From: Miquel Raynal <miquel.raynal@bootlin.com>
To: Linus Walleij <linus.walleij@linaro.org>
Cc: Richard Weinberger <richard@nod.at>,
	Vignesh Raghavendra <vigneshr@ti.com>,
	linux-mtd@lists.infradead.org, linux-kernel@vger.kernel.org,
	stable@vger.kernel.org, Nicolas Pitre <nico@fluxnic.net>
Subject: Re: [PATCH v4] mtd: cfi_cmdset_0001: Byte swap OTP info
Date: Mon, 23 Oct 2023 10:25:52 +0200
Message-ID: <20231023102552.4b053b17@xps-13>
In-Reply-To: <20231020-mtd-otp-byteswap-v4-1-0d132c06aa9d@linaro.org>

Hi Linus,

linus.walleij@linaro.org wrote on Fri, 20 Oct 2023 22:30:29 +0200:

> Currently the offset into the device when looking for OTP
> bits can go outside of the address of the MTD NOR devices,
> and if that memory isn't readable, bad things happen
> on the IXP4xx (added prints that illustrate the problem before
> the crash):
> 
> cfi_intelext_otp_walk walk OTP on chip 0 start at reg_prot_offset 0x00000100
> ixp4xx_copy_from copy from 0x00000100 to 0xc880dd78
> cfi_intelext_otp_walk walk OTP on chip 0 start at reg_prot_offset 0x12000000
> ixp4xx_copy_from copy from 0x12000000 to 0xc880dd78
> 8<--- cut here ---
> Unable to handle kernel paging request at virtual address db000000
> [db000000] *pgd=00000000
> (...)
> 
> This happens in this case because the IXP4xx is big endian and
> the 32- and 16-bit fields in the struct cfi_intelext_otpinfo are not
> properly byteswapped. Compare to how the code in read_pri_intelext()
> byteswaps the fields in struct cfi_pri_intelext.
> 
> Adding a small byte swapping loop for the OTP in read_pri_intelext()
> and the crash goes away.
> 
> The problem went unnoticed for many years until I enabled
> CONFIG_MTD_OTP on the IXP4xx as well, triggering the bug.
> 
> Cc: stable@vger.kernel.org

Would you like to add a Fixes tag as well? Or is this skipped on
purpose?

> Reviewed-by: Nicolas Pitre <nico@fluxnic.net>
> Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
> ---
> ChangeLog v3->v4:
> - Collected Nico's ACK.
> - Stalled since June! Has this been missed?

Our current organization relies on Vignesh to pick up (or tell me to
pick up) cfi patches. But he is slightly less active these days, so if I
don't get any feedback from him soon I will take it for the next merge
window.

Sorry for the delay anyway.

Cheers,
Miquèl
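
The endianness failure described in the quoted commit message, as an added example that is not part of this thread and not kernel code. The record layout, field names, sample bytes and 16 MiB device size are assumptions; the bytes are constructed so that an unswapped big-endian load yields the 0x12000000 offset seen in the log.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical OTP info record: fields are little-endian on the flash. */
struct otp_rec {
    uint32_t addr;                /* protection register offset */
    uint16_t fact_groups, user_groups;
    uint8_t  fact_size, user_size;
};
#define OTP_REC_LEN 10u           /* packed on-flash length */
#define DEV_SIZE    0x01000000u   /* constructed: 16 MiB NOR device */
/* Constructed sample: addr 0x00000012 stored little-endian. */
static const uint8_t sample_rec[OTP_REC_LEN] = { 0x12, 0, 0, 0, 1, 0, 3, 1, 0, 4 };

/* Byte-wise decode: identical result on little- and big-endian CPUs. */
static uint32_t le32_at(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t le16_at(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Value a big-endian CPU sees when it loads the field without swapping. */
static uint32_t be32_at(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
           (uint32_t)p[2] << 8 | (uint32_t)p[3];
}

/* Decode a record; reject it if the offset lies outside the device. */
static int otp_parse(const uint8_t *raw, size_t len, uint32_t dev_size,
                     struct otp_rec *out)
{
    if (len < OTP_REC_LEN) return -1;
    out->addr        = le32_at(raw);
    out->fact_groups = le16_at(raw + 4);
    out->fact_size   = raw[6];
    out->user_groups = le16_at(raw + 7);
    out->user_size   = raw[9];
    return out->addr < dev_size ? 0 : -1;
}

int main(void)
{
    struct otp_rec r;
    int rc = otp_parse(sample_rec, sizeof sample_rec, DEV_SIZE, &r);
    printf("le=0x%08x rc=%d be=0x%08x\n", (unsigned)r.addr, rc, (unsigned)be32_at(sample_rec));
    return 0;
}
```

The range check in `otp_parse()` is an extra guard beyond the byte swap discussed in the thread: it turns a mis-decoded offset into a rejected record instead of an out-of-range read.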
