Patchwork [11/17] MTD: nand: fix bug that prevented write of more that one page by ->write_oob

login
register
mail settings
Submitter Maxim Levitsky
Date Feb. 4, 2010, 11:30 p.m.
Message ID <1265326257-4446-12-git-send-email-maximlevitsky@gmail.com>
Download mbox | patch
Permalink /patch/44566/
State New
Headers show

Comments

Maxim Levitsky - Feb. 4, 2010, 11:30 p.m.
Although nand_do_write_ops intends to allow such mode, it fails do do so
Probably this was never tested

Signed-off-by: Maxim Levitsky <maximlevitsky@gmail.com>
---
 drivers/mtd/nand/nand_base.c |   16 +++++++++-------
 1 files changed, 9 insertions(+), 7 deletions(-)
Stanley.Miao - Feb. 5, 2010, 2:25 a.m.
ops->ooblen is the oob bytes to write, you add a argument for 
nand_fill_oob to do this,
it is redundant.

I know the bug you want to fix, the ops->ooblen may be illegal. But this 
patch can't this
problem. If (ops->offset + ops->ooblen) > mtd->oobsize, it still will 
write beyond a page.

I think the right method is that nand_do_write_ops do the check like 
nand_do_write_oob,
I have the patch yesterday.

http://patchwork.ozlabs.org/patch/44450/

Stanley.

Maxim Levitsky wrote:
> Although nand_do_write_ops intends to allow such mode, it fails do do so
> Probably this was never tested
>
> Signed-off-by: Maxim Levitsky <maximlevitsky@gmail.com>
> ---
>  drivers/mtd/nand/nand_base.c |   16 +++++++++-------
>  1 files changed, 9 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/mtd/nand/nand_base.c b/drivers/mtd/nand/nand_base.c
> index 8ff36be..29e986e 100644
> --- a/drivers/mtd/nand/nand_base.c
> +++ b/drivers/mtd/nand/nand_base.c
> @@ -1879,11 +1879,9 @@ static int nand_write_page(struct mtd_info *mtd, struct nand_chip *chip,
>   * @oob:	oob data buffer
>   * @ops:	oob ops structure
>   */
> -static uint8_t *nand_fill_oob(struct nand_chip *chip, uint8_t *oob,
> -				  struct mtd_oob_ops *ops)
> +static uint8_t *nand_fill_oob(struct nand_chip *chip, uint8_t *oob, size_t len,
> +						struct mtd_oob_ops *ops)
>   

ops->ooblen is the oob bytes to write, you add a prara

>  {
> -	size_t len = ops->ooblen;
> -
>  	switch(ops->mode) {
>  
>  	case MTD_OOB_PLACE:
> @@ -1938,6 +1936,7 @@ static int nand_do_write_ops(struct mtd_info *mtd, loff_t to,
>  	int chipnr, realpage, page, blockmask, column;
>  	struct nand_chip *chip = mtd->priv;
>  	uint32_t writelen = ops->len;
> +	uint32_t oobwritelen = ops->ooblen;
>  	uint8_t *oob = ops->oobbuf;
>  	uint8_t *buf = ops->datbuf;
>  	int ret, subpage;
> @@ -1994,8 +1993,11 @@ static int nand_do_write_ops(struct mtd_info *mtd, loff_t to,
>  			wbuf = chip->buffers->databuf;
>  		}
>  
> -		if (unlikely(oob))
> -			oob = nand_fill_oob(chip, oob, ops);
> +		if (unlikely(oob)) {
> +			size_t len = min(oobwritelen, mtd->oobsize);
> +			oob = nand_fill_oob(chip, oob, len, ops);
> +			oobwritelen -= len;
> +		}
>  
>  		ret = chip->write_page(mtd, chip, wbuf, page, cached,
>  				       (ops->mode == MTD_OOB_RAW));
> @@ -2169,7 +2171,7 @@ static int nand_do_write_oob(struct mtd_info *mtd, loff_t to,
>  		chip->pagebuf = -1;
>  
>  	memset(chip->oob_poi, 0xff, mtd->oobsize);
> -	nand_fill_oob(chip, ops->oobbuf, ops);
> +	nand_fill_oob(chip, ops->oobbuf, ops->ooblen, ops);
>  	status = chip->ecc.write_oob(mtd, chip, page & chip->pagemask);
>  	memset(chip->oob_poi, 0xff, mtd->oobsize);
>  
>
Stanley.Miao - Feb. 5, 2010, 2:34 a.m.
ops->ooblen is the oob bytes to write, you add a argument for
nand_fill_oob to do this, it is redundant.

I know the bug you want to fix, the ops->ooblen may be illegal. But this
patch can't solve this problem. If (ops->offset + ops->ooblen) > 
mtd->oobsize, it still will write beyond one page.

I think the right method to solve it is that nand_do_write_ops do the 
check like nand_do_write_oob. I have sent the patch yesterday.

http://patchwork.ozlabs.org/patch/44450/

Stanley.

