From patchwork Mon Nov 11 19:13:41 2013
X-Patchwork-Submitter: Fabio Estevam
X-Patchwork-Id: 290470
From: Fabio Estevam
To: computersforpeace@gmail.com
Cc: Fabio Estevam, b32955@freescale.com, linux-mtd@lists.infradead.org, stable@vger.kernel.org
Subject: [PATCH v2] mtd: gpmi: Fix NULL pointer dereference
Date: Mon, 11 Nov 2013 17:13:41 -0200
Message-Id: <1384197222-23783-1-git-send-email-festevam@gmail.com>
X-Mailer: git-send-email 1.8.1.2
List-Id: Linux MTD discussion mailing list
From: Fabio Estevam

Currently mx23_check_transcription_stamp() uses chip->buffers->databuf as its buffer, which is allocated by nand_scan_tail().

Since commit 720e7ce5 ("mtd: gpmi: remove the nand_scan()"), mx23_check_transcription_stamp() is called before nand_scan_tail(), which causes a NULL pointer dereference:

[ 1.150000] NAND device: Manufacturer ID: 0xec, Chip ID: 0xd7 (Samsung NAND 4GiB 3,3V 8-bit), 4096MiB, page size: 4096, OOB size: 8
[ 1.160000] Unable to handle kernel NULL pointer dereference at virtual address 000005d0
[ 1.170000] pgd = c0004000
[ 1.170000] [000005d0] *pgd=00000000
[ 1.180000] Internal error: Oops: 5 [#1] ARM
[ 1.180000] Modules linked in:
[ 1.180000] CPU: 0 PID: 1 Comm: swapper Not tainted 3.12.0 #89
[ 1.180000] task: c7440000 ti: c743a000 task.ti: c743a000
[ 1.180000] PC is at memcmp+0x10/0x54
[ 1.180000] LR is at gpmi_nand_probe+0x42c/0x894
[ 1.180000] pc : [] lr : [] psr: 20000053
[ 1.180000] sp : c743be2c ip : 600000d3 fp : ffffffff
[ 1.180000] r10: 000005d0 r9 : c02f5f08 r8 : 00000000
[ 1.180000] r7 : c75858a8 r6 : c75858a8 r5 : c7585b18 r4 : c7585800
[ 1.180000] r3 : 000005d0 r2 : 00000004 r1 : c05c33e4 r0 : 000005d0
[ 1.180000] Flags: nzCv IRQs on FIQs off Mode SVC_32 ISA ARM Segment kernel
[ 1.180000] Control: 0005317f Table: 40004000 DAC: 00000017
[ 1.180000] Process swapper (pid: 1, stack limit = 0xc743a1c0)

In order to fix this problem, allocate the buffer locally via kzalloc().

Also, as mx23_check_transcription_stamp() can return an error code now, adapt the logic in mx23_boot_init() to take this into account.

Cc: # 3.12
Signed-off-by: Fabio Estevam
Signed-off-by: Brian Norris
---
Changes since v1:
- Drop sizeof(*buffer) from size calculation in kzalloc (Brian Norris)
- Propagate the error if mx23_check_transcription_stamp returns a negative error code (Brian Norris)

 drivers/mtd/nand/gpmi-nand/gpmi-nand.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/drivers/mtd/nand/gpmi-nand/gpmi-nand.c b/drivers/mtd/nand/gpmi-nand/gpmi-nand.c index a9830ff..f99b876 100644 --- a/drivers/mtd/nand/gpmi-nand/gpmi-nand.c +++ b/drivers/mtd/nand/gpmi-nand/gpmi-nand.c @@ -1342,7 +1342,7 @@ static int mx23_check_transcription_stamp(struct gpmi_nand_data *this) unsigned int search_area_size_in_strides; unsigned int stride; unsigned int page; - uint8_t *buffer = chip->buffers->databuf; + uint8_t *buffer; int saved_chip_number; int found_an_ncb_fingerprint = false; @@ -1352,6 +1352,9 @@ static int mx23_check_transcription_stamp(struct gpmi_nand_data *this) saved_chip_number = this->current_chip; chip->select_chip(mtd, 0); + buffer = kzalloc(strlen(fingerprint), GFP_KERNEL); + if (!buffer) + return -ENOMEM; /* * Loop through the first search area, looking for the NCB fingerprint. */ @@ -1380,6 +1383,8 @@ static int mx23_check_transcription_stamp(struct gpmi_nand_data *this) chip->select_chip(mtd, saved_chip_number); + kfree(buffer); + if (found_an_ncb_fingerprint) dev_dbg(dev, "\tFound a fingerprint\n"); else @@ -1488,7 +1493,11 @@ static int mx23_boot_init(struct gpmi_nand_data *this) * transcription stamp. If we find it, then we don't have to do * anything -- the block marks are already transcribed. */ - if (mx23_check_transcription_stamp(this)) + + ret = mx23_check_transcription_stamp(this); + if (ret < 0) + return ret; + else if (ret) return 0; /*
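Review bot: in the second hunk (@@ -1352) the new `return -ENOMEM;` runs after `chip->select_chip(mtd, 0);` but skips the `chip->select_chip(mtd, saved_chip_number);` restore that the normal exit path performs, so a failed allocation leaves chip 0 selected on return. Either move the `kzalloc()` above the `select_chip(mtd, 0)` call or restore the saved chip before returning. Also, `buffer` is now only `strlen(fingerprint)` bytes where it used to be the full `databuf`, so the read into `buffer` inside the search loop (not in this diff) must be bounded by `strlen(fingerprint)`.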
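Review bot: in the third hunk (@@ -1380) `kfree(buffer);` sits after the chip restore, which is fine for the fall-through path, but the search loop between the allocation and this `kfree()` is outside the diff; confirm it contains no early `return`, since any such path would now leak the buffer.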
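Review bot: in the last hunk (@@ -1488) the `else` after `return ret;` is redundant; `if (ret < 0) return ret; if (ret) return 0;` reads cleaner and matches kernel style. The hunk also inserts a blank line directly after the closing `*/` of the comment that describes this check, separating the comment from the code it documents; drop it. Finally, the hunk adds no declaration of `ret`, so confirm mx23_boot_init() already declares it.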
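A compact user-space model of the fixed function's shape, added here as an illustration and not taken from the driver: the scratch buffer is allocated locally instead of borrowed from nand_scan_tail(), the saved chip selection is restored on the -ENOMEM path as well as the normal one, and the result follows the 1 / 0 / -errno contract the patched caller relies on. The page size, search-area size, the "STMP" fingerprint string, the struct model and the flash images are all constructed for the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define PAGE_SIZE_B 8    /* constructed: tiny pages */
#define SEARCH_PAGES 4   /* constructed: pages in the search area */
static const char fingerprint[] = "STMP";  /* constructed stand-in for the NCB fingerprint */

struct model {
    const char *flash;   /* constructed flash image, SEARCH_PAGES * PAGE_SIZE_B bytes */
    int selected_chip;   /* models the chip->select_chip() state */
    bool fail_alloc;     /* test hook: make the local allocation fail */
};

/* Shape of the fixed check: buffer allocated locally (no dependence on
 * nand_scan_tail()), selected chip restored on every exit, and the result
 * is 1 = stamp found, 0 = not found, <0 = -errno. */
static int check_transcription_stamp(struct model *m)
{
    int saved_chip = m->selected_chip;
    size_t len = strlen(fingerprint);
    bool found = false;
    uint8_t *buffer;
    m->selected_chip = 0;
    buffer = m->fail_alloc ? NULL : calloc(1, len);   /* kzalloc() stand-in */
    if (!buffer) {
        m->selected_chip = saved_chip;   /* restore before bailing out */
        return -ENOMEM;
    }
    for (unsigned page = 0; page < SEARCH_PAGES && !found; page++) {
        memcpy(buffer, m->flash + page * PAGE_SIZE_B, len);   /* read_buf() stand-in */
        found = memcmp(buffer, fingerprint, len) == 0;
    }
    m->selected_chip = saved_chip;
    free(buffer);
    return found;
}

/* Constructed flash images: fingerprint in page 2, and no fingerprint at all. */
static const char img_with_stamp[] = "........" "........" "STMP...." "........";
static const char img_no_stamp[]   = "........" "........" "........" "........";

/* Run one scenario from chip 3; leaves the chip selected afterwards in *chip_after. */
static int run(const char *img, bool fail_alloc, int *chip_after)
{
    struct model m = { .flash = img, .selected_chip = 3, .fail_alloc = fail_alloc };
    int ret = check_transcription_stamp(&m);
    *chip_after = m.selected_chip;
    return ret;
}
```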