[PATCH 5/8] spi: mtk-snor: add bounds checking in mtk_snor_cmd_program()

[David Lechner]

From: "Noah.Shen" <noah.shen at mediatek.com>

Add bounds checking of the various lengths in mtk_snor_cmd_program() to
prevent reading or writing registers out of bounds.

Signed-off-by: Noah.Shen <noah.shen at mediatek.com>
Signed-off-by: David Lechner <dlechner at baylibre.com>
---
 drivers/spi/mtk_snor.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/drivers/spi/mtk_snor.c b/drivers/spi/mtk_snor.c
index babdb4600d5..77f94827568 100644
--- a/drivers/spi/mtk_snor.c
+++ b/drivers/spi/mtk_snor.c
@@ -90,6 +90,7 @@
 #define MTK_NOR_REG_DMA_END_DADR 0x724
 
 #define MTK_NOR_PRG_MAX_SIZE 6
+#define MTK_NOR_PRG_CNT_MAX 56
 /* Reading DMA src/dst addresses have to be 16-byte aligned */
 #define MTK_NOR_DMA_ALIGN 16
 #define MTK_NOR_DMA_ALIGN_MASK (MTK_NOR_DMA_ALIGN - 1)
@@ -405,6 +406,16 @@ static int mtk_snor_cmd_program(struct mtk_snor_priv *priv,
 	prg_len = op->cmd.nbytes + op->addr.nbytes + op->dummy.nbytes +
 		  op->data.nbytes;
 
+	/*
+	 * An invalid op may reach here if the caller calls exec_op without
+	 * adjust_op_size. return -EINVAL instead of -ENOTSUPP so that
+	 * spi-mem won't try this op again with generic spi transfers.
+	 */
+	if ((tx_len > MTK_NOR_REG_PRGDATA_MAX + 1) ||
+	    (rx_len > MTK_NOR_REG_SHIFT_MAX + 1) ||
+	    (prg_len > MTK_NOR_PRG_CNT_MAX / 8))
+		return -EINVAL;
+
 	/* fill tx data */
 
 	for (i = op->cmd.nbytes; i > 0; i--, reg_offset--) {

-- 
2.43.0