Message ID | 20240306033404.18537-1-venkatesh.abbarapu@amd.com |
---|---|
State | Accepted |
Commit | 0508653ea65d7b708053c5cb6c2fb8632f68c885 |
Delegated to: | Dario Binacchi |
Series | [v2] mtd: nand: arasan: Fix the crash caused by use after free | expand |
On 3/6/24 04:34, Venkatesh Yadav Abbarapu wrote: > The below exception observed on QEMU, as it doesn't support > NAND controller. > > "Synchronous Abort" handler, esr 0x96000005, far 0x17acfc878 > elr: 000000000803ad40 lr : 000000000805f438 (reloc) > elr: 000000007fcb4d40 lr : 000000007fcd9438 > x0 : 000000007bbfc880 x1 : 00000000ff100000 > x2 : 000000007fcf059c x3 : 000000007bbfc870 > x4 : 000000007fd9a388 x5 : 000000017acfc870 > x6 : 0000000000000000 x7 : 000000007bbfd0e0 > x8 : 0000000000003dd4 x9 : 000000007bbeec0c > x10: 0000000000000001 x11: 0000000000003f8c > x12: 000000007bbeecfc x13: 000000007bbeeeb0 > x14: 000000007bbeeeb0 x15: 000000007bbee474 > x16: 000000007fcef18c x17: 0000000000000000 > x18: 000000007bbf9d70 x19: 000000007bbfc888 > x20: 000000007bbfc870 x21: 000000007fd68ddb > x22: 00000000ffffffed x23: 000000007bbfc878 > x24: 0000000000000000 x25: 0000000000000000 > x26: 0000000000000000 x27: 0000000000000000 > x28: 0000000000000000 x29: 000000007bbeed10 > > Code: 927ff8c1 924000c6 8b010065 f9400887 (f94004a2) > Resetting CPU ... > > The crash is caused by the use after free. > Updating the correct return codes rather than hardcoding. > Fixes: 3dd0f8cccd6d ("mtd: nand: Remove hardcoded base address of nand") > > Signed-off-by: Venkatesh Yadav Abbarapu <venkatesh.abbarapu@amd.com> > --- > Changes in v2: > - Updated the commit description. > --- > drivers/mtd/nand/raw/arasan_nfc.c | 27 ++++++++++++++------------- > 1 file changed, 14 insertions(+), 13 deletions(-) > > diff --git a/drivers/mtd/nand/raw/arasan_nfc.c b/drivers/mtd/nand/raw/arasan_nfc.c > index 0b1b91f771..ffcd963b3d 100644 > --- a/drivers/mtd/nand/raw/arasan_nfc.c > +++ b/drivers/mtd/nand/raw/arasan_nfc.c > @@ -1232,7 +1232,7 @@ static int arasan_probe(struct udevice *dev) > struct nand_config *nand = &info->config; > struct mtd_info *mtd; > ofnode child; > - int err = -1; > + int ret; > const char *str; > > info->reg = dev_read_addr_ptr(dev); 
> @@ -1259,9 +1259,10 @@ static int arasan_probe(struct udevice *dev) > writel(0x0, &info->reg->pgm_reg); > > /* first scan to find the device and get the page size */ > - if (nand_scan_ident(mtd, CONFIG_SYS_NAND_MAX_CHIPS, NULL)) { > + ret = nand_scan_ident(mtd, CONFIG_SYS_NAND_MAX_CHIPS, NULL); > + if (ret) { > printf("%s: nand_scan_ident failed\n", __func__); > - goto fail; > + return ret; > } > > str = ofnode_read_string(nand_chip->flash_node, "nand-ecc-mode"); > @@ -1289,26 +1290,26 @@ static int arasan_probe(struct udevice *dev) > nand_chip->ecc.bytes = 0; > nand_chip->ecc.layout = &ondie_nand_oob_64; > } else { > - if (arasan_nand_ecc_init(mtd)) { > + ret = arasan_nand_ecc_init(mtd); > + if (ret) { > printf("%s: nand_ecc_init failed\n", __func__); > - goto fail; > + return ret; > } > } > > - if (nand_scan_tail(mtd)) { > + ret = nand_scan_tail(mtd); > + if (ret) { > printf("%s: nand_scan_tail failed\n", __func__); > - goto fail; > + return ret; > } > > - if (nand_register(0, mtd)) { > + ret = nand_register(0, mtd); > + if (ret) { > printf("Nand Register Fail\n"); > - goto fail; > + return ret; > } > > - return 0; > -fail: > - free(nand); > - return err; > + return ret; > } > > static const struct udevice_id arasan_nand_dt_ids[] = { Applied. M
diff --git a/drivers/mtd/nand/raw/arasan_nfc.c b/drivers/mtd/nand/raw/arasan_nfc.c
index 0b1b91f771..ffcd963b3d 100644
--- a/drivers/mtd/nand/raw/arasan_nfc.c
+++ b/drivers/mtd/nand/raw/arasan_nfc.c
@@ -1232,7 +1232,7 @@ static int arasan_probe(struct udevice *dev)
 struct nand_config *nand = &info->config;
 struct mtd_info *mtd;
 ofnode child;
- int err = -1;
+ int ret;
 const char *str;
 
 info->reg = dev_read_addr_ptr(dev);
@@ -1259,9 +1259,10 @@ static int arasan_probe(struct udevice *dev)
 writel(0x0, &info->reg->pgm_reg);
 
 /* first scan to find the device and get the page size */
- if (nand_scan_ident(mtd, CONFIG_SYS_NAND_MAX_CHIPS, NULL)) {
+ ret = nand_scan_ident(mtd, CONFIG_SYS_NAND_MAX_CHIPS, NULL);
+ if (ret) {
 printf("%s: nand_scan_ident failed\n", __func__);
- goto fail;
+ return ret;
 }
 
 str = ofnode_read_string(nand_chip->flash_node, "nand-ecc-mode");
@@ -1289,26 +1290,26 @@ static int arasan_probe(struct udevice *dev)
 nand_chip->ecc.bytes = 0;
 nand_chip->ecc.layout = &ondie_nand_oob_64;
 } else {
- if (arasan_nand_ecc_init(mtd)) {
+ ret = arasan_nand_ecc_init(mtd);
+ if (ret) {
 printf("%s: nand_ecc_init failed\n", __func__);
- goto fail;
+ return ret;
 }
 }
 
- if (nand_scan_tail(mtd)) {
+ ret = nand_scan_tail(mtd);
+ if (ret) {
 printf("%s: nand_scan_tail failed\n", __func__);
- goto fail;
+ return ret;
 }
 
- if (nand_register(0, mtd)) {
+ ret = nand_register(0, mtd);
+ if (ret) {
 printf("Nand Register Fail\n");
- goto fail;
+ return ret;
 }
 
- return 0;
-fail:
- free(nand);
- return err;
+ return ret;
 }
 
 static const struct udevice_id arasan_nand_dt_ids[] = {
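Review bot: The closing `+ return ret;` in the third hunk is only reached after `ret = nand_register(0, mtd)` returned zero, so it can only ever return 0; writing `return 0;` there states that directly instead of making the reader trace the last assignment, and it keeps a success path that cannot silently become an error path if another call is later added between `nand_register` and the return. Because the first hunk now declares `int ret;` without an initializer, any return of `ret` before `nand_scan_ident` assigns it would read an indeterminate value — the visible hunks all assign before returning, but arasan_probe begins before the first hunk and the code between hunks is not in this diff, so that should be checked at the call sites outside the patch. The removed `free(nand)` released `&info->config`, a pointer into the device's private data rather than a heap block, which is why dropping the `fail:` path is correct; a one-line comment at the first `return ret;`, such as `/* nothing to free: nand points into info->config, not a heap allocation */`, would keep a future maintainer from reintroducing the cleanup. If `nand_scan_ident` or `nand_scan_tail` allocate per-chip buffers, those are presumably left allocated on the later failure returns; that is a leak on an already-failed probe, not a crash, but worth confirming against the NAND core.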
The below exception is observed on QEMU, as it doesn't support the NAND controller.

"Synchronous Abort" handler, esr 0x96000005, far 0x17acfc878
elr: 000000000803ad40 lr : 000000000805f438 (reloc)
elr: 000000007fcb4d40 lr : 000000007fcd9438
x0 : 000000007bbfc880 x1 : 00000000ff100000
x2 : 000000007fcf059c x3 : 000000007bbfc870
x4 : 000000007fd9a388 x5 : 000000017acfc870
x6 : 0000000000000000 x7 : 000000007bbfd0e0
x8 : 0000000000003dd4 x9 : 000000007bbeec0c
x10: 0000000000000001 x11: 0000000000003f8c
x12: 000000007bbeecfc x13: 000000007bbeeeb0
x14: 000000007bbeeeb0 x15: 000000007bbee474
x16: 000000007fcef18c x17: 0000000000000000
x18: 000000007bbf9d70 x19: 000000007bbfc888
x20: 000000007bbfc870 x21: 000000007fd68ddb
x22: 00000000ffffffed x23: 000000007bbfc878
x24: 0000000000000000 x25: 0000000000000000
x26: 0000000000000000 x27: 0000000000000000
x28: 0000000000000000 x29: 000000007bbeed10

Code: 927ff8c1 924000c6 8b010065 f9400887 (f94004a2)
Resetting CPU ...

The crash is caused by the use after free.
Updating the correct return codes rather than hardcoding.
Fixes: 3dd0f8cccd6d ("mtd: nand: Remove hardcoded base address of nand")

Signed-off-by: Venkatesh Yadav Abbarapu <venkatesh.abbarapu@amd.com>
---
Changes in v2:
- Updated the commit description.
---
drivers/mtd/nand/raw/arasan_nfc.c | 27 ++++++++++++++-------------
1 file changed, 14 insertions(+), 13 deletions(-)