From 87ed89d21ede38f86be9419ca7c6dd4761764bbb Mon Sep 17 00:00:00 2001 From: Tanya Brokhman Date: Tue, 1 Apr 2014 11:01:12 +0300 Subject: UBI: fix error path in __wl_get_peb In case of an error (if there are not free PEB's for example), __wl_get_peb will return a negative value. In order to prevent access violation we need to test the returned value prior to using it later on. Signed-off-by: Tatyana Brokhman Reviewed-by: Dolev Raviv Acked-by: Richard Weinberger Signed-off-by: Artem Bityutskiy --- drivers/mtd/ubi/wl.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'drivers') diff --git a/drivers/mtd/ubi/wl.c b/drivers/mtd/ubi/wl.c index 02317c1c0238..457ead32105c 100644 --- a/drivers/mtd/ubi/wl.c +++ b/drivers/mtd/ubi/wl.c @@ -684,6 +684,9 @@ int ubi_wl_get_peb(struct ubi_device *ubi) peb = __wl_get_peb(ubi); spin_unlock(&ubi->wl_lock); + if (peb < 0) + return peb; + err = ubi_self_check_all_ff(ubi, peb, ubi->vid_hdr_aloffset, ubi->peb_size - ubi->vid_hdr_aloffset); if (err) { -- cgit v1.2.3 From 3d21bb7667c4b57a15077d60d23385d9a1c01d08 Mon Sep 17 00:00:00 2001 From: Tanya Brokhman Date: Tue, 1 Apr 2014 11:02:07 +0300 Subject: UBI: fix ubi free PEBs count calculation The ubi->free_count should be updated with every insert/remove to/from the ubi->free list. Signed-off-by: Tanya Brokhman Reviewed-by: Dolev Raviv Acked-by: Richard Weinberger Signed-off-by: Artem Bityutskiy --- drivers/mtd/ubi/wl.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'drivers') diff --git a/drivers/mtd/ubi/wl.c b/drivers/mtd/ubi/wl.c index 457ead32105c..0f3425dac910 100644 --- a/drivers/mtd/ubi/wl.c +++ b/drivers/mtd/ubi/wl.c @@ -671,6 +671,8 @@ static struct ubi_wl_entry *get_peb_for_wl(struct ubi_device *ubi) e = find_wl_entry(ubi, &ubi->free, WL_FREE_MAX_DIFF); self_check_in_wl_tree(ubi, e, &ubi->free); + ubi->free_count--; + ubi_assert(ubi->free_count >= 0); rb_erase(&e->u.rb, &ubi->free); return e; @@ -1071,6 +1073,7 @@ static int wear_leveling_worker(struct ubi_device *ubi, struct ubi_work *wrk, /* Give the unused PEB back */ wl_tree_add(e2, &ubi->free); + ubi->free_count++; goto out_cancel; } self_check_in_wl_tree(ubi, e1, &ubi->used); -- cgit v1.2.3 From bebfef150e0b8fa68704cddacf05b8c26462d565 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Mon, 7 Apr 2014 21:44:07 -0700 Subject: UBI: avoid workqueue format string leak When building the name for the workqueue thread, make sure a format string cannot leak in from the disk name. Signed-off-by: Kees Cook Signed-off-by: Artem Bityutskiy --- drivers/mtd/ubi/block.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers') diff --git a/drivers/mtd/ubi/block.c b/drivers/mtd/ubi/block.c index 7ff473c871a9..8d659e6a1b4c 100644 --- a/drivers/mtd/ubi/block.c +++ b/drivers/mtd/ubi/block.c @@ -431,7 +431,7 @@ int ubiblock_create(struct ubi_volume_info *vi) * Create one workqueue per volume (per registered block device). * Rembember workqueues are cheap, they're not threads. */ - dev->wq = alloc_workqueue(gd->disk_name, 0, 0); + dev->wq = alloc_workqueue("%s", 0, 0, gd->disk_name); if (!dev->wq) goto out_free_queue; INIT_WORK(&dev->work, ubiblock_do_work); -- cgit v1.2.3