Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp4626070iob; Sun, 8 May 2022 19:42:42 -0700 (PDT) X-Google-Smtp-Source: ABdhPJx5gwzmB1wx8jCJzuuTm3WLS4/xBPNhIw8o+YHjvHJ3kjac10qSMGaoCm3yM5meZPxIkH8m X-Received: by 2002:a17:902:f605:b0:154:aa89:bd13 with SMTP id n5-20020a170902f60500b00154aa89bd13mr14622178plg.112.1652064162465; Sun, 08 May 2022 19:42:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1652064162; cv=none; d=google.com; s=arc-20160816; b=frw2pDgHtoY9Iu66w2gRnkZmG79j4MSkh2Qr9061kKOVJWL+MmnBns/+Qsh0smVBnS hwiJj/rFAiNQq03RehjC3t66WFGSVE7Vv6UI0FEfhhZacxw/+1yoaTmsgj7eiB42c23K DlTiVyLAcVwZVEpU6kfnoVAj7BYeGgXmhtUAks5e6twE69MBWw3wSoOA+6Nhw0bpvnW7 WtrXi4+E1AIOBwhfRJotgF6aKjY5H8ruK9uvb9k9mLANg8GQSSJbprv6SRk5n/mS9OIc I+zTndS0cpRQHUunPaYJZD4r3OKt9XdMrqzXHAxUcLARAwgL+nA6a9js8wD36VzE4vKK ZkUg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=LaLNoXZuOANUDDRlERj8I84WMaHvf0eZwmi53FJcfdc=; b=Yz/T9FUtZsHifHo5NviDzOLA0l7HUwmg/oPG79BmMCESJEkQySABn5Db0wAa+aKLOZ mofpglC87c+zMsvABrFs7pMytMarwrMa/dL2yIHxI/ctkHCHnY1uJR0L+jYA4dIdYq56 f6CLCq0tG99/X46G+/aJT2PDHVccoO1a5/KXA0SlTryf+QE8oBGGm5lNbKGSZtnZVxn9 PMLtstXOceLQALIP2uqHVibrWKy2gptItPPdHmCKYkgN4GZN0yp+F/o2H6u6MC02O8OQ 9Tpcyk5vC8tQqqgsRM5fqGj/dcbIY2HoySBHynX97UqLZ/rHQYPqe79Ae+MXjLeRf6kz 5jNg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=xdVzsm1M; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id p8-20020aa79e88000000b004fa3a8e006fsi12097613pfq.294.2022.05.08.19.42.42 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 08 May 2022 19:42:42 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=xdVzsm1M; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id CC24B7648; Sun, 8 May 2022 19:40:54 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1359137AbiEDRnz (ORCPT + 99 others); Wed, 4 May 2022 13:43:55 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38804 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1356013AbiEDRI6 (ORCPT ); Wed, 4 May 2022 13:08:58 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 65763527D9; Wed, 4 May 2022 09:54:49 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id E8CCBB82552; Wed, 4 May 2022 16:54:47 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 7F2AAC385AA; Wed, 4 May 2022 16:54:46 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1651683286; bh=V0v9LxIcrNzOs2RS2t7EIxt9/eWLs0W0ZPrTycKHqTI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=xdVzsm1MUtba1j3ItHE5+x5mEQv18E9JJToyDEDNA4XOFoAWEFvOWqC6KhbjZzSte GBbpB/afXAfuKqVRGBUZV16CnHlFRBx4IYsEPeTz79+I3Grm6aFijxOgBaSqK1ibvl YdNvuAPwesllMOwmeX+lfSbvS9aaEreonQOtcyY4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Konrad Dybcio , Manivannan Sadhasivam , Sricharan R , Md Sadre Alam , Miquel Raynal Subject: [PATCH 5.15 144/177] mtd: rawnand: qcom: fix memory corruption that causes panic Date: Wed, 4 May 2022 18:45:37 +0200 Message-Id: <20220504153106.166117829@linuxfoundation.org> X-Mailer: git-send-email 2.36.0 In-Reply-To: <20220504153053.873100034@linuxfoundation.org> References: <20220504153053.873100034@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Md Sadre Alam commit ba7542eb2dd5dfc75c457198b88986642e602065 upstream. This patch fixes a memory corruption that occurred in the nand_scan() path for Hynix nand device. On boot, for Hynix nand device will panic at a weird place: | Unable to handle kernel NULL pointer dereference at virtual address 00000070 | [00000070] *pgd=00000000 | Internal error: Oops: 5 [#1] PREEMPT SMP ARM | Modules linked in: | CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.17.0-01473-g13ae1769cfb0 #38 | Hardware name: Generic DT based system | PC is at nandc_set_reg+0x8/0x1c | LR is at qcom_nandc_command+0x20c/0x5d0 | pc : [] lr : [] psr: 00000113 | sp : c14adc50 ip : c14ee208 fp : c0cc970c | r10: 000000a3 r9 : 00000000 r8 : 00000040 | r7 : c16f6a00 r6 : 00000090 r5 : 00000004 r4 :c14ee040 | r3 : 00000000 r2 : 0000000b r1 : 00000000 r0 :c14ee040 | Flags: nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none | Control: 10c5387d Table: 8020406a DAC: 00000051 | Register r0 information: slab kmalloc-2k start c14ee000 pointer offset 64 size 2048 | Process swapper/0 (pid: 1, stack limit = 0x(ptrval)) | nandc_set_reg from qcom_nandc_command+0x20c/0x5d0 | qcom_nandc_command from nand_readid_op+0x198/0x1e8 | nand_readid_op from hynix_nand_has_valid_jedecid+0x30/0x78 | hynix_nand_has_valid_jedecid from hynix_nand_init+0xb8/0x454 | hynix_nand_init from nand_scan_with_ids+0xa30/0x14a8 | nand_scan_with_ids from qcom_nandc_probe+0x648/0x7b0 | qcom_nandc_probe from platform_probe+0x58/0xac The problem is that the nand_scan()'s qcom_nand_attach_chip callback is updating the nandc->max_cwperpage from 1 to 4 or 8 based on page size. This causes the sg_init_table of clear_bam_transaction() in the driver's qcom_nandc_command() to memset much more than what was initially allocated by alloc_bam_transaction(). This patch will update nandc->max_cwperpage 1 to 4 or 8 based on page size in qcom_nand_attach_chip call back after freeing the previously allocated memory for bam txn as per nandc->max_cwperpage = 1 and then again allocating bam txn as per nandc->max_cwperpage = 4 or 8 based on page size in qcom_nand_attach_chip call back itself. Cc: stable@vger.kernel.org Fixes: 6a3cec64f18c ("mtd: rawnand: qcom: convert driver to nand_scan()") Reported-by: Konrad Dybcio Reviewed-by: Manivannan Sadhasivam Co-developed-by: Sricharan R Signed-off-by: Sricharan R Signed-off-by: Md Sadre Alam Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/1650268107-5363-1-git-send-email-quic_mdalam@quicinc.com Signed-off-by: Greg Kroah-Hartman --- drivers/mtd/nand/raw/qcom_nandc.c | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) --- a/drivers/mtd/nand/raw/qcom_nandc.c +++ b/drivers/mtd/nand/raw/qcom_nandc.c @@ -2641,10 +2641,23 @@ static int qcom_nand_attach_chip(struct ecc->engine_type = NAND_ECC_ENGINE_TYPE_ON_HOST; mtd_set_ooblayout(mtd, &qcom_nand_ooblayout_ops); + /* Free the initially allocated BAM transaction for reading the ONFI params */ + if (nandc->props->is_bam) + free_bam_transaction(nandc); nandc->max_cwperpage = max_t(unsigned int, nandc->max_cwperpage, cwperpage); + /* Now allocate the BAM transaction based on updated max_cwperpage */ + if (nandc->props->is_bam) { + nandc->bam_txn = alloc_bam_transaction(nandc); + if (!nandc->bam_txn) { + dev_err(nandc->dev, + "failed to allocate bam transaction\n"); + return -ENOMEM; + } + } + /* * DATA_UD_BYTES varies based on whether the read/write command protects * spare data with ECC too. We protect spare data by default, so we set @@ -2945,17 +2958,6 @@ static int qcom_nand_host_init_and_regis if (ret) return ret; - if (nandc->props->is_bam) { - free_bam_transaction(nandc); - nandc->bam_txn = alloc_bam_transaction(nandc); - if (!nandc->bam_txn) { - dev_err(nandc->dev, - "failed to allocate bam transaction\n"); - nand_cleanup(chip); - return -ENOMEM; - } - } - ret = mtd_device_parse_register(mtd, probes, NULL, NULL, 0); if (ret) nand_cleanup(chip);