Re: [PATCH v2] mtd: nand: omap2: Fix subpage write
From: Boris Brezillon
Date: Fri Oct 20 2017 - 07:25:11 EST
On Fri, 20 Oct 2017 12:59:31 +0300
Roger Quadros <rogerq@xxxxxx> wrote:
> Since v4.12, NAND subpage writes were causing a NULL pointer
> dereference on OMAP platforms (omap2-nand) using OMAP_ECC_BCH4_CODE_HW,
> OMAP_ECC_BCH8_CODE_HW and OMAP_ECC_BCH16_CODE_HW.
>
> This is because for those ECC modes, omap_calculate_ecc_bch()
> generates ECC bytes for the entire (multi-sector) page and this can
> overflow the ECC buffer provided by nand_write_subpage_hwecc()
> as it expects ecc.calculate() to return ECC bytes for just one sector.
>
> However, the root cause of the problem is present much before
> v4.12 but was not seen then as NAND buffers were being allocated
> as one big chunck prior to
> commit 3deb9979c731 ("mtd: nand: allocate aligned buffers if NAND_OWN_BUFFERS is unset")
>
> Fix the issue by providing a OMAP optimized write_subpage() implementation.
>
Fixes: xxxx ("yyyy")
xxx being the commit that introduced the omap_calculate_ecc_bch() and
assign chip->ecc.calculate to it.
> cc: <stable@xxxxxxxxxxxxxxx> # v4.12+
Shouldn't we try to backport the patch to pre-4.12 versions? I mean,
the buffer overflow exist there as well, and we don't know what it
corrupts exactly, but it's potentially harmful.
> Signed-off-by: Roger Quadros <rogerq@xxxxxx>
> ---
> Changelog:
> v2
> - set ecc.calculate() to NULL for BCH4/8/16 with HW correction as in this
> mode we don't support/need single sector ECC calculations to be used by NAND core.
> - call omap_calculate_ecc_bch_multi() directly from omap_read/write_page_bch().
>
> drivers/mtd/nand/omap2.c | 338 +++++++++++++++++++++++++++++++----------------
> 1 file changed, 225 insertions(+), 113 deletions(-)
>
> diff --git a/drivers/mtd/nand/omap2.c b/drivers/mtd/nand/omap2.c
> index 54540c8..a0bd456 100644
> --- a/drivers/mtd/nand/omap2.c
> +++ b/drivers/mtd/nand/omap2.c
> @@ -1133,129 +1133,172 @@ static u8 bch8_polynomial[] = {0xef, 0x51, 0x2e, 0x09, 0xed, 0x93, 0x9a, 0xc2,
> 0x97, 0x79, 0xe5, 0x24, 0xb5};
>
> /**
> - * omap_calculate_ecc_bch - Generate bytes of ECC bytes
> + * _omap_calculate_ecc_bch - Generate ECC bytes for one sector
> * @mtd: MTD device structure
> * @dat: The pointer to data on which ecc is computed
> * @ecc_code: The ecc_code buffer
> + * @i: The sector number (for a multi sector page)
> *
> - * Support calculating of BCH4/8 ecc vectors for the page
> + * Support calculating of BCH4/8/16 ECC vectors for one sector
> + * within a page. Sector number is in @i.
