Commit 2d0eb3f1 authored by Masahiro Yamada's avatar Masahiro Yamada Committed by Greg Kroah-Hartman

mtd: nand: check ecc->total sanity in nand_scan_tail


[ Upstream commit 79e0348c ]

Drivers are supposed to set correct ecc->{size,strength,bytes} before
calling nand_scan_tail(), but it does not complain about ecc->total
bigger than oobsize.

In this case, chip->scan_bbt() crashes due to memory corruption, but
it is hard to debug.  It would be kind to fail it earlier with a clear
message.
Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
Signed-off-by: default avatarBoris Brezillon <boris.brezillon@free-electrons.com>
Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 8bf47820
...@@ -4785,6 +4785,11 @@ int nand_scan_tail(struct mtd_info *mtd) ...@@ -4785,6 +4785,11 @@ int nand_scan_tail(struct mtd_info *mtd)
goto err_free; goto err_free;
} }
ecc->total = ecc->steps * ecc->bytes; ecc->total = ecc->steps * ecc->bytes;
if (ecc->total > mtd->oobsize) {
WARN(1, "Total number of ECC bytes exceeded oobsize\n");
ret = -EINVAL;
goto err_free;
}
/* /*
* The number of bytes available for a client to place data into * The number of bytes available for a client to place data into
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment