Message-ID: <1526310960.9159.3.camel@codethink.co.uk>
Subject: Re: [PATCH 4.4 01/72] mtd: jedec_probe: Fix crash in jedec_read_mfr()
From: Ben Hutchings
To: Linus Walleij, Boris Brezillon
Cc: stable@vger.kernel.org, Greg Kroah-Hartman, LKML
Date: Mon, 14 May 2018 16:16:00 +0100
In-Reply-To: <20180406084305.298690833@linuxfoundation.org>
References: <20180406084305.210085169@linuxfoundation.org> <20180406084305.298690833@linuxfoundation.org>
Organization: Codethink Ltd.
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, 2018-04-06 at 15:23 +0200, Greg Kroah-Hartman wrote:
> 4.4-stable review patch.  If anyone has any objections, please let me know.
>
> ------------------
>
> From: Linus Walleij
>
> commit 87a73eb5b56fd6e07c8e499fe8608ef2d8912b82 upstream.
[...]
> --- a/drivers/mtd/chips/jedec_probe.c
> +++ b/drivers/mtd/chips/jedec_probe.c
> @@ -1889,6 +1889,8 @@ static inline u32 jedec_read_mfr(struct
>   do {
>   uint32_t ofs = cfi_build_cmd_addr(0 + (bank << 8), map, cfi);
>   mask = (1 << (cfi->device_type * 8)) - 1;
> + if (ofs >= map->size)
> + return 0;
>   result = map_read(map, base + ofs);
>   bank++;
>   } while ((result.x[0] & mask) == CFI_MFR_CONTINUATION);

Looking at the calling code several levels up, in genprobe_ident_chips():

	max_chips = map->size >> cfi.chipshift;
[...]
	for (i = 1; i < max_chips; i++) {
		cp->probe_chip(map, i << cfi.chipshift, chip_map, &cfi);
	}

The expression i << cfi.chipshift becomes the base parameter here, so we have base < map->size.  That implies to me that map->size is the size of the complete mapping, and we need to compare it with the complete address.  So shouldn't the test be ofs >= (map->size - base)?  Or even ofs >= (1 << cfi->chipshift)?

Ben.

-- 
Ben Hutchings
Software Developer, Codethink Ltd.
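Review bot: the added guard `if (ofs >= map->size)` bounds only the bank-relative offset, while the read it is meant to protect is `result = map_read(map, base + ofs);`, so whenever the chip being probed sits at a non-zero `base` the loop can still read past the end of the mapping before the guard fires. Compare the full address instead, e.g. `if (base + ofs >= map->size)` (equivalently `ofs >= map->size - base`, as suggested in the reply above), so that the check matches the address actually passed to map_read().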
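To make the reply's point concrete, here is an added C model (not kernel code and not part of the patch) that walks the continuation loop for a second chip under both guards and counts reads that land beyond the mapping; the one-field map struct, the 256-byte bank stride standing in for cfi_build_cmd_addr(), and the two 1 MiB chips are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
/* Constructed stand-in for struct map_info: only the field the discussion uses. */
struct map_info { unsigned long size; };

typedef bool (*guard_fn)(const struct map_info *map, unsigned long base, uint32_t ofs);

/* Guard exactly as the quoted hunk writes it: only the chip-relative offset is checked. */
static bool guard_ofs_only(const struct map_info *map, unsigned long base, uint32_t ofs)
{
	(void)base;
	return ofs >= map->size;
}

/* Guard as the reply proposes: check against the space left above this chip's base. */
static bool guard_remaining(const struct map_info *map, unsigned long base, uint32_t ofs)
{
	return ofs >= map->size - base;
}

/*
 * Worst-case walk of the continuation loop for one chip at `base` (every bank
 * answers CFI_MFR_CONTINUATION). `bank_stride` is an assumed stand-in for
 * cfi_build_cmd_addr(bank << 8, ...). Returns how many map_read(map, base + ofs)
 * calls would land beyond map->size before the guard stops the loop.
 */
static unsigned long unguarded_reads(guard_fn guard, const struct map_info *map,
				     unsigned long base, uint32_t bank_stride,
				     unsigned long max_banks)
{
	unsigned long bank, oob = 0;
	for (bank = 0; bank < max_banks; bank++) {
		uint32_t ofs = (uint32_t)(bank * bank_stride);
		if (guard(map, base, ofs))
			break;			/* guard fires, function returns 0 */
		if (base + ofs >= map->size)
			oob++;			/* read past the end of the mapping */
	}
	return oob;
}

/* Scenario: two 1 MiB chips; probe the second one, i.e. i = 1 in genprobe_ident_chips(). */
static unsigned long second_chip_scenario(guard_fn guard)
{
	const unsigned int chipshift = 20;			/* assumed 1 MiB chips */
	struct map_info map = { .size = 2UL << chipshift };	/* base < map->size holds */
	unsigned long base = 1UL << chipshift;
	return unguarded_reads(guard, &map, base, 256, 1UL << 14);
}
```

With the offset-only guard the second chip's walk performs 4096 reads beyond the mapping before stopping; with the remaining-space guard it performs none.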