[PATCH] mtd: spi-nor: fix NULL dereference when no match found in spi_nor

linux-mtd.lists.infradead.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] mtd: spi-nor: fix NULL dereference when no match found in spi_nor_ids[]
@ 2015-09-02 23:43 Brian Norris
  2015-09-03 20:33 ` Brian Norris
  0 siblings, 1 reply; 2+ messages in thread
From: Brian Norris @ 2015-09-02 23:43 UTC (permalink / raw)
  To: linux-mtd; +Cc: Brian Norris, Rafał Miłecki

Commit 06bb6f5a69df ("mtd: spi-nor: stop (ab)using struct
spi_device_id") converted an array into a pointer, which means that
we should be checking if the pointer goes anywhere, not whether the C
string is empty. To do the latter means we dereference a NULL pointer
when we reach the terminating entry, for which 'name' is now NULL
instead of an array { 0, 0, ... }.

Sample crash:

[    1.101371] Unable to handle kernel NULL pointer dereference at virtual address 00000000
[    1.109457] pgd = c0004000
[    1.112157] [00000000] *pgd=00000000
[    1.115736] Internal error: Oops: 5 [#1] SMP ARM
[    1.120345] Modules linked in:
[    1.123405] CPU: 3 PID: 1 Comm: swapper/0 Not tainted 4.2.0-next-20150902+ #61
[    1.130611] Hardware name: Rockchip (Device Tree)
[    1.135306] task: ee0b8d40 ti: ee0ba000 task.ti: ee0ba000
[    1.140697] PC is at spi_nor_scan+0x90/0x8c4
[    1.144958] LR is at spi_nor_scan+0xa4/0x8c4
...
[    1.504112] [<c03cc2e0>] (spi_nor_scan) from [<c03cb188>] (m25p_probe+0xc8/0x11c)
[    1.511583] [<c03cb188>] (m25p_probe) from [<c03cd9d8>] (spi_drv_probe+0x60/0x7c)
[    1.519055] [<c03cd9d8>] (spi_drv_probe) from [<c037faa0>] (driver_probe_device+0x1a0/0x444)
[    1.527478] [<c037faa0>] (driver_probe_device) from [<c037fec8>] (__device_attach_driver+0x94/0xa0)
[    1.536507] [<c037fec8>] (__device_attach_driver) from [<c037db3c>] (bus_for_each_drv+0x94/0xa4)
[    1.545277] [<c037db3c>] (bus_for_each_drv) from [<c037f7e4>] (__device_attach+0xa4/0x144)
[    1.553526] [<c037f7e4>] (__device_attach) from [<c0380058>] (device_initial_probe+0x1c/0x20)
[    1.562035] [<c0380058>] (device_initial_probe) from [<c037ec88>] (bus_probe_device+0x38/0x94)
[    1.570631] [<c037ec88>] (bus_probe_device) from [<c037ccf4>] (device_add+0x430/0x558)
[    1.578534] [<c037ccf4>] (device_add) from [<c03d0240>] (spi_add_device+0xe4/0x174)
[    1.586178] [<c03d0240>] (spi_add_device) from [<c03d0a24>] (spi_register_master+0x698/0x7d4)
[    1.594688] [<c03d0a24>] (spi_register_master) from [<c03d0ba0>] (devm_spi_register_master+0x40/0x7c)
[    1.603892] [<c03d0ba0>] (devm_spi_register_master) from [<c03d2fb4>] (rockchip_spi_probe+0x360/0x3f4)
[    1.613182] [<c03d2fb4>] (rockchip_spi_probe) from [<c0381e34>] (platform_drv_probe+0x58/0xa8)
[    1.621779] [<c0381e34>] (platform_drv_probe) from [<c037faa0>] (driver_probe_device+0x1a0/0x444)
[    1.630635] [<c037faa0>] (driver_probe_device) from [<c037fdc4>] (__driver_attach+0x80/0xa4)
[    1.639058] [<c037fdc4>] (__driver_attach) from [<c037e850>] (bus_for_each_dev+0x98/0xac)
[    1.647221] [<c037e850>] (bus_for_each_dev) from [<c037f448>] (driver_attach+0x28/0x30)
[    1.655210] [<c037f448>] (driver_attach) from [<c037ef74>] (bus_add_driver+0x128/0x250)
[    1.663200] [<c037ef74>] (bus_add_driver) from [<c0380c40>] (driver_register+0xac/0xf0)
[    1.671191] [<c0380c40>] (driver_register) from [<c0381d50>] (__platform_driver_register+0x58/0x6c)
[    1.680221] [<c0381d50>] (__platform_driver_register) from [<c0a467c8>] (rockchip_spi_driver_init+0x18/0x20)
[    1.690033] [<c0a467c8>] (rockchip_spi_driver_init) from [<c00098a4>] (do_one_initcall+0x124/0x1dc)
[    1.699063] [<c00098a4>] (do_one_initcall) from [<c0a19f84>] (kernel_init_freeable+0x218/0x2ec)
[    1.707748] [<c0a19f84>] (kernel_init_freeable) from [<c0719ed8>] (kernel_init+0x1c/0xf4)
[    1.715912] [<c0719ed8>] (kernel_init) from [<c000fe50>] (ret_from_fork+0x14/0x24)
[    1.723460] Code: e3510000 159f67c0 0a00000c e5961000 (e5d13000)
[    1.729564] ---[ end trace 95baa6b3b861ce25 ]---

