www.infradead.org Git - users/jedix/linux-maple.git/commit

author	Gabor Juhos <j4g8y7@gmail.com>
	Wed, 18 Jun 2025 20:22:50 +0000 (22:22 +0200)
committer	Mark Brown <broonie@kernel.org>
	Sun, 29 Jun 2025 21:10:47 +0000 (22:10 +0100)
commit	ddaad4ad774d4ae02047ef873a8e38f62a4b7b01
tree	84cc229445f96c5db70e8418938687a1c168f941	tree
parent	d85d0380292a7e618915069c3579ae23c7c80339	commit \| diff

mtd: nand: qpic_common: prevent out of bounds access of BAM arrays

The common QPIC code does not do any boundary checking when it handles
the command elements and scatter gater list arrays of a BAM transaction,
thus it allows to access out of bounds elements in those.

Although it is the responsibility of the given driver to allocate enough
space for all possible BAM transaction variations, however there can be
mistakes in the driver code which can lead to hidden memory corruption
issues which are hard to debug.

This kind of problem has been observed during testing the 'spi-qpic-snand'
driver. Although the driver has been fixed with a preceding patch, but it
still makes sense to reduce the chance of having such errors again later.

In order to prevent such errors, change the qcom_alloc_bam_transaction()
function to store the number of elements of the arrays in the
'bam_transaction' strucutre during allocation. Also, add sanity checks to
the qcom_prep_bam_dma_desc_{cmd,data}() functions to avoid using out of
bounds indices for the arrays.

Tested-by: Lakshmi Sowjanya D <quic_laksd@quicinc.com> # on SDX75
Acked-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Gabor Juhos <j4g8y7@gmail.com>
Link: https://patch.msgid.link/20250618-qpic-snand-avoid-mem-corruption-v3-2-319c71296cda@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>

drivers/mtd/nand/qpic_common.c		diff \| blob \| history
include/linux/mtd/nand-qpic-common.h		diff \| blob \| history