Message ID | 20170625182257.20867-1-boris.brezillon@free-electrons.com |
---|---|
State | Accepted |
Commit | b9504247a6eb2bd68e3f620ca1f3fbe7309123ea |
On Sun, Jun 25, 2017 at 08:22:57PM +0200, Boris Brezillon wrote:
> The code checks that ->_point is not NULL, but we should actually check
> ->_unpoint value which is dereferenced a few lines after the check.
>
> Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
> ---
> Found while checking that nobody except the core was directly calling
> ->_xxx().
> Note that I didn't add a Fixes tag because it's hard to tell when
> mtd_point() was introduced (code has been moved from mtd.h to mtdcore.c
> in commit 8273a0c911d8 "mtd: add offset and length checks to the API
> function"), and all drivers implementing ->_point() also implement
> ->_unpoint (the only exception being drivers/mtd/maps/uclinux.c).

Applied
diff --git a/drivers/mtd/mtdcore.c b/drivers/mtd/mtdcore.c index e214af82b9be..e02ccdbdcdf1 100644 --- a/drivers/mtd/mtdcore.c +++ b/drivers/mtd/mtdcore.c @@ -991,7 +991,7 @@ EXPORT_SYMBOL_GPL(mtd_point); /* We probably shouldn't allow XIP if the unpoint isn't a NULL */ int mtd_unpoint(struct mtd_info *mtd, loff_t from, size_t len) { - if (!mtd->_point) + if (!mtd->_unpoint) return -EOPNOTSUPP; if (from < 0 || from >= mtd->size || len > mtd->size - from) return -EINVAL;
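Review bot: the context comment directly above mtd_unpoint(), "We probably shouldn't allow XIP if the unpoint isn't a NULL", reads as inverted next to the corrected `if (!mtd->_unpoint)` guard, so it is worth rewording in the same patch to state the intended condition (XIP is questionable when ->_unpoint is NULL). Separately, with the guard now on ->_unpoint, a driver that provides ->_point without ->_unpoint (the notes name drivers/mtd/maps/uclinux.c) gets -EOPNOTSUPP from mtd_unpoint() instead of a NULL dereference; a sentence in the commit message saying that callers are expected to tolerate that return for such drivers would document the behaviour change.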
The code checks that ->_point is not NULL, but we should actually check
->_unpoint value which is dereferenced a few lines after the check.

Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
---
Found while checking that nobody except the core was directly calling
->_xxx().
Note that I didn't add a Fixes tag because it's hard to tell when
mtd_point() was introduced (code has been moved from mtd.h to mtdcore.c
in commit 8273a0c911d8 "mtd: add offset and length checks to the API
function"), and all drivers implementing ->_point() also implement
->_unpoint (the only exception being drivers/mtd/maps/uclinux.c).
---
 drivers/mtd/mtdcore.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)