Fixes: 06bb6f5a69df ("mtd: spi-nor: stop (ab)using struct spi_device_id")
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Cc: Rafał Miłecki <zajec5@gmail.com>
---
 drivers/mtd/spi-nor/spi-nor.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/mtd/spi-nor/spi-nor.c b/drivers/mtd/spi-nor/spi-nor.c
index 25372f9b534e..f59aedfe1462 100644
--- a/drivers/mtd/spi-nor/spi-nor.c
+++ b/drivers/mtd/spi-nor/spi-nor.c
@@ -1218,7 +1218,7 @@ static const struct flash_info *spi_nor_match_id(const char *name)
 {
 	const struct flash_info *id = spi_nor_ids;
 
-	while (id->name[0]) {
+	while (id->name) {
 		if (!strcmp(name, id->name))
 			return id;
 		id++;
-- 
2.5.0.457.gab17608

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] mtd: spi-nor: fix NULL dereference when no match found in spi_nor_ids[]
  2015-09-02 23:43 [PATCH] mtd: spi-nor: fix NULL dereference when no match found in spi_nor_ids[] Brian Norris
@ 2015-09-03 20:33 ` Brian Norris
  0 siblings, 0 replies; 2+ messages in thread
From: Brian Norris @ 2015-09-03 20:33 UTC (permalink / raw)
  To: linux-mtd; +Cc: Rafał Miłecki

