Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-11-24 21:21:41 +00:00
Code Issues Packages Projects Releases Wiki Activity
2ff46e6fea
linux/drivers/mtd
History
Brian Norris 2ff46e6fea mtd: spi-nor: fix NULL dereference when no match found in spi_nor_ids[] 
Commit 06bb6f5a69 ("mtd: spi-nor: stop (ab)using struct
spi_device_id") converted an array into a pointer, which means that
we should be checking if the pointer goes anywhere, not whether the C
string is empty. To do the latter means we dereference a NULL pointer
when we reach the terminating entry, for which 'name' is now NULL
instead of an array { 0, 0, ... }.

Sample crash:

[    1.101371] Unable to handle kernel NULL pointer dereference at virtual address 00000000
[    1.109457] pgd = c0004000
[    1.112157] [00000000] *pgd=00000000
[    1.115736] Internal error: Oops: 5 [#1] SMP ARM
[    1.120345] Modules linked in:
[    1.123405] CPU: 3 PID: 1 Comm: swapper/0 Not tainted 4.2.0-next-20150902+ #61
[    1.130611] Hardware name: Rockchip (Device Tree)
[    1.135306] task: ee0b8d40 ti: ee0ba000 task.ti: ee0ba000
[    1.140697] PC is at spi_nor_scan+0x90/0x8c4
[    1.144958] LR is at spi_nor_scan+0xa4/0x8c4
...
[    1.504112] [<c03cc2e0>] (spi_nor_scan) from [<c03cb188>] (m25p_probe+0xc8/0x11c)
[    1.511583] [<c03cb188>] (m25p_probe) from [<c03cd9d8>] (spi_drv_probe+0x60/0x7c)
[    1.519055] [<c03cd9d8>] (spi_drv_probe) from [<c037faa0>] (driver_probe_device+0x1a0/0x444)
[    1.527478] [<c037faa0>] (driver_probe_device) from [<c037fec8>] (__device_attach_driver+0x94/0xa0)
[    1.536507] [<c037fec8>] (__device_attach_driver) from [<c037db3c>] (bus_for_each_drv+0x94/0xa4)
[    1.545277] [<c037db3c>] (bus_for_each_drv) from [<c037f7e4>] (__device_attach+0xa4/0x144)
[    1.553526] [<c037f7e4>] (__device_attach) from [<c0380058>] (device_initial_probe+0x1c/0x20)
[    1.562035] [<c0380058>] (device_initial_probe) from [<c037ec88>] (bus_probe_device+0x38/0x94)
[    1.570631] [<c037ec88>] (bus_probe_device) from [<c037ccf4>] (device_add+0x430/0x558)
[    1.578534] [<c037ccf4>] (device_add) from [<c03d0240>] (spi_add_device+0xe4/0x174)
[    1.586178] [<c03d0240>] (spi_add_device) from [<c03d0a24>] (spi_register_master+0x698/0x7d4)
[    1.594688] [<c03d0a24>] (spi_register_master) from [<c03d0ba0>] (devm_spi_register_master+0x40/0x7c)
[    1.603892] [<c03d0ba0>] (devm_spi_register_master) from [<c03d2fb4>] (rockchip_spi_probe+0x360/0x3f4)
[    1.613182] [<c03d2fb4>] (rockchip_spi_probe) from [<c0381e34>] (platform_drv_probe+0x58/0xa8)
[    1.621779] [<c0381e34>] (platform_drv_probe) from [<c037faa0>] (driver_probe_device+0x1a0/0x444)
[    1.630635] [<c037faa0>] (driver_probe_device) from [<c037fdc4>] (__driver_attach+0x80/0xa4)
[    1.639058] [<c037fdc4>] (__driver_attach) from [<c037e850>] (bus_for_each_dev+0x98/0xac)
[    1.647221] [<c037e850>] (bus_for_each_dev) from [<c037f448>] (driver_attach+0x28/0x30)
[    1.655210] [<c037f448>] (driver_attach) from [<c037ef74>] (bus_add_driver+0x128/0x250)
[    1.663200] [<c037ef74>] (bus_add_driver) from [<c0380c40>] (driver_register+0xac/0xf0)
[    1.671191] [<c0380c40>] (driver_register) from [<c0381d50>] (__platform_driver_register+0x58/0x6c)
[    1.680221] [<c0381d50>] (__platform_driver_register) from [<c0a467c8>] (rockchip_spi_driver_init+0x18/0x20)
[    1.690033] [<c0a467c8>] (rockchip_spi_driver_init) from [<c00098a4>] (do_one_initcall+0x124/0x1dc)
[    1.699063] [<c00098a4>] (do_one_initcall) from [<c0a19f84>] (kernel_init_freeable+0x218/0x2ec)
[    1.707748] [<c0a19f84>] (kernel_init_freeable) from [<c0719ed8>] (kernel_init+0x1c/0xf4)
[    1.715912] [<c0719ed8>] (kernel_init) from [<c000fe50>] (ret_from_fork+0x14/0x24)
[    1.723460] Code: e3510000 159f67c0 0a00000c e5961000 (e5d13000)
[    1.729564] ---[ end trace 95baa6b3b861ce25 ]---

