On Fri, 2018-04-06 at 15:23 +0200, Greg Kroah-Hartman wrote:
> 4.4-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Linus Walleij <linus.walleij@xxxxxxxxxx>
>
> commit 87a73eb5b56fd6e07c8e499fe8608ef2d8912b82 upstream.
[...]
> --- a/drivers/mtd/chips/jedec_probe.c
> +++ b/drivers/mtd/chips/jedec_probe.c
> @@ -1889,6 +1889,8 @@ static inline u32 jedec_read_mfr(struct
> do {
> uint32_t ofs = cfi_build_cmd_addr(0 + (bank << 8), map, cfi);
> mask = (1 << (cfi->device_type * 8)) - 1;
> + if (ofs >= map->size)
> + return 0;
> result = map_read(map, base + ofs);
> bank++;
> } while ((result.x[0] & mask) == CFI_MFR_CONTINUATION);

Looking at the calling code several levels up, in genprobe_ident_chips():

    max_chips = map->size >> cfi.chipshift;
[...]
    for (i = 1; i < max_chips; i++) {
        cp->probe_chip(map, i << cfi.chipshift, chip_map, &cfi);
    }

The expression i << cfi.chipshift becomes the base parameter here, so we
have base < map->size. That implies to me that map->size is the size of
the complete mapping, and we need to compare it with the complete
address.

So shouldn't the test be ofs >= (map->size - base)? Or even
ofs >= (1 << cfi->chipshift)?

Ben.

-- 
Ben Hutchings
Software Developer, Codethink Ltd.
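Review bot: the guard added in the jedec_read_mfr() hunk, `if (ofs >= map->size) return 0;`, bounds only the chip-relative offset, but the access it sits in front of is `map_read(map, base + ofs)`; for any non-zero base (the caller passes `i << cfi.chipshift`, so base runs up to just below map->size) an ofs that passes the check can still leave `base + ofs` at or beyond the end of the mapping. The check should cover the address actually read, e.g. `if (base + ofs >= map->size) return 0;` or equivalently `if (ofs >= map->size - base)`, so that the guard protects the read that follows it rather than a different address.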
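To make the bounds argument in the reply concrete, here is an added example (not kernel code and not part of the patch or the thread) that models the probe loop with constructed numbers. It assumes a `struct map_model` stand-in with only `size` and `chipshift`, models each bank's command offset as `bank << 8` (dropping the interleave scaling cfi_build_cmd_addr() performs), and counts, for the guard in the hunk and for the two alternatives Ben suggests, how many (base, ofs) pairs the guard lets through even though base + ofs lies past the end of the mapping.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed stand-in for the few fields the probe path uses.  This is
 * not the kernel's struct map_info / struct cfi_private; only the mapping
 * size and the chip shift matter for the bounds question.
 */
struct map_model {
    unsigned long size;   /* size of the complete mapping, in bytes */
    int chipshift;        /* log2 of one chip's size, as in cfi.chipshift */
};

typedef bool (*guard_fn)(const struct map_model *, unsigned long, uint32_t);

/* Guard as written in the hunk: looks at the chip-relative offset only. */
static bool hunk_guard_allows(const struct map_model *map,
                              unsigned long base, uint32_t ofs)
{
    (void)base;                        /* the hunk never consults base */
    return ofs < map->size;
}

/* Guard from the reply: bound ofs by the space left after base. */
static bool remaining_guard_allows(const struct map_model *map,
                                   unsigned long base, uint32_t ofs)
{
    return ofs < map->size - base;
}

/* Alternative from the reply: ofs must stay inside one chip. */
static bool chipsize_guard_allows(const struct map_model *map,
                                  unsigned long base, uint32_t ofs)
{
    (void)base;
    return ofs < (1UL << map->chipshift);
}

/* The property any guard here must enforce: base + ofs is inside the mapping. */
static bool read_is_in_bounds(const struct map_model *map,
                              unsigned long base, uint32_t ofs)
{
    return base + ofs < map->size;
}

/*
 * Walk every base genprobe_ident_chips() would hand to probe_chip
 * (i << chipshift for i = 1 .. max_chips - 1) and every bank offset the
 * jedec_read_mfr() loop could form (modelled as bank << 8).  Return how
 * many (base, ofs) pairs the guard admits although base + ofs is past the
 * end of the mapping.
 */
static unsigned long count_escaping_reads(const struct map_model *map,
                                          unsigned int banks, guard_fn guard)
{
    unsigned long max_chips = map->size >> map->chipshift;
    unsigned long escaped = 0;

    for (unsigned long i = 1; i < max_chips; i++) {
        unsigned long base = i << map->chipshift;
        for (unsigned int bank = 0; bank < banks; bank++) {
            uint32_t ofs = (uint32_t)bank << 8;
            if (guard(map, base, ofs) && !read_is_in_bounds(map, base, ofs))
                escaped++;
        }
    }
    return escaped;
}

int main(void)
{
    /* Constructed layout: a 128 KiB mapping holding two 64 KiB chips. */
    struct map_model map = { .size = 0x20000, .chipshift = 16 };
    unsigned int banks = 512;   /* enough banks to walk to the end of the mapping */

    printf("hunk guard      : %lu reads escape the mapping\n",
           count_escaping_reads(&map, banks, hunk_guard_allows));
    printf("size-base guard : %lu reads escape the mapping\n",
           count_escaping_reads(&map, banks, remaining_guard_allows));
    printf("chip-size guard : %lu reads escape the mapping\n",
           count_escaping_reads(&map, banks, chipsize_guard_allows));
    return 0;
}
```

With the constructed layout, the second chip sits at base 0x10000, so every offset from 0x10000 upward passes the hunk's `ofs >= map->size` test yet reads beyond the 0x20000 mapping; both of the reply's alternatives admit none of those reads.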