Maxim Levitsky wrote:
> Although nand_do_write_ops intends to allow such mode, it fails do do so
> Probably this was never tested
>
> Signed-off-by: Maxim Levitsky <maximlevitsky@gmail.com>
> ---
>  drivers/mtd/nand/nand_base.c |   16 +++++++++-------
>  1 files changed, 9 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/mtd/nand/nand_base.c b/drivers/mtd/nand/nand_base.c
> index 8ff36be..29e986e 100644
> --- a/drivers/mtd/nand/nand_base.c
> +++ b/drivers/mtd/nand/nand_base.c
> @@ -1879,11 +1879,9 @@ static int nand_write_page(struct mtd_info *mtd, struct nand_chip *chip,
>   * @oob:	oob data buffer
>   * @ops:	oob ops structure
>   */
> -static uint8_t *nand_fill_oob(struct nand_chip *chip, uint8_t *oob,
> -				  struct mtd_oob_ops *ops)
> +static uint8_t *nand_fill_oob(struct nand_chip *chip, uint8_t *oob, size_t len,
> +						struct mtd_oob_ops *ops)
>   

ops->ooblen is the oob bytes to write, you add a prara

>  {
> -	size_t len = ops->ooblen;
> -
>  	switch(ops->mode) {
>  
>  	case MTD_OOB_PLACE:
> @@ -1938,6 +1936,7 @@ static int nand_do_write_ops(struct mtd_info *mtd, loff_t to,
>  	int chipnr, realpage, page, blockmask, column;
>  	struct nand_chip *chip = mtd->priv;
>  	uint32_t writelen = ops->len;
> +	uint32_t oobwritelen = ops->ooblen;
>  	uint8_t *oob = ops->oobbuf;
>  	uint8_t *buf = ops->datbuf;
>  	int ret, subpage;
> @@ -1994,8 +1993,11 @@ static int nand_do_write_ops(struct mtd_info *mtd, loff_t to,
>  			wbuf = chip->buffers->databuf;
>  		}
>  
> -		if (unlikely(oob))
> -			oob = nand_fill_oob(chip, oob, ops);
> +		if (unlikely(oob)) {
> +			size_t len = min(oobwritelen, mtd->oobsize);
> +			oob = nand_fill_oob(chip, oob, len, ops);
> +			oobwritelen -= len;
> +		}
>  
>  		ret = chip->write_page(mtd, chip, wbuf, page, cached,
>  				       (ops->mode == MTD_OOB_RAW));
> @@ -2169,7 +2171,7 @@ static int nand_do_write_oob(struct mtd_info *mtd, loff_t to,
>  		chip->pagebuf = -1;
>  
>  	memset(chip->oob_poi, 0xff, mtd->oobsize);
> -	nand_fill_oob(chip, ops->oobbuf, ops);
> +	nand_fill_oob(chip, ops->oobbuf, ops->ooblen, ops);
>  	status = chip->ecc.write_oob(mtd, chip, page & chip->pagemask);
>  	memset(chip->oob_poi, 0xff, mtd->oobsize);
>  
>
Maxim Levitsky - Feb. 5, 2010, 9:44 a.m.
On Fri, 2010-02-05 at 10:25 +0800, stanley.miao wrote: 
> ops->ooblen is the oob bytes to write, you add a argument for 
> nand_fill_oob to do this,
> it is redundant.
No its not.
ops->ooblen can be legitimately larger that mtd->oobsize because user
might want to write two or more pages in a row.

I want to be able to write two pages + two oobs in same time.



> 
> I know the bug you want to fix, the ops->ooblen may be illegal. But this 
> patch can't this
> problem. If (ops->offset + ops->ooblen) > mtd->oobsize, it still will 
> write beyond a page.
This is true, I just didn't use the ops->offset....


> 
> I think the right method is that nand_do_write_ops do the check like 
> nand_do_write_oob,
> I have the patch yesterday.
> 
> http://patchwork.ozlabs.org/patch/44450/
This again won't work for multipage writes I have in mind.
However if ops->ooboffs is set, I think multipage write shouldn't be
allowed

This is:

if (ops->ooboffs && (ops->ooboffs + ops->ooblen) > len))

Also check for 'ops->ooboffs >= len' is almost redundant.
Only case it would trigger is when 'ops->ooblen == 0'
But this probably can be dealt with, without error.

