From: Jamin Lin via <qemu-devel@nongnu.org>
To: "Philippe Mathieu-Daudé" <philmd@linaro.org>,
"Bin Meng" <bmeng.cn@gmail.com>,
"open list:SD (Secure Card)" <qemu-block@nongnu.org>,
"open list:All patches CC here" <qemu-devel@nongnu.org>
Cc: <jamin_lin@aspeedtech.com>, <troy_lee@aspeedtech.com>,
<yunlin.tang@aspeedtech.com>
Subject: [PATCH v2 1/2] hw/sd/sdhci: Fix boundary_count overflow in sdhci_sdma_transfer_multi_blocks
Date: Fri, 13 Dec 2024 11:12:04 +0800
Message-ID: <20241213031205.641009-2-jamin_lin@aspeedtech.com>
In-Reply-To: <20241213031205.641009-1-jamin_lin@aspeedtech.com>
How to reproduce it:
1. The value of "s->blksize" was 0x7200. Bits [14:12] were "111", so the buffer
boundary was 0x80000 (512 Kbytes). This SDMA buffer boundary was the same as
the u-boot default value.
Bits [11:0] were "001000000000", so the block size was 0x200 (512 bytes).
2. The SDMA address was 0x83123456, which was not page aligned, and
"s->sdmasysad % boundary_chk" was 0x23456. The value of boundary_count was
0x5cbaa ("boundary_chk - (s->sdmasysad % boundary_chk)" -->
"(0x80000 - 0x23456)").

However, boundary_count was not aligned to the block size of 512 bytes and the SDMA
address was not page aligned (0x80000), so the following if-statement was never true:
```
if (((boundary_count + begin) < block_size) && page_aligned)
```
Finally, it caused boundary_count to overflow because its data type was uint32_t.
Ex: the last boundary_count was 0x1aa and "0x1aa - 0x200" became "0xffffffaa".
This is the wrong behavior.

To fix it, check whether boundary_count is smaller than the block size if the system
address is not page aligned.
Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
---
hw/sd/sdhci.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 37875c02c3..f1a329fdaf 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -618,7 +618,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
sdbus_read_data(&s->sdbus, s->fifo_buffer, block_size);
}
begin = s->data_count;
- if (((boundary_count + begin) < block_size) && page_aligned) {
+ if (((boundary_count + begin) < block_size) && !page_aligned) {
s->data_count = boundary_count + begin;
boundary_count = 0;
} else {
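Review bot: The new "&& !page_aligned" term in the read-path condition looks like it moves the hole rather than closing it. The wrap described in the commit message ("0x1aa - 0x200" becoming "0xffffffaa") happens whenever fewer bytes remain before the boundary than the else branch subtracts, and that depends on "(boundary_count + begin) < block_size", not on the alignment of the start address. A page-aligned start with a block size that does not divide the boundary evenly would now skip the clamp and fall into the else branch. The else body is outside the visible context, so please either drop the alignment term and test only "(boundary_count + begin) < block_size", or add a comment explaining why the aligned case can never reach this point with a short remainder.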
@@ -634,7 +634,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
if (s->data_count == block_size) {
s->data_count = 0;
}
- if (page_aligned && boundary_count == 0) {
+ if (boundary_count == 0) {
break;
}
}
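Review bot: Dropping "page_aligned" from the read-loop break at "if (boundary_count == 0)" is not explained in the commit message, which only covers the change to the first condition. Unaligned transfers now leave the loop at the boundary where they previously kept going, so the message should say that this is intended and what the code after the loop does in that case. The exit also depends on boundary_count landing on exactly 0; since it is a uint32_t that has already been shown to wrap, an assertion or a comment stating that the clamp above guarantees it never passes 0 would make that invariant explicit.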
@@ -642,7 +642,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
s->prnsts |= SDHC_DOING_WRITE;
while (s->blkcnt) {
begin = s->data_count;
- if (((boundary_count + begin) < block_size) && page_aligned) {
+ if (((boundary_count + begin) < block_size) && !page_aligned) {
s->data_count = boundary_count + begin;
boundary_count = 0;
} else {
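Review bot: The write-path condition here is a character-for-character copy of the one changed in the read loop, and the patch has to touch both in lockstep. Consider factoring the remaining-bytes clamp ("(boundary_count + begin) < block_size" plus the two assignments that follow) into a small static helper used by both loops, so the read and write paths cannot drift apart in a later fix. The concern raised on the read-path condition about keeping "!page_aligned" applies here unchanged.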
@@ -659,7 +659,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
s->blkcnt--;
}
}
- if (page_aligned && boundary_count == 0) {
+ if (boundary_count == 0) {
break;
}
}
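Review bot: Nothing in this patch exercises the write-loop break at "if (boundary_count == 0)" or its read-side twin; the diffstat shows only hw/sd/sdhci.c changing. The commit message already gives a concrete reproducer (block size register 0x7200, SDMA address 0x83123456), so a qtest that programs those values and checks that the transfer stops at the 0x80000 boundary with the expected number of blocks moved would guard against this regressing, for both the read and the write direction.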
--
2.34.1