linux-imx/drivers
Linus Walleij 0b8479056e mtd: jedec_probe: Fix crash in jedec_read_mfr()
commit 87a73eb5b5 upstream.

It turns out that the loop where we read manufacturer
jedec_read_mfd() can under some circumstances get a
CFI_MFR_CONTINUATION repeatedly, making the loop go
over all banks and eventually hit the end of the
map and crash because of an access violation:

Unable to handle kernel paging request at virtual address c4980000
pgd = (ptrval)
[c4980000] *pgd=03808811, *pte=00000000, *ppte=00000000
Internal error: Oops: 7 [#1] PREEMPT ARM
CPU: 0 PID: 1 Comm: swapper Not tainted 4.16.0-rc1+ #150
Hardware name: Gemini (Device Tree)
PC is at jedec_probe_chip+0x6ec/0xcd0
LR is at 0x4
pc : [<c03a2bf4>]    lr : [<00000004>]    psr: 60000013
sp : c382dd18  ip : 0000ffff  fp : 00000000
r10: c0626388  r9 : 00020000  r8 : c0626340
r7 : 00000000  r6 : 00000001  r5 : c3a71afc  r4 : c382dd70
r3 : 00000001  r2 : c4900000  r1 : 00000002  r0 : 00080000
Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
Control: 0000397f  Table: 00004000  DAC: 00000053
Process swapper (pid: 1, stack limit = 0x(ptrval))

Fix this by breaking the loop with a return 0 if
the offset exceeds the map size.

