
[v2] flash: fix offset and size parameters check

Message ID 1434362138-21272-1-git-send-email-clg@fr.ibm.com
State Accepted

Commit Message

Cédric Le Goater June 15, 2015, 9:55 a.m. UTC
Copying the flash from the host fails:

	# cat /dev/mtd0 > pnor
	cat: /dev/mtd0: Input/output error

and the kernel logs:

	[ 1357.866996] mtd mtd0: opal_flash_async_op(op=0) failed (rc -1)

It seems that the check on the parameters in the opal_flash_op() routine
is a bit excessive and we fail to write or read the last block.

Here is a fix below which should be enough to catch an out of bounds
operation.

Signed-off-by: Cédric Le Goater <clg@fr.ibm.com>
---

 Change since V2:
 
 - kept the check for the overflow condition (J. Kerr)
 
 core/flash.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Jeremy Kerr June 15, 2015, 10:18 a.m. UTC | #1
Hi Cedric,

> It seems that the check on the parameters in the opal_flash_op()
> routine is a bit excessive and we fail to write or read the last
> block.
> 
> Here is a fix below which should be enough to catch an out of bounds 
> operation.

Looks good, thanks.

Acked-by: Jeremy Kerr <jk@ozlabs.org>

Cheers,

Jeremy

Patch

Index: skiboot.git/core/flash.c
===================================================================
--- skiboot.git.orig/core/flash.c
+++ skiboot.git/core/flash.c
@@ -312,7 +312,7 @@  static int64_t opal_flash_op(enum flash_
 	}
 
 	if (size >= flash->size || offset >= flash->size
-			|| offset + size >= flash->size) {
+			|| offset + size > flash->size) {
 		rc = OPAL_PARAMETER;
 		goto err;
 	}