JIRA: https://issues.redhat.com/browse/RHEL-60743
CVE: CVE-2024-46853
commit 2a8787c1cdc7be24fdd8953ecd1a8743a1006235
Author: Han Xu <han.xu@nxp.com>
Date: Wed Sep 11 16:11:45 2024 -0500
spi: nxp-fspi: fix the KASAN report out-of-bounds bug
Change the memcpy length to fix the out-of-bounds issue when writing the
data that is not 4 byte aligned to TX FIFO.
To reproduce the issue, write 3 bytes data to NOR chip.
dd if=3b of=/dev/mtd0
[ 36.926103] ==================================================================
[ 36.933409] BUG: KASAN: slab-out-of-bounds in nxp_fspi_exec_op+0x26ec/0x2838
[ 36.940514] Read of size 4 at addr ffff00081037c2a0 by task dd/455
[ 36.946721]
[ 36.948235] CPU: 3 UID: 0 PID: 455 Comm: dd Not tainted 6.11.0-rc5-gc7b0e37c8434 #1070
[ 36.956185] Hardware name: Freescale i.MX8QM MEK (DT)
[ 36.961260] Call trace:
[ 36.963723] dump_backtrace+0x90/0xe8
[ 36.967414] show_stack+0x18/0x24
[ 36.970749] dump_stack_lvl+0x78/0x90
[ 36.974451] print_report+0x114/0x5cc
[ 36.978151] kasan_report+0xa4/0xf0
[ 36.981670] __asan_report_load_n_noabort+0x1c/0x28
[ 36.986587] nxp_fspi_exec_op+0x26ec/0x2838
[ 36.990800] spi_mem_exec_op+0x8ec/0xd30
[ 36.994762] spi_mem_no_dirmap_read+0x190/0x1e0
[ 36.999323] spi_mem_dirmap_write+0x238/0x32c
[ 37.003710] spi_nor_write_data+0x220/0x374
[ 37.007932] spi_nor_write+0x110/0x2e8
[ 37.011711] mtd_write_oob_std+0x154/0x1f0
[ 37.015838] mtd_write_oob+0x104/0x1d0
[ 37.019617] mtd_write+0xb8/0x12c
[ 37.022953] mtdchar_write+0x224/0x47c
[ 37.026732] vfs_write+0x1e4/0x8c8
[ 37.030163] ksys_write+0xec/0x1d0
[ 37.033586] __arm64_sys_write+0x6c/0x9c
[ 37.037539] invoke_syscall+0x6c/0x258
[ 37.041327] el0_svc_common.constprop.0+0x160/0x22c
[ 37.046244] do_el0_svc+0x44/0x5c
[ 37.049589] el0_svc+0x38/0x78
[ 37.052681] el0t_64_sync_handler+0x13c/0x158
[ 37.057077] el0t_64_sync+0x190/0x194
[ 37.060775]
[ 37.062274] Allocated by task 455:
[ 37.065701] kasan_save_stack+0x2c/0x54
[ 37.069570] kasan_save_track+0x20/0x3c
[ 37.073438] kasan_save_alloc_info+0x40/0x54
[ 37.077736] __kasan_kmalloc+0xa0/0xb8
[ 37.081515] __kmalloc_noprof+0x158/0x2f8
[ 37.085563] mtd_kmalloc_up_to+0x120/0x154
[ 37.089690] mtdchar_write+0x130/0x47c
[ 37.093469] vfs_write+0x1e4/0x8c8
[ 37.096901] ksys_write+0xec/0x1d0
[ 37.100332] __arm64_sys_write+0x6c/0x9c
[ 37.104287] invoke_syscall+0x6c/0x258
[ 37.108064] el0_svc_common.constprop.0+0x160/0x22c
[ 37.112972] do_el0_svc+0x44/0x5c
[ 37.116319] el0_svc+0x38/0x78
[ 37.119401] el0t_64_sync_handler+0x13c/0x158
[ 37.123788] el0t_64_sync+0x190/0x194
[ 37.127474]
[ 37.128977] The buggy address belongs to the object at ffff00081037c2a0
[ 37.128977] which belongs to the cache kmalloc-8 of size 8
[ 37.141177] The buggy address is located 0 bytes inside of
[ 37.141177] allocated 3-byte region [ffff00081037c2a0, ffff00081037c2a3)
[ 37.153465]
[ 37.154971] The buggy address belongs to the physical page:
[ 37.160559] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x89037c
[ 37.168596] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 37.175149] page_type: 0xfdffffff(slab)
[ 37.179021] raw: 0bfffe0000000000 ffff000800002500 dead000000000122 0000000000000000
[ 37.186788] raw: 0000000000000000 0000000080800080 00000001fdffffff 0000000000000000
[ 37.194553] page dumped because: kasan: bad access detected
[ 37.200144]
[ 37.201647] Memory state around the buggy address:
[ 37.206460] ffff00081037c180: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc
[ 37.213701] ffff00081037c200: fa fc fc fc 05 fc fc fc 03 fc fc fc 02 fc fc fc
[ 37.220946] >ffff00081037c280: 06 fc fc fc 03 fc fc fc fc fc fc fc fc fc fc fc
[ 37.228186] ^
[ 37.232473] ffff00081037c300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.239718] ffff00081037c380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.246962] ==================================================================
[ 37.254394] Disabling lock debugging due to kernel taint
0+1 records in
0+1 records out
3 bytes copied, 0.335911 s, 0.0 kB/s
Fixes: a5356aef6a ("spi: spi-mem: Add driver for NXP FlexSPI controller")
Cc: stable@kernel.org
Signed-off-by: Han Xu <han.xu@nxp.com>
Link: https://patch.msgid.link/20240911211146.3337068-1-han.xu@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2071848
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2122415
commit 67a12ae52599c9f2f24ef14adb43fc3b164792b5
Author: Michael Walle <michael@walle.cc>
Date: Fri, 1 Oct 2021 23:27:26 +0200
In commit 7e71b85473 ("arm64: dts: ls1028a: fix node name for the
sysclk") the sysclk node name was renamed and broke the erratum
workaround because it tries to fetch a device tree node by its name,
which is very fragile in general. We don't even need the sysclk node
because the only possible sysclk frequency input is 100MHz. In fact, the
erratum says it applies if SYS_PLL_RAT is 3, not that the platform clock
is 300 MHz. Make the workaround more reliable and just drop the unneeded
sysclk lookup.
