From: Brian Norris <computersforpeace@gmail.com>
To: linux-mtd@lists.infradead.org
Cc: "Rafał Miłecki" <zajec5@gmail.com>
Subject: Re: [PATCH] mtd: spi-nor: fix NULL dereference when no match found in spi_nor_ids[]
Date: Thu, 3 Sep 2015 13:33:18 -0700
Message-ID: <20150903203318.GC81844@google.com>
In-Reply-To: <1441237380-18522-1-git-send-email-computersforpeace@gmail.com>

On Wed, Sep 02, 2015 at 04:43:00PM -0700, Brian Norris wrote:
> Commit 06bb6f5a69df ("mtd: spi-nor: stop (ab)using struct
> spi_device_id") converted an array into a pointer, which means that
> we should be checking if the pointer goes anywhere, not whether the C
> string is empty. To do the latter means we dereference a NULL pointer
> when we reach the terminating entry, for which 'name' is now NULL
> instead of an array { 0, 0, ... }.
> 
> Sample crash:
> 
> [    1.101371] Unable to handle kernel NULL pointer dereference at virtual address 00000000
> [    1.109457] pgd = c0004000
> [    1.112157] [00000000] *pgd=00000000
> [    1.115736] Internal error: Oops: 5 [#1] SMP ARM
> [    1.120345] Modules linked in:
> [    1.123405] CPU: 3 PID: 1 Comm: swapper/0 Not tainted 4.2.0-next-20150902+ #61
> [    1.130611] Hardware name: Rockchip (Device Tree)
> [    1.135306] task: ee0b8d40 ti: ee0ba000 task.ti: ee0ba000
> [    1.140697] PC is at spi_nor_scan+0x90/0x8c4
> [    1.144958] LR is at spi_nor_scan+0xa4/0x8c4
> ...
> [    1.504112] [<c03cc2e0>] (spi_nor_scan) from [<c03cb188>] (m25p_probe+0xc8/0x11c)
> [    1.511583] [<c03cb188>] (m25p_probe) from [<c03cd9d8>] (spi_drv_probe+0x60/0x7c)
> [    1.519055] [<c03cd9d8>] (spi_drv_probe) from [<c037faa0>] (driver_probe_device+0x1a0/0x444)
> [    1.527478] [<c037faa0>] (driver_probe_device) from [<c037fec8>] (__device_attach_driver+0x94/0xa0)
> [    1.536507] [<c037fec8>] (__device_attach_driver) from [<c037db3c>] (bus_for_each_drv+0x94/0xa4)
> [    1.545277] [<c037db3c>] (bus_for_each_drv) from [<c037f7e4>] (__device_attach+0xa4/0x144)
> [    1.553526] [<c037f7e4>] (__device_attach) from [<c0380058>] (device_initial_probe+0x1c/0x20)
> [    1.562035] [<c0380058>] (device_initial_probe) from [<c037ec88>] (bus_probe_device+0x38/0x94)
> [    1.570631] [<c037ec88>] (bus_probe_device) from [<c037ccf4>] (device_add+0x430/0x558)
> [    1.578534] [<c037ccf4>] (device_add) from [<c03d0240>] (spi_add_device+0xe4/0x174)
> [    1.586178] [<c03d0240>] (spi_add_device) from [<c03d0a24>] (spi_register_master+0x698/0x7d4)
> [    1.594688] [<c03d0a24>] (spi_register_master) from [<c03d0ba0>] (devm_spi_register_master+0x40/0x7c)
> [    1.603892] [<c03d0ba0>] (devm_spi_register_master) from [<c03d2fb4>] (rockchip_spi_probe+0x360/0x3f4)
> [    1.613182] [<c03d2fb4>] (rockchip_spi_probe) from [<c0381e34>] (platform_drv_probe+0x58/0xa8)
> [    1.621779] [<c0381e34>] (platform_drv_probe) from [<c037faa0>] (driver_probe_device+0x1a0/0x444)
> [    1.630635] [<c037faa0>] (driver_probe_device) from [<c037fdc4>] (__driver_attach+0x80/0xa4)
> [    1.639058] [<c037fdc4>] (__driver_attach) from [<c037e850>] (bus_for_each_dev+0x98/0xac)
> [    1.647221] [<c037e850>] (bus_for_each_dev) from [<c037f448>] (driver_attach+0x28/0x30)
> [    1.655210] [<c037f448>] (driver_attach) from [<c037ef74>] (bus_add_driver+0x128/0x250)
> [    1.663200] [<c037ef74>] (bus_add_driver) from [<c0380c40>] (driver_register+0xac/0xf0)
> [    1.671191] [<c0380c40>] (driver_register) from [<c0381d50>] (__platform_driver_register+0x58/0x6c)
> [    1.680221] [<c0381d50>] (__platform_driver_register) from [<c0a467c8>] (rockchip_spi_driver_init+0x18/0x20)
> [    1.690033] [<c0a467c8>] (rockchip_spi_driver_init) from [<c00098a4>] (do_one_initcall+0x124/0x1dc)
> [    1.699063] [<c00098a4>] (do_one_initcall) from [<c0a19f84>] (kernel_init_freeable+0x218/0x2ec)
> [    1.707748] [<c0a19f84>] (kernel_init_freeable) from [<c0719ed8>] (kernel_init+0x1c/0xf4)
> [    1.715912] [<c0719ed8>] (kernel_init) from [<c000fe50>] (ret_from_fork+0x14/0x24)
> [    1.723460] Code: e3510000 159f67c0 0a00000c e5961000 (e5d13000)
> [    1.729564] ---[ end trace 95baa6b3b861ce25 ]---
> 
> Fixes: 06bb6f5a69df ("mtd: spi-nor: stop (ab)using struct spi_device_id")
> Signed-off-by: Brian Norris <computersforpeace@gmail.com>
> Cc: Rafał Miłecki <zajec5@gmail.com>

Pushed to l2-mtd.git. I'll need to get this into 4.3-rc1 quick, since
the buggy patch just made it in this week...

Brian
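
The sentinel check described in the quoted commit message, as an added example that is not part of the original mail and is not the kernel's code. The struct names, function names and table entries are hypothetical; the unknown-name lookup is the "no match found" case that reaches the terminating entry.

```c
#include <stddef.h>
#include <string.h>

/* Old layout: name is an embedded array, so the zeroed terminating entry
 * has name[0] == '\0' and reading name[0] is always safe. */
struct id_array { char name[32]; unsigned int jedec_id; };

/* New layout: name is a pointer, so the zeroed terminating entry has
 * name == NULL and reading name[0] would dereference address 0. */
struct id_ptr { const char *name; unsigned int jedec_id; };

/* Constructed sample tables, each ending in a zeroed sentinel entry. */
static const struct id_array array_ids[] = {
	{ "chip-a", 0x010203 }, { "chip-b", 0x040506 }, { "", 0 },
};
static const struct id_ptr ptr_ids[] = {
	{ "chip-a", 0x010203 }, { "chip-b", 0x040506 }, { NULL, 0 },
};

static const struct id_array *match_array(const char *name)
{
	const struct id_array *id = array_ids;

	while (id->name[0]) {		/* empty string marks the end */
		if (!strcmp(name, id->name))
			return id;
		id++;
	}
	return NULL;
}

static const struct id_ptr *match_ptr(const char *name)
{
	const struct id_ptr *id = ptr_ids;

	while (id->name) {		/* NULL pointer marks the end */
		if (!strcmp(name, id->name))
			return id;
		id++;
	}
	return NULL;
}

int main(void)
{
	/* An unknown name walks all the way to the sentinel in both tables. */
	return (match_array("no-such-chip") || match_ptr("no-such-chip")) ? 1 : 0;
}
```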
