[PATCH] mtd: jedec_probe: Fix crash in jedec_read_mfr()
Linus Walleij
linus.walleij at linaro.org
Tue Mar 27 13:31:51 PDT 2018
On Tue, Mar 27, 2018 at 9:02 PM, Richard Weinberger <richard at nod.at> wrote:
> On Saturday, 3 March 2018 at 23:29:03 CEST, Linus Walleij wrote:
>> It turns out that the loop where we read manufacturer
>> jedec_read_mfr() can under some circumstances get a
>> CFI_MFR_CONTINUATION repeatedly, making the loop go
>> over all banks and eventually hit the end of the
>> map and crash because of an access violation:
>>
>> uint32_t ofs = cfi_build_cmd_addr(0 + (bank << 8), map, cfi);
>> mask = (1 << (cfi->device_type * 8)) - 1;
>> + if (ofs >= map->size)
>> + return 0;
>> result = map_read(map, base + ofs);
>> bank++;
>> } while ((result.x[0] & mask) == CFI_MFR_CONTINUATION);
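Review bot: the new bounds check tests `ofs` alone, but the address actually dereferenced on the next line is `base + ofs`, and the read is `cfi->device_type` bytes wide (that is what the `mask` on the line above is built from), so a non-zero `base` or a multi-byte read at the last in-range offset can still step past `map->size`; consider `if (base + ofs + width > map->size)` with `width` derived from the same `cfi->device_type`. It would also help to state in the function's comment that returning 0 here means "no manufacturer id found", so callers do not confuse the early exit with a real id.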
>
> The fix is legit but I'm not sure whether we should emit a warning in this
> case too since something is obviously wrong.
What is wrong is perhaps our way of probing JEDEC
flashes: the condition is hit when accessing a device on a
16-bit bus in 8-bit mode, which is what the probe code tries
before it tries 16-bit.
However there are clear comments in the
code (above jedec_match()) indicating that it is impossible
to do a perfect probe routine, so this could be expected to
happen to some extent; I am merely amending an issue that
may be unfixable.
Yours,
Linus Walleij
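The failure mode discussed above is a loop that follows a sentinel value (CFI_MFR_CONTINUATION, 0x7f in the kernel's cfi.h) from bank to bank without ever checking the map bounds, so a device that answers "continuation" in every bank walks the read pointer off the end of the mapping. The following C model is an added example written for this page; it is not the patch, not kernel code, and the `model_*` names, the `scenario_*` helpers, the constructed 4 KiB map, the bank stride and the sample id 0x2c are all invented here. `model_cmd_addr()` is a deliberate simplification of `cfi_build_cmd_addr()` (one bank every 0x100 device-width units), and the bounds check covers `base + ofs` and the read width rather than `ofs` alone:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the manufacturer-id probe loop from the thread.
 * CFI_MFR_CONTINUATION is the JEDEC "id continues in the next bank" code. */
#define CFI_MFR_CONTINUATION 0x7f
#define MODEL_MAP_SIZE 0x1000          /* constructed: 4 KiB mapped window */

struct model_map {                     /* stand-in for struct map_info */
    const uint8_t *virt;
    size_t size;
};

/* Simplified stand-in for cfi_build_cmd_addr(): bank stride 0x100 units. */
static size_t model_cmd_addr(unsigned bank, unsigned device_width)
{
    return ((size_t)bank << 8) * device_width;
}

/* Little-endian read of device_width (1 or 2) bytes; caller checks bounds. */
static uint32_t model_read(const struct model_map *map, size_t ofs,
                           unsigned device_width)
{
    uint32_t v = 0;
    for (unsigned i = 0; i < device_width; i++)
        v |= (uint32_t)map->virt[ofs + i] << (8 * i);
    return v;
}

/* Follows continuation codes across banks. Returns the manufacturer id, or 0
 * when the chain would run past the map (the bounded exit the patch adds).
 * *banks_out, if non-NULL, receives the number of banks visited. */
uint32_t model_read_mfr(const struct model_map *map, size_t base,
                        unsigned device_width, unsigned *banks_out)
{
    uint32_t mask = (1u << (device_width * 8)) - 1;   /* width <= 2 */
    uint32_t result;
    unsigned bank = 0;

    do {
        size_t ofs = model_cmd_addr(bank, device_width);
        /* Bound the whole access: base offset plus the width of the read. */
        if (base + ofs + device_width > map->size) {
            if (banks_out)
                *banks_out = bank;
            return 0;
        }
        result = model_read(map, base + ofs, device_width) & mask;
        bank++;
    } while (result == CFI_MFR_CONTINUATION);

    if (banks_out)
        *banks_out = bank;
    return result;
}

static uint8_t g_map_cont[MODEL_MAP_SIZE];
static uint8_t g_map_chain[MODEL_MAP_SIZE];

/* Constructed scenario 1: every bank answers CONTINUATION, the situation the
 * thread describes for a 16-bit part probed in 8-bit mode. */
uint32_t scenario_all_continuation(unsigned *banks)
{
    memset(g_map_cont, CFI_MFR_CONTINUATION, sizeof g_map_cont);
    struct model_map map = { g_map_cont, sizeof g_map_cont };
    return model_read_mfr(&map, 0, 1, banks);
}

/* Constructed scenario 2: bank 0 says CONTINUATION, bank 1 carries id 0x2c. */
uint32_t scenario_one_continuation(unsigned *banks)
{
    memset(g_map_chain, 0, sizeof g_map_chain);
    g_map_chain[0x000] = CFI_MFR_CONTINUATION;
    g_map_chain[0x100] = 0x2c;             /* constructed sample id */
    struct model_map map = { g_map_chain, sizeof g_map_chain };
    return model_read_mfr(&map, 0, 1, banks);
}

int main(void)
{
    unsigned banks;
    uint32_t id = scenario_all_continuation(&banks);
    printf("all-continuation: id=0x%x after %u banks (0 = bounded out)\n", id, banks);
    id = scenario_one_continuation(&banks);
    printf("one-continuation: id=0x%x after %u banks\n", id, banks);
    return 0;
}
```

With a 4 KiB map and an 8-bit device width the first scenario visits 16 banks and stops exactly at the map end instead of reading past it; the second follows one continuation and returns the id from bank 1.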