| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <07a0fbce-d1fa-6ac0-0428-3123c19cd89b@ti.com>
Date: Wed, 14 Nov 2018 17:30:15 +0530
From: Vignesh R <vigneshr@...com>
To: <thor.thayer@...ux.intel.com>, <marek.vasut@...il.com>,
<dwmw2@...radead.org>, <computersforpeace@...il.com>,
<boris.brezillon@...tlin.com>, <richard@....at>
CC: <linux-mtd@...ts.infradead.org>, <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] mtd: spi-nor: Fix Cadence QSPI page fault kernel panic
Hi,
On 13/11/18 11:02 PM, thor.thayer@...ux.intel.com wrote:
> From: Thor Thayer <thor.thayer@...ux.intel.com>
>
> The current Cadence QSPI driver caused a kernel panic sporadically
> when writing to QSPI. The problem was caused by writing more bytes
> than needed because the QSPI operated on 4 bytes at a time.
> <snip>
> [ 11.202044] Unable to handle kernel paging request at virtual address bffd3000
> [ 11.209254] pgd = e463054d
> [ 11.211948] [bffd3000] *pgd=2fffb811, *pte=00000000, *ppte=00000000
> [ 11.218202] Internal error: Oops: 7 [#1] SMP ARM
> [ 11.222797] Modules linked in:
> [ 11.225844] CPU: 1 PID: 1317 Comm: systemd-hwdb Not tainted 4.17.7-d0c45cd44a8f
> [ 11.235796] Hardware name: Altera SOCFPGA Arria10
> [ 11.240487] PC is at __raw_writesl+0x70/0xd4
> [ 11.244741] LR is at cqspi_write+0x1a0/0x2cc
> </snip>
> On a page boundary limit the number of bytes copied from the tx buffer
> to remain within the page.
>
> This patch uses a temporary buffer to hold the 4 bytes to write and then
> copies only the bytes required from the tx buffer. A min() function is
> used to limit the length to prevent buffer indexing overflows.
>
> Reported-by: Adrian Amborzewicz <adrian.ambrozewicz@...el.com>
> Signed-off-by: Thor Thayer <thor.thayer@...ux.intel.com>
> ---
> drivers/mtd/spi-nor/cadence-quadspi.c | 19 ++++++++++++++++---
> 1 file changed, 16 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/mtd/spi-nor/cadence-quadspi.c b/drivers/mtd/spi-nor/cadence-quadspi.c
> index d846428ef038..3659d94b4d2f 100644
> --- a/drivers/mtd/spi-nor/cadence-quadspi.c
> +++ b/drivers/mtd/spi-nor/cadence-quadspi.c
> @@ -644,9 +644,23 @@ static int cqspi_indirect_write_execute(struct spi_nor *nor, loff_t to_addr,
> ndelay(cqspi->wr_delay);
>
> while (remaining > 0) {
> + size_t write_words, mod_bytes;
> +
> write_bytes = remaining > page_size ? page_size : remaining;
> - iowrite32_rep(cqspi->ahb_base, txbuf,
> - DIV_ROUND_UP(write_bytes, 4));
> + write_words = write_bytes / 4;
> + mod_bytes = write_bytes % 4;
> + /* Write 4 bytes at a time then single bytes. */
> + if (write_words) {
> + iowrite32_rep(cqspi->ahb_base, txbuf, write_words);
> + txbuf += (write_words * 4);
> + }
> + if (mod_bytes) {
> + unsigned int temp = 0xFFFFFFFF;
> +
> + memcpy(&temp, txbuf, min(sizeof(temp), mod_bytes));
Sorry, I dont understand why min() is required here since:
mod_bytes = write_bytes % 4;
Doesn't that ensure mod_bytes < sizeof(temp)?
> + iowrite32(temp, cqspi->ahb_base);
> + txbuf += mod_bytes;
> + }
>
> if (!wait_for_completion_timeout(&cqspi->transfer_complete,
> msecs_to_jiffies(CQSPI_TIMEOUT_MS))) {
> @@ -655,7 +669,6 @@ static int cqspi_indirect_write_execute(struct spi_nor *nor, loff_t to_addr,
> goto failwr;
> }
>
> - txbuf += write_bytes;
> remaining -= write_bytes;
>
> if (remaining > 0)
>
--
Regards
Vignesh
Powered by blists - more mailing lists