From 2876709fb7cd5311c5d5dc0e875687d810cea3c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=81lvaro=20Fern=C3=A1ndez=20Rojas?=
Date: Tue, 27 Aug 2019 15:19:26 +0200
Subject: [PATCH] brcm2708: fix DMA leaks in bcm2835-mmc
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add patches from https://github.com/raspberrypi/linux/pull/3164
Signed-off-by: Álvaro Fernández Rojas
---
 ...unmap_sg-calls-to-free-relevant-swio.patch | 46 +++++++++++++++++++
 ...ze-under-arm64-or-any-other-platform.patch | 33 +++++++++++++
 2 files changed, 79 insertions(+)
 create mode 100644 target/linux/brcm2708/patches-4.19/951-0001-Add-missing-dma_unmap_sg-calls-to-free-relevant-swio.patch
 create mode 100644 target/linux/brcm2708/patches-4.19/952-0002-Limit-max_req_size-under-arm64-or-any-other-platform.patch
diff --git a/target/linux/brcm2708/patches-4.19/951-0001-Add-missing-dma_unmap_sg-calls-to-free-relevant-swio.patch b/target/linux/brcm2708/patches-4.19/951-0001-Add-missing-dma_unmap_sg-calls-to-free-relevant-swio.patch
new file mode 100644
index 0000000000..3c59d2d322
--- /dev/null
+++ b/target/linux/brcm2708/patches-4.19/951-0001-Add-missing-dma_unmap_sg-calls-to-free-relevant-swio.patch
@@ -0,0 +1,46 @@
+From 51487e55ceabd24572bdd12ed7fd45e20676f399 Mon Sep 17 00:00:00 2001
+From: Yaroslav Rosomakho
+Date: Fri, 23 Aug 2019 11:05:51 +0200
+Subject: [PATCH 1/2] Add missing dma_unmap_sg calls to free relevant swiotlb
+ bounce buffers. This prevents DMA leaks.
+
+Signed-off-by: Yaroslav Rosomakho
+---
+ drivers/mmc/host/bcm2835-mmc.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/drivers/mmc/host/bcm2835-mmc.c
++++ b/drivers/mmc/host/bcm2835-mmc.c
+@@ -344,16 +344,17 @@ static void bcm2835_mmc_dma_complete(voi
+
+ host->use_dma = false;
+
+- if (host->data && !(host->data->flags & MMC_DATA_WRITE)) {
+- /* otherwise handled in SDHCI IRQ */
++ if (host->data) {
+ dma_chan = host->dma_chan_rxtx;
+- dir_data = DMA_FROM_DEVICE;
+-
++ if (host->data->flags & MMC_DATA_WRITE)
++ dir_data = DMA_TO_DEVICE;
++ else
++ dir_data = DMA_FROM_DEVICE;
+ dma_unmap_sg(dma_chan->device->dev,
+ host->data->sg, host->data->sg_len,
+ dir_data);
+-
+- bcm2835_mmc_finish_data(host);
++ if (! (host->data->flags & MMC_DATA_WRITE))
++ bcm2835_mmc_finish_data(host);
+ } else if (host->wait_for_dma) {
+ host->wait_for_dma = false;
+ tasklet_schedule(&host->finish_tasklet);
+@@ -539,6 +540,8 @@ static void bcm2835_mmc_transfer_dma(str
+ spin_unlock_irqrestore(&host->lock, flags);
+ dmaengine_submit(desc);
+ dma_async_issue_pending(dma_chan);
++ } else {
++ dma_unmap_sg(dma_chan->device->dev, host->data->sg, len, dir_data);
+ }
+
+ }
diff --git a/target/linux/brcm2708/patches-4.19/952-0002-Limit-max_req_size-under-arm64-or-any-other-platform.patch b/target/linux/brcm2708/patches-4.19/952-0002-Limit-max_req_size-under-arm64-or-any-other-platform.patch
new file mode 100644
index 0000000000..7c5806d1a0
--- /dev/null
+++ b/target/linux/brcm2708/patches-4.19/952-0002-Limit-max_req_size-under-arm64-or-any-other-platform.patch
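Review bot: The unmap added to the failure branch of bcm2835_mmc_transfer_dma passes `len` as the entry count, while the one in bcm2835_mmc_dma_complete passes `host->data->sg_len`. `len` is defined outside the hunk; if it holds the return value of `dma_map_sg()`, the DMA API expects the original count instead, and a failed mapping (return 0) should not be unmapped at all, so I would write `if (len) dma_unmap_sg(dma_chan->device->dev, host->data->sg, host->data->sg_len, dir_data);`. In bcm2835_mmc_dma_complete the unmap still runs only when `host->data` is set, so if the `wait_for_dma` branch is reached because the data was already finished and cleared, that write mapping presumably stays mapped and its bounce buffer is not returned. Both functions start and end outside the hunks.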
@@ -0,0 +1,33 @@
+From ea1ecb2257bef3cc0b23c08364436103141999c7 Mon Sep 17 00:00:00 2001
+From: Yaroslav Rosomakho
+Date: Fri, 23 Aug 2019 11:02:22 +0200
+Subject: [PATCH 2/2] Limit max_req_size under arm64 (or any other platform
+ that uses swiotlb) to prevent potential buffer overflow due to bouncing.
+
+Signed-off-by: Yaroslav Rosomakho
+---
+ drivers/mmc/host/bcm2835-mmc.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/bcm2835-mmc.c
++++ b/drivers/mmc/host/bcm2835-mmc.c
+@@ -38,6 +38,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include "sdhci.h"
+
+@@ -1377,7 +1378,10 @@ static int bcm2835_mmc_add_host(struct b
+ }
+ #endif
+ mmc->max_segs = 128;
+- mmc->max_req_size = 524288;
++ if (swiotlb_max_segment())
++ mmc->max_req_size = (1 << IO_TLB_SHIFT) * IO_TLB_SEGSIZE;
++ else
++ mmc->max_req_size = 524288;
+ mmc->max_seg_size = mmc->max_req_size;
+ mmc->max_blk_size = 512;
+ mmc->max_blk_count = 65535;
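Review bot: The new `max_req_size` branch in bcm2835_mmc_add_host has no comment tying the value to the swiotlb per-mapping limit, so the product and the remaining literal `524288` both read as arbitrary. The commit message presents this cap as what prevents an overflow when requests are bounced, so I would add `/* swiotlb can bounce at most IO_TLB_SEGSIZE slots of (1 << IO_TLB_SHIFT) bytes per mapping */` above the `if`. The cap is applied only when `swiotlb_max_segment()` is non-zero, and it presumably relies on the mapping path still checking the `dma_map_sg()` result for any request that cannot be bounced; that code is outside this hunk and worth confirming. The function starts and ends outside the hunk.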