From a5265497a4f6da158e95d6a450cb2cb6dc085cab Mon Sep 17 00:00:00 2001
From: =?utf8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
Date: Tue, 4 Oct 2022 12:04:37 +0200
Subject: [PATCH] kernel: fix possible mtd NULL pointer dereference
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Fixes: 1a9ee367343ed ("kernel: backport mtd dynamic partition patch")
Signed-off-by: RafaÅ MiÅecki <rafal@milecki.pl>
---
 ...e-check-partition-before-dereference.patch | 30 +++++++++++++++++++
 ...e-check-partition-before-dereference.patch | 30 +++++++++++++++++++
 ...rans-call-add-disks-after-mtd-device.patch |  2 +-
 .../410-block-fit-partition-parser.patch      |  1 +
 .../420-mtd-set-rootfs-to-be-root-dev.patch   |  2 +-
 ...rans-call-add-disks-after-mtd-device.patch |  2 +-
 .../420-mtd-set-rootfs-to-be-root-dev.patch   |  2 +-
 7 files changed, 65 insertions(+), 4 deletions(-)
 create mode 100644 target/linux/generic/backport-5.10/415-v6.0-mtd-core-check-partition-before-dereference.patch
 create mode 100644 target/linux/generic/backport-5.15/404-v6.0-mtd-core-check-partition-before-dereference.patch

diff --git a/target/linux/generic/backport-5.10/415-v6.0-mtd-core-check-partition-before-dereference.patch b/target/linux/generic/backport-5.10/415-v6.0-mtd-core-check-partition-before-dereference.patch
new file mode 100644
index 0000000000..65789ddf2d
--- /dev/null
+++ b/target/linux/generic/backport-5.10/415-v6.0-mtd-core-check-partition-before-dereference.patch
@@ -0,0 +1,30 @@
+From 7ec4cdb321738d44ae5d405e7b6ac73dfbf99caa Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Mon, 25 Jul 2022 22:49:25 +0900
+Subject: [PATCH] mtd: core: check partition before dereference
+
+syzbot is reporting NULL pointer dereference at mtd_check_of_node() [1],
+for mtdram test device (CONFIG_MTD_MTDRAM) is not partition.
+
+Link: https://syzkaller.appspot.com/bug?extid=fe013f55a2814a9e8cfd [1]
+Reported-by: syzbot <syzbot+fe013f55a2814a9e8cfd@syzkaller.appspotmail.com>
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Fixes: ad9b10d1eaada169 ("mtd: core: introduce of support for dynamic partitions")
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+CC: stable@vger.kernel.org
+Signed-off-by: Richard Weinberger <richard@nod.at>
+---
+ drivers/mtd/mtdcore.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/mtd/mtdcore.c
++++ b/drivers/mtd/mtdcore.c
+@@ -574,6 +574,8 @@ static void mtd_check_of_node(struct mtd
+ 		return;
+ 
+ 	/* Check if a partitions node exist */
++	if (!mtd_is_partition(mtd))
++		return;
+ 	parent = mtd->parent;
+ 	parent_dn = dev_of_node(&parent->dev);
+ 	if (!parent_dn)
diff --git a/target/linux/generic/backport-5.15/404-v6.0-mtd-core-check-partition-before-dereference.patch b/target/linux/generic/backport-5.15/404-v6.0-mtd-core-check-partition-before-dereference.patch
new file mode 100644
index 0000000000..e45e2ab48e
--- /dev/null
+++ b/target/linux/generic/backport-5.15/404-v6.0-mtd-core-check-partition-before-dereference.patch
@@ -0,0 +1,30 @@
+From 7ec4cdb321738d44ae5d405e7b6ac73dfbf99caa Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Mon, 25 Jul 2022 22:49:25 +0900
+Subject: [PATCH] mtd: core: check partition before dereference
+
+syzbot is reporting NULL pointer dereference at mtd_check_of_node() [1],
+for mtdram test device (CONFIG_MTD_MTDRAM) is not partition.
+
+Link: https://syzkaller.appspot.com/bug?extid=fe013f55a2814a9e8cfd [1]
+Reported-by: syzbot <syzbot+fe013f55a2814a9e8cfd@syzkaller.appspotmail.com>
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Fixes: ad9b10d1eaada169 ("mtd: core: introduce of support for dynamic partitions")
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+CC: stable@vger.kernel.org
+Signed-off-by: Richard Weinberger <richard@nod.at>
+---
+ drivers/mtd/mtdcore.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/mtd/mtdcore.c
++++ b/drivers/mtd/mtdcore.c
+@@ -577,6 +577,8 @@ static void mtd_check_of_node(struct mtd
+ 		return;
+ 
+ 	/* Check if a partitions node exist */
++	if (!mtd_is_partition(mtd))
++		return;
+ 	parent = mtd->parent;
+ 	parent_dn = dev_of_node(&parent->dev);
+ 	if (!parent_dn)
diff --git a/target/linux/generic/hack-5.10/402-mtd-blktrans-call-add-disks-after-mtd-device.patch b/target/linux/generic/hack-5.10/402-mtd-blktrans-call-add-disks-after-mtd-device.patch
index 7de27fddb1..55388aa40c 100644
--- a/target/linux/generic/hack-5.10/402-mtd-blktrans-call-add-disks-after-mtd-device.patch
+++ b/target/linux/generic/hack-5.10/402-mtd-blktrans-call-add-disks-after-mtd-device.patch
@@ -77,7 +77,7 @@ Signed-off-by: Daniel Golle <daniel@makrotopia.org>
  
