Patchwork mtd: mtdchar: Exit write loop when hitting end of OTP memory

login
register
mail settings
Submitter Christian Riesch
Date April 26, 2013, 5:56 p.m.
Message ID <29483dd6-387c-4b28-b689-88795e0bbbde@mary.at.omicron.at>
Download mbox | patch
Permalink /patch/239897/
State New
Headers show

Comments

Christian Riesch - April 26, 2013, 5:56 p.m.
If a write to one time programmable memory (OTP) hits the end
of this memory area, no more data can be written and count does not
decrease anymore. We are trapped in the loop forever.

Therefore drop the remaining data if retlen != len.

Signed-off-by: Christian Riesch <christian.riesch@omicron.at>
---
 drivers/mtd/mtdchar.c |    4 ++++
 1 file changed, 4 insertions(+)
Artem Bityutskiy - May 29, 2013, 7:08 a.m.
On Fri, 2013-04-26 at 19:56 +0200, Christian Riesch wrote:
> If a write to one time programmable memory (OTP) hits the end
> of this memory area, no more data can be written and count does not
> decrease anymore. We are trapped in the loop forever.
> 
> Therefore drop the remaining data if retlen != len.
> 
> Signed-off-by: Christian Riesch <christian.riesch@omicron.at>
> ---
>  drivers/mtd/mtdchar.c |    4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c
> index e0e59bf..70c18c2 100644
> --- a/drivers/mtd/mtdchar.c
> +++ b/drivers/mtd/mtdchar.c
> @@ -321,6 +321,10 @@ static ssize_t mtdchar_write(struct file *file, const char __user *buf, size_t c
>  		case MTD_FILE_MODE_OTP_USER:
>  			ret = mtd_write_user_prot_reg(mtd, *ppos, len,
>  						      &retlen, kbuf);
> +
> +			/* if we hit the end of otp memory, drop the rest */
> +			if (retlen != len)
> +				count -= len - retlen;
>  			break;

I think the problem is that 'mtd_write_user_prot_reg()' should return an
error if you try to write more data than it is available. At least this
is the behavior of 'mtd_write()'.
Christian Riesch - May 29, 2013, 1:19 p.m.
Artem,
Thank you again for your comments.

On 2013-05-29 09:08, Artem Bityutskiy wrote:
> On Fri, 2013-04-26 at 19:56 +0200, Christian Riesch wrote:
>> If a write to one time programmable memory (OTP) hits the end
>> of this memory area, no more data can be written and count does not
>> decrease anymore. We are trapped in the loop forever.
>>
>> Therefore drop the remaining data if retlen != len.
>>
>> Signed-off-by: Christian Riesch <christian.riesch@omicron.at>
>> ---
>>   drivers/mtd/mtdchar.c |    4 ++++
>>   1 file changed, 4 insertions(+)
>>
>> diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c
>> index e0e59bf..70c18c2 100644
>> --- a/drivers/mtd/mtdchar.c
>> +++ b/drivers/mtd/mtdchar.c
>> @@ -321,6 +321,10 @@ static ssize_t mtdchar_write(struct file *file, const char __user *buf, size_t c
>>   		case MTD_FILE_MODE_OTP_USER:
>>   			ret = mtd_write_user_prot_reg(mtd, *ppos, len,
>>   						      &retlen, kbuf);
>> +
>> +			/* if we hit the end of otp memory, drop the rest */
>> +			if (retlen != len)
>> +				count -= len - retlen;
>>   			break;
>
> I think the problem is that 'mtd_write_user_prot_reg()' should return an
> error if you try to write more data than it is available. At least this
> is the behavior of 'mtd_write()'.
>

The OTP code for the AMD command set in my recent patchset is modeled 
after the existing code in drivers/mtd/chips/cfi_cmdset_0001.c. 
Therefore it has a ...walk() function that walks from chip to chip and 
tries to write as much data as possible into the OTP memories of these 
chips. Until the last iteration of this loop it does not know how much 
OTP memory is available. Therefore, a check for insufficient OTP memory 
and returning an error before writing any data is not possible.

Of course I could change my code to obtain the available OTP memory 
before writing any data. But then the code in cfi_cmdset_0001.c would 
still suffer from this issue.

What do you think?

Best regards, Christian
Artem Bityutskiy - May 29, 2013, 1:56 p.m.
On Wed, 2013-05-29 at 15:19 +0200, Christian Riesch wrote:
> The OTP code for the AMD command set in my recent patchset is modeled 
> after the existing code in drivers/mtd/chips/cfi_cmdset_0001.c. 
> Therefore it has a ...walk() function that walks from chip to chip and 
> tries to write as much data as possible into the OTP memories of these 
> chips. Until the last iteration of this loop it does not know how much 
> OTP memory is available. Therefore, a check for insufficient OTP memory 
> and returning an error before writing any data is not possible.
> 
> Of course I could change my code to obtain the available OTP memory 
> before writing any data. But then the code in cfi_cmdset_0001.c would 
> still suffer from this issue.

