drivers/mtd/nand/spi/core.c | 88 ++++++++++++++++++++++++++++--------- 1 file changed, 68 insertions(+), 20 deletions(-)
Continuous reading mode is broken for some spi controllers. There are two
possible bug scenarios:
1) "continuous mode" flash and spi controller without dirmap support,
but with restriction on transfer length in adjust_op_size()
2) "continuous mode" flash and spi controller with dirmap support for a
single flash page
In the first case, any read that exceeds the limit specified in adjust_op_size()
will result in an EIO error. The limit may even be less than a size of a single
flash page. In this case, any read will result in an error.
In the second case, any read larger than flash page size will result in an EIO
error or spinand driver spoofing (because the spi controller driver returns
more bytes than were actually read).
This patch series tries to fix continuous reading (spinand driver side).
Unfortunately these fixes can't resolve "spinand driver spoofing" case.
Spi controller drivers might need fixes as well.
Changes v2:
* added helper to create reading dirmap descriptor
* fix spelling
* error code is not used for regular reading fallback anymore
* it's possible (but very unlucky) that someone will do raw reading
of the flash in continuous mode (i.e. without OOB), so fix dirmap
creation for that case as well.
Changes v3:
* improve description
* move airoha spi controller driver fix to a separate airoha spi fix series
Changes v4:
* the period '.' at the end of the commit title was removed
Mikhail Kshevetskiy (3):
mtd: spinand: fix direct mapping creation sizes
mtd: spinand: try a regular dirmap if creating a dirmap for continuous
reading fails
mtd: spinand: repeat reading in regular mode if continuous reading
fails
drivers/mtd/nand/spi/core.c | 88 ++++++++++++++++++++++++++++---------
1 file changed, 68 insertions(+), 20 deletions(-)
--
2.50.1
Continuous reading mode is broken for some spi controllers. There are two
possible bug scenarios:
1) "continuous mode" flash and spi controller without dirmap support,
but with restriction on transfer length in adjust_op_size()
2) "continuous mode" flash and spi controller with dirmap support for a
single flash page
In the first case, any read that exceeds the limit specified in adjust_op_size()
will result in an EIO error. The limit may even be less than a size of a single
flash page. In this case, any read will result in an error.
In the second case, any read larger than flash page size will result in an EIO
error or spinand driver spoofing (because the spi controller driver returns
more bytes than were actually read).
This patch series tries to fix continuous reading (spinand driver side).
Unfortunately these fixes can't resolve "spinand driver spoofing" case.
Spi controller drivers might need fixes as well.
Changes v2:
* added helper to create reading dirmap descriptor
* fix spelling
* error code is not used for regular reading fallback anymore
* it's possible (but very unlucky) that someone will do raw reading
of the flash in continuous mode (i.e. without OOB), so fix dirmap
creation for that case as well.
Changes v3:
* improve description
* move airoha spi controller driver fix to a separate airoha spi fix series
Changes v4:
* the period '.' at the end of the commit title was removed
Changes v5:
* rename spinand_create_rdesc_helper() to spinand_create_rdesc()
* get rid of controller_is_buggy boolean
Mikhail Kshevetskiy (3):
mtd: spinand: fix direct mapping creation sizes
mtd: spinand: try a regular dirmap if creating a dirmap for continuous
reading fails
mtd: spinand: repeat reading in regular mode if continuous reading
fails
drivers/mtd/nand/spi/core.c | 74 +++++++++++++++++++++++++++++--------
1 file changed, 59 insertions(+), 15 deletions(-)
--
2.50.1
Miquel, is there any comments? Best regards, Mikhail Kshevetskiy On 24.08.2025 21:18, Mikhail Kshevetskiy wrote: > Continuous reading mode is broken for some spi controllers. There are two > possible bug scenarios: > > 1) "continuous mode" flash and spi controller without dirmap support, > but with restriction on transfer length in adjust_op_size() > > 2) "continuous mode" flash and spi controller with dirmap support for a > single flash page > > In the first case, any read that exceeds the limit specified in adjust_op_size() > will result in an EIO error. The limit may even be less than a size of a single > flash page. In this case, any read will result in an error. > > In the second case, any read larger than flash page size will result in an EIO > error or spinand driver spoofing (because the spi controller driver returns > more bytes than were actually read). > > This patch series tries to fix continuous reading (spinand driver side). > Unfortunately these fixes can't resolve "spinand driver spoofing" case. > Spi controller drivers might need fixes as well. > > Changes v2: > * added helper to create reading dirmap descriptor > * fix spelling > * error code is not used for regular reading fallback anymore > * it's possible (but very unlucky) that someone will do raw reading > of the flash in continuous mode (i.e. without OOB), so fix dirmap > creation for that case as well. > > Changes v3: > * improve description > * move airoha spi controller driver fix to a separate airoha spi fix series > > Changes v4: > * the period '.' at the end of the commit title was removed > > Changes v5: > * rename spinand_create_rdesc_helper() to spinand_create_rdesc() > * get rid of controller_is_buggy boolean > > Mikhail Kshevetskiy (3): > mtd: spinand: fix direct mapping creation sizes > mtd: spinand: try a regular dirmap if creating a dirmap for continuous > reading fails > mtd: spinand: repeat reading in regular mode if continuous reading > fails > > drivers/mtd/nand/spi/core.c | 74 +++++++++++++++++++++++++++++-------- > 1 file changed, 59 insertions(+), 15 deletions(-) >
Continuous mode is only supported for data reads, thus writing
requires only single flash page mapping.
