openwrt/target/linux/ipq806x/patches-4.9/0047-mtd-nand-Create-a-BBT-flag-to-access-bad-block-marke.patch
Stijn Tintel 2d02a4f5bd kernel: update 4.9 to 4.9.44
Refresh patches.
Adapt 704-phy-no-genphy-soft-reset.patch.
Remove brcm2708/950-0005-mm-Remove-the-PFN-busy-warning.patch.
Compile-tested on brcm2708/bcm2708 and x86/64.
Runtime-tested on brcm2708/bcm2708 and x86/64.

Fixes the following vulnerabilities:
- CVE-2017-7533
- CVE-2017-1000111
- CVE-2017-1000112

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-08-17 12:34:34 +02:00


From c7c6a0f50f9ac3620c611ce06ba1f9fafea0444e Mon Sep 17 00:00:00 2001
From: Archit Taneja <architt@codeaurora.org>
Date: Mon, 3 Aug 2015 10:38:14 +0530
Subject: [PATCH 47/69] mtd: nand: Create a BBT flag to access bad block
markers in raw mode

Some controllers can access the factory bad block marker from OOB only
when they read it in raw mode. When ECC is enabled, these controllers
discard reading/writing bad block markers, preventing access to them
altogether.

The bbt driver assumes MTD_OPS_PLACE_OOB when scanning for bad blocks.
This results in the nand driver's ecc->read_oob() op being called, which
works with ECC enabled.

Create a new BBT option flag that tells nand_bbt to force the mode to
MTD_OPS_RAW. This would result in the correct op being called for the
underlying nand controller driver.

Reviewed-by: Andy Gross <agross@codeaurora.org>
Signed-off-by: Archit Taneja <architt@codeaurora.org>
---
drivers/mtd/nand/nand_base.c | 6 +++++-
drivers/mtd/nand/nand_bbt.c | 6 +++++-
include/linux/mtd/bbm.h | 6 ++++++
3 files changed, 16 insertions(+), 2 deletions(-)
--- a/drivers/mtd/nand/nand_base.c
+++ b/drivers/mtd/nand/nand_base.c
@@ -488,7 +488,11 @@ static int nand_default_block_markbad(st
} else {
ops.len = ops.ooblen = 1;
}
- ops.mode = MTD_OPS_PLACE_OOB;
+
+ if (unlikely(chip->bbt_options & NAND_BBT_ACCESS_BBM_RAW))
+ ops.mode = MTD_OPS_RAW;
+ else
+ ops.mode = MTD_OPS_PLACE_OOB;
/* Write to first/last page(s) if necessary */
if (chip->bbt_options & NAND_BBT_SCANLASTPAGE)
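Review bot: the `unlikely()` around the new flag test in nand_default_block_markbad is not warranted. NAND_BBT_ACCESS_BBM_RAW is a per-chip configuration bit, so on a controller that sets it the branch is taken every time and the hint is always wrong, and marking a block bad is not a path where branch hints matter. A plain `if (chip->bbt_options & NAND_BBT_ACCESS_BBM_RAW)` reads better. It would also help to say in a comment that the marker is then written in MTD_OPS_RAW mode, that is, without ECC, since that is the behavioural change a later reader of this function needs to know.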
--- a/drivers/mtd/nand/nand_bbt.c
+++ b/drivers/mtd/nand/nand_bbt.c
@@ -420,7 +420,11 @@ static int scan_block_fast(struct mtd_in
ops.oobbuf = buf;
ops.ooboffs = 0;
ops.datbuf = NULL;
- ops.mode = MTD_OPS_PLACE_OOB;
+
+ if (unlikely(bd->options & NAND_BBT_ACCESS_BBM_RAW))
+ ops.mode = MTD_OPS_RAW;
+ else
+ ops.mode = MTD_OPS_PLACE_OOB;
for (j = 0; j < numpages; j++) {
/*
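Review bot: the flag is tested on `bd->options` here in scan_block_fast, while the nand_base.c hunk tests `chip->bbt_options`. Nothing in this patch shows that the two fields are kept in sync for this bit, so a driver that sets it in only one place would scan markers in one mode and write them in the other. Either test the same field at both sites or state in the commit message and the flag's comment how the bit reaches the descriptor. The `unlikely()` here has the same problem as in nand_base.c and can be dropped.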
--- a/include/linux/mtd/bbm.h
+++ b/include/linux/mtd/bbm.h
@@ -116,6 +116,12 @@ struct nand_bbt_descr {
#define NAND_BBT_NO_OOB_BBM 0x00080000
/*
+ * Force MTD_OPS_RAW mode when trying to access bad block markes from OOB. To
+ * be used by controllers which can access BBM only when ECC is disabled, i.e,
+ * when in RAW access mode
+ */
+#define NAND_BBT_ACCESS_BBM_RAW 0x00100000
+/*
* Flag set by nand_create_default_bbt_descr(), marking that the nand_bbt_descr
* was allocated dynamicaly and must be freed in nand_release(). Has no meaning
* in nand_chip.bbt_options.
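Review bot: the new comment above NAND_BBT_ACCESS_BBM_RAW has a typo in its first line ("markes" should be "markers") and "i.e," should be "i.e.,". It also does not say where the flag is meaningful. The neighbouring comment states explicitly that its flag "Has no meaning in nand_chip.bbt_options", and this one should likewise say whether drivers set it in nand_chip.bbt_options, in nand_bbt_descr.options, or both, since the other two hunks read it from both.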