| Message ID | 1490861708-27813-3-git-send-email-yamada.masahiro@socionext.com |
|---|---|
| State | Accepted |
| Delegated to: | Boris Brezillon |
| Headers | show |
On Thu, Mar 30, 2017 at 11:15 AM, Masahiro Yamada <yamada.masahiro@socionext.com> wrote: > > Some NAND controllers are using DMA engine requiring a specific > buffer alignment. The core provides no guarantee on the nand_buffers > pointers, which forces some drivers to allocate their own buffers > and pass the NAND_OWN_BUFFERS flag. > > Rework the nand_buffers allocation logic to allocate each buffer > independently. This should make most NAND controllers/DMA engine > happy, and allow us to get rid of these custom buf allocation in > NAND controller drivers. > > Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com> > @@ -4914,8 +4930,12 @@ void nand_cleanup(struct nand_chip *chip) > > /* Free bad block table memory */ > kfree(chip->bbt); > - if (!(chip->options & NAND_OWN_BUFFERS)) > + if (!(chip->options & NAND_OWN_BUFFERS)) { > + kfree(chip->buffers->databuf); > + kfree(chip->buffers->ecccode); > + kfree(chip->buffers->ecccalc); > kfree(chip->buffers); > + } It seems that chip->buffers might not be allocated at this point, for example if nand_cleanup is called during a failed probe. You should check if (chip->buffers != NULL) before freeing stuff inside it. When attempting to run linux-next on various imx6qdl-sabreauto boards they now panic on boot. This happens because they have nand chips in devicetree which are not physically populated on the board. This normally fails in nand_scan_ident but now crashes later in nand_cleanup. -- Regards, Leonard
Hi Leonard, 2017-04-06 23:08 GMT+09:00 Leonard Crestez <leonard.crestez@nxp.com>: > On Thu, Mar 30, 2017 at 11:15 AM, Masahiro Yamada <yamada.masahiro@socionext.com> wrote: >> >> Some NAND controllers are using DMA engine requiring a specific >> buffer alignment. The core provides no guarantee on the nand_buffers >> pointers, which forces some drivers to allocate their own buffers >> and pass the NAND_OWN_BUFFERS flag. >> >> Rework the nand_buffers allocation logic to allocate each buffer >> independently. This should make most NAND controllers/DMA engine >> happy, and allow us to get rid of these custom buf allocation in >> NAND controller drivers. >> >> Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com> > >> @@ -4914,8 +4930,12 @@ void nand_cleanup(struct nand_chip *chip) >> > /* Free bad block table memory */ >> kfree(chip->bbt); >> - if (!(chip->options & NAND_OWN_BUFFERS)) >> + if (!(chip->options & NAND_OWN_BUFFERS)) { >> + kfree(chip->buffers->databuf); >> + kfree(chip->buffers->ecccode); >> + kfree(chip->buffers->ecccalc); >> kfree(chip->buffers); >> + } > > It seems that chip->buffers might not be allocated at this point, for > example if nand_cleanup is called during a failed probe. You should > check if (chip->buffers != NULL) before freeing stuff inside it. You are right. The failure path in NAND drivers is messy. :-( nand_cleanup() may be called before nand_scan_tail() finishes successfully... I will send a fixup patch. Thanks!
