If of_get_property() sets nsels to a negative value, the driver may allocate insufficient memory for the chip. Moreover, there may be an underflow for devm_kzalloc(). This can result in various bad consequences later. The patch causes mtk_nfc_nand_chip_init() to fail for negative values of nsels.
Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Evgeny Novikov <novi...@ispras.ru> --- drivers/mtd/nand/raw/mtk_nand.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/mtd/nand/raw/mtk_nand.c b/drivers/mtd/nand/raw/mtk_nand.c index ad1b55dab211..df98a2eec240 100644 --- a/drivers/mtd/nand/raw/mtk_nand.c +++ b/drivers/mtd/nand/raw/mtk_nand.c @@ -1376,7 +1376,7 @@ static int mtk_nfc_nand_chip_init(struct device *dev, struct mtk_nfc *nfc, return -ENODEV; nsels /= sizeof(u32); - if (!nsels || nsels > MTK_NAND_MAX_NSELS) { + if (nsels <= 0 || nsels > MTK_NAND_MAX_NSELS) { dev_err(dev, "invalid reg property size %d\n", nsels); return -EINVAL; } -- 2.26.2
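Review bot: the new `nsels <= 0` test sits after `nsels /= sizeof(u32);`, so it checks a value that has already been through unsigned arithmetic rather than the length that was read. sizeof(u32) has type size_t, so a negative nsels (it is printed with %d, so a signed int) is converted to an unsigned type for the division and the quotient is converted back to int; whether that comes out negative or as a very large positive number depends on the width of size_t. The patched condition should reject both outcomes, the first through `nsels <= 0` and the second through `nsels > MTK_NAND_MAX_NSELS` provided that limit is small, but it would be easier to reason about if a non-positive length were rejected before the division. The commit message could also say which case makes of_get_property() leave a negative length, since the hunk does not show the call. Minor: the dev_err() text says "reg property size" but prints the element count after division; printing the raw byte length or rewording the message would make the log line match what it reports.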