From b67c5f87c13f398ec3f4d6b455cb0bbeda8d7ac0 Mon Sep 17 00:00:00 2001 From: Zev Weiss Date: Mon, 1 Sep 2008 05:02:12 -0700 Subject: [MTD] mtdchar.c: Fix regression in MEMGETREGIONINFO ioctl() The MEMGETREGIONINFO ioctl() in mtdchar.c was clobbering user memory by overwriting more than intended, due the size of struct mtd_erase_region_info changing in commit 0ecbc81adfcb9f15f86b05ff576b342ce81bbef8 ('Support for auto locking flash on power up'). Fix avoids this by copying struct members one by one with put_user(), as there is no longer a convenient struct to use the size of as the length argument to copy_to_user(). Signed-off-by: Zev Weiss Signed-off-by: David Woodhouse --- drivers/mtd/mtdchar.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) (limited to 'drivers/mtd') diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c index d2f331876e4..e00d424e657 100644 --- a/drivers/mtd/mtdchar.c +++ b/drivers/mtd/mtdchar.c @@ -410,16 +410,20 @@ static int mtd_ioctl(struct inode *inode, struct file *file, case MEMGETREGIONINFO: { - struct region_info_user ur; + uint32_t ur_idx; + struct mtd_erase_region_info *kr; + struct region_info_user *ur = (struct region_info_user *) argp; - if (copy_from_user(&ur, argp, sizeof(struct region_info_user))) + if (get_user(ur_idx, &(ur->regionindex))) return -EFAULT; - if (ur.regionindex >= mtd->numeraseregions) - return -EINVAL; - if (copy_to_user(argp, &(mtd->eraseregions[ur.regionindex]), - sizeof(struct mtd_erase_region_info))) + kr = &(mtd->eraseregions[ur_idx]); + + if (put_user(kr->offset, &(ur->offset)) + || put_user(kr->erasesize, &(ur->erasesize)) + || put_user(kr->numblocks, &(ur->numblocks))) return -EFAULT; + break; } -- cgit v1.2.3 From 076c7f4c6c55c37975c8e04ae6827267794d5d2e Mon Sep 17 00:00:00 2001 
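Review bot: The new MEMGETREGIONINFO branch indexes `mtd->eraseregions[ur_idx]` with a value read straight from user space, and the old `regionindex >= mtd->numeraseregions` check is removed with nothing replacing it. An index past the end of the table makes `kr` point outside the array, so the three `put_user()` calls would copy whatever kernel memory lies there back to the caller, or fault on an unmapped address. Restore the check before `kr` is computed: `if (ur_idx >= mtd->numeraseregions) return -EINVAL;`. The enclosing `mtd_ioctl()` starts and ends outside the hunk, so whether another path validates the index cannot be seen from here.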
From: Dmitry Baryshkov Date: Thu, 4 Sep 2008 13:28:33 +0400 Subject: [MTD] [NAND] tmio_nand: fix base address programming Fix offset of second word used for programming base address of memory window. Also program tmio with offset of the FCR, not with physical memory location. Signed-off-by: Dmitry Baryshkov Cc: Ian Molton Signed-off-by: David Woodhouse --- drivers/mtd/nand/tmio_nand.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'drivers/mtd') diff --git a/drivers/mtd/nand/tmio_nand.c b/drivers/mtd/nand/tmio_nand.c index cbab654b03c..edb1e322113 100644 --- a/drivers/mtd/nand/tmio_nand.c +++ b/drivers/mtd/nand/tmio_nand.c @@ -109,7 +109,7 @@ struct tmio_nand { void __iomem *ccr; void __iomem *fcr; - unsigned long fcr_phys; + unsigned long fcr_base; unsigned int irq; @@ -316,8 +316,8 @@ static int tmio_hw_init(struct platform_device *dev, struct tmio_nand *tmio) tmio_iowrite8(0x81, tmio->ccr + CCR_ICC); /* (10h)BaseAddress 0x1000 spba.spba2 */ - tmio_iowrite16(tmio->fcr_phys, tmio->ccr + CCR_BASE); - tmio_iowrite16(tmio->fcr_phys >> 16, tmio->ccr + CCR_BASE + 16); + tmio_iowrite16(tmio->fcr_base, tmio->ccr + CCR_BASE); + tmio_iowrite16(tmio->fcr_base >> 16, tmio->ccr + CCR_BASE + 2); /* (04h)Command Register I/O spcmd */ tmio_iowrite8(0x02, tmio->ccr + CCR_COMMAND); @@ -395,7 +395,7 @@ static int tmio_probe(struct platform_device *dev) goto err_iomap_ccr; } - tmio->fcr_phys = (unsigned long)fcr->start; + tmio->fcr_base = fcr->start & 0xfffff; tmio->fcr = ioremap(fcr->start, fcr->end - fcr->start + 1); if (!tmio->fcr) { retval = -EIO; -- cgit v1.2.3
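Review bot: The mask in `tmio->fcr_base = fcr->start & 0xfffff;` in tmio_probe() is a bare magic number, and nothing in the hunk says why 20 bits is the right width. Masking gives the FCR offset only if the chip's memory window is aligned to that size, which is not visible here and should be confirmed against the platform resources. I would add a comment above the assignment such as `/* CCR_BASE takes the FCR offset within the chip window, not the CPU physical address */` and give the mask a named constant. The same assumption feeds the two `tmio_iowrite16()` calls in tmio_hw_init(). tmio_probe() continues outside the hunk.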