[PATCH] mmc: arm_pl180: Limit data transfer to U16_MAX
From: max cmax@mailbox.org
Currently fetching files bigger that cause a data transfer greater than U16_MAX fails.
The reason is that the specification defines the datalength register as a 16 bit wide register, but in u-boot it is used as if it is an 32 bit register. Therefore values greater than U16_MAX cause an infinite loop inside u-boot. U-boot expects to get more data from interface/hardware then it will ever get and therefore inifintely waits for more data that will never come.
Signed-off-by: max cmax@mailbox.org Cc: Peng Fan peng.fan@nxp.com Cc: Jaehoon Chung jh80.chung@samsung.com --- drivers/mmc/arm_pl180_mmci.c | 11 +++++++++++ 1 file changed, 11 insertions(+)
diff --git a/drivers/mmc/arm_pl180_mmci.c b/drivers/mmc/arm_pl180_mmci.c index 5cf5502ed5..af2f9a5a84 100644 --- a/drivers/mmc/arm_pl180_mmci.c +++ b/drivers/mmc/arm_pl180_mmci.c @@ -231,6 +231,7 @@ static int do_data_transfer(struct mmc *dev, u32 blksz = 0; u32 data_ctrl = 0; u32 data_len = (u32) (data->blocks * data->blocksize); + assert(data_len < U16_MAX); // should be ensured by arm_pl180_get_b_max
if (!host->version2) { blksz = (ffs(data->blocksize) - 1); @@ -358,6 +359,14 @@ static int host_set_ios(struct mmc *dev) return 0; }
+static int arm_pl180_get_b_max(struct udevice *dev, void *dst, lbaint_t blkcnt) +{ + struct mmc_uclass_priv *upriv = dev_get_uclass_priv(dev); + struct mmc *mmc = upriv->mmc; + + return U16_MAX / mmc->read_bl_len; +} + #ifndef CONFIG_DM_MMC /* MMC uses open drain drivers in the enumeration phase */ static int mmc_host_reset(struct mmc *dev) @@ -373,6 +382,7 @@ static const struct mmc_ops arm_pl180_mmci_ops = { .send_cmd = host_request, .set_ios = host_set_ios, .init = mmc_host_reset, + .get_b_max = arm_pl180_get_b_max, };
/* @@ -531,6 +541,7 @@ static const struct dm_mmc_ops arm_pl180_dm_mmc_ops = { .send_cmd = dm_host_request, .set_ios = dm_host_set_ios, .get_cd = dm_mmc_getcd, + .get_b_max = arm_pl180_get_b_max, };
static int arm_pl180_mmc_of_to_plat(struct udevice *dev)
Quick reminder: Can anyone help to review this? Thanks!
Best Regards, *Lean Sheng Tan*
9elements GmbH, Kortumstraße 19-21, 44787 Bochum, Germany Email: sheng.tan@9elements.com Phone: *+49 234 68 94 188 <+492346894188>* Mobile: *+49 176 76 113842 <+4917676113842>*
Registered office: Bochum Commercial register: Amtsgericht Bochum, HRB 17519 Management: Sebastian German, Eray Bazaar
Data protection information according to Art. 13 GDPR https://9elements.com/privacy
On Tue, 27 Feb 2024 at 22:02, cmax@mailbox.org wrote:
From: max cmax@mailbox.org
Currently fetching files bigger that cause a data transfer greater than U16_MAX fails.
The reason is that the specification defines the datalength register as a 16 bit wide register, but in u-boot it is used as if it is an 32 bit register. Therefore values greater than U16_MAX cause an infinite loop inside u-boot. U-boot expects to get more data from interface/hardware then it will ever get and therefore inifintely waits for more data that will never come.
