[openwrt/openwrt] uboot-lantiq: fix out of bounds cache invalidate
LEDE Commits
lede-commits at lists.infradead.org
Sun Nov 14 11:22:57 PST 2021
mkresin pushed a commit to openwrt/openwrt.git, branch master:
https://git.openwrt.org/87b8f095af9f7e6ff5edae6778d967f91e779cf2
commit 87b8f095af9f7e6ff5edae6778d967f91e779cf2
Author: Mathias Kresin <dev at kresin.me>
AuthorDate: Tue Nov 2 22:20:28 2021 +0100
uboot-lantiq: fix out of bounds cache invalidate
With gcc10 the variables are placed more tightly to each other, which
uncovers a long existing bug in the lantiq DMA code. It can be observed
when using tftpboot with the filename parameter, which gets reset during
the tftpboot execution.
NetRxPackets[] points to cache line size aligned addresses. In
ltq_eth_rx_packet_align() the address NetRxPackets[] points to is
increased by LTQ_ETH_IP_ALIGN and the resulting not cache aligned
address is used further on. While doing so, the length/size is never
updated.
The "not cache aligned address" + len/size for a cache aligned address
is passed to invalidate_dcache_range(). Hence, invalidate_dcache_range()
invalidates the next 32 bit as well, which flashes the BootFile variable
as well.
variable BootFile is at address: 0x83ffe12c
NetRxPackets[] points to 0x83ffdb20 (len is 0x600)
data points to: 0x83ffdb22 (len is 0x600)
ltq_dma_dcache_inv: 0x83ffdb22 (for len 0x600)
invalidate_dcache_range: 0x83ffdb20 to 0x83ffe120 (size: 32)
invalidate_dcache_range: 0x83ffdb20 to 0x83ffdb40 (Bootfile: a.bin)
...
invalidate_dcache_range: 0x83ffe100 to 0x83ffe120 (Bootfile: a.bin)
invalidate_dcache_range: 0x83ffe120 to 0x83ffe140 (Bootfile: )
In ltq_dma_tx_map() and ltq_dma_rx_map() the start address passed to
ltq_dma_dcache_wb_inv() is incorrect. By considering the offset, the
start address passed to flush_dcache_range() is always aligned to 32, 64
or 128 bytes dependent on configured DMA burst size.
Fixes: FS#4113
Signed-off-by: Mathias Kresin <dev at kresin.me>
---
...lantiq-fix-out-of-bounds-cache-invalidate.patch | 62 ++++++++++++++++++++++
1 file changed, 62 insertions(+)
diff --git a/package/boot/uboot-lantiq/patches/0031-dma-lantiq-fix-out-of-bounds-cache-invalidate.patch b/package/boot/uboot-lantiq/patches/0031-dma-lantiq-fix-out-of-bounds-cache-invalidate.patch
new file mode 100644
index 0000000000..b99b07292c
--- /dev/null
+++ b/package/boot/uboot-lantiq/patches/0031-dma-lantiq-fix-out-of-bounds-cache-invalidate.patch
@@ -0,0 +1,62 @@
+From d9527989b2d63749d6c6678fa3a1b658eb26c225 Mon Sep 17 00:00:00 2001
+From: Mathias Kresin <dev at kresin.me>
+Date: Tue, 2 Nov 2021 21:24:29 +0100
+Subject: [PATCH] dma: lantiq: fix out of bounds cache invalidate
+
+With gcc10 the variables are placed more tightly to each other, which
+uncovers a long existing bug in the lantiq DMA code. It can be observed
+when using tftpboot with the filename parameter, which gets reset during
+the tftpboot execution.
+
+NetRxPackets[] points to cache line size aligned addresses. In
+ltq_eth_rx_packet_align() the address NetRxPackets[] points to is
+increased by LTQ_ETH_IP_ALIGN and the resulting not cache aligned
+address is used further on. While doing so, the length/size is never
+updated.
+
+The "not cache aligned address" + len/size for a cache aligned address
+is passed to invalidate_dcache_range(). Hence, invalidate_dcache_range()
+invalidates the next 32 bit as well, which flashes the BootFile variable
+as well.
+
+ variable BootFile is at address: 0x83ffe12c
+ NetRxPackets[] points to 0x83ffdb20 (len is 0x600)
+ data points to: 0x83ffdb22 (len is 0x600)
+
+ ltq_dma_dcache_inv: 0x83ffdb22 (for len 0x600)
+ invalidate_dcache_range: 0x83ffdb20 to 0x83ffe120 (size: 32)
+ invalidate_dcache_range: 0x83ffdb20 to 0x83ffdb40 (Bootfile: a.bin)
+ ...
+ invalidate_dcache_range: 0x83ffe100 to 0x83ffe120 (Bootfile: a.bin)
+ invalidate_dcache_range: 0x83ffe120 to 0x83ffe140 (Bootfile: )
+
+In ltq_dma_tx_map() and ltq_dma_rx_map() the start address passed to
+ltq_dma_dcache_wb_inv() is incorrect. By considering the offset, the
+start address passed to flush_dcache_range() is always aligned to 32, 64
+or 128 bytes dependent on configured DMA burst size.
+
+Signed-off-by: Mathias Kresin <dev at kresin.me>
+---
+ drivers/dma/lantiq_dma.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/dma/lantiq_dma.c
++++ b/drivers/dma/lantiq_dma.c
+@@ -280,7 +280,7 @@ int ltq_dma_rx_map(struct ltq_dma_device
+
+ offset = dma_addr % ltq_dma_burst_align(dev->rx_burst_len);
+
+- ltq_dma_dcache_inv(data, len);
++ ltq_dma_dcache_inv(data - offset, len);
+
+ #if 0
+ printf("%s: index %d, data %p, dma_addr %08x, offset %u, len %d\n",
+@@ -355,7 +355,7 @@ int ltq_dma_tx_map(struct ltq_dma_device
+ __func__, index, desc, data, dma_addr, offset, len);
+ #endif
+
+- ltq_dma_dcache_wb_inv(data, len);
++ ltq_dma_dcache_wb_inv(data - offset, len);
+
+ desc->addr = dma_addr - offset;
+ desc->ctl = DMA_DESC_OWN | DMA_DESC_SOP | DMA_DESC_EOP |
More information about the lede-commits
mailing list