From patchwork Wed Apr 5 11:57:29 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Christian Loehle X-Patchwork-Id: 670679 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 89860C7619A for ; Wed, 5 Apr 2023 11:57:35 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237330AbjDEL5e convert rfc822-to-8bit (ORCPT ); Wed, 5 Apr 2023 07:57:34 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42912 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232985AbjDEL5d (ORCPT ); Wed, 5 Apr 2023 07:57:33 -0400 Received: from mail5.swissbit.com (mail5.swissbit.com [148.251.244.252]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5F5583A9F; Wed, 5 Apr 2023 04:57:32 -0700 (PDT) Received: from mail5.swissbit.com (localhost [127.0.0.1]) by DDEI (Postfix) with ESMTP id AA3223A2A48; Wed, 5 Apr 2023 13:57:30 +0200 (CEST) Received: from mail5.swissbit.com (localhost [127.0.0.1]) by DDEI (Postfix) with ESMTP id 9F7493A2A2E; Wed, 5 Apr 2023 13:57:30 +0200 (CEST) X-TM-AS-ERS: 10.181.10.102-127.5.254.253 X-TM-AS-SMTP: 1.0 bXgyLmRtei5zd2lzc2JpdC5jb20= Y2xvZWhsZUBoeXBlcnN0b25lLmNvb Q== X-DDEI-TLS-USAGE: Used Received: from mx2.dmz.swissbit.com (mx2.dmz.swissbit.com [10.181.10.102]) by mail5.swissbit.com (Postfix) with ESMTPS; Wed, 5 Apr 2023 13:57:30 +0200 (CEST) From: =?iso-8859-1?q?Christian_L=F6hle?= To: Ulf Hansson , Adrian Hunter , "linux-mmc@vger.kernel.org" , "linux-kernel@vger.kernel.org" CC: Avri Altman Subject: [PATCH 2/3] mmc: block: ioctl: do write error check for spi Thread-Topic: [PATCH 2/3] mmc: block: ioctl: do write error check for spi Thread-Index: AdlntXn494MEXcKXSfqeBK92Asvg4Q== Date: Wed, 5 Apr 2023 11:57:29 +0000 Message-ID: <4bdab00c5b6f4f8f95b53e586552acfa@hyperstone.com> Accept-Language: en-US, de-DE Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: MIME-Version: 1.0 X-TMASE-Version: DDEI-5.1-9.0.1002-27546.007 X-TMASE-Result: 10--4.347800-10.000000 X-TMASE-MatchedRID: w2TFuZOvAtcQGnUKwIl68khwlOfYeSqxNYERielKfYUN76LiU8zntr8F Hrw7frluf146W0iUu2vw/CbUDQShN4XAE/PjVlh/9k5nZzZVBSCZIt4iAQN6PzYnGCpPrrgS1Ie ckOrbKEzJk6fP3XeBhftIw293QqFjJBgtEIxUn4HwgrvJFY9E0bv20oRSy8wlmyiLZetSf8lRfL aSAVDtyiq2rl3dzGQ1t+hBIx76WOATnqbUC7CCRIv294R2X7x+V9n+w3jzGffJhriFTHyEkg== X-TMASE-SNAP-Result: 1.821001.0001-0-1-22:0,33:0,34:0-0 X-TMASE-INERTIA: 0-0;;;; X-TMASE-XGENCLOUD: 8a8d3480-9faf-4afb-9436-8b4aa079d621-0-0-200-0 Precedence: bulk List-ID: X-Mailing-List: linux-mmc@vger.kernel.org SPI doesn't have the usual PROG path we can check for error bits after moving back to TRAN. Instead it holds the line LOW until completion. We can then check if the card shows any errors or is in IDLE state, indicating the line is no longer LOW because the card was reset. Signed-off-by: Christian Loehle --- drivers/mmc/core/block.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/mmc/core/block.c b/drivers/mmc/core/block.c index 16e262ddc954..35ff7101cbb1 100644 --- a/drivers/mmc/core/block.c +++ b/drivers/mmc/core/block.c @@ -182,6 +182,7 @@ static void mmc_blk_rw_rq_prep(struct mmc_queue_req *mqrq, int recovery_mode, struct mmc_queue *mq); static void mmc_blk_hsq_req_done(struct mmc_request *mrq); +static int mmc_spi_err_check(struct mmc_card *card); static struct mmc_blk_data *mmc_blk_get(struct gendisk *disk) { @@ -553,7 +554,7 @@ static int __mmc_blk_ioctl_cmd(struct mmc_card *card, struct mmc_blk_data *md, /* If it's an R1B response we need some more preparations. */ busy_timeout_ms = idata->ic.cmd_timeout_ms ? : MMC_BLK_TIMEOUT_MS; r1b_resp = (cmd.flags & MMC_RSP_R1B) == MMC_RSP_R1B; - if (r1b_resp) + if (r1b_resp && !mmc_host_is_spi(card->host)) use_r1b_resp = mmc_prepare_busy_cmd(card->host, &cmd, busy_timeout_ms); @@ -612,8 +613,12 @@ static int __mmc_blk_ioctl_cmd(struct mmc_card *card, struct mmc_blk_data *md, if ((card->host->caps & MMC_CAP_WAIT_WHILE_BUSY) && use_r1b_resp) return 0; + if (mmc_host_is_spi(card->host)) { + if (idata->ic.write_flag) + err = mmc_spi_err_check(card); + } /* Ensure RPMB/R1B command has completed by polling with CMD13. */ - if (idata->rpmb || r1b_resp) + else if (idata->rpmb || r1b_resp) err = mmc_poll_for_busy(card, busy_timeout_ms, false, MMC_BUSY_IO); From patchwork Wed Apr 5 11:57:42 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Christian Loehle X-Patchwork-Id: 670678 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id ABA1DC76188 for ; Wed, 5 Apr 2023 11:57:52 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237682AbjDEL5v convert rfc822-to-8bit (ORCPT ); Wed, 5 Apr 2023 07:57:51 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43302 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237236AbjDEL5v (ORCPT ); Wed, 5 Apr 2023 07:57:51 -0400 Received: from mail6.swissbit.com (mail5.swissbit.com [148.251.244.252]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B3F6B5B97; Wed, 5 Apr 2023 04:57:45 -0700 (PDT) Received: from mail6.swissbit.com (localhost [127.0.0.1]) by DDEI (Postfix) with ESMTP id 1B2F822293F; Wed, 5 Apr 2023 13:57:43 +0200 (CEST) Received: from mail6.swissbit.com (localhost [127.0.0.1]) by DDEI (Postfix) with ESMTP id 107BF22293E; Wed, 5 Apr 2023 13:57:43 +0200 (CEST) X-TM-AS-ERS: 10.181.10.103-127.5.254.253 X-TM-AS-SMTP: 1.0 bXgxLmRtei5zd2lzc2JpdC5jb20= Y2xvZWhsZUBoeXBlcnN0b25lLmNvb Q== X-DDEI-TLS-USAGE: Used Received: from mx1.dmz.swissbit.com (mx.dmz.swissbit.com [10.181.10.103]) by mail6.swissbit.com (Postfix) with ESMTPS; Wed, 5 Apr 2023 13:57:43 +0200 (CEST) From: =?iso-8859-1?q?Christian_L=F6hle?= To: Ulf Hansson , Adrian Hunter , "linux-mmc@vger.kernel.org" , "linux-kernel@vger.kernel.org" CC: Avri Altman Subject: [PATCH 3/3] mmc: block: ioctl: Add error aggregation flag Thread-Topic: [PATCH 3/3] mmc: block: ioctl: Add error aggregation flag Thread-Index: AdlntYltCGNgWPv+Tc2Z1o0i39Q1Tw== Date: Wed, 5 Apr 2023 11:57:42 +0000 Message-ID: <043d49e37e254eb8aa8a2c5fc56a028b@hyperstone.com> Accept-Language: en-US, de-DE Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: MIME-Version: 1.0 X-TMASE-Version: DDEI-5.1-9.0.1002-27546.007 X-TMASE-Result: 10--14.227800-10.000000 X-TMASE-MatchedRID: xIhOSkOSohUus6wjYQDwl+MHaG2Ylcw4P8UQejhp29r+Aw16GgqpO+rY +Oi+MMnCoVdOwqgtIOQOe6UQgyI8eels+BWysLH80e7jfBjhB8eycrvYxo9KpwMFD5cGHhglvKM 8qO1jo77m0eJn7rM8KqY70l+keWg+/eT7aGGj1S8AOAItanHFjxDqmKczPoNZVxk27EKh25KQlA lLGkMei48eV9xXSOFA5p98cjyQCaIdj9vNGYhpkZGA/MAGSrEgOq7d0z5iEVEsTMNBTJAZWdmwQ de3CIwaU0KpEEMLs4TCN+UcWNKgRshjol69azi+vf5DDPstHFESwak5eNXy+/z/XKldQEaVGNtH 9cKwddbAcr4J7vYhfQykqSdZGSoeaTkWqXcVprvwlvzzUUaf2d+flRfRwfynmyiLZetSf8lRfLa SAVDtyiq2rl3dzGQ1cgtnoyKqmR8bRa+09G7SJ6HrN+v4E0LX1sGv+JRZAUcUMFEy21VpTg== X-TMASE-SNAP-Result: 1.821001.0001-0-1-22:0,33:0,34:0-0 X-TMASE-INERTIA: 0-0;;;; X-TMASE-XGENCLOUD: 6a3572b5-5152-4cec-a209-ad5f3ebe1d51-0-0-200-0 Precedence: bulk List-ID: X-Mailing-List: linux-mmc@vger.kernel.org Userspace currently has no way of checking for error bits of detection mode X. These are error bits that are only detected by the card when executing the command. For e.g. a sanitize operation this may be minutes after the RSP was seen by the host. Currently userspace programs cannot see these error bits reliably. They could issue a multi ioctl cmd with a CMD13 immediately following it, but since errors of detection mode X