Message-ID:
 <MN2PR03MB49271E2D022D305BC149BA4FC624A@MN2PR03MB4927.namprd03.prod.outlook.com>
Date: Wed, 30 Jul 2025 07:46:14 +0000
From: "Romli, Khairul Anuar" <khairul.anuar.romli@...era.com>
To: Michael Walle <mwalle@...nel.org>, Tudor Ambarus
	<tudor.ambarus@...aro.org>, Pratyush Yadav <pratyush@...nel.org>, Miquel
 Raynal <miquel.raynal@...tlin.com>, Richard Weinberger <richard@....at>,
	Vignesh Raghavendra <vigneshr@...com>, "open list:SPI NOR SUBSYSTEM"
	<linux-mtd@...ts.infradead.org>, open list <linux-kernel@...r.kernel.org>,
	"Gerlach, Matthew" <matthew.gerlach@...era.com>
Subject: RE: [PATCH v3 1/1] mtd: spi-nor: core: Prevent oops during driver
 removal with active read or write operations



> -----Original Message-----
> From: Michael Walle <mwalle@...nel.org>
> Sent: Wednesday, 30 July, 2025 3:30 PM
> To: Romli, Khairul Anuar <khairul.anuar.romli@...era.com>; Tudor Ambarus
> <tudor.ambarus@...aro.org>; Pratyush Yadav <pratyush@...nel.org>; Miquel
> Raynal <miquel.raynal@...tlin.com>; Richard Weinberger <richard@....at>;
> Vignesh Raghavendra <vigneshr@...com>; open list:SPI NOR SUBSYSTEM
> <linux-mtd@...ts.infradead.org>; open list <linux-kernel@...r.kernel.org>;
> Gerlach, Matthew <matthew.gerlach@...era.com>
> Subject: Re: [PATCH v3 1/1] mtd: spi-nor: core: Prevent oops during driver
> removal with active read or write operations
> 
> Hi,
> 
> On Wed Jul 30, 2025 at 3:39 AM CEST, Khairul Anuar Romli wrote:
> > From: kromli <khairul.anuar.romli@...era.com>
> >
> > Ensure that the pointer passed to module_put() in spi_nor_put_device()
> > is not NULL before use. This change adds a guard clause to return
> > early, preventing the kernel crash below when the cadence-qspi driver
> > is removed during a dd operation:
> 
> As already asked in v2, this needs a (more detailed) description of what is
> going on and what is going wrong.
> 
> -michael

Hi,

We just ran the following test and observed the crash.

time dd if=/dev/mtd1 of=out.img bs=1MB count=1000 &
echo spi0.0 > /sys/bus/spi/drivers/spi-nor/unbind
echo spi0.0 > /sys/bus/spi/drivers/spi-nor/bind

From the observation, the dd is not entirely terminated when the unbind took place.
Maybe there are other changes required to ensure the dd operation gets terminated
on driver unbind/remove.

> > [  200.448732] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
> > [  200.457576] Mem abort info:
> > [  200.460370]   ESR = 0x0000000096000004
> > [  200.464136]   EC = 0x25: DABT (current EL), IL = 32 bits
> > [  200.469527]   SET = 0, FnV = 0
> > [  200.472609]   EA = 0, S1PTW = 0
> > [  200.475904]   FSC = 0x04: level 0 translation fault
> > [  200.480786] Data abort info:
> > [  200.483659]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
> > [  200.489141]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
> > [  200.494189]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
> > [  200.499500] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000185df8000
> > [  200.505932] [0000000000000010] pgd=0000000000000000, p4d=0000000000000000
> > [  200.512720] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
> > [  200.518968] Modules linked in: 8021q garp mrp stp llc bluetooth ecdh_generic ecc rfkill crct10dif_ce rtc_ds1307 at24 stratix10_soc soc64_hwmon gpio_altera of_fpga_region fpga_region fpga_bridge uio_pdrv_genirq uio fuse drm backlight ipv6
> > [  200.540016] CPU: 0 UID: 0 PID: 372 Comm: dd Not tainted 6.12.19-altera-gb6b26c4179a6 #1
> > [  200.547996] Hardware name: SoCFPGA Stratix 10 SoCDK (DT)
> > [  200.553292] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> > [  200.560234] pc : spi_nor_put_device+0x30/0x60
> > [  200.564594] lr : __put_mtd_device+0x8c/0x120
> > [  200.568856] sp : ffff80008411bc20
> > [  200.572161] x29: ffff80008411bc20 x28: ffff000185e2c500 x27: 0000000000000000
> > [  200.579282] x26: 0000000000000000 x25: ffff000185e2cb00 x24: ffff000185e2cc88
> > [  200.586404] x23: ffff00018034c620 x22: 0000000000000001 x21: ffff00018873e080
> > [  200.593524] x20: 0000000000000000 x19: ffff00018873e080 x18: ffffffffffffffff
> > [  200.600645] x17: 0030393d524f4a41 x16: 4d0064746d3d4d45 x15: ffff000185757700
> > [  200.607767] x14: 0000000000000000 x13: ffff000180045010 x12: ffff0001857576c0
> > [  200.614888] x11: 000000000000003a x10: ffff000180045018 x9 : ffff000180045010
> > [  200.622009] x8 : ffff80008411bb70 x7 : 0000000000000000 x6 : ffff000181325048
> > [  200.629129] x5 : 00000000820001cf x4 : fffffdffc60095e0 x3 : 0000000000000000
> > [  200.636250] x2 : 0000000000000000 x1 : ffff00018873e080 x0 : 0000000000000000
> > [  200.643371] Call trace:
> > [  200.645811]  spi_nor_put_device+0x30/0x60
> > [  200.649816]  __put_mtd_device+0x8c/0x120
> > [  200.653731]  put_mtd_device+0x30/0x48
> > [  200.657387]  mtdchar_close+0x30/0x78
> > [  200.660958]  __fput+0xc8/0x2d0
> > [  200.664011]  ____fput+0x14/0x20
> > [  200.667146]  task_work_run+0x70/0xdc
> > [  200.670718]  do_exit+0x2b4/0x8e4
> > [  200.673944]  do_group_exit+0x34/0x90
> > [  200.677512]  pid_child_should_wake+0x0/0x60
> > [  200.681686]  invoke_syscall+0x48/0x104
> > [  200.685432]  el0_svc_common.constprop.0+0xc0/0xe0
> > [  200.690128]  do_el0_svc+0x1c/0x28
> > [  200.693439]  el0_svc+0x30/0xcc
> > [  200.696454] dw_mmc ff808000.mmc: Unexpected interrupt latency
> > [  200.696485]  el0t_64_sync_handler+0x120/0x12c
> > [  200.706552]  el0t_64_sync+0x190/0x194
> > [  200.710213] Code: f9400000 f9417c00 f9402000 f9403400 (f9400800)
> > [  200.716290] ---[ end trace 0000000000000000 ]---
> > [  200.720948] Fixing recursive fault but reboot is needed!
> >
> > Fixes: be94215be1ab ("mtd: spi-nor: core: Fix an issue of releasing
> > resources during read/write")
> > CC: stable@...r.kernel.org # 6.12+
> > Signed-off-by: Khairul Anuar Romli <khairul.anuar.romli@...era.com>
> > Reviewed-by: Matthew Gerlach <matthew.gerlach@...era.com>
> > ---
> > Changes in v3:
> >     - exclude !dev && !dev->driver check in spi_nor_get_device to
> >       resolve kernel test robot smatch warnings.
> > Changes in v2:
> >     - Move the null check prior to try_module_get().
> > ---
> >  drivers/mtd/spi-nor/core.c | 6 +++++-
> >  1 file changed, 5 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/mtd/spi-nor/core.c b/drivers/mtd/spi-nor/core.c
> > index ac4b960101cc..eb21d660036b 100644
> > --- a/drivers/mtd/spi-nor/core.c
> > +++ b/drivers/mtd/spi-nor/core.c
> > @@ -3210,6 +3210,9 @@ static int spi_nor_get_device(struct mtd_info
> *mtd)
> >  	else
> >  		dev = nor->dev;
> >
> > +	if (!dev->driver->owner)
> > +		return -EINVAL;
> > +
> >  	if (!try_module_get(dev->driver->owner))
> >  		return -ENODEV;
> >
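
Review bot: The added `if (!dev->driver->owner)` test in spi_nor_get_device() dereferences dev->driver without first checking dev or dev->driver, while the put path in the next hunk guards all three, so if dev->driver can be NULL at this point the new check faults in the same way as the reported oops. It also returns -EINVAL where the adjacent try_module_get() failure returns -ENODEV, and the commit message gives no reason why a NULL owner should fail the get. Suggest either dropping this hunk or stating in the commit message which pointer is expected to be NULL here and why, and making the checks in the get and put paths consistent.
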
> > @@ -3227,7 +3230,8 @@ static void spi_nor_put_device(struct mtd_info
> *mtd)
> >  	else
> >  		dev = nor->dev;
> >
> > -	module_put(dev->driver->owner);
> > +	if (dev && dev->driver && dev->driver->owner)
> > +		module_put(dev->driver->owner);
> >  }
> >
> >  static void spi_nor_restore(struct spi_nor *nor)
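
Review bot: When the new guard `if (dev && dev->driver && dev->driver->owner)` in spi_nor_put_device() fails, module_put() is skipped and the reference taken by try_module_get() in spi_nor_get_device() is never dropped, so the change trades the oops for an unbalanced module reference. Nothing in the hunk serialises the three reads of dev->driver against the unbind described in the commit message, so the pointer can still change between the check and the module_put() argument. Suggest putting the same owner pointer that was pinned at get time instead of re-reading dev->driver->owner, and describing in the commit message how dev->driver becomes NULL while the MTD device is still open.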
