[v1] mtd: rawnand: meson: check buffer length

Message ID	20230605191047.1820016-1-AVKrasnov@sberdevices.ru (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org> From: Arseniy Krasnov <AVKrasnov@sberdevices.ru> To: Liang Yang <liang.yang@amlogic.com>, Miquel Raynal <miquel.raynal@bootlin.com>, Richard Weinberger <richard@nod.at>, Vignesh Raghavendra <vigneshr@ti.com>, Neil Armstrong <neil.armstrong@linaro.org>, Kevin Hilman <khilman@baylibre.com>, Jerome Brunet <jbrunet@baylibre.com>, Martin Blumenstingl <martin.blumenstingl@googlemail.com> CC: <oxffffaa@gmail.com>, <kernel@sberdevices.ru>, Arseniy Krasnov <AVKrasnov@sberdevices.ru>, <linux-mtd@lists.infradead.org>, <linux-arm-kernel@lists.infradead.org>, <linux-amlogic@lists.infradead.org>, <linux-kernel@vger.kernel.org> Subject: [PATCH v1] mtd: rawnand: meson: check buffer length Date: Mon, 5 Jun 2023 22:10:46 +0300 Message-ID: <20230605191047.1820016-1-AVKrasnov@sberdevices.ru> MIME-Version: 1.0 bases: 2023/06/05 13:50:00 #21435193 Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org> Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org
Series	[v1] mtd: rawnand: meson: check buffer length \| expand [v1] mtd: rawnand: meson: check buffer length

Message ID

20230605191047.1820016-1-AVKrasnov@sberdevices.ru (mailing list archive)

State

New, archived

Headers

From: Arseniy Krasnov <AVKrasnov@sberdevices.ru>
To: Liang Yang <liang.yang@amlogic.com>, Miquel Raynal
	<miquel.raynal@bootlin.com>, Richard Weinberger <richard@nod.at>, Vignesh
 Raghavendra <vigneshr@ti.com>, Neil Armstrong <neil.armstrong@linaro.org>,
	Kevin Hilman <khilman@baylibre.com>, Jerome Brunet <jbrunet@baylibre.com>,
	Martin Blumenstingl <martin.blumenstingl@googlemail.com>
CC: <oxffffaa@gmail.com>, <kernel@sberdevices.ru>, Arseniy Krasnov
	<AVKrasnov@sberdevices.ru>, <linux-mtd@lists.infradead.org>,
	<linux-arm-kernel@lists.infradead.org>, <linux-amlogic@lists.infradead.org>,
	<linux-kernel@vger.kernel.org>
Subject: [PATCH v1] mtd: rawnand: meson: check buffer length
Date: Mon, 5 Jun 2023 22:10:46 +0300
Message-ID: <20230605191047.1820016-1-AVKrasnov@sberdevices.ru>
MIME-Version: 1.0
Precedence: list
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
Errors-To: 
 linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org

Series

[v1] mtd: rawnand: meson: check buffer length | expand

Commit Message

Arseniy Krasnov June 5, 2023, 7:10 p.m. UTC

Meson NAND controller has limited buffer length, so check it before
command execution to avoid length trim. Also check MTD write size on
chip attach.

Signed-off-by: Arseniy Krasnov <AVKrasnov@sberdevices.ru>
---
 drivers/mtd/nand/raw/meson_nand.c | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

Comments

Miquel Raynal June 6, 2023, 7:16 a.m. UTC | #1

Hi Arseniy,

AVKrasnov@sberdevices.ru wrote on Mon, 5 Jun 2023 22:10:46 +0300:

> Meson NAND controller has limited buffer length, so check it before
> command execution to avoid length trim. Also check MTD write size on
> chip attach.

