From: syzbot <syzbot+3ae80219c633aca5431c@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH] mtd: mtdpart: fix uninitialized erasesize on MTDPART_OFS_RETAIN error path
Date: Sat, 20 Jun 2026 09:09:37 -0700 [thread overview]
Message-ID: <6a36bb41.956a836d.179a93.0001.GAE@google.com> (raw)
In-Reply-To: <6a364dbc.713c5d62.148f7.0000.GAE@google.com>
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] mtd: mtdpart: fix uninitialized erasesize on MTDPART_OFS_RETAIN error path
Author: nivchenko.dev@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
When parsing partition layouts, if a partition requested with
MTDPART_OFS_RETAIN runs out of space, the allocator jumps directly
to 'out_register' to preserve partition numbering.
However, this jump bypasses child->erasesize initialization, leaving
it at zero. When add_mtd_device() is later called on this child, the
registration fails and triggers a WARN_ON() due to the zero ->erasesize.
Fix this by zeroing out child->part.offset and child->part.size, and
initializing child->erasesize to parent->erasesize. This is the exact
same pattern already used just a few lines below in the "out of reach"
error check (child->part.offset >= parent_size) to safely register a
disabled partition.
Reported-by: syzbot+3ae80219c633aca5431c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3ae80219c633aca5431c
Signed-off-by: Nikolay Ivchenko <nivchenko.dev@gmail.com>
---
drivers/mtd/mtdpart.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/mtd/mtdpart.c b/drivers/mtd/mtdpart.c
index 795a94e6b482..7f23f8a1b59c 100644
--- a/drivers/mtd/mtdpart.c
+++ b/drivers/mtd/mtdpart.c
@@ -118,6 +118,9 @@ static struct mtd_info *allocate_partition(struct mtd_info *parent,
part->name, parent_size - child->part.offset,
child->part.size);
/* register to preserve ordering */
+ child->part.offset = 0;
+ child->part.size = 0;
+ child->erasesize = parent->erasesize;
goto out_register;
}
}
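Review bot: the three assignments before `goto out_register` are, as the commit message itself notes, a copy of the block used by the out-of-reach check (child->part.offset >= parent_size) further down; factoring both into one small helper, or into a shared label that zeroes offset/size and sets erasesize before falling into out_register, would keep the two error paths from drifting apart again. The comment `/* register to preserve ordering */` now sits above code that also blanks the partition, so extend it to say the child is registered as an empty, disabled placeholder; otherwise a reader may take the zeroing for a mistake. The ordering is right as posted: pr_warn() runs before the reset, so it still reports the original offset and size.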
--
2.43.0
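The error path the commit message describes, modelled in user space as an added example (this is not the kernel's code and uses no kernel headers): a tiny reimplementation of the MTDPART_OFS_RETAIN resolution in allocate_partition(), with a stand-in add_mtd_device() that refuses an mtd whose erasesize is 0, run once with the original error path and once with the patched one. The layout rules, the constructed three-entry partition table, and the choice to check "out of reach" before the RETAIN arithmetic are assumptions of the model.

```c
/*
 * Added example, not the kernel's code: a user-space model of how
 * allocate_partition() resolves an MTDPART_OFS_RETAIN entry and why the
 * original error path produced a child that add_mtd_device() refuses.
 * Layout semantics and the sample table are assumptions of this model.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MTDPART_OFS_RETAIN (-3)   /* size = bytes to leave free after this part */
#define MTDPART_OFS_APPEND (-1)   /* start where the previous partition ended */
#define MTDPART_SIZ_FULL   (0)    /* extend to the end of the parent */

struct part_desc {                /* one entry of a constructed partition table */
	const char *name;
	int64_t offset;               /* absolute offset or a sentinel above */
	uint64_t size;
};

struct part {                     /* the resolved child, standing in for mtd_info */
	const char *name;
	uint64_t offset, size;
	uint32_t erasesize;
	bool registered;
};

/* Model of add_mtd_device(): an mtd with erasesize 0 is refused (the kernel WARNs). */
static bool add_mtd_device(struct part *p)
{
	if (p->erasesize == 0) {
		fprintf(stderr, "WARNING: %s: erasesize is 0, not registered\n", p->name);
		return false;
	}
	p->registered = true;
	return true;
}

/*
 * Model of allocate_partition() for one entry. apply_fix selects the
 * original error path (jump straight to registration, erasesize still 0)
 * or the patched one (zero offset/size, inherit erasesize, then register).
 */
static void allocate_partition(uint64_t parent_size, uint32_t parent_erasesize,
			       uint64_t cur_offset, const struct part_desc *d,
			       struct part *child, bool apply_fix)
{
	child->name = d->name;
	child->erasesize = 0;         /* freshly zeroed, as in a kzalloc'd mtd_info */
	child->registered = false;
	child->size = d->size;
	child->offset = (d->offset < 0) ? cur_offset : (uint64_t)d->offset;

	/* "Out of reach": registered as an empty, disabled placeholder (model checks it first). */
	if (child->offset >= parent_size) {
		child->offset = 0;
		child->size = 0;
		child->erasesize = parent_erasesize;
		goto out_register;
	}
	if (child->size == MTDPART_SIZ_FULL)
		child->size = parent_size - child->offset;

	if (d->offset == MTDPART_OFS_RETAIN) {
		uint64_t avail = parent_size - child->offset;
		if (avail >= child->size) {
			child->size = avail - child->size;   /* keep d->size bytes after us */
		} else {
			fprintf(stderr, "mtd: partition \"%s\" doesn't have enough space: %llu < %llu\n",
				d->name, (unsigned long long)avail, (unsigned long long)child->size);
			if (apply_fix) {              /* the patch: make the placeholder registrable */
				child->offset = 0;
				child->size = 0;
				child->erasesize = parent_erasesize;
			}
			goto out_register;            /* register to preserve ordering */
		}
	}
	child->erasesize = parent_erasesize;  /* normal path: inherit the parent's erasesize */
out_register:
	add_mtd_device(child);
}

/* Constructed 1 MiB parent, 64 KiB erase blocks, three entries; the last one over-commits. */
static const struct part_desc table[] = {
	{ "boot",   0,                  256 * 1024 },
	{ "data",   MTDPART_OFS_RETAIN, 128 * 1024 },   /* keep 128 KiB free after it */
	{ "rootfs", MTDPART_OFS_RETAIN, 2048 * 1024 },  /* wants more than the parent holds */
};
#define NPARTS (sizeof(table) / sizeof(table[0]))
static struct part parts[NPARTS];

/* Lay out the table; returns how many children add_mtd_device() accepted. */
static int run_layout(bool apply_fix)
{
	uint64_t cur = 0;
	int registered = 0;
	for (size_t i = 0; i < NPARTS; i++) {
		allocate_partition(1024 * 1024, 64 * 1024, cur, &table[i], &parts[i], apply_fix);
		if (parts[i].size)     /* model only: the cursor is not moved for an empty placeholder */
			cur = parts[i].offset + parts[i].size;
		registered += parts[i].registered;
	}
	return registered;
}

int main(void)
{
	for (int fix = 0; fix <= 1; fix++) {
		printf("%s: %d of %zu registered\n", fix ? "patched" : "original", run_layout(fix), NPARTS);
		for (size_t i = 0; i < NPARTS; i++)
			printf("  %-7s off=%-8llu size=%-8llu erasesize=%-6u %s\n", parts[i].name,
			       (unsigned long long)parts[i].offset, (unsigned long long)parts[i].size,
			       parts[i].erasesize, parts[i].registered ? "registered" : "REFUSED");
	}
	return 0;
}
```

With the original path, "rootfs" reaches the registration check with erasesize still 0 and is refused, which is the WARN the report is about; with the patched path it is registered as an empty placeholder that keeps its slot in the numbering and inherits the parent's erasesize.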
Thread overview: 6+ messages
2026-06-20 8:22 [syzbot] [mtd?] WARNING in add_mtd_device syzbot
2026-06-20 8:22 ` syzbot
2026-06-20 9:10 ` syzbot
2026-06-20 9:10 ` syzbot
2026-06-20 13:05 ` Forwarded: [PATCH] mtd: mtdpart: validate partition bounds in mtd_add_partition() syzbot
2026-06-20 16:09 ` syzbot [this message]