From patchwork Sun Dec 23 00:31:26 2018
X-Patchwork-Submitter: Christian Lamparter
X-Patchwork-Id: 1017933
X-Patchwork-Delegate: boris.brezillon@free-electrons.com
From: Christian Lamparter
To: linux-mtd@lists.infradead.org
Subject: [PATCH] mtd: rawnand: qcom: fix memory corruption that causes panic
Date: Sun, 23 Dec 2018 01:31:26 +0100
Message-Id: <20181223003126.1704-1-chunkeey@gmail.com>
Cc: Boris Brezillon, Richard Weinberger, Marek Vasut, Abhishek Sahu, Miquel Raynal, Brian Norris, David Woodhouse

This patch fixes a memory corruption that occurred in the
qcom-nandc driver since it was converted to nand_scan().

On boot, an affected device will panic from a NPE at a weird place:

| Unable to handle kernel NULL pointer dereference at virtual address 0
| pgd = (ptrval)
| [00000000] *pgd=00000000
| Internal error: Oops: 80000005 [#1] SMP ARM
| CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.19.9 #0
| Hardware name: Generic DT based system
| PC is at (null)
| LR is at nand_block_isbad+0x90/0xa4
| pc : [<00000000>] lr : [] psr: 80000013
| sp : cf839d40 ip : 00000000 fp : cfae9e20
| r10: cf815810 r9 : 00000000 r8 : 00000000
| r7 : 00000000 r6 : 00000000 r5 : 00000001 r4 : cf815810
| r3 : 00000000 r2 : cfae9810 r1 : ffffffff r0 : cf815810
| Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
| Control: 10c5387d Table: 8020406a DAC: 00000051
| Process swapper/0 (pid: 1, stack limit = 0x(ptrval))
| [] (nand_block_isbad) from []
| [] (allocate_partition) from []
| [] (add_mtd_partitions) from []
| [] (parse_mtd_partitions) from []
| [] (mtd_device_parse_register) from []
| [] (qcom_nandc_probe) from []

The problem is that the nand_scan()'s qcom_nand_attach_chip callback
is updating the nandc->max_cwperpage from 1 to 4. This causes the
sg_init_table of clear_bam_transaction() in the driver's
qcom_nandc_block_bad() to memset much more than what was initially
allocated by alloc_bam_transaction().

This patch restores the old behavior by reallocating the shared bam
transaction alloc_bam_transaction() after the chip was identified,
but before mtd_device_parse_register() (which is an alias for
mtd_device_register() - see panic) gets called. This fixes the
corruption and the driver is working again.

Cc: stable@vger.kernel.org
Fixes: 6a3cec64f18c ("mtd: rawnand: qcom: convert driver to nand_scan()")
Signed-off-by: Christian Lamparter
Acked-by: Miquel Raynal
---
 drivers/mtd/nand/raw/qcom_nandc.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/drivers/mtd/nand/raw/qcom_nandc.c b/drivers/mtd/nand/raw/qcom_nandc.c index 699d3cf49c6d..7c42a57aca1f 100644 --- a/drivers/mtd/nand/raw/qcom_nandc.c +++ b/drivers/mtd/nand/raw/qcom_nandc.c @@ -2833,6 +2833,16 @@ static int qcom_nand_host_init_and_register(struct qcom_nand_controller *nandc, if (ret) return ret; + if (nandc->props->is_bam) { + free_bam_transaction(nandc); + nandc->bam_txn = alloc_bam_transaction(nandc); + if (!nandc->bam_txn) { + dev_err(nandc->dev, + "failed to allocate bam transaction\n"); + return -ENOMEM; + } + } + ret = mtd_device_register(mtd, NULL, 0); if (ret) nand_cleanup(chip); @@ -2847,16 +2857,6 @@ static int qcom_probe_nand_devices(struct qcom_nand_controller *nandc) struct qcom_nand_host *host; int ret; - if (nandc->props->is_bam) { - free_bam_transaction(nandc); - nandc->bam_txn = alloc_bam_transaction(nandc); - if (!nandc->bam_txn) { - dev_err(nandc->dev, - "failed to allocate bam transaction\n"); - return -ENOMEM; - } - } - for_each_available_child_of_node(dn, child) { host = devm_kzalloc(dev, sizeof(*host), GFP_KERNEL); if (!host) {
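
Review bot: in the first hunk (qcom_nand_host_init_and_register), the new failure path `return -ENOMEM;` leaves without calling nand_cleanup(chip), while the mtd_device_register() failure directly below it does call nand_cleanup(chip). The added block sits after the earlier `if (ret) return ret;` check, so the chip appears to be set up already at this point and the allocation failure should probably unwind the same way, for example by calling nand_cleanup(chip) before returning. A short code comment stating that the reallocation has to happen after the chip is identified and before mtd_device_register() would also keep the block from being moved back later.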
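
Review bot: in the second hunk (qcom_probe_nand_devices), the reallocation used to run once, before the for_each_available_child_of_node() loop; after the move it lives in the per-host registration path, so, assuming qcom_nand_host_init_and_register() is called for each child of this loop, the shared nandc->bam_txn is now freed and reallocated once per host. Please confirm that calling free_bam_transaction(nandc) while an earlier host is already registered is safe, and that the size computed for a later chip can never be smaller than what an earlier chip needs. A sentence on the multi-chip case in the commit message would settle this.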