A report from Colin Ian King pointed a CoverityScan issue where error values on these helpers where not checked in the drivers. These helpers could error out only in case of a software bug in driver code, not because of a runtime/hardware error but in any cases it is safer to handle these errors properly. Fix the Marvell NAND controller driver implementation by checking potential negative error values. Fixes: 02f26ecf8c77 ("mtd: nand: add reworked Marvell NAND controller driver") Cc: stable@xxxxxxxxxxxxxxx Signed-off-by: Miquel Raynal <miquel.raynal@xxxxxxxxxxx> --- drivers/mtd/nand/raw/marvell_nand.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/mtd/nand/raw/marvell_nand.c b/drivers/mtd/nand/raw/marvell_nand.c index 07b8a2677c10..1bb0cf6c945f 100644 --- a/drivers/mtd/nand/raw/marvell_nand.c +++ b/drivers/mtd/nand/raw/marvell_nand.c @@ -1554,6 +1554,9 @@ static int marvell_nfc_parse_instructions(struct nand_chip *chip, const u8 *addrs; int len = nand_subop_get_data_len(subop, op_id); + if (len < 0) + return -EINVAL; + instr = &subop->instrs[op_id]; switch (instr->type) { @@ -1573,6 +1576,9 @@ static int marvell_nfc_parse_instructions(struct nand_chip *chip, case NAND_OP_ADDR_INSTR: offset = nand_subop_get_addr_start_off(subop, op_id); naddrs = nand_subop_get_num_addr_cyc(subop, op_id); + if (offset < 0 || naddrs < 0) + return -EINVAL; + addrs = &instr->ctx.addr.addrs[offset]; nfc_op->ndcb[0] |= NDCB0_ADDR_CYC(naddrs); @@ -1638,6 +1644,9 @@ static int marvell_nfc_xfer_data_pio(struct nand_chip *chip, bool reading = (instr->type == NAND_OP_DATA_IN_INSTR); int ret; + if (len < 0 || offset < 0) + return -EINVAL; + if (instr->ctx.data.force_8bit) marvell_nfc_force_byte_access(chip, true); -- 2.14.1