From: Miquel Raynal <miquel.raynal@bootlin.com>
To: ZhaoLong Wang <wangzhaolong1@huawei.com>
Cc: <richard@nod.at>, <vigneshr@ti.com>, <Artem.Bityutskiy@nokia.com>,
<dpervushin@embeddedalley.com>, <linux-mtd@lists.infradead.org>,
<linux-kernel@vger.kernel.org>, <chengzhihao1@huawei.com>,
<yi.zhang@huawei.com>, <yangerkun@huawei.com>
Subject: Re: [PATCH v3] mtd: Fix gluebi NULL pointer dereference caused by ftl notifier
Date: Fri, 27 Oct 2023 19:40:26 +0200 [thread overview]
Message-ID: <20231027194026.1bc32dfe@xps-13> (raw)
In-Reply-To: <20231027012033.50280-1-wangzhaolong1@huawei.com>
Hi ZhaoLong,
wangzhaolong1@huawei.com wrote on Fri, 27 Oct 2023 09:20:33 +0800:
> If both flt.ko and gluebi.ko are loaded, the notiier of ftl
flt ? notifier
> triggers NULL pointer dereference when trying to access
> ‘gluebi->desc’ in gluebi_read().
>
> ubi_gluebi_init
> ubi_register_volume_notifier
> ubi_enumerate_volumes
> ubi_notify_all
> gluebi_notify nb->notifier_call()
> gluebi_create
> mtd_device_register
> mtd_device_parse_register
> add_mtd_device
> blktrans_notify_add not->add()
> ftl_add_mtd tr->add_mtd()
Glitches?
> scan_header
> mtd_read
> mtd_read_oob
> mtd_read_oob_std
> gluebi_read mtd->read()
> gluebi->desc - NULL
>
> Detailed reproduction information available at the link[1],
>
> The solution for the gluebi module is to run jffs2 on the UBI
> volume without considering working with ftl or mtdblock.[2].
I am sorry but ftl, gluebi, mtdblock, jffs2 and ubi in the same report
seem a little bit fuzzy. Are you sure about this sentence?
> Therefore, this problem can be avoided by preventing gluebi
> from creating mtdblock devices.
This sentence sounds wrong :)
> Fixes: 2ba3d76a1e29 ("UBI: make gluebi a separate module")
> Link: https://bugzilla.kernel.org/show_bug.cgi?id=217992 [1]
> Link: https://lore.kernel.org/lkml/441107100.23734.1697904580252.JavaMail.zimbra@nod.at/ [2]
> Signed-off-by: ZhaoLong Wang <wangzhaolong1@huawei.com>
> ---
> drivers/mtd/mtd_blkdevs.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/mtd/mtd_blkdevs.c b/drivers/mtd/mtd_blkdevs.c
> index ff18636e0889..5bc32108ca03 100644
> --- a/drivers/mtd/mtd_blkdevs.c
> +++ b/drivers/mtd/mtd_blkdevs.c
> @@ -463,7 +463,7 @@ static void blktrans_notify_add(struct mtd_info *mtd)
> {
> struct mtd_blktrans_ops *tr;
>
> - if (mtd->type == MTD_ABSENT)
> + if (mtd->type == MTD_ABSENT || mtd->type == MTD_UBIVOLUME)
> return;
>
> list_for_each_entry(tr, &blktrans_majors, list)
> @@ -503,7 +503,7 @@ int register_mtd_blktrans(struct mtd_blktrans_ops *tr)
> mutex_lock(&mtd_table_mutex);
> list_add(&tr->list, &blktrans_majors);
> mtd_for_each_device(mtd)
> - if (mtd->type != MTD_ABSENT)
> + if (mtd->type != MTD_ABSENT && mtd->type != MTD_UBIVOLUME)
> tr->add_mtd(tr, mtd);
> mutex_unlock(&mtd_table_mutex);
> return 0;
Thanks,
Miquèl
______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/
WARNING: multiple messages have this Message-ID (diff)
From: Miquel Raynal <miquel.raynal@bootlin.com>
To: ZhaoLong Wang <wangzhaolong1@huawei.com>
Cc: <richard@nod.at>, <vigneshr@ti.com>, <Artem.Bityutskiy@nokia.com>,
<dpervushin@embeddedalley.com>, <linux-mtd@lists.infradead.org>,
<linux-kernel@vger.kernel.org>, <chengzhihao1@huawei.com>,
<yi.zhang@huawei.com>, <yangerkun@huawei.com>
Subject: Re: [PATCH v3] mtd: Fix gluebi NULL pointer dereference caused by ftl notifier
Date: Fri, 27 Oct 2023 19:40:26 +0200 [thread overview]
Message-ID: <20231027194026.1bc32dfe@xps-13> (raw)
In-Reply-To: <20231027012033.50280-1-wangzhaolong1@huawei.com>
Hi ZhaoLong,
wangzhaolong1@huawei.com wrote on Fri, 27 Oct 2023 09:20:33 +0800:
> If both flt.ko and gluebi.ko are loaded, the notiier of ftl
flt ? notifier
> triggers NULL pointer dereference when trying to access
> ‘gluebi->desc’ in gluebi_read().
