From patchwork Wed Feb 15 10:50:51 2017
X-Patchwork-Submitter: Cao Van Dong
X-Patchwork-Id: 9573825
X-Patchwork-Delegate: geert@linux-m68k.org
From: DongCV
To: broonie@kernel.org, geert+renesas@glider.be, linux-spi@vger.kernel.org
Cc: kuninori.morimoto.gx@renesas.com, yoshihiro.shimoda.uh@renesas.com, ryusuke.sakato.bx@renesas.com, linux-renesas-soc@vger.kernel.org, nv-dung@jinso.co.jp, h-inayoshi@jinso.co.jp, cm-hiep@jinso.co.jp
Subject: [PATCH 1/2] spi: rspi: Fixes bogus received byte in qspi_transfer_in()
Date: Wed, 15 Feb 2017 19:50:51 +0900
Message-Id: <1487155852-12102-2-git-send-email-cv-dong@jinso.co.jp>
In-Reply-To: <1487155852-12102-1-git-send-email-cv-dong@jinso.co.jp>
References: <1487155852-12102-1-git-send-email-cv-dong@jinso.co.jp>

In qspi_transfer_in(), when receiving the last n (or len) bytes of data,
one bogus byte was written in the receive buffer.
This code leads to a buffer overflow.

"jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x03b40000: 0x1900 instead
jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x03b40004: 0x000c instead"

The error message above happens when trying to mount, unmount,
and remount a jffs2-formatted device.

This patch removed the bogus write to fix:
3be09bec42a800d4 "spi: rspi: supports 32bytes buffer for DUAL and QUAD"

And here is Geert's comment:
"spi: rspi: Fix bogus received byte in qspi_transfer_in()

When there are less than QSPI_BUFFER_SIZE remaining bytes to be
received, qspi_transfer_in() writes one bogus byte in the receive
buffer, possibly leading to a buffer overflow.

This can be reproduced by mounting, unmounting, and remounting a
jffs2-formatted device, causing lots of warnings like:

"jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x03b40000: 0x1900 instead"

Remove the bogus write to fix this.
"
Signed-off-by: DongCV Reviewed-by: Geert Uytterhoeven --- drivers/spi/spi-rspi.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/spi/spi-rspi.c b/drivers/spi/spi-rspi.c index 9daf500..2ee1301 100644 --- a/drivers/spi/spi-rspi.c +++ b/drivers/spi/spi-rspi.c @@ -848,7 +848,6 @@ static int qspi_transfer_in(struct rspi_data *rspi, struct spi_transfer *xfer) ret = rspi_pio_transfer(rspi, NULL, rx, n); if (ret < 0) return ret; - *rx++ = ret; } n -= len; }
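Review bot: In the branch that calls `rspi_pio_transfer(rspi, NULL, rx, n)`, the transfer length is `n` but the loop bookkeeping right after it is `n -= len`, and with `*rx++ = ret;` gone nothing in the visible lines advances `rx` on this path. That is only safe if `len == n` here, so that the loop ends after this pass; otherwise a further pass would write over the bytes just received. Please confirm that invariant, and consider saying so in a short comment above the call. The removal itself looks right: after the `if (ret < 0) return ret;` check, `ret` is a non-negative status rather than received data, and storing it through `rx` puts one extra byte into the receive buffer. Since the message describes a possible buffer overflow and names 3be09bec42a800d4 only in running text, a proper `Fixes:` trailer next to the Signed-off-by line would let the fix be tracked against the commit that introduced the write.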