linux/drivers/mtd
Christian Lamparter 81d9bdf590 mtd: rawnand: qcom: fix memory corruption that causes panic
This patch fixes a memory corruption that occurred in the
qcom-nandc driver since it was converted to nand_scan().

On boot, an affected device will panic from a NPE at a weird place:
| Unable to handle kernel NULL pointer dereference at virtual address 0
| pgd = (ptrval)
| [00000000] *pgd=00000000
| Internal error: Oops: 80000005 [#1] SMP ARM
| CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.19.9 #0
| Hardware name: Generic DT based system
| PC is at   (null)
| LR is at nand_block_isbad+0x90/0xa4
| pc : [<00000000>]    lr : [<c0592240>]    psr: 80000013
| sp : cf839d40  ip : 00000000  fp : cfae9e20
| r10: cf815810  r9 : 00000000  r8 : 00000000
| r7 : 00000000  r6 : 00000000  r5 : 00000001  r4 : cf815810
| r3 : 00000000  r2 : cfae9810  r1 : ffffffff  r0 : cf815810
| Flags: Nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
| Control: 10c5387d  Table: 8020406a  DAC: 00000051
| Process swapper/0 (pid: 1, stack limit = 0x(ptrval))
| [<c0592240>] (nand_block_isbad) from [<c0580a94>]
| [<c0580a94>] (allocate_partition) from [<c05811e4>]
| [<c05811e4>] (add_mtd_partitions) from [<c0581164>]
| [<c0581164>] (parse_mtd_partitions) from [<c057def4>]
| [<c057def4>] (mtd_device_parse_register) from [<c059d274>]
| [<c059d274>] (qcom_nandc_probe) from [<c0567f00>]

The problem is that the nand_scan()'s qcom_nand_attach_chip callback
is updating the nandc->max_cwperpage from 1 to 4. This causes the
sg_init_table of clear_bam_transaction() in the driver's
qcom_nandc_block_bad() to memset much more than what was initially
allocated by alloc_bam_transaction().

This patch restores the old behavior by reallocating the shared bam
transaction alloc_bam_transaction() after the chip was identified,
but before mtd_device_parse_register() (which is an alias for
mtd_device_register() - see panic) gets called. This fixes the
corruption and the driver is working again.

Cc: stable@vger.kernel.org
Fixes: 6a3cec64f1 ("mtd: rawnand: qcom: convert driver to nand_scan()")
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Acked-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Boris Brezillon <bbrezillon@kernel.org>
2019-01-08 12:33:24 +01:00
..
chips mtd: cfi_cmdset_0020: Mark expected switch fall-throughs 2018-11-09 20:40:11 +01:00
devices Merge tag 'devicetree-for-4.21' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux 2018-12-28 20:08:34 -08:00
lpddr mtd: lpddr: use mtd_device_register() 2018-07-24 07:50:22 +02:00
maps Kbuild updates for v4.21 2018-12-29 12:03:17 -08:00
nand mtd: rawnand: qcom: fix memory corruption that causes panic 2019-01-08 12:33:24 +01:00
parsers mtd: partitions: Add OF support to RedBoot partitions 2018-11-12 11:51:02 +01:00
spi-nor spi: Updates for v4.21 2018-12-25 14:43:54 -08:00
tests mtd: rawnand: Allow selection of ECC byte ordering at runtime 2018-10-03 11:12:25 +02:00
ubi ubi: Do not drop UBI device reference before using 2018-12-13 22:09:44 +01:00
afs.c
ar7part.c mm: remove include/linux/bootmem.h 2018-10-31 08:54:16 -07:00
bcm47xxpart.c treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
bcm63xxpart.c
cmdlinepart.c mtd: cmdlinepart: Update comment for introduction of OFFSET_CONTINUOUS 2018-05-23 10:08:48 +02:00
ftl.c treewide: Use array_size() in vmalloc() 2018-06-12 16:19:22 -07:00
inftlcore.c mtd: nand: Rename nand.h into rawnand.h 2017-08-13 10:11:49 +02:00
inftlmount.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
Kconfig Char/Misc driver patches for 4.21-rc1 2018-12-28 20:54:57 -08:00
Makefile mtd: Move Redboot partition parser 2018-11-12 11:44:13 +01:00
mtd_blkdevs.c mtd_blkdevs: convert to blk-mq 2018-10-16 08:09:58 -06:00
mtdblock_ro.c
mtdblock.c mtd: change len type from signed to unsigned type 2018-12-03 11:32:26 +01:00
mtdchar.c mtdchar: fix overflows in adjustment of count 2018-07-18 16:46:38 +02:00
mtdconcat.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
mtdcore.c mtd: Fix the check on nvmem_register() ret code 2019-01-07 14:06:22 +01:00
mtdcore.h mtd: Check add_mtd_device() ret code 2019-01-07 14:06:24 +01:00
mtdoops.c treewide: Use array_size() in vmalloc() 2018-06-12 16:19:22 -07:00
mtdpart.c mtd: Check add_mtd_device() ret code 2019-01-07 14:06:24 +01:00
mtdsuper.c Rename superblock flags (MS_xyz -> SB_xyz) 2017-11-27 13:05:09 -08:00
mtdswap.c mtd: use DEFINE_SHOW_ATTRIBUTE() instead of open-coding it 2018-12-03 11:32:26 +01:00
nftlcore.c mtd: nand: Rename nand.h into rawnand.h 2017-08-13 10:11:49 +02:00
nftlmount.c mtd: nftl: clean up indentation, remove extraneous tabs 2018-12-02 09:20:36 +01:00
ofpart.c treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
rfd_ftl.c treewide: Use array_size() in vmalloc() 2018-06-12 16:19:22 -07:00
sm_ftl.c mtd: rawnand: Allow selection of ECC byte ordering at runtime 2018-10-03 11:12:25 +02:00
sm_ftl.h mtd: Stop assuming mtd_erase() is asynchronous 2018-03-15 18:21:07 +01:00
ssfdc.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00