| From foo@baz Mon Apr 9 17:09:24 CEST 2018 |
| From: Masahiro Yamada <yamada.masahiro@socionext.com> |
| Date: Thu, 25 May 2017 13:50:20 +0900 |
| Subject: mtd: nand: check ecc->total sanity in nand_scan_tail |
| |
| From: Masahiro Yamada <yamada.masahiro@socionext.com> |
| |
| |
| [ Upstream commit 79e0348c4e24fd1affdcf055e0269755580e0fcc ] |
| |
| Drivers are supposed to set correct ecc->{size,strength,bytes} before |
| calling nand_scan_tail(), but it does not complain about ecc->total |
| bigger than oobsize. |
| |
| In this case, chip->scan_bbt() crashes due to memory corruption, but |
| it is hard to debug. It would be kind to fail it earlier with a clear |
| message. |
| |
| Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com> |
| Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com> |
| Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/mtd/nand/nand_base.c | 5 +++++ |
| 1 file changed, 5 insertions(+) |
| |
| --- a/drivers/mtd/nand/nand_base.c |
| +++ b/drivers/mtd/nand/nand_base.c |
| @@ -4785,6 +4785,11 @@ int nand_scan_tail(struct mtd_info *mtd) |
| goto err_free; |
| } |
| ecc->total = ecc->steps * ecc->bytes; |
| + if (ecc->total > mtd->oobsize) { |
| + WARN(1, "Total number of ECC bytes exceeded oobsize\n"); |
| + ret = -EINVAL; |
| + goto err_free; |
| + } |
| |
| /* |
| * The number of bytes available for a client to place data into |