From d30f11d22549c54e9b05d153e37d166f88a2aa43 Mon Sep 17 00:00:00 2001 From: Joern Engel Date: Wed, 23 Feb 2005 19:37:11 +0000 Subject: [MTD] Use after free, found by the Coverity tool Signed-off-by: Alexander Nyberg Signed-off-by: Joern Engel Signed-off-by: Thomas Gleixner --- drivers/mtd/devices/phram.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'drivers/mtd/devices/phram.c') diff --git a/drivers/mtd/devices/phram.c b/drivers/mtd/devices/phram.c index 5f8e164ddb7..57454df639f 100644 --- a/drivers/mtd/devices/phram.c +++ b/drivers/mtd/devices/phram.c @@ -1,5 +1,5 @@ /** - * $Id: phram.c,v 1.11 2005/01/05 18:05:13 dwmw2 Exp $ + * $Id: phram.c,v 1.12 2005/02/23 19:37:07 joern Exp $ * * Copyright (c) ???? Jochen Schäuble * Copyright (c) 2003-2004 Jörn Engel @@ -107,9 +107,9 @@ static int phram_write(struct mtd_info *mtd, loff_t to, size_t len, static void unregister_devices(void) { - struct phram_mtd_list *this; + struct phram_mtd_list *this, *safe; - list_for_each_entry(this, &phram_list, list) { + list_for_each_entry_safe(this, safe, &phram_list, list) { del_mtd_device(&this->mtd); iounmap(this->mtd.priv); kfree(this); -- cgit v1.2.3 From 663259a44f440249cab1b0f3f4b82cfab8e4758d Mon Sep 17 00:00:00 2001 From: Joern Engel Date: Mon, 7 Mar 2005 21:43:42 +0000 Subject: [MTD] phram: Allow short reads. Jffs2 apparently needs this. Accept newline at the end of input. Signed-off-by: Joern Engel Signed-off-by: Thomas Gleixner --- drivers/mtd/devices/phram.c | 30 ++++++++++++++++++++++-------- 1 file changed, 22 insertions(+), 8 deletions(-) (limited to 'drivers/mtd/devices/phram.c') diff --git a/drivers/mtd/devices/phram.c b/drivers/mtd/devices/phram.c index 57454df639f..a423a382095 100644 --- a/drivers/mtd/devices/phram.c +++ b/drivers/mtd/devices/phram.c @@ -1,5 +1,5 @@ /** - * $Id: phram.c,v 1.12 2005/02/23 19:37:07 joern Exp $ + * $Id: phram.c,v 1.14 2005/03/07 21:43:38 joern Exp $ * * Copyright (c) ???? Jochen Schäuble * Copyright (c) 2003-2004 Jörn Engel @@ -15,9 +15,7 @@ * * Example: * phram=swap,64Mi,128Mi phram=test,900Mi,1Mi - * */ - #include #include #include @@ -36,7 +34,6 @@ struct phram_mtd_list { static LIST_HEAD(phram_list); - static int phram_erase(struct mtd_info *mtd, struct erase_info *instr) { u_char *start = mtd->priv; @@ -71,7 +68,8 @@ static int phram_point(struct mtd_info *mtd, loff_t from, size_t len, return 0; } -static void phram_unpoint(struct mtd_info *mtd, u_char *addr, loff_t from, size_t len) +static void phram_unpoint(struct mtd_info *mtd, u_char *addr, loff_t from, + size_t len) { } @@ -80,8 +78,11 @@ static int phram_read(struct mtd_info *mtd, loff_t from, size_t len, { u_char *start = mtd->priv; - if (from + len > mtd->size) + if (from >= mtd->size) return -EINVAL; + + if (len > mtd->size - from) + len = mtd->size - from; memcpy(buf, start + from, len); @@ -94,8 +95,11 @@ static int phram_write(struct mtd_info *mtd, loff_t to, size_t len, { u_char *start = mtd->priv; - if (to + len > mtd->size) + if (to >= mtd->size) return -EINVAL; + + if (len > mtd->size - to) + len = mtd->size - to; memcpy(start + to, buf, len); @@ -145,7 +149,7 @@ static int register_device(char *name, unsigned long start, unsigned long len) new->mtd.write = phram_write; new->mtd.owner = THIS_MODULE; new->mtd.type = MTD_RAM; - new->mtd.erasesize = 0; + new->mtd.erasesize = PAGE_SIZE; ret = -EAGAIN; if (add_mtd_device(&new->mtd)) { @@ -214,6 +218,15 @@ static int parse_name(char **pname, const char *token) return 0; } + +static inline void kill_final_newline(char *str) +{ + char *newline = strrchr(str, '\n'); + if (newline && !newline[1]) + *newline = 0; +} + + #define parse_err(fmt, args...) do { \ ERROR(fmt , ## args); \ return 0; \ @@ -232,6 +245,7 @@ static int phram_setup(const char *val, struct kernel_param *kp) parse_err("parameter too long\n"); strcpy(str, val); + kill_final_newline(str); for (i=0; i<3; i++) token[i] = strsep(&str, ","); -- cgit v1.2.3