nand_flash_detect_onfi error

Ezequiel Garcia ezequiel at vanguardiasur.com.ar
Tue Nov 3 08:56:16 PST 2015


On 3 November 2015 at 13:27, Renaud Barbier <renaud.barbier at ge.com> wrote:
> In the file drivers/mtd/nand/nand_base.c, in function
> nand_flash_detect_onfi reading the ONFI data can be run up to 3 times
> when there is a CRC error detected in the onfi data:
>
> The function call chip->cmdfunc(mtd, NAND_CMD_PARAM, 0, -1); is located
> outside the first for loop:
>
> chip->cmdfunc(mtd, NAND_CMD_PARAM, 0, -1);
> for (i = 0; i < 3; i++) {
>         for (j = 0; j < sizeof(*p); j++)
>                 ((uint8_t *)p)[j] = chip->read_byte(mtd);
>         if (onfi_crc16(ONFI_CRC_BASE, (uint8_t *)p, 254) ==
>                         le16_to_cpu(p->crc)) {
>                 break;
>         }
> }
>
> This results in a read beyond buffer error if the data have to be read
> more than once.
>
> This error can also be found in U-boot and barebox.
>

Hi Renaud,

NAND_CMD_PARAM is supposed to read one parameter page,
plus the two redundant parameter pages as well. That's why the NAND core
code reads sizeof(parameter page) x 3 bytes safely.

If you take a look at the ONFI 3.0 spec you'll see the parameter page
is specified to be 767 bytes long, i.e. three redundant parameter pages
can be read.

If you are seeing this kind of bug with a NAND controller, then you need
to extend your CMD_PARAM read to fetch all the copies of the parameter page.

-- 
Ezequiel García, VanguardiaSur
www.vanguardiasur.com.ar
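
The bounds question raised in this thread, as an added example that is not part of the original messages and is not kernel code: a parser that checks up to three parameter page copies, but only the copies that fit inside the bytes the controller actually returned. The 256-byte copy size (254 CRC-covered bytes plus a 2-byte CRC) follows the quoted loop; `onfi_pick_copy` and `make_copy` are hypothetical names, and the sample buffer is constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define ONFI_PAGE_LEN 256      /* one copy: 254 data bytes + 2-byte CRC */
#define ONFI_CRC_BASE 0x4F4E   /* CRC-16 seed used for the parameter page */

/* ONFI CRC-16: polynomial 0x8005, MSB first, no final XOR. */
static uint16_t onfi_crc16(uint16_t crc, const uint8_t *p, size_t len)
{
    while (len--) {
        crc ^= (uint16_t)(*p++ << 8);
        for (int i = 0; i < 8; i++)
            crc = (uint16_t)((crc << 1) ^ ((crc & 0x8000) ? 0x8005 : 0));
    }
    return crc;
}

/* Index of the first copy in buf[0..len) with a matching CRC, or -1.
 * A copy is examined only if all 256 of its bytes lie inside len. */
static int onfi_pick_copy(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < 3 && (i + 1) * ONFI_PAGE_LEN <= len; i++) {
        const uint8_t *p = buf + i * ONFI_PAGE_LEN;
        uint16_t stored = (uint16_t)(p[254] | (p[255] << 8)); /* little-endian */
        if (onfi_crc16(ONFI_CRC_BASE, p, 254) == stored)
            return (int)i;
    }
    return -1;
}

/* Constructed sample data: a pattern-filled copy with a valid CRC. */
static void make_copy(uint8_t *p, uint8_t seed)
{
    for (int j = 0; j < 254; j++)
        p[j] = (uint8_t)(seed + j);
    uint16_t crc = onfi_crc16(ONFI_CRC_BASE, p, 254);
    p[254] = (uint8_t)(crc & 0xff);
    p[255] = (uint8_t)(crc >> 8);
}

int main(void)
{
    uint8_t buf[3 * ONFI_PAGE_LEN];
    for (int i = 0; i < 3; i++)
        make_copy(buf + i * ONFI_PAGE_LEN, 0x10);
    buf[40] ^= 0x01; /* corrupt copy 0 so a retry is needed */
    printf("three copies fetched: %d, one copy fetched: %d\n",
           onfi_pick_copy(buf, sizeof(buf)), onfi_pick_copy(buf, ONFI_PAGE_LEN));
}
```

With copy 0 corrupted, the full 768-byte buffer yields copy 1, while a buffer holding a single copy yields -1 instead of reading past its end.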
