Re: [PATCH] mtd: rawnand: tegra: check bounds of die_nr properly
From: Marcel Ziswiler
Date: Thu Jul 12 2018 - 09:32:05 EST
On Wed, 2018-07-04 at 11:13 +0200, Stefan Agner wrote:
> The Tegra driver currently only support a single chip select, hence
> check boundaries accordingly. This fixes a off by one issue catched
> with Smatch:
> drivers/mtd/nand/raw/tegra_nand.c:476 tegra_nand_select_chip()
> warn: array off by one? 'nand->cs[die_nr]'
>
> Also warn in case the stack asks for a chip select we currently do
> not support.
>
> Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> Signed-off-by: Stefan Agner <stefan@xxxxxxxx>
> ---
> drivers/mtd/nand/raw/tegra_nand.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/mtd/nand/raw/tegra_nand.c
> b/drivers/mtd/nand/raw/tegra_nand.c
> index 4daa88d814134..e65ef584df0b9 100644
> --- a/drivers/mtd/nand/raw/tegra_nand.c
> +++ b/drivers/mtd/nand/raw/tegra_nand.c
> @@ -468,7 +468,9 @@ static void tegra_nand_select_chip(struct
> mtd_info *mtd, int die_nr)
> struct tegra_nand_chip *nand = to_tegra_chip(chip);
> struct tegra_nand_controller *ctrl = to_tegra_ctrl(chip-
> >controller);
>
> - if (die_nr < 0 || die_nr > 1) {
> + WARN_ON(die_nr >= ARRAY_SIZE(nand->cs));
Unfortunately, that has a tiny little issue as die_nr is a signed
integer and ARRAY_SIZE of course is unsigned. While I could have sworn
my shirt off that the compiler would have to promote this to signed
this is not quite what happens and upon deselecting with -1 this
warning gets triggered!
I will send an updated patch explicitly casting the ARRAY_SIZE side to
int as well shortly.
> +
> + if (die_nr < 0 || die_nr > 0) {
> ctrl->cur_cs = -1;
> return;
> }