> */
> -static int __maybe_unused omap_calculate_ecc_bch(struct mtd_info *mtd,
> - const u_char *dat, u_char *ecc_calc)
> +static int _omap_calculate_ecc_bch(struct mtd_info *mtd,
> + const u_char *dat, u_char *ecc_calc, int i)
> {
> struct omap_nand_info *info = mtd_to_omap(mtd);
> int eccbytes = info->nand.ecc.bytes;
> struct gpmc_nand_regs *gpmc_regs = &info->reg;
> u8 *ecc_code;
> - unsigned long nsectors, bch_val1, bch_val2, bch_val3, bch_val4;
> + unsigned long bch_val1, bch_val2, bch_val3, bch_val4;
> u32 val;
> - int i, j;
> + int j;
> +
> + ecc_code = ecc_calc;
> + switch (info->ecc_opt) {
> + case OMAP_ECC_BCH8_CODE_HW_DETECTION_SW:
> + case OMAP_ECC_BCH8_CODE_HW:
> + bch_val1 = readl(gpmc_regs->gpmc_bch_result0[i]);
> + bch_val2 = readl(gpmc_regs->gpmc_bch_result1[i]);
> + bch_val3 = readl(gpmc_regs->gpmc_bch_result2[i]);
> + bch_val4 = readl(gpmc_regs->gpmc_bch_result3[i]);
> + *ecc_code++ = (bch_val4 & 0xFF);
> + *ecc_code++ = ((bch_val3 >> 24) & 0xFF);
> + *ecc_code++ = ((bch_val3 >> 16) & 0xFF);
> + *ecc_code++ = ((bch_val3 >> 8) & 0xFF);
> + *ecc_code++ = (bch_val3 & 0xFF);
> + *ecc_code++ = ((bch_val2 >> 24) & 0xFF);
> + *ecc_code++ = ((bch_val2 >> 16) & 0xFF);
> + *ecc_code++ = ((bch_val2 >> 8) & 0xFF);
> + *ecc_code++ = (bch_val2 & 0xFF);
> + *ecc_code++ = ((bch_val1 >> 24) & 0xFF);
> + *ecc_code++ = ((bch_val1 >> 16) & 0xFF);
> + *ecc_code++ = ((bch_val1 >> 8) & 0xFF);
> + *ecc_code++ = (bch_val1 & 0xFF);
> + break;
> + case OMAP_ECC_BCH4_CODE_HW_DETECTION_SW:
> + case OMAP_ECC_BCH4_CODE_HW:
> + bch_val1 = readl(gpmc_regs->gpmc_bch_result0[i]);
> + bch_val2 = readl(gpmc_regs->gpmc_bch_result1[i]);
> + *ecc_code++ = ((bch_val2 >> 12) & 0xFF);
> + *ecc_code++ = ((bch_val2 >> 4) & 0xFF);
> + *ecc_code++ = ((bch_val2 & 0xF) << 4) |
> + ((bch_val1 >> 28) & 0xF);
> + *ecc_code++ = ((bch_val1 >> 20) & 0xFF);
> + *ecc_code++ = ((bch_val1 >> 12) & 0xFF);
> + *ecc_code++ = ((bch_val1 >> 4) & 0xFF);
> + *ecc_code++ = ((bch_val1 & 0xF) << 4);
> + break;
> + case OMAP_ECC_BCH16_CODE_HW:
> + val = readl(gpmc_regs->gpmc_bch_result6[i]);
> + ecc_code[0] = ((val >> 8) & 0xFF);
> + ecc_code[1] = ((val >> 0) & 0xFF);
> + val = readl(gpmc_regs->gpmc_bch_result5[i]);
> + ecc_code[2] = ((val >> 24) & 0xFF);
> + ecc_code[3] = ((val >> 16) & 0xFF);
> + ecc_code[4] = ((val >> 8) & 0xFF);
> + ecc_code[5] = ((val >> 0) & 0xFF);
> + val = readl(gpmc_regs->gpmc_bch_result4[i]);
> + ecc_code[6] = ((val >> 24) & 0xFF);
> + ecc_code[7] = ((val >> 16) & 0xFF);
> + ecc_code[8] = ((val >> 8) & 0xFF);
> + ecc_code[9] = ((val >> 0) & 0xFF);
> + val = readl(gpmc_regs->gpmc_bch_result3[i]);
> + ecc_code[10] = ((val >> 24) & 0xFF);
