From patchwork Tue Feb 21 11:13:46 2023
X-Patchwork-Submitter: Andrea Righi
X-Patchwork-Id: 1745502
X-Patchwork-Delegate: tudor.ambarus@gmail.com
From: Andrea Righi
To: Tudor Ambarus, Pratyush Yadav
Cc: Michael Walle, Miquel Raynal, Richard Weinberger, Vignesh Raghavendra, Cristian Birsan, Boris Brezillon, Emil Renner Berthing, linux-mtd@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: [PATCH] mtd: spi-nor: fix shift-out-of-bounds in spi_nor_set_erase_type()
Date: Tue, 21 Feb 2023 12:13:46 +0100
Message-Id: <20230221111346.34268-1-andrea.righi@canonical.com>

It seems that according to JEDEC JESD216B Standard erase size needs to
be a power of 2, but sometimes we set the size to 0 (e.g., in
spi_nor_parse_4bait()) causing UBSAN warnings like the following:

 UBSAN: shift-out-of-bounds in drivers/mtd/spi-nor/core.c:2026:24
 shift exponent 4294967295 is too large for 32-bit type 'int'
 Hardware name: Dell Inc. XPS 13 9300/077Y9N, BIOS 1.11.0 03/22/2022
 Call Trace:
  show_stack+0x4e/0x61
  dump_stack_lvl+0x4a/0x6f
  dump_stack+0x10/0x18
  ubsan_epilogue+0x9/0x3a
  __ubsan_handle_shift_out_of_bounds.cold+0x61/0xef
  spi_nor_set_erase_type.cold+0x16/0x1e [spi_nor]
  spi_nor_parse_4bait+0x270/0x380 [spi_nor]
  spi_nor_parse_sfdp+0x47f/0x610 [spi_nor]

Fix by checking if size is a power when setting struct
spi_nor_erase_type, otherwise consider size, mask and shift as invalid.

Fixes: 5390a8df769e ("mtd: spi-nor: add support to non-uniform SFDP SPI NOR flash memories")
Reported-by: Emil Renner Berthing
Signed-off-by: Andrea Righi --- drivers/mtd/spi-nor/core.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/drivers/mtd/spi-nor/core.c b/drivers/mtd/spi-nor/core.c index d67c926bca8b..3c5b5bf9cbd1 100644 --- a/drivers/mtd/spi-nor/core.c +++ b/drivers/mtd/spi-nor/core.c @@ -2019,11 +2019,17 @@ spi_nor_spimem_adjust_hwcaps(struct spi_nor *nor, u32 *hwcaps) void spi_nor_set_erase_type(struct spi_nor_erase_type *erase, u32 size, u8 opcode) { - erase->size = size; erase->opcode = opcode; /* JEDEC JESD216B Standard imposes erase sizes to be power of 2. */ - erase->size_shift = ffs(erase->size) - 1; - erase->size_mask = (1 << erase->size_shift) - 1; + if (likely(is_power_of_2(size))) { + erase->size = size; + erase->size_shift = ffs(erase->size) - 1; + erase->size_mask = (1 << erase->size_shift) - 1; + } else { + erase->size = 0u; + erase->size_shift = ~0u; + erase->size_mask = ~0u; + } } /**
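
Review bot: In the else branch, `erase->size_shift = ~0u` stores the same out-of-range exponent (4294967295) that the UBSAN report complained about, so the fix only holds if every consumer of size_shift and size_mask tests `erase->size` for zero before shifting or masking; that is worth confirming and stating in a comment, since the existing JESD216B comment explains only the valid case. A non-zero size that is not a power of 2 is also silently turned into size 0 here, where a debug message would make a malformed SFDP table visible. In the valid branch, `1 << erase->size_shift` is still a signed int shift, and a u32 size of 0x80000000 passes is_power_of_2() with a shift of 31; `BIT(erase->size_shift) - 1` would avoid that. The likely() hint looks unnecessary on what is, per the call trace, an SFDP parse path.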