On Fri, 7 Apr 2017 15:49:23 +0900 Masahiro Yamada <yamada.masahiro@socionext.com> wrote: > Hi Leonard, > > 2017-04-06 23:08 GMT+09:00 Leonard Crestez <leonard.crestez@nxp.com>: > > On Thu, Mar 30, 2017 at 11:15 AM, Masahiro Yamada <yamada.masahiro@socionext.com> wrote: > >> > >> Some NAND controllers are using DMA engine requiring a specific > >> buffer alignment. The core provides no guarantee on the nand_buffers > >> pointers, which forces some drivers to allocate their own buffers > >> and pass the NAND_OWN_BUFFERS flag. > >> > >> Rework the nand_buffers allocation logic to allocate each buffer > >> independently. This should make most NAND controllers/DMA engine > >> happy, and allow us to get rid of these custom buf allocation in > >> NAND controller drivers. > >> > >> Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com> > > > >> @@ -4914,8 +4930,12 @@ void nand_cleanup(struct nand_chip *chip) > >> > /* Free bad block table memory */ > >> kfree(chip->bbt); > >> - if (!(chip->options & NAND_OWN_BUFFERS)) > >> + if (!(chip->options & NAND_OWN_BUFFERS)) { > >> + kfree(chip->buffers->databuf); > >> + kfree(chip->buffers->ecccode); > >> + kfree(chip->buffers->ecccalc); > >> kfree(chip->buffers); > >> + } > > > > It seems that chip->buffers might not be allocated at this point, for > > example if nand_cleanup is called during a failed probe. You should > > check if (chip->buffers != NULL) before freeing stuff inside it. > > You are right. > > The failure path in NAND drivers is messy. :-( Totally agree, and that's partly because of the complex/non-trivial NAND APIs :-/. > nand_cleanup() may be called before nand_scan_tail() > finishes successfully... Actually, I think the real bug is in the GPMI driver which is not using nand_release() appropriately. nand_release() is supposed to be called on a registered NAND device, so it's wrong to call it before mtd_register() has been called and returned 0. Note that nand_cleanup() can only be called after nand_scan_tail() has returned 0 (which unfortunately is not obvious :-/). I still plan to take Masahiro's fixup patch because the more precautions we take the better it is, but I still think the real bug is in the GPMI driver. One last comment: a bug still exists in the GPMI driver when nand_scan_ident() fails after NAND buffers allocation because it never sets chip->buffers back to NULL (see [1]). [1]http://lxr.free-electrons.com/source/drivers/mtd/nand/nand_base.c#L4834
diff --git a/drivers/mtd/nand/nand_base.c b/drivers/mtd/nand/nand_base.c index f828ad7..e9d3195 100644 --- a/drivers/mtd/nand/nand_base.c +++ b/drivers/mtd/nand/nand_base.c @@ -4613,13 +4613,25 @@ int nand_scan_tail(struct mtd_info *mtd) } if (!(chip->options & NAND_OWN_BUFFERS)) { - nbuf = kzalloc(sizeof(*nbuf) + mtd->writesize - + mtd->oobsize * 3, GFP_KERNEL); + nbuf = kzalloc(sizeof(*nbuf), GFP_KERNEL); if (!nbuf) return -ENOMEM; - nbuf->ecccalc = (uint8_t *)(nbuf + 1); - nbuf->ecccode = nbuf->ecccalc + mtd->oobsize; - nbuf->databuf = nbuf->ecccode + mtd->oobsize; + nbuf->ecccalc = kmalloc(mtd->oobsize, GFP_KERNEL); + if (!nbuf->ecccalc) { + ret = -EINVAL; + goto err_free; + } + nbuf->ecccode = kmalloc(mtd->oobsize, GFP_KERNEL); + if (!nbuf->ecccode) { + ret = -EINVAL; + goto err_free; + } + nbuf->databuf = kmalloc(mtd->writesize + mtd->oobsize, + GFP_KERNEL); + if (!nbuf->databuf) { + ret = -EINVAL; + goto err_free; + } chip->buffers = nbuf; } else { @@ -4862,8 +4874,12 @@ int nand_scan_tail(struct mtd_info *mtd) /* Build bad block table */ return chip->scan_bbt(mtd); err_free: - if (!(chip->options & NAND_OWN_BUFFERS)) + if (!(chip->options & NAND_OWN_BUFFERS)) { + kfree(chip->buffers->databuf); + kfree(chip->buffers->ecccode); + kfree(chip->buffers->ecccalc); kfree(chip->buffers); + } return ret; } EXPORT_SYMBOL(nand_scan_tail); @@ -4914,8 +4930,12 @@ void nand_cleanup(struct nand_chip *chip) /* Free bad block table memory */ kfree(chip->bbt); - if (!(chip->options & NAND_OWN_BUFFERS)) + if (!(chip->options & NAND_OWN_BUFFERS)) { + kfree(chip->buffers->databuf); + kfree(chip->buffers->ecccode); + kfree(chip->buffers->ecccalc); kfree(chip->buffers); + } /* Free bad block descriptor memory */ if (chip->badblock_pattern && chip->badblock_pattern->options
Some NAND controllers are using DMA engine requiring a specific buffer alignment. The core provides no guarantee on the nand_buffers pointers, which forces some drivers to allocate their own buffers and pass the NAND_OWN_BUFFERS flag. Rework the nand_buffers allocation logic to allocate each buffer independently. This should make most NAND controllers/DMA engine happy, and allow us to get rid of these custom buf allocation in NAND controller drivers. Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com> --- Changes in v3: - Reword git-log Changes in v2: - Newly added drivers/mtd/nand/nand_base.c | 34 +++++++++++++++++++++++++++------- 1 file changed, 27 insertions(+), 7 deletions(-)