lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <8140244d-81d8-6837-7fb9-728b042c115f@quicinc.com>
Date:   Mon, 18 Apr 2022 10:49:43 +0530
From:   Md Sadre Alam <quic_mdalam@...cinc.com>
To:     Manivannan Sadhasivam <mani@...nel.org>,
        Miquel Raynal <miquel.raynal@...tlin.com>
CC:     <richard@....at>, <vigneshr@...com>,
        <linux-mtd@...ts.infradead.org>, <linux-arm-msm@...r.kernel.org>,
        <linux-kernel@...r.kernel.org>, <konrad.dybcio@...ainline.org>,
        <quic_srichara@...cinc.com>
Subject: Re: [PATCH V2] mtd: rawnand: qcom: fix memory corruption that causes
 panic


On 4/14/2022 9:23 PM, Manivannan Sadhasivam wrote:
> WARNING: This email originated from outside of Qualcomm. Please be wary of any links or attachments, and do not enable macros.
>
> On Thu, Apr 14, 2022 at 05:36:42PM +0200, Miquel Raynal wrote:
>> Hi Md,
>>
>> quic_mdalam@...cinc.com wrote on Thu, 14 Apr 2022 21:00:17 +0530:
>>
>>> This patch fixes a memory corruption that occurred in the
>>> nand_scan() path for Hynix nand device.
>>>
>>> On boot, for Hynix nand device will panic at a weird place:
>>> | Unable to handle kernel NULL pointer dereference at virtual
>>>    address 00000070
>>> | [00000070] *pgd=00000000
>>> | Internal error: Oops: 5 [#1] PREEMPT SMP ARM
>>> | Modules linked in:
>>> | CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.17.0-01473-g13ae1769cfb0
>>>    #38
>>> | Hardware name: Generic DT based system
>>> | PC is at nandc_set_reg+0x8/0x1c
>>> | LR is at qcom_nandc_command+0x20c/0x5d0
>>> | pc : [<c088b74c>]    lr : [<c088d9c8>]    psr: 00000113
>>> | sp : c14adc50  ip : c14ee208  fp : c0cc970c
>>> | r10: 000000a3  r9 : 00000000  r8 : 00000040
>>> | r7 : c16f6a00  r6 : 00000090  r5 : 00000004  r4 :c14ee040
>>> | r3 : 00000000  r2 : 0000000b  r1 : 00000000  r0 :c14ee040
>>> | Flags: nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM Segment none
>>> | Control: 10c5387d  Table: 8020406a  DAC: 00000051
>>> | Register r0 information: slab kmalloc-2k start c14ee000 pointer offset
>>>    64 size 2048
>>> | Process swapper/0 (pid: 1, stack limit = 0x(ptrval))
>>> | nandc_set_reg from qcom_nandc_command+0x20c/0x5d0
>>> | qcom_nandc_command from nand_readid_op+0x198/0x1e8
>>> | nand_readid_op from hynix_nand_has_valid_jedecid+0x30/0x78
>>> | hynix_nand_has_valid_jedecid from hynix_nand_init+0xb8/0x454
>>> | hynix_nand_init from nand_scan_with_ids+0xa30/0x14a8
>>> | nand_scan_with_ids from qcom_nandc_probe+0x648/0x7b0
>>> | qcom_nandc_probe from platform_probe+0x58/0xac
>>>
>>> The problem is that the nand_scan()'s qcom_nand_attach_chip callback
>>> is updating the nandc->max_cwperpage from 1 to 4.This causes the
>>> sg_init_table of clear_bam_transaction() in the driver's
>>> qcom_nandc_command() to memset much more than what was initially
>>> allocated by alloc_bam_transaction().
>>>
>>> This patch will update nandc->max_cwperpage 1 to 4 after nand_scan()
>>> returns, and remove updating nandc->max_cwperpage from
>>> qcom_nand_attach_chip call back.
>> Please update also the commit log.
>>
>> Fixes: ?
>> Cc: stable ?
> Also please add Reported-by to credit Konrad.
    Updated in V3 patch.
>
> Thanks,
> Mani
>
>>> Signed-off-by: Md Sadre Alam <quic_mdalam@...cinc.com>
>>> Signed-off-by: Sricharan R <quic_srichara@...cinc.com>
>>> ---
>>> [V2]
>> Thanks,
>> Miquèl

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