[4.4.y-cip,74/83] mmc: tmio-mmc: fix bad pointer math

Message ID	1573115572-13513-75-git-send-email-biju.das@bp.renesas.com (mailing list archive)
State	Changes Requested
Headers	show Return-Path: <SRS0=jsJ3=Y7=lists.cip-project.org=cip-dev-bounces@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org E8EB621D7B From: Biju Das <biju.das@bp.renesas.com> To: cip-dev@lists.cip-project.org, Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>, Pavel Machek <pavel@denx.de> Date: Thu, 7 Nov 2019 08:32:43 +0000 Message-Id: <1573115572-13513-75-git-send-email-biju.das@bp.renesas.com> In-Reply-To: <1573115572-13513-1-git-send-email-biju.das@bp.renesas.com> References: <1573115572-13513-1-git-send-email-biju.das@bp.renesas.com> Cc: Biju Das <biju.das@bp.renesas.com> Subject: [cip-dev] [PATCH 4.4.y-cip 74/83] mmc: tmio-mmc: fix bad pointer math Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: cip-dev-bounces@lists.cip-project.org Errors-To: cip-dev-bounces@lists.cip-project.org
Series	Add RZ/G1C SD/eMMC support \| expand [4.4.y-cip,00/83] Add RZ/G1C SD/eMMC support [4.4.y-cip,01/83] mmc: tmio_mmc_dma: don't print invalid DMA cookie [4.4.y-cip,02/83] mmc: tmio_dma: remove debug messages with little information [4.4.y-cip,03/83] mmc: tmio: add flag to reduce delay after changing clock status [4.4.y-cip,04/83] mmc: tmio: remove stale comments [4.4.y-cip,05/83] mmc: tmio: refactor set_clock a little [4.4.y-cip,06/83] mmc: tmio: disable clock before changing it [4.4.y-cip,07/83] mmc: sdhi: use faster clock handling on RCar Gen2 [4.4.y-cip,08/83] mmc: sdhi: error message on ENOMEM is superfluous [4.4.y-cip,09/83] mmc: sdhi: Add r8a7795 support [4.4.y-cip,10/83] mmc: tmio, sh_mobile_sdhi: Pass tmio_mmc_host ptr to clk_{enable, disable} ops [4.4.y-cip,11/83] mmc: tmio, sh_mobile_sdhi: Add support for variable input clock frequency [4.4.y-cip,12/83] mmc: tmio: Add UHS-I mode support [4.4.y-cip,13/83] mmc: sh_mobile_sdhi: Add UHS-I mode support [4.4.y-cip,14/83] mmc: tmio: always start clock after frequency calculation [4.4.y-cip,15/83] mmc: tmio: stop clock when 0Hz is requested [4.4.y-cip,16/83] mmc: tmio: Remove redundant runtime PM calls [4.4.y-cip,17/83] mmc: sh_mobile_sdhi: remove obsolete irq_by_name registration [4.4.y-cip,18/83] mmc: tmio: remove now unneeded seperate irq handlers [4.4.y-cip,19/83] mmc: tmio: simplify irq handler [4.4.y-cip,20/83] mmc: tmio: merge distributed include files [4.4.y-cip,21/83] mmc: tmio: give read32/write32 functions more descriptive names [4.4.y-cip,22/83] mmc: tmio: use BIT() within defines [4.4.y-cip,23/83] mmc: tmio: use CTL_STATUS consistently [4.4.y-cip,24/83] mmc: tmio/sdhi: distinguish between SCLKDIVEN and ILL_FUNC [4.4.y-cip,25/83] mmc: tmio: document CTL_STATUS handling [4.4.y-cip,26/83] mmc: tmio/sdhi: introduce flag for RCar 2+ specific features [4.4.y-cip,27/83] mmc: sh_mobile_sdhi: make clk_update function more compact [4.4.y-cip,28/83] mmc: sh_mobile_sdhi: only change the clock on RCar Gen2+ [4.4.y-cip,29/83] mmc: sh_mobile_sdhi: check return value when changing clk [4.4.y-cip,30/83] mmc: sh_mobile_sdhi: properly document R-Car versions [4.4.y-cip,31/83] mmc: host: sh_mobile_sdhi: move card_busy from tmio to sdhi [4.4.y-cip,32/83] mmc: host: sh_mobile_sdhi: don't populate unneeded functions [4.4.y-cip,33/83] mmc: tmio: add eMMC support [4.4.y-cip,34/83] mmc: tmio-mmc: add support for 