Fixes: 5c9c11e1c4 ("[MTD] [NOR] Add support for flash chips with ID in bank other than 0")
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
2018-06-01 00:30:26 +01:00
accessibility
acpi ACPI: sbshc: remove raw pointer from printk() message 2018-03-03 15:51:08 +00:00
amba
ata libata: Make Crucial BX100 500GB LPM quirk apply to all firmware versions 2018-06-01 00:30:23 +01:00
atm skb: Add inline helper for getting the skb end offset from head 2014-06-09 13:29:00 +01:00
auxdisplay auxdisplay: ks0108: fix refcount 2015-10-13 03:46:05 +01:00
base sysfs/cpu: Add vulnerability folder 2018-03-19 18:58:29 +00:00
bcma bcma: use (get|put)_device when probing/removing device driver 2017-06-05 21:13:45 +01:00
block pktcdvd: Fix pkt_setup_dev() error path 2018-06-01 00:30:05 +01:00
bluetooth Bluetooth: Add another AR3012 04ca:3018 device 2017-06-05 21:13:49 +01:00
cdrom cdrom: information leak in cdrom_ioctl_media_changed() 2018-06-01 00:30:04 +01:00
char tpm_tis: fix potential buffer overruns caused by bit glitches on the bus 2018-06-01 00:30:19 +01:00
clk
clocksource
connector connector: bump skb->users before callback invocation 2016-05-01 00:05:24 +02:00
cpufreq cpufreq: speedstep-smi: enable interrupts when waiting 2015-05-09 23:16:16 +01:00
cpuidle
crypto crypto: n2 - cure use after free 2018-03-03 15:50:51 +00:00
dca
devfreq
dio
dma dmaengine: ep93xx: Always start from BASE0 2017-09-15 18:30:47 +01:00
edac x86/bitops: Move BIT_64() for a wider use 2018-03-19 18:58:25 +00:00
eisa EISA/PCI: Init EISA early, before PNP 2013-04-10 03:20:07 +01:00
firewire firewire: net: fix fragmented datagram_size off-by-one 2017-02-23 03:50:58 +00:00
firmware firmware: dmi_scan: Fix handling of empty DMI strings 2018-06-01 00:30:12 +01:00
gpio gpio: tegra: fix unbalanced chained_irq_enter/exit 2017-11-11 13:34:28 +00:00
gpu drm/radeon: Don't turn off DP sink when disconnected 2018-06-01 00:30:22 +01:00
hid HID: roccat: prevent an out of bounds read in kovaplus_profile_activated() 2018-06-01 00:30:10 +01:00
hv x86/retpoline/hyperv: Convert assembler indirect jumps 2018-03-19 18:58:32 +00:00
hwmon hwmon: (pmbus) Use 64bit math for DIRECT format values 2018-03-03 15:50:39 +00:00
hwspinlock hwspinlock: fix __hwspin_lock_request error path 2013-04-25 20:25:32 +01:00
i2c i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA 2018-03-03 15:51:01 +00:00
ide
idle intel_idle: Fix a cast to pointer from integer of different size warning in intel_idle 2017-11-11 13:34:44 +00:00
ieee802154
infiniband RDMA/ucma: Check that device exists prior to accessing it 2018-06-01 00:30:26 +01:00
input Input: matrix_keypad - fix race when disabling interrupts 2018-06-01 00:30:14 +01:00
iommu iommu/vt-d: Fix scatterlist offset handling 2018-03-03 15:50:37 +00:00
isdn isdn: hfcpci_softirq: get func return to suppress compiler warning 2017-11-11 13:34:45 +00:00
leds
lguest lguest: fix out-by-one error in address checking. 2015-08-07 00:32:13 +01:00
macintosh windfarm: decrement client count when unregistering 2015-10-13 03:46:05 +01:00
mca
md dm btree: fix serious bug in btree_split_beneath() 2018-03-03 15:51:00 +00:00
media media: cxusb, dib0700: ignore XC2028_I2C_FLUSH 2018-06-01 00:30:11 +01:00
memstick memstick: mspro_block: add missing curly braces 2015-08-07 00:32:06 +01:00
message
mfd mfd: core: Fix device reference leak in mfd_clone_cell 2017-02-23 03:51:00 +00:00
misc eeprom: at24: check at24_read/write arguments 2018-03-03 15:50:41 +00:00
mmc mmc: block: fix updating ext_csd caches on ioctl call 2018-06-01 00:30:22 +01:00
mtd mtd: jedec_probe: Fix crash in jedec_read_mfr() 2018-06-01 00:30:26 +01:00
net net/mlx4_en: Fix mixed PFC and Global pause user control requests 2018-06-01 00:30:26 +01:00
nfc
nubus
of of: fdt: Fix return with value in void function 2018-03-03 15:51:03 +00:00
oprofile
parisc parisc: Hide Diva-built-in serial aux and graphics card 2018-03-03 15:50:48 +00:00
parport parport: parport_pc: remove double PCI ID for NetMos 2014-04-02 00:58:39 +01:00
pci PCI / PM: Force devices to D0 in pci_pm_thaw_noirq() 2018-03-03 15:50:48 +00:00
pcmcia Disable write buffering on Toshiba ToPIC95 2015-08-12 16:33:15 +02:00
pinctrl
platform platform/x86: samsung-laptop: Initialize loca variable 2017-11-11 13:34:46 +00:00
pnp
power power: supply: pda_power: move from timer to delayed_work 2017-08-26 02:14:04 +01:00
pps pps: do not crash when failed to register 2016-11-20 01:01:28 +00:00
ps3
ptp
rapidio rapidio/tsi721: Fix interrupt mask when handling MSI 2013-06-19 02:16:38 +01:00
regulator regulator: tps65910: Work around silicon erratum SWCZ010 2017-02-23 03:50:51 +00:00
rtc rtc: set the alarm to the next expiring timer 2018-02-13 18:32:08 +00:00
s390 s390/qeth: free netdevice when removing a card 2018-06-01 00:30:24 +01:00
sbus bbc-i2c: Fix BBC I2C envctrl on SunBlade 2000 2014-09-13 23:41:50 +01:00
scsi scsi: ibmvfc: fix misdefined reserved field in ibmvfc_fcp_rsp_info 2018-06-01 00:30:11 +01:00
sfi
sh
sn
spi spi: fix parent-device reference leak 2016-01-22 21:40:05 +00:00
ssb ssb: Fix error routine when fallback SPROM fails 2017-03-16 02:18:26 +00:00
staging staging/wlan-ng: Fix 'Branch condition evaluates to a garbage value' in p80211netdev.c 2018-03-19 18:58:25 +00:00
target iscsi-target: Drop work-around for legacy GlobalSAN initiator 2017-07-18 18:38:40 +01:00
tc
telephony
thermal thermal: hwmon: Properly report critical temperature in sysfs 2017-03-16 02:18:28 +00:00
tty tty: vt: fix up tabstops properly 2018-06-01 00:30:25 +01:00
uio Fix a few incorrectly checked [io_]remap_pfn_range() calls 2013-11-28 14:02:05 +00:00
usb xhci: Fix front USB ports on ASUS PRIME B350M-A 2018-06-01 00:30:21 +01:00
uwb uwb: properly check kthread_run return value 2018-01-01 20:50:49 +00:00
vhost vhost: actually track log eventfd file 2015-08-12 16:33:24 +02:00
video console/dummy: leave .con_font_get set to NULL 2018-06-01 00:30:08 +01:00
virt
virtio virtio_balloon: prevent uninitialized variable use 2017-07-18 18:38:38 +01:00
vlynq
w1 w1: fix w1_send_slave dropping a slave id 2014-04-30 16:23:19 +01:00
watchdog watchdog: pcwd_usb: fix NULL-deref at probe 2017-09-15 18:30:45 +01:00
xen xen: fix bio vec merging 2017-09-15 18:30:57 +01:00
zorro
Kconfig
Makefile usb: Make sure usb/phy/of gets built-in 2017-08-26 02:14:03 +01:00