forge/linux-uconsole
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions
linux-uconsole/drivers/mtd
History
Christian Lamparter 1e235ec00b mtd: rawnand: qcom: fix memory corruption that causes panic 
commit 81d9bdf590 upstream.

This patch fixes a memory corruption that occurred in the
qcom-nandc driver since it was converted to nand_scan().

On boot, an affected device will panic from a NPE at a weird place:
| Unable to handle kernel NULL pointer dereference at virtual address 0
| pgd = (ptrval)
| [00000000] *pgd=00000000
| Internal error: Oops: 80000005 [#1] SMP ARM
| CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.19.9 #0
| Hardware name: Generic DT based system
| PC is at   (null)
| LR is at nand_block_isbad+0x90/0xa4
| pc : [<00000000>]    lr : [<c0592240>]    psr: 80000013
| sp : cf839d40  ip : 00000000  fp : cfae9e20
| r10: cf815810  r9 : 00000000  r8 : 00000000
| r7 : 00000000  r6 : 00000000  r5 : 00000001  r4 : cf815810
| r3 : 00000000  r2 : cfae9810  r1 : ffffffff  r0 : cf815810
| Flags: Nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
| Control: 10c5387d  Table: 8020406a  DAC: 00000051
| Process swapper/0 (pid: 1, stack limit = 0x(ptrval))
| [<c0592240>] (nand_block_isbad) from [<c0580a94>]
| [<c0580a94>] (allocate_partition) from [<c05811e4>]
| [<c05811e4>] (add_mtd_partitions) from [<c0581164>]
| [<c0581164>] (parse_mtd_partitions) from [<c057def4>]
| [<c057def4>] (mtd_device_parse_register) from [<c059d274>]
| [<c059d274>] (qcom_nandc_probe) from [<c0567f00>]

The problem is that the nand_scan()'s qcom_nand_attach_chip callback
is updating the nandc->max_cwperpage from 1 to 4. This causes the
sg_init_table of clear_bam_transaction() in the driver's
qcom_nandc_block_bad() to memset much more than what was initially
allocated by alloc_bam_transaction().

This patch restores the old behavior by reallocating the shared bam
transaction alloc_bam_transaction() after the chip was identified,
but before mtd_device_parse_register() (which is an alias for
mtd_device_register() - see panic) gets called. This fixes the
corruption and the driver is working again.

Cc: stable@vger.kernel.org
Fixes: 6a3cec64f1 ("mtd: rawnand: qcom: convert driver to nand_scan()")
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Acked-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Boris Brezillon <bbrezillon@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-01-16 22:04:34 +01:00
..
chips NAND core changes: 2018-08-11 12:15:19 +02:00
devices mtd: docg3: don't set conflicting BCH_CONST_PARAMS option 2018-11-21 09:19:19 +01:00
lpddr mtd: lpddr: use mtd_device_register() 2018-07-24 07:50:22 +02:00
maps mtd: maps: gpio-addr-flash: Fix ioremapped size 2018-11-13 11:08:14 -08:00
nand mtd: rawnand: qcom: fix memory corruption that causes panic 2019-01-16 22:04:34 +01:00
parsers mtd: parsers: trx: add of_match_table with the new DT binding 2018-07-07 10:51:00 +02:00
spi-nor mtd: atmel-quadspi: disallow building on ebsa110 2019-01-09 17:38:37 +01:00
tests treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
ubi ubi: expose the volume CRC check skip flag 2018-08-15 00:25:21 +02:00
afs.c
ar7part.c treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
bcm47xxpart.c treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
bcm63xxpart.c
cmdlinepart.c mtd: cmdlinepart: Update comment for introduction of OFFSET_CONTINUOUS 2018-05-23 10:08:48 +02:00
ftl.c treewide: Use array_size() in vmalloc() 2018-06-12 16:19:22 -07:00
inftlcore.c mtd: nand: Rename nand.h into rawnand.h 2017-08-13 10:11:49 +02:00
inftlmount.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
Kconfig mtd: Make Kconfig formatting consistent 2018-07-19 23:12:06 +02:00
Makefile mtd: Move onenand code base to drivers/mtd/nand/onenand 2018-03-15 15:40:37 +01:00
mtd_blkdevs.c mtd_blkdevs: handle highmem pages 2018-05-11 15:07:58 -06:00
mtdblock.c mtd: Unconditionally update ->fail_addr and ->addr in part_erase() 2018-03-15 18:22:26 +01:00
mtdblock_ro.c
mtdchar.c mtdchar: fix overflows in adjustment of count 2018-07-18 16:46:38 +02:00
mtdconcat.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
mtdcore.c mtd: Fallback to ->_read/write() when ->_read/write_oob() is missing 2018-07-18 16:44:03 +02:00
mtdcore.h mtd: move code adding (registering) partitions to the parse_mtd_partitions() 2018-05-07 10:10:47 +02:00
mtdoops.c treewide: Use array_size() in vmalloc() 2018-06-12 16:19:22 -07:00
mtdpart.c mtd: partitions: fix unbalanced of_node_get/put() 2018-09-17 16:23:12 +02:00
mtdsuper.c Rename superblock flags (MS_xyz -> SB_xyz) 2017-11-27 13:05:09 -08:00
mtdswap.c treewide: Use array_size() in vmalloc() 2018-06-12 16:19:22 -07:00
nftlcore.c mtd: nand: Rename nand.h into rawnand.h 2017-08-13 10:11:49 +02:00
nftlmount.c mtd: nftl: remove redundant variable nb_erases 2018-07-07 10:55:05 +02:00
ofpart.c treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
redboot.c
rfd_ftl.c treewide: Use array_size() in vmalloc() 2018-06-12 16:19:22 -07:00
sm_ftl.c treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
sm_ftl.h mtd: Stop assuming mtd_erase() is asynchronous 2018-03-15 18:21:07 +01:00
ssfdc.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00