| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <7903580d-685c-14e6-5572-81a4cb31cced@amlogic.com>
Date: Thu, 8 Jun 2023 14:42:53 +0800
From: Liang Yang <liang.yang@...ogic.com>
To: Arseniy Krasnov <avkrasnov@...rdevices.ru>,
Miquel Raynal <miquel.raynal@...tlin.com>,
Richard Weinberger <richard@....at>,
Vignesh Raghavendra <vigneshr@...com>,
Neil Armstrong <neil.armstrong@...aro.org>,
Kevin Hilman <khilman@...libre.com>,
Jerome Brunet <jbrunet@...libre.com>,
Martin Blumenstingl <martin.blumenstingl@...glemail.com>
Cc: oxffffaa@...il.com, kernel@...rdevices.ru,
linux-mtd@...ts.infradead.org,
linux-arm-kernel@...ts.infradead.org,
linux-amlogic@...ts.infradead.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] mtd: rawnand: meson: check buffer length
Hi Arseniy,
On 2023/6/8 5:17, Arseniy Krasnov wrote:
> [ EXTERNAL EMAIL ]
>
> Hi again Miquel, Liang!
>
> What do You think about this patch?
>
> Thanks, Arseniy
>
> On 06.06.2023 19:29, Arseniy Krasnov wrote:
>> Sorry, here is changelog:
>> v1 -> v2:
>> * Move checks from 'switch/case' which executes commands in 'meson_nfc_exec_op()' to a special
>> separated function 'meson_nfc_check_op()' which is called before commands processing.
>>
>> On 06.06.2023 13:16, Arseniy Krasnov wrote:
>>> Meson NAND controller has limited buffer length, so check it before
>>> command execution to avoid length trim. Also check MTD write size on
>>> chip attach.
>>>
>>> Signed-off-by: Arseniy Krasnov <AVKrasnov@...rdevices.ru>
>>> ---
>>> drivers/mtd/nand/raw/meson_nand.c | 47 +++++++++++++++++++++++++++----
>>> 1 file changed, 42 insertions(+), 5 deletions(-)
>>>
>>> diff --git a/drivers/mtd/nand/raw/meson_nand.c b/drivers/mtd/nand/raw/meson_nand.c
>>> index 23a73268421b..db6b18753071 100644
>>> --- a/drivers/mtd/nand/raw/meson_nand.c
>>> +++ b/drivers/mtd/nand/raw/meson_nand.c
>>> @@ -111,6 +111,8 @@
>>>
>>> #define PER_INFO_BYTE 8
>>>
>>> +#define NFC_CMD_RAW_LEN GENMASK(13, 0)
>>> +
>>> struct meson_nfc_nand_chip {
>>> struct list_head node;
>>> struct nand_chip nand;
>>> @@ -284,7 +286,7 @@ static void meson_nfc_cmd_access(struct nand_chip *nand, int raw, bool dir,
>>>
>>> if (raw) {
>>> len = mtd->writesize + mtd->oobsize;
>>> - cmd = (len & GENMASK(13, 0)) | scrambler | DMA_DIR(dir);
>>> + cmd = len | scrambler | DMA_DIR(dir);
>>> writel(cmd, nfc->reg_base + NFC_REG_CMD);
I think we could keep "& GENMASK(13, 0)". it is better here to indicate
how many bits of length in this command and don't destory the command
once we don't check the "len" outside of this function. or the code "if
(len > NFC_CMD_RAW_LEN)" is better to put inside this function nearly.
Thanks.
>>> return;
>>> }
>>> @@ -573,7 +575,7 @@ static int meson_nfc_read_buf(struct nand_chip *nand, u8 *buf, int len)
>>> if (ret)
>>> goto out;
>>>
>>> - cmd = NFC_CMD_N2M | (len & GENMASK(13, 0));
>>> + cmd = NFC_CMD_N2M | len;
>>> writel(cmd, nfc->reg_base + NFC_REG_CMD);
>>>
>>> meson_nfc_drain_cmd(nfc);
>>> @@ -597,7 +599,7 @@ static int meson_nfc_write_buf(struct nand_chip *nand, u8 *buf, int len)
>>> if (ret)
>>> return ret;
>>>
>>> - cmd = NFC_CMD_M2N | (len & GENMASK(13, 0));
>>> + cmd = NFC_CMD_M2N | len;
>>> writel(cmd, nfc->reg_base + NFC_REG_CMD);
>>>
>>> meson_nfc_drain_cmd(nfc);
>>> @@ -1007,6 +1009,31 @@ meson_nand_op_put_dma_safe_output_buf(const struct nand_op_instr *instr,
>>> kfree(buf);
>>> }
>>>
>>> +static int meson_nfc_check_op(struct nand_chip *chip,
>>> + const struct nand_operation *op)
>>> +{
>>> + int op_id;
>>> +
>>> + for (op_id = 0; op_id < op->ninstrs; op_id++) {
>>> + const struct nand_op_instr *instr;
>>> +
>>> + instr = &op->instrs[op_id];
>>> +
>>> + switch (instr->type) {
>>> + case NAND_OP_DATA_IN_INSTR:
>>> + case NAND_OP_DATA_OUT_INSTR:
>>> + if (instr->ctx.data.len > NFC_CMD_RAW_LEN)
>>> + return -ENOTSUPP;
>>> +
>>> + break;
>>> + default:
>>> + break;
>>> + }
>>> + }
>>> +
>>> + return 0;
>>> +}
>>> +
>>> static int meson_nfc_exec_op(struct nand_chip *nand,
>>> const struct nand_operation *op, bool check_only)
>>> {
>>> @@ -1015,10 +1042,12 @@ static int meson_nfc_exec_op(struct nand_chip *nand,
>>> const struct nand_op_instr *instr = NULL;
>>> void *buf;
>>> u32 op_id, delay_idle, cmd;
>>> + int err;
>>> int i;
>>>
>>> - if (check_only)
>>> - return 0;
>>> + err = meson_nfc_check_op(nand, op);
>>> + if (err || check_only)
>>> + return err;
>>>
>>> meson_nfc_select_chip(nand, op->cs);
>>> for (op_id = 0; op_id < op->ninstrs; op_id++) {
>>> @@ -1293,6 +1322,7 @@ static int meson_nand_attach_chip(struct nand_chip *nand)
>>> struct meson_nfc_nand_chip *meson_chip = to_meson_nand(nand);
>>> struct mtd_info *mtd = nand_to_mtd(nand);
>>> int nsectors = mtd->writesize / 1024;
>>> + int raw_writesize;
>>> int ret;
>>>
>>> if (!mtd->name) {
>>> @@ -1304,6 +1334,13 @@ static int meson_nand_attach_chip(struct nand_chip *nand)
>>> return -ENOMEM;
>>> }
>>>
>>> + raw_writesize = mtd->writesize + mtd->oobsize;
>>> + if (raw_writesize > NFC_CMD_RAW_LEN) {
>>> + dev_err(nfc->dev, "too big write size in raw mode: %d > %ld\n",
>>> + raw_writesize, NFC_CMD_RAW_LEN);
>>> + return -EINVAL;
>>> + }
>>> +
>>> if (nand->bbt_options & NAND_BBT_USE_FLASH)
>>> nand->bbt_options |= NAND_BBT_NO_OOB;
>>>
Powered by blists - more mailing lists