For reference, the error during the bootup is the following:
[ 4.898400] nxp-fspi 20c0000.spi: Errata cannot be executed. Read via IP bus may not work
Fixes: 82ce7d0e74 ("spi: spi-nxp-fspi: Implement errata workaround for LS1028A")
Cc: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: Michael Walle <michael@walle.cc>
Link: https://lore.kernel.org/r/20211001212726.159437-1-michael@walle.cc
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Mark Salter <msalter@redhat.com>
Move the register operation after the clock enable, otherwise system
will stuck when this driver probe.
Fixes: 71d80563b0 ("spi: spi-nxp-fspi: fix fspi panic by unexpected interrupts")
Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
Link: https://lore.kernel.org/r/1623317073-25158-1-git-send-email-haibo.chen@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Errata ERR050568 description says that "Flash access by FlexSPI AHB
command may not work with platform frequency equal to 300 MHz" on
LS1028A.
By default, smaller length reads(equal to RX FIFO size) are done by IP
bus and larger length reads using AHB bus. For adding errata workaround,
use IP bus to read entire flash contents and disable AHB path when
platform frequency is 300Mhz.
Signed-off-by: Kuldeep Singh <kuldeep.singh@nxp.com>
Link: https://lore.kernel.org/r/20210302124936.1972546-5-kuldeep.singh@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Add driver support for imx8dxl which support read through IP bus only
and disable AHB bus due to an IC errata. Use the pre-defined quirk
FSPI_QUIRK_USE_IP_ONLY directly in device-type data to disable AHB read.
Signed-off-by: Han Xu <han.xu@nxp.com>
Signed-off-by: Kuldeep Singh <kuldeep.singh@nxp.com>
Link: https://lore.kernel.org/r/20210302124936.1972546-4-kuldeep.singh@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Add support for disabling AHB bus and read entire flash contents via IP
bus only. Please note, this enables IP bus read using a quirk which can
be enabled directly in device-type data or in existence of an errata
where AHB bus may need to be disabled.
Signed-off-by: Kuldeep Singh <kuldeep.singh@nxp.com>
Link: https://lore.kernel.org/r/20210302124936.1972546-2-kuldeep.singh@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Given the case that bootloader(such as UEFI)'s FSPI driver might not
handle all interrupts before loading kernel, those legacy interrupts
would assert immidiately once kernel's FSPI driver enable them. Further,
if it was FSPI_INTR_IPCMDDONE, the irq handler nxp_fspi_irq_handler()
would call complete(&f->c) to notify others. However, f->c might not be
initialized yet at that time, then cause kernel panic.
Of cause, we should fix this issue within bootloader. But it would be
better to have this pacth to make dirver more robust (by clearing all
interrupt status bits before enabling interrupts).
Suggested-by: Han Xu <han.xu@nxp.com>
Signed-off-by: Ran Wang <ran.wang_1@nxp.com>
Link: https://lore.kernel.org/r/20201123025715.14635-1-ran.wang_1@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Currently NXP fspi driver has support of DT only. Adding ACPI
support to the driver so that it can be used by UEFI firmware
booting in ACPI mode. This driver will be probed if any firmware
will expose HID "NXP0009" in DSDT table.
Signed-off-by: kuldip dwivedi <kuldip.dwivedi@puresoftware.com>
Reviewed-by: Ashish Kumar <Ashish.Kumar@nxp.com>
Link: https://lore.kernel.org/r/20200911130331.6313-1-kuldip.dwivedi@puresoftware.com
Signed-off-by: Mark Brown <broonie@kernel.org>
The platform_get_resource_byname() function returns NULL on error, it
doesn't return error pointers.
