[openwrt/openwrt] kernel: fix possible mtd NULL pointer dereference

LEDE Commits lede-commits at lists.infradead.org
Tue Oct 4 09:54:24 PDT 2022 

rmilecki pushed a commit to openwrt/openwrt.git, branch openwrt-22.03:
https://git.openwrt.org/977f6f36a0121b213f9eee4a7deb7fdf073320e4

commit 977f6f36a0121b213f9eee4a7deb7fdf073320e4
Author: Rafał Miłecki <rafal at milecki.pl>
AuthorDate: Tue Oct 4 12:04:37 2022 +0200

    kernel: fix possible mtd NULL pointer dereference
    
    Fixes: cae4d089bc1d3 ("kernel: backport mtd dynamic partition patch")
    Signed-off-by: Rafał Miłecki <rafal at milecki.pl>
    (cherry picked from commit a5265497a4f6da158e95d6a450cb2cb6dc085cab)
---
 ...d-core-check-partition-before-dereference.patch | 30 ++++++++++++++++++++++
 ...-blktrans-call-add-disks-after-mtd-device.patch |  2 +-
 .../420-mtd-set-rootfs-to-be-root-dev.patch        |  2 +-
 .../495-mtd-core-add-get_mtd_device_by_node.patch  |  2 +-
 4 files changed, 33 insertions(+), 3 deletions(-)

diff --git a/target/linux/generic/backport-5.10/415-v6.0-mtd-core-check-partition-before-dereference.patch b/target/linux/generic/backport-5.10/415-v6.0-mtd-core-check-partition-before-dereference.patch
new file mode 100644
index 0000000000..65789ddf2d
--- /dev/null
+++ b/target/linux/generic/backport-5.10/415-v6.0-mtd-core-check-partition-before-dereference.patch
@@ -0,0 +1,30 @@
+From 7ec4cdb321738d44ae5d405e7b6ac73dfbf99caa Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel at I-love.SAKURA.ne.jp>
+Date: Mon, 25 Jul 2022 22:49:25 +0900
+Subject: [PATCH] mtd: core: check partition before dereference
+
+syzbot is reporting NULL pointer dereference at mtd_check_of_node() [1],
+for mtdram test device (CONFIG_MTD_MTDRAM) is not partition.
+
+Link: https://syzkaller.appspot.com/bug?extid=fe013f55a2814a9e8cfd [1]
+Reported-by: syzbot <syzbot+fe013f55a2814a9e8cfd at syzkaller.appspotmail.com>
+Reported-by: kernel test robot <oliver.sang at intel.com>
+Fixes: ad9b10d1eaada169 ("mtd: core: introduce of support for dynamic partitions")
+Signed-off-by: Tetsuo Handa <penguin-kernel at I-love.SAKURA.ne.jp>
+CC: stable at vger.kernel.org
+Signed-off-by: Richard Weinberger <richard at nod.at>
+---
+ drivers/mtd/mtdcore.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/mtd/mtdcore.c
++++ b/drivers/mtd/mtdcore.c
+@@ -574,6 +574,8 @@ static void mtd_check_of_node(struct mtd
+ 		return;
+ 
+ 	/* Check if a partitions node exist */
++	if (!mtd_is_partition(mtd))
++		return;
+ 	parent = mtd->parent;
+ 	parent_dn = dev_of_node(&parent->dev);
+ 	if (!parent_dn)
diff --git a/target/linux/generic/hack-5.10/402-mtd-blktrans-call-add-disks-after-mtd-device.patch b/target/linux/generic/hack-5.10/402-mtd-blktrans-call-add-disks-after-mtd-device.patch
index 7de27fddb1..55388aa40c 100644
--- a/target/linux/generic/hack-5.10/402-mtd-blktrans-call-add-disks-after-mtd-device.patch
+++ b/target/linux/generic/hack-5.10/402-mtd-blktrans-call-add-disks-after-mtd-device.patch
@@ -77,7 +77,7 @@ Signed-off-by: Daniel Golle <daniel at makrotopia.org>
  
  #include "mtdcore.h"
  
-@@ -922,6 +923,8 @@ int mtd_device_parse_register(struct mtd
+@@ -924,6 +925,8 @@ int mtd_device_parse_register(struct mtd
  		register_reboot_notifier(&mtd->reboot_notifier);
  	}
  
diff --git a/target/linux/generic/hack-5.10/420-mtd-set-rootfs-to-be-root-dev.patch b/target/linux/generic/hack-5.10/420-mtd-set-rootfs-to-be-root-dev.patch
index ad68d52c72..5529bba12c 100644
--- a/target/linux/generic/hack-5.10/420-mtd-set-rootfs-to-be-root-dev.patch
+++ b/target/linux/generic/hack-5.10/420-mtd-set-rootfs-to-be-root-dev.patch
@@ -20,7 +20,7 @@ Signed-off-by: Gabor Juhos <juhosg at openwrt.org>
  #include <linux/nvmem-provider.h>
  
  #include <linux/mtd/mtd.h>
-@@ -765,6 +766,19 @@ int add_mtd_device(struct mtd_info *mtd)
+@@ -767,6 +768,19 @@ int add_mtd_device(struct mtd_info *mtd)
  	   of this try_ nonsense, and no bitching about it
  	   either. :) */
  	__module_get(THIS_MODULE);
diff --git a/target/linux/generic/pending-5.10/495-mtd-core-add-get_mtd_device_by_node.patch b/target/linux/generic/pending-5.10/495-mtd-core-add-get_mtd_device_by_node.patch
index 66017e1648..909d4c5d41 100644
--- a/target/linux/generic/pending-5.10/495-mtd-core-add-get_mtd_device_by_node.patch
+++ b/target/linux/generic/pending-5.10/495-mtd-core-add-get_mtd_device_by_node.patch
@@ -17,7 +17,7 @@ Reviewed-by: Miquel Raynal <miquel.raynal at bootlin.com>
 
 --- a/drivers/mtd/mtdcore.c
 +++ b/drivers/mtd/mtdcore.c
-@@ -1145,6 +1145,44 @@ out_unlock:
+@@ -1147,6 +1147,44 @@ out_unlock:
  }
  EXPORT_SYMBOL_GPL(get_mtd_device_nm);

More information about the lede-commits mailing list