From patchwork Sat Jul 29 18:07:18 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Pierre Bourdon X-Patchwork-Id: 1814537 X-Patchwork-Delegate: dario.binacchi@amarulasolutions.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de (client-ip=85.214.62.61; helo=phobos.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20221208 header.b=TDSeHqbs; dkim-atps=neutral Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4RCstp3GgKz1ybX for ; Sun, 30 Jul 2023 04:08:15 +1000 (AEST) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 345898682C; Sat, 29 Jul 2023 20:08:08 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="TDSeHqbs"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id C3285861A8; Sat, 29 Jul 2023 20:08:06 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-wm1-x332.google.com (mail-wm1-x332.google.com [IPv6:2a00:1450:4864:20::332]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id 3FAA7861A8 for ; Sat, 29 Jul 2023 20:08:02 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=delroth@gmail.com Received: by mail-wm1-x332.google.com with SMTP id 5b1f17b1804b1-3fbab0d0b88so29923345e9.0 for ; Sat, 29 Jul 2023 11:08:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1690654081; x=1691258881; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=XEOsuT7K4llVvI57Q4JhdkGZmHHwzvo6GAcD9Bw4MD8=; b=TDSeHqbs8h9WGxdZfo9bn7ukYu1kFSt3X8NGq0jFF3cTaUJAjyYZkGCcKWI8kH3zI2 aWT2t32t4/Ovittvsdv/HYmZZsdNTMSybe1yarJQO4l/UPFo5b+tvBeiu0XO3nJAgvGW FcTad6nShvznxsQn7lgs6jIAhqoJzk7I1eZE/UPBH117zN8lzvFWcyhh+jOpD1WiUjD4 6L5933rN2Vkrfu8u54+RRLwBIFxnrlA6zrmzRWykheveOmz2tO3RIo+1DM0BXCUFbYAh xSrsecGSPtHJkgD2ozu7Ip/yskjkptFiwJKPfo6UWPan4I9++Kcjoekoa5/HMUwZriIB KQTQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1690654081; x=1691258881; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=XEOsuT7K4llVvI57Q4JhdkGZmHHwzvo6GAcD9Bw4MD8=; b=DN3De9rwmTfu8w0l5z8KrQhNa/PkQdDs1PFiSHevD70fgm/YawR8skzuD4pRcoyrh5 RhdEte8tBouC8VE1RVB4Uwa+lCr31fkD2iCsfjeLLPZI8XFurmmHto9jcx6MRpzLpOZa qVOUWivbHvdqdVIquWszjkiFa0/+Va13V1U8TtxrUxn67amci+CE4Hos2SzA3ZCRtC12 +iShWlzwhZ9euqlZdrnBJHv1ZtU4DUGgwQMrBVvkIHfm/jh6p0BNHGnAK5kUcXQ7ieY2 T3WuqL6fPHU1rLr0Io1SMwzWG1KDCS/uhX864+BYnZKj1HEXGyI5LQvmShA+xFfeN06M G3RQ== X-Gm-Message-State: ABy/qLZdsCplg/y4vZuWFapWfHpBV8AeyLWMTX567En82SIjYAXRGBuy NcTMk9F6QTBDT1UNdr3P3uabT8+4g+I= X-Google-Smtp-Source: APBJJlFKWEEFISwePsSJx6bx1XwPjCDcifJoavwSjOjWoicprZFZxmkngJ0Uk+aZKAbQqfQFUNcNww== X-Received: by 2002:adf:cd91:0:b0:317:671f:4d40 with SMTP id q17-20020adfcd91000000b00317671f4d40mr4543809wrj.20.1690654081019; Sat, 29 Jul 2023 11:08:01 -0700 (PDT) Received: from lowell.delroth.net ([2a02:168:6426::10]) by smtp.gmail.com with ESMTPSA id r6-20020adfce86000000b003179b3fd837sm752393wrn.33.2023.07.29.11.07.59 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 29 Jul 2023 11:08:00 -0700 (PDT) From: Pierre Bourdon To: u-boot@lists.denx.de Cc: Pierre Bourdon , Dario Binacchi , Jagan Teki , Michael Trimarchi , Miquel Raynal Subject: [PATCH] mtd: nand: pxa3xx: Fix buffer overflow during raw reads Date: Sat, 29 Jul 2023 20:07:18 +0200 Message-ID: <20230729180732.4056248-1-delroth@gmail.com> X-Mailer: git-send-email 2.41.0 MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.8 at phobos.denx.de X-Virus-Status: Clean Chunked raw reads get accumulated to the data buffer, but in some ECC configurations they can end up being larger than the originally computed size (write page size + OOB size). For example: 4K page size, ECC strength 8: - Normal reads: writesize (4096B) + oobsize (128B) = 4224 bytes. - Chunked raw reads: 4 chunks of 1024B + 1 final spare area of 64B + 5 ECC areas of 32B = 4320B. Fixes: 6293b0361d9 ("mtd: nand: pxa3xx: add raw read support") Signed-off-by: Pierre Bourdon --- drivers/mtd/nand/raw/pxa3xx_nand.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/drivers/mtd/nand/raw/pxa3xx_nand.c b/drivers/mtd/nand/raw/pxa3xx_nand.c index d502e967f9..2894ababbe 100644 --- a/drivers/mtd/nand/raw/pxa3xx_nand.c +++ b/drivers/mtd/nand/raw/pxa3xx_nand.c @@ -1471,6 +1471,19 @@ static void pxa3xx_nand_detect_config(struct pxa3xx_nand_info *info) static int pxa3xx_nand_init_buff(struct pxa3xx_nand_info *info) { + unsigned int chunk_size; + unsigned int last_chunk_size; + + /* + * The data buffer needs to not only be large enough for normal + OOB + * reads, but also for raw reads. The raw reads can end up taking more + * space due to the chunking scheme. + */ + chunk_size = info->chunk_size + info->spare_size + info->ecc_size; + last_chunk_size = + info->last_chunk_size + info->last_spare_size + info->ecc_size; + info->buf_size = info->nfullchunks * chunk_size + last_chunk_size; + info->data_buff = kmalloc(info->buf_size, GFP_KERNEL); if (info->data_buff == NULL) return -ENOMEM; @@ -1661,7 +1674,6 @@ static int pxa3xx_nand_scan(struct mtd_info *mtd) kfree(info->data_buff); /* allocate the real data + oob buffer */ - info->buf_size = mtd->writesize + mtd->oobsize; ret = pxa3xx_nand_init_buff(info); if (ret) return ret;