From: Miquel Raynal <miquel.raynal@bootlin.com>
To: Gabor Juhos <j4g8y7@gmail.com>
Cc: Mark Brown <broonie@kernel.org>,
Md Sadre Alam <quic_mdalam@quicinc.com>,
Varadarajan Narayanan <quic_varada@quicinc.com>,
Sricharan Ramabadhran <quic_srichara@quicinc.com>,
Richard Weinberger <richard@nod.at>,
Vignesh Raghavendra <vigneshr@ti.com>,
linux-spi@vger.kernel.org, linux-mtd@lists.infradead.org,
linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/2] mtd: nand: qpic_common: prevent out of bounds access of BAM arrays
Date: Mon, 26 May 2025 11:27:45 +0200 [thread overview]
Message-ID: <87cybv2032.fsf@bootlin.com> (raw)
In-Reply-To: <20250525-qpic-snand-avoid-mem-corruption-v1-2-5fe528def7fb@gmail.com> (Gabor Juhos's message of "Sun, 25 May 2025 19:05:36 +0200")
Hi Gabor,
On 25/05/2025 at 19:05:36 +02, Gabor Juhos <j4g8y7@gmail.com> wrote:
> The common QPIC code does not do any boundary checking when it handles
> the command elements and scatter gater list arrays of a BAM transaction,
> thus it allows to access out of bounds elements in those.
>
> Although it is the responsibility of the given driver to allocate enough
> space for all possible BAM transaction variations, however there can be
> mistakes in the driver code which can lead to hidden memory corruption
> issues which are hard to debug.
>
> This kind of problem has been observed during testing the 'spi-qpic-snand'
> driver. Although the driver has been fixed with a preceding patch, but it
> still makes sense to reduce the chance of having such errors again later.
>
> In order to prevent such errors, change the qcom_alloc_bam_transaction()
> function to store the number of elements of the arrays in the
> 'bam_transaction' strucutre during allocation. Also, add sanity checks to
> the qcom_prep_bam_dma_desc_{cmd,data}() functions to avoid using out of
> bounds indices for the arrays.
>
> Tested with the 'spi-qpic-snand' driver only.
>
> Signed-off-by: Gabor Juhos <j4g8y7@gmail.com>
> ---
> Preferably, this should go in via the SPI tree along with the previous
> patch. It is not a strict requirement though, in the case it gets
> included separately through the mtd tree it reveals the bug fixed in
> the first patch.
Sorry, didn't see that in the first place. Fine by me.
> ---
> drivers/mtd/nand/qpic_common.c | 28 ++++++++++++++++++++++++----
> include/linux/mtd/nand-qpic-common.h | 8 ++++++++
> 2 files changed, 32 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/mtd/nand/qpic_common.c b/drivers/mtd/nand/qpic_common.c
> index e0ed25b5afea9b289b767cd3d9c2d7572ed52008..fb1f81e4bdacaa3e81660a20e164926c64633513 100644
> --- a/drivers/mtd/nand/qpic_common.c
> +++ b/drivers/mtd/nand/qpic_common.c
> @@ -15,6 +15,13 @@
> #include <linux/slab.h>
> #include <linux/mtd/nand-qpic-common.h>
>
> +static inline int qcom_err_bam_array_full(struct qcom_nand_controller *nandc,
> + const char *name)
> +{
> + dev_err(nandc->dev, "BAM %s array is full\n", name);
> + return -EINVAL;
> +}
This is rather uncommon, I don't know if it's very relevant to do
that. Please drop this static inline function.
Thanks,
Miquèl
WARNING: multiple messages have this Message-ID (diff)
From: Miquel Raynal <miquel.raynal@bootlin.com>
To: Gabor Juhos <j4g8y7@gmail.com>
Cc: Mark Brown <broonie@kernel.org>,
Md Sadre Alam <quic_mdalam@quicinc.com>,
Varadarajan Narayanan <quic_varada@quicinc.com>,
Sricharan Ramabadhran <quic_srichara@quicinc.com>,
Richard Weinberger <richard@nod.at>,
Vignesh Raghavendra <vigneshr@ti.com>,
linux-spi@vger.kernel.org, linux-mtd@lists.infradead.org,
linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/2] mtd: nand: qpic_common: prevent out of bounds access of BAM arrays
Date: Mon, 26 May 2025 11:27:45 +0200 [thread overview]
Message-ID: <87cybv2032.fsf@bootlin.com> (raw)
In-Reply-To: <20250525-qpic-snand-avoid-mem-corruption-v1-2-5fe528def7fb@gmail.com> (Gabor Juhos's message of "Sun, 25 May 2025 19:05:36 +0200")
Hi Gabor,
On 25/05/2025 at 19:05:36 +02, Gabor Juhos <j4g8y7@gmail.com> wrote:
> The common QPIC code does not do any boundary checking when it handles
> the command elements and scatter gater list arrays of a BAM transaction,
> thus it allows to access out of bounds elements in those.
