From: Boris Brezillon <boris.brezillon@bootlin.com>
To: <Tudor.Ambarus@microchip.com>
Cc: <marek.vasut@gmail.com>, <dwmw2@infradead.org>,
<computersforpeace@gmail.com>, <richard@nod.at>,
<linux-mtd@lists.infradead.org>, <linux-kernel@vger.kernel.org>,
<yogeshnarayan.gaur@nxp.com>, <cyrille.pitchen@wedev4u.fr>
Subject: Re: [PATCH 2/7] mtd: spi-nor: fix iteration over smpt array
Date: Thu, 8 Nov 2018 13:50:38 +0100 [thread overview]
Message-ID: <20181108135038.3fb9e995@bbrezillon> (raw)
In-Reply-To: <20181108110653.21063-3-tudor.ambarus@microchip.com>
On Thu, 8 Nov 2018 11:07:09 +0000
<Tudor.Ambarus@microchip.com> wrote:
> Iterate over smpt array using its starting address and length
> instead of the blindly iterations that used data found in the array.
^blind
>
> This prevents possible memory accesses outside of the smpt array
> boundaries in case software, or manufacturers, misrepresent smpt
> array fields.
>
> Suggested-by: Boris Brezillon <boris.brezillon@bootlin.com>
> Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
I think we should consider this patch as a fix. Would you mind adding a
Fixes tag?
> ---
> drivers/mtd/spi-nor/spi-nor.c | 39 +++++++++++++++++++++++++++++----------
> 1 file changed, 29 insertions(+), 10 deletions(-)
>
> diff --git a/drivers/mtd/spi-nor/spi-nor.c b/drivers/mtd/spi-nor/spi-nor.c
> index 2cdf96013689..59dcedb08691 100644
> --- a/drivers/mtd/spi-nor/spi-nor.c
> +++ b/drivers/mtd/spi-nor/spi-nor.c
> @@ -2860,12 +2860,15 @@ static u8 spi_nor_smpt_read_dummy(const struct spi_nor *nor, const u32 settings)
> * spi_nor_get_map_in_use() - get the configuration map in use
> * @nor: pointer to a 'struct spi_nor'
> * @smpt: pointer to the sector map parameter table
> + * @smpt_len: sector map parameter table length
> */
> -static const u32 *spi_nor_get_map_in_use(struct spi_nor *nor, const u32 *smpt)
> +static const u32 *spi_nor_get_map_in_use(struct spi_nor *nor, const u32 *smpt,
> + u8 smpt_len)
> {
> const u32 *ret = NULL;
> - u32 i, addr;
> + u32 addr;
> int err;
> + u8 i;
> u8 addr_width, read_opcode, read_dummy;
> u8 read_data_mask, data_byte, map_id;
>
> @@ -2874,9 +2877,10 @@ static const u32 *spi_nor_get_map_in_use(struct spi_nor *nor, const u32 *smpt)
> read_opcode = nor->read_opcode;
>
> map_id = 0;
> - i = 0;
> /* Determine if there are any optional Detection Command Descriptors */
> - while (!(smpt[i] & SMPT_DESC_TYPE_MAP)) {
> + for (i = 0; i < smpt_len; i += 2) {
> + if (smpt[i] & SMPT_DESC_TYPE_MAP)
> + break;
nit: add a blank line here.
> read_data_mask = SMPT_CMD_READ_DATA(smpt[i]);
> nor->addr_width = spi_nor_smpt_addr_width(nor, smpt[i]);
> nor->read_dummy = spi_nor_smpt_read_dummy(nor, smpt[i]);
> @@ -2892,18 +2896,33 @@ static const u32 *spi_nor_get_map_in_use(struct spi_nor *nor, const u32 *smpt)
> * Configuration that is currently in use.
> */
> map_id = map_id << 1 | !!(data_byte & read_data_mask);
> - i = i + 2;
> }
>
> - /* Find the matching configuration map */
> - while (SMPT_MAP_ID(smpt[i]) != map_id) {
> + /*
> + * If command descriptors are provided, they always precede map
> + * descriptors in the table. There is no need to start the iteration
> + * over smpt array all over again.
> + *
> + * Find the matching configuration map.
> + */
> + while (i < smpt_len) {
> + if (SMPT_MAP_ID(smpt[i]) == map_id) {
> + ret = smpt + i;
> + break;
> + }
> +
> + /*
> + * If there are no more configuration map descriptors and no
> + * configuration ID matched the configuration identifier, the
> + * sector address map is unknown.
> + */
> if (smpt[i] & SMPT_DESC_END)
> - goto out;
> + break;
> +
> /* increment the table index to the next map */
> i += SMPT_MAP_REGION_COUNT(smpt[i]) + 1;
> }
>
> - ret = smpt + i;
> /* fall through */
> out:
> nor->addr_width = addr_width;
> @@ -3025,7 +3044,7 @@ static int spi_nor_parse_smpt(struct spi_nor *nor,
> for (i = 0; i < smpt_header->length; i++)
> smpt[i] = le32_to_cpu(smpt[i]);
>
> - sector_map = spi_nor_get_map_in_use(nor, smpt);
> + sector_map = spi_nor_get_map_in_use(nor, smpt, smpt_header->length);
> if (!sector_map) {
> ret = -EINVAL;
> goto out;
next prev parent reply other threads:[~2018-11-08 12:50 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-08 11:07 [PATCH 0/7] mtd: spi-nor: fixes found when debugging smpt Tudor.Ambarus
2018-11-08 11:07 ` [PATCH 1/7] mtd: spi-nor: don't drop sfdp data if optional parsers fail Tudor.Ambarus
2018-11-08 11:07 ` [PATCH 2/7] mtd: spi-nor: fix iteration over smpt array Tudor.Ambarus
2018-11-08 12:50 ` Boris Brezillon [this message]
2018-11-08 11:07 ` [PATCH 3/7] mtd: spi-nor: add restriction for nmaps in smpt parser Tudor.Ambarus
2018-11-08 12:54 ` Boris Brezillon
2018-11-08 13:08 ` Boris Brezillon
2018-11-08 13:58 ` Tudor.Ambarus
2018-11-08 14:15 ` Boris Brezillon
2018-11-08 14:48 ` Tudor.Ambarus
2018-11-08 14:54 ` Boris Brezillon
2018-11-08 15:00 ` Tudor.Ambarus
2018-11-08 11:07 ` [PATCH 4/7] mtd: spi-nor: don't overwrite errno in spi_nor_get_map_in_use() Tudor.Ambarus
2018-11-08 11:07 ` [PATCH 5/7] mtd: spi_nor: pass DMA-able buffer to spi_nor_read_raw() Tudor.Ambarus
2018-11-08 13:01 ` Boris Brezillon
2018-11-08 11:07 ` [PATCH 6/7] mtd: spi-nor: ensure memory used for nor->read() is DMA safe Tudor.Ambarus
2018-11-08 13:03 ` Boris Brezillon
2018-11-08 11:07 ` [PATCH 7/7] mtd: spi-nor: remove unneeded smpt zeroization Tudor.Ambarus
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181108135038.3fb9e995@bbrezillon \
--to=boris.brezillon@bootlin.com \
--cc=Tudor.Ambarus@microchip.com \
--cc=computersforpeace@gmail.com \
--cc=cyrille.pitchen@wedev4u.fr \
--cc=dwmw2@infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mtd@lists.infradead.org \
--cc=marek.vasut@gmail.com \
--cc=richard@nod.at \
--cc=yogeshnarayan.gaur@nxp.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).