Hi Evgeny,
Evgeny Novikov <novi...@ispras.ru> wrote on Wed, 16 Sep 2020 22:40:45
+0300:
> If of_get_property() will set nsels to negative values the driver may
Is this really a possible case?
Looking at the OF code, I don't think it can ever happen...
> allocate insufficient memory for chip. Moreover, there may be underflow
> for devm_kzalloc(). This can result in various bad consequences later.
> The patch causes mtk_nfc_nand_chip_init() to fail for negative values of
> nsels.
>
> Found by Linux Driver Verification project (linuxtesting.org).
>
> Signed-off-by: Evgeny Novikov <novi...@ispras.ru>
> ---
> drivers/mtd/nand/raw/mtk_nand.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/mtd/nand/raw/mtk_nand.c b/drivers/mtd/nand/raw/mtk_nand.c
> index ad1b55dab211..df98a2eec240 100644
> --- a/drivers/mtd/nand/raw/mtk_nand.c
> +++ b/drivers/mtd/nand/raw/mtk_nand.c
> @@ -1376,7 +1376,7 @@ static int mtk_nfc_nand_chip_init(struct device *dev,
> struct mtk_nfc *nfc,
> return -ENODEV;
>
> nsels /= sizeof(u32);
> - if (!nsels || nsels > MTK_NAND_MAX_NSELS) {
> + if (nsels <= 0 || nsels > MTK_NAND_MAX_NSELS) {
> dev_err(dev, "invalid reg property size %d\n", nsels);
> return -EINVAL;
> }
Thanks,
Miquèl
