From owner-svn-src-head@FreeBSD.ORG  Wed Nov 20 11:10:24 2013
Return-Path: <owner-svn-src-head@FreeBSD.ORG>
Delivered-To: svn-src-head@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 95F0D3D1;
 Wed, 20 Nov 2013 11:10:24 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by mx1.freebsd.org (Postfix) with ESMTPS id 763A721C3;
 Wed, 20 Nov 2013 11:10:24 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
 by svn.freebsd.org (8.14.7/8.14.7) with ESMTP id rAKBAOqL061216;
 Wed, 20 Nov 2013 11:10:24 GMT (envelope-from gber@svn.freebsd.org)
Received: (from gber@localhost)
 by svn.freebsd.org (8.14.7/8.14.5/Submit) id rAKBAOMY061212;
 Wed, 20 Nov 2013 11:10:24 GMT (envelope-from gber@svn.freebsd.org)
Message-Id: <201311201110.rAKBAOMY061212@svn.freebsd.org>
From: Grzegorz Bernacki <gber@FreeBSD.org>
Date: Wed, 20 Nov 2013 11:10:24 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Subject: svn commit: r258387 - head/sys/dev/nand
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.16
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
 <svn-src-head.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head/>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Nov 2013 11:10:24 -0000

Author: gber
Date: Wed Nov 20 11:10:23 2013
New Revision: 258387
URL: http://svnweb.freebsd.org/changeset/base/258387

Log:
  Split raw reading/programming into smaller chunks to avoid allocating too
  big chunk of kernel memory. Validate size of data. Add error handling to
  avoid calling copyout() when data has not been read correctly.
  
  Reviewed by:    zbb
  Reported by:    x90c <geinblues@gmail.com>
  MFC after:      2 days

Modified:
  head/sys/dev/nand/nand_cdev.c
  head/sys/dev/nand/nand_geom.c

Modified: head/sys/dev/nand/nand_cdev.c
==============================================================================
--- head/sys/dev/nand/nand_cdev.c	Wed Nov 20 11:09:12 2013	(r258386)
+++ head/sys/dev/nand/nand_cdev.c	Wed Nov 20 11:10:23 2013	(r258387)
@@ -294,19 +294,39 @@ nand_ioctl(struct cdev *dev, u_long cmd,
     struct thread *td)
 {
 	struct nand_chip *chip;
+	struct chip_geom  *cg;
 	struct nand_oob_rw *oob_rw = NULL;
 	struct nand_raw_rw *raw_rw = NULL;
 	device_t nandbus;
+	size_t bufsize, len, raw_size;
+	off_t off;
 	uint8_t *buf = NULL;
 	int ret = 0;
 	uint8_t status;
 
 	chip = (struct nand_chip *)dev->si_drv1;
+	cg = &chip->chip_geom;
 	nandbus = device_get_parent(chip->dev);
 
 	if ((cmd == NAND_IO_RAW_READ) || (cmd == NAND_IO_RAW_PROG)) {
 		raw_rw = (struct nand_raw_rw *)data;
-		buf = malloc(raw_rw->len, M_NAND, M_WAITOK);
+		raw_size =  cg->pgs_per_blk * (cg->page_size + cg->oob_size);
+
+		/* Check if len is not bigger than chip size */
+		if (raw_rw->len > raw_size)
+			return (EFBIG);
+
+		/*
+		 * Do not ask for too much memory, in case of large transfers
+		 * read/write in 16-pages chunks
+		 */
+		bufsize = 16 * (cg->page_size + cg->oob_size);
+		if (raw_rw->len < bufsize)
+			bufsize = raw_rw->len;
+
+		buf = malloc(bufsize, M_NAND, M_WAITOK);
+		len = raw_rw->len;
+		off = 0;
 	}
 	switch(cmd) {
 	case NAND_IO_ERASE:
@@ -335,19 +355,37 @@ nand_ioctl(struct cdev *dev, u_long cmd,
 		break;
 
 	case NAND_IO_RAW_PROG:
-		ret = copyin(raw_rw->data, buf, raw_rw->len);
-		if (ret)
-			break;
-		ret = nand_prog_pages_raw(chip, raw_rw->off, buf,
-		    raw_rw->len);
+		while (len > 0) {
+			if (len < bufsize)
+				bufsize = len;
+			ret = copyin(raw_rw->data + off, buf, bufsize);
+			if (ret)
+				break;
+			ret = nand_prog_pages_raw(chip, raw_rw->off + off, buf,
+			    bufsize);
+			if (ret)
+				break;
+			len -= bufsize;
+			off += bufsize;
+		}
 		break;
 