Signed-off-by: max cmax@mailbox.org Cc: Peng Fan peng.fan@nxp.com Cc: Jaehoon Chung jh80.chung@samsung.com
drivers/mmc/arm_pl180_mmci.c | 11 +++++++++++ 1 file changed, 11 insertions(+)
diff --git a/drivers/mmc/arm_pl180_mmci.c b/drivers/mmc/arm_pl180_mmci.c index 5cf5502ed5..af2f9a5a84 100644 --- a/drivers/mmc/arm_pl180_mmci.c +++ b/drivers/mmc/arm_pl180_mmci.c @@ -231,6 +231,7 @@ static int do_data_transfer(struct mmc *dev, u32 blksz = 0; u32 data_ctrl = 0; u32 data_len = (u32) (data->blocks * data->blocksize);
assert(data_len < U16_MAX); // should be ensured byarm_pl180_get_b_max
if (!host->version2) { blksz = (ffs(data->blocksize) - 1);@@ -358,6 +359,14 @@ static int host_set_ios(struct mmc *dev) return 0; }
+static int arm_pl180_get_b_max(struct udevice *dev, void *dst, lbaint_t blkcnt) +{
struct mmc_uclass_priv *upriv = dev_get_uclass_priv(dev);struct mmc *mmc = upriv->mmc;return U16_MAX / mmc->read_bl_len;+}
#ifndef CONFIG_DM_MMC /* MMC uses open drain drivers in the enumeration phase */ static int mmc_host_reset(struct mmc *dev) @@ -373,6 +382,7 @@ static const struct mmc_ops arm_pl180_mmci_ops = { .send_cmd = host_request, .set_ios = host_set_ios, .init = mmc_host_reset,
.get_b_max = arm_pl180_get_b_max,};
/* @@ -531,6 +541,7 @@ static const struct dm_mmc_ops arm_pl180_dm_mmc_ops = { .send_cmd = dm_host_request, .set_ios = dm_host_set_ios, .get_cd = dm_mmc_getcd,
.get_b_max = arm_pl180_get_b_max,};
static int arm_pl180_mmc_of_to_plat(struct udevice *dev)
2.43.0
+ @Simon
Best Regards, *Lean Sheng Tan*
9elements GmbH, Kortumstraße 19-21, 44787 Bochum, Germany Email: sheng.tan@9elements.com Phone: *+49 234 68 94 188 <+492346894188>* Mobile: *+49 176 76 113842 <+4917676113842>*
Registered office: Bochum Commercial register: Amtsgericht Bochum, HRB 17519 Management: Sebastian German, Eray Bazaar
Data protection information according to Art. 13 GDPR https://9elements.com/privacy
On Mon 4. Mar 2024 at 16:39, Lean Sheng Tan sheng.tan@9elements.com wrote:
Quick reminder: Can anyone help to review this? Thanks!
Best Regards, *Lean Sheng Tan*
9elements GmbH, Kortumstraße 19-21, 44787 Bochum, Germany Email: sheng.tan@9elements.com Phone: *+49 234 68 94 188 <+492346894188>* Mobile: *+49 176 76 113842 <+4917676113842>*
Registered office: Bochum Commercial register: Amtsgericht Bochum, HRB 17519 Management: Sebastian German, Eray Bazaar
Data protection information according to Art. 13 GDPR https://9elements.com/privacy
On Tue, 27 Feb 2024 at 22:02, cmax@mailbox.org wrote:
From: max cmax@mailbox.org
Currently fetching files bigger that cause a data transfer greater than U16_MAX fails.
The reason is that the specification defines the datalength register as a 16 bit wide register, but in u-boot it is used as if it is an 32 bit register. Therefore values greater than U16_MAX cause an infinite loop inside u-boot. U-boot expects to get more data from interface/hardware then it will ever get and therefore inifintely waits for more data that will never come.
