Re: [PATCH] mtd: spi-nor: Fix Cadence QSPI page fault kernel panic

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi,

On 13/11/18 11:02 PM, thor.thayer@xxxxxxxxxxxxxxx wrote:
> From: Thor Thayer <thor.thayer@xxxxxxxxxxxxxxx>
> 
> The current Cadence QSPI driver caused a kernel panic sporadically
> when writing to QSPI. The problem was caused by writing more bytes
> than needed because the QSPI operated on 4 bytes at a time.
> <snip>
> [   11.202044] Unable to handle kernel paging request at virtual address bffd3000
> [   11.209254] pgd = e463054d
> [   11.211948] [bffd3000] *pgd=2fffb811, *pte=00000000, *ppte=00000000
> [   11.218202] Internal error: Oops: 7 [#1] SMP ARM
> [   11.222797] Modules linked in:
> [   11.225844] CPU: 1 PID: 1317 Comm: systemd-hwdb Not tainted 4.17.7-d0c45cd44a8f
> [   11.235796] Hardware name: Altera SOCFPGA Arria10
> [   11.240487] PC is at __raw_writesl+0x70/0xd4
> [   11.244741] LR is at cqspi_write+0x1a0/0x2cc
> </snip>
> On a page boundary limit the number of bytes copied from the tx buffer
> to remain within the page.
> 
> This patch uses a temporary buffer to hold the 4 bytes to write and then
> copies only the bytes required from the tx buffer. A min() function is
> used to limit the length to prevent buffer indexing overflows.
> 
> Reported-by: Adrian Amborzewicz <adrian.ambrozewicz@xxxxxxxxx>
> Signed-off-by: Thor Thayer <thor.thayer@xxxxxxxxxxxxxxx>
> ---
>  drivers/mtd/spi-nor/cadence-quadspi.c | 19 ++++++++++++++++---
>  1 file changed, 16 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/mtd/spi-nor/cadence-quadspi.c b/drivers/mtd/spi-nor/cadence-quadspi.c
> index d846428ef038..3659d94b4d2f 100644
> --- a/drivers/mtd/spi-nor/cadence-quadspi.c
> +++ b/drivers/mtd/spi-nor/cadence-quadspi.c
> @@ -644,9 +644,23 @@ static int cqspi_indirect_write_execute(struct spi_nor *nor, loff_t to_addr,
>  		ndelay(cqspi->wr_delay);
>  
>  	while (remaining > 0) {
> +		size_t write_words, mod_bytes;
> +
>  		write_bytes = remaining > page_size ? page_size : remaining;
> -		iowrite32_rep(cqspi->ahb_base, txbuf,
> -			      DIV_ROUND_UP(write_bytes, 4));
> +		write_words = write_bytes / 4;
> +		mod_bytes = write_bytes % 4;
> +		/* Write 4 bytes at a time then single bytes. */
> +		if (write_words) {
> +			iowrite32_rep(cqspi->ahb_base, txbuf, write_words);
> +			txbuf += (write_words * 4);
> +		}
> +		if (mod_bytes) {
> +			unsigned int temp = 0xFFFFFFFF;
> +
> +			memcpy(&temp, txbuf, min(sizeof(temp), mod_bytes));

Sorry, I dont understand why min() is required here since:
	mod_bytes = write_bytes % 4;
Doesn't that ensure mod_bytes < sizeof(temp)?

> +			iowrite32(temp, cqspi->ahb_base);
> +			txbuf += mod_bytes;
> +		}
>  
>  		if (!wait_for_completion_timeout(&cqspi->transfer_complete,
>  					msecs_to_jiffies(CQSPI_TIMEOUT_MS))) {
> @@ -655,7 +669,6 @@ static int cqspi_indirect_write_execute(struct spi_nor *nor, loff_t to_addr,
>  			goto failwr;
>  		}
>  
> -		txbuf += write_bytes;
>  		remaining -= write_bytes;
>  
>  		if (remaining > 0)
> 

-- 
Regards
Vignesh

______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/
[Index of Archives]     [LARTC]     [Bugtraq]     [Yosemite Forum]     [Photo]

  Powered by Linux