From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Message-Id: <20120518212651.009900734@linuxfoundation.org> Date: Fri, 18 May 2012 14:27:09 -0700 From: Greg KH To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: torvalds@linux-foundation.org, akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk, Artem Bityutskiy , David Woodhouse Subject: [ 20/47] mtd: fix oops in dataflash driver In-Reply-To: <20120518212701.GA5023@kroah.com> Sender: linux-kernel-owner@vger.kernel.org List-ID: 3.3-stable review patch. If anyone has any objections, please let me know. ------------------ From: Will Newton commit 7a84477c4acebf6299b6a8bd6a1d5894eb838ffa upstream. I'm seeing an oops in mtd_dataflash.c with Linux 3.3. What appears to be happening is that otp_select_filemode calls mtd_read_fact_prot_reg with -1 for offset and length and a NULL buffer to test if OTP operations are supported. This finds its way down to otp_read in mtd_dataflash.c and causes an oops when memcpying the returned data into the NULL buf. None of the checks in otp_read catches the negative length and offset. Changing the length of the dummy read to 0 prevents the oops. Signed-off-by: Artem Bityutskiy Signed-off-by: David Woodhouse Signed-off-by: Greg Kroah-Hartman --- drivers/mtd/mtdchar.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/mtd/mtdchar.c +++ b/drivers/mtd/mtdchar.c @@ -369,7 +369,7 @@ static int otp_select_filemode(struct mt * Make a fake call to mtd_read_fact_prot_reg() to check if OTP * operations are supported. */ - if (mtd_read_fact_prot_reg(mtd, -1, -1, &retlen, NULL) == -EOPNOTSUPP) + if (mtd_read_fact_prot_reg(mtd, -1, 0, &retlen, NULL) == -EOPNOTSUPP) return -EOPNOTSUPP; switch (mode) {