Signed-off-by: max cmax@mailbox.org Cc: Peng Fan peng.fan@nxp.com Cc: Jaehoon Chung jh80.chung@samsung.com
drivers/mmc/arm_pl180_mmci.c | 11 +++++++++++ 1 file changed, 11 insertions(+)
diff --git a/drivers/mmc/arm_pl180_mmci.c b/drivers/mmc/arm_pl180_mmci.c index 5cf5502ed5..af2f9a5a84 100644 --- a/drivers/mmc/arm_pl180_mmci.c +++ b/drivers/mmc/arm_pl180_mmci.c @@ -231,6 +231,7 @@ static int do_data_transfer(struct mmc *dev, u32 blksz = 0; u32 data_ctrl = 0; u32 data_len = (u32) (data->blocks * data->blocksize);
assert(data_len < U16_MAX); // should be ensured byarm_pl180_get_b_max
if (!host->version2) { blksz = (ffs(data->blocksize) - 1);@@ -358,6 +359,14 @@ static int host_set_ios(struct mmc *dev) return 0; }
+static int arm_pl180_get_b_max(struct udevice *dev, void *dst, lbaint_t blkcnt) +{
struct mmc_uclass_priv *upriv = dev_get_uclass_priv(dev);struct mmc *mmc = upriv->mmc;return U16_MAX / mmc->read_bl_len;+}
#ifndef CONFIG_DM_MMC /* MMC uses open drain drivers in the enumeration phase */ static int mmc_host_reset(struct mmc *dev) @@ -373,6 +382,7 @@ static const struct mmc_ops arm_pl180_mmci_ops = { .send_cmd = host_request, .set_ios = host_set_ios, .init = mmc_host_reset,
.get_b_max = arm_pl180_get_b_max,};
/* @@ -531,6 +541,7 @@ static const struct dm_mmc_ops arm_pl180_dm_mmc_ops = { .send_cmd = dm_host_request, .set_ios = dm_host_set_ios, .get_cd = dm_mmc_getcd,
.get_b_max = arm_pl180_get_b_max,};
static int arm_pl180_mmc_of_to_plat(struct udevice *dev)
2.43.0
Hi,
On 2/28/24 05:18, cmax@mailbox.org wrote:
From: max cmax@mailbox.org
Currently fetching files bigger that cause a data transfer greater than U16_MAX fails.
The reason is that the specification defines the datalength register as a 16 bit wide register, but in u-boot it is used as if it is an 32 bit register. Therefore values greater than U16_MAX cause an infinite loop inside u-boot. U-boot expects to get more data from interface/hardware then it will ever get and therefore inifintely waits for more data that will never come.
Signed-off-by: max cmax@mailbox.org
Could you add your full name as Signed-off's tag?
Cc: Peng Fan peng.fan@nxp.com Cc: Jaehoon Chung jh80.chung@samsung.com
drivers/mmc/arm_pl180_mmci.c | 11 +++++++++++ 1 file changed, 11 insertions(+)
diff --git a/drivers/mmc/arm_pl180_mmci.c b/drivers/mmc/arm_pl180_mmci.c index 5cf5502ed5..af2f9a5a84 100644 --- a/drivers/mmc/arm_pl180_mmci.c +++ b/drivers/mmc/arm_pl180_mmci.c @@ -231,6 +231,7 @@ static int do_data_transfer(struct mmc *dev, u32 blksz = 0; u32 data_ctrl = 0; u32 data_len = (u32) (data->blocks * data->blocksize);
- assert(data_len < U16_MAX); // should be ensured by arm_pl180_get_b_max
Add the comment at above with "/* ... */"
/* Should be ensured by arm_pl180_get_b_max */ assert(data_len < U16_MAX);
Best Regards, Jaehoon Chung
if (!host->version2) { blksz = (ffs(data->blocksize) - 1); @@ -358,6 +359,14 @@ static int host_set_ios(struct mmc *dev) return 0; }
+static int arm_pl180_get_b_max(struct udevice *dev, void *dst, lbaint_t blkcnt) +{
- struct mmc_uclass_priv *upriv = dev_get_uclass_priv(dev);
- struct mmc *mmc = upriv->mmc;
- return U16_MAX / mmc->read_bl_len;
+}
#ifndef CONFIG_DM_MMC /* MMC uses open drain drivers in the enumeration phase */ static int mmc_host_reset(struct mmc *dev) @@ -373,6 +382,7 @@ static const struct mmc_ops arm_pl180_mmci_ops = { .send_cmd = host_request, .set_ios = host_set_ios, .init = mmc_host_reset,
- .get_b_max = arm_pl180_get_b_max,
};
/* @@ -531,6 +541,7 @@ static const struct dm_mmc_ops arm_pl180_dm_mmc_ops = { .send_cmd = dm_host_request, .set_ios = dm_host_set_ios, .get_cd = dm_mmc_getcd,
- .get_b_max = arm_pl180_get_b_max,
};
static int arm_pl180_mmc_of_to_plat(struct udevice *dev)
From: Maximilian Brune maximilian.brune@9elements.com
Currently fetching files bigger that cause a data transfer greater than U16_MAX fails.
