From: Brian Norris <computersforpeace@gmail.com>
To: <linux-mtd@lists.infradead.org>
Cc: "Brian Norris" <computersforpeace@gmail.com>,
"Rafał Miłecki" <zajec5@gmail.com>
Subject: [PATCH] mtd: spi-nor: fix NULL dereference when no match found in spi_nor_ids[]
Date: Wed, 2 Sep 2015 16:43:00 -0700 [thread overview]
Message-ID: <1441237380-18522-1-git-send-email-computersforpeace@gmail.com> (raw)
Commit 06bb6f5a69df ("mtd: spi-nor: stop (ab)using struct
spi_device_id") converted an array into a pointer, which means that
we should be checking if the pointer goes anywhere, not whether the C
string is empty. To do the latter means we dereference a NULL pointer
when we reach the terminating entry, for which 'name' is now NULL
instead of an array { 0, 0, ... }.
Sample crash:
[ 1.101371] Unable to handle kernel NULL pointer dereference at virtual address 00000000
[ 1.109457] pgd = c0004000
[ 1.112157] [00000000] *pgd=00000000
[ 1.115736] Internal error: Oops: 5 [#1] SMP ARM
[ 1.120345] Modules linked in:
[ 1.123405] CPU: 3 PID: 1 Comm: swapper/0 Not tainted 4.2.0-next-20150902+ #61
[ 1.130611] Hardware name: Rockchip (Device Tree)
[ 1.135306] task: ee0b8d40 ti: ee0ba000 task.ti: ee0ba000
[ 1.140697] PC is at spi_nor_scan+0x90/0x8c4
[ 1.144958] LR is at spi_nor_scan+0xa4/0x8c4
...
[ 1.504112] [<c03cc2e0>] (spi_nor_scan) from [<c03cb188>] (m25p_probe+0xc8/0x11c)
[ 1.511583] [<c03cb188>] (m25p_probe) from [<c03cd9d8>] (spi_drv_probe+0x60/0x7c)
[ 1.519055] [<c03cd9d8>] (spi_drv_probe) from [<c037faa0>] (driver_probe_device+0x1a0/0x444)
[ 1.527478] [<c037faa0>] (driver_probe_device) from [<c037fec8>] (__device_attach_driver+0x94/0xa0)
[ 1.536507] [<c037fec8>] (__device_attach_driver) from [<c037db3c>] (bus_for_each_drv+0x94/0xa4)
[ 1.545277] [<c037db3c>] (bus_for_each_drv) from [<c037f7e4>] (__device_attach+0xa4/0x144)
[ 1.553526] [<c037f7e4>] (__device_attach) from [<c0380058>] (device_initial_probe+0x1c/0x20)
[ 1.562035] [<c0380058>] (device_initial_probe) from [<c037ec88>] (bus_probe_device+0x38/0x94)
[ 1.570631] [<c037ec88>] (bus_probe_device) from [<c037ccf4>] (device_add+0x430/0x558)
[ 1.578534] [<c037ccf4>] (device_add) from [<c03d0240>] (spi_add_device+0xe4/0x174)
[ 1.586178] [<c03d0240>] (spi_add_device) from [<c03d0a24>] (spi_register_master+0x698/0x7d4)
[ 1.594688] [<c03d0a24>] (spi_register_master) from [<c03d0ba0>] (devm_spi_register_master+0x40/0x7c)
[ 1.603892] [<c03d0ba0>] (devm_spi_register_master) from [<c03d2fb4>] (rockchip_spi_probe+0x360/0x3f4)
[ 1.613182] [<c03d2fb4>] (rockchip_spi_probe) from [<c0381e34>] (platform_drv_probe+0x58/0xa8)
[ 1.621779] [<c0381e34>] (platform_drv_probe) from [<c037faa0>] (driver_probe_device+0x1a0/0x444)
[ 1.630635] [<c037faa0>] (driver_probe_device) from [<c037fdc4>] (__driver_attach+0x80/0xa4)
[ 1.639058] [<c037fdc4>] (__driver_attach) from [<c037e850>] (bus_for_each_dev+0x98/0xac)
[ 1.647221] [<c037e850>] (bus_for_each_dev) from [<c037f448>] (driver_attach+0x28/0x30)
[ 1.655210] [<c037f448>] (driver_attach) from [<c037ef74>] (bus_add_driver+0x128/0x250)
[ 1.663200] [<c037ef74>] (bus_add_driver) from [<c0380c40>] (driver_register+0xac/0xf0)
[ 1.671191] [<c0380c40>] (driver_register) from [<c0381d50>] (__platform_driver_register+0x58/0x6c)
[ 1.680221] [<c0381d50>] (__platform_driver_register) from [<c0a467c8>] (rockchip_spi_driver_init+0x18/0x20)
[ 1.690033] [<c0a467c8>] (rockchip_spi_driver_init) from [<c00098a4>] (do_one_initcall+0x124/0x1dc)
[ 1.699063] [<c00098a4>] (do_one_initcall) from [<c0a19f84>] (kernel_init_freeable+0x218/0x2ec)
[ 1.707748] [<c0a19f84>] (kernel_init_freeable) from [<c0719ed8>] (kernel_init+0x1c/0xf4)
[ 1.715912] [<c0719ed8>] (kernel_init) from [<c000fe50>] (ret_from_fork+0x14/0x24)
[ 1.723460] Code: e3510000 159f67c0 0a00000c e5961000 (e5d13000)
[ 1.729564] ---[ end trace 95baa6b3b861ce25 ]---
Fixes: 06bb6f5a69df ("mtd: spi-nor: stop (ab)using struct spi_device_id")
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Cc: Rafał Miłecki <zajec5@gmail.com>
---
drivers/mtd/spi-nor/spi-nor.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mtd/spi-nor/spi-nor.c b/drivers/mtd/spi-nor/spi-nor.c
index 25372f9b534e..f59aedfe1462 100644
--- a/drivers/mtd/spi-nor/spi-nor.c
+++ b/drivers/mtd/spi-nor/spi-nor.c
@@ -1218,7 +1218,7 @@ static const struct flash_info *spi_nor_match_id(const char *name)
{
const struct flash_info *id = spi_nor_ids;
- while (id->name[0]) {
+ while (id->name) {
if (!strcmp(name, id->name))
return id;
id++;
--
2.5.0.457.gab17608
next reply other threads:[~2015-09-02 23:43 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-09-02 23:43 Brian Norris [this message]
2015-09-03 20:33 ` [PATCH] mtd: spi-nor: fix NULL dereference when no match found in spi_nor_ids[] Brian Norris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1441237380-18522-1-git-send-email-computersforpeace@gmail.com \
--to=computersforpeace@gmail.com \
--cc=linux-mtd@lists.infradead.org \
--cc=zajec5@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.