Fixes: 06bb6f5a69 ("mtd: spi-nor: stop (ab)using struct spi_device_id")
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Cc: Rafał Miłecki <zajec5@gmail.com>
2015-09-02 16:34:35 -07:00
..
chips mtd: chips: fixup dependencies, to prevent build error 2015-05-28 11:07:48 -07:00
devices mtd: dataflash: Export OF module alias information 2015-08-21 18:01:42 -07:00
lpddr mtd: lpddr: fix Kconfig dependency, for I/O accessors 2014-05-26 10:38:25 -07:00
maps mtd: physmap_of: fix null pointer deference when kzalloc returns null 2015-08-18 17:57:19 -07:00
nand mtd: nand: omap2: Rename shippable module to omap2_nand 2015-09-02 14:04:49 -07:00
onenand mtd: samsung: Constify platform_device_id 2015-05-07 00:13:24 -07:00
spi-nor mtd: spi-nor: fix NULL dereference when no match found in spi_nor_ids[] 2015-09-02 16:34:35 -07:00
tests mtd: mtd_oobtest: Fix the address offset with vary_offset case 2015-08-27 16:30:01 -07:00
ubi Minor merge needed, due to function move. 2015-07-01 10:49:25 -07:00
afs.c mtd: make register_mtd_parser return void 2014-01-03 11:22:22 -08:00
ar7part.c mtd: make register_mtd_parser return void 2014-01-03 11:22:22 -08:00
bcm47xxpart.c mtd: bcm47xxpart: support SquashFS with an original magic 2015-01-07 12:24:23 -08:00
bcm63xxpart.c mtd: make register_mtd_parser return void 2014-01-03 11:22:22 -08:00
cmdlinepart.c mtd: cmdlinepart: Spelling s/trucate/truncate/ 2014-07-02 15:17:15 -07:00
ftl.c mtd/ftl: fix the double free of the buffers allocated in build_maps() 2014-07-14 18:41:20 -07:00
inftlcore.c mtd: nand: add a helper to detect the nand type 2013-10-27 16:27:06 -07:00
inftlmount.c mtd: intflmount: fix off by one error in INFTL_dumpVUchains() 2014-11-05 13:19:21 -08:00
Kconfig mtd: part: Create the master device node when partitioned 2015-04-05 17:44:01 -07:00
Makefile mtd: spi-nor: shorten Kconfig naming 2014-04-14 11:23:01 -07:00
mtd_blkdevs.c mtd: blkdevs: fix switch-bool compilation warning 2015-08-25 13:58:10 -07:00
mtdblock_ro.c mtd: Move major number definitions to major.h 2013-11-06 23:32:59 -08:00
mtdblock.c mtd: mtdblock: remove the needless mtdblks_lock 2015-01-07 12:51:56 -08:00
mtdchar.c fs: introduce f_op->mmap_capabilities for nommu mmap support 2015-01-20 14:02:58 -07:00
mtdconcat.c MTD updates for 3.20-rc1 2015-02-18 08:01:44 -08:00
mtdcore.c mtd: propagate error codes from add_mtd_device() 2015-06-16 18:47:06 -07:00
mtdcore.h mtd: merge mtdchar module with mtdcore 2013-04-05 13:16:54 +01:00
mtdoops.c
mtdpart.c mtd: part: Remove partition overlap checks 2015-04-05 17:44:03 -07:00
mtdsuper.c mtd: Move major number definitions to major.h 2013-11-06 23:32:59 -08:00
mtdswap.c mtd: use __packed shorthand 2014-08-19 11:53:08 -07:00
nftlcore.c mtd: nand: add a helper to detect the nand type 2013-10-27 16:27:06 -07:00
nftlmount.c mtd: nftl: reorganize operations in condition check 2015-01-09 15:26:29 -08:00
ofpart.c mtd: make register_mtd_parser return void 2014-01-03 11:22:22 -08:00
redboot.c mtd: make register_mtd_parser return void 2014-01-03 11:22:22 -08:00
rfd_ftl.c mtd: remove some duplicative checks 2014-03-10 22:42:25 -07:00
sm_ftl.c mtd: sm_ftl: initialize error code 2014-08-19 11:53:07 -07:00
sm_ftl.h
ssfdc.c mtd: nand: add a helper to detect the nand type 2013-10-27 16:27:06 -07:00