoshihiro.shimoda.uh@renesas.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.