From patchwork Sat Mar 3 22:29:03 2018
X-Patchwork-Submitter: Linus Walleij
X-Patchwork-Id: 881100
X-Patchwork-Delegate: boris.brezillon@free-electrons.com
From: Linus Walleij
To: David Woodhouse, Brian Norris, Boris Brezillon, Marek Vasut, Richard Weinberger, Cyrille Pitchen, linux-mtd@lists.infradead.org
Cc: Linus Walleij
Subject: [PATCH] mtd: jedec_probe: Fix crash in jedec_read_mfr()
Date: Sat, 3 Mar 2018 23:29:03 +0100
Message-Id: <20180303222903.27767-1-linus.walleij@linaro.org>

It turns out that the loop where we read manufacturer
jedec_read_mfd() can under some circumstances get a
CFI_MFR_CONTINUATION repeatedly, making the loop go
over all banks and eventually hit the end of the
map and crash because of an access violation:

Unable to handle kernel paging request at virtual address c4980000
pgd = (ptrval)
[c4980000] *pgd=03808811, *pte=00000000, *ppte=00000000
Internal error: Oops: 7 [#1] PREEMPT ARM
CPU: 0 PID: 1 Comm: swapper Not tainted 4.16.0-rc1+ #150
Hardware name: Gemini (Device Tree)
PC is at jedec_probe_chip+0x6ec/0xcd0
LR is at 0x4
pc : []    lr : [<00000004>]    psr: 60000013
sp : c382dd18  ip : 0000ffff  fp : 00000000
r10: c0626388  r9 : 00020000  r8 : c0626340
r7 : 00000000  r6 : 00000001  r5 : c3a71afc  r4 : c382dd70
r3 : 00000001  r2 : c4900000  r1 : 00000002  r0 : 00080000
Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
Control: 0000397f  Table: 00004000  DAC: 00000053
Process swapper (pid: 1, stack limit = 0x(ptrval))

Fix this by breaking the loop with a return 0 if
the offset exceeds the map size.

Signed-off-by: Linus Walleij
--- drivers/mtd/chips/jedec_probe.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/mtd/chips/jedec_probe.c b/drivers/mtd/chips/jedec_probe.c index 7c0b27d132b1..b479bd81120b 100644 --- a/drivers/mtd/chips/jedec_probe.c +++ b/drivers/mtd/chips/jedec_probe.c @@ -1889,6 +1889,8 @@ static inline u32 jedec_read_mfr(struct map_info *map, uint32_t base, do { uint32_t ofs = cfi_build_cmd_addr(0 + (bank << 8), map, cfi); mask = (1 << (cfi->device_type * 8)) - 1; + if (ofs >= map->size) + return 0; result = map_read(map, base + ofs); bank++; } while ((result.x[0] & mask) == CFI_MFR_CONTINUATION);
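Review bot: the new bounds check in the do-loop of jedec_read_mfr() tests `ofs >= map->size`, but the access on the following line is `map_read(map, base + ofs)`, so when `base` is non-zero the read can still land past the end of the map while `ofs` alone is in range. If `map->size` bounds the whole region that map_read() indexes, the check should be on the address actually read, for example `if (base + ofs >= map->size)`. It would also help to add a one-line comment above the `return 0` saying that 0 here means the continuation codes ran off the end of the map and no manufacturer ID was found, since the caller otherwise cannot tell it from a value read from the chip. Minor: the commit message names jedec_read_mfd() while the subject and the hunk header name jedec_read_mfr().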