> + ecc_code[11] = ((val >> 16) & 0xFF);
> + ecc_code[12] = ((val >> 8) & 0xFF);
> + ecc_code[13] = ((val >> 0) & 0xFF);
> + val = readl(gpmc_regs->gpmc_bch_result2[i]);
> + ecc_code[14] = ((val >> 24) & 0xFF);
> + ecc_code[15] = ((val >> 16) & 0xFF);
> + ecc_code[16] = ((val >> 8) & 0xFF);
> + ecc_code[17] = ((val >> 0) & 0xFF);
> + val = readl(gpmc_regs->gpmc_bch_result1[i]);
> + ecc_code[18] = ((val >> 24) & 0xFF);
> + ecc_code[19] = ((val >> 16) & 0xFF);
> + ecc_code[20] = ((val >> 8) & 0xFF);
> + ecc_code[21] = ((val >> 0) & 0xFF);
> + val = readl(gpmc_regs->gpmc_bch_result0[i]);
> + ecc_code[22] = ((val >> 24) & 0xFF);
> + ecc_code[23] = ((val >> 16) & 0xFF);
> + ecc_code[24] = ((val >> 8) & 0xFF);
> + ecc_code[25] = ((val >> 0) & 0xFF);
> + break;
> + default:
> + return -EINVAL;
> + }
> +
> + /* ECC scheme specific syndrome customizations */
> + switch (info->ecc_opt) {
> + case OMAP_ECC_BCH4_CODE_HW_DETECTION_SW:
> + /* Add constant polynomial to remainder, so that
> + * ECC of blank pages results in 0x0 on reading back
> + */
> + for (j = 0; j < eccbytes; j++)
> + ecc_calc[j] ^= bch4_polynomial[j];
> + break;
> + case OMAP_ECC_BCH4_CODE_HW:
> + /* Set 8th ECC byte as 0x0 for ROM compatibility */
> + ecc_calc[eccbytes - 1] = 0x0;
> + break;
> + case OMAP_ECC_BCH8_CODE_HW_DETECTION_SW:
> + /* Add constant polynomial to remainder, so that
> + * ECC of blank pages results in 0x0 on reading back
> + */
> + for (j = 0; j < eccbytes; j++)
> + ecc_calc[j] ^= bch8_polynomial[j];
> + break;
> + case OMAP_ECC_BCH8_CODE_HW:
> + /* Set 14th ECC byte as 0x0 for ROM compatibility */
> + ecc_calc[eccbytes - 1] = 0x0;
> + break;
> + case OMAP_ECC_BCH16_CODE_HW:
> + break;
> + default:
> + return -EINVAL;
> + }
> +
> + return 0;
> +}
> +
> +/**
> + * omap_calculate_ecc_bch_sw - ECC generator for sector for SW based correction
> + * @mtd: MTD device structure
> + * @dat: The pointer to data on which ecc is computed
> + * @ecc_code: The ecc_code buffer
> + *
> + * Support calculating of BCH4/8/16 ECC vectors for one sector. This is used
> + * when SW based correction is required as ECC is required for one sector
> + * at a time.
> + */
> +static int omap_calculate_ecc_bch_sw(struct mtd_info *mtd,
> + const u_char *dat, u_char *ecc_calc)
> +{
> + return _omap_calculate_ecc_bch(mtd, dat, ecc_calc, 0);
> +}
> +
> +/**
> + * omap_calculate_ecc_bch_multi - Generate ECC for multiple sectors
> + * @mtd: MTD device structure
> + * @dat: The pointer to data on which ecc is computed
> + * @ecc_code: The ecc_code buffer
> + *
> + * Support calculating of BCH4/8/16 ecc vectors for the entire page in one go.
