kernel: fix possible mtd NULL pointer dereference

Fixes: cae4d089bc ("kernel: backport mtd dynamic partition patch") Signed-off-by: Rafał Miłecki <rafal@milecki.pl> (cherry picked from commit a5265497a4)
2022-10-04 12:04:37 +02:00 · 2022-10-04 12:04:37 +02:00 · 977f6f36a0
commit 977f6f36a0
parent 562894b39d
4 changed files with 33 additions and 3 deletions
--- a/target/linux/generic/backport-5.10/415-v6.0-mtd-core-check-partition-before-dereference.patch
+++ b/target/linux/generic/backport-5.10/415-v6.0-mtd-core-check-partition-before-dereference.patch
@ -0,0 +1,30 @@
+From 7ec4cdb321738d44ae5d405e7b6ac73dfbf99caa Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Mon, 25 Jul 2022 22:49:25 +0900
+Subject: [PATCH] mtd: core: check partition before dereference
+
+syzbot is reporting NULL pointer dereference at mtd_check_of_node() [1],
+for mtdram test device (CONFIG_MTD_MTDRAM) is not partition.
+
+Link: https://syzkaller.appspot.com/bug?extid=fe013f55a2814a9e8cfd [1]
+Reported-by: syzbot <syzbot+fe013f55a2814a9e8cfd@syzkaller.appspotmail.com>
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Fixes: ad9b10d1eaada169 ("mtd: core: introduce of support for dynamic partitions")
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+CC: stable@vger.kernel.org
+Signed-off-by: Richard Weinberger <richard@nod.at>
+---
+ drivers/mtd/mtdcore.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/mtd/mtdcore.c
+++ b/drivers/mtd/mtdcore.c
+@@ -574,6 +574,8 @@ static void mtd_check_of_node(struct mtd
+ 		return;
+ 
+ 	/* Check if a partitions node exist */
+	if (!mtd_is_partition(mtd))
+		return;
+ 	parent = mtd->parent;
+ 	parent_dn = dev_of_node(&parent->dev);
+ 	if (!parent_dn)
--- a/target/linux/generic/hack-5.10/402-mtd-blktrans-call-add-disks-after-mtd-device.patch
+++ b/target/linux/generic/hack-5.10/402-mtd-blktrans-call-add-disks-after-mtd-device.patch
@ -77,7 +77,7 @@ Signed-off-by: Daniel Golle <daniel@makrotopia.org>
 
 #include "mtdcore.h"
 
-@@ -922,6 +923,8 @@ int mtd_device_parse_register(struct mtd
+@@ -924,6 +925,8 @@ int mtd_device_parse_register(struct mtd
 		register_reboot_notifier(&mtd->reboot_notifier);
 	}
 
--- a/target/linux/generic/hack-5.10/420-mtd-set-rootfs-to-be-root-dev.patch
+++ b/target/linux/generic/hack-5.10/420-mtd-set-rootfs-to-be-root-dev.patch
@ -20,7 +20,7 @@ Signed-off-by: Gabor Juhos <juhosg@openwrt.org>
 #include <linux/nvmem-provider.h>
 
 #include <linux/mtd/mtd.h>
-@@ -765,6 +766,19 @@ int add_mtd_device(struct mtd_info *mtd)
+@@ -767,6 +768,19 @@ int add_mtd_device(struct mtd_info *mtd)
 	   of this try_ nonsense, and no bitching about it
 	   either. :) */
 	__module_get(THIS_MODULE);
--- a/target/linux/generic/pending-5.10/495-mtd-core-add-get_mtd_device_by_node.patch
+++ b/target/linux/generic/pending-5.10/495-mtd-core-add-get_mtd_device_by_node.patch
@ -17,7 +17,7 @@ Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>

 --- a/drivers/mtd/mtdcore.c
 +++ b/drivers/mtd/mtdcore.c
-@@ -1145,6 +1145,44 @@ out_unlock:
+@@ -1147,6 +1147,44 @@ out_unlock:
 }
 EXPORT_SYMBOL_GPL(get_mtd_device_nm);