Bug 207001 - Kernel panic: null pointer dereference in cfi_check_err_status
Summary: Kernel panic: null pointer dereference in cfi_check_err_status
Status: NEW
Alias: None
Product: Drivers
Classification: Unclassified
Component: Flash/Memory Technology Devices (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: David Woodhouse
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-03-27 14:53 UTC by Ewald Comhaire
Modified: 2020-03-27 14:53 UTC (History)
0 users

See Also:
Kernel Version: 5.4.x and later
Subsystem:
Regression: No
Bisected commit-id:

Attachments
Patch (844 bytes, patch)
2020-03-27 14:53 UTC, Ewald Comhaire 		Details | Diff
Add an attachment (proposed patch, testcase, etc.)

Description Ewald Comhaire 2020-03-27 14:53:10 UTC 
Created attachment 288093 [details]
Patch

Certain JEDEC compliant flash chips e.g. SST 39LF040 cause a kernel panic when being written to (e.g. simple fw_setenv command).  Those chips all confirm to the AMD command set (cfi_cmdset_0002).

The problem was identified a section from /drivers/mtd/chips/cfi_cmdset_0002.c:

static int cfi_use_status_reg(struct cfi_private *cfi)
{
	struct cfi_pri_amdstd *extp = cfi->cmdset_priv;
	u8 poll_mask = CFI_POLL_STATUS_REG | CFI_POLL_DQ;

	return extp->MinorVersion >= '5' &&
		(extp->SoftwareFeatures & poll_mask) == CFI_POLL_STATUS_REG;


It turns out that "extp" is not being initialized for all chips in this family and thus possibly (often) a null pointer.

The problem was introduced with commit 99a125f: https://github.com/torvalds/linux/commit/99a125f8edec391e423962847c6fd1d6994f0ad8#diff-ce19a4da6dab0e4e75d69a371602658d

Verified patch in attachment. Note that it is not needed to inline the function, but in my case performance was down compared to kernel 4.x (e.g. 4.19.x) since this function is called thousands of times per second in my use case.
Anyhow, the C compiler will decide whether to inline depending on chosen optimization mode.
Note You need to log in before you can comment on or make changes to this bug.