>
> ubi_gluebi_init
> ubi_register_volume_notifier
> ubi_enumerate_volumes
> ubi_notify_all
> gluebi_notify nb->notifier_call()
> gluebi_create
> mtd_device_register
> mtd_device_parse_register
> add_mtd_device
> blktrans_notify_add not->add()
> ftl_add_mtd tr->add_mtd()
Glitches?
> scan_header
> mtd_read
> mtd_read_oob
> mtd_read_oob_std
> gluebi_read mtd->read()
> gluebi->desc - NULL
>
> Detailed reproduction information available at the link[1],
>
> The solution for the gluebi module is to run jffs2 on the UBI
> volume without considering working with ftl or mtdblock.[2].
I am sorry but ftl, gluebi, mtdblock, jffs2 and ubi in the same report
seem a little bit fuzzy. Are you sure about this sentence?
> Therefore, this problem can be avoided by preventing gluebi
> from creating mtdblock devices.
This sentence sounds wrong :)
> Fixes: 2ba3d76a1e29 ("UBI: make gluebi a separate module")
> Link: https://bugzilla.kernel.org/show_bug.cgi?id=217992 [1]
> Link: https://lore.kernel.org/lkml/441107100.23734.1697904580252.JavaMail.zimbra@nod.at/ [2]
> Signed-off-by: ZhaoLong Wang <wangzhaolong1@huawei.com>
> ---
> drivers/mtd/mtd_blkdevs.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/mtd/mtd_blkdevs.c b/drivers/mtd/mtd_blkdevs.c
> index ff18636e0889..5bc32108ca03 100644
> --- a/drivers/mtd/mtd_blkdevs.c
> +++ b/drivers/mtd/mtd_blkdevs.c
> @@ -463,7 +463,7 @@ static void blktrans_notify_add(struct mtd_info *mtd)
> {
> struct mtd_blktrans_ops *tr;
>
> - if (mtd->type == MTD_ABSENT)
> + if (mtd->type == MTD_ABSENT || mtd->type == MTD_UBIVOLUME)
> return;
>
> list_for_each_entry(tr, &blktrans_majors, list)
> @@ -503,7 +503,7 @@ int register_mtd_blktrans(struct mtd_blktrans_ops *tr)
> mutex_lock(&mtd_table_mutex);
> list_add(&tr->list, &blktrans_majors);
> mtd_for_each_device(mtd)
> - if (mtd->type != MTD_ABSENT)
> + if (mtd->type != MTD_ABSENT && mtd->type != MTD_UBIVOLUME)
> tr->add_mtd(tr, mtd);
> mutex_unlock(&mtd_table_mutex);
> return 0;
Thanks,
Miquèl
next prev parent reply other threads:[~2023-10-27 17:40 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-27 1:20 [PATCH v3] mtd: Fix gluebi NULL pointer dereference caused by ftl notifier ZhaoLong Wang
2023-10-27 1:20 ` ZhaoLong Wang
2023-10-27 3:23 ` Zhihao Cheng
2023-10-27 3:23 ` Zhihao Cheng
2023-10-27 17:40 ` Miquel Raynal [this message]
2023-10-27 17:40 ` Miquel Raynal
2023-10-27 20:30 ` Richard Weinberger
2023-10-27 20:30 ` Richard Weinberger
2023-10-29 13:50 ` Miquel Raynal
2023-10-29 13:50 ` Miquel Raynal
2023-10-29 15:39 ` Richard Weinberger
2023-10-29 15:39 ` Richard Weinberger
2023-12-19 14:36 ` ZhaoLong Wang
2023-12-19 14:36 ` ZhaoLong Wang
2023-12-19 14:44 ` Miquel Raynal
2023-12-19 14:44 ` Miquel Raynal
2023-12-20 2:15 ` ZhaoLong Wang
2023-12-20 2:15 ` ZhaoLong Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231027194026.1bc32dfe@xps-13 \
--to=miquel.raynal@bootlin.com \
--cc=Artem.Bityutskiy@nokia.com \
--cc=chengzhihao1@huawei.com \
--cc=dpervushin@embeddedalley.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mtd@lists.infradead.org \
--cc=richard@nod.at \
--cc=vigneshr@ti.com \
--cc=wangzhaolong1@huawei.com \
--cc=yangerkun@huawei.com \
--cc=yi.zhang@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.