Date: Thu, 19 Oct 2023 22:27:28 +0200 (CEST)
From: Richard Weinberger
To: ZhaoLong Wang
Cc: Miquel Raynal, Vignesh Raghavendra, dpervushin@embeddedalley.com, Artem Bityutskiy, linux-mtd, linux-kernel, chengzhihao1, yi zhang, yangerkun
Message-ID: <1381458025.20897.1697747248632.JavaMail.zimbra@nod.at>
In-Reply-To: <20231018121618.778385-1-wangzhaolong1@huawei.com>
References: <20231018121618.778385-1-wangzhaolong1@huawei.com>
Subject: Re: [PATCH v2] ubi: gluebi: Fix NULL pointer dereference caused by ftl notifier
X-Mailing-List: linux-kernel@vger.kernel.org

----- Original Mail -----
> From: "ZhaoLong Wang"
> To: "richard", "Miquel Raynal", "Vignesh Raghavendra", dpervushin@embeddedalley.com, "Artem Bityutskiy"
> CC: "linux-mtd", "linux-kernel", "chengzhihao1", "ZhaoLong Wang", "yi zhang", "yangerkun"
> Sent: Wednesday, 18 October 2023 14:16:18
> Subject: [PATCH v2] ubi: gluebi: Fix NULL pointer dereference caused by ftl notifier

> If both ftl.ko and gluebi.ko are loaded, the notifier of ftl
> triggers NULL pointer dereference when trying to access
> 'gluebi->desc' in gluebi_read().
>
>  ubi_gluebi_init
>    ubi_register_volume_notifier
>      ubi_enumerate_volumes
>        ubi_notify_all
>          gluebi_notify                     nb->notifier_call()
>            gluebi_create
>              mtd_device_register
>                mtd_device_parse_register
>                  add_mtd_device
>                    blktrans_notify_add     not->add()
>                      ftl_add_mtd           tr->add_mtd()
>                        scan_header
>                          mtd_read
>                            mtd_read
>                              mtd_read_oob
>                                gluebi_read mtd->read()
>                                  gluebi->desc - NULL
>
> Detailed reproduction information available at the link[1],
>
> In the normal case, obtain gluebi->desc in the gluebi_get_device(),
> and accesses gluebi->desc in the gluebi_read(). However,
> gluebi_get_device() is not executed in advance in the
> ftl_add_mtd() process, which leads to NULL pointer dereference.
>
> The value of gluebi->desc may also be a negative error code, which
> triggers the page fault error.
>
> This patch has the following modifications:
>
> 1. Do not assign gluebi->desc to the error code. Use the NULL instead.
>
> 2. Always check the validity of gluebi->desc in gluebi_read(). If the
> gluebi->desc is NULL, try to get MTD device.
>
> Such a modification currently works because the mutex "mtd_table_mutex"
> is held on all necessary paths, including the ftl_add_mtd() call path,
> open and close paths. Therefore, many race conditions can be avoided.

I see the problem, but I'm not really satisfied by the solution.
Adding this hack to gluebi_read() is not nice at all.

Is there a strong reason why we have to defer ubi_open_volume() to gluebi_get_device()?

Miquel, what do you think?

Thanks,
//richard
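The two failure modes the commit message describes (a read that runs before the volume was ever opened, and an error code stored in a pointer field and later dereferenced) and the two modifications it proposes can be modelled in plain userspace C. The block below is an added illustration for this thread, not kernel code, not the patch under review and not written by either participant. `err_ptr()`, `is_err()` and `ptr_err()` mimic the kernel's `ERR_PTR()`/`IS_ERR()`/`PTR_ERR()` helpers; `struct volume_desc`, `open_volume()`, `struct gluebi_model` and the `_before`/`_after` function pairs are constructed stand-ins for `ubi_open_volume()`, `gluebi_get_device()` and `gluebi_read()`. The model is single-threaded, so the `mtd_table_mutex` serialisation the mail relies on is assumed rather than shown.

```c
/*
 * Added illustration, not kernel code and not the patch under review:
 * a single-threaded userspace model of the gluebi->desc problem.
 * err_ptr()/is_err()/ptr_err() mimic ERR_PTR()/IS_ERR()/PTR_ERR();
 * everything else is a constructed stand-in for the real gluebi code.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ERRNO 4095
static inline void *err_ptr(long error) { return (void *)(intptr_t)error; }
static inline int is_err(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }
static inline long ptr_err(const void *p) { return (long)(intptr_t)p; }

struct volume_desc { unsigned char data[64]; };

struct gluebi_model {
	struct volume_desc *desc;   /* NULL until the volume has been opened */
	int open_should_fail;       /* constructed knob: make open_volume() fail */
};

/* Stand-in for ubi_open_volume(): descriptor on success, ERR_PTR on failure. */
static struct volume_desc *open_volume(struct gluebi_model *g)
{
	if (g->open_should_fail)
		return err_ptr(-ENODEV);
	struct volume_desc *d = calloc(1, sizeof(*d));
	memset(d->data, 0xA5, sizeof(d->data));
	return d;
}

/* Before the fix: the error code from the open is stored in the pointer field. */
static int get_device_before(struct gluebi_model *g)
{
	g->desc = open_volume(g);   /* may now encode -ENODEV, not a pointer */
	return is_err(g->desc) ? (int)ptr_err(g->desc) : 0;
}

/* After the fix: the error is returned, never stored; desc stays NULL. */
static int get_device_after(struct gluebi_model *g)
{
	struct volume_desc *d = open_volume(g);
	if (is_err(d))
		return (int)ptr_err(d);
	g->desc = d;
	return 0;
}

/*
 * Before the fix: read trusts desc. With no get_device() run first, or after
 * a failed open, desc is NULL or an encoded errno and the kernel faults.
 * The model returns -EFAULT in place of the dereference.
 */
static int read_before(struct gluebi_model *g, unsigned char *out, size_t len)
{
	if (!g->desc || is_err(g->desc))
		return -EFAULT;
	memcpy(out, g->desc->data, len);
	return 0;
}

/* After the fix: validate desc and open the volume lazily while it is NULL. */
static int read_after(struct gluebi_model *g, unsigned char *out, size_t len)
{
	if (!g->desc) {
		int err = get_device_after(g);
		if (err)
			return err;
	}
	memcpy(out, g->desc->data, len);
	return 0;
}

/* Read on a device that was registered but never opened (the ftl_add_mtd path). */
static int scenario_read_without_open(int fixed)
{
	struct gluebi_model g = { .desc = NULL };
	unsigned char buf[8];
	int rc = fixed ? read_after(&g, buf, sizeof buf) : read_before(&g, buf, sizeof buf);
	free(g.desc);
	return rc;
}

/* The open fails, then a read follows. */
static int scenario_open_fails_then_read(int fixed)
{
	struct gluebi_model g = { .desc = NULL, .open_should_fail = 1 };
	unsigned char buf[8];
	if (fixed) {
		(void)get_device_after(&g);   /* returns -ENODEV, desc stays NULL */
		return read_after(&g, buf, sizeof buf);
	}
	(void)get_device_before(&g);      /* desc now encodes -ENODEV */
	return read_before(&g, buf, sizeof buf);
}

int main(void)
{
	printf("read without open: before=%d after=%d\n",
	       scenario_read_without_open(0), scenario_read_without_open(1));
	printf("open fails, then read: before=%d after=%d\n",
	       scenario_open_fails_then_read(0), scenario_open_fails_then_read(1));
	return 0;
}
```

Both `_before` scenarios end in the modelled fault; with the `_after` pair, the never-opened read succeeds by opening lazily, and the failed-open read returns the open's own error code instead of touching an encoded errno. This is exactly the property the lazy check in `gluebi_read()` buys, and also why Richard's question matters: opening in `gluebi_create()` instead would give the same guarantee without a check on every read.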