@@ -1767,8 +1767,7 @@ static int __nvmem_cell_entry_write(struct nvmem_cell_entry *cell, void *buf, si
struct nvmem_device *nvmem = cell->nvmem;
int rc;
- if (!nvmem || nvmem->read_only ||
- (cell->bit_offset == 0 && len != cell->bytes))
+ if (!nvmem || nvmem->read_only)
return -EINVAL;
/*
@@ -1780,9 +1779,13 @@ static int __nvmem_cell_entry_write(struct nvmem_cell_entry *cell, void *buf, si
return -EINVAL;
if (cell->bit_offset || cell->nbits) {
+ if (len > cell->bytes)
+ return -EINVAL;
buf = nvmem_cell_prepare_write_buffer(cell, buf, len);
if (IS_ERR(buf))
return PTR_ERR(buf);
+ } else if (len != cell->bytes) {
+ return -EINVAL;
}
rc = nvmem_reg_write(nvmem, cell->offset, buf, cell->bytes);
When __nvmem_cell_entry_write() is called for an nvmem cell that does not need bit shifting, it requires that the len parameter exactly matches the nvmem cell size. However, when the nvmem cell has a nonzero bit_offset, it was skipping this check. Accepting values of len larger than the cell size results in nvmem_cell_prepare_write_buffer() trying to write past the end of a heap buffer that it allocates. This patch adds a check to avoid that problem and instead return -EINVAL when len is too large. Rather than unconditionally checking that len exactly matches the nvmem cell size, allowing len to be smaller when bit shifts are involved may be helpful because some devices have nvmem cells that are less than 8 bits but span two bytes, although no current devices or drivers that do this seem to rely on nvmem_cell_write(). This possibility can be handled by nvmem_cell_prepare_write_buffer() because it allocates an appropriately-sized heap buffer and avoids reading past the end of buf. Fixes: 69aba7948cbe ("nvmem: Add a simple NVMEM framework for consumers") Signed-off-by: Jennifer Berringer <jberring@redhat.com> --- drivers/nvmem/core.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) base-commit: 98f7e32f20d28ec452afb208f9cffc08448a2652