linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH next] mtd: maps: physmap: Fix infinite loop crash in ROM type probing
@ 2018-11-06 21:44 Geert Uytterhoeven
  2018-11-06 21:58 ` Boris Brezillon
  0 siblings, 1 reply; 5+ messages in thread
From: Geert Uytterhoeven @ 2018-11-06 21:44 UTC (permalink / raw)
  To: Ricardo Ribalda Delgado, David Woodhouse, Brian Norris,
	Boris Brezillon, Marek Vasut, Richard Weinberger, Linus Walleij
  Cc: linux-mtd, linux-mips, linux-kernel, Geert Uytterhoeven

On Toshiba RBTX4927, where map_probe is supposed to fail:

    Creating 2 MTD partitions on "physmap-flash.0":
    0x000000c00000-0x000001000000 : "boot"
    0x000000000000-0x000000c00000 : "user"
    physmap-flash physmap-flash.1: physmap platform flash device: [mem 0x1e000000-0x1effffff]
    CPU 0 Unable to handle kernel paging request at virtual address 00000000, epc == 80320f40, ra == 80321004
    ...
    Call Trace:
    [<80320f40>] get_mtd_chip_driver+0x30/0x8c
    [<80321004>] do_map_probe+0x20/0x90
    [<80328448>] physmap_flash_probe+0x484/0x4ec

The access to rom_probe_types[] was changed from a sentinel-based loop
to an infinite loop, causing a crash when reaching the sentinel.

Fix this by:
  - Removing the no longer needed sentinel,
  - Limiting the number of loop iterations to the actual number of ROM
    types.

Fixes: c7afe08496fa463e ("mtd: maps: physmap: Invert logic on if/else branch")
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
---
 drivers/mtd/maps/physmap-core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/mtd/maps/physmap-core.c b/drivers/mtd/maps/physmap-core.c
index 33b77bd9022ce251..e8c3b250d8421edc 100644
--- a/drivers/mtd/maps/physmap-core.c
+++ b/drivers/mtd/maps/physmap-core.c
@@ -396,7 +396,7 @@ static int physmap_flash_of_init(struct platform_device *dev)
 #endif /* IS_ENABLED(CONFIG_MTD_PHYSMAP_OF) */
 
 static const char * const rom_probe_types[] = {
-	"cfi_probe", "jedec_probe", "qinfo_probe", "map_rom", NULL
+	"cfi_probe", "jedec_probe", "qinfo_probe", "map_rom",
 };
 
 static const char * const part_probe_types[] = {
@@ -524,7 +524,7 @@ static int physmap_flash_probe(struct platform_device *dev)
 		} else {
 			int j;
 
-			for (j = 0; ARRAY_SIZE(rom_probe_types); j++) {
+			for (j = 0; j < ARRAY_SIZE(rom_probe_types); j++) {
 				info->mtds[i] = do_map_probe(rom_probe_types[j],
 							     &info->maps[i]);
 				if (info->mtds[i])
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 5+ messages in thread
* Re: [PATCH next] mtd: maps: physmap: Fix infinite loop crash in ROM type probing
  2018-11-06 21:44 [PATCH next] mtd: maps: physmap: Fix infinite loop crash in ROM type probing Geert Uytterhoeven
@ 2018-11-06 21:58 ` Boris Brezillon
  2018-11-06 22:19   ` Geert Uytterhoeven
  0 siblings, 1 reply; 5+ messages in thread
From: Boris Brezillon @ 2018-11-06 21:58 UTC (permalink / raw)
  To: Geert Uytterhoeven
  Cc: Ricardo Ribalda Delgado, David Woodhouse, Brian Norris,
	Marek Vasut, Richard Weinberger, Linus Walleij, linux-mtd,
	linux-mips, linux-kernel

On Tue,  6 Nov 2018 22:44:16 +0100
Geert Uytterhoeven <geert@linux-m68k.org> wrote:

> On Toshiba RBTX4927, where map_probe is supposed to fail:
> 
>     Creating 2 MTD partitions on "physmap-flash.0":
>     0x000000c00000-0x000001000000 : "boot"
>     0x000000000000-0x000000c00000 : "user"
>     physmap-flash physmap-flash.1: physmap platform flash device: [mem 0x1e000000-0x1effffff]
>     CPU 0 Unable to handle kernel paging request at virtual address 00000000, epc == 80320f40, ra == 80321004
>     ...
>     Call Trace:
>     [<80320f40>] get_mtd_chip_driver+0x30/0x8c
>     [<80321004>] do_map_probe+0x20/0x90
>     [<80328448>] physmap_flash_probe+0x484/0x4ec
> 
> The access to rom_probe_types[] was changed from a sentinel-based loop
> to an infinite loop, causing a crash when reaching the sentinel.