  #include "mtdcore.h"
  
-@@ -922,6 +923,8 @@ int mtd_device_parse_register(struct mtd
+@@ -924,6 +925,8 @@ int mtd_device_parse_register(struct mtd
  		register_reboot_notifier(&mtd->reboot_notifier);
  	}
  
diff --git a/target/linux/generic/hack-5.10/410-block-fit-partition-parser.patch b/target/linux/generic/hack-5.10/410-block-fit-partition-parser.patch
index 00c8d255fc..405cc9d0d4 100644
--- a/target/linux/generic/hack-5.10/410-block-fit-partition-parser.patch
+++ b/target/linux/generic/hack-5.10/410-block-fit-partition-parser.patch
@@ -248,3 +248,4 @@ Submitted-by: Daniel Golle <daniel@makrotopia.org>
 +	FIT_PARTITION = 0x2e,		/* U-Boot uImage.FIT */
  	SOLARIS_X86_PARTITION =	0x82,	/* also Linux swap partitions */
  	NEW_SOLARIS_X86_PARTITION = 0xbf,
+ 
diff --git a/target/linux/generic/hack-5.10/420-mtd-set-rootfs-to-be-root-dev.patch b/target/linux/generic/hack-5.10/420-mtd-set-rootfs-to-be-root-dev.patch
index ad68d52c72..5529bba12c 100644
--- a/target/linux/generic/hack-5.10/420-mtd-set-rootfs-to-be-root-dev.patch
+++ b/target/linux/generic/hack-5.10/420-mtd-set-rootfs-to-be-root-dev.patch
@@ -20,7 +20,7 @@ Signed-off-by: Gabor Juhos <juhosg@openwrt.org>
  #include <linux/nvmem-provider.h>
  
  #include <linux/mtd/mtd.h>
-@@ -765,6 +766,19 @@ int add_mtd_device(struct mtd_info *mtd)
+@@ -767,6 +768,19 @@ int add_mtd_device(struct mtd_info *mtd)
  	   of this try_ nonsense, and no bitching about it
  	   either. :) */
  	__module_get(THIS_MODULE);
diff --git a/target/linux/generic/hack-5.15/402-mtd-blktrans-call-add-disks-after-mtd-device.patch b/target/linux/generic/hack-5.15/402-mtd-blktrans-call-add-disks-after-mtd-device.patch
index 011f790fa7..eaba093376 100644
--- a/target/linux/generic/hack-5.15/402-mtd-blktrans-call-add-disks-after-mtd-device.patch
+++ b/target/linux/generic/hack-5.15/402-mtd-blktrans-call-add-disks-after-mtd-device.patch
@@ -77,7 +77,7 @@ Signed-off-by: Daniel Golle <daniel@makrotopia.org>
  
  #include "mtdcore.h"
  
-@@ -1073,6 +1074,8 @@ int mtd_device_parse_register(struct mtd
+@@ -1075,6 +1076,8 @@ int mtd_device_parse_register(struct mtd
  
  	ret = mtd_otp_nvmem_add(mtd);
  
diff --git a/target/linux/generic/hack-5.15/420-mtd-set-rootfs-to-be-root-dev.patch b/target/linux/generic/hack-5.15/420-mtd-set-rootfs-to-be-root-dev.patch
index 90254c63bf..8bf8288bbd 100644
--- a/target/linux/generic/hack-5.15/420-mtd-set-rootfs-to-be-root-dev.patch
+++ b/target/linux/generic/hack-5.15/420-mtd-set-rootfs-to-be-root-dev.patch
@@ -20,7 +20,7 @@ Signed-off-by: Gabor Juhos <juhosg@openwrt.org>
  #include <linux/nvmem-provider.h>
  
  #include <linux/mtd/mtd.h>
-@@ -768,6 +769,16 @@ int add_mtd_device(struct mtd_info *mtd)
+@@ -770,6 +771,16 @@ int add_mtd_device(struct mtd_info *mtd)
  	   of this try_ nonsense, and no bitching about it
  	   either. :) */
  	__module_get(THIS_MODULE);
-- 
2.30.2