diff options
| author | Venkatesh Yadav Abbarapu <venkatesh.abbarapu@amd.com> | 2024-03-06 09:04:04 +0530 |
|---|---|---|
| committer | Michal Simek <michal.simek@amd.com> | 2024-03-12 16:07:24 +0100 |
| commit | 0508653ea65d7b708053c5cb6c2fb8632f68c885 (patch) | |
| tree | 6bf7b9eaaa1d789dd2adb1fe06f959e05ec4b1b6 /drivers/mtd | |
| parent | 602b879efd44eefba5a3b7e956a9dd3df339f82e (diff) | |
| download | u-boot-0508653ea65d7b708053c5cb6c2fb8632f68c885.zip u-boot-0508653ea65d7b708053c5cb6c2fb8632f68c885.tar.gz u-boot-0508653ea65d7b708053c5cb6c2fb8632f68c885.tar.bz2 | |
mtd: nand: arasan: Fix the crash caused by use after free
The below exception observed on QEMU, as it doesn't support
NAND controller.
"Synchronous Abort" handler, esr 0x96000005, far 0x17acfc878
elr: 000000000803ad40 lr : 000000000805f438 (reloc)
elr: 000000007fcb4d40 lr : 000000007fcd9438
x0 : 000000007bbfc880 x1 : 00000000ff100000
x2 : 000000007fcf059c x3 : 000000007bbfc870
x4 : 000000007fd9a388 x5 : 000000017acfc870
x6 : 0000000000000000 x7 : 000000007bbfd0e0
x8 : 0000000000003dd4 x9 : 000000007bbeec0c
x10: 0000000000000001 x11: 0000000000003f8c
x12: 000000007bbeecfc x13: 000000007bbeeeb0
x14: 000000007bbeeeb0 x15: 000000007bbee474
x16: 000000007fcef18c x17: 0000000000000000
x18: 000000007bbf9d70 x19: 000000007bbfc888
x20: 000000007bbfc870 x21: 000000007fd68ddb
x22: 00000000ffffffed x23: 000000007bbfc878
x24: 0000000000000000 x25: 0000000000000000
x26: 0000000000000000 x27: 0000000000000000
x28: 0000000000000000 x29: 000000007bbeed10
Code: 927ff8c1 924000c6 8b010065 f9400887 (f94004a2)
Resetting CPU ...
The crash is caused by the use after free.
Updating the correct return codes rather than hardcoding.
Fixes: 3dd0f8cccd6d ("mtd: nand: Remove hardcoded base address of nand")
Signed-off-by: Venkatesh Yadav Abbarapu <venkatesh.abbarapu@amd.com>
Link: https://lore.kernel.org/r/20240306033404.18537-1-venkatesh.abbarapu@amd.com
Signed-off-by: Michal Simek <michal.simek@amd.com>
Diffstat (limited to 'drivers/mtd')
| -rw-r--r-- | drivers/mtd/nand/raw/arasan_nfc.c | 27 |
1 files changed, 14 insertions, 13 deletions
diff --git a/drivers/mtd/nand/raw/arasan_nfc.c b/drivers/mtd/nand/raw/arasan_nfc.c index 0b1b91f..ffcd963 100644 --- a/drivers/mtd/nand/raw/arasan_nfc.c +++ b/drivers/mtd/nand/raw/arasan_nfc.c @@ -1232,7 +1232,7 @@ static int arasan_probe(struct udevice *dev) struct nand_config *nand = &info->config; struct mtd_info *mtd; ofnode child; - int err = -1; + int ret; const char *str; info->reg = dev_read_addr_ptr(dev); @@ -1259,9 +1259,10 @@ static int arasan_probe(struct udevice *dev) writel(0x0, &info->reg->pgm_reg); /* first scan to find the device and get the page size */ - if (nand_scan_ident(mtd, CONFIG_SYS_NAND_MAX_CHIPS, NULL)) { + ret = nand_scan_ident(mtd, CONFIG_SYS_NAND_MAX_CHIPS, NULL); + if (ret) { printf("%s: nand_scan_ident failed\n", __func__); - goto fail; + return ret; } str = ofnode_read_string(nand_chip->flash_node, "nand-ecc-mode"); @@ -1289,26 +1290,26 @@ static int arasan_probe(struct udevice *dev) nand_chip->ecc.bytes = 0; nand_chip->ecc.layout = &ondie_nand_oob_64; } else { - if (arasan_nand_ecc_init(mtd)) { + ret = arasan_nand_ecc_init(mtd); + if (ret) { printf("%s: nand_ecc_init failed\n", __func__); - goto fail; + return ret; } } - if (nand_scan_tail(mtd)) { + ret = nand_scan_tail(mtd); + if (ret) { printf("%s: nand_scan_tail failed\n", __func__); - goto fail; + return ret; } - if (nand_register(0, mtd)) { + ret = nand_register(0, mtd); + if (ret) { printf("Nand Register Fail\n"); - goto fail; + return ret; } - return 0; -fail: - free(nand); - return err; + return ret; } static const struct udevice_id arasan_nand_dt_ids[] = { |