commit
87a73eb5b56fd6e07c8e499fe8608ef2d8912b82 upstream.
It turns out that the loop where we read manufacturer
jedec_read_mfd() can under some circumstances get a
CFI_MFR_CONTINUATION repeatedly, making the loop go
over all banks and eventually hit the end of the
map and crash because of an access violation:
Unable to handle kernel paging request at virtual address
c4980000
pgd = (ptrval)
[
c4980000] *pgd=
03808811, *pte=
00000000, *ppte=
00000000
Internal error: Oops: 7 [#1] PREEMPT ARM
CPU: 0 PID: 1 Comm: swapper Not tainted 4.16.0-rc1+ #150
Hardware name: Gemini (Device Tree)
PC is at jedec_probe_chip+0x6ec/0xcd0
LR is at 0x4
pc : [<
c03a2bf4>] lr : [<
00000004>] psr:
60000013
sp :
c382dd18 ip :
0000ffff fp :
00000000
r10:
c0626388 r9 :
00020000 r8 :
c0626340
r7 :
00000000 r6 :
00000001 r5 :
c3a71afc r4 :
c382dd70
r3 :
00000001 r2 :
c4900000 r1 :
00000002 r0 :
00080000
Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
Control:
0000397f Table:
00004000 DAC:
00000053
Process swapper (pid: 1, stack limit = 0x(ptrval))
Fix this by breaking the loop with a return 0 if
the offset exceeds the map size.
Fixes:
5c9c11e1c47c ("[MTD] [NOR] Add support for flash chips with ID in bank other than 0")
Cc: <stable@vger.kernel.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Boris Brezillon <boris.brezillon@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
do {
uint32_t ofs = cfi_build_cmd_addr(0 + (bank << 8), map, cfi);
mask = (1 << (cfi->device_type * 8)) - 1;
+ if (ofs >= map->size)
+ return 0;
result = map_read(map, base + ofs);
bank++;
} while ((result.x[0] & mask) == CFI_MFR_CONTINUATION);