From 6815e0d0548011a9e8574947f5de4754530d3edd Mon Sep 17 00:00:00 2001
From: Johannes Stezenbach
Date: Wed, 6 Jun 2012 18:05:00 +0200
Subject: [PATCH] fs: limit flash erase and protect to the partiton boundary

Passing a too large size or offset to erase could affect flash outside the partition boundary. Addresses for SPI flash wrap around, thus giving a count + offset going past the end of the flash would wrap around and erase flash at offset 0. Add the same check for protect.

Signed-off-by: Johannes Stezenbach
Signed-off-by: Sascha Hauer
---
 fs/fs.c | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/fs/fs.c b/fs/fs.c
index 9cda1d996..af73c8c8a 100644
--- a/fs/fs.c
+++ b/fs/fs.c
@@ -751,14 +751,13 @@ int erase(int fd, size_t count, unsigned long offset)
 
  if (check_fd(fd))
  return -errno;
+ if (offset >= f->size)
+ return 0;
+ if (count > f->size - offset)
+ count = f->size - offset;
 
  dev = f->dev;
-
  fsdrv = dev_to_fs_driver(dev);
-
- if (f->pos + count > f->size)
- count = f->size - f->pos;
-
  if (fsdrv->erase)
  ret = fsdrv->erase(dev, f, count, offset);
  else
@@ -780,14 +779,13 @@ int protect(int fd, size_t count, unsigned long offset, int prot)
 
  if (check_fd(fd))
  return -errno;
+ if (offset >= f->size)
+ return 0;
+ if (count > f->size - offset)
+ count = f->size - offset;
 
  dev = f->dev;
-
  fsdrv = dev_to_fs_driver(dev);
-
- if (f->pos + count > f->size)
- count = f->size - f->pos;
-
  if (fsdrv->protect)
  ret = fsdrv->protect(dev, f, count, offset, prot);
  else
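Review bot: The clamp `if (count > f->size - offset)` in erase() is free of unsigned underflow only because the `offset >= f->size` test sits directly above it, and nothing in the code says so. A short comment above the pair, for example `/* offset < f->size from here on, so f->size - offset cannot wrap; keep the range inside the partition */`, would stop a later reorder from reintroducing the wrap-around the commit message describes. The identical pair added to protect() in the next hunk wants the same comment. erase() begins and ends outside the hunk, so the declared type of `f->size` is not visible here; if it turns out to be signed, the mixed comparison with `unsigned long offset` deserves a second look.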
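Review bot: In protect(), `if (offset >= f->size) return 0;` reports success for a range that lies wholly outside the partition, and the clamp below it silently shortens a range that runs past the end. For a lock request this tells the caller the call succeeded even though part or all of the requested range was never handed to the driver, so a miscomputed offset or length goes unnoticed. Returning an error for the out-of-range offset, e.g. `return -EINVAL;`, would let callers detect this; if silent truncation of the tail is intended, the function's documentation should say so. The early return added to erase() in the previous hunk has the same shape, though "nothing erased" is a weaker false assurance than "nothing protected". protect() starts and ends outside the hunk.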