In yaffs_proc_write
static int yaffs_proc_write(struct file *file, const char *buf,
					 unsigned long count, void *data)
{
...
		mask_bitfield = simple_strtoul(buf + pos, &end, 0);
		if (end > buf + pos) {
			mask_name = "numeral";
			len = end - (buf + pos);
			pos += len;
			done = 0;
		} else {
...
}

simple_strtoul may cause end>=buf+count.

I think we may need another check-length version of simple_strtoul
which is like nstrcpy v.s. strcpy.

-- 
Regards, neversetsun