[U-Boot] [PATCH] pci: fix address range check in __pci_hose_phys_to_bus()
The address range check may overflow if the memory region is located at the top of the 32-bit address space. This can e.g. be seen on TK1 if using the E1000 gigabit Ethernet driver where start and size are both 0x80000000 leading to the following messages:
Apalis TK1 # tftpboot $loadaddr test_file Using e1000#0 device TFTP from server 192.168.10.1; our IP address is 192.168.10.2 Filename 'test_file'. Load address: 0x80408000 Loading: pci_hose_phys_to_bus: invalid physical address
This patch fixes this by changing the order of the addition vs. subtraction in the range check just like already done in __pci_hose_bus_to_phys().
Reported-by: Ivan Mercier ivan.mercier@nexvision.fr Signed-off-by: Marcel Ziswiler marcel.ziswiler@toradex.com ---
drivers/pci/pci_common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pci/pci_common.c b/drivers/pci/pci_common.c index a64792f..2a14902 100644 --- a/drivers/pci/pci_common.c +++ b/drivers/pci/pci_common.c @@ -268,7 +268,7 @@ int __pci_hose_phys_to_bus(struct pci_controller *hose, bus_addr = phys_addr - res->phys_start + res->bus_start;
if (bus_addr >= res->bus_start && - bus_addr < res->bus_start + res->size) { + (bus_addr - res->bus_start) < res->size) { *ba = bus_addr; return 0; }
On Wed, Nov 18, 2015 at 10:05 PM, Marcel Ziswiler marcel.ziswiler@toradex.com wrote:
The address range check may overflow if the memory region is located at the top of the 32-bit address space. This can e.g. be seen on TK1 if using the E1000 gigabit Ethernet driver where start and size are both 0x80000000 leading to the following messages:
Apalis TK1 # tftpboot $loadaddr test_file Using e1000#0 device TFTP from server 192.168.10.1; our IP address is 192.168.10.2 Filename 'test_file'. Load address: 0x80408000 Loading: pci_hose_phys_to_bus: invalid physical address
This patch fixes this by changing the order of the addition vs. subtraction in the range check just like already done in __pci_hose_bus_to_phys().
Reported-by: Ivan Mercier ivan.mercier@nexvision.fr Signed-off-by: Marcel Ziswiler marcel.ziswiler@toradex.com
drivers/pci/pci_common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pci/pci_common.c b/drivers/pci/pci_common.c index a64792f..2a14902 100644 --- a/drivers/pci/pci_common.c +++ b/drivers/pci/pci_common.c @@ -268,7 +268,7 @@ int __pci_hose_phys_to_bus(struct pci_controller *hose, bus_addr = phys_addr - res->phys_start + res->bus_start;
if (bus_addr >= res->bus_start &&
bus_addr < res->bus_start + res->size) {
(bus_addr - res->bus_start) < res->size) { *ba = bus_addr; return 0; }--
Reviewed-by: Bin Meng bmeng.cn@gmail.com
Well done Marcel! I didn't have much more time to investigate on it. OK with nvidia jetson TK1 with i210 AND RTL8169.
On 18/11/2015 15:19, Bin Meng wrote:
On Wed, Nov 18, 2015 at 10:05 PM, Marcel Ziswiler marcel.ziswiler@toradex.com wrote:
The address range check may overflow if the memory region is located at the top of the 32-bit address space. This can e.g. be seen on TK1 if using the E1000 gigabit Ethernet driver where start and size are both 0x80000000 leading to the following messages:
Apalis TK1 # tftpboot $loadaddr test_file Using e1000#0 device TFTP from server 192.168.10.1; our IP address is 192.168.10.2 Filename 'test_file'. Load address: 0x80408000 Loading: pci_hose_phys_to_bus: invalid physical address
This patch fixes this by changing the order of the addition vs. subtraction in the range check just like already done in __pci_hose_bus_to_phys().