> + */
> +static int omap_calculate_ecc_bch_multi(struct mtd_info *mtd,
> + const u_char *dat, u_char *ecc_calc)
> +{
> + struct omap_nand_info *info = mtd_to_omap(mtd);
> + int eccbytes = info->nand.ecc.bytes;
> + unsigned long nsectors;
> + int i, ret;
>
> nsectors = ((readl(info->reg.gpmc_ecc_config) >> 4) & 0x7) + 1;
> for (i = 0; i < nsectors; i++) {
> - ecc_code = ecc_calc;
> - switch (info->ecc_opt) {
> - case OMAP_ECC_BCH8_CODE_HW_DETECTION_SW:
> - case OMAP_ECC_BCH8_CODE_HW:
> - bch_val1 = readl(gpmc_regs->gpmc_bch_result0[i]);
> - bch_val2 = readl(gpmc_regs->gpmc_bch_result1[i]);
> - bch_val3 = readl(gpmc_regs->gpmc_bch_result2[i]);
> - bch_val4 = readl(gpmc_regs->gpmc_bch_result3[i]);
> - *ecc_code++ = (bch_val4 & 0xFF);
> - *ecc_code++ = ((bch_val3 >> 24) & 0xFF);
> - *ecc_code++ = ((bch_val3 >> 16) & 0xFF);
> - *ecc_code++ = ((bch_val3 >> 8) & 0xFF);
> - *ecc_code++ = (bch_val3 & 0xFF);
> - *ecc_code++ = ((bch_val2 >> 24) & 0xFF);
> - *ecc_code++ = ((bch_val2 >> 16) & 0xFF);
> - *ecc_code++ = ((bch_val2 >> 8) & 0xFF);
> - *ecc_code++ = (bch_val2 & 0xFF);
> - *ecc_code++ = ((bch_val1 >> 24) & 0xFF);
> - *ecc_code++ = ((bch_val1 >> 16) & 0xFF);
> - *ecc_code++ = ((bch_val1 >> 8) & 0xFF);
> - *ecc_code++ = (bch_val1 & 0xFF);
> - break;
> - case OMAP_ECC_BCH4_CODE_HW_DETECTION_SW:
> - case OMAP_ECC_BCH4_CODE_HW:
> - bch_val1 = readl(gpmc_regs->gpmc_bch_result0[i]);
> - bch_val2 = readl(gpmc_regs->gpmc_bch_result1[i]);
> - *ecc_code++ = ((bch_val2 >> 12) & 0xFF);
> - *ecc_code++ = ((bch_val2 >> 4) & 0xFF);
> - *ecc_code++ = ((bch_val2 & 0xF) << 4) |
> - ((bch_val1 >> 28) & 0xF);
> - *ecc_code++ = ((bch_val1 >> 20) & 0xFF);
> - *ecc_code++ = ((bch_val1 >> 12) & 0xFF);
> - *ecc_code++ = ((bch_val1 >> 4) & 0xFF);
> - *ecc_code++ = ((bch_val1 & 0xF) << 4);
> - break;
> - case OMAP_ECC_BCH16_CODE_HW:
> - val = readl(gpmc_regs->gpmc_bch_result6[i]);
> - ecc_code[0] = ((val >> 8) & 0xFF);
> - ecc_code[1] = ((val >> 0) & 0xFF);
> - val = readl(gpmc_regs->gpmc_bch_result5[i]);
> - ecc_code[2] = ((val >> 24) & 0xFF);
> - ecc_code[3] = ((val >> 16) & 0xFF);
> - ecc_code[4] = ((val >> 8) & 0xFF);
> - ecc_code[5] = ((val >> 0) & 0xFF);
> - val = readl(gpmc_regs->gpmc_bch_result4[i]);
> - ecc_code[6] = ((val >> 24) & 0xFF);
> - ecc_code[7] = ((val >> 16) & 0xFF);
> - ecc_code[8] = ((val >> 8) & 0xFF);
> - ecc_code[9] = ((val >> 0) & 0xFF);
> - val = readl(gpmc_regs->gpmc_bch_result3[i]);
> - ecc_code[10] = ((val >> 24) & 0xFF);
> - ecc_code[11] = ((val >> 16) & 0xFF);
> - ecc_code[12] = ((val >> 8) & 0xFF);
> - ecc_code[13] = ((val >> 0) & 0xFF);
> - val = readl(gpmc_regs->gpmc_bch_result2[i]);
> - ecc_code[14] = ((val >> 24) & 0xFF);
> - ecc_code[15] = ((val >> 16) & 0xFF);
> - ecc_code[16] = ((val >> 8) & 0xFF);
