From: Pratyush Yadav <pratyush@kernel.org>
To: Gabor Juhos <j4g8y7@gmail.com>
Cc: Miquel Raynal <miquel.raynal@bootlin.com>,
Santhosh Kumar K <s-k6@ti.com>,
Richard Weinberger <richard@nod.at>,
Vignesh Raghavendra <vigneshr@ti.com>,
linux-mtd@lists.infradead.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org, Daniel Golle <daniel@makrotopia.org>
Subject: Re: [PATCH v2] mtd: core: always verify OOB offset in mtd_check_oob_ops()
Date: Thu, 11 Sep 2025 15:03:58 +0200
Message-ID: <mafs0v7lpi1j5.fsf@kernel.org>
In-Reply-To: <a208824c-acf6-4a48-8fde-f9926a6e4db5@gmail.com>

On Thu, Sep 11 2025, Gabor Juhos wrote:
> Hi Miquel, Santhosh,
>
> On 2025. 09. 11. 10:00, Miquel Raynal wrote:
>> Hello,
>>
>> On 11/09/2025 at 11:52:27 +0530, Santhosh Kumar K <s-k6@ti.com> wrote:
>>
>>> Hello,
>>>
>>> On 05/09/25 20:25, Miquel Raynal wrote:
>>>> On Mon, 01 Sep 2025 16:24:35 +0200, Gabor Juhos wrote:
>>>>> Using an OOB offset past end of the available OOB data is invalid,
>>>>> irregardless of whether the 'ooblen' is set in the ops or not. Move
>>>>> the relevant check out from the if statement to always verify that.
>>>>>
>>>>> The 'oobtest' module executes four tests to verify how reading/writing
>>>>> OOB data past end of the devices is handled. It expects errors in case
>>>>> of these tests, but this expectation fails in the last two tests on
>>>>> MTD devices, which have no OOB bytes available.
>>>>>
>>>>> [...]
>>>> Applied to mtd/next, thanks!
>>>> [1/1] mtd: core: always verify OOB offset in mtd_check_oob_ops()
>>>> commit: bf7d0543b2602be5cb450d8ec5a8710787806f88
>>>
>>> I'm seeing a failure in SPI NOR flashes due to this patch:
>>> (Tested on AM62x SK with S28HS512T OSPI NOR flash)
>
> Sorry for the inconvenience.
>
>> Gabor, can you check what happens with mtdblock?

My guess from a quick look at the code is that NOR devices have
mtd->oobsize == 0 and mtd_read() sets ops->ooboffs and ops->ooblen to 0.
So now that this check is not guarded by if (ops->ooblen), it gets
triggered for NOR devices on the mtd_read() path and essentially turns
into an if (0 >= 0), returning -EINVAL.

Maybe a better check is if ((ops->ooboffs + ops->ooblen) > mtd_oobavail())?
Note that the equality is not an error in this case. I haven't worked
with the OOB code much so I am not sure if this condition makes sense,
but seems to do so at first glance at least.

[...]

--
Regards,
Pratyush Yadav
______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/
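
The three forms of the OOB offset check discussed in this message, modelled side by side as an added example (not code from the thread or from the kernel tree). The struct oob_req, the function names and the sample requests are constructed for illustration; oobavail stands in for the value mtd_oobavail() returns, and the sum is widened to 64 bits so it cannot wrap in the model.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for the fields named in the message, not the kernel structs. */
struct oob_req {
    const char *name;
    uint32_t oobavail; /* what mtd_oobavail() would return */
    uint32_t ooboffs;  /* ops->ooboffs */
    uint32_t ooblen;   /* ops->ooblen */
};

/* Before the patch: the offset is only checked when ooblen is non-zero. */
int check_guarded(const struct oob_req *r)
{
    return (r->ooblen && r->ooboffs >= r->oobavail) ? -EINVAL : 0;
}

/* After the patch: the offset is always checked. */
int check_unguarded(const struct oob_req *r)
{
    return (r->ooboffs >= r->oobavail) ? -EINVAL : 0;
}

/* Condition suggested in the reply: equality is allowed, sum computed in 64 bits. */
int check_sum(const struct oob_req *r)
{
    return ((uint64_t)r->ooboffs + r->ooblen > r->oobavail) ? -EINVAL : 0;
}

/* Constructed sample requests. */
const struct oob_req nor_read     = { "NOR mtd_read(), no OOB",     0,  0,  0 };
const struct oob_req no_oob_offs1 = { "no OOB, offset 1, len 0",    0,  1,  0 };
const struct oob_req offs_at_end  = { "64 avail, offset 64, len 0", 64, 64, 0 };
const struct oob_req in_range     = { "64 avail, offset 0, len 64", 64, 0,  64 };

int main(void)
{
    const struct oob_req *cases[] = { &nor_read, &no_oob_offs1, &offs_at_end, &in_range };

    printf("%-28s %8s %10s %5s\n", "request", "guarded", "unguarded", "sum");
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-28s %8d %10d %5d\n", cases[i]->name, check_guarded(cases[i]),
               check_unguarded(cases[i]), check_sum(cases[i]));
    return 0;
}
```

The first row is the NOR read path described in the message; the second is an out-of-range offset with zero length on a device without OOB bytes, which only the guarded form lets through.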