Signed-off-by: Mikhail Kshevetskiy <mikhail.kshevetskiy@iopsys.eu>
---
drivers/mtd/nand/spi/core.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/mtd/nand/spi/core.c b/drivers/mtd/nand/spi/core.c
index b0898990b2a5..09dd6e40e308 100644
--- a/drivers/mtd/nand/spi/core.c
+++ b/drivers/mtd/nand/spi/core.c
@@ -1097,18 +1097,13 @@ static int spinand_create_dirmap(struct spinand_device *spinand,
unsigned int plane)
{
struct nand_device *nand = spinand_to_nand(spinand);
- struct spi_mem_dirmap_info info = {
- .length = nanddev_page_size(nand) +
- nanddev_per_page_oobsize(nand),
- };
+ struct spi_mem_dirmap_info info = { 0 };
struct spi_mem_dirmap_desc *desc;
- if (spinand->cont_read_possible)
- info.length = nanddev_eraseblock_size(nand);
-
/* The plane number is passed in MSB just above the column address */
info.offset = plane << fls(nand->memorg.pagesize);
+ info.length = nanddev_page_size(nand) + nanddev_per_page_oobsize(nand);
info.op_tmpl = *spinand->op_templates.update_cache;
desc = devm_spi_mem_dirmap_create(&spinand->spimem->spi->dev,
spinand->spimem, &info);
@@ -1117,6 +1112,8 @@ static int spinand_create_dirmap(struct spinand_device *spinand,
spinand->dirmaps[plane].wdesc = desc;
+ if (spinand->cont_read_possible)
+ info.length = nanddev_eraseblock_size(nand);
info.op_tmpl = *spinand->op_templates.read_cache;
desc = devm_spi_mem_dirmap_create(&spinand->spimem->spi->dev,
spinand->spimem, &info);
@@ -1132,6 +1129,7 @@ static int spinand_create_dirmap(struct spinand_device *spinand,
return 0;
}
+ info.length = nanddev_page_size(nand) + nanddev_per_page_oobsize(nand);
info.op_tmpl = *spinand->op_templates.update_cache;
info.op_tmpl.data.ecc = true;
desc = devm_spi_mem_dirmap_create(&spinand->spimem->spi->dev,
@@ -1141,6 +1139,8 @@ static int spinand_create_dirmap(struct spinand_device *spinand,
spinand->dirmaps[plane].wdesc_ecc = desc;
+ if (spinand->cont_read_possible)
+ info.length = nanddev_eraseblock_size(nand);
info.op_tmpl = *spinand->op_templates.read_cache;
info.op_tmpl.data.ecc = true;
desc = devm_spi_mem_dirmap_create(&spinand->spimem->spi->dev,
--
2.50.1Continuous reading may result in multiple flash pages reading in one
operation. Typically only one flash page has read/written (a little bit
more than 2-4 Kb), but continuous reading requires the spi controller
to read up to 512 Kb in one operation without toggling CS in beetween.
Roughly speaking spi controllers can be divided on 2 categories:
* spi controllers without dirmap acceleration support
* spi controllers with dirmap acceleration support
Firt of them will have issues with continuous reading if restriction on
the transfer length is implemented in the adjust_op_size() handler.
Second group often supports acceleration of single page only reading.
Thus enabling of continuous reading can break flash reading.
This patch tries to create dirmap for continuous reading first and
fallback to regular reading if spi controller refuses to create it.
Signed-off-by: Mikhail Kshevetskiy <mikhail.kshevetskiy@iopsys.eu>
---
drivers/mtd/nand/spi/core.c | 43 ++++++++++++++++++++++++++++++-------
1 file changed, 35 insertions(+), 8 deletions(-)
diff --git a/drivers/mtd/nand/spi/core.c b/drivers/mtd/nand/spi/core.c
index 09dd6e40e308..02e322490110 100644
--- a/drivers/mtd/nand/spi/core.c
+++ b/drivers/mtd/nand/spi/core.c
@@ -1093,6 +1093,39 @@ static int spinand_mtd_block_isreserved(struct mtd_info *mtd, loff_t offs)
return ret;
}
+static struct spi_mem_dirmap_desc *spinand_create_rdesc(
+ struct spinand_device *spinand,
+ struct spi_mem_dirmap_info *info)
+{
+ struct nand_device *nand = spinand_to_nand(spinand);
+ struct spi_mem_dirmap_desc *desc = NULL;
+
+ if (spinand->cont_read_possible) {
+ /*
+ * spi controller may return an error if info->length is
+ * too large
+ */
+ info->length = nanddev_eraseblock_size(nand);
+ desc = devm_spi_mem_dirmap_create(&spinand->spimem->spi->dev,
+ spinand->spimem, info);
+ }
+
+ if (IS_ERR_OR_NULL(desc)) {
+ /*
+ * continuous reading is not supported by flash or
+ * its spi controller, use regular reading
+ */
+ spinand->cont_read_possible = false;
+
+ info->length = nanddev_page_size(nand) +
+ nanddev_per_page_oobsize(nand);
+ desc = devm_spi_mem_dirmap_create(&spinand->spimem->spi->dev,
+ spinand->spimem, info);
+ }
+
+ return desc;
+}
+
static int spinand_create_dirmap(struct spinand_device *spinand,
unsigned int plane)
{
@@ -1112,11 +1145,8 @@ static int spinand_create_dirmap(struct spinand_device *spinand,
spinand->dirmaps[plane].wdesc = desc;
- if (spinand->cont_read_possible)
- info.length = nanddev_eraseblock_size(nand);
info.op_tmpl = *spinand->op_templates.read_cache;
- desc = devm_spi_mem_dirmap_create(&spinand->spimem->spi->dev,
- spinand->spimem, &info);
+ desc = spinand_create_rdesc(spinand, &info);
if (IS_ERR(desc))
return PTR_ERR(desc);
@@ -1139,12 +1169,9 @@ static int spinand_create_dirmap(struct spinand_device *spinand,
spinand->dirmaps[plane].wdesc_ecc = desc;
- if (spinand->cont_read_possible)
- info.length = nanddev_eraseblock_size(nand);
info.op_tmpl = *spinand->op_templates.read_cache;
info.op_tmpl.data.ecc = true;
- desc = devm_spi_mem_dirmap_create(&spinand->spimem->spi->dev,
- spinand->spimem, &info);
+ desc = spinand_create_rdesc(spinand, &info);
if (IS_ERR(desc))
return PTR_ERR(desc);
--
2.50.1Continuous reading may result in multiple flash pages reading in one
operation. Unfortunately, not all spinand controllers support such
large reading. They will read less data. Unfortunately, the operation
can't be continued.
In this case:
* disable continuous reading on this (not good enough) spi controller
* repeat reading in regular mode.
Signed-off-by: Mikhail Kshevetskiy <mikhail.kshevetskiy@iopsys.eu>
---
drivers/mtd/nand/spi/core.c | 25 +++++++++++++++++++++----
1 file changed, 21 insertions(+), 4 deletions(-)
diff --git a/drivers/mtd/nand/spi/core.c b/drivers/mtd/nand/spi/core.c
index 02e322490110..8bbcc80aede0 100644
--- a/drivers/mtd/nand/spi/core.c
+++ b/drivers/mtd/nand/spi/core.c
@@ -430,8 +430,16 @@ static int spinand_read_from_cache_op(struct spinand_device *spinand,
* Dirmap accesses are allowed to toggle the CS.
* Toggling the CS during a continuous read is forbidden.
*/
- if (nbytes && req->continuous)
- return -EIO;
+ if (nbytes && req->continuous) {
+ /*
+ * Spi controller with broken support of continuous
+ * reading was detected. Disable future use of
+ * continuous reading and return -EAGAIN to retry
+ * reading within regular mode.
+ */
+ spinand->cont_read_possible = false;
+ return -EAGAIN;
+ }
}
if (req->datalen)
@@ -899,10 +907,19 @@ static int spinand_mtd_read(struct mtd_info *mtd, loff_t from,
old_stats = mtd->ecc_stats;
- if (spinand_use_cont_read(mtd, from, ops))
+ if (spinand_use_cont_read(mtd, from, ops)) {
ret = spinand_mtd_continuous_page_read(mtd, from, ops, &max_bitflips);
- else
+ if (ret == -EAGAIN && !spinand->cont_read_possible) {
+ /*
+ * Spi controller with broken support of continuous
+ * reading was detected (see spinand_read_from_cache_op()),
+ * repeat reading in regular mode.
+ */
+ ret = spinand_mtd_regular_page_read(mtd, from, ops, &max_bitflips);
+ }
+ } else {
ret = spinand_mtd_regular_page_read(mtd, from, ops, &max_bitflips);
+ }
if (ops->stats) {
ops->stats->uncorrectable_errors +=
--
2.50.1© 2016 - 2025 Red Hat, Inc.