lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20190207160630.GB17445@ulmo>
Date:   Thu, 7 Feb 2019 17:06:30 +0100
From:   Thierry Reding <thierry.reding@...il.com>
To:     Dmitry Osipenko <digetx@...il.com>
Cc:     Sowjanya Komatineni <skomatineni@...dia.com>,
        Jonathan Hunter <jonathanh@...dia.com>,
        Mantravadi Karthik <mkarthik@...dia.com>,
        Shardar Mohammed <smohammed@...dia.com>,
        Timo Alho <talho@...dia.com>,
        "linux-tegra@...r.kernel.org" <linux-tegra@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "linux-i2c@...r.kernel.org" <linux-i2c@...r.kernel.org>
Subject: Re: [PATCH V14 3/5] i2c: tegra: Add DMA support

On Thu, Feb 07, 2019 at 07:01:45PM +0300, Dmitry Osipenko wrote:
> 07.02.2019 18:23, Sowjanya Komatineni пишет:
> > 
> >> It became apparent to me that there is a problem here. The size of dma_buf is 4096 bytes and maximum message length is 4096 too, we have pushed 12 bytes packet_header to the buffer >and now there are 4084 bytes left for the message in the buffer. Hence transfer of 4KB will cause buffer overflow and either crash kernel or corrupt memory. One solution is to just always >push packet_header using PIO, other to reduce max_write_len or increase dma_buf size.
> > 
> > Yes, This is known to me and I will add separate patch for this to update quirks to take care for t186 and t194 to exclude packet hdr lengths
> > There was separate patch when quirks were added and it got merged already from 5.0-rc1 but don’t want to sneak that here. Will send separate patch to take care of this.
> > Need to update quirk to exclude packet header
> > 
> 
> No. This is a bug of this patch, it must be fixed in this patch as well. 
> 
> Please include this snippet into the next version of this patch.
> 
> diff --git a/drivers/i2c/busses/i2c-tegra.c b/drivers/i2c/busses/i2c-tegra.c
> index 7921d3e6237d..0ed8162a37e4 100644
> --- a/drivers/i2c/busses/i2c-tegra.c
> +++ b/drivers/i2c/busses/i2c-tegra.c
> @@ -1293,7 +1293,7 @@ static const struct i2c_algorithm tegra_i2c_algo = {
>  static const struct i2c_adapter_quirks tegra_i2c_quirks = {
>         .flags = I2C_AQ_NO_ZERO_LEN,
>         .max_read_len = 4096,
> -       .max_write_len = 4096,
> +       .max_write_len = 4096 - I2C_PACKET_HEADER_SIZE,
>  };
>  
>  static const struct i2c_adapter_quirks tegra194_i2c_quirks = {
> @@ -1545,7 +1545,7 @@ static int tegra_i2c_probe(struct platform_device *pdev)
>         i2c_dev->is_dvc = of_device_is_compatible(pdev->dev.of_node,
>                                                   "nvidia,tegra20-i2c-dvc");
>         i2c_dev->adapter.quirks = i2c_dev->hw->quirks;
> -       i2c_dev->dma_buf_size = i2c_dev->adapter.quirks->max_write_len;
> +       i2c_dev->dma_buf_size = i2c_dev->adapter.quirks->max_read_len;
>         init_completion(&i2c_dev->msg_complete);
>         init_completion(&i2c_dev->dma_complete);
>         spin_lock_init(&i2c_dev->xfer_lock);

I'm not sure we actually need this. My understanding is that it's really
the payload size that's 4 KiB and 64 KiB, respectively. I don't think
that includes the header.

Thierry

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