| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 20 Mar 2024 15:26:22 -0700
From: William Zhang <william.zhang@...adcom.com>
To: Linux MTD List <linux-mtd@...ts.infradead.org>
Cc: Broadcom Kernel List <bcm-kernel-feedback-list@...adcom.com>,
joel.peshkin@...adcom.com,
f.fainelli@...il.com,
miquel.raynal@...tlin.com,
dregan@...l.com,
kamal.dasu@...adcom.com,
kursad.oney@...adcom.com,
William Zhang <william.zhang@...adcom.com>,
Florian Fainelli <florian.fainelli@...adcom.com>,
linux-kernel@...r.kernel.org,
Vignesh Raghavendra <vigneshr@...com>,
Brian Norris <computersforpeace@...il.com>,
Richard Weinberger <richard@....at>,
David Regan <dregan@...adcom.com>
Subject: [PATCH] mtd: rawnand: brcmnand: Fix data access violation for STB chip
Florian reported the following kernel NULL pointer dereference issue on
a BCM7250 board:
[ 2.829744] Unable to handle kernel NULL pointer dereference at virtual address 0000000c when read
[ 2.838740] [0000000c] *pgd=80000000004003, *pmd=00000000
[ 2.844178] Internal error: Oops: 206 [#1] SMP ARM
[ 2.848990] Modules linked in:
[ 2.852061] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.8.0-next-20240305-gd95fcdf4961d #66
[ 2.860436] Hardware name: Broadcom STB (Flattened Device Tree)
[ 2.866371] PC is at brcmnand_read_by_pio+0x180/0x278
[ 2.871449] LR is at __wait_for_common+0x9c/0x1b0
[ 2.876178] pc : [<c094b6cc>] lr : [<c0e66310>] psr: 60000053
[ 2.882460] sp : f0811a80 ip : 00000012 fp : 00000000
[ 2.887699] r10: 00000000 r9 : 00000000 r8 : c3790000
[ 2.892936] r7 : 00000000 r6 : 00000000 r5 : c35db440 r4 : ffe00000
[ 2.899479] r3 : f15cb814 r2 : 00000000 r1 : 00000000 r0 : 00000000
The issue only happens when dma mode is disabled or not supported on STB
chip. The pio mode transfer calls brcmnand_read_data_bus function which
dereferences ctrl->soc->read_data_bus. But the soc member in STB chip is
NULL hence triggers the access violation. The function needs to check
the soc pointer first.
Fixes: 546e42599120 ("mtd: rawnand: brcmnand: Add BCMBCA read data bus interface")
Reported-by: Florian Fainelli <florian.fainelli@...adcom.com>
Tested-by: Florian Fainelli <florian.fainelli@...adcom.com>
Signed-off-by: William Zhang <william.zhang@...adcom.com>
---
drivers/mtd/nand/raw/brcmnand/brcmnand.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mtd/nand/raw/brcmnand/brcmnand.c b/drivers/mtd/nand/raw/brcmnand/brcmnand.c
index a8d12c71f987..1b2ec0fec60c 100644
--- a/drivers/mtd/nand/raw/brcmnand/brcmnand.c
+++ b/drivers/mtd/nand/raw/brcmnand/brcmnand.c
@@ -857,7 +857,7 @@ static inline void brcmnand_read_data_bus(struct brcmnand_controller *ctrl,
struct brcmnand_soc *soc = ctrl->soc;
int i;
- if (soc->read_data_bus) {
+ if (soc && soc->read_data_bus) {
soc->read_data_bus(soc, flash_cache, buffer, fc_words);
} else {
for (i = 0; i < fc_words; i++)
--
2.37.3
Powered by blists - more mailing lists