From nobody Sun Feb 8 21:06:46 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9983BC7EE24 for ; Mon, 5 Jun 2023 19:16:12 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235290AbjFETQL (ORCPT ); Mon, 5 Jun 2023 15:16:11 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40204 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229580AbjFETQJ (ORCPT ); Mon, 5 Jun 2023 15:16:09 -0400 Received: from mx.sberdevices.ru (mx.sberdevices.ru [45.89.227.171]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DE1CAA7 for ; Mon, 5 Jun 2023 12:16:05 -0700 (PDT) Received: from s-lin-edge02.sberdevices.ru (localhost [127.0.0.1]) by mx.sberdevices.ru (Postfix) with ESMTP id D666F5FD20; Mon, 5 Jun 2023 22:16:02 +0300 (MSK) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sberdevices.ru; s=mail; t=1685992562; bh=G6c6j8iAcdDSpK0GLScKOrdhbGc4x8WhHl8LdEBggUo=; h=From:To:Subject:Date:Message-ID:MIME-Version:Content-Type; b=ph1/Z7289OW3MlYDjIPY3ymnd754+Fc+LM4w90GVoZvQt50+TOLtGQQCJhmum0Jtr Yw2tCnJGI1BTqEK+c2w8WNipSIchj4D+GB4st9OfZ3jQzseRWAcpxJoV8Zl2rpGBlF gnahOoM81pABGHi4HKKNYIhNBovbrN+LeTKq0s6dmi+lVLf5NHsCwXjBABDrxvs5IO KsVgogDJPRNz7UmGP+Q7+f+PccfLxpOF0zVd4ZWO3wTPyFzfI5KreTXAg35NqSb8br 1JwQ7QJGe3KDsjvIwRe8bYsEeAJbTFqxdLK3r1NxmRrSganbZ/fRRvED6Wa6VpZF3r EJkoJi5xyvUGg== Received: from S-MS-EXCH01.sberdevices.ru (S-MS-EXCH01.sberdevices.ru [172.16.1.4]) by mx.sberdevices.ru (Postfix) with ESMTP; Mon, 5 Jun 2023 22:16:00 +0300 (MSK) From: Arseniy Krasnov To: Liang Yang , Miquel Raynal , Richard Weinberger , Vignesh Raghavendra , Neil Armstrong , Kevin Hilman , Jerome Brunet , Martin Blumenstingl CC: , , Arseniy Krasnov , , , , Subject: [PATCH v1] mtd: rawnand: meson: check buffer length Date: Mon, 5 Jun 2023 22:10:46 +0300 Message-ID: <20230605191047.1820016-1-AVKrasnov@sberdevices.ru> X-Mailer: git-send-email 2.35.0 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Originating-IP: [172.16.1.6] X-ClientProxiedBy: S-MS-EXCH01.sberdevices.ru (172.16.1.4) To S-MS-EXCH01.sberdevices.ru (172.16.1.4) X-KSMG-Rule-ID: 4 X-KSMG-Message-Action: clean X-KSMG-AntiSpam-Status: not scanned, disabled by settings X-KSMG-AntiSpam-Interceptor-Info: not scanned X-KSMG-AntiPhishing: not scanned, disabled by settings X-KSMG-AntiVirus: Kaspersky Secure Mail Gateway, version 1.1.2.30, bases: 2023/06/05 13:50:00 #21435193 X-KSMG-AntiVirus-Status: Clean, skipped Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" Meson NAND controller has limited buffer length, so check it before command execution to avoid length trim. Also check MTD write size on chip attach. Signed-off-by: Arseniy Krasnov --- drivers/mtd/nand/raw/meson_nand.c | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/drivers/mtd/nand/raw/meson_nand.c b/drivers/mtd/nand/raw/meson= _nand.c index 074e14225c06..bfb5363cac23 100644 --- a/drivers/mtd/nand/raw/meson_nand.c +++ b/drivers/mtd/nand/raw/meson_nand.c @@ -108,6 +108,8 @@ =20 #define PER_INFO_BYTE 8 =20 +#define NFC_CMD_RAW_LEN GENMASK(13, 0) + struct meson_nfc_nand_chip { struct list_head node; struct nand_chip nand; @@ -280,7 +282,7 @@ static void meson_nfc_cmd_access(struct nand_chip *nand= , int raw, bool dir, =20 if (raw) { len =3D mtd->writesize + mtd->oobsize; - cmd =3D (len & GENMASK(13, 0)) | scrambler | DMA_DIR(dir); + cmd =3D len | scrambler | DMA_DIR(dir); writel(cmd, nfc->reg_base + NFC_REG_CMD); return; } @@ -544,7 +546,7 @@ static int meson_nfc_read_buf(struct nand_chip *nand, u= 8 *buf, int len) if (ret) goto out; =20 - cmd =3D NFC_CMD_N2M | (len & GENMASK(13, 0)); + cmd =3D NFC_CMD_N2M | len; writel(cmd, nfc->reg_base + NFC_REG_CMD); =20 meson_nfc_drain_cmd(nfc); @@ -568,7 +570,7 @@ static int meson_nfc_write_buf(struct nand_chip *nand, = u8 *buf, int len) if (ret) return ret; =20 - cmd =3D NFC_CMD_M2N | (len & GENMASK(13, 0)); + cmd =3D NFC_CMD_M2N | len; writel(cmd, nfc->reg_base + NFC_REG_CMD); =20 meson_nfc_drain_cmd(nfc); @@ -936,6 +938,9 @@ static int meson_nfc_exec_op(struct nand_chip *nand, break; =20 case NAND_OP_DATA_IN_INSTR: + if (instr->ctx.data.len > NFC_CMD_RAW_LEN) + return -EINVAL; + buf =3D meson_nand_op_get_dma_safe_input_buf(instr); if (!buf) return -ENOMEM; @@ -944,6 +949,9 @@ static int meson_nfc_exec_op(struct nand_chip *nand, break; =20 case NAND_OP_DATA_OUT_INSTR: + if (instr->ctx.data.len > NFC_CMD_RAW_LEN) + return -EINVAL; + buf =3D meson_nand_op_get_dma_safe_output_buf(instr); if (!buf) return -ENOMEM; @@ -1181,6 +1189,7 @@ static int meson_nand_attach_chip(struct nand_chip *n= and) struct meson_nfc_nand_chip *meson_chip =3D to_meson_nand(nand); struct mtd_info *mtd =3D nand_to_mtd(nand); int nsectors =3D mtd->writesize / 1024; + int raw_writesize; int ret; =20 if (!mtd->name) { @@ -1192,6 +1201,13 @@ static int meson_nand_attach_chip(struct nand_chip *= nand) return -ENOMEM; } =20 + raw_writesize =3D mtd->writesize + mtd->oobsize; + if (raw_writesize > NFC_CMD_RAW_LEN) { + dev_err(nfc->dev, "too big write size in raw mode: %d > %ld\n", + raw_writesize, NFC_CMD_RAW_LEN); + return -EINVAL; + } + if (nand->bbt_options & NAND_BBT_USE_FLASH) nand->bbt_options |=3D NAND_BBT_NO_OOB; =20 --=20 2.35.0