66d90453b4
commit 31507fc2ad36e0071751a710449db19c85d82a7f upstream.
When __nvmem_cell_entry_write() is called for an nvmem cell that does
not need bit shifting, it requires that the len parameter exactly
matches the nvmem cell size. However, when the nvmem cell has a nonzero
bit_offset, it was skipping this check.
Accepting values of len larger than the cell size results in
nvmem_cell_prepare_write_buffer() trying to write past the end of a heap
buffer that it allocates. Add a check to avoid that problem and instead
return -EINVAL when len doesn't match the number of bits expected by the
nvmem cell when bit_offset is nonzero.
This check uses cell->nbits in order to allow providing the smaller size
to cells that are shifted into another byte by bit_offset. For example,
a cell with nbits=8 and nonzero bit_offset would have bytes=2 but should
accept a 1-byte write here, although no current callers depend on this.
Fixes:
|
||
|---|---|---|
| .. | ||
| apple-efuses.c | ||
| bcm-ocotp.c | ||
| brcm_nvram.c | ||
| core.c | ||
| imx-iim.c | ||
| imx-ocotp-scu.c | ||
| imx-ocotp.c | ||
| jz4780-efuse.c | ||
| Kconfig | ||
| lan9662-otpc.c | ||
| layerscape-sfp.c | ||
| lpc18xx_eeprom.c | ||
| lpc18xx_otp.c | ||
| Makefile | ||
| meson-efuse.c | ||
| meson-mx-efuse.c | ||
| microchip-otpc.c | ||
| mtk-efuse.c | ||
| mxs-ocotp.c | ||
| nintendo-otp.c | ||
| qcom-spmi-sdam.c | ||
| qfprom.c | ||
| rave-sp-eeprom.c | ||
| rmem.c | ||
| rockchip-efuse.c | ||
| rockchip-otp.c | ||
| sc27xx-efuse.c | ||
| snvs_lpgpr.c | ||
| sprd-efuse.c | ||
| stm32-romem.c | ||
| sunplus-ocotp.c | ||
| sunxi_sid.c | ||
| u-boot-env.c | ||
| uniphier-efuse.c | ||
| vf610-ocotp.c | ||
| zynqmp_nvmem.c | ||