[PATCH] mtd: cfi_cmdset_0001: Do not check for OTP outside device
Linus Walleij
linus.walleij at linaro.org
Tue May 30 13:51:46 PDT 2023
Currently the offset into the device when looking for OTP
bits can go outside of the address of the MTD NOR devices,
and if that memory isn't readable, bad things happen
on the IXP4xx (added prints that illustrate the problem before
the crash):
cfi_intelext_otp_walk walk OTP on chip 0 start at reg_prot_offset 0x00000100
ixp4xx_copy_from copy from 0x00000100 to 0xc880dd78
cfi_intelext_otp_walk walk OTP on chip 0 start at reg_prot_offset 0x12000000
ixp4xx_copy_from copy from 0x12000000 to 0xc880dd78
8<--- cut here ---
Unable to handle kernel paging request at virtual address db000000
[db000000] *pgd=00000000
(...)
This happens in this case because the flash memory ends at
0x11ffffff, so 0x12000000 is outside the range of the MTD
device.
Breaking the while loop if we offset outside the size of the
MTD device fixes the issue.
Cc: Nicolas Pitre <npitre at baylibre.com>
Signed-off-by: Linus Walleij <linus.walleij at linaro.org>
---
drivers/mtd/chips/cfi_cmdset_0001.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/mtd/chips/cfi_cmdset_0001.c b/drivers/mtd/chips/cfi_cmdset_0001.c
index 54f92d09d9cf..a979e0316b31 100644
--- a/drivers/mtd/chips/cfi_cmdset_0001.c
+++ b/drivers/mtd/chips/cfi_cmdset_0001.c
@@ -2352,6 +2352,9 @@ static int cfi_intelext_otp_walk(struct mtd_info *mtd, loff_t from, size_t len,
reg_fact_size *= cfi->interleave;
reg_user_size *= cfi->interleave;
+ if (reg_prot_offset >= mtd->size)
+ break;
+
if (user_regs) {
groups = reg_user_groups;
groupsize = reg_user_size;
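Review bot: the added `if (reg_prot_offset >= mtd->size)` test only bounds the start of the protection region, so a region that begins below `mtd->size` but whose `reg_fact_size` or `reg_user_size` (both scaled by `cfi->interleave` just above) carries it past the end of the device would still be walked; consider including the region length in the comparison. The `break` is also silent and uncommented: a short comment stating that the computed offset can land beyond the device (0x12000000 on a flash ending at 0x11ffffff in the report) would explain why the loop stops here, and the changelog should say what the function returns to its caller after this early exit.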
--
2.40.1