A report from Colin Ian King pointed out a CoverityScan issue where error values from these helpers were not checked in the drivers. These helpers could error out only in case of a software bug in driver code, not because of a runtime/hardware error, but in any case it is safer to handle these errors properly.
Before fixing the drivers, let's add some consistency and fix these helpers error handling.
Fixes: 8878b126df76 ("mtd: nand: add ->exec_op() implementation")
Cc: stable@vger.kernel.org
Signed-off-by: Miquel Raynal miquel.raynal@bootlin.com
---
 drivers/mtd/nand/raw/nand_base.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/drivers/mtd/nand/raw/nand_base.c b/drivers/mtd/nand/raw/nand_base.c
index 10c4f9919850..51f68203aa63 100644
--- a/drivers/mtd/nand/raw/nand_base.c
+++ b/drivers/mtd/nand/raw/nand_base.c
@@ -2720,6 +2720,8 @@ int nand_subop_get_num_addr_cyc(const struct nand_subop *subop,
 return -EINVAL;
start_off = nand_subop_get_addr_start_off(subop, instr_idx);
+ if (start_off < 0)
+ return start_off;
if (instr_idx == subop->ninstrs - 1 && subop->last_instr_end_off)
@@ -2774,6 +2776,8 @@ int nand_subop_get_data_len(const struct nand_subop *subop,
 return -EINVAL;
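Review bot: Both helpers now have a second path that yields a negative errno, so their kernel-doc (above these hunks, not visible here) should spell out the contract for callers: the result must be held in a signed `int` and tested before it is used as a cycle count or a transfer length. A line such as `Return: the number of address cycles to issue, or a negative error code.` on nand_subop_get_num_addr_cyc(), and the equivalent on nand_subop_get_data_len() in the second hunk, would do. The added `if (start_off < 0)` test also relies on `start_off` being declared signed in both functions; the declarations are outside the hunks, so that is worth confirming.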
start_off = nand_subop_get_data_start_off(subop, instr_idx);
+ if (start_off < 0)
+ return start_off;
if (instr_idx == subop->ninstrs - 1 && subop->last_instr_end_off)
A report from Colin Ian King pointed out a CoverityScan issue where error values from these helpers were not checked in the drivers. These helpers could error out only in case of a software bug in driver code, not because of a runtime/hardware error, but in any case it is safer to handle these errors properly.
Fix the Marvell NAND controller driver implementation by checking potential negative error values.
Fixes: 02f26ecf8c77 ("mtd: nand: add reworked Marvell NAND controller driver")
Cc: stable@vger.kernel.org
Signed-off-by: Miquel Raynal miquel.raynal@bootlin.com
---
 drivers/mtd/nand/raw/marvell_nand.c | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/drivers/mtd/nand/raw/marvell_nand.c b/drivers/mtd/nand/raw/marvell_nand.c
index 07b8a2677c10..1bb0cf6c945f 100644
--- a/drivers/mtd/nand/raw/marvell_nand.c
+++ b/drivers/mtd/nand/raw/marvell_nand.c
@@ -1554,6 +1554,9 @@ static int marvell_nfc_parse_instructions(struct nand_chip *chip,
 const u8 *addrs;
 int len = nand_subop_get_data_len(subop, op_id);
+ if (len < 0)
+ return -EINVAL;
+
 instr = &subop->instrs[op_id];
switch (instr->type) {
@@ -1573,6 +1576,9 @@ static int marvell_nfc_parse_instructions(struct nand_chip *chip,
 case NAND_OP_ADDR_INSTR:
 offset = nand_subop_get_addr_start_off(subop, op_id);
 naddrs = nand_subop_get_num_addr_cyc(subop, op_id);
+ if (offset < 0 || naddrs < 0)
+ return -EINVAL;
+
 addrs = &instr->ctx.addr.addrs[offset];
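Review bot: In the first marvell_nfc_parse_instructions() hunk, `len` is computed and tested before `switch (instr->type)`, so the new `return -EINVAL` runs for every instruction in the sub-operation, not only the data ones. If nand_subop_get_data_len() rejects non-data instructions (its early `return -EINVAL;` is visible in the nand_base.c patch, but the condition guarding it is not), every command or address instruction would now abort parsing. Moving the call and the check into the data-instruction cases of the switch, as `len = nand_subop_get_data_len(subop, op_id);` followed by `if (len < 0) return len;`, keeps the check where the value is actually used. The rest of the function, including the data cases, lies outside the hunk.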
nfc_op->ndcb[0] |= NDCB0_ADDR_CYC(naddrs);
@@ -1638,6 +1644,9 @@ static int marvell_nfc_xfer_data_pio(struct nand_chip *chip,
 bool reading = (instr->type == NAND_OP_DATA_IN_INSTR);
 int ret;
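Review bot: The `offset < 0 || naddrs < 0` test placed before `addrs = &instr->ctx.addr.addrs[offset]` is only effective if `offset` and `naddrs` are signed, and their declarations are above the hunk (the visible context of the function starts at `const u8 *addrs;`). If they are `unsigned int`, the comparison is always false and a negative errno would still be used as an array index and as the NDCB0_ADDR_CYC() argument. The same question applies to `len` and `offset` in the marvell_nfc_xfer_data_pio() hunk, whose declarations are also not shown. Declaring these locals as plain `int`, or reading each helper result into an `int` before converting it, makes the checks meaningful.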
+ if (len < 0 || offset < 0)
+ return -EINVAL;
+
 if (instr->ctx.data.force_8bit)
 marvell_nfc_force_byte_access(chip, true);
A report from Colin Ian King pointed out a CoverityScan issue where error values from these helpers were not checked in the drivers. These helpers could error out only in case of a software bug in driver code, not because of a runtime/hardware error, but in any case it is safer to handle these errors properly.
Fix the VF610 NAND controller driver implementation by checking potential negative error values coming from these helpers.
Fixes: 1cbe30b0ddc7 ("mtd: rawnand: vf610_nfc: make use of ->exec_op()")
Cc: stable@vger.kernel.org
Signed-off-by: Miquel Raynal miquel.raynal@bootlin.com
---
 drivers/mtd/nand/raw/vf610_nfc.c | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/drivers/mtd/nand/raw/vf610_nfc.c b/drivers/mtd/nand/raw/vf610_nfc.c
index d5a22fc96878..cc88ed758685 100644
--- a/drivers/mtd/nand/raw/vf610_nfc.c
+++ b/drivers/mtd/nand/raw/vf610_nfc.c
@@ -398,6 +398,9 @@ static int vf610_nfc_cmd(struct nand_chip *chip,
 int naddrs = nand_subop_get_num_addr_cyc(subop, op_id);
 int i = nand_subop_get_addr_start_off(subop, op_id);
+ if (naddrs < 0 || i < 0)
+ return -EINVAL;
+
 for (; i < naddrs; i++) {
 u8 val = instr->ctx.addr.addrs[i];
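Review bot: The three checks added to vf610_nfc_cmd() fail quietly, although the description says a negative value can only come from a bug in driver code. Wrapping the conditions, e.g. `if (WARN_ON(naddrs < 0 || i < 0))` here and `if (WARN_ON(trfr_sz < 0 || offset < 0))` in the two data hunks, would leave a trace in the log instead of surfacing only as a generic -EINVAL from the operation. `trfr_sz` and `offset` are declared outside the hunks, so it is also worth confirming they are signed; otherwise those two comparisons never fire and the values still reach the transfer code as a length and an offset.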
@@ -414,6 +417,9 @@ static int vf610_nfc_cmd(struct nand_chip *chip,
 if (instr && instr->type == NAND_OP_DATA_OUT_INSTR) {
 trfr_sz = nand_subop_get_data_len(subop, op_id);
 offset = nand_subop_get_data_start_off(subop, op_id);
+ if (trfr_sz < 0 || offset < 0)
+ return -EINVAL;
+
 force8bit = instr->ctx.data.force_8bit;
/*
@@ -444,6 +450,9 @@ static int vf610_nfc_cmd(struct nand_chip *chip,
 if (instr && instr->type == NAND_OP_DATA_IN_INSTR) {
 trfr_sz = nand_subop_get_data_len(subop, op_id);
 offset = nand_subop_get_data_start_off(subop, op_id);
+ if (trfr_sz < 0 || offset < 0)
+ return -EINVAL;
+
 force8bit = instr->ctx.data.force_8bit;
code |= COMMAND_READ_DATA;
linux-stable-mirror@lists.linaro.org