Almost there :)

> 
> Signed-off-by: Arseniy Krasnov <AVKrasnov@sberdevices.ru>
> ---
>  drivers/mtd/nand/raw/meson_nand.c | 22 +++++++++++++++++++---
>  1 file changed, 19 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/mtd/nand/raw/meson_nand.c b/drivers/mtd/nand/raw/meson_nand.c
> index 074e14225c06..bfb5363cac23 100644
> --- a/drivers/mtd/nand/raw/meson_nand.c
> +++ b/drivers/mtd/nand/raw/meson_nand.c
> @@ -108,6 +108,8 @@
>  
>  #define PER_INFO_BYTE		8
>  
> +#define NFC_CMD_RAW_LEN	GENMASK(13, 0)
> +
>  struct meson_nfc_nand_chip {
>  	struct list_head node;
>  	struct nand_chip nand;
> @@ -280,7 +282,7 @@ static void meson_nfc_cmd_access(struct nand_chip *nand, int raw, bool dir,
>  
>  	if (raw) {
>  		len = mtd->writesize + mtd->oobsize;
> -		cmd = (len & GENMASK(13, 0)) | scrambler | DMA_DIR(dir);
> +		cmd = len | scrambler | DMA_DIR(dir);
>  		writel(cmd, nfc->reg_base + NFC_REG_CMD);
>  		return;
>  	}
> @@ -544,7 +546,7 @@ static int meson_nfc_read_buf(struct nand_chip *nand, u8 *buf, int len)
>  	if (ret)
>  		goto out;
>  
> -	cmd = NFC_CMD_N2M | (len & GENMASK(13, 0));
> +	cmd = NFC_CMD_N2M | len;
>  	writel(cmd, nfc->reg_base + NFC_REG_CMD);
>  
>  	meson_nfc_drain_cmd(nfc);
> @@ -568,7 +570,7 @@ static int meson_nfc_write_buf(struct nand_chip *nand, u8 *buf, int len)
>  	if (ret)
>  		return ret;
>  
> -	cmd = NFC_CMD_M2N | (len & GENMASK(13, 0));
> +	cmd = NFC_CMD_M2N | len;
>  	writel(cmd, nfc->reg_base + NFC_REG_CMD);
>  
>  	meson_nfc_drain_cmd(nfc);
> @@ -936,6 +938,9 @@ static int meson_nfc_exec_op(struct nand_chip *nand,
>  			break;
>  
>  		case NAND_OP_DATA_IN_INSTR:
> +			if (instr->ctx.data.len > NFC_CMD_RAW_LEN)
> +				return -EINVAL;

You need to refuse the operation earlier. That's what the check_op
boolean is about. Maybe you can take inspiration from anfc_check_op()
in the arasan controller.

> +
>  			buf = meson_nand_op_get_dma_safe_input_buf(instr);
>  			if (!buf)
>  				return -ENOMEM;
> @@ -944,6 +949,9 @@ static int meson_nfc_exec_op(struct nand_chip *nand,
>  			break;
>  
>  		case NAND_OP_DATA_OUT_INSTR:
> +			if (instr->ctx.data.len > NFC_CMD_RAW_LEN)
> +				return -EINVAL;

Same.

> +
>  			buf = meson_nand_op_get_dma_safe_output_buf(instr);
>  			if (!buf)
>  				return -ENOMEM;
> @@ -1181,6 +1189,7 @@ static int meson_nand_attach_chip(struct nand_chip *nand)
>  	struct meson_nfc_nand_chip *meson_chip = to_meson_nand(nand);
>  	struct mtd_info *mtd = nand_to_mtd(nand);
>  	int nsectors = mtd->writesize / 1024;
> +	int raw_writesize;
>  	int ret;
>  
>  	if (!mtd->name) {
> @@ -1192,6 +1201,13 @@ static int meson_nand_attach_chip(struct nand_chip *nand)
>  			return -ENOMEM;
>  	}
>  
> +	raw_writesize = mtd->writesize + mtd->oobsize;
> +	if (raw_writesize > NFC_CMD_RAW_LEN) {
> +		dev_err(nfc->dev, "too big write size in raw mode: %d > %ld\n",
> +			raw_writesize, NFC_CMD_RAW_LEN);
> +		return -EINVAL;
> +	}
> +
>  	if (nand->bbt_options & NAND_BBT_USE_FLASH)
>  		nand->bbt_options |= NAND_BBT_NO_OOB;
>  


