From: DongCV <cv-dong@jinso.co.jp>
To: broonie@kernel.org, geert+renesas@glider.be, linux-spi@vger.kernel.org
Cc: kuninori.morimoto.gx@renesas.com,
yoshihiro.shimoda.uh@renesas.com, ryusuke.sakato.bx@renesas.com,
linux-renesas-soc@vger.kernel.org, nv-dung@jinso.co.jp,
h-inayoshi@jinso.co.jp, cm-hiep@jinso.co.jp
Subject: [PATCH 1/2] spi: rspi: Fixes bogus received byte in qspi_transfer_in()
Date: Wed, 15 Feb 2017 19:50:51 +0900 [thread overview]
Message-ID: <1487155852-12102-2-git-send-email-cv-dong@jinso.co.jp> (raw)
In-Reply-To: <1487155852-12102-1-git-send-email-cv-dong@jinso.co.jp>
In qspi_transfer_in(), when receiving the last n (or len) bytes of data,
one bogus byte was written in the receive buffer.
This code leads to a buffer overflow.
"jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found
at 0x03b40000: 0x1900 instead
jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found
at 0x03b40004: 0x000c instead"
The error message above happens when trying to mount, unmount,
and remount a jffs2-formatted device.
This patch removed the bogus write to fixes: 3be09bec42a800d4
"spi: rspi: supports 32bytes buffer for DUAL and QUAD"
And here is Geert's comment:
"spi: rspi: Fix bogus received byte in qspi_transfer_in()
When there are less than QSPI_BUFFER_SIZE remaining bytes to be received,
qspi_transfer_in() writes one bogus byte in the receive buffer, possibly
leading to a buffer overflow.
This can be reproduced by mounting, unmounting, and remounting a
jffs2-formatted device, causing lots of warnings like:
"jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found
at 0x03b40000: 0x1900 instead"
Remove the bogus write to fix this. "
Signed-off-by: DongCV <cv-dong@jinso.co.jp>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
---
drivers/spi/spi-rspi.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/spi/spi-rspi.c b/drivers/spi/spi-rspi.c
index 9daf500..2ee1301 100644
--- a/drivers/spi/spi-rspi.c
+++ b/drivers/spi/spi-rspi.c
@@ -848,7 +848,6 @@ static int qspi_transfer_in(struct rspi_data *rspi, struct spi_transfer *xfer)
ret = rspi_pio_transfer(rspi, NULL, rx, n);
if (ret < 0)
return ret;
- *rx++ = ret;
}
n -= len;
}
--
1.9.1
WARNING: multiple messages have this Message-ID (diff)
From: DongCV <cv-dong-HEF513clHfp3+QwDJ9on6Q@public.gmane.org>
To: broonie-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org,
geert+renesas-gXvu3+zWzMSzQB+pC5nmwQ@public.gmane.org,
linux-spi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Cc: kuninori.morimoto.gx-zM6kxYcvzFBBDgjK7y7TUQ@public.gmane.org,
yoshihiro.shimoda.uh-zM6kxYcvzFBBDgjK7y7TUQ@public.gmane.org,
ryusuke.sakato.bx-zM6kxYcvzFBBDgjK7y7TUQ@public.gmane.org,
linux-renesas-soc-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
nv-dung-HEF513clHfp3+QwDJ9on6Q@public.gmane.org,
h-inayoshi-HEF513clHfp3+QwDJ9on6Q@public.gmane.org,
cm-hiep-HEF513clHfp3+QwDJ9on6Q@public.gmane.org
Subject: [PATCH 1/2] spi: rspi: Fixes bogus received byte in qspi_transfer_in()
Date: Wed, 15 Feb 2017 19:50:51 +0900 [thread overview]
Message-ID: <1487155852-12102-2-git-send-email-cv-dong@jinso.co.jp> (raw)
In-Reply-To: <1487155852-12102-1-git-send-email-cv-dong-HEF513clHfp3+QwDJ9on6Q@public.gmane.org>
In qspi_transfer_in(), when receiving the last n (or len) bytes of data,
one bogus byte was written in the receive buffer.
This code leads to a buffer overflow.
"jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found
at 0x03b40000: 0x1900 instead
jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found
at 0x03b40004: 0x000c instead"
The error message above happens when trying to mount, unmount,
and remount a jffs2-formatted device.
This patch removed the bogus write to fixes: 3be09bec42a800d4
"spi: rspi: supports 32bytes buffer for DUAL and QUAD"
And here is Geert's comment:
"spi: rspi: Fix bogus received byte in qspi_transfer_in()
When there are less than QSPI_BUFFER_SIZE remaining bytes to be received,
qspi_transfer_in() writes one bogus byte in the receive buffer, possibly
leading to a buffer overflow.
This can be reproduced by mounting, unmounting, and remounting a
jffs2-formatted device, causing lots of warnings like:
"jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found
at 0x03b40000: 0x1900 instead"
Remove the bogus write to fix this. "
Signed-off-by: DongCV <cv-dong-HEF513clHfp3+QwDJ9on6Q@public.gmane.org>
Reviewed-by: Geert Uytterhoeven <geert+renesas-gXvu3+zWzMSzQB+pC5nmwQ@public.gmane.org>
---
drivers/spi/spi-rspi.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/spi/spi-rspi.c b/drivers/spi/spi-rspi.c
index 9daf500..2ee1301 100644
--- a/drivers/spi/spi-rspi.c
+++ b/drivers/spi/spi-rspi.c
@@ -848,7 +848,6 @@ static int qspi_transfer_in(struct rspi_data *rspi, struct spi_transfer *xfer)
ret = rspi_pio_transfer(rspi, NULL, rx, n);
if (ret < 0)
return ret;
- *rx++ = ret;
}
n -= len;
}
--
1.9.1
--
To unsubscribe from this list: send the line "unsubscribe linux-spi" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-02-15 10:51 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-15 10:50 [PATCH 0/2 v4] spi: rspi: Fixes bogus received byte and replaces "n" by "len" DongCV
2017-02-15 10:50 ` DongCV
2017-02-15 10:50 ` DongCV [this message]
2017-02-15 10:50 ` [PATCH 1/2] spi: rspi: Fixes bogus received byte in qspi_transfer_in() DongCV
2017-02-15 12:17 ` Sergei Shtylyov
2017-02-15 10:50 ` [PATCH 2/2] spi: rspi: Replaces "n" by "len" in qspi_transfer_*() DongCV
2017-02-15 10:50 ` DongCV
2017-02-15 12:17 ` Geert Uytterhoeven
2017-02-16 19:05 ` Applied "spi: rspi: Replaces "n" by "len" in qspi_transfer_*()" to the spi tree Mark Brown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1487155852-12102-2-git-send-email-cv-dong@jinso.co.jp \
--to=cv-dong@jinso.co.jp \
--cc=broonie@kernel.org \
--cc=cm-hiep@jinso.co.jp \
--cc=geert+renesas@glider.be \
--cc=h-inayoshi@jinso.co.jp \
--cc=kuninori.morimoto.gx@renesas.com \
--cc=linux-renesas-soc@vger.kernel.org \
--cc=linux-spi@vger.kernel.org \
--cc=nv-dung@jinso.co.jp \
--cc=ryusuke.sakato.bx@renesas.com \
--cc=yoshihiro.shimoda.uh@renesas.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.