[PATCH] mtd: nand: fix bug writing 1 byte less than page size

[PATCH] mtd: nand: fix bug writing 1 byte less than page size

[Hector Palacios]

nand_do_write_ops() determines if it is writing a partial page with the
formula:
	part_pagewr = (column || writelen < (mtd->writesize - 1))

When 'writelen' is exactly 1 byte less than the NAND page size the formula
equates to zero, so the code doesn't process it as a partial write,
although it should.
As a consequence the function remains in the while(1) loop with 'writelen'
becoming 0xffffffff and iterating endlessly.

The bug may not be easy to reproduce in Linux since user space tools
usually force the padding or round-up the write size to a page-size
multiple.
This was discovered in U-Boot where the issue can be reproduced by
writing any size that is 1 byte less than a page-size multiple.
For example, on a NAND with 2K page (0x800):
	=> nand erase.part <partition>
	=> nand write $loadaddr <partition> 7ff

Signed-off-by: Hector Palacios <hector.palacios@digi.com>
---
 drivers/mtd/nand/nand_base.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/mtd/nand/nand_base.c b/drivers/mtd/nand/nand_base.c
index 0b0dc29d2af7..77533f7f2429 100644
--- a/drivers/mtd/nand/nand_base.c
+++ b/drivers/mtd/nand/nand_base.c
@@ -2610,7 +2610,7 @@ static int nand_do_write_ops(struct mtd_info *mtd, loff_t to,
 		int cached = writelen > bytes && page != blockmask;
 		uint8_t *wbuf = buf;
 		int use_bufpoi;
-		int part_pagewr = (column || writelen < (mtd->writesize - 1));
+		int part_pagewr = (column || writelen < mtd->writesize);
 
 		if (part_pagewr)
 			use_bufpoi = 1;

Re: [PATCH] mtd: nand: fix bug writing 1 byte less than page size

[Boris Brezillon]

On Mon, 18 Jul 2016 10:39:18 +0200
Hector Palacios <hector.palacios@digi.com> wrote:

> nand_do_write_ops() determines if it is writing a partial page with the
> formula:
> 	part_pagewr = (column || writelen < (mtd->writesize - 1))
> 
> When 'writelen' is exactly 1 byte less than the NAND page size the formula
> equates to zero, so the code doesn't process it as a partial write,
> although it should.
> As a consequence the function remains in the while(1) loop with 'writelen'
> becoming 0xffffffff and iterating endlessly.
> 
> The bug may not be easy to reproduce in Linux since user space tools
> usually force the padding or round-up the write size to a page-size
> multiple.
> This was discovered in U-Boot where the issue can be reproduced by
> writing any size that is 1 byte less than a page-size multiple.
> For example, on a NAND with 2K page (0x800):
> 	=> nand erase.part <partition>
> 	=> nand write $loadaddr <partition> 7ff  
> 
> Signed-off-by: Hector Palacios <hector.palacios@digi.com>

Acked-by: Boris Brezillon <boris.brezillon@free-electrons.com>

Brian, can you take this patch in your tree.

As usual, I'm unsure whether we should Cc stable or not, but we
should at least add

Fixes: 66507c7bc8895 ("mtd: nand: Add support to use nand_base poi databuf as bounce buffer")

> ---
>  drivers/mtd/nand/nand_base.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/mtd/nand/nand_base.c b/drivers/mtd/nand/nand_base.c
> index 0b0dc29d2af7..77533f7f2429 100644
> --- a/drivers/mtd/nand/nand_base.c
> +++ b/drivers/mtd/nand/nand_base.c
> @@ -2610,7 +2610,7 @@ static int nand_do_write_ops(struct mtd_info *mtd, loff_t to,
>  		int cached = writelen > bytes && page != blockmask;
>  		uint8_t *wbuf = buf;
>  		int use_bufpoi;
> -		int part_pagewr = (column || writelen < (mtd->writesize - 1));
> +		int part_pagewr = (column || writelen < mtd->writesize);
>  
>  		if (part_pagewr)
>  			use_bufpoi = 1;

Re: [PATCH] mtd: nand: fix bug writing 1 byte less than page size

[Brian Norris]

+ Kamal, FYI

On Mon, Jul 18, 2016 at 11:04:32AM +0200, Boris Brezillon wrote:
> On Mon, 18 Jul 2016 10:39:18 +0200
> Hector Palacios <hector.palacios@digi.com> wrote:
> 
> > nand_do_write_ops() determines if it is writing a partial page with the
> > formula:
> > 	part_pagewr = (column || writelen < (mtd->writesize - 1))
> > 
> > When 'writelen' is exactly 1 byte less than the NAND page size the formula
> > equates to zero, so the code doesn't process it as a partial write,
> > although it should.
> > As a consequence the function remains in the while(1) loop with 'writelen'
> > becoming 0xffffffff and iterating endlessly.
> > 
> > The bug may not be easy to reproduce in Linux since user space tools
> > usually force the padding or round-up the write size to a page-size
> > multiple.
> > This was discovered in U-Boot where the issue can be reproduced by
> > writing any size that is 1 byte less than a page-size multiple.
> > For example, on a NAND with 2K page (0x800):
> > 	=> nand erase.part <partition>
> > 	=> nand write $loadaddr <partition> 7ff  
> > 
> > Signed-off-by: Hector Palacios <hector.palacios@digi.com>
> 
> Acked-by: Boris Brezillon <boris.brezillon@free-electrons.com>
> 
> Brian, can you take this patch in your tree.
> 
> As usual, I'm unsure whether we should Cc stable or not, but we
> should at least add
> 
> Fixes: 66507c7bc8895 ("mtd: nand: Add support to use nand_base poi databuf as bounce buffer")

Applied to l2-mtd.git with Fixes and stable tags. Thanks!