On Wed, Sep 02, 2015 at 04:43:00PM -0700, Brian Norris wrote:
> Commit 06bb6f5a69df ("mtd: spi-nor: stop (ab)using struct
> spi_device_id") converted an array into a pointer, which means that
> we should be checking if the pointer goes anywhere, not whether the C
> string is empty. To do the latter means we dereference a NULL pointer
> when we reach the terminating entry, for which 'name' is now NULL
> instead of an array { 0, 0, ... }.
> 
> Sample crash:
> 
> [    1.101371] Unable to handle kernel NULL pointer dereference at virtual address 00000000
> [    1.109457] pgd = c0004000
> [    1.112157] [00000000] *pgd=00000000
> [    1.115736] Internal error: Oops: 5 [#1] SMP ARM
> [    1.120345] Modules linked in:
> [    1.123405] CPU: 3 PID: 1 Comm: swapper/0 Not tainted 4.2.0-next-20150902+ #61
> [    1.130611] Hardware name: Rockchip (Device Tree)
> [    1.135306] task: ee0b8d40 ti: ee0ba000 task.ti: ee0ba000
> [    1.140697] PC is at spi_nor_scan+0x90/0x8c4
> [    1.144958] LR is at spi_nor_scan+0xa4/0x8c4
> ...
> [    1.504112] [<c03cc2e0>] (spi_nor_scan) from [<c03cb188>] (m25p_probe+0xc8/0x11c)
> [    1.511583] [<c03cb188>] (m25p_probe) from [<c03cd9d8>] (spi_drv_probe+0x60/0x7c)
> [    1.519055] [<c03cd9d8>] (spi_drv_probe) from [<c037faa0>] (driver_probe_device+0x1a0/0x444)
> [    1.527478] [<c037faa0>] (driver_probe_device) from [<c037fec8>] (__device_attach_driver+0x94/0xa0)
> [    1.536507] [<c037fec8>] (__device_attach_driver) from [<c037db3c>] (bus_for_each_drv+0x94/0xa4)
> [    1.545277] [<c037db3c>] (bus_for_each_drv) from [<c037f7e4>] (__device_attach+0xa4/0x144)
> [    1.553526] [<c037f7e4>] (__device_attach) from [<c0380058>] (device_initial_probe+0x1c/0x20)
> [    1.562035] [<c0380058>] (device_initial_probe) from [<c037ec88>] (bus_probe_device+0x38/0x94)
> [    1.570631] [<c037ec88>] (bus_probe_device) from [<c037ccf4>] (device_add+0x430/0x558)
> [    1.578534] [<c037ccf4>] (device_add) from [<c03d0240>] (spi_add_device+0xe4/0x174)
> [    1.586178] [<c03d0240>] (spi_add_device) from [<c03d0a24>] (spi_register_master+0x698/0x7d4)
> [    1.594688] [<c03d0a24>] (spi_register_master) from [<c03d0ba0>] (devm_spi_register_master+0x40/0x7c)
> [    1.603892] [<c03d0ba0>] (devm_spi_register_master) from [<c03d2fb4>] (rockchip_spi_probe+0x360/0x3f4)
> [    1.613182] [<c03d2fb4>] (rockchip_spi_probe) from [<c0381e34>] (platform_drv_probe+0x58/0xa8)
> [    1.621779] [<c0381e34>] (platform_drv_probe) from [<c037faa0>] (driver_probe_device+0x1a0/0x444)
> [    1.630635] [<c037faa0>] (driver_probe_device) from [<c037fdc4>] (__driver_attach+0x80/0xa4)
> [    1.639058] [<c037fdc4>] (__driver_attach) from [<c037e850>] (bus_for_each_dev+0x98/0xac)
> [    1.647221] [<c037e850>] (bus_for_each_dev) from [<c037f448>] (driver_attach+0x28/0x30)
> [    1.655210] [<c037f448>] (driver_attach) from [<c037ef74>] (bus_add_driver+0x128/0x250)
> [    1.663200] [<c037ef74>] (bus_add_driver) from [<c0380c40>] (driver_register+0xac/0xf0)
> [    1.671191] [<c0380c40>] (driver_register) from [<c0381d50>] (__platform_driver_register+0x58/0x6c)
> [    1.680221] [<c0381d50>] (__platform_driver_register) from [<c0a467c8>] (rockchip_spi_driver_init+0x18/0x20)
> [    1.690033] [<c0a467c8>] (rockchip_spi_driver_init) from [<c00098a4>] (do_one_initcall+0x124/0x1dc)
> [    1.699063] [<c00098a4>] (do_one_initcall) from [<c0a19f84>] (kernel_init_freeable+0x218/0x2ec)
> [    1.707748] [<c0a19f84>] (kernel_init_freeable) from [<c0719ed8>] (kernel_init+0x1c/0xf4)
> [    1.715912] [<c0719ed8>] (kernel_init) from [<c000fe50>] (ret_from_fork+0x14/0x24)
> [    1.723460] Code: e3510000 159f67c0 0a00000c e5961000 (e5d13000)
> [    1.729564] ---[ end trace 95baa6b3b861ce25 ]---
> 
> Fixes: 06bb6f5a69df ("mtd: spi-nor: stop (ab)using struct spi_device_id")
> Signed-off-by: Brian Norris <computersforpeace@gmail.com>
> Cc: Rafał Miłecki <zajec5@gmail.com>

Pushed to l2-mtd.git. I'll need to get this into 4.3-rc1 quick, since
the buggy patch just made it in this week...

Brian

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2015-09-03 20:33 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-09-02 23:43 [PATCH] mtd: spi-nor: fix NULL dereference when no match found in spi_nor_ids[] Brian Norris
2015-09-03 20:33 ` Brian Norris

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).