32bit data port [4.4.y-cip,35/83] mmc: add define for R1 response without CRC [4.4.y-cip,36/83] mmc: sh_mobile_sdhi: add ocr_mask option [4.4.y-cip,37/83] mmc: tmio: enhance illegal sequence handling [4.4.y-cip,38/83] mmc: tmio: document mandatory and optional callbacks [4.4.y-cip,39/83] mmc: tmio: Add hw reset support [4.4.y-cip,40/83] mmc: core: Add helper to see if a host can be retuned [4.4.y-cip,41/83] mmc: tmio: Add tuning support [4.4.y-cip,42/83] mmc: sh_mobile_sdhi: Add tuning support [4.4.y-cip,43/83] mmc: tmio: fix wrong bitmask for SDIO irqs [4.4.y-cip,44/83] mmc: tmio: remove SDIO from TODO list [4.4.y-cip,45/83] mmc: tmio: use SDIO master interrupt bit only when allowed [4.4.y-cip,46/83] mmc: sh_mobile_sdhi: simplify accessing DT data [4.4.y-cip,47/83] mmc: sh_mobile_sdhi: improve prerequisite for hw_reset [4.4.y-cip,48/83] mmc: sh_mobile_sdhi: remove superfluous check in hw_reset [4.4.y-cip,49/83] mmc: sh_mobile_sdhi: improve prerequisites for tuning [4.4.y-cip,50/83] mmc: sh_mobile_sdhi: remove superfluous check in SCC error check [4.4.y-cip,51/83] mmc: sh_mobile_sdhi: remove superfluous check in init_tuning [4.4.y-cip,52/83] mmc: sh_mobile_sdhi: enable HS200 [4.4.y-cip,53/83] mmc: host: tmio: drop superfluous exit path [4.4.y-cip,54/83] mmc: tmio: Remove redundant check of mmc->slot.cd_irq [4.4.y-cip,55/83] mmc: host: tmio: disable clocks when unbinding [4.4.y-cip,56/83] mmc: host: tmio: refactor calls to sdio irq [4.4.y-cip,57/83] mmc: host: tmio: SDIO_STATUS_QUIRK is rather SDIO_STATUS_SETBITS [4.4.y-cip,58/83] mmc: tmio: discard obsolete SDIO irqs before enabling irqs [4.4.y-cip,59/83] mmc: tmio: ensure end of DMA and SD access are in sync [4.4.y-cip,60/83] mmc: host: tmio: use defines for CTL_STOP_INTERNAL_ACTION values [4.4.y-cip,61/83] mmc: host: tmio: don't BUG on unsupported stop commands [4.4.y-cip,62/83] mmc: host: tmio: fill in response from auto cmd12 [4.4.y-cip,63/83] mmc: tmio: always get number of taps [4.4.y-cip,64/83] mmc: tmio: drop filenames from comment at top of source [4.4.y-cip,65/83] mmc: renesas-sdhi, tmio: make dma more modular [4.4.y-cip,66/83] mmc: tmio: rename tmio_mmc_{pio => core}.c [4.4.y-cip,67/83] mmc: renesas-sdhi: rename tmio_mmc_dma.c => renesas_sdhi_sys_dmac.c [4.4.y-cip,68/83] mmc: renesas-sdhi: rename sh_mobile_sdhi.c => renesas_sdhi_core.c [4.4.y-cip,69/83] mmc: renesas-sdhi: make renesas_sdhi_sys_dmac main module file [4.4.y-cip,70/83] mmc: renesas-sdhi: improve checkpatch cleanness [4.4.y-cip,71/83] mmc: tmio, renesas-sdhi: add max_{segs, blk_count} to tmio_mmc_data [4.4.y-cip,72/83] mmc: tmio, renesas-sdhi: add dataend to DMA ops [4.4.y-cip,73/83] mmc: renesas-sdhi: add support for R-Car Gen3 SDHI DMAC [4.4.y-cip,74/83] mmc: tmio-mmc: fix bad pointer math [4.4.y-cip,75/83] mmc: renesas_sdhi: consolidate DMAC CONFIG options [4.4.y-cip,76/83] dt-bindings: mmc: renesas_sdhi: add R-Car Gen[123] fallback compatibility strings [4.4.y-cip,77/83] mmc: renesas_sdhi: implement R-Car Gen[123] fallback compatibility strings [4.4.y-cip,78/83] dt-bindings: mmc: renesas_sdhi: Add r8a77470 support [4.4.y-cip,79/83] mmc: renesas_sdhi: Add r8a77470 SDHI1 support [4.4.y-cip,80/83] ARM: dts: r8a77470: Add SDHI2 support [4.4.y-cip,81/83] ARM: dts: r8a77470: Add SDHI0 support [4.4.y-cip,82/83] ARM: dts: r8a77470: Add SDHI1 support [4.4.y-cip,83/83] ARM: dts: iwg23s-sbc: Add uSD and eMMC support