The reason is that the specification defines the datalength register as a 16 bit wide register, but in u-boot it is used as if it is an 32 bit register. Therefore values greater than U16_MAX cause an infinite loop inside u-boot. U-boot expects to get more data from interface/hardware then it will ever get and therefore inifintely waits for more data that will never come.
Signed-off-by: Maximilian Brune maximilian.brune@9elements.com Cc: Peng Fan peng.fan@nxp.com Cc: Jaehoon Chung jh80.chung@samsung.com --- drivers/mmc/arm_pl180_mmci.c | 11 +++++++++++ 1 file changed, 11 insertions(+)
diff --git a/drivers/mmc/arm_pl180_mmci.c b/drivers/mmc/arm_pl180_mmci.c index 5cf5502ed5..cad73ea106 100644 --- a/drivers/mmc/arm_pl180_mmci.c +++ b/drivers/mmc/arm_pl180_mmci.c @@ -231,6 +231,7 @@ static int do_data_transfer(struct mmc *dev, u32 blksz = 0; u32 data_ctrl = 0; u32 data_len = (u32) (data->blocks * data->blocksize); + assert(data_len < U16_MAX); /* should be ensured by arm_pl180_get_b_max */
if (!host->version2) { blksz = (ffs(data->blocksize) - 1); @@ -358,6 +359,14 @@ static int host_set_ios(struct mmc *dev) return 0; }
+static int arm_pl180_get_b_max(struct udevice *dev, void *dst, lbaint_t blkcnt) +{ + struct mmc_uclass_priv *upriv = dev_get_uclass_priv(dev); + struct mmc *mmc = upriv->mmc; + + return U16_MAX / mmc->read_bl_len; +} + #ifndef CONFIG_DM_MMC /* MMC uses open drain drivers in the enumeration phase */ static int mmc_host_reset(struct mmc *dev) @@ -373,6 +382,7 @@ static const struct mmc_ops arm_pl180_mmci_ops = { .send_cmd = host_request, .set_ios = host_set_ios, .init = mmc_host_reset, + .get_b_max = arm_pl180_get_b_max, };
/* @@ -531,6 +541,7 @@ static const struct dm_mmc_ops arm_pl180_dm_mmc_ops = { .send_cmd = dm_host_request, .set_ios = dm_host_set_ios, .get_cd = dm_mmc_getcd, + .get_b_max = arm_pl180_get_b_max, };
static int arm_pl180_mmc_of_to_plat(struct udevice *dev)
Hi,
-----Original Message----- From: cmax@mailbox.org cmax@mailbox.org Sent: Thursday, April 4, 2024 3:58 PM To: u-boot@lists.denx.de Cc: Maximilian Brune maximilian.brune@9elements.com; Peng Fan peng.fan@nxp.com; Jaehoon Chung jh80.chung@samsung.com Subject: [PATCH v2] mmc: arm_pl180: Limit data transfer to U16_MAX
From: Maximilian Brune maximilian.brune@9elements.com
Currently fetching files bigger that cause a data transfer greater than U16_MAX fails.
