From nobody Wed Feb 11 10:52:15 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id AA7BDC7EE23 for ; Wed, 10 May 2023 11:14:13 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236810AbjEJLOK (ORCPT ); Wed, 10 May 2023 07:14:10 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39602 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236726AbjEJLNz (ORCPT ); Wed, 10 May 2023 07:13:55 -0400 Received: from mx.sberdevices.ru (mx.sberdevices.ru [45.89.227.171]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 27155449C for ; Wed, 10 May 2023 04:13:48 -0700 (PDT) Received: from s-lin-edge02.sberdevices.ru (localhost [127.0.0.1]) by mx.sberdevices.ru (Postfix) with ESMTP id 793D15FD25; Wed, 10 May 2023 14:13:46 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sberdevices.ru; s=mail; t=1683717226; bh=t19ScH83QlOV2MoLDXmhWB2urLyNhAs8wD4po+eanN4=; h=From:To:Subject:Date:Message-ID:MIME-Version:Content-Type; b=AtGeo1BpEMLlVbwYhweKX4DFHWzRug4w9xBqGr0l6LmSNocnqgfq02B2X28xNAxtj J6CugNMTQyz8Mt+DSueaXl7HFXeIISOyaz4GY62G4Runx2t0biadIXT2S3e+l+0/mi TMaUfEPzTZ20jrIZzY9+ANVCkTWRs0lSqYITD6fSEE5/xzoN4znMZijXHUM9CIOCZK VejqI5PFJ3JhENwm8MkqClJKDk+gaP/nptOGr3AsxNEhVmLEfwVb5ObM4TQKzUhR6S bb3liHAXo4xIlHeWumfIwXs73qFKIRw9IdEITf8eUxBXefNYc52WHsuR0/RvV5vNyu jncobylzRLf/Q== Received: from S-MS-EXCH01.sberdevices.ru (S-MS-EXCH01.sberdevices.ru [172.16.1.4]) by mx.sberdevices.ru (Postfix) with ESMTP; Wed, 10 May 2023 14:13:46 +0300 (MSK) From: Arseniy Krasnov To: Liang Yang , Miquel Raynal , Richard Weinberger , Vignesh Raghavendra , Neil Armstrong , Kevin Hilman , Jerome Brunet , Martin Blumenstingl , Jianxin Pan , Yixun Lan CC: , , Arseniy Krasnov , , , , Subject: [PATCH v3 4/6] mtd: rawnand: meson: check buffer length Date: Wed, 10 May 2023 14:08:32 +0300 Message-ID: <20230510110835.26115-5-AVKrasnov@sberdevices.ru> X-Mailer: git-send-email 2.35.0 In-Reply-To: <20230510110835.26115-1-AVKrasnov@sberdevices.ru> References: <20230510110835.26115-1-AVKrasnov@sberdevices.ru> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Originating-IP: [172.16.1.6] X-ClientProxiedBy: S-MS-EXCH01.sberdevices.ru (172.16.1.4) To S-MS-EXCH01.sberdevices.ru (172.16.1.4) X-KSMG-Rule-ID: 4 X-KSMG-Message-Action: clean X-KSMG-AntiSpam-Status: not scanned, disabled by settings X-KSMG-AntiSpam-Interceptor-Info: not scanned X-KSMG-AntiPhishing: not scanned, disabled by settings X-KSMG-AntiVirus: Kaspersky Secure Mail Gateway, version 1.1.2.30, bases: 2023/05/10 09:03:00 #21252424 X-KSMG-AntiVirus-Status: Clean, skipped Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" This NAND controller has limited buffer length, so check it before command execution to avoid length trim. Also check MTD write size on chip attach. Signed-off-by: Arseniy Krasnov --- drivers/mtd/nand/raw/meson_nand.c | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/drivers/mtd/nand/raw/meson_nand.c b/drivers/mtd/nand/raw/meson= _nand.c index 331377a2c5dc..ed7ec1bfd07e 100644 --- a/drivers/mtd/nand/raw/meson_nand.c +++ b/drivers/mtd/nand/raw/meson_nand.c @@ -111,6 +111,8 @@ #define NFC_USER_BYTES 2 #define NFC_OOB_PER_ECC(nand) ((nand)->ecc.bytes + NFC_USER_BYTES) =20 +#define NFC_CMD_RAW_LEN GENMASK(13, 0) + struct meson_nfc_nand_chip { struct list_head node; struct nand_chip nand; @@ -284,7 +286,7 @@ static void meson_nfc_cmd_access(struct nand_chip *nand= , int raw, bool dir, =20 if (raw) { len =3D mtd->writesize + mtd->oobsize; - cmd =3D (len & GENMASK(13, 0)) | scrambler | DMA_DIR(dir); + cmd =3D len | scrambler | DMA_DIR(dir); writel(cmd, nfc->reg_base + NFC_REG_CMD); return; } @@ -562,6 +564,9 @@ static int meson_nfc_read_buf(struct nand_chip *nand, u= 8 *buf, int len) u32 cmd; u8 *info; =20 + if (len > NFC_CMD_RAW_LEN) + return -EINVAL; + info =3D kzalloc(PER_INFO_BYTE, GFP_KERNEL); if (!info) return -ENOMEM; @@ -571,7 +576,7 @@ static int meson_nfc_read_buf(struct nand_chip *nand, u= 8 *buf, int len) if (ret) goto out; =20 - cmd =3D NFC_CMD_N2M | (len & GENMASK(13, 0)); + cmd =3D NFC_CMD_N2M | len; writel(cmd, nfc->reg_base + NFC_REG_CMD); =20 meson_nfc_drain_cmd(nfc); @@ -590,12 +595,15 @@ static int meson_nfc_write_buf(struct nand_chip *nand= , u8 *buf, int len) int ret =3D 0; u32 cmd; =20 + if (len > NFC_CMD_RAW_LEN) + return -EINVAL; + ret =3D meson_nfc_dma_buffer_setup(nand, buf, len, NULL, 0, DMA_TO_DEVICE); if (ret) return ret; =20 - cmd =3D NFC_CMD_M2N | (len & GENMASK(13, 0)); + cmd =3D NFC_CMD_M2N | len; writel(cmd, nfc->reg_base + NFC_REG_CMD); =20 meson_nfc_drain_cmd(nfc); @@ -1328,6 +1336,7 @@ static int meson_nand_attach_chip(struct nand_chip *n= and) struct meson_nfc_nand_chip *meson_chip =3D to_meson_nand(nand); struct mtd_info *mtd =3D nand_to_mtd(nand); int nsectors =3D mtd->writesize / 1024; + int raw_writesize; int ret; =20 if (!mtd->name) { @@ -1339,6 +1348,13 @@ static int meson_nand_attach_chip(struct nand_chip *= nand) return -ENOMEM; } =20 + raw_writesize =3D mtd->writesize + mtd->oobsize; + if (raw_writesize > NFC_CMD_RAW_LEN) { + dev_err(nfc->dev, "too big write size in raw mode: %d > %ld\n", + raw_writesize, NFC_CMD_RAW_LEN); + return -EINVAL; + } + if (nand->bbt_options & NAND_BBT_USE_FLASH) nand->bbt_options |=3D NAND_BBT_NO_OOB; =20 --=20 2.35.0