Thanks,
Miquèl

Arseniy Krasnov June 6, 2023, 7:37 a.m. UTC | #2

On 06.06.2023 10:16, Miquel Raynal wrote:
> Hi Arseniy,
> 
> AVKrasnov@sberdevices.ru wrote on Mon, 5 Jun 2023 22:10:46 +0300:
> 
>> Meson NAND controller has limited buffer length, so check it before
>> command execution to avoid length trim. Also check MTD write size on
>> chip attach.
> 
> Almost there :)

Hello Miquel!

You mean to rephrase it? :)

Thanks, Arseniy

> 
>>
>> Signed-off-by: Arseniy Krasnov <AVKrasnov@sberdevices.ru>
>> ---
>>  drivers/mtd/nand/raw/meson_nand.c | 22 +++++++++++++++++++---
>>  1 file changed, 19 insertions(+), 3 deletions(-)
>>
>> diff --git a/drivers/mtd/nand/raw/meson_nand.c b/drivers/mtd/nand/raw/meson_nand.c
>> index 074e14225c06..bfb5363cac23 100644
>> --- a/drivers/mtd/nand/raw/meson_nand.c
>> +++ b/drivers/mtd/nand/raw/meson_nand.c
>> @@ -108,6 +108,8 @@
>>  
>>  #define PER_INFO_BYTE		8
>>  
>> +#define NFC_CMD_RAW_LEN	GENMASK(13, 0)
>> +
>>  struct meson_nfc_nand_chip {
>>  	struct list_head node;
>>  	struct nand_chip nand;
>> @@ -280,7 +282,7 @@ static void meson_nfc_cmd_access(struct nand_chip *nand, int raw, bool dir,
>>  
>>  	if (raw) {
>>  		len = mtd->writesize + mtd->oobsize;
>> -		cmd = (len & GENMASK(13, 0)) | scrambler | DMA_DIR(dir);
>> +		cmd = len | scrambler | DMA_DIR(dir);
>>  		writel(cmd, nfc->reg_base + NFC_REG_CMD);
>>  		return;
>>  	}
>> @@ -544,7 +546,7 @@ static int meson_nfc_read_buf(struct nand_chip *nand, u8 *buf, int len)
>>  	if (ret)
>>  		goto out;
>>  
>> -	cmd = NFC_CMD_N2M | (len & GENMASK(13, 0));
>> +	cmd = NFC_CMD_N2M | len;
>>  	writel(cmd, nfc->reg_base + NFC_REG_CMD);
>>  
>>  	meson_nfc_drain_cmd(nfc);
>> @@ -568,7 +570,7 @@ static int meson_nfc_write_buf(struct nand_chip *nand, u8 *buf, int len)
>>  	if (ret)
>>  		return ret;
>>  
>> -	cmd = NFC_CMD_M2N | (len & GENMASK(13, 0));
>> +	cmd = NFC_CMD_M2N | len;
>>  	writel(cmd, nfc->reg_base + NFC_REG_CMD);
>>  
>>  	meson_nfc_drain_cmd(nfc);
>> @@ -936,6 +938,9 @@ static int meson_nfc_exec_op(struct nand_chip *nand,
>>  			break;
>>  
>>  		case NAND_OP_DATA_IN_INSTR:
>> +			if (instr->ctx.data.len > NFC_CMD_RAW_LEN)
>> +				return -EINVAL;
> 
> You need to refuse the operation earlier. That's what the check_op
> boolean is about. Maybe you can take inspiration from anfc_check_op()
> in the arasan controller.

Ok! Thanks!