are automatically cleared (they are all clear condition B). mmc_poll_for_busy of the first ioctl may have already hidden such an error flag. In case of the security operations: sanitize, secure erases and RPMB writes, this could lead to the operation not being performed successfully by the card with the user not knowing. If the user trusts that this operation is completed (e.g. their data is sanitized), this could be a security issue. An attacker could e.g. provoke a eMMC (VCC) flash fail, where a successful sanitize of a card is not possible. A card may move out of PROG state but issue a bit 19 R1 error. This patch therefore will also have the consequence of a mmc-utils patch, which enables the bit for the security-sensitive operations. Signed-off-by: Christian Loehle --- drivers/mmc/core/block.c | 34 ++++++++++++++++++++++++++++++++-- include/uapi/linux/mmc/ioctl.h | 2 ++ 2 files changed, 34 insertions(+), 2 deletions(-) diff --git a/drivers/mmc/core/block.c b/drivers/mmc/core/block.c index 35ff7101cbb1..386a508bd720 100644 --- a/drivers/mmc/core/block.c +++ b/drivers/mmc/core/block.c @@ -457,7 +457,7 @@ static int mmc_blk_ioctl_copy_to_user(struct mmc_ioc_cmd __user *ic_ptr, sizeof(ic->response))) return -EFAULT; - if (!idata->ic.write_flag) { + if (!idata->ic.write_flag && idata->buf) { if (copy_to_user((void __user *)(unsigned long)ic->data_ptr, idata->buf, idata->buf_bytes)) return -EFAULT; @@ -610,13 +610,43 @@ static int __mmc_blk_ioctl_cmd(struct mmc_card *card, struct mmc_blk_data *md, usleep_range(idata->ic.postsleep_min_us, idata->ic.postsleep_max_us); /* No need to poll when using HW busy detection. */ - if ((card->host->caps & MMC_CAP_WAIT_WHILE_BUSY) && use_r1b_resp) + if ((card->host->caps & MMC_CAP_WAIT_WHILE_BUSY) && use_r1b_resp && + !(idata->ic.write_flag & MMC_AGGREGATE_PROG_ERRORS)) return 0; if (mmc_host_is_spi(card->host)) { if (idata->ic.write_flag) err = mmc_spi_err_check(card); } + /* + * We want to receive a meaningful R1 response for errors of detection + * type X, which are only set after the card has executed the command. + * In that case poll CMD13 until PROG is left and return the + * accumulated error bits. + * If we're lucky host controller has busy detection for R1B and + * this is just a single CMD13. + * We can abuse resp[1] as the post-PROG R1 here, as all commands + * that go through PRG have an R1 response and therefore only + * use resp[0]. + */ + else if (idata->ic.write_flag & MMC_AGGREGATE_PROG_ERRORS) { + unsigned long timeout = jiffies + + msecs_to_jiffies(busy_timeout_ms); + bool done = false; + unsigned long delay_ms = 1; + u32 status; + + do { + done = time_after(jiffies, timeout); + msleep(delay_ms++); + err = __mmc_send_status(card, &status, 1); + if (err) + return err; + idata->ic.response[1] |= status; + } while (R1_CURRENT_STATE(status) != R1_STATE_TRAN && !done); + if (done) + return -ETIMEDOUT; + } /* Ensure RPMB/R1B command has completed by polling with CMD13. */ else if (idata->rpmb || r1b_resp) err = mmc_poll_for_busy(card, busy_timeout_ms, false, diff --git a/include/uapi/linux/mmc/ioctl.h b/include/uapi/linux/mmc/ioctl.h index b2ff7f5be87b..a9d84ae8d57d 100644 --- a/include/uapi/linux/mmc/ioctl.h +++ b/include/uapi/linux/mmc/ioctl.h @@ -8,9 +8,11 @@ struct mmc_ioc_cmd { /* * Direction of data: nonzero = write, zero = read. + * Bit 30 selects error aggregation post-PROG state. * Bit 31 selects 'Reliable Write' for RPMB. */ int write_flag; +#define MMC_AGGREGATE_PROG_ERRORS (1 << 30) #define MMC_RPMB_RELIABLE_WRITE (1 << 31) /* Application-specific command. true = precede with CMD55 */