Message-ID: <8140244d-81d8-6837-7fb9-728b042c115f@quicinc.com>
Date: Mon, 18 Apr 2022 10:49:43 +0530
Subject: Re: [PATCH V2] mtd: rawnand: qcom: fix memory corruption that causes panic
From: Md Sadre Alam
To: Manivannan Sadhasivam, Miquel Raynal
References: <1649950217-32272-1-git-send-email-quic_mdalam@quicinc.com> <20220414173642.56baedf5@xps13> <20220414155319.GB20493@thinkpad>
In-Reply-To: <20220414155319.GB20493@thinkpad>
X-Mailing-List: linux-kernel@vger.kernel.org

On 4/14/2022 9:23 PM, Manivannan Sadhasivam wrote:
>
> On Thu, Apr 14, 2022 at 05:36:42PM +0200, Miquel Raynal wrote:
>> Hi Md,
>>
>> quic_mdalam@quicinc.com wrote on Thu, 14 Apr 2022 21:00:17 +0530:
>>
>>> This patch fixes a memory corruption that occurred in the
>>> nand_scan() path for a Hynix nand device.
>>>
>>> On boot, a Hynix nand device will panic at a weird place:
>>> | Unable to handle kernel NULL pointer dereference at virtual address 00000070
>>> | [00000070] *pgd=00000000
>>> | Internal error: Oops: 5 [#1] PREEMPT SMP ARM
>>> | Modules linked in:
>>> | CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.17.0-01473-g13ae1769cfb0 #38
>>> | Hardware name: Generic DT based system
>>> | PC is at nandc_set_reg+0x8/0x1c
>>> | LR is at qcom_nandc_command+0x20c/0x5d0
>>> | pc : [] lr : [] psr: 00000113
>>> | sp : c14adc50 ip : c14ee208 fp : c0cc970c
>>> | r10: 000000a3 r9 : 00000000 r8 : 00000040
>>> | r7 : c16f6a00 r6 : 00000090 r5 : 00000004 r4 : c14ee040
>>> | r3 : 00000000 r2 : 0000000b r1 : 00000000 r0 : c14ee040
>>> | Flags: nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
>>> | Control: 10c5387d Table: 8020406a DAC: 00000051
>>> | Register r0 information: slab kmalloc-2k start c14ee000 pointer offset 64 size 2048
>>> | Process swapper/0 (pid: 1, stack limit = 0x(ptrval))
>>> | nandc_set_reg from qcom_nandc_command+0x20c/0x5d0
>>> | qcom_nandc_command from nand_readid_op+0x198/0x1e8
>>> | nand_readid_op from hynix_nand_has_valid_jedecid+0x30/0x78
>>> | hynix_nand_has_valid_jedecid from hynix_nand_init+0xb8/0x454
>>> | hynix_nand_init from nand_scan_with_ids+0xa30/0x14a8
>>> | nand_scan_with_ids from qcom_nandc_probe+0x648/0x7b0
>>> | qcom_nandc_probe from platform_probe+0x58/0xac
>>>
>>> The problem is that the nand_scan()'s qcom_nand_attach_chip callback
>>> is updating the nandc->max_cwperpage from 1 to 4. This causes the
>>> sg_init_table of clear_bam_transaction() in the driver's
>>> qcom_nandc_command() to memset much more than what was initially
>>> allocated by alloc_bam_transaction().
>>>
>>> This patch will update nandc->max_cwperpage from 1 to 4 after nand_scan()
>>> returns, and remove updating nandc->max_cwperpage from the
>>> qcom_nand_attach_chip callback.
>>
>> Please update also the commit log.
>>
>> Fixes: ?
>> Cc: stable ?
>
> Also please add Reported-by to credit Konrad.

Updated in V3 patch.

>
> Thanks,
> Mani
>
>>> Signed-off-by: Md Sadre Alam
>>> Signed-off-by: Sricharan R
>>> ---
>>> [V2]
>>
>> Thanks,
>> Miquèl
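The failure the commit message describes (a transaction buffer sized from nandc->max_cwperpage, the field raised from 1 to 4 by the attach_chip callback while nand_scan() is still running, and a later clear sized from the raised value) is an instance of a general pattern: a size field read once at allocation time and again at use time, with nothing tying the two reads together. The following is an added illustration, not code from the patch or from the qcom_nandc driver. It borrows the names max_cwperpage, alloc_bam_transaction and clear_bam_transaction from the message, but the struct layout, the SG_PER_CW and SG_ENTRY_SIZE constants and the return codes are assumptions chosen for the example. It measures the overrun in bytes instead of performing it, and shows two defences: sizing the clear from the capacity recorded at allocation and refusing a stale buffer, and the ordering the patch adopts, changing the field only after the scan completes and then reallocating.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the pattern in the commit message: a buffer sized from
 * max_cwperpage at allocation, the field raised 1 -> 4 during nand_scan(), and
 * a later clear sized from the raised value. Struct layout, SG_PER_CW,
 * SG_ENTRY_SIZE and return codes are assumptions, not the real driver's. */
#define SG_PER_CW	8	/* assumed sg entries per codeword */
#define SG_ENTRY_SIZE	16	/* assumed bytes per sg entry */

struct bam_transaction {
	size_t cwperpage;	/* capacity the buffer was sized for */
	size_t nbytes;		/* bytes actually allocated for sg */
	unsigned char *sg;	/* stand-in for the scatterlist arrays */
};

struct nandc {
	size_t max_cwperpage;	/* sizing field the attach_chip callback bumped */
	struct bam_transaction *bam_txn;
};

static struct bam_transaction *alloc_bam_transaction(struct nandc *nandc)
{
	struct bam_transaction *t = calloc(1, sizeof(*t));

	if (!t)
		return NULL;
	t->cwperpage = nandc->max_cwperpage;
	t->nbytes = t->cwperpage * SG_PER_CW * SG_ENTRY_SIZE;
	t->sg = calloc(1, t->nbytes);
	if (!t->sg) {
		free(t);
		return NULL;
	}
	return t;
}

static void free_bam_transaction(struct nandc *nandc)
{
	if (!nandc->bam_txn)
		return;
	free(nandc->bam_txn->sg);
	free(nandc->bam_txn);
	nandc->bam_txn = NULL;
}

/* Buggy shape: length derived from the live field. Returned rather than
 * passed to memset, so the overrun can be measured instead of committed. */
static size_t unsafe_clear_len(const struct nandc *nandc)
{
	return nandc->max_cwperpage * SG_PER_CW * SG_ENTRY_SIZE;
}

/* Hardened shape: clear exactly what was allocated, and refuse when the
 * caller grew max_cwperpage without reallocating. */
static int clear_bam_transaction(struct nandc *nandc)
{
	struct bam_transaction *t = nandc->bam_txn;

	if (!t)
		return -1;
	if (nandc->max_cwperpage != t->cwperpage)
		return -2;	/* stale allocation: reallocate first */
	memset(t->sg, 0, t->nbytes);
	return 0;
}

/* Mid-scan bump as in the oops; returns bytes the unsafe clear would overrun. */
static size_t overrun_when_bumped_mid_scan(void)
{
	struct nandc nandc = { .max_cwperpage = 1 };
	size_t overrun;

	nandc.bam_txn = alloc_bam_transaction(&nandc);
	if (!nandc.bam_txn)
		return 0;
	nandc.max_cwperpage = 4;	/* what the attach_chip callback did */
	overrun = unsafe_clear_len(&nandc) - nandc.bam_txn->nbytes;
	free_bam_transaction(&nandc);
	return overrun;
}

/* Ordering from the patch: touch the field only after nand_scan() returns,
 * then size a fresh transaction. Returns the final allocation size, or 0 if
 * a step fails or the stale clear is not refused. */
static size_t fixed_probe_final_nbytes(void)
{
	struct nandc nandc = { .max_cwperpage = 1 };
	size_t nbytes = 0;
	int ok;

	nandc.bam_txn = alloc_bam_transaction(&nandc);
	if (!nandc.bam_txn)
		return 0;
	ok = clear_bam_transaction(&nandc) == 0;		/* READID during scan */
	nandc.max_cwperpage = 4;				/* after nand_scan() */
	ok = ok && clear_bam_transaction(&nandc) == -2;		/* stale: refused */
	free_bam_transaction(&nandc);
	nandc.bam_txn = alloc_bam_transaction(&nandc);
	if (ok && nandc.bam_txn && clear_bam_transaction(&nandc) == 0)
		nbytes = nandc.bam_txn->nbytes;
	free_bam_transaction(&nandc);
	return nbytes;
}
```

With the assumed sizes, a buffer allocated for one codeword holds 128 bytes while a clear sized for four codewords writes 512, so the unsafe path runs 384 bytes past the allocation into whatever neighbours the slab object has, which matches the corrupted-pointer oops in the report rather than a crash at the memset itself. Recording the capacity in the transaction object turns that silent overwrite into a returned error at the first stale use, which is the check worth keeping even once the field is only updated after the scan.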