    mtd: fix oops in dataflash driver · 7a84477c
    Will Newton authored
    I'm seeing an oops in mtd_dataflash.c with Linux 3.3. What appears to
    be happening is that otp_select_filemode calls mtd_read_fact_prot_reg
    with -1 for offset and length and a NULL buffer to test if OTP
    operations are supported. This finds its way down to otp_read in
    mtd_dataflash.c and causes an oops when memcpying the returned data
    into the NULL buf.
    
    None of the checks in otp_read catches the negative length and offset.
    Changing the length of the dummy read to 0 prevents the oops.
    
    Cc: stable@kernel.org [3.3+]
    Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
mtdchar.c 27.2 KB
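
The failure mode the commit message describes, as an added example that is not code from this commit or from mtd_dataflash.c: range checks that test only the upper bound accept a probe with offset -1 and length -1, while checks that also reject negative offsets and a NULL buffer with a non-zero length stop it and still allow a zero-length probe. The function names, the 64-byte region size and the exact form of the checks are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define REGION_SIZE 64 /* assumed size of the protected region, in bytes */

/* Upper-bound-only checks (hypothetical): returns 0 and the length that
 * would be copied, or -1 when the request is rejected. */
static int naive_validate(long long off, size_t len, size_t *out_len)
{
    if (off > REGION_SIZE)          /* -1 passes: only the upper bound is tested */
        return -1;
    /* Unsigned arithmetic: (-1) + SIZE_MAX wraps around but stays > 64. */
    if ((unsigned long long)off + len > REGION_SIZE)
        len = (size_t)(REGION_SIZE - off);   /* 64 - (-1) = 65 */
    *out_len = len;
    return 0;
}

/* Rejects negative offsets, clamps without wraparound, and refuses a NULL
 * buffer unless nothing will be copied. */
static int strict_validate(long long off, size_t len, const void *buf,
                           size_t *out_len)
{
    if (off < 0 || off > REGION_SIZE)
        return -1;
    if (len > (size_t)(REGION_SIZE - off))
        len = (size_t)(REGION_SIZE - off);
    if (len != 0 && buf == NULL)
        return -1;
    *out_len = len;
    return 0;
}

int main(void)
{
    size_t n = 0;
    int rc = naive_validate(-1, (size_t)-1, &n);
    printf("naive  probe(-1,-1,NULL): rc=%d len=%zu\n", rc, n);
    rc = strict_validate(-1, (size_t)-1, NULL, &n);
    printf("strict probe(-1,-1,NULL): rc=%d\n", rc);
    rc = strict_validate(0, 0, NULL, &n);
    printf("strict probe(0,0,NULL):   rc=%d len=%zu\n", rc, n);
    return 0;
}
```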