mtd: nandsim: bugfix: fail if overridesize is too big

rgenoud · David Woodhouse · commit bb0a13a13411 · 2012-09-29T15:54:12.000+01:00
If override size is too big, the module was actually loaded instead of
failing, because retval was not set.

This lead to memory corruption with the use of the freed structs nandsim
and nand_chip.

Cc: stable@vger.kernel.org
Signed-off-by: Richard Genoud &lt;richard.genoud@gmail.com&gt;
Signed-off-by: Artem Bityutskiy &lt;artem.bityutskiy@linux.intel.com&gt;
Signed-off-by: David Woodhouse &lt;David.Woodhouse@intel.com&gt;
diff --git a/drivers/mtd/nand/nandsim.c b/drivers/mtd/nand/nandsim.c
@@ -2317,6 +2317,7 @@ static int __init ns_init_module(void)
 		uint64_t new_size = (uint64_t)nsmtd->erasesize << overridesize;
 		if (new_size >> overridesize != nsmtd->erasesize) {
 			NS_ERR("overridesize is too big\n");
+			retval = -EINVAL;
 			goto err_exit;
 		}
 		/* N.B. This relies on nand_scan not doing anything with the size before we change it */

Original file line number	Diff line number	Diff line change
`@@ -2317,6 +2317,7 @@ static int __init ns_init_module(void)`
`2317`	`2317`	`uint64_t new_size = (uint64_t)nsmtd->erasesize << overridesize;`
`2318`	`2318`	`if (new_size >> overridesize != nsmtd->erasesize) {`
`2319`	`2319`	`NS_ERR("overridesize is too big\n");`
	`2320`	`+ retval = -EINVAL;`
`2320`	`2321`	`goto err_exit;`
`2321`	`2322`	`}`
`2322`	`2323`	`/* N.B. This relies on nand_scan not doing anything with the size before we change it */`