| Message ID | 20171212204950.13799-1-juhosg@freemail.hu |
|---|---|
| State | Accepted |
| Delegated to: | John Crispin |
| Headers | show |
| Series | [LEDE-DEV] ar71xx: fix invalid pointer dereference in rb95x_nand_scan_fixup() | expand |
Citeren Gabor Juhos <juhosg@freemail.hu>: > Since Linux 4.6, mtd->priv no longer points to the NAND specific > structure. Under 4.9 it contains NULL, thus using it to access > chip->options causes an invalid pointer dereference (FS#1200). > > Update the code to use the mtd_to_nand() helper under 4.9 to obtain > the address of the chip specific data. This same construction is present in other files as well: target/linux/ar71xx/files/arch/mips/ath79/mach-c60.c: struct nand_chip *chip = mtd->priv; target/linux/ar71xx/files/arch/mips/ath79/mach-rb2011.c: struct nand_chip *chip = mtd->priv; target/linux/ar71xx/files/arch/mips/ath79/mach-rb922.c: struct nand_chip *chip = mtd->priv; target/linux/ar71xx/files/arch/mips/ath79/mach-rb95x.c: struct nand_chip *chip = mtd->priv; target/linux/ar71xx/files/arch/mips/ath79/mach-rbsxtlite.c: struct nand_chip *chip = mtd->priv; Shouldn't these be included in this patch as well for sake of completeness? > Fixes: 7bbf4117c6fe ("ar71xx: Add kernel 4.9 support") > Signed-off-by: Gabor Juhos <juhosg@freemail.hu> > --- > target/linux/ar71xx/files/arch/mips/ath79/mach-rb95x.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/target/linux/ar71xx/files/arch/mips/ath79/mach-rb95x.c > b/target/linux/ar71xx/files/arch/mips/ath79/mach-rb95x.c > index 9eaeaa7f9d..5e24694d5c 100644 > --- a/target/linux/ar71xx/files/arch/mips/ath79/mach-rb95x.c > +++ b/target/linux/ar71xx/files/arch/mips/ath79/mach-rb95x.c > @@ -207,7 +207,11 @@ static const struct mtd_ooblayout_ops > rb95x_nand_ecclayout_ops = { > > static int rb95x_nand_scan_fixup(struct mtd_info *mtd) > { > +#if LINUX_VERSION_CODE < KERNEL_VERSION(4,6,0) > struct nand_chip *chip = mtd->priv; > +#else > + struct nand_chip *chip = mtd_to_nand(mtd); > +#endif /* < 4.6.0 */ > > if (mtd->writesize == 512) { > /*
Hello, >> Since Linux 4.6, mtd->priv no longer points to the NAND specific >> structure. Under 4.9 it contains NULL, thus using it to access >> chip->options causes an invalid pointer dereference (FS#1200). >> >> Update the code to use the mtd_to_nand() helper under 4.9 to obtain >> the address of the chip specific data. > > This same construction is present in other files as well: > > target/linux/ar71xx/files/arch/mips/ath79/mach-c60.c: struct > nand_chip *chip = mtd->priv; > target/linux/ar71xx/files/arch/mips/ath79/mach-rb2011.c: struct > nand_chip *chip = mtd->priv; > target/linux/ar71xx/files/arch/mips/ath79/mach-rb922.c: struct > nand_chip *chip = mtd->priv; > target/linux/ar71xx/files/arch/mips/ath79/mach-rb95x.c: struct > nand_chip *chip = mtd->priv; > target/linux/ar71xx/files/arch/mips/ath79/mach-rbsxtlite.c: struct > nand_chip *chip = mtd->priv; > > Shouldn't these be included in this patch as well for sake of completeness? Good point, mach-c60.c should be fixed as well. I will send a separate patch for that. The other mach-rb*.c files are not affected. The fields of the nand_chip structure are not accessed under 4.9 in those files. Regards, Gabor
diff --git a/target/linux/ar71xx/files/arch/mips/ath79/mach-rb95x.c b/target/linux/ar71xx/files/arch/mips/ath79/mach-rb95x.c index 9eaeaa7f9d..5e24694d5c 100644 --- a/target/linux/ar71xx/files/arch/mips/ath79/mach-rb95x.c +++ b/target/linux/ar71xx/files/arch/mips/ath79/mach-rb95x.c @@ -207,7 +207,11 @@ static const struct mtd_ooblayout_ops rb95x_nand_ecclayout_ops = { static int rb95x_nand_scan_fixup(struct mtd_info *mtd) { +#if LINUX_VERSION_CODE < KERNEL_VERSION(4,6,0) struct nand_chip *chip = mtd->priv; +#else + struct nand_chip *chip = mtd_to_nand(mtd); +#endif /* < 4.6.0 */ if (mtd->writesize == 512) { /*
Since Linux 4.6, mtd->priv no longer points to the NAND specific structure. Under 4.9 it contains NULL, thus using it to access chip->options causes an invalid pointer dereference (FS#1200). Update the code to use the mtd_to_nand() helper under 4.9 to obtain the address of the chip specific data. Fixes: 7bbf4117c6fe ("ar71xx: Add kernel 4.9 support") Signed-off-by: Gabor Juhos <juhosg@freemail.hu> --- target/linux/ar71xx/files/arch/mips/ath79/mach-rb95x.c | 4 ++++ 1 file changed, 4 insertions(+)