From 7638c27a6b20926e502741bebd77d12ab5d4dc0c Mon Sep 17 00:00:00 2001
From: "xianjun.liu"
Date: Mon, 28 Oct 2019 16:05:39 +0800
Subject: [PATCH] MTD: slc-nand: fix boot system failed due to pointer out-bounds operating [1/1]
PD#SWPL-15894
Problem: The audio 113D platform + TC58NVG2S0HTA00 boot system failed due to pointer out-bounds operating
Solution: reduce oobavail value to avoid pointer access overbounds
Verify: AXG-S400
Change-Id: I737d16b937b39b0b03c9248e6688c1158face3b5
Signed-off-by: xianjun.liu
---
 drivers/amlogic/mtd/aml_nand.c | 40 +++++-----------------------------
 1 file changed, 6 insertions(+), 34 deletions(-)
diff --git a/drivers/amlogic/mtd/aml_nand.c b/drivers/amlogic/mtd/aml_nand.c
index b7fcac346f04..e86893a44f0a 100644
--- a/drivers/amlogic/mtd/aml_nand.c
+++ b/drivers/amlogic/mtd/aml_nand.c
@@ -91,42 +91,14 @@ static int aml_ooblayout_ecc(struct mtd_info *mtd, int section,
 static int aml_ooblayout_free(struct mtd_info *mtd, int section,
 struct mtd_oob_region *oobregion)
 {
- struct aml_nand_chip *aml_chip = mtd_to_nand_chip(mtd);
- struct aml_nand_platform *plat = aml_chip->platform;
+ struct nand_chip *chip = mtd_to_nand(mtd);
+ struct nand_ecc_ctrl *ecc = &chip->ecc;
- if (section)
+ if (section < 0 || section > ecc->steps)
 return -ERANGE;
- if (!strncmp((char *)plat->name,
- NAND_BOOT_NAME, strlen((const char *)NAND_BOOT_NAME))) {
- oobregion->length = 8;
- oobregion->offset = 0;
- }
- switch (aml_chip->oob_size) {
- case 64:
- case 128:
- case 218:
- case 224:
- oobregion->length = 8;
- oobregion->offset = 0;
- break;
- case 256:
- case 376:
- case 436:
- case 448:
- case 640:
- case 744:
- oobregion->length = 16;
- oobregion->offset = 0;
- break;
- case 1280:
- case 1664:
- oobregion->length = 32;
- oobregion->offset = 0;
- break;
- default:
- break;
- }
+ oobregion->length = 2;
+ oobregion->offset = 2 * section;
 return 0;
 }
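Review bot: The new bound in aml_ooblayout_free, `if (section < 0 || section > ecc->steps)`, still accepts `section == ecc->steps`, so the layout reports one more 2-byte free region than there are ECC steps, at offset `2 * ecc->steps`. Because this commit exists to stop an out-of-bounds access sized from the free-OOB layout, any code that walks or sums the free regions until -ERANGE would presumably overcount by two bytes and reach past the last per-step region. The check should read `if (section < 0 || section >= ecc->steps)`. A short comment above the two assignments saying that each ECC step contributes two user bytes would also record why `length` is 2 and `offset` is `2 * section`.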
@@ -2042,7 +2014,7 @@ int aml_nand_init(struct aml_nand_chip *aml_chip)
 mtd_set_ooblayout(mtd, &aml_ooblayout_ops);
 mtd_ooblayout_free(mtd, 0, &oobregion);
- mtd->oobavail = oobregion.length;
+ chip->options = 0;
 chip->options |= NAND_SKIP_BBTSCAN;
 chip->options |= NAND_NO_SUBPAGE_WRITE;
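Review bot: With `mtd->oobavail = oobregion.length;` removed, the `mtd_ooblayout_free(mtd, 0, &oobregion);` call kept just above it has no visible consumer, and its return value is ignored. aml_nand_init continues outside this hunk, so if `oobregion` is not read later the call and the local should be dropped; if it is read, the return value should be checked before the region is used. Nothing in the hunk shows where `mtd->oobavail` is set after this change, so a comment here naming the code that now computes it would help the next reader confirm the value really is smaller, as the commit message intends.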