Wrong cache invalidation in cfi_cmdset0001.c (2.6.21 kernel)

Jared Hulbert jaredeh at gmail.com
Mon Nov 26 13:36:08 EST 2007


> > We found an issue in cfi_cmdset0001.c file of 2.6.21 kernel.
> > It is related to cache region invalidation in the buffered
> > write procedure.

What was the test setup that uncovered this?  I'm surprised this wasn't
found earlier.

> > The original code performs cache invalidation from "adr" to "adr + len" in
> > do_write_buffer() while we modify region from "cmd_adr" to "len2"
> > where len2 is equal to initial value of len.
>
> Could use a better name, initial_len or something like that.  And David
> would surely appreciate a Signed-off-by: line.  Otherwise appears to
> make sense.
>
> > The following is the patch to apply for 2.6.21 kernel.
> >
> > --- a/drivers/mtd/chips/cfi_cmdset_0001.c     2007-11-26 18:06:37.000000000 +0100
> > +++ b/drivers/mtd/chips/cfi_cmdset_0001.c     2007-11-26 18:06:44.000000000 +0100
> > @@ -1472,6 +1472,7 @@ static int __xipram do_write_buffer(stru
> >       int ret, wbufsize, word_gap, words;
> >       const struct kvec *vec;
> >       unsigned long vec_seek;
> > +     int len2=len;
> >
> >       wbufsize = cfi_interleave(cfi) << cfi->cfiq->MaxBufWriteSize;
> >       adr += chip->start;
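Review bot: the new declaration `int len2=len;` at the top of do_write_buffer() gives no hint of why it exists; the description says len is consumed later and this variable keeps its initial value, so name it for that role (`initial_len`, as the reply suggests), write it as `int initial_len = len;` to match the surrounding declarations, and add a one-line comment that it is preserved for the cache invalidation at the end of the function.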
> > @@ -1578,7 +1579,7 @@ static int __xipram do_write_buffer(stru
> >       chip->state = FL_WRITING;
> >
> >       ret = INVAL_CACHE_AND_WAIT(map, chip, cmd_adr,
> > -                                adr, len,
> > +                                cmd_adr, len2,
> >                                  chip->buffer_write_time);
> >       if (ret) {
> >               map_write(map, CMD(0x70), cmd_adr);
> >
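Review bot: the invalidation now starts at cmd_adr but is still only len2 bytes long, so whenever cmd_adr lies below adr (the case the thread is discussing) the range `[cmd_adr, cmd_adr + len2)` ends before `adr + len2` and the tail of the programmed region is left in the cache. The length passed to INVAL_CACHE_AND_WAIT should include the offset between the two addresses, e.g. `(adr - cmd_adr) + len2`, or the range should be widened to the buffer boundary so the whole programmed buffer is invalidated; the changelog should state which of the two is intended.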

If cmd_adr <= adr then shouldn't initial_len >= len?  Something like:

initial_len = (len + wbufsize) & ~(wbufsize-1);
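To make the range arithmetic in this exchange concrete, here is an added model (not the driver's code and not from either poster) that compares the range the patch passes, cmd_adr with the initial len, against one that actually spans the programmed bytes; it assumes cmd_adr is adr rounded down to a wbufsize boundary, which is what "cmd_adr <= adr" above implies.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the invalidation-range arithmetic discussed in
 * the thread; not the MTD driver's code. Assumes cmd_adr is adr rounded
 * down to a wbufsize boundary, as "cmd_adr <= adr" in the reply implies. */

struct range { unsigned long start, len; };

static unsigned long cmd_adr_for(unsigned long adr, unsigned long wbufsize)
{
    return adr & ~(wbufsize - 1);       /* buffer-aligned command address */
}

/* Range the patch passes: starts at cmd_adr but keeps the initial len. */
struct range inval_range_patch(unsigned long adr, unsigned long len,
                               unsigned long wbufsize)
{
    struct range r = { cmd_adr_for(adr, wbufsize), len };
    return r;
}

/* Range that spans the programmed bytes [adr, adr + len) when starting
 * from cmd_adr: the offset between the two addresses is added to len. */
struct range inval_range_covering(unsigned long adr, unsigned long len,
                                  unsigned long wbufsize)
{
    unsigned long cmd_adr = cmd_adr_for(adr, wbufsize);
    struct range r = { cmd_adr, (adr - cmd_adr) + len };
    return r;
}

/* True when [r.start, r.start + r.len) contains [adr, adr + len). */
bool range_covers(struct range r, unsigned long adr, unsigned long len)
{
    return r.start <= adr && r.start + r.len >= adr + len;
}

int main(void)
{
    /* constructed write: 24 bytes starting 16 bytes into a 32-byte buffer */
    unsigned long adr = 0x1010, len = 24, wbufsize = 32;
    struct range p = inval_range_patch(adr, len, wbufsize);
    struct range c = inval_range_covering(adr, len, wbufsize);
    printf("patch:    [%#lx, %#lx) covers=%d\n", p.start, p.start + p.len,
           range_covers(p, adr, len));
    printf("covering: [%#lx, %#lx) covers=%d\n", c.start, c.start + c.len,
           range_covers(c, adr, len));
    return 0;
}
```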
