WSL2-Linux-Kernel/drivers/mtd
Md Sadre Alam ba7542eb2d mtd: rawnand: qcom: fix memory corruption that causes panic
This patch fixes a memory corruption that occurred in the
nand_scan() path for Hynix nand device.

On boot, for Hynix nand device will panic at a weird place:
| Unable to handle kernel NULL pointer dereference at virtual
  address 00000070
| [00000070] *pgd=00000000
| Internal error: Oops: 5 [#1] PREEMPT SMP ARM
| Modules linked in:
| CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.17.0-01473-g13ae1769cfb0
  #38
| Hardware name: Generic DT based system
| PC is at nandc_set_reg+0x8/0x1c
| LR is at qcom_nandc_command+0x20c/0x5d0
| pc : [<c088b74c>]    lr : [<c088d9c8>]    psr: 00000113
| sp : c14adc50  ip : c14ee208  fp : c0cc970c
| r10: 000000a3  r9 : 00000000  r8 : 00000040
| r7 : c16f6a00  r6 : 00000090  r5 : 00000004  r4 :c14ee040
| r3 : 00000000  r2 : 0000000b  r1 : 00000000  r0 :c14ee040
| Flags: nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM Segment none
| Control: 10c5387d  Table: 8020406a  DAC: 00000051
| Register r0 information: slab kmalloc-2k start c14ee000 pointer offset
  64 size 2048
| Process swapper/0 (pid: 1, stack limit = 0x(ptrval))
| nandc_set_reg from qcom_nandc_command+0x20c/0x5d0
| qcom_nandc_command from nand_readid_op+0x198/0x1e8
| nand_readid_op from hynix_nand_has_valid_jedecid+0x30/0x78
| hynix_nand_has_valid_jedecid from hynix_nand_init+0xb8/0x454
| hynix_nand_init from nand_scan_with_ids+0xa30/0x14a8
| nand_scan_with_ids from qcom_nandc_probe+0x648/0x7b0
| qcom_nandc_probe from platform_probe+0x58/0xac

The problem is that the nand_scan()'s qcom_nand_attach_chip callback
is updating the nandc->max_cwperpage from 1 to 4 or 8 based on page size.
This causes the sg_init_table of clear_bam_transaction() in the driver's
qcom_nandc_command() to memset much more than what was initially
allocated by alloc_bam_transaction().

This patch will update nandc->max_cwperpage 1 to 4 or 8 based on page
size in qcom_nand_attach_chip call back after freeing the previously
allocated memory for bam txn as per nandc->max_cwperpage = 1 and then
again allocating bam txn as per nandc->max_cwperpage = 4 or 8 based on
page size in qcom_nand_attach_chip call back itself.

Cc: stable@vger.kernel.org
Fixes: 6a3cec64f1 ("mtd: rawnand: qcom: convert driver to nand_scan()")
Reported-by: Konrad Dybcio <konrad.dybcio@somainline.org>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Co-developed-by: Sricharan R <quic_srichara@quicinc.com>
Signed-off-by: Sricharan R <quic_srichara@quicinc.com>
Signed-off-by: Md Sadre Alam <quic_mdalam@quicinc.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/1650268107-5363-1-git-send-email-quic_mdalam@quicinc.com
2022-04-21 09:29:07 +02:00
..
chips mtd: gen_probe: Use bitmap_zalloc() when applicable 2021-12-09 17:52:29 +01:00
devices Core MTD changes: 2022-03-25 13:35:34 -07:00
hyperbus mtd: hyperbus: HBMC_AM654 should depend on ARCH_K3 2022-03-14 17:01:58 +01:00
lpddr mtd: lpddr: fix excessive stack usage with clang 2020-08-27 14:36:07 +02:00
maps MIPS: TXX9: Remove rbtx4939 board support 2022-01-02 14:10:40 +01:00
nand mtd: rawnand: qcom: fix memory corruption that causes panic 2022-04-21 09:29:07 +02:00
parsers SPI NOR core changes: 2022-03-18 20:14:42 +01:00
spi-nor Core MTD changes: 2022-03-25 13:35:34 -07:00
tests mtd: tests: Fix eraseblock read speed miscalculation for lower partition sizes 2022-03-14 17:01:47 +01:00
ubi This pull request contains fixes for JFFS2, UBI and UBIFS 2022-03-31 16:09:41 -07:00
Kconfig mtdblock: Add comment about UBI block devices 2021-08-06 22:05:13 +02:00
Makefile mtd: Support kmsg dumper based on pstore/blk 2020-05-31 19:49:01 -07:00
ftl.c mtd/ftl: don't cast away the type when calling add_mtd_blktrans_dev 2021-08-23 10:01:04 +02:00
inftlcore.c mtd: inftlcore: Use module_mtd_blktrans to register driver 2021-03-11 09:37:48 +01:00
inftlmount.c mtd: inftl: remove unnecessary oom message 2021-06-11 20:44:21 +02:00
mtd_blkdevs.c mtd_blkdevs: avoid soft lockups with some mtd/spi devices 2022-01-26 11:43:02 +01:00
mtdblock.c mtdblock: Warn if added for a NAND device 2021-08-17 18:41:59 +02:00
mtdblock_ro.c mtdblock: Warn if added for a NAND device 2021-08-17 18:41:59 +02:00
mtdchar.c mtdchar: prevent unbounded allocation in MEMWRITE ioctl 2021-12-09 17:52:29 +01:00
mtdconcat.c mtd: mtdconcat: Check _read, _write callbacks existence before assignment 2021-08-17 18:43:33 +02:00
mtdcore.c Char/Misc and other driver updates for 5.18-rc1 2022-03-28 12:27:35 -07:00
mtdcore.h mtd: Provide fs_context-aware mount_mtd() replacement 2019-09-05 14:34:23 -04:00
mtdoops.c mtd: mtdoops: remove unnecessary oom message 2021-06-11 20:43:46 +02:00
mtdpart.c mtd: Fixed breaking list in __mtd_del_partition. 2021-12-03 14:27:18 +01:00
mtdpstore.c pstore/blk: Include zone in pstore_device_info 2021-06-16 21:09:31 -07:00
mtdsuper.c mm: don't include <linux/blkdev.h> in <linux/backing-dev.h> 2021-10-18 06:17:01 -06:00
mtdswap.c block: remove genhd.h 2022-02-02 07:49:59 -07:00
nftlcore.c mtd: nftlcore: remove set but rewrite variables 2021-05-10 12:11:46 +02:00
nftlmount.c mtd: nftl: remove unnecessary oom message 2021-06-11 20:43:26 +02:00
rfd_ftl.c mtd/rfd_ftl: don't cast away the type when calling add_mtd_blktrans_dev 2021-08-23 10:01:06 +02:00
sm_ftl.c drivers: mtd: sm_ftl: Fix alignment of block comment 2021-05-10 12:49:00 +02:00
sm_ftl.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
ssfdc.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00