/linux

Permalink
Browse files

spi-nor: intel-spi: Fix broken software sequencing codes 

There are two bugs in current intel_spi_sw_cycle():

- The 'data byte count' field should be the number of bytes
  transferred minus 1
- SSFSTS_CTL is the offset from ispi->sregs, not ispi->base

Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Cc: <stable@vger.kernel.org> # v4.11+
Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Cyrille Pitchen <cyrille.pitchen@wedev4u.fr>
  • Loading branch information...
1 parent e58348b commit 9d63f17661e25fd28714dac94bdebc4ff5b75f09 @lbmeng lbmeng committed with Cyrille Pitchen Sep 11, 2017
Unified Split
Showing with 2 additions and 2 deletions.
  1. +2 −2 drivers/mtd/spi-nor/intel-spi.c
View
4 drivers/mtd/spi-nor/intel-spi.c
@@ -426,7 +426,7 @@ static int intel_spi_sw_cycle(struct intel_spi *ispi, u8 opcode, int len)
if (ret < 0)
return ret;
- val = (len << SSFSTS_CTL_DBC_SHIFT) | SSFSTS_CTL_DS;
+ val = ((len - 1) << SSFSTS_CTL_DBC_SHIFT) | SSFSTS_CTL_DS;
@sladen

sladen Dec 21, 2017
Edited 1 time

James Courtier-Dutton noted len is not being validated, particularly against being zero.

It should probably at a minimum have HSFSTS_CTL_FDBC_MASK applied after the shift, and preferable validating that len is within the allowed range (1..64?).
val |= ret << SSFSTS_CTL_COP_SHIFT;
val |= SSFSTS_CTL_FCERR | SSFSTS_CTL_FDONE;
val |= SSFSTS_CTL_SCGO;
@@ -436,7 +436,7 @@ static int intel_spi_sw_cycle(struct intel_spi *ispi, u8 opcode, int len)
if (ret)
return ret;
- status = readl(ispi->base + SSFSTS_CTL);
+ status = readl(ispi->sregs + SSFSTS_CTL);
if (status & SSFSTS_CTL_FCERR)
return -EIO;
else if (status & SSFSTS_CTL_AEL)

0 comments on commit 9d63f17

Please sign in to comment.