Message ID

1573115572-13513-75-git-send-email-biju.das@bp.renesas.com (mailing list archive)

State

Changes Requested

Headers

DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org E8EB621D7B
From: Biju Das <biju.das@bp.renesas.com>
To: cip-dev@lists.cip-project.org,
	Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>,
	Pavel Machek <pavel@denx.de>
Date: Thu,  7 Nov 2019 08:32:43 +0000
Message-Id: <1573115572-13513-75-git-send-email-biju.das@bp.renesas.com>
In-Reply-To: <1573115572-13513-1-git-send-email-biju.das@bp.renesas.com>
References: <1573115572-13513-1-git-send-email-biju.das@bp.renesas.com>
Cc: Biju Das <biju.das@bp.renesas.com>
Subject: [cip-dev] [PATCH 4.4.y-cip 74/83] mmc: tmio-mmc: fix bad pointer
	math
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: cip-dev-bounces@lists.cip-project.org
Errors-To: cip-dev-bounces@lists.cip-project.org

Series

Add RZ/G1C SD/eMMC support | expand

Commit Message

Biju Das Nov. 7, 2019, 8:32 a.m. UTC

From: Chris Brandt <chris.brandt@renesas.com>

commit b5dd7985e8d3357ff9537c0be231190ab1a131fe upstream.

commit 9c284c41c0886f09e75c323a16278b6d353b0b4a upstream.

The existing code gives an incorrect pointer value.
The buffer pointer 'buf' was of type unsigned short *, and 'count' was a
number in bytes. A cast of buf should have been used.

However, instead of casting, just change the code to use u32 pointers.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Fixes: 8185e51f358a: ("mmc: tmio-mmc: add support for 32bit data port")
Signed-off-by: Chris Brandt <chris.brandt@renesas.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Acked-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Biju Das <biju.das@bp.renesas.com>
---
 drivers/mmc/host/tmio_mmc_core.c | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

Comments

Pavel Machek Nov. 8, 2019, 10:38 a.m. UTC | #1

Hi!

> From: Chris Brandt <chris.brandt@renesas.com>
> 
> commit b5dd7985e8d3357ff9537c0be231190ab1a131fe upstream.
> 
> commit 9c284c41c0886f09e75c323a16278b6d353b0b4a upstream.
> 
> The existing code gives an incorrect pointer value.
> The buffer pointer 'buf' was of type unsigned short *, and 'count' was a
> number in bytes. A cast of buf should have been used.
> 
> However, instead of casting, just change the code to use u32
> pointers.

Yep, I see, nasty; silent data corruption. Could this be merged to the
patch that introduces the problem, or the original patch somehow
modified that it will not corrupt data ... for example during bisection?

> +++ b/drivers/mmc/host/tmio_mmc_core.c
> @@ -446,30 +446,29 @@ static void tmio_mmc_transfer_data(struct tmio_mmc_host *host,
>  	 * Transfer the data
>  	 */
>  	if (host->pdata->flags & TMIO_MMC_32BIT_DATA_PORT) {
> -		u8 data[4] = { };
> +		u32 data = 0;
> +		u32 *buf32 = (u32 *)buf;
>  
>  		if (is_read)
> -			sd_ctrl_read32_rep(host, CTL_SD_DATA_PORT, (u32 *)buf,
> +			sd_ctrl_read32_rep(host, CTL_SD_DATA_PORT, buf32,
>  					   count >> 2);
>  		else
> -			sd_ctrl_write32_rep(host, CTL_SD_DATA_PORT, (u32 *)buf,
> +			sd_ctrl_write32_rep(host, CTL_SD_DATA_PORT, buf32,
>  					    count >> 2);
>  
>  		/* if count was multiple of 4 */
>  		if (!(count & 0x3))
>  			return;
>  
> -		buf8 = (u8 *)(buf + (count >> 2));
> +		buf32 += count >> 2;
>  		count %= 4;

Can we do count &= 0x3, to keep style of if () above? Actually you can
do 

    count &= 0x3;
    if (!count) return;

Plus, there's code handling 16 bit case just below this; it is
different in style, and by using

    *buf8 = sd_ctrl_read16(host, CTL_SD_DATA_PORT) & 0xff;

instead of read16_rep(), it is buggy on big endian (as comment
says). Perhaps synchronizing to similar, non-buggy version would be
good?

Best regards,
								Pavel

diff --git a/drivers/mmc/host/tmio_mmc_core.c b/drivers/mmc/host/tmio_mmc_core.c
index 43209ea28..b6500a6 100644
--- a/drivers/mmc/host/tmio_mmc_core.c
+++ b/drivers/mmc/host/tmio_mmc_core.c
@@ -446,30 +446,29 @@  static void tmio_mmc_transfer_data(struct tmio_mmc_host *host,
 	 * Transfer the data
 	 */
 	if (host->pdata->flags & TMIO_MMC_32BIT_DATA_PORT) {
-		u8 data[4] = { };
+		u32 data = 0;
+		u32 *buf32 = (u32 *)buf;
 
 		if (is_read)
-			sd_ctrl_read32_rep(host, CTL_SD_DATA_PORT, (u32 *)