
mtd: nand: fix bug writing 1 byte less than page size

Message ID 1468831158-6172-1-git-send-email-hector.palacios@digi.com
State Accepted
Commit 144f4c98399e2c0ca60eb414c15a2c68125c18b8

Commit Message

Hector Palacios July 18, 2016, 8:39 a.m. UTC
nand_do_write_ops() determines if it is writing a partial page with the
formula:
	part_pagewr = (column || writelen < (mtd->writesize - 1))

When 'writelen' is exactly 1 byte less than the NAND page size the formula
equates to zero, so the code doesn't process it as a partial write,
although it should.
As a consequence the function remains in the while(1) loop with 'writelen'
becoming 0xffffffff and iterating endlessly.

The bug may not be easy to reproduce in Linux since user space tools
usually force the padding or round-up the write size to a page-size
multiple.
This was discovered in U-Boot where the issue can be reproduced by
writing any size that is 1 byte less than a page-size multiple.
For example, on a NAND with 2K page (0x800):
	=> nand erase.part <partition>
	=> nand write $loadaddr <partition> 7ff

Signed-off-by: Hector Palacios <hector.palacios@digi.com>
---
 drivers/mtd/nand/nand_base.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
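
The failure described in the commit message, as an added example (not code from the patch or from the kernel): a simplified C model of the write loop in which the pre-patch or post-patch predicate can be selected. The function name `model_write`, the `MAX_ITER` guard and the way `bytes` is clamped in the partial-page path are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>

#define WRITESIZE 0x800u   /* 2K page, as in the commit message */
#define MAX_ITER  8        /* model-only guard so the demo terminates */

/*
 * Simplified model (assumption) of the page loop in nand_do_write_ops().
 * Returns the number of pages written, or -1 if MAX_ITER is reached.
 * *wrapped gets the value of writelen after the first underflow, else 0.
 */
static int model_write(uint32_t column, uint32_t writelen, int buggy,
                       uint32_t *wrapped)
{
    int pages;

    *wrapped = 0;
    for (pages = 1; pages <= MAX_ITER; pages++) {
        uint32_t bytes = WRITESIZE;
        int part_pagewr = buggy
            ? (column || writelen < (WRITESIZE - 1))  /* before the patch */
            : (column || writelen < WRITESIZE);       /* after the patch */

        if (part_pagewr) {
            /* partial page: write only what is left */
            uint32_t room = bytes - column;
            bytes = room < writelen ? room : writelen;
        }
        if (bytes > writelen && !*wrapped)
            *wrapped = writelen - bytes;  /* unsigned wrap-around */
        writelen -= bytes;
        if (!writelen)
            return pages;
        column = 0;
    }
    return -1;
}

int main(void)
{
    uint32_t w;
    int r = model_write(0, 0x7ff, 1, &w);

    printf("before: pages=%d writelen after wrap=0x%x\n", r, (unsigned)w);
    r = model_write(0, 0x7ff, 0, &w);
    printf("after:  pages=%d\n", r);
    return 0;
}
```

In the model, only lengths that leave exactly `WRITESIZE - 1` bytes for the last page hit the pre-patch failure; every other remainder is classified as partial by both predicates.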

Comments

Boris Brezillon July 18, 2016, 9:04 a.m. UTC | #1
On Mon, 18 Jul 2016 10:39:18 +0200
Hector Palacios <hector.palacios@digi.com> wrote:

> nand_do_write_ops() determines if it is writing a partial page with the
> formula:
> 	part_pagewr = (column || writelen < (mtd->writesize - 1))
> 
> When 'writelen' is exactly 1 byte less than the NAND page size the formula
> equates to zero, so the code doesn't process it as a partial write,
> although it should.
> As a consequence the function remains in the while(1) loop with 'writelen'
> becoming 0xffffffff and iterating endlessly.
> 
> The bug may not be easy to reproduce in Linux since user space tools
> usually force the padding or round-up the write size to a page-size
> multiple.
> This was discovered in U-Boot where the issue can be reproduced by
> writing any size that is 1 byte less than a page-size multiple.
> For example, on a NAND with 2K page (0x800):
> 	=> nand erase.part <partition>
> 	=> nand write $loadaddr <partition> 7ff  
> 
> Signed-off-by: Hector Palacios <hector.palacios@digi.com>

Acked-by: Boris Brezillon <boris.brezillon@free-electrons.com>

Brian, can you take this patch in your tree.

As usual, I'm unsure whether we should Cc stable or not, but we
should at least add

Fixes: 66507c7bc8895 ("mtd: nand: Add support to use nand_base poi databuf as bounce buffer")

> ---
>  drivers/mtd/nand/nand_base.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/mtd/nand/nand_base.c b/drivers/mtd/nand/nand_base.c
> index 0b0dc29d2af7..77533f7f2429 100644
> --- a/drivers/mtd/nand/nand_base.c
> +++ b/drivers/mtd/nand/nand_base.c
> @@ -2610,7 +2610,7 @@ static int nand_do_write_ops(struct mtd_info *mtd, loff_t to,
>  		int cached = writelen > bytes && page != blockmask;
>  		uint8_t *wbuf = buf;
>  		int use_bufpoi;
> -		int part_pagewr = (column || writelen < (mtd->writesize - 1));
> +		int part_pagewr = (column || writelen < mtd->writesize);
>  
>  		if (part_pagewr)
>  			use_bufpoi = 1;
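Review bot: the corrected test on the `part_pagewr` line still leaves loop termination dependent on this one classification, since per the commit message a write wrongly treated as a full page drives `writelen` to 0xffffffff inside while(1). Consider a guard where the length is decremented that returns an error if the chunk is larger than the remaining `writelen`, so a future regression in this predicate fails cleanly instead of hanging.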
Brian Norris July 18, 2016, 5:18 p.m. UTC | #2
+ Kamal, FYI

On Mon, Jul 18, 2016 at 11:04:32AM +0200, Boris Brezillon wrote:
> On Mon, 18 Jul 2016 10:39:18 +0200
> Hector Palacios <hector.palacios@digi.com> wrote:
> 
> > nand_do_write_ops() determines if it is writing a partial page with the
> > formula:
> > 	part_pagewr = (column || writelen < (mtd->writesize - 1))
> > 
> > When 'writelen' is exactly 1 byte less than the NAND page size the formula
> > equates to zero, so the code doesn't process it as a partial write,
> > although it should.
> > As a consequence the function remains in the while(1) loop with 'writelen'
> > becoming 0xffffffff and iterating endlessly.
> > 
> > The bug may not be easy to reproduce in Linux since user space tools
> > usually force the padding or round-up the write size to a page-size
> > multiple.
> > This was discovered in U-Boot where the issue can be reproduced by
> > writing any size that is 1 byte less than a page-size multiple.
> > For example, on a NAND with 2K page (0x800):
> > 	=> nand erase.part <partition>
> > 	=> nand write $loadaddr <partition> 7ff  
> > 
> > Signed-off-by: Hector Palacios <hector.palacios@digi.com>
> 
> Acked-by: Boris Brezillon <boris.brezillon@free-electrons.com>
> 
> Brian, can you take this patch in your tree.
> 
> As usual, I'm unsure whether we should Cc stable or not, but we
> should at least add
> 
> Fixes: 66507c7bc8895 ("mtd: nand: Add support to use nand_base poi databuf as bounce buffer")

Applied to l2-mtd.git with Fixes and stable tags. Thanks!

> > ---
> >  drivers/mtd/nand/nand_base.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/drivers/mtd/nand/nand_base.c b/drivers/mtd/nand/nand_base.c
> > index 0b0dc29d2af7..77533f7f2429 100644
> > --- a/drivers/mtd/nand/nand_base.c
> > +++ b/drivers/mtd/nand/nand_base.c
> > @@ -2610,7 +2610,7 @@ static int nand_do_write_ops(struct mtd_info *mtd, loff_t to,
> >  		int cached = writelen > bytes && page != blockmask;
> >  		uint8_t *wbuf = buf;
> >  		int use_bufpoi;
> > -		int part_pagewr = (column || writelen < (mtd->writesize - 1));
> > +		int part_pagewr = (column || writelen < mtd->writesize);
> >  
> >  		if (part_pagewr)
> >  			use_bufpoi = 1;
>
Crystal Wood July 18, 2016, 10:37 p.m. UTC | #3
On Mon, 2016-07-18 at 11:04 +0200, Boris Brezillon wrote:
> On Mon, 18 Jul 2016 10:39:18 +0200
> Hector Palacios <hector.palacios@digi.com> wrote:
> 
> > 
> > nand_do_write_ops() determines if it is writing a partial page with the
> > formula:
> > 	part_pagewr = (column || writelen < (mtd->writesize - 1))
> > 
> > When 'writelen' is exactly 1 byte less than the NAND page size the formula
> > equates to zero, so the code doesn't process it as a partial write,
> > although it should.
> > As a consequence the function remains in the while(1) loop with 'writelen'
> > becoming 0xffffffff and iterating endlessly.
> > 
> > The bug may not be easy to reproduce in Linux since user space tools
> > usually force the padding or round-up the write size to a page-size
> > multiple.
> > This was discovered in U-Boot where the issue can be reproduced by
> > writing any size that is 1 byte less than a page-size multiple.
> > For example, on a NAND with 2K page (0x800):
> > 	=> nand erase.part <partition>
> > 	=> nand write $loadaddr <partition> 7ff  
> > 
> > Signed-off-by: Hector Palacios <hector.palacios@digi.com>
> Acked-by: Boris Brezillon <boris.brezillon@free-electrons.com>
> 
> Brian, can you take this patch in your tree.
> 
> As usual, I'm unsure whether we should Cc stable or not, but we
> should at least add
> 
> Fixes: 66507c7bc8895 ("mtd: nand: Add support to use nand_base poi databuf
> as bounce buffer")

That commit just moved the bad test; it was introduced in 29072b96078ffde3
("[MTD] NAND: add subpage write support").

-Scott
Brian Norris July 19, 2016, 7:56 p.m. UTC | #4
On Mon, Jul 18, 2016 at 05:37:22PM -0500, Scott Wood wrote:
> On Mon, 2016-07-18 at 11:04 +0200, Boris Brezillon wrote:
> > On Mon, 18 Jul 2016 10:39:18 +0200
> > Hector Palacios <hector.palacios@digi.com> wrote:
> > 
> > > 
> > > nand_do_write_ops() determines if it is writing a partial page with the
> > > formula:
> > > 	part_pagewr = (column || writelen < (mtd->writesize - 1))
> > > 
> > > When 'writelen' is exactly 1 byte less than the NAND page size the formula
> > > equates to zero, so the code doesn't process it as a partial write,
> > > although it should.
> > > As a consequence the function remains in the while(1) loop with 'writelen'
> > > becoming 0xffffffff and iterating endlessly.
> > > 
> > > The bug may not be easy to reproduce in Linux since user space tools
> > > usually force the padding or round-up the write size to a page-size
> > > multiple.
> > > This was discovered in U-Boot where the issue can be reproduced by
> > > writing any size that is 1 byte less than a page-size multiple.
> > > For example, on a NAND with 2K page (0x800):
> > > 	=> nand erase.part <partition>
> > > 	=> nand write $loadaddr <partition> 7ff  
> > > 
> > > Signed-off-by: Hector Palacios <hector.palacios@digi.com>
> > Acked-by: Boris Brezillon <boris.brezillon@free-electrons.com>
> > 
> > Brian, can you take this patch in your tree.
> > 
> > As usual, I'm unsure whether we should Cc stable or not, but we
> > should at least add
> > 
> > Fixes: 66507c7bc8895 ("mtd: nand: Add support to use nand_base poi databuf
> > as bounce buffer")
> 
> That commit just moved the bad test; it was introduced in 29072b96078ffde3
> ("[MTD] NAND: add subpage write support").

Indeed. I've updated the Fixes tag and added an additional comment in the
commit message.

Thanks,
Brian

Patch

diff --git a/drivers/mtd/nand/nand_base.c b/drivers/mtd/nand/nand_base.c
index 0b0dc29d2af7..77533f7f2429 100644
--- a/drivers/mtd/nand/nand_base.c
+++ b/drivers/mtd/nand/nand_base.c
@@ -2610,7 +2610,7 @@  static int nand_do_write_ops(struct mtd_info *mtd, loff_t to,
 		int cached = writelen > bytes && page != blockmask;
 		uint8_t *wbuf = buf;
 		int use_bufpoi;
-		int part_pagewr = (column || writelen < (mtd->writesize - 1));
+		int part_pagewr = (column || writelen < mtd->writesize);
 
 		if (part_pagewr)
 			use_bufpoi = 1;
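Review bot: the new `writelen < mtd->writesize` condition carries no comment stating the invariant, and the `- 1` it replaces went unnoticed since the subpage write support commit named in the thread. A one-line comment above `part_pagewr`, for example that any write starting at a non-zero column or shorter than one full page is partial, would document the boundary; a regression test writing 0x7ff bytes to a 2K-page device, the case from the commit message, would pin it.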