> - ecc_code[17] = ((val >> 0) & 0xFF);
> - val = readl(gpmc_regs->gpmc_bch_result1[i]);
> - ecc_code[18] = ((val >> 24) & 0xFF);
> - ecc_code[19] = ((val >> 16) & 0xFF);
> - ecc_code[20] = ((val >> 8) & 0xFF);
> - ecc_code[21] = ((val >> 0) & 0xFF);
> - val = readl(gpmc_regs->gpmc_bch_result0[i]);
> - ecc_code[22] = ((val >> 24) & 0xFF);
> - ecc_code[23] = ((val >> 16) & 0xFF);
> - ecc_code[24] = ((val >> 8) & 0xFF);
> - ecc_code[25] = ((val >> 0) & 0xFF);
> - break;
> - default:
> - return -EINVAL;
> - }
> -
> - /* ECC scheme specific syndrome customizations */
> - switch (info->ecc_opt) {
> - case OMAP_ECC_BCH4_CODE_HW_DETECTION_SW:
> - /* Add constant polynomial to remainder, so that
> - * ECC of blank pages results in 0x0 on reading back */
> - for (j = 0; j < eccbytes; j++)
> - ecc_calc[j] ^= bch4_polynomial[j];
> - break;
> - case OMAP_ECC_BCH4_CODE_HW:
> - /* Set 8th ECC byte as 0x0 for ROM compatibility */
> - ecc_calc[eccbytes - 1] = 0x0;
> - break;
> - case OMAP_ECC_BCH8_CODE_HW_DETECTION_SW:
> - /* Add constant polynomial to remainder, so that
> - * ECC of blank pages results in 0x0 on reading back */
> - for (j = 0; j < eccbytes; j++)
> - ecc_calc[j] ^= bch8_polynomial[j];
> - break;
> - case OMAP_ECC_BCH8_CODE_HW:
> - /* Set 14th ECC byte as 0x0 for ROM compatibility */
> - ecc_calc[eccbytes - 1] = 0x0;
> - break;
> - case OMAP_ECC_BCH16_CODE_HW:
> - break;
> - default:
> - return -EINVAL;
> - }
> + ret = _omap_calculate_ecc_bch(mtd, dat, ecc_calc, i);
> + if (ret)
> + return ret;
>
> - ecc_calc += eccbytes;
> + ecc_calc += eccbytes;
> }
>
> return 0;
> @@ -1509,6 +1552,72 @@ static int omap_write_page_bch(struct mtd_info *mtd, struct nand_chip *chip,
> }
>
> /**
> + * omap_write_subpage_bch - BCH hardware ECC based subpage write
> + * @mtd: mtd info structure
> + * @chip: nand chip info structure
> + * @offset: column address of subpage within the page
> + * @data_len: data length
> + * @buf: data buffer
> + * @oob_required: must write chip->oob_poi to OOB
> + * @page: page number to write
> + *
> + * OMAP optimized subpage write method.
> + */
> +static int omap_write_subpage_bch(struct mtd_info *mtd,
> + struct nand_chip *chip, u32 offset,
> + u32 data_len, const u8 *buf,
> + int oob_required, int page)
> +{
> + u8 *ecc_calc = chip->buffers->ecccalc;
> + int ecc_size = chip->ecc.size;
> + int ecc_bytes = chip->ecc.bytes;
> + int ecc_steps = chip->ecc.steps;
> + u32 start_step = offset / ecc_size;
> + u32 end_step = (offset + data_len - 1) / ecc_size;
> + int step, ret = 0;
> +
> + /*
> + * Write entire page at one go as it would be optimal
> + * as ECC is calculated by hardware.
> + * ECC is calculated for all subpages but we choose
> + * only what we want.
