[PATCH 4.14 05/67] mtd: jedec_probe: Fix crash in jedec_read_mfr()

stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Linus Walleij <linus.walleij@linaro.org>,
	Boris Brezillon <boris.brezillon@bootlin.com>
Subject: [PATCH 4.14 05/67] mtd: jedec_probe: Fix crash in jedec_read_mfr()
Date: Fri,  6 Apr 2018 15:23:35 +0200	[thread overview]
Message-ID: <20180406084341.973252108@linuxfoundation.org> (raw)
In-Reply-To: <20180406084341.225558262@linuxfoundation.org>

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Linus Walleij <linus.walleij@linaro.org>

commit 87a73eb5b56fd6e07c8e499fe8608ef2d8912b82 upstream.

It turns out that the loop where we read manufacturer
jedec_read_mfd() can under some circumstances get a
CFI_MFR_CONTINUATION repeatedly, making the loop go
over all banks and eventually hit the end of the
map and crash because of an access violation:

Unable to handle kernel paging request at virtual address c4980000
pgd = (ptrval)
[c4980000] *pgd=03808811, *pte=00000000, *ppte=00000000
Internal error: Oops: 7 [#1] PREEMPT ARM
CPU: 0 PID: 1 Comm: swapper Not tainted 4.16.0-rc1+ #150
Hardware name: Gemini (Device Tree)
PC is at jedec_probe_chip+0x6ec/0xcd0
LR is at 0x4
pc : [<c03a2bf4>]    lr : [<00000004>]    psr: 60000013
sp : c382dd18  ip : 0000ffff  fp : 00000000
r10: c0626388  r9 : 00020000  r8 : c0626340
r7 : 00000000  r6 : 00000001  r5 : c3a71afc  r4 : c382dd70
r3 : 00000001  r2 : c4900000  r1 : 00000002  r0 : 00080000
Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
Control: 0000397f  Table: 00004000  DAC: 00000053
Process swapper (pid: 1, stack limit = 0x(ptrval))

Fix this by breaking the loop with a return 0 if
the offset exceeds the map size.

Fixes: 5c9c11e1c47c ("[MTD] [NOR] Add support for flash chips with ID in bank other than 0")
Cc: <stable@vger.kernel.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mtd/chips/jedec_probe.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/mtd/chips/jedec_probe.c
+++ b/drivers/mtd/chips/jedec_probe.c
@@ -1889,6 +1889,8 @@ static inline u32 jedec_read_mfr(struct
 	do {
 		uint32_t ofs = cfi_build_cmd_addr(0 + (bank << 8), map, cfi);
 		mask = (1 << (cfi->device_type * 8)) - 1;
+		if (ofs >= map->size)
+			return 0;
 		result = map_read(map, base + ofs);
 		bank++;
 	} while ((result.x[0] & mask) == CFI_MFR_CONTINUATION);

next prev parent reply	other threads:[~2018-04-06 13:38 UTC|newest]

