mtd: fix oops in dataflash driver

I'm seeing an oops in mtd_dataflash.c with Linux 3.3. What appears to
be happening is that otp_select_filemode calls mtd_read_fact_prot_reg
with -1 for offset and length and a NULL buffer to test if OTP
operations are supported. This finds its way down to otp_read in
mtd_dataflash.c and causes an oops when memcpying the returned data
into the NULL buf.

None of the checks in otp_read catches the negative length and offset.
Changing the length of the dummy read to 0 prevents the oops.

Cc: stable@kernel.org [3.3+]
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c
index 58fc65f..f2f482b 100644 (file)
--- a/drivers/mtd/mtdchar.c
+++ b/drivers/mtd/mtdchar.c
@@ -376,7 +376,7 @@ static int otp_select_filemode(struct mtd_file_info *mfi, int mode)
         * Make a fake call to mtd_read_fact_prot_reg() to check if OTP
         * operations are supported.
         */
-       if (mtd_read_fact_prot_reg(mtd, -1, -1, &retlen, NULL) == -EOPNOTSUPP)
+       if (mtd_read_fact_prot_reg(mtd, -1, 0, &retlen, NULL) == -EOPNOTSUPP)
                return -EOPNOTSUPP;
 
        switch (mode) {