> 
>> +
>>  			buf = meson_nand_op_get_dma_safe_input_buf(instr);
>>  			if (!buf)
>>  				return -ENOMEM;
>> @@ -944,6 +949,9 @@ static int meson_nfc_exec_op(struct nand_chip *nand,
>>  			break;
>>  
>>  		case NAND_OP_DATA_OUT_INSTR:
>> +			if (instr->ctx.data.len > NFC_CMD_RAW_LEN)
>> +				return -EINVAL;
> 
> Same.
> 
>> +
>>  			buf = meson_nand_op_get_dma_safe_output_buf(instr);
>>  			if (!buf)
>>  				return -ENOMEM;
>> @@ -1181,6 +1189,7 @@ static int meson_nand_attach_chip(struct nand_chip *nand)
>>  	struct meson_nfc_nand_chip *meson_chip = to_meson_nand(nand);
>>  	struct mtd_info *mtd = nand_to_mtd(nand);
>>  	int nsectors = mtd->writesize / 1024;
>> +	int raw_writesize;
>>  	int ret;
>>  
>>  	if (!mtd->name) {
>> @@ -1192,6 +1201,13 @@ static int meson_nand_attach_chip(struct nand_chip *nand)
>>  			return -ENOMEM;
>>  	}
>>  
>> +	raw_writesize = mtd->writesize + mtd->oobsize;
>> +	if (raw_writesize > NFC_CMD_RAW_LEN) {
>> +		dev_err(nfc->dev, "too big write size in raw mode: %d > %ld\n",
>> +			raw_writesize, NFC_CMD_RAW_LEN);
>> +		return -EINVAL;
>> +	}
>> +
>>  	if (nand->bbt_options & NAND_BBT_USE_FLASH)
>>  		nand->bbt_options |= NAND_BBT_NO_OOB;
>>  
> 
> 
> Thanks,
> Miquèl

Miquel Raynal June 6, 2023, 7:50 a.m. UTC | #3

Hi Arseniy,

avkrasnov@sberdevices.ru wrote on Tue, 6 Jun 2023 10:37:43 +0300:

> On 06.06.2023 10:16, Miquel Raynal wrote:
> > Hi Arseniy,
> > 
> > AVKrasnov@sberdevices.ru wrote on Mon, 5 Jun 2023 22:10:46 +0300:
> >   
> >> Meson NAND controller has limited buffer length, so check it before
> >> command execution to avoid length trim. Also check MTD write size on
> >> chip attach.  
> > 
> > Almost there :)  
> 
> Hello Miquel!
> 
> You mean to rephrase it? :)

Not at all, I meant: there is something to change in this file (see
below) but the patch is close to be ready.