>
> Although it is the responsibility of the given driver to allocate enough
> space for all possible BAM transaction variations, however there can be
> mistakes in the driver code which can lead to hidden memory corruption
> issues which are hard to debug.
>
> This kind of problem has been observed during testing the 'spi-qpic-snand'
> driver. Although the driver has been fixed with a preceding patch, but it
> still makes sense to reduce the chance of having such errors again later.
>
> In order to prevent such errors, change the qcom_alloc_bam_transaction()
> function to store the number of elements of the arrays in the
> 'bam_transaction' strucutre during allocation. Also, add sanity checks to
> the qcom_prep_bam_dma_desc_{cmd,data}() functions to avoid using out of
> bounds indices for the arrays.
>
> Tested with the 'spi-qpic-snand' driver only.
>
> Signed-off-by: Gabor Juhos <j4g8y7@gmail.com>
> ---
> Preferably, this should go in via the SPI tree along with the previous
> patch. It is not a strict requirement though, in the case it gets
> included separately through the mtd tree it reveals the bug fixed in
> the first patch.
Sorry, didn't see that in the first place. Fine by me.
> ---
> drivers/mtd/nand/qpic_common.c | 28 ++++++++++++++++++++++++----
> include/linux/mtd/nand-qpic-common.h | 8 ++++++++
> 2 files changed, 32 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/mtd/nand/qpic_common.c b/drivers/mtd/nand/qpic_common.c
> index e0ed25b5afea9b289b767cd3d9c2d7572ed52008..fb1f81e4bdacaa3e81660a20e164926c64633513 100644
> --- a/drivers/mtd/nand/qpic_common.c
> +++ b/drivers/mtd/nand/qpic_common.c
> @@ -15,6 +15,13 @@
> #include <linux/slab.h>
> #include <linux/mtd/nand-qpic-common.h>
>
> +static inline int qcom_err_bam_array_full(struct qcom_nand_controller *nandc,
> + const char *name)
> +{
> + dev_err(nandc->dev, "BAM %s array is full\n", name);
> + return -EINVAL;
> +}
This is rather uncommon, I don't know if it's very relevant to do
that. Please drop this static inline function.
Thanks,
Miquèl
______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/
next prev parent reply other threads:[~2025-05-26 9:27 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-25 17:05 [PATCH 0/2] spi: spi-qpic-snand: avoid memory corruption Gabor Juhos
2025-05-25 17:05 ` Gabor Juhos
2025-05-25 17:05 ` [PATCH 1/2] spi: spi-qpic-snand: reallocate BAM transactions Gabor Juhos
2025-05-25 17:05 ` Gabor Juhos
2025-05-26 5:56 ` Md Sadre Alam
2025-05-26 5:56 ` Md Sadre Alam
2025-05-27 11:28 ` Mark Brown
2025-05-27 11:28 ` Mark Brown
2025-05-27 12:23 ` Gabor Juhos
2025-05-27 12:23 ` Gabor Juhos
2025-05-25 17:05 ` [PATCH 2/2] mtd: nand: qpic_common: prevent out of bounds access of BAM arrays Gabor Juhos
2025-05-25 17:05 ` Gabor Juhos
2025-05-26 6:53 ` Md Sadre Alam
2025-05-26 6:53 ` Md Sadre Alam
2025-05-26 20:01 ` Gabor Juhos
2025-05-26 20:01 ` Gabor Juhos
2025-05-28 6:11 ` Lakshmi Sowjanya D (QUIC)
2025-05-28 6:11 ` Lakshmi Sowjanya D (QUIC)
2025-05-26 9:27 ` Miquel Raynal [this message]
2025-05-26 9:27 ` Miquel Raynal
2025-05-26 20:21 ` Gabor Juhos
2025-05-26 20:21 ` Gabor Juhos
2025-05-26 8:13 ` [PATCH 0/2] spi: spi-qpic-snand: avoid memory corruption Miquel Raynal
2025-05-26 8:13 ` Miquel Raynal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87cybv2032.fsf@bootlin.com \
--to=miquel.raynal@bootlin.com \
--cc=broonie@kernel.org \
--cc=j4g8y7@gmail.com \
--cc=linux-arm-msm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mtd@lists.infradead.org \
--cc=linux-spi@vger.kernel.org \
--cc=quic_mdalam@quicinc.com \
--cc=quic_srichara@quicinc.com \
--cc=quic_varada@quicinc.com \
--cc=richard@nod.at \
--cc=vigneshr@ti.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.