The reason is that the specification defines the datalength register as a 16 bit wide register, but in u-boot it is used as if it is an 32 bit register. Therefore values greater than U16_MAX cause an infinite loop inside u-boot. U-boot expects to get more data from interface/hardware then it will ever get and therefore inifintely waits for more data that will never come.
Signed-off-by: Maximilian Brune maximilian.brune@9elements.com
Reviewed-by: Jaehoon Chung jh80.chung@samsung.com
Best Regards, Jaehoon Chung
Cc: Peng Fan peng.fan@nxp.com Cc: Jaehoon Chung jh80.chung@samsung.com
drivers/mmc/arm_pl180_mmci.c | 11 +++++++++++ 1 file changed, 11 insertions(+)
diff --git a/drivers/mmc/arm_pl180_mmci.c b/drivers/mmc/arm_pl180_mmci.c index 5cf5502ed5..cad73ea106 100644 --- a/drivers/mmc/arm_pl180_mmci.c +++ b/drivers/mmc/arm_pl180_mmci.c @@ -231,6 +231,7 @@ static int do_data_transfer(struct mmc *dev, u32 blksz = 0; u32 data_ctrl = 0; u32 data_len = (u32) (data->blocks * data->blocksize);
assert(data_len < U16_MAX); /* should be ensured by arm_pl180_get_b_max */
if (!host->version2) { blksz = (ffs(data->blocksize) - 1);
@@ -358,6 +359,14 @@ static int host_set_ios(struct mmc *dev) return 0; }
+static int arm_pl180_get_b_max(struct udevice *dev, void *dst, lbaint_t blkcnt) +{
- struct mmc_uclass_priv *upriv = dev_get_uclass_priv(dev);
- struct mmc *mmc = upriv->mmc;
- return U16_MAX / mmc->read_bl_len;
+}
#ifndef CONFIG_DM_MMC /* MMC uses open drain drivers in the enumeration phase */ static int mmc_host_reset(struct mmc *dev) @@ -373,6 +382,7 @@ static const struct mmc_ops arm_pl180_mmci_ops = { .send_cmd = host_request, .set_ios = host_set_ios, .init = mmc_host_reset,
- .get_b_max = arm_pl180_get_b_max,
};
/* @@ -531,6 +541,7 @@ static const struct dm_mmc_ops arm_pl180_dm_mmc_ops = { .send_cmd = dm_host_request, .set_ios = dm_host_set_ios, .get_cd = dm_mmc_getcd,
- .get_b_max = arm_pl180_get_b_max,
};
static int arm_pl180_mmc_of_to_plat(struct udevice *dev)
2.44.0
From: Maximilian Brune maximilian.brune@9elements.com
Currently fetching files bigger that cause a data transfer greater than U16_MAX fails.
The reason is that the specification defines the datalength register as a 16 bit wide register, but in u-boot it is used as if it is an 32 bit register. Therefore values greater than U16_MAX cause an infinite loop inside u-boot. U-boot expects to get more data from interface/hardware then it will ever get and therefore inifintely waits for more data that will never come.