> 
> Thanks, Arseniy
> 
> >   
> >>
> >> Signed-off-by: Arseniy Krasnov <AVKrasnov@sberdevices.ru>
> >> ---
> >>  drivers/mtd/nand/raw/meson_nand.c | 22 +++++++++++++++++++---
> >>  1 file changed, 19 insertions(+), 3 deletions(-)
> >>
> >> diff --git a/drivers/mtd/nand/raw/meson_nand.c b/drivers/mtd/nand/raw/meson_nand.c
> >> index 074e14225c06..bfb5363cac23 100644
> >> --- a/drivers/mtd/nand/raw/meson_nand.c
> >> +++ b/drivers/mtd/nand/raw/meson_nand.c
> >> @@ -108,6 +108,8 @@
> >>  
> >>  #define PER_INFO_BYTE		8
> >>  
> >> +#define NFC_CMD_RAW_LEN	GENMASK(13, 0)
> >> +
> >>  struct meson_nfc_nand_chip {
> >>  	struct list_head node;
> >>  	struct nand_chip nand;
> >> @@ -280,7 +282,7 @@ static void meson_nfc_cmd_access(struct nand_chip *nand, int raw, bool dir,
> >>  
> >>  	if (raw) {
> >>  		len = mtd->writesize + mtd->oobsize;
> >> -		cmd = (len & GENMASK(13, 0)) | scrambler | DMA_DIR(dir);
> >> +		cmd = len | scrambler | DMA_DIR(dir);
> >>  		writel(cmd, nfc->reg_base + NFC_REG_CMD);
> >>  		return;
> >>  	}
> >> @@ -544,7 +546,7 @@ static int meson_nfc_read_buf(struct nand_chip *nand, u8 *buf, int len)
> >>  	if (ret)
> >>  		goto out;
> >>  
> >> -	cmd = NFC_CMD_N2M | (len & GENMASK(13, 0));
> >> +	cmd = NFC_CMD_N2M | len;
> >>  	writel(cmd, nfc->reg_base + NFC_REG_CMD);
> >>  
> >>  	meson_nfc_drain_cmd(nfc);
> >> @@ -568,7 +570,7 @@ static int meson_nfc_write_buf(struct nand_chip *nand, u8 *buf, int len)
> >>  	if (ret)
> >>  		return ret;
> >>  
> >> -	cmd = NFC_CMD_M2N | (len & GENMASK(13, 0));
> >> +	cmd = NFC_CMD_M2N | len;
> >>  	writel(cmd, nfc->reg_base + NFC_REG_CMD);
> >>  
> >>  	meson_nfc_drain_cmd(nfc);
> >> @@ -936,6 +938,9 @@ static int meson_nfc_exec_op(struct nand_chip *nand,
> >>  			break;
> >>  
> >>  		case NAND_OP_DATA_IN_INSTR:
> >> +			if (instr->ctx.data.len > NFC_CMD_RAW_LEN)
> >> +				return -EINVAL;  
> > 
> > You need to refuse the operation earlier. That's what the check_op
> > boolean is about. Maybe you can take inspiration from anfc_check_op()
> > in the arasan controller.  
> 
> Ok! Thanks!
> 
> >   
> >> +
> >>  			buf = meson_nand_op_get_dma_safe_input_buf(instr);
> >>  			if (!buf)
> >>  				return -ENOMEM;
> >> @@ -944,6 +949,9 @@ static int meson_nfc_exec_op(struct nand_chip *nand,
> >>  			break;
> >>  
> >>  		case NAND_OP_DATA_OUT_INSTR:
> >> +			if (instr->ctx.data.len > NFC_CMD_RAW_LEN)
> >> +				return -EINVAL;  
> > 
> > Same.
> >   
> >> +
> >>  			buf = meson_nand_op_get_dma_safe_output_buf(instr);
> >>  			if (!buf)
> >>  				return -ENOMEM;
> >> @@ -1181,6 +1189,7 @@ static int meson_nand_attach_chip(struct nand_chip *nand)
> >>  	struct meson_nfc_nand_chip *meson_chip = to_meson_nand(nand);
> >>  	struct mtd_info *mtd = nand_to_mtd(nand);
> >>  	int nsectors = mtd->writesize / 1024;
> >> +	int raw_writesize;
> >>  	int ret;
> >>  
> >>  	if (!mtd->name) {
> >> @@ -1192,6 +1201,13 @@ static int meson_nand_attach_chip(struct nand_chip *nand)
> >>  			return -ENOMEM;
> >>  	}
> >>  
> >> +	raw_writesize = mtd->writesize + mtd->oobsize;
> >> +	if (raw_writesize > NFC_CMD_RAW_LEN) {
> >> +		dev_err(nfc->dev, "too big write size in raw mode: %d > %ld\n",
> >> +			raw_writesize, NFC_CMD_RAW_LEN);
> >> +		return -EINVAL;
> >> +	}
> >> +
> >>  	if (nand->bbt_options & NAND_BBT_USE_FLASH)
> >>  		nand->bbt_options |= NAND_BBT_NO_OOB;
> >>    
> > 
> > 
> > Thanks,
> > Miquèl  