> + */
> +
> + /* Enable GPMC ECC engine */
> + chip->ecc.hwctl(mtd, NAND_ECC_WRITE);
> +
> + /* Write data */
> + chip->write_buf(mtd, buf, mtd->writesize);
> +
> + for (step = 0; step < ecc_steps; step++) {
> + /* mask ECC of un-touched subpages by padding 0xFF */
> + if (step < start_step || step > end_step)
> + memset(ecc_calc, 0xff, ecc_bytes);
> + else
> + ret = _omap_calculate_ecc_bch(mtd, buf, ecc_calc, step);
> +
> + if (ret)
> + return ret;
> +
> + buf += ecc_size;
> + ecc_calc += ecc_bytes;
> + }
> +
> + /* copy calculated ECC for whole page to chip->buffer->oob */
> + /* this include masked-value(0xFF) for unwritten subpages */
> + ecc_calc = chip->buffers->ecccalc;
> + ret = mtd_ooblayout_set_eccbytes(mtd, ecc_calc, chip->oob_poi, 0,
> + chip->ecc.total);
> + if (ret)
> + return ret;
> +
> + /* write OOB buffer to NAND device */
> + chip->write_buf(mtd, chip->oob_poi, mtd->oobsize);
> +
> + return 0;
> +}
> +
> +/**
> * omap_read_page_bch - BCH ecc based page read function for entire page
> * @mtd: mtd info structure
> * @chip: nand chip info structure
> @@ -2044,7 +2153,7 @@ static int omap_nand_probe(struct platform_device *pdev)
> nand_chip->ecc.strength = 4;
> nand_chip->ecc.hwctl = omap_enable_hwecc_bch;
> nand_chip->ecc.correct = nand_bch_correct_data;
> - nand_chip->ecc.calculate = omap_calculate_ecc_bch;
> + nand_chip->ecc.calculate = omap_calculate_ecc_bch_sw;
> mtd_set_ooblayout(mtd, &omap_sw_ooblayout_ops);
> /* Reserve one byte for the OMAP marker */
> oobbytes_per_step = nand_chip->ecc.bytes + 1;
> @@ -2066,9 +2175,10 @@ static int omap_nand_probe(struct platform_device *pdev)
> nand_chip->ecc.strength = 4;
> nand_chip->ecc.hwctl = omap_enable_hwecc_bch;
> nand_chip->ecc.correct = omap_elm_correct_data;
> - nand_chip->ecc.calculate = omap_calculate_ecc_bch;
> + nand_chip->ecc.calculate = omap_calculate_ecc_bch_multi;
It's still wrong. Didn't you say you would leave ecc->calculate
unassigned in this case?
> nand_chip->ecc.read_page = omap_read_page_bch;
> nand_chip->ecc.write_page = omap_write_page_bch;
> + nand_chip->ecc.write_subpage = omap_write_subpage_bch;
> mtd_set_ooblayout(mtd, &omap_ooblayout_ops);
> oobbytes_per_step = nand_chip->ecc.bytes;
>
> @@ -2087,7 +2197,7 @@ static int omap_nand_probe(struct platform_device *pdev)
> nand_chip->ecc.strength = 8;
> nand_chip->ecc.hwctl = omap_enable_hwecc_bch;
> nand_chip->ecc.correct = nand_bch_correct_data;
> - nand_chip->ecc.calculate = omap_calculate_ecc_bch;
> + nand_chip->ecc.calculate = omap_calculate_ecc_bch_sw;
> mtd_set_ooblayout(mtd, &omap_sw_ooblayout_ops);
> /* Reserve one byte for the OMAP marker */
> oobbytes_per_step = nand_chip->ecc.bytes + 1;
> @@ -2109,9 +2219,10 @@ static int omap_nand_probe(struct platform_device *pdev)
> nand_chip->ecc.strength = 8;
> nand_chip->ecc.hwctl = omap_enable_hwecc_bch;
> nand_chip->ecc.correct = omap_elm_correct_data;
> - nand_chip->ecc.calculate = omap_calculate_ecc_bch;
> + nand_chip->ecc.calculate = omap_calculate_ecc_bch_multi;
> nand_chip->ecc.read_page = omap_read_page_bch;
> nand_chip->ecc.write_page = omap_write_page_bch;
> + nand_chip->ecc.write_subpage = omap_write_subpage_bch;
> mtd_set_ooblayout(mtd, &omap_ooblayout_ops);
> oobbytes_per_step = nand_chip->ecc.bytes;
>
> @@ -2131,9 +2242,10 @@ static int omap_nand_probe(struct platform_device *pdev)
> nand_chip->ecc.strength = 16;
> nand_chip->ecc.hwctl = omap_enable_hwecc_bch;
> nand_chip->ecc.correct = omap_elm_correct_data;
> - nand_chip->ecc.calculate = omap_calculate_ecc_bch;
> + nand_chip->ecc.calculate = omap_calculate_ecc_bch_multi;
> nand_chip->ecc.read_page = omap_read_page_bch;
> nand_chip->ecc.write_page = omap_write_page_bch;
> + nand_chip->ecc.write_subpage = omap_write_subpage_bch;
> mtd_set_ooblayout(mtd, &omap_ooblayout_ops);
> oobbytes_per_step = nand_chip->ecc.bytes;
>