Could you please check OneNAND and other drivers which implement OTP and
see whether they check for space availability?

On the first glance, I'd say that 0001 should be amended as well. But if
all OTP writers behave this way, then may be we can document this
clearly at least somewhere in a commentary.
Christian Riesch - May 29, 2013, 2:27 p.m.
[cc'ed the author of onenand otp support]

On 2013-05-29 15:56, Artem Bityutskiy wrote:
> On Wed, 2013-05-29 at 15:19 +0200, Christian Riesch wrote:
>> The OTP code for the AMD command set in my recent patchset is modeled
>> after the existing code in drivers/mtd/chips/cfi_cmdset_0001.c.
>> Therefore it has a ...walk() function that walks from chip to chip and
>> tries to write as much data as possible into the OTP memories of these
>> chips. Until the last iteration of this loop it does not know how much
>> OTP memory is available. Therefore, a check for insufficient OTP memory
>> and returning an error before writing any data is not possible.
>>
>> Of course I could change my code to obtain the available OTP memory
>> before writing any data. But then the code in cfi_cmdset_0001.c would
>> still suffer from this issue.
>
> Could you please check OneNAND and other drivers which implement OTP and
> see whether they check for space availability?

mtd->_write_user_prot_reg is currently implemented by 
drivers/mtd/chips/cfi_cmdset_0001.c, drivers/mtd/onenand/onenand_base.c, 
and drivers/mtd/devices/mtd_dataflash.c.

mtd_dataflash checks if the offset is larger than 64 and returns -EINVAL 
in this case. If offset <= 64, but offset + len > 64, len is decreased 
to fit into the OTP memory, the number of actually written bytes is 
returned. It therefore suffers from the same issue in mtdchar.c as the 
Intel command set.

onenand seems to do some kind of length check (although I do not fully 
understand why it does not include the offset in 'from' in this check if 
the factory OTP is addressed), but if the data does not fit into the 
memory it returns 0 instead of an error code, resulting in an infinite 
loop as well.

Regards, Christian

>
> On the first glance, I'd say that 0001 should be amended as well. But if
> all OTP writers behave this way, then may be we can document this
> clearly at least somewhere in a commentary.
>
Artem Bityutskiy - June 3, 2013, 9:39 a.m.
On Wed, 2013-05-29 at 16:27 +0200, Christian Riesch wrote:
> [cc'ed the author of onenand otp support]
> 
> On 2013-05-29 15:56, Artem Bityutskiy wrote:
> > On Wed, 2013-05-29 at 15:19 +0200, Christian Riesch wrote:
> >> The OTP code for the AMD command set in my recent patchset is modeled
> >> after the existing code in drivers/mtd/chips/cfi_cmdset_0001.c.
> >> Therefore it has a ...walk() function that walks from chip to chip and
> >> tries to write as much data as possible into the OTP memories of these
> >> chips. Until the last iteration of this loop it does not know how much
> >> OTP memory is available. Therefore, a check for insufficient OTP memory
> >> and returning an error before writing any data is not possible.
> >>
> >> Of course I could change my code to obtain the available OTP memory
> >> before writing any data. But then the code in cfi_cmdset_0001.c would
> >> still suffer from this issue.
> >
> > Could you please check OneNAND and other drivers which implement OTP and
> > see whether they check for space availability?
> 
> mtd->_write_user_prot_reg is currently implemented by 
> drivers/mtd/chips/cfi_cmdset_0001.c, drivers/mtd/onenand/onenand_base.c, 
> and drivers/mtd/devices/mtd_dataflash.c.
> 
> mtd_dataflash checks if the offset is larger than 64 and returns -EINVAL 
> in this case. If offset <= 64, but offset + len > 64, len is decreased 
> to fit into the OTP memory, the number of actually written bytes is 
> returned. It therefore suffers from the same issue in mtdchar.c as the 
> Intel command set.
> 
> onenand seems to do some kind of length check (although I do not fully 
> understand why it does not include the offset in 'from' in this check if 
> the factory OTP is addressed), but if the data does not fit into the 
> memory it returns 0 instead of an error code, resulting in an infinite 
> loop as well.

Would you be able to harmonize the implementations and switch them all
to the interface which is consistent with normal read/write, i.e., has
the retlen parameter?

Patch

diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c
index e0e59bf..70c18c2 100644
--- a/drivers/mtd/mtdchar.c
+++ b/drivers/mtd/mtdchar.c
@@ -321,6 +321,10 @@  static ssize_t mtdchar_write(struct file *file, const char __user *buf, size_t c
 		case MTD_FILE_MODE_OTP_USER:
 			ret = mtd_write_user_prot_reg(mtd, *ppos, len,
 						      &retlen, kbuf);
+
+			/* if we hit the end of otp memory, drop the rest */
+			if (retlen != len)
+				count -= len - retlen;
 			break;
 
 		case MTD_FILE_MODE_RAW: