Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp3667580iob; Sat, 7 May 2022 11:20:35 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzq417C0QR8P9BV19BDdMPEewtowELfyQNZjUYRT/xz0hOFfg0X7zzVGgCvmFx0rXAY6Yn/ X-Received: by 2002:a17:903:41c7:b0:15e:b1f4:3530 with SMTP id u7-20020a17090341c700b0015eb1f43530mr9741741ple.84.1651947635638; Sat, 07 May 2022 11:20:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1651947635; cv=none; d=google.com; s=arc-20160816; b=QE+yQhQIxcIhN4MwE651KMf6wiqpQH0tLmtYZTo15FQlG/ybEAAET6bKf164fLCjsw FHRRQ7zzgX+9uyMMtBfwyNfH3s2+/WUx2BsIMxOC/2XkYVgEUho2icwpl8rsEuqLNM7s DbrdY49DLA1AVusPIJ2xv3qxOqQJCtJhT6fz4QO6ATFGDxezK3RAx0oTzWw/UIyzAcHU 6GisA6GBBaKXmrcXkk4rJiThVJkr4uV7RDTW7or/W4WATzX8HAQr49MJioiKde5+aJY9 mIZediZnE19yACggJkMiX4jcuwNce+pe2IDgr83+J60scnwUX+X4vjCof4Zm8OTbumEB B0tA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=SwOoHAX2bU/UaJaIDgBIC2/jx8qE2GrC9JRNOyKxPPk=; b=Dev1L0K+ZEkb58saliHHsB/6Gymf+7qOG2eisNHojnWeLKWPC2pFrjM+dBnncikihV krLd2y0jfiMFEuUbPmWvP2c+1WSmh9b/HnnRgElly+MNzj5QH8oz6L3FugKABc4ySUpf TYxjsxT9F4QrVTbJWYRB7l+9Xlfe2zgPwcD4vdFn2mZ4iOpUnnjqH+s9CTAl1zbfoPL1 4vwlwnhAnaLCFNt8mef6TpmICWA8JnDzOBvA1Pe0FmriwBxaHxK2XYXQHB/COR7pe50v OGVFF61JB1zBD5Hx+KPmEmf7V1OoiNq6JkN9H2Vf/XXQlBRWfKOiEvlLVy+HK7fGmPTU Jmpw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=1jUWDGn0; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id u14-20020a62790e000000b00505d916bf8esi7620531pfc.263.2022.05.07.11.20.20; Sat, 07 May 2022 11:20:35 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=1jUWDGn0; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1376284AbiEDRyF (ORCPT + 99 others); Wed, 4 May 2022 13:54:05 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58780 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1357737AbiEDRPN (ORCPT ); Wed, 4 May 2022 13:15:13 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C453C4C7AD; Wed, 4 May 2022 09:58:56 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 750A36179D; Wed, 4 May 2022 16:58:56 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id C4689C385AF; Wed, 4 May 2022 16:58:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1651683535; bh=9nkD2SE53bRlHU0pkR8vDTiiUJ6AdkmA6MVSqFni6Wk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=1jUWDGn0YfLqiGWMg8LrqHIwP6VTebrrDEa1qFeRhfBE288BIwb4duWlWdDDRyzOi VM+7hgu8c0dedGWgvlWQzlALH8SeFAW4Prhld7+AMaWgIKPTw9DuFpINaoWd0yzMeB VT22bGBXzLlxBqfP8OCOJ4i6JJrLDUeW16r5k7Yk= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Konrad Dybcio , Manivannan Sadhasivam , Sricharan R , Md Sadre Alam , Miquel Raynal Subject: [PATCH 5.17 183/225] mtd: rawnand: qcom: fix memory corruption that causes panic Date: Wed, 4 May 2022 18:47:01 +0200 Message-Id: <20220504153126.756708959@linuxfoundation.org> X-Mailer: git-send-email 2.36.0 In-Reply-To: <20220504153110.096069935@linuxfoundation.org> References: <20220504153110.096069935@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-7.7 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Md Sadre Alam commit ba7542eb2dd5dfc75c457198b88986642e602065 upstream. This patch fixes a memory corruption that occurred in the nand_scan() path for Hynix nand device. On boot, for Hynix nand device will panic at a weird place: | Unable to handle kernel NULL pointer dereference at virtual address 00000070 | [00000070] *pgd=00000000 | Internal error: Oops: 5 [#1] PREEMPT SMP ARM | Modules linked in: | CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.17.0-01473-g13ae1769cfb0 #38 | Hardware name: Generic DT based system | PC is at nandc_set_reg+0x8/0x1c | LR is at qcom_nandc_command+0x20c/0x5d0 | pc : [] lr : [] psr: 00000113 | sp : c14adc50 ip : c14ee208 fp : c0cc970c | r10: 000000a3 r9 : 00000000 r8 : 00000040 | r7 : c16f6a00 r6 : 00000090 r5 : 00000004 r4 :c14ee040 | r3 : 00000000 r2 : 0000000b r1 : 00000000 r0 :c14ee040 | Flags: nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none | Control: 10c5387d Table: 8020406a DAC: 00000051 | Register r0 information: slab kmalloc-2k start c14ee000 pointer offset 64 size 2048 | Process swapper/0 (pid: 1, stack limit = 0x(ptrval)) | nandc_set_reg from qcom_nandc_command+0x20c/0x5d0 | qcom_nandc_command from nand_readid_op+0x198/0x1e8 | nand_readid_op from hynix_nand_has_valid_jedecid+0x30/0x78 | hynix_nand_has_valid_jedecid from hynix_nand_init+0xb8/0x454 | hynix_nand_init from nand_scan_with_ids+0xa30/0x14a8 | nand_scan_with_ids from qcom_nandc_probe+0x648/0x7b0 | qcom_nandc_probe from platform_probe+0x58/0xac The problem is that the nand_scan()'s qcom_nand_attach_chip callback is updating the nandc->max_cwperpage from 1 to 4 or 8 based on page size. This causes the sg_init_table of clear_bam_transaction() in the driver's qcom_nandc_command() to memset much more than what was initially allocated by alloc_bam_transaction(). This patch will update nandc->max_cwperpage 1 to 4 or 8 based on page size in qcom_nand_attach_chip call back after freeing the previously allocated memory for bam txn as per nandc->max_cwperpage = 1 and then again allocating bam txn as per nandc->max_cwperpage = 4 or 8 based on page size in qcom_nand_attach_chip call back itself. Cc: stable@vger.kernel.org Fixes: 6a3cec64f18c ("mtd: rawnand: qcom: convert driver to nand_scan()") Reported-by: Konrad Dybcio Reviewed-by: Manivannan Sadhasivam Co-developed-by: Sricharan R Signed-off-by: Sricharan R Signed-off-by: Md Sadre Alam Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/1650268107-5363-1-git-send-email-quic_mdalam@quicinc.com Signed-off-by: Greg Kroah-Hartman --- drivers/mtd/nand/raw/qcom_nandc.c | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) --- a/drivers/mtd/nand/raw/qcom_nandc.c +++ b/drivers/mtd/nand/raw/qcom_nandc.c @@ -2651,10 +2651,23 @@ static int qcom_nand_attach_chip(struct ecc->engine_type = NAND_ECC_ENGINE_TYPE_ON_HOST; mtd_set_ooblayout(mtd, &qcom_nand_ooblayout_ops); + /* Free the initially allocated BAM transaction for reading the ONFI params */ + if (nandc->props->is_bam) + free_bam_transaction(nandc); nandc->max_cwperpage = max_t(unsigned int, nandc->max_cwperpage, cwperpage); + /* Now allocate the BAM transaction based on updated max_cwperpage */ + if (nandc->props->is_bam) { + nandc->bam_txn = alloc_bam_transaction(nandc); + if (!nandc->bam_txn) { + dev_err(nandc->dev, + "failed to allocate bam transaction\n"); + return -ENOMEM; + } + } + /* * DATA_UD_BYTES varies based on whether the read/write command protects * spare data with ECC too. We protect spare data by default, so we set @@ -2955,17 +2968,6 @@ static int qcom_nand_host_init_and_regis if (ret) return ret; - if (nandc->props->is_bam) { - free_bam_transaction(nandc); - nandc->bam_txn = alloc_bam_transaction(nandc); - if (!nandc->bam_txn) { - dev_err(nandc->dev, - "failed to allocate bam transaction\n"); - nand_cleanup(chip); - return -ENOMEM; - } - } - ret = mtd_device_parse_register(mtd, probes, NULL, NULL, 0); if (ret) nand_cleanup(chip);