Thread overview: 69+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-04-06 13:23 [PATCH 4.14 00/67] 4.14.33-stable review Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.14 01/67] ARM: OMAP: Fix SRAM W+X mapping Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.14 02/67] ARM: 8746/1: vfp: Go back to clearing vfp_current_hw_state[] Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.14 03/67] ARM: dts: sun6i: a31s: bpi-m2: improve pmic properties Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.14 04/67] ARM: dts: sun6i: a31s: bpi-m2: add missing regulators Greg Kroah-Hartman
2018-04-06 13:23 ` Greg Kroah-Hartman [this message]
2018-04-06 13:23 ` [PATCH 4.14 06/67] mtd: nand: atmel: Fix get_sectorsize() function Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.14 07/67] ALSA: usb-audio: Add native DSD support for TEAC UD-301 Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.14 08/67] ALSA: pcm: Use dma_bytes as size parameter in dma_mmap_coherent() Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.14 09/67] ALSA: pcm: potential uninitialized return values Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.14 10/67] x86/platform/uv/BAU: Add APIC idt entry Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.14 11/67] perf/hwbp: Simplify the perf-hwbp code, fix documentation Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.14 12/67] ceph: only dirty ITER_IOVEC pages for direct read Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.14 13/67] ipc/shm.c: add split function to shm_vm_ops Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.14 14/67] i2c: i2c-stm32f7: fix no check on returned setup Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.14 15/67] powerpc/64s: Fix lost pending interrupt due to race causing lost update to irq_happened Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.14 16/67] powerpc/64s: Fix i-side SLB miss bad address handler saving nonvolatile GPRs Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.14 17/67] partitions/msdos: Unable to mount UFS 44bsd partitions Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.14 18/67] xfrm_user: uncoditionally validate esn replay attribute struct Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.14 19/67] RDMA/ucma: Check AF family prior resolving address Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.14 20/67] RDMA/ucma: Fix use-after-free access in ucma_close Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.14 21/67] RDMA/ucma: Ensure that CM_ID exists prior to access it Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.14 22/67] RDMA/rdma_cm: Fix use after free race with process_one_req Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.14 23/67] RDMA/ucma: Check that device is connected prior to access it Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.14 24/67] RDMA/ucma: Check that device exists prior to accessing it Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.14 25/67] RDMA/ucma: Introduce safer rdma_addr_size() variants Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.14 26/67] net: xfrm: use preempt-safe this_cpu_read() in ipcomp_alloc_tfms() Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.14 27/67] xfrm: Refuse to insert 32 bit userspace socket policies on 64 bit systems Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.14 28/67] percpu: add __GFP_NORETRY semantics to the percpu balancing path Greg Kroah-Hartman
2018-04-06 13:23 ` [PATCH 4.14 29/67] netfilter: x_tables: make allocation less aggressive Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.14 30/67] netfilter: bridge: ebt_among: add more missing match size checks Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.14 31/67] l2tp: fix races with ipv4-mapped ipv6 addresses Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.14 32/67] netfilter: drop template ct when conntrack is skipped Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.14 33/67] netfilter: x_tables: add and use xt_check_proc_name Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.14 34/67] phy: qcom-ufs: add MODULE_LICENSE tag Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.14 35/67] Bluetooth: Fix missing encryption refresh on Security Request Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.14 36/67] usb: dwc2: Improve gadget state disconnection handling Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.14 37/67] bitmap: fix memset optimization on big-endian systems Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.14 38/67] USB: serial: ftdi_sio: add RT Systems VX-8 cable Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.14 39/67] USB: serial: ftdi_sio: add support for Harman FirmwareHubEmulator Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.14 40/67] USB: serial: cp210x: add ELDAT Easywave RX09 id Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.14 41/67] serial: 8250: Add Nuvoton NPCM UART Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.14 42/67] mei: remove dev_err message on an unsupported ioctl Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.14 43/67] /dev/mem: Avoid overwriting "err" in read_mem() Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.14 44/67] media: usbtv: prevent double free in error case Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.14 45/67] parport_pc: Add support for WCH CH382L PCI-E single parallel port card Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.14 46/67] crypto: lrw - Free rctx->ext with kzfree Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.14 47/67] crypto: inside-secure - fix clock management Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.14 48/67] crypto: testmgr - Fix incorrect values in PKCS#1 test vector Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.14 49/67] crypto: ahash - Fix early termination in hash walk Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.14 51/67] crypto: ccp - return an actual key size from RSA max_size callback Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.14 52/67] crypto: arm,arm64 - Fix random regeneration of S_shipped Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.14 53/67] crypto: x86/cast5-avx - fix ECB encryption when long sg follows short one Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.14 54/67] Btrfs: fix unexpected cow in run_delalloc_nocow Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.14 55/67] staging: comedi: ni_mio_common: ack ai fifo error interrupts Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.14 56/67] Revert "base: arch_topology: fix section mismatch build warnings" Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.14 57/67] Input: ALPS - fix TrackStick detection on Thinkpad L570 and Latitude 7370 Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.14 58/67] Input: i8042 - add Lenovo ThinkPad L460 to i8042 reset list Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.14 59/67] Input: i8042 - enable MUX on Sony VAIO VGN-CS series to fix touchpad Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.14 60/67] vt: change SGR 21 to follow the standards Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.14 61/67] ARM: dts: DRA76-EVM: Set powerhold property for tps65917 Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.14 62/67] net: hns: Fix ethtool private flags Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.14 63/67] Fix slab name "biovec-(1<<(21-12))" Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.14 64/67] Revert "ARM: dts: am335x-pepper: Fix the audio CODECs reset pin" Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.14 65/67] Revert "ARM: dts: omap3-n900: " Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.14 66/67] Revert "cpufreq: Fix governor module removal race" Greg Kroah-Hartman
2018-04-06 13:24 ` [PATCH 4.14 67/67] Revert "ip6_vti: adjust vti mtu according to mtu of lower device" Greg Kroah-Hartman
2018-04-06 20:07 ` [PATCH 4.14 00/67] 4.14.33-stable review Dan Rue
2018-04-06 22:10 ` Shuah Khan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180406084341.973252108@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=boris.brezillon@bootlin.com \
    --cc=linus.walleij@linaro.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).