From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=linux.ibm.com (client-ip=148.163.156.1; helo=mx0a-001b2d01.pphosted.com; envelope-from=eajames@linux.ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=linux.ibm.com Received: from mx0a-001b2d01.pphosted.com (mx0a-001b2d01.pphosted.com [148.163.156.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 48sNSX309XzDqNg for ; Wed, 1 Apr 2020 08:56:11 +1100 (AEDT) Received: from pps.filterd (m0098396.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 02VLXqJV012729; Tue, 31 Mar 2020 17:56:08 -0400 Received: from ppma01dal.us.ibm.com (83.d6.3fa9.ip4.static.sl-reverse.com [169.63.214.131]) by mx0a-001b2d01.pphosted.com with ESMTP id 3020we4uc3-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 31 Mar 2020 17:56:08 -0400 Received: from pps.filterd (ppma01dal.us.ibm.com [127.0.0.1]) by ppma01dal.us.ibm.com (8.16.0.27/8.16.0.27) with SMTP id 02VLoMwe007515; Tue, 31 Mar 2020 21:56:07 GMT Received: from b03cxnp07028.gho.boulder.ibm.com (b03cxnp07028.gho.boulder.ibm.com [9.17.130.15]) by ppma01dal.us.ibm.com with ESMTP id 301x77b554-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 31 Mar 2020 21:56:07 +0000 Received: from b03ledav005.gho.boulder.ibm.com (b03ledav005.gho.boulder.ibm.com [9.17.130.236]) by b03cxnp07028.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 02VLu51m45220122 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 31 Mar 2020 21:56:05 GMT Received: from b03ledav005.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 2E77DBE051; Tue, 31 Mar 2020 21:56:05 +0000 (GMT) Received: from b03ledav005.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id DFA49BE05A; Tue, 31 Mar 2020 21:56:04 +0000 (GMT) Received: from ghost4.ibm.com (unknown [9.211.150.185]) by b03ledav005.gho.boulder.ibm.com (Postfix) with ESMTP; Tue, 31 Mar 2020 21:56:04 +0000 (GMT) From: Eddie James To: openbmc@lists.ozlabs.org Cc: joel@jms.id.au, Eddie James Subject: [PATCH linux dev-5.4] soc: aspeed: xdma: Fix command buffer overrun Date: Tue, 31 Mar 2020 16:56:00 -0500 Message-Id: <20200331215600.5507-1-eajames@linux.ibm.com> X-Mailer: git-send-email 2.24.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-TM-AS-GCONF: 00 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.138, 18.0.676 definitions=2020-03-31_07:2020-03-31, 2020-03-31 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 impostorscore=0 priorityscore=1501 malwarescore=0 phishscore=0 mlxlogscore=999 adultscore=0 suspectscore=1 bulkscore=0 mlxscore=0 lowpriorityscore=0 clxscore=1015 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2003020000 definitions=main-2003310171 X-BeenThere: openbmc@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Development list for OpenBMC List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 31 Mar 2020 21:56:12 -0000 In the case of an operation requiring two commands, it was possible to copy the second command into the user's memory space, which also prevents the command from completing since the first doesn't trigger an interrupt. Test for this special case and prevent it. Signed-off-by: Eddie James --- drivers/soc/aspeed/aspeed-xdma.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/soc/aspeed/aspeed-xdma.c b/drivers/soc/aspeed/aspeed-xdma.c index 5d97919d38cf..d0a56a5a81ae 100644 --- a/drivers/soc/aspeed/aspeed-xdma.c +++ b/drivers/soc/aspeed/aspeed-xdma.c @@ -436,6 +436,13 @@ static void aspeed_xdma_start(struct aspeed_xdma *ctx, mutex_lock(&ctx->start_lock); + if ((rc == 2) && (ctx->cmd_idx == (XDMA_NUM_CMDS - 1))) { + aspeed_xdma_writel(ctx, ctx->chip->regs.bmc_cmdq_readp, + XDMA_BMC_CMDQ_READP_RESET); + aspeed_xdma_writel(ctx, ctx->chip->regs.bmc_cmdq_writep, 0); + ctx->cmd_idx = 0; + } + memcpy(&ctx->cmdq[ctx->cmd_idx], cmds, rc * sizeof(struct aspeed_xdma_cmd)); ctx->cmd_idx = (ctx->cmd_idx + rc) % XDMA_NUM_CMDS; -- 2.24.0