From: Claire Lin <claire.lin@xxxxxxxxxxxx> commit 7f852cc1579297fd763789f8cd370639d0c654b6 upstream. In brcmstb_nand_verify_erased_page(), the ECC chunk pointer calculation while correcting erased page bitflips is wrong, fix it. Fixes: 02b88eea9f9c ("mtd: brcmnand: Add check for erased page bitflips") Signed-off-by: Claire Lin <claire.lin@xxxxxxxxxxxx> Reviewed-by: Ray Jui <ray.jui@xxxxxxxxxxxx> Signed-off-by: Kamal Dasu <kdasu.kdev@xxxxxxxxx> Signed-off-by: Miquel Raynal <miquel.raynal@xxxxxxxxxxx> Signed-off-by: Yuta Hayama <hayama@xxxxxxxxxxx> --- After applying e44b9a9c1357 ("mtd: nand: brcmnand: Zero bitflip is not an error"), the return value 0 of brcmstb_nand_verify_erased_page() is *correctly* interpreted as "no bit flips, no errors". However, that function still has the issue that it may incorrectly return 0 for a page that contains bitflips. Without this patch, the data buffer of the erased page could be passed to a upper layer (e.g. UBIFS) without bitflips being detected and corrected. In active stable, 4.14.y and 4.19.y seem to have a same issue. drivers/mtd/nand/brcmnand/brcmnand.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/mtd/nand/brcmnand/brcmnand.c b/drivers/mtd/nand/brcmnand/brcmnand.c index fa66663df6e8..267bbba09afb 100644 --- a/drivers/mtd/nand/brcmnand/brcmnand.c +++ b/drivers/mtd/nand/brcmnand/brcmnand.c @@ -1753,6 +1753,7 @@ static int brcmstb_nand_verify_erased_page(struct mtd_info *mtd, int bitflips = 0; int page = addr >> chip->page_shift; int ret; + void *ecc_chunk; if (!buf) { buf = chip->buffers->databuf; @@ -1769,7 +1770,9 @@ static int brcmstb_nand_verify_erased_page(struct mtd_info *mtd, return ret; for (i = 0; i < chip->ecc.steps; i++, oob += sas) { - ret = nand_check_erased_ecc_chunk(buf, chip->ecc.size, + ecc_chunk = buf + chip->ecc.size * i; + ret = nand_check_erased_ecc_chunk(ecc_chunk, + chip->ecc.size, oob, sas, NULL, 0, chip->ecc.strength); if (ret < 0) -- 2.25.1