> > ---
> >  drivers/mtd/nand/nand_base.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/drivers/mtd/nand/nand_base.c b/drivers/mtd/nand/nand_base.c
> > index 0b0dc29d2af7..77533f7f2429 100644
> > --- a/drivers/mtd/nand/nand_base.c
> > +++ b/drivers/mtd/nand/nand_base.c
> > @@ -2610,7 +2610,7 @@ static int nand_do_write_ops(struct mtd_info *mtd, loff_t to,
> >  		int cached = writelen > bytes && page != blockmask;
> >  		uint8_t *wbuf = buf;
> >  		int use_bufpoi;
> > -		int part_pagewr = (column || writelen < (mtd->writesize - 1));
> > +		int part_pagewr = (column || writelen < mtd->writesize);
> >  
> >  		if (part_pagewr)
> >  			use_bufpoi = 1;
> 

Re: [PATCH] mtd: nand: fix bug writing 1 byte less than page size

[Scott Wood]

On Mon, 2016-07-18 at 11:04 +0200, Boris Brezillon wrote:
> On Mon, 18 Jul 2016 10:39:18 +0200
> Hector Palacios <hector.palacios@digi.com> wrote:
> 
> > 
> > nand_do_write_ops() determines if it is writing a partial page with the
> > formula:
> > 	part_pagewr = (column || writelen < (mtd->writesize - 1))
> > 
> > When 'writelen' is exactly 1 byte less than the NAND page size the formula
> > equates to zero, so the code doesn't process it as a partial write,
> > although it should.
> > As a consequence the function remains in the while(1) loop with 'writelen'
> > becoming 0xffffffff and iterating endlessly.
> > 
> > The bug may not be easy to reproduce in Linux since user space tools
> > usually force the padding or round-up the write size to a page-size
> > multiple.
> > This was discovered in U-Boot where the issue can be reproduced by
> > writing any size that is 1 byte less than a page-size multiple.
> > For example, on a NAND with 2K page (0x800):
> > 	=> nand erase.part <partition>
> > 	=> nand write $loadaddr <partition> 7ff  
> > 
> > Signed-off-by: Hector Palacios <hector.palacios@digi.com>
> Acked-by: Boris Brezillon <boris.brezillon@free-electrons.com>
> 
> Brian, can you take this patch in your tree.
> 
> As usual, I'm unsure whether we should Cc stable or not, but we
> should at least add
> 
> Fixes: 66507c7bc8895 ("mtd: nand: Add support to use nand_base poi databuf
> as bounce buffer")

That commit just moved the bad test; it was introduced in 29072b96078ffde3
("[MTD] NAND: add subpage write support").

-Scott

Re: [PATCH] mtd: nand: fix bug writing 1 byte less than page size

[Brian Norris]

On Mon, Jul 18, 2016 at 05:37:22PM -0500, Scott Wood wrote:
> On Mon, 2016-07-18 at 11:04 +0200, Boris Brezillon wrote:
> > On Mon, 18 Jul 2016 10:39:18 +0200
> > Hector Palacios <hector.palacios@digi.com> wrote:
> > 
> > > 
> > > nand_do_write_ops() determines if it is writing a partial page with the
> > > formula:
> > > 	part_pagewr = (column || writelen < (mtd->writesize - 1))
> > > 
> > > When 'writelen' is exactly 1 byte less than the NAND page size the formula
> > > equates to zero, so the code doesn't process it as a partial write,
> > > although it should.
> > > As a consequence the function remains in the while(1) loop with 'writelen'
> > > becoming 0xffffffff and iterating endlessly.
> > > 
> > > The bug may not be easy to reproduce in Linux since user space tools
> > > usually force the padding or round-up the write size to a page-size
> > > multiple.
> > > This was discovered in U-Boot where the issue can be reproduced by
> > > writing any size that is 1 byte less than a page-size multiple.
> > > For example, on a NAND with 2K page (0x800):
> > > 	=> nand erase.part <partition>
> > > 	=> nand write $loadaddr <partition> 7ff  
> > > 
> > > Signed-off-by: Hector Palacios <hector.palacios@digi.com>
> > Acked-by: Boris Brezillon <boris.brezillon@free-electrons.com>
> > 
> > Brian, can you take this patch in your tree.
> > 
> > As usual, I'm unsure whether we should Cc stable or not, but we
> > should at least add
> > 
> > Fixes: 66507c7bc8895 ("mtd: nand: Add support to use nand_base poi databuf
> > as bounce buffer")
> 
> That commit just moved the bad test; it was introduced in 29072b96078ffde3
> ("[MTD] NAND: add subpage write support").

Indeed. I've update the Fixes tag and added an additional comment in the
commit message.

Thanks,
Brian