Reported-by: Ivan Mercier ivan.mercier@nexvision.fr Signed-off-by: Marcel Ziswiler marcel.ziswiler@toradex.com
drivers/pci/pci_common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pci/pci_common.c b/drivers/pci/pci_common.c index a64792f..2a14902 100644 --- a/drivers/pci/pci_common.c +++ b/drivers/pci/pci_common.c @@ -268,7 +268,7 @@ int __pci_hose_phys_to_bus(struct pci_controller *hose, bus_addr = phys_addr - res->phys_start + res->bus_start;
if (bus_addr >= res->bus_start &&
bus_addr < res->bus_start + res->size) {
(bus_addr - res->bus_start) < res->size) { *ba = bus_addr; return 0; }--
Reviewed-by: Bin Meng bmeng.cn@gmail.com
On Wed, Nov 18, 2015 at 10:05 PM, Marcel Ziswiler marcel.ziswiler@toradex.com wrote:
The address range check may overflow if the memory region is located at the top of the 32-bit address space. This can e.g. be seen on TK1 if using the E1000 gigabit Ethernet driver where start and size are both 0x80000000 leading to the following messages:
Apalis TK1 # tftpboot $loadaddr test_file Using e1000#0 device TFTP from server 192.168.10.1; our IP address is 192.168.10.2 Filename 'test_file'. Load address: 0x80408000 Loading: pci_hose_phys_to_bus: invalid physical address
This patch fixes this by changing the order of the addition vs. subtraction in the range check just like already done in __pci_hose_bus_to_phys().
Reported-by: Ivan Mercier ivan.mercier@nexvision.fr Signed-off-by: Marcel Ziswiler marcel.ziswiler@toradex.com
drivers/pci/pci_common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pci/pci_common.c b/drivers/pci/pci_common.c index a64792f..2a14902 100644 --- a/drivers/pci/pci_common.c +++ b/drivers/pci/pci_common.c @@ -268,7 +268,7 @@ int __pci_hose_phys_to_bus(struct pci_controller *hose, bus_addr = phys_addr - res->phys_start + res->bus_start;
if (bus_addr >= res->bus_start &&
bus_addr < res->bus_start + res->size) {
(bus_addr - res->bus_start) < res->size) { *ba = bus_addr; return 0; }--
For some reason, this patch did not show up on patchwork for sometime and it lost my 'Reviewed-by' tag. Here it is:
Reviewed-by: Bin Meng bmeng.cn@gmail.com
On 11/18/2015 07:05 AM, Marcel Ziswiler wrote:
The address range check may overflow if the memory region is located at the top of the 32-bit address space. This can e.g. be seen on TK1 if using the E1000 gigabit Ethernet driver where start and size are both 0x80000000 leading to the following messages:
Apalis TK1 # tftpboot $loadaddr test_file Using e1000#0 device TFTP from server 192.168.10.1; our IP address is 192.168.10.2 Filename 'test_file'. Load address: 0x80408000 Loading: pci_hose_phys_to_bus: invalid physical address
This patch fixes this by changing the order of the addition vs. subtraction in the range check just like already done in __pci_hose_bus_to_phys().
Reviewed-by: Stephen Warren swarren@nvidia.com
On 19 November 2015 at 09:40, Stephen Warren swarren@wwwdotorg.org wrote:
On 11/18/2015 07:05 AM, Marcel Ziswiler wrote:
The address range check may overflow if the memory region is located at the top of the 32-bit address space. This can e.g. be seen on TK1 if using the E1000 gigabit Ethernet driver where start and size are both 0x80000000 leading to the following messages:
Apalis TK1 # tftpboot $loadaddr test_file Using e1000#0 device TFTP from server 192.168.10.1; our IP address is 192.168.10.2 Filename 'test_file'. Load address: 0x80408000 Loading: pci_hose_phys_to_bus: invalid physical address
This patch fixes this by changing the order of the addition vs. subtraction in the range check just like already done in __pci_hose_bus_to_phys().
Reviewed-by: Stephen Warren swarren@nvidia.com
Acked-by: Simon Glass sjg@chromium.org
On Wed, Nov 18, 2015 at 03:05:06PM +0100, Marcel Ziswiler wrote:
The address range check may overflow if the memory region is located at the top of the 32-bit address space. This can e.g. be seen on TK1 if using the E1000 gigabit Ethernet driver where start and size are both 0x80000000 leading to the following messages:
Apalis TK1 # tftpboot $loadaddr test_file Using e1000#0 device TFTP from server 192.168.10.1; our IP address is 192.168.10.2 Filename 'test_file'. Load address: 0x80408000 Loading: pci_hose_phys_to_bus: invalid physical address
This patch fixes this by changing the order of the addition vs. subtraction in the range check just like already done in __pci_hose_bus_to_phys().
Reported-by: Ivan Mercier ivan.mercier@nexvision.fr Signed-off-by: Marcel Ziswiler marcel.ziswiler@toradex.com Reviewed-by: Bin Meng bmeng.cn@gmail.com Reviewed-by: Stephen Warren swarren@nvidia.com Acked-by: Simon Glass sjg@chromium.org
Applied to u-boot/master, thanks!
participants (6)
-
Bin Meng -
Ivan Mercier -
Marcel Ziswiler -
Simon Glass -
Stephen Warren -
Tom Rini