Oops. Do you mind if I fix that in-place (squash your changes in
Ricardo's original commit)?

> 
> Fix this by:
>   - Removing the no longer needed sentinel,
>   - Limiting the number of loop iterations to the actual number of ROM
>     types.
> 
> Fixes: c7afe08496fa463e ("mtd: maps: physmap: Invert logic on if/else branch")
> Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
> ---
>  drivers/mtd/maps/physmap-core.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/mtd/maps/physmap-core.c b/drivers/mtd/maps/physmap-core.c
> index 33b77bd9022ce251..e8c3b250d8421edc 100644
> --- a/drivers/mtd/maps/physmap-core.c
> +++ b/drivers/mtd/maps/physmap-core.c
> @@ -396,7 +396,7 @@ static int physmap_flash_of_init(struct platform_device *dev)
>  #endif /* IS_ENABLED(CONFIG_MTD_PHYSMAP_OF) */
>  
>  static const char * const rom_probe_types[] = {
> -	"cfi_probe", "jedec_probe", "qinfo_probe", "map_rom", NULL
> +	"cfi_probe", "jedec_probe", "qinfo_probe", "map_rom",
>  };
>  
>  static const char * const part_probe_types[] = {
> @@ -524,7 +524,7 @@ static int physmap_flash_probe(struct platform_device *dev)
>  		} else {
>  			int j;
>  
> -			for (j = 0; ARRAY_SIZE(rom_probe_types); j++) {
> +			for (j = 0; j < ARRAY_SIZE(rom_probe_types); j++) {
>  				info->mtds[i] = do_map_probe(rom_probe_types[j],
>  							     &info->maps[i]);
>  				if (info->mtds[i])


^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH next] mtd: maps: physmap: Fix infinite loop crash in ROM type probing
  2018-11-06 21:58 ` Boris Brezillon
@ 2018-11-06 22:19   ` Geert Uytterhoeven
  2018-11-06 22:34     ` Boris Brezillon
  0 siblings, 1 reply; 5+ messages in thread
From: Geert Uytterhoeven @ 2018-11-06 22:19 UTC (permalink / raw)
  To: Boris Brezillon
  Cc: Ricardo Ribalda Delgado, David Woodhouse, Brian Norris,
	Marek Vasut, Richard Weinberger, Linus Walleij, MTD Maling List,
	Linux MIPS Mailing List, Linux Kernel Mailing List

Hi Boris,

On Tue, Nov 6, 2018 at 10:58 PM Boris Brezillon
<boris.brezillon@bootlin.com> wrote:
> On Tue,  6 Nov 2018 22:44:16 +0100
> Geert Uytterhoeven <geert@linux-m68k.org> wrote:
> > On Toshiba RBTX4927, where map_probe is supposed to fail:
> >
> >     Creating 2 MTD partitions on "physmap-flash.0":
> >     0x000000c00000-0x000001000000 : "boot"
> >     0x000000000000-0x000000c00000 : "user"
> >     physmap-flash physmap-flash.1: physmap platform flash device: [mem 0x1e000000-0x1effffff]
> >     CPU 0 Unable to handle kernel paging request at virtual address 00000000, epc == 80320f40, ra == 80321004
> >     ...
> >     Call Trace:
> >     [<80320f40>] get_mtd_chip_driver+0x30/0x8c
> >     [<80321004>] do_map_probe+0x20/0x90
> >     [<80328448>] physmap_flash_probe+0x484/0x4ec
> >
> > The access to rom_probe_types[] was changed from a sentinel-based loop
> > to an infinite loop, causing a crash when reaching the sentinel.
>
> Oops. Do you mind if I fix that in-place (squash your changes in
> Ricardo's original commit)?

No problem. Thanks!

Gr{oetje,eeting}s,

                        Geert

-- 
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH next] mtd: maps: physmap: Fix infinite loop crash in ROM type probing
  2018-11-06 22:19   ` Geert Uytterhoeven
@ 2018-11-06 22:34     ` Boris Brezillon
  2018-11-07  7:33       ` Ricardo Ribalda Delgado
  0 siblings, 1 reply; 5+ messages in thread
From: Boris Brezillon @ 2018-11-06 22:34 UTC (permalink / raw)
  To: Geert Uytterhoeven
  Cc: Ricardo Ribalda Delgado, David Woodhouse, Brian Norris,
	Marek Vasut, Richard Weinberger, Linus Walleij, MTD Maling List,
	Linux MIPS Mailing List, Linux Kernel Mailing List