Thanks,
Miquèl

diff --git a/drivers/mtd/nand/raw/meson_nand.c b/drivers/mtd/nand/raw/meson_nand.c
index 074e14225c06..bfb5363cac23 100644
--- a/drivers/mtd/nand/raw/meson_nand.c
+++ b/drivers/mtd/nand/raw/meson_nand.c
@@ -108,6 +108,8 @@ 
 
 #define PER_INFO_BYTE		8
 
+#define NFC_CMD_RAW_LEN	GENMASK(13, 0)
+
 struct meson_nfc_nand_chip {
 	struct list_head node;
 	struct nand_chip nand;
@@ -280,7 +282,7 @@  static void meson_nfc_cmd_access(struct nand_chip *nand, int raw, bool dir,
 
 	if (raw) {
 		len = mtd->writesize + mtd->oobsize;
-		cmd = (len & GENMASK(13, 0)) | scrambler | DMA_DIR(dir);
+		cmd = len | scrambler | DMA_DIR(dir);
 		writel(cmd, nfc->reg_base + NFC_REG_CMD);
 		return;
 	}
@@ -544,7 +546,7 @@  static int meson_nfc_read_buf(struct nand_chip *nand, u8 *buf, int len)
 	if (ret)
 		goto out;
 
-	cmd = NFC_CMD_N2M | (len & GENMASK(13, 0));
+	cmd = NFC_CMD_N2M | len;
 	writel(cmd, nfc->reg_base + NFC_REG_CMD);
 
 	meson_nfc_drain_cmd(nfc);
@@ -568,7 +570,7 @@  static int meson_nfc_write_buf(struct nand_chip *nand, u8 *buf, int len)
 	if (ret)
 		return ret;
 
-	cmd = NFC_CMD_M2N | (len & GENMASK(13, 0));
+	cmd = NFC_CMD_M2N | len;
 	writel(cmd, nfc->reg_base + NFC_REG_CMD);
 
 	meson_nfc_drain_cmd(nfc);
@@ -936,6 +938,9 @@  static int meson_nfc_exec_op(struct nand_chip *nand,
 			break;
 
 		case NAND_OP_DATA_IN_INSTR:
+			if (instr->ctx.data.len > NFC_CMD_RAW_LEN)
+				return -EINVAL;
+
 			buf = meson_nand_op_get_dma_safe_input_buf(instr);
 			if (!buf)
 				return -ENOMEM;
@@ -944,6 +949,9 @@  static int meson_nfc_exec_op(struct nand_chip *nand,
 			break;
 
 		case NAND_OP_DATA_OUT_INSTR:
+			if (instr->ctx.data.len > NFC_CMD_RAW_LEN)
+				return -EINVAL;
+
 			buf = meson_nand_op_get_dma_safe_output_buf(instr);
 			if (!buf)
 				return -ENOMEM;
@@ -1181,6 +1189,7 @@  static int meson_nand_attach_chip(struct nand_chip *nand)
 	struct meson_nfc_nand_chip *meson_chip = to_meson_nand(nand);
 	struct mtd_info *mtd = nand_to_mtd(nand);
 	int nsectors = mtd->writesize / 1024;
+	int raw_writesize;
 	int ret;
 
 	if (!mtd->name) {
@@ -1192,6 +1201,13 @@  static int meson_nand_attach_chip(struct nand_chip *nand)
 			return -ENOMEM;
 	}
 
+	raw_writesize = mtd->writesize + mtd->oobsize;
+	if (raw_writesize > NFC_CMD_RAW_LEN) {
+		dev_err(nfc->dev, "too big write size in raw mode: %d > %ld\n",
+			raw_writesize, NFC_CMD_RAW_LEN);
+		return -EINVAL;
+	}
+
 	if (nand->bbt_options & NAND_BBT_USE_FLASH)
 		nand->bbt_options |= NAND_BBT_NO_OOB;

[v1] mtd: rawnand: meson: check buffer length

Commit Message

Comments

Patch