Best regards,
Maxim Levitsky

> 
> Stanley.
> 
> Maxim Levitsky wrote:
> > Although nand_do_write_ops intends to allow such mode, it fails do do so
> > Probably this was never tested
> >
> > Signed-off-by: Maxim Levitsky <maximlevitsky@gmail.com>
> > ---
> >  drivers/mtd/nand/nand_base.c |   16 +++++++++-------
> >  1 files changed, 9 insertions(+), 7 deletions(-)
> >
> > diff --git a/drivers/mtd/nand/nand_base.c b/drivers/mtd/nand/nand_base.c
> > index 8ff36be..29e986e 100644
> > --- a/drivers/mtd/nand/nand_base.c
> > +++ b/drivers/mtd/nand/nand_base.c
> > @@ -1879,11 +1879,9 @@ static int nand_write_page(struct mtd_info *mtd, struct nand_chip *chip,
> >   * @oob:	oob data buffer
> >   * @ops:	oob ops structure
> >   */
> > -static uint8_t *nand_fill_oob(struct nand_chip *chip, uint8_t *oob,
> > -				  struct mtd_oob_ops *ops)
> > +static uint8_t *nand_fill_oob(struct nand_chip *chip, uint8_t *oob, size_t len,
> > +						struct mtd_oob_ops *ops)
> >   
> 
> ops->ooblen is the oob bytes to write, you add a prara
> 
> >  {
> > -	size_t len = ops->ooblen;
> > -
> >  	switch(ops->mode) {
> >  
> >  	case MTD_OOB_PLACE:
> > @@ -1938,6 +1936,7 @@ static int nand_do_write_ops(struct mtd_info *mtd, loff_t to,
> >  	int chipnr, realpage, page, blockmask, column;
> >  	struct nand_chip *chip = mtd->priv;
> >  	uint32_t writelen = ops->len;
> > +	uint32_t oobwritelen = ops->ooblen;
> >  	uint8_t *oob = ops->oobbuf;
> >  	uint8_t *buf = ops->datbuf;
> >  	int ret, subpage;
> > @@ -1994,8 +1993,11 @@ static int nand_do_write_ops(struct mtd_info *mtd, loff_t to,
> >  			wbuf = chip->buffers->databuf;
> >  		}
> >  
> > -		if (unlikely(oob))
> > -			oob = nand_fill_oob(chip, oob, ops);
> > +		if (unlikely(oob)) {
> > +			size_t len = min(oobwritelen, mtd->oobsize);
> > +			oob = nand_fill_oob(chip, oob, len, ops);
> > +			oobwritelen -= len;
> > +		}
> >  
> >  		ret = chip->write_page(mtd, chip, wbuf, page, cached,
> >  				       (ops->mode == MTD_OOB_RAW));
> > @@ -2169,7 +2171,7 @@ static int nand_do_write_oob(struct mtd_info *mtd, loff_t to,
> >  		chip->pagebuf = -1;
> >  
> >  	memset(chip->oob_poi, 0xff, mtd->oobsize);
> > -	nand_fill_oob(chip, ops->oobbuf, ops);
> > +	nand_fill_oob(chip, ops->oobbuf, ops->ooblen, ops);
> >  	status = chip->ecc.write_oob(mtd, chip, page & chip->pagemask);
> >  	memset(chip->oob_poi, 0xff, mtd->oobsize);
> >  
> >   
>

Patch

diff --git a/drivers/mtd/nand/nand_base.c b/drivers/mtd/nand/nand_base.c
index 8ff36be..29e986e 100644
--- a/drivers/mtd/nand/nand_base.c
+++ b/drivers/mtd/nand/nand_base.c
@@ -1879,11 +1879,9 @@  static int nand_write_page(struct mtd_info *mtd, struct nand_chip *chip,
  * @oob:	oob data buffer
  * @ops:	oob ops structure
  */
-static uint8_t *nand_fill_oob(struct nand_chip *chip, uint8_t *oob,
-				  struct mtd_oob_ops *ops)
+static uint8_t *nand_fill_oob(struct nand_chip *chip, uint8_t *oob, size_t len,
+						struct mtd_oob_ops *ops)
 {
-	size_t len = ops->ooblen;
-
 	switch(ops->mode) {
 
 	case MTD_OOB_PLACE:
@@ -1938,6 +1936,7 @@  static int nand_do_write_ops(struct mtd_info *mtd, loff_t to,
 	int chipnr, realpage, page, blockmask, column;
 	struct nand_chip *chip = mtd->priv;
 	uint32_t writelen = ops->len;
+	uint32_t oobwritelen = ops->ooblen;
 	uint8_t *oob = ops->oobbuf;
 	uint8_t *buf = ops->datbuf;
 	int ret, subpage;
@@ -1994,8 +1993,11 @@  static int nand_do_write_ops(struct mtd_info *mtd, loff_t to,
 			wbuf = chip->buffers->databuf;
 		}
 
-		if (unlikely(oob))
-			oob = nand_fill_oob(chip, oob, ops);
+		if (unlikely(oob)) {
+			size_t len = min(oobwritelen, mtd->oobsize);
+			oob = nand_fill_oob(chip, oob, len, ops);
+			oobwritelen -= len;
+		}
 
 		ret = chip->write_page(mtd, chip, wbuf, page, cached,
 				       (ops->mode == MTD_OOB_RAW));
@@ -2169,7 +2171,7 @@  static int nand_do_write_oob(struct mtd_info *mtd, loff_t to,
 		chip->pagebuf = -1;
 
 	memset(chip->oob_poi, 0xff, mtd->oobsize);
-	nand_fill_oob(chip, ops->oobbuf, ops);
+	nand_fill_oob(chip, ops->oobbuf, ops->ooblen, ops);
 	status = chip->ecc.write_oob(mtd, chip, page & chip->pagemask);
 	memset(chip->oob_poi, 0xff, mtd->oobsize);