On Mon, Apr 18, 2016 at 01:10:43PM +0200, Rafał Miłecki wrote:

> +static int bcm53xxspi_flash_read(struct spi_device *spi,
> +                              struct spi_flash_read_message *msg)
> +{
> +     struct bcm53xxspi *b53spi = spi_master_get_devdata(spi->master);
> +     int ret = 0;
> +
> +     bcm53xxspi_enable_bspi(b53spi);
> +     memcpy_fromio(msg->buf, b53spi->mmio_base + msg->from, msg->len);
> +     msg->retlen = msg->len;
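
Review bot: The memcpy_fromio() call takes msg->from and msg->len straight from the caller, so nothing in this function keeps the copy inside the region behind b53spi->mmio_base. Validate the request before the copy, for example by returning -EINVAL when msg->from + msg->len exceeds the mapped size, and write the check so the sum cannot wrap. msg->retlen should then report the number of bytes actually copied instead of being set unconditionally to msg->len.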

There's no bounds check here but...

> +     if (core->addr_s[0])
> +             b53spi->mmio_base = devm_ioremap(dev, core->addr_s[0], SZ_32M);
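
Review bot: The devm_ioremap() result is stored with no NULL check in the lines shown, and mmio_base stays unset when core->addr_s[0] is zero, yet bcm53xxspi_flash_read() uses b53spi->mmio_base unconditionally. Fail the probe, or do not offer the flash read path, when the mapping is absent. Keeping the mapped length in the driver state rather than as the bare SZ_32M literal would also give the read path a limit to check against.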

...we only mapped 32M here.  What if something tries to do a larger
read?  It's also a bit surprising that we're mapping a specific size
here rather than the entire resource.