Signed-off-by: Maximilian Brune maximilian.brune@9elements.com Cc: Peng Fan peng.fan@nxp.com Cc: Jaehoon Chung jh80.chung@samsung.com --- drivers/mmc/arm_pl180_mmci.c | 10 ++++++++++ 1 file changed, 10 insertions(+)
diff --git a/drivers/mmc/arm_pl180_mmci.c b/drivers/mmc/arm_pl180_mmci.c index 2666b65362..cecc7ad783 100644 --- a/drivers/mmc/arm_pl180_mmci.c +++ b/drivers/mmc/arm_pl180_mmci.c @@ -229,6 +229,7 @@ static int do_data_transfer(struct mmc *dev, u32 blksz = 0; u32 data_ctrl = 0; u32 data_len = (u32) (data->blocks * data->blocksize); + assert(data_len < U16_MAX); /* should be ensured by arm_pl180_get_b_max */
if (!host->version2) { blksz = (ffs(data->blocksize) - 1); @@ -356,6 +357,14 @@ static int host_set_ios(struct mmc *dev) return 0; }
+static int arm_pl180_get_b_max(struct udevice *dev, void *dst, lbaint_t blkcnt) +{ + struct mmc_uclass_priv *upriv = dev_get_uclass_priv(dev); + struct mmc *mmc = upriv->mmc; + + return U16_MAX / mmc->read_bl_len; +} + static void arm_pl180_mmc_init(struct pl180_mmc_host *host) { u32 sdi_u32; @@ -470,6 +479,7 @@ static const struct dm_mmc_ops arm_pl180_dm_mmc_ops = { .send_cmd = dm_host_request, .set_ios = dm_host_set_ios, .get_cd = dm_mmc_getcd, + .get_b_max = arm_pl180_get_b_max, };
static int arm_pl180_mmc_of_to_plat(struct udevice *dev)
-----Original Message----- From: cmax@mailbox.org cmax@mailbox.org Sent: Monday, April 15, 2024 6:53 PM To: u-boot@lists.denx.de Cc: Maximilian Brune maximilian.brune@9elements.com; Peng Fan peng.fan@nxp.com; Jaehoon Chung jh80.chung@samsung.com Subject: [PATCH v2] mmc: arm_pl180: Limit data transfer to U16_MAX
From: Maximilian Brune maximilian.brune@9elements.com
Currently fetching files bigger that cause a data transfer greater than U16_MAX fails.
The reason is that the specification defines the datalength register as a 16 bit wide register, but in u-boot it is used as if it is an 32 bit register. Therefore values greater than U16_MAX cause an infinite loop inside u-boot. U-boot expects to get more data from interface/hardware then it will ever get and therefore inifintely waits for more data that will never come.
Signed-off-by: Maximilian Brune maximilian.brune@9elements.com
Reviewed-by: Jaehoon Chung jh80.chung@samsung.com
Best Regards, Jaehoon Chung
Cc: Peng Fan peng.fan@nxp.com Cc: Jaehoon Chung jh80.chung@samsung.com
drivers/mmc/arm_pl180_mmci.c | 10 ++++++++++ 1 file changed, 10 insertions(+)
diff --git a/drivers/mmc/arm_pl180_mmci.c b/drivers/mmc/arm_pl180_mmci.c index 2666b65362..cecc7ad783 100644 --- a/drivers/mmc/arm_pl180_mmci.c +++ b/drivers/mmc/arm_pl180_mmci.c @@ -229,6 +229,7 @@ static int do_data_transfer(struct mmc *dev, u32 blksz = 0; u32 data_ctrl = 0; u32 data_len = (u32) (data->blocks * data->blocksize);
assert(data_len < U16_MAX); /* should be ensured by arm_pl180_get_b_max */
if (!host->version2) { blksz = (ffs(data->blocksize) - 1);
@@ -356,6 +357,14 @@ static int host_set_ios(struct mmc *dev) return 0; }
+static int arm_pl180_get_b_max(struct udevice *dev, void *dst, lbaint_t blkcnt) +{
- struct mmc_uclass_priv *upriv = dev_get_uclass_priv(dev);
- struct mmc *mmc = upriv->mmc;
- return U16_MAX / mmc->read_bl_len;
+}
static void arm_pl180_mmc_init(struct pl180_mmc_host *host) { u32 sdi_u32; @@ -470,6 +479,7 @@ static const struct dm_mmc_ops arm_pl180_dm_mmc_ops = { .send_cmd = dm_host_request, .set_ios = dm_host_set_ios, .get_cd = dm_mmc_getcd,
- .get_b_max = arm_pl180_get_b_max,
};
static int arm_pl180_mmc_of_to_plat(struct udevice *dev)
2.44.0
participants (3)
-
cmax@mailbox.org -
Jaehoon Chung -
Lean Sheng Tan