On Tue, 6 Nov 2018 23:19:14 +0100
Geert Uytterhoeven <geert@linux-m68k.org> wrote:

> Hi Boris,
> 
> On Tue, Nov 6, 2018 at 10:58 PM Boris Brezillon
> <boris.brezillon@bootlin.com> wrote:
> > On Tue,  6 Nov 2018 22:44:16 +0100
> > Geert Uytterhoeven <geert@linux-m68k.org> wrote:  
> > > On Toshiba RBTX4927, where map_probe is supposed to fail:
> > >
> > >     Creating 2 MTD partitions on "physmap-flash.0":
> > >     0x000000c00000-0x000001000000 : "boot"
> > >     0x000000000000-0x000000c00000 : "user"
> > >     physmap-flash physmap-flash.1: physmap platform flash device: [mem 0x1e000000-0x1effffff]
> > >     CPU 0 Unable to handle kernel paging request at virtual address 00000000, epc == 80320f40, ra == 80321004
> > >     ...
> > >     Call Trace:
> > >     [<80320f40>] get_mtd_chip_driver+0x30/0x8c
> > >     [<80321004>] do_map_probe+0x20/0x90
> > >     [<80328448>] physmap_flash_probe+0x484/0x4ec
> > >
> > > The access to rom_probe_types[] was changed from a sentinel-based loop
> > > to an infinite loop, causing a crash when reaching the sentinel.  
> >
> > Oops. Do you mind if I fix that in-place (squash your changes in
> > Ricardo's original commit)?

Done.

> 
> No problem. Thanks!

Thanks for reporting/fixing the bug.

Boris


^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH next] mtd: maps: physmap: Fix infinite loop crash in ROM type probing
  2018-11-06 22:34     ` Boris Brezillon
@ 2018-11-07  7:33       ` Ricardo Ribalda Delgado
  0 siblings, 0 replies; 5+ messages in thread
From: Ricardo Ribalda Delgado @ 2018-11-07  7:33 UTC (permalink / raw)
  To: Boris Brezillon
  Cc: Geert Uytterhoeven, David Woodhouse, Brian Norris, Marek Vasut,
	Richard Weinberger, Linus Walleij, linux-mtd, linux-mips, LKML

Hi Boris and Geert

On Tue, Nov 6, 2018 at 11:34 PM Boris Brezillon
<boris.brezillon@bootlin.com> wrote:
>
> On Tue, 6 Nov 2018 23:19:14 +0100
> Geert Uytterhoeven <geert@linux-m68k.org> wrote:
>
> > Hi Boris,
> >
> > On Tue, Nov 6, 2018 at 10:58 PM Boris Brezillon
> > <boris.brezillon@bootlin.com> wrote:
> > > On Tue,  6 Nov 2018 22:44:16 +0100
> > > Geert Uytterhoeven <geert@linux-m68k.org> wrote:
> > > > On Toshiba RBTX4927, where map_probe is supposed to fail:
> > > >
> > > >     Creating 2 MTD partitions on "physmap-flash.0":
> > > >     0x000000c00000-0x000001000000 : "boot"
> > > >     0x000000000000-0x000000c00000 : "user"
> > > >     physmap-flash physmap-flash.1: physmap platform flash device: [mem 0x1e000000-0x1effffff]
> > > >     CPU 0 Unable to handle kernel paging request at virtual address 00000000, epc == 80320f40, ra == 80321004
> > > >     ...
> > > >     Call Trace:
> > > >     [<80320f40>] get_mtd_chip_driver+0x30/0x8c
> > > >     [<80321004>] do_map_probe+0x20/0x90
> > > >     [<80328448>] physmap_flash_probe+0x484/0x4ec
> > > >
> > > > The access to rom_probe_types[] was changed from a sentinel-based loop
> > > > to an infinite loop, causing a crash when reaching the sentinel.
> > >
> > > Oops. Do you mind if I fix that in-place (squash your changes in
> > > Ricardo's original commit)?
>
> Done.
>
> >
> > No problem. Thanks!
>

Thanks to both of you for fixing this .
> Thanks for reporting/fixing the bug.
>
> Boris
>


-- 
Ricardo Ribalda

^ permalink raw reply	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2018-11-07  7:34 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-11-06 21:44 [PATCH next] mtd: maps: physmap: Fix infinite loop crash in ROM type probing Geert Uytterhoeven
2018-11-06 21:58 ` Boris Brezillon
2018-11-06 22:19   ` Geert Uytterhoeven
2018-11-06 22:34     ` Boris Brezillon
2018-11-07  7:33       ` Ricardo Ribalda Delgado

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).