 	case NAND_IO_RAW_READ:
-		ret = nand_read_pages_raw(chip, raw_rw->off, buf,
-		    raw_rw->len);
-		if (ret)
-			break;
-		ret = copyout(buf, raw_rw->data, raw_rw->len);
+		while (len > 0) {
+			if (len < bufsize)
+				bufsize = len;
+
+			ret = nand_read_pages_raw(chip, raw_rw->off + off, buf,
+			    bufsize);
+			if (ret)
+				break;
+
+			ret = copyout(buf, raw_rw->data + off, bufsize);
+			if (ret)
+				break;
+			len -= bufsize;
+			off += bufsize;
+		}
 		break;
 
 	case NAND_IO_PAGE_STAT:

Modified: head/sys/dev/nand/nand_geom.c
==============================================================================
--- head/sys/dev/nand/nand_geom.c	Wed Nov 20 11:09:12 2013	(r258386)
+++ head/sys/dev/nand/nand_geom.c	Wed Nov 20 11:10:23 2013	(r258387)
@@ -193,20 +193,41 @@ nand_ioctl(struct disk *ndisk, u_long cm
     struct thread *td)
 {
 	struct nand_chip *chip;
+	struct chip_geom  *cg;
 	struct nand_oob_rw *oob_rw = NULL;
 	struct nand_raw_rw *raw_rw = NULL;
 	device_t nandbus;
+	size_t bufsize, len, raw_size;
+	off_t off;
 	uint8_t *buf = NULL;
 	int ret = 0;
 	uint8_t status;
 
 	chip = (struct nand_chip *)ndisk->d_drv1;
+	cg = &chip->chip_geom;
 	nandbus = device_get_parent(chip->dev);
 
 	if ((cmd == NAND_IO_RAW_READ) || (cmd == NAND_IO_RAW_PROG)) {
 		raw_rw = (struct nand_raw_rw *)data;
-		buf = malloc(raw_rw->len, M_NAND, M_WAITOK);
+		raw_size =  cg->pgs_per_blk * (cg->page_size + cg->oob_size);
+
+		/* Check if len is not bigger than chip size */
+		if (raw_rw->len > raw_size)
+			return (EFBIG);
+
+		/*
+		 * Do not ask for too much memory, in case of large transfers
+		 * read/write in 16-pages chunks
+		 */
+		bufsize = 16 * (cg->page_size + cg->oob_size);
+		if (raw_rw->len < bufsize)
+			bufsize = raw_rw->len;
+
+		buf = malloc(bufsize, M_NAND, M_WAITOK);
+		len = raw_rw->len;
+		off = 0;
 	}
+
 	switch (cmd) {
 	case NAND_IO_ERASE:
 		ret = nand_erase_blocks(chip, ((off_t *)data)[0],
@@ -234,15 +255,38 @@ nand_ioctl(struct disk *ndisk, u_long cm
 		break;
 
 	case NAND_IO_RAW_PROG:
-		copyin(raw_rw->data, buf, raw_rw->len);
-		ret = nand_prog_pages_raw(chip, raw_rw->off, buf,
-		    raw_rw->len);
+		while (len > 0) {
+			if (len < bufsize)
+				bufsize = len;
+
+			ret = copyin(raw_rw->data + off, buf, bufsize);
+			if (ret)
+				break;
+			ret = nand_prog_pages_raw(chip, raw_rw->off + off, buf,
+			    bufsize);
+			if (ret)
+				break;
+			len -= bufsize;
+			off += bufsize;
+		}
 		break;
 
 	case NAND_IO_RAW_READ:
-		ret = nand_read_pages_raw(chip, raw_rw->off, buf,
-		    raw_rw->len);
-		copyout(buf, raw_rw->data, raw_rw->len);
+		while (len > 0) {
+			if (len < bufsize)
+				bufsize = len;
+
+			ret = nand_read_pages_raw(chip, raw_rw->off + off, buf,
+			    bufsize);
+			if (ret)
+				break;
+
+			ret = copyout(buf, raw_rw->data + off, bufsize);
+			if (ret)
+				break;
+			len -= bufsize;
+			off += bufsize;
+		}
 		break;
 
 	case NAND_IO_GET_CHIP_PARAM: