From: Rafał Miłecki <rafal@milecki.pl>
Date: Tue, 4 Oct 2022 10:04:37 +0000 (+0200)
Subject: kernel: fix possible mtd NULL pointer dereference
X-Git-Tag: v21.02.4~12
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=221c6242deceb49b04da9886761d28c18202609a;p=thirdparty%2Fopenwrt.git

kernel: fix possible mtd NULL pointer dereference

Fixes: edf3363959d3c ("kernel: backport mtd dynamic partition patch")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit a5265497a4f6da158e95d6a450cb2cb6dc085cab)
---

diff --git a/target/linux/generic/backport-5.4/415-v6.0-mtd-core-check-partition-before-dereference.patch b/target/linux/generic/backport-5.4/415-v6.0-mtd-core-check-partition-before-dereference.patch
new file mode 100644
index 00000000000..028f5baaaa5
--- /dev/null
+++ b/target/linux/generic/backport-5.4/415-v6.0-mtd-core-check-partition-before-dereference.patch
@@ -0,0 +1,30 @@
+From 7ec4cdb321738d44ae5d405e7b6ac73dfbf99caa Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Mon, 25 Jul 2022 22:49:25 +0900
+Subject: [PATCH] mtd: core: check partition before dereference
+
+syzbot is reporting NULL pointer dereference at mtd_check_of_node() [1],
+for mtdram test device (CONFIG_MTD_MTDRAM) is not partition.
+
+Link: https://syzkaller.appspot.com/bug?extid=fe013f55a2814a9e8cfd [1]
+Reported-by: syzbot <syzbot+fe013f55a2814a9e8cfd@syzkaller.appspotmail.com>
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Fixes: ad9b10d1eaada169 ("mtd: core: introduce of support for dynamic partitions")
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+CC: stable@vger.kernel.org
+Signed-off-by: Richard Weinberger <richard@nod.at>
+---
+ drivers/mtd/mtdcore.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/mtd/mtdcore.c
++++ b/drivers/mtd/mtdcore.c
+@@ -602,6 +602,8 @@ static void mtd_check_of_node(struct mtd
+ 		return;
+ 
+ 	/* Check if a partitions node exist */
++	if (!mtd_is_partition(mtd))
++		return;
+ 	parent = mtd_get_master(mtd);
+ 	parent_dn = dev_of_node(&parent->dev);
+ 	if (!parent_dn)
diff --git a/target/linux/generic/pending-5.4/480-mtd-set-rootfs-to-be-root-dev.patch b/target/linux/generic/pending-5.4/480-mtd-set-rootfs-to-be-root-dev.patch
index 1189ce0f89f..2544fa4b69a 100644
--- a/target/linux/generic/pending-5.4/480-mtd-set-rootfs-to-be-root-dev.patch
+++ b/target/linux/generic/pending-5.4/480-mtd-set-rootfs-to-be-root-dev.patch
@@ -20,7 +20,7 @@ Signed-off-by: Gabor Juhos <juhosg@openwrt.org>
  #include <linux/nvmem-provider.h>
  
  #include <linux/mtd/mtd.h>
-@@ -760,6 +761,15 @@ int add_mtd_device(struct mtd_info *mtd)
+@@ -762,6 +763,15 @@ int add_mtd_device(struct mtd_info *mtd)
  	   of this try_ nonsense, and no bitching about it
  	   either. :) */
  	__module_get(THIS_MODULE);
diff --git a/target/linux/generic/pending-5.4/495-mtd-core-add-get_mtd_device_by_node.patch b/target/linux/generic/pending-5.4/495-mtd-core-add-get_mtd_device_by_node.patch
index a73775783eb..ada14158534 100644
--- a/target/linux/generic/pending-5.4/495-mtd-core-add-get_mtd_device_by_node.patch
+++ b/target/linux/generic/pending-5.4/495-mtd-core-add-get_mtd_device_by_node.patch
@@ -17,7 +17,7 @@ Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
 
 --- a/drivers/mtd/mtdcore.c
 +++ b/drivers/mtd/mtdcore.c
-@@ -1142,6 +1142,44 @@ out_unlock:
+@@ -1144,6 +1144,44 @@ out_unlock:
  }
  EXPORT_SYMBOL_GPL(get_mtd_device_nm);