On Fri, 2018-04-06 at 15:23 +0200, Greg Kroah-Hartman wrote:
4.4-stable review patch. If anyone has any objections, please let me know.
From: Linus Walleij <linus.walleij@linaro.org>
commit 87a73eb5b56fd6e07c8e499fe8608ef2d8912b82 upstream.
[...]
--- a/drivers/mtd/chips/jedec_probe.c +++ b/drivers/mtd/chips/jedec_probe.c @@ -1889,6 +1889,8 @@ static inline u32 jedec_read_mfr(struct do { uint32_t ofs = cfi_build_cmd_addr(0 + (bank << 8), map, cfi); mask = (1 << (cfi->device_type * 8)) - 1;
if (ofs >= map->size)
return 0;
result = map_read(map, base + ofs); bank++; } while ((result.x[0] & mask) == CFI_MFR_CONTINUATION);
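Review bot: the added check in jedec_read_mfr() compares ofs alone against map->size, but the read that follows is map_read(map, base + ofs), so with a nonzero base the access can still land past the end of the mapping while ofs < map->size holds. Bound the address that is actually read, for example by testing ofs against map->size - base, and add a short comment saying why the function returns 0 at that point.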
Looking at the calling code several levels up, in genprobe_ident_chips():
	max_chips = map->size >> cfi.chipshift;
	[...]
	for (i = 1; i < max_chips; i++) {
		cp->probe_chip(map, i << cfi.chipshift, chip_map, &cfi);
	}
The expression i << cfi.chipshift becomes the base parameter here, so we have base < map->size. That implies to me that map->size is the size of the complete mapping, and we need to compare it with the complete address.
So shouldn't the test be ofs >= (map->size - base)? Or even ofs >= (1 << cfi->chipshift)?
Ben.
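
The three candidate checks discussed in this reply, compared in an added userspace model (not code from the original mail or from the kernel). It assumes a constructed 0x1000-byte mapping holding two 0x800-byte chips, a simplified offset of bank << 8 in place of cfi_build_cmd_addr(), and a mapping that always returns the continuation code so that only the bounds check can end the loop.

```c
#include <stdint.h>
#include <stdio.h>

#define MAP_SIZE     0x1000u  /* constructed: whole mapping, two chips */
#define CHIPSHIFT    11       /* constructed: each chip is 0x800 bytes */
#define CONTINUATION 0x7f     /* stands in for CFI_MFR_CONTINUATION */

enum check { CHECK_OFS, CHECK_REMAINING, CHECK_CHIP };

/* Constructed mapping: every in-range read yields the continuation code, so
 * only the bounds check can end the loop. An out-of-range read yields 0. */
static uint8_t model_read(uint32_t addr)
{
	return addr < MAP_SIZE ? CONTINUATION : 0;
}

/* Model of the loop in jedec_read_mfr(); returns the last address read. */
static uint32_t last_read_addr(uint32_t base, enum check c)
{
	uint32_t bank = 0, last = UINT32_MAX;
	uint8_t result = 0;

	do {
		uint32_t ofs = bank << 8;  /* simplified cfi_build_cmd_addr() */
		int stop;

		if (c == CHECK_OFS)             /* check as posted */
			stop = ofs >= MAP_SIZE;
		else if (c == CHECK_REMAINING)  /* ofs >= (map->size - base) */
			stop = ofs >= MAP_SIZE - base;
		else                            /* ofs >= (1 << cfi->chipshift) */
			stop = ofs >= (1u << CHIPSHIFT);
		if (stop)
			break;             /* the patch returns 0 here */
		last = base + ofs;
		result = model_read(last);
		bank++;
	} while (result == CONTINUATION);
	return last;
}

int main(void)
{
	uint32_t base = 1u << CHIPSHIFT;  /* second chip, i = 1 */

	printf("ofs >= size:        last read at 0x%x\n", (unsigned)last_read_addr(base, CHECK_OFS));
	printf("ofs >= size - base: last read at 0x%x\n", (unsigned)last_read_addr(base, CHECK_REMAINING));
	printf("ofs >= chip size:   last read at 0x%x\n", (unsigned)last_read_addr(base, CHECK_CHIP));
	return 0;
}
```

For the second chip the posted check lets the loop read at 0x1000, one bank past the mapping, while both alternatives stop at 0xf00; for base 0 the per-chip bound additionally stops at 0x700 instead of walking into the next chip.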