Wrong CFI offset in cfi_cmdset_0001.c

Nicolas Pitre nico at cam.org
Tue Oct 25 14:45:47 EDT 2005


On Mon, 24 Oct 2005, Jared Hulbert wrote:

> Sorry. It took me longer than it should have to track down a P30 part
> and get it on my machine.  Does this work for you?

I have a problem convincing myself it should work at all.

> --- trunk/drivers/mtd/chips/cfi_cmdset_0001.c	(revision 8)
> +++ trunk/drivers/mtd/chips/cfi_cmdset_0001.c	(revision 10)
> @@ -285,7 +285,7 @@
>  			      sizeof(struct cfi_intelext_otpinfo);
> 
>  		/* Burst Read info */
> -		extra_size += (extp->MinorVersion < '4') ? 6 : 5;
> +		extra_size += (unsigned int)extp->extra[extra_size+1]+2;
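Review bot: the replacement line reads `extp->extra[extra_size+1]` before that part of the extended query table has been read into memory, so the size it adds is taken from uninitialized data unless a later re-read happens to cover the offset; the burst-read length should only be fetched after the buffer is known to extend past `extra_size+1` (or the read deferred until after the extra data is loaded) rather than relying on the later `goto again` to recover. The `(unsigned int)` cast is also unnecessary because `extra` is a `uint8_t` array, so `extra_size += extp->extra[extra_size+1] + 2;` says the same thing without it.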

Here you're dereferencing the extra array which (initially) has not even 
been read into memory yet.  It probably only works because it just 
happens that extra_size is not increased enough to bypass the later 
"goto again" which would manage to read the extra data needed and things 
would get back on track at that point.  But that's relying on pure luck.

Could you fix that and get rid of the needless cast please?  (extra is 
uint8_t so there are no signedness issues to worry about)


Nicolas
