@@ -1554,6 +1554,9 @@ static int marvell_nfc_parse_instructions(struct nand_chip *chip,
const u8 *addrs;
int len = nand_subop_get_data_len(subop, op_id);
+ if (len < 0)
+ return -EINVAL;
+
instr = &subop->instrs[op_id];
switch (instr->type) {
@@ -1573,6 +1576,9 @@ static int marvell_nfc_parse_instructions(struct nand_chip *chip,
case NAND_OP_ADDR_INSTR:
offset = nand_subop_get_addr_start_off(subop, op_id);
naddrs = nand_subop_get_num_addr_cyc(subop, op_id);
+ if (offset < 0 || naddrs < 0)
+ return -EINVAL;
+
addrs = &instr->ctx.addr.addrs[offset];
nfc_op->ndcb[0] |= NDCB0_ADDR_CYC(naddrs);
@@ -1638,6 +1644,9 @@ static int marvell_nfc_xfer_data_pio(struct nand_chip *chip,
bool reading = (instr->type == NAND_OP_DATA_IN_INSTR);
int ret;
+ if (len < 0 || offset < 0)
+ return -EINVAL;
+
if (instr->ctx.data.force_8bit)
marvell_nfc_force_byte_access(chip, true);
A report from Colin Ian King pointed a CoverityScan issue where error values on these helpers where not checked in the drivers. These helpers could error out only in case of a software bug in driver code, not because of a runtime/hardware error but in any cases it is safer to handle these errors properly. Fix the Marvell NAND controller driver implementation by checking potential negative error values. Fixes: 02f26ecf8c77 ("mtd: nand: add reworked Marvell NAND controller driver") Cc: stable@vger.kernel.org Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com> --- drivers/mtd/nand/raw/marvell_nand.c | 9 +++++++++ 1 file changed, 9 insertions(+)