From patchwork Thu Sep 30 02:48:25 2010 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: pwrite() to nand in raw mode fails with EINVAL Date: Wed, 29 Sep 2010 16:48:25 -0000 From: David Woodhouse X-Patchwork-Id: 66108 Message-Id: <1285814905.31224.4.camel@macbook.infradead.org> To: mbizon@freebox.fr Cc: "linux-mtd@lists.infradead.org" , Maxim Levitsky On Tue, 2010-09-28 at 20:47 +0200, Maxime Bizon wrote: > Since commit 782ce79a45b3b850b108896fcf7da26754061c8f ("cleanup the > nand_do_write_ops"), a pwrite() to a NAND device fails with EINVAL. > > The EINVAL comes from here: > > /* Don't allow multipage oob writes with offset */ > if (ops->ooboffs && (ops->ooboffs + ops->ooblen > oobmaxlen)) > return -EINVAL; > > > ops->ooboffs seems uninitialized. > > > I think the following memset() are missing: Alternatively, perhaps the sanity check should treat the ->oob{offs,len} fields as undefined if ->oobbuf is NULL (which is set explicitly in the two functions you patched). Otherwise, we've effectively changed the API and we need to make more of an effort to audit *all* users. diff --git a/drivers/mtd/nand/nand_base.c b/drivers/mtd/nand/nand_base.c index d551ddd..5d0dc74 100644 --- a/drivers/mtd/nand/nand_base.c +++ b/drivers/mtd/nand/nand_base.c @@ -2200,7 +2200,8 @@ static int nand_do_write_ops(struct mtd_info *mtd, loff_t to, memset(chip->oob_poi, 0xff, mtd->oobsize); /* Don't allow multipage oob writes with offset */ - if (ops->ooboffs && (ops->ooboffs + ops->ooblen > oobmaxlen)) + if (ops->oobbuf && ops->ooboffs && + (ops->ooboffs + ops->ooblen > oobmaxlen)) return -EINVAL; while(1) {
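Review bot: the comment above the check in nand_do_write_ops() still reads only "Don't allow multipage oob writes with offset", while the condition now also depends on `ops->oobbuf` being non-NULL. That contract is undocumented: ooboffs and ooblen are treated as undefined when oobbuf is NULL. Extend the comment to say the oob fields are only examined when an oob buffer is supplied, so callers doing data-only writes know they need not initialize them. Also confirm that the rest of the function, outside the lines shown in this hunk, does not read `ops->ooboffs` or `ops->ooblen` without the same `ops->oobbuf` guard. Otherwise the uninitialized values that triggered the EINVAL can still be consumed elsewhere.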