Commit 7a84477c authored Mar 30, 2012 by Will Newton Committed by David Woodhouse May 07, 2012

mtd: fix oops in dataflash driver



I'm seeing an oops in mtd_dataflash.c with Linux 3.3. What appears to
be happening is that otp_select_filemode calls mtd_read_fact_prot_reg
with -1 for offset and length and a NULL buffer to test if OTP
operations are supported. This finds its way down to otp_read in
mtd_dataflash.c and causes an oops when memcpying the returned data
into the NULL buf.

None of the checks in otp_read catches the negative length and offset.
Changing the length of the dummy read to 0 prevents the oops.

Cc: stable@kernel.org [3.3+]
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

parent 66f75a5d

drivers/mtd/mtdchar.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -376,7 +376,7 @@ static int otp_select_filemode(struct mtd_file_info *mfi, int mode)
		* Make a fake call to mtd_read_fact_prot_reg() to check if OTP
		* operations are supported.
		*/
		if (mtd_read_fact_prot_reg(mtd, -1, -1, &retlen, NULL) == -EOPNOTSUPP)
		if (mtd_read_fact_prot_reg(mtd, -1, 0, &retlen, NULL) == -EOPNOTSUPP)
		return -EOPNOTSUPP;

		switch (mode) {

Admin message