mtd: correct upper bounds check for mtd_*() APIs
When checking the upper boundary (i.e., whether an address is higher
than the maximum size of the MTD), we should be doing an inclusive check
(greater or equal). For instance, an address of 16MB (0x1000000) on a
16MB device is invalid.
The strengthening of this bounds check is redundant for those which
already have a address+length check and ensure that the length is
non-zero, but let's just fix them all, for completeness.
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
diff --git a/drivers/mtd/mtdcore.c b/drivers/mtd/mtdcore.c
index e4831b4..c101517 100644
--- a/drivers/mtd/mtdcore.c
+++ b/drivers/mtd/mtdcore.c
@@ -778,7 +778,7 @@
*/
int mtd_erase(struct mtd_info *mtd, struct erase_info *instr)
{
- if (instr->addr > mtd->size || instr->len > mtd->size - instr->addr)
+ if (instr->addr >= mtd->size || instr->len > mtd->size - instr->addr)
return -EINVAL;
if (!(mtd->flags & MTD_WRITEABLE))
return -EROFS;
@@ -804,7 +804,7 @@
*phys = 0;
if (!mtd->_point)
return -EOPNOTSUPP;
- if (from < 0 || from > mtd->size || len > mtd->size - from)
+ if (from < 0 || from >= mtd->size || len > mtd->size - from)
return -EINVAL;
if (!len)
return 0;
@@ -817,7 +817,7 @@
{
if (!mtd->_point)
return -EOPNOTSUPP;
- if (from < 0 || from > mtd->size || len > mtd->size - from)
+ if (from < 0 || from >= mtd->size || len > mtd->size - from)
return -EINVAL;
if (!len)
return 0;
@@ -835,7 +835,7 @@
{
if (!mtd->_get_unmapped_area)
return -EOPNOTSUPP;
- if (offset > mtd->size || len > mtd->size - offset)
+ if (offset >= mtd->size || len > mtd->size - offset)
return -EINVAL;
return mtd->_get_unmapped_area(mtd, len, offset, flags);
}
@@ -846,7 +846,7 @@
{
int ret_code;
*retlen = 0;
- if (from < 0 || from > mtd->size || len > mtd->size - from)
+ if (from < 0 || from >= mtd->size || len > mtd->size - from)
return -EINVAL;
if (!len)
return 0;
@@ -869,7 +869,7 @@
const u_char *buf)
{
*retlen = 0;
- if (to < 0 || to > mtd->size || len > mtd->size - to)
+ if (to < 0 || to >= mtd->size || len > mtd->size - to)
return -EINVAL;
if (!mtd->_write || !(mtd->flags & MTD_WRITEABLE))
return -EROFS;
@@ -892,7 +892,7 @@
*retlen = 0;
if (!mtd->_panic_write)
return -EOPNOTSUPP;
- if (to < 0 || to > mtd->size || len > mtd->size - to)
+ if (to < 0 || to >= mtd->size || len > mtd->size - to)
return -EINVAL;
if (!(mtd->flags & MTD_WRITEABLE))
return -EROFS;
@@ -1011,7 +1011,7 @@
{
if (!mtd->_lock)
return -EOPNOTSUPP;
- if (ofs < 0 || ofs > mtd->size || len > mtd->size - ofs)
+ if (ofs < 0 || ofs >= mtd->size || len > mtd->size - ofs)
return -EINVAL;
if (!len)
return 0;
@@ -1023,7 +1023,7 @@
{
if (!mtd->_unlock)
return -EOPNOTSUPP;
- if (ofs < 0 || ofs > mtd->size || len > mtd->size - ofs)
+ if (ofs < 0 || ofs >= mtd->size || len > mtd->size - ofs)
return -EINVAL;
if (!len)
return 0;
@@ -1035,7 +1035,7 @@
{
if (!mtd->_is_locked)
return -EOPNOTSUPP;
- if (ofs < 0 || ofs > mtd->size || len > mtd->size - ofs)
+ if (ofs < 0 || ofs >= mtd->size || len > mtd->size - ofs)
return -EINVAL;
if (!len)
return 0;
@@ -1045,7 +1045,7 @@
int mtd_block_isreserved(struct mtd_info *mtd, loff_t ofs)
{
- if (ofs < 0 || ofs > mtd->size)
+ if (ofs < 0 || ofs >= mtd->size)
return -EINVAL;
if (!mtd->_block_isreserved)
return 0;
@@ -1055,7 +1055,7 @@
int mtd_block_isbad(struct mtd_info *mtd, loff_t ofs)
{
- if (ofs < 0 || ofs > mtd->size)
+ if (ofs < 0 || ofs >= mtd->size)
return -EINVAL;
if (!mtd->_block_isbad)
return 0;
@@ -1067,7 +1067,7 @@
{
if (!mtd->_block_markbad)
return -EOPNOTSUPP;
- if (ofs < 0 || ofs > mtd->size)
+ if (ofs < 0 || ofs >= mtd->size)
return -EINVAL;
if (!(mtd->flags & MTD_WRITEABLE))
return -EROFS;