Fixes: d166a73503 ("spi: fspi: dynamically alloc AHB memory")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/20200312113154.GC20562@mwanda
Signed-off-by: Mark Brown <broonie@kernel.org>
Apply patch from NXP upstream repo to
Enable the octal combination mode in MCR0
Signed-off-by: Adam Ford <aford173@gmail.com>
Signed-off-by: Han Xu <han.xu@nxp.com>
Link: https://lore.kernel.org/r/20200126140913.2139260-3-aford173@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Apply patch from NXP upstream repo to
dynamically allocate AHB memory as needed.
Signed-off-by: Adam Ford <aford173@gmail.com>
Signed-off-by: Han Xu <han.xu@nxp.com>
Link: https://lore.kernel.org/r/20200126140913.2139260-2-aford173@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Pull in this patch from NXP's upstream repo to
enable fspi on imx8qxp and imx8mm
Signed-off-by: Adam Ford <aford173@gmail.com>
Signed-off-by: Han Xu <han.xu@nxp.com>
Link: https://lore.kernel.org/r/20200126140913.2139260-1-aford173@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Make use of a core helper to ensure the desired width is respected
when calling spi-mem operators.
Otherwise only the SPI controller will be matched with the flash chip,
which might lead to wrong widths. Also consider the width specified by
the user in the device tree.
Fixes: a5356aef6a ("spi: spi-mem: Add driver for NXP FlexSPI controller")
Signed-off-by: Michael Walle <michael@walle.cc>
Link: https://lore.kernel.org/r/20191211195730.26794-1-michael@walle.cc
Signed-off-by: Mark Brown <broonie@kernel.org>
This driver forgets to unregister controller when remove.
Use devm API to unregister it automatically to fix it.
Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
Link: https://lore.kernel.org/r/20191109075517.29988-1-hslester96@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
We don't need dev_err() messages when platform_get_irq() fails now that
platform_get_irq() prints an error message itself when something goes
wrong. Let's remove these prints with a simple semantic patch.
// <smpl>
@@
expression ret;
struct platform_device *E;
@@
ret =
(
platform_get_irq(E, ...)
|
platform_get_irq_byname(E, ...)
);
if ( \( ret < 0 \| ret <= 0 \) )
{
(
-if (ret != -EPROBE_DEFER)
-{ ...
-dev_err(...);
-... }
|
...
-dev_err(...);
)
...
}
// </smpl>
While we're here, remove braces on if statements that only have one
statement (manually).
Cc: Mark Brown <broonie@kernel.org>
Cc: linux-spi@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Stephen Boyd <swboyd@chromium.org>
Link: https://lore.kernel.org/r/20190730181557.90391-42-swboyd@chromium.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Add MODULE_LICENSE info to fix below warning:
WARNING: modpost: missing MODULE_LICENSE() in drivers/spi/spi-nxp-fspi.o
Typo fix in Boris Brezillon last name.
Fixes: a5356aef6a ("spi: spi-mem: Add driver for NXP FlexSPI controller")
Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Yogesh Narayan Gaur <yogeshnarayan.gaur@nxp.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Add octal mode flags for octal I/O data transfer support.
NXP FlexSPI controller supports 8 lines Rx/Tx data transfer.
Signed-off-by: Yogesh Narayan Gaur <yogeshnarayan.gaur@nxp.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
- Add driver for NXP FlexSPI host controller
(0) What is the FlexSPI controller?
FlexSPI is a flexsible SPI host controller which supports two SPI
channels and up to 4 external devices. Each channel supports
Single/Dual/Quad/Octal mode data transfer (1/2/4/8 bidirectional
data lines) i.e. FlexSPI acts as an interface to external devices,
maximum 4, each with up to 8 bidirectional data lines.
It uses new SPI memory interface of the SPI framework to issue
flash memory operations to up to four connected flash
devices (2 buses with 2 CS each).
(1) Tested this driver with the mtd_debug and JFFS2 filesystem utility
on NXP LX2160ARDB and LX2160AQDS targets.
LX2160ARDB is having two NOR slave device connected on single bus A
i.e. A0 and A1 (CS0 and CS1).
LX2160AQDS is having two NOR slave device connected on separate buses
one flash on A0 and second on B1 i.e. (CS0 and CS3).
Verified this driver on following SPI NOR flashes:
Micron, mt35xu512ab, [Read - 1 bit mode]
Cypress, s25fl512s, [Read - 1/2/4 bit mode]
Signed-off-by: Yogesh Narayan Gaur <yogeshnarayan.gaur@nxp.com>
Reviewed-by: Frieder Schrempf <frieder.schrempf@kontron.de>
Reviewed-by: Boris Brezillon <bbrezillon@kernel.org>
Tested-by: Ashish Kumar <Ashish.Kumar@nxp.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
CKI Backport Bot
Mark Salter
Haibo Chen
Heiko Schocher
Kuldeep Singh
Han Xu
Ran Wang
kuldip dwivedi
Dan Carpenter
Michael Walle
Chuhong Yuan
Stephen Boyd
Yogesh Narayan Gaur