mtd: nandsim: bugfix: fail if overridesize is too big

rgenoud · gregkh · commit 4e180af39587 · 2012-10-13T05:50:33.000+09:00
commit bb0a13a upstream. If override size is too big, the module was actually loaded instead of failing, because retval was not set. This lead to memory corruption with the use of the freed structs nandsim and nand_chip. Signed-off-by: Richard Genoud <richard.genoud@gmail.com> Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/drivers/mtd/nand/nandsim.c b/drivers/mtd/nand/nandsim.c
@@ -2333,6 +2333,7 @@ static int __init ns_init_module(void)
 		uint64_t new_size = (uint64_t)nsmtd->erasesize << overridesize;
 		if (new_size >> overridesize != nsmtd->erasesize) {
 			NS_ERR("overridesize is too big\n");
+			retval = -EINVAL;
 			goto err_exit;
 		}
 		/* N.B. This relies on nand_scan not doing anything with the size before we change it */

Original file line number	Diff line number	Diff line change
`@@ -2333,6 +2333,7 @@ static int __init ns_init_module(void)`
`2333`	`2333`	`uint64_t new_size = (uint64_t)nsmtd->erasesize << overridesize;`
`2334`	`2334`	`if (new_size >> overridesize != nsmtd->erasesize) {`
`2335`	`2335`	`NS_ERR("overridesize is too big\n");`
	`2336`	`+ retval = -EINVAL;`
`2336`	`2337`	`goto err_exit;`
`2337`	`2338`	`}`
`2338`	`2339`	`/* N.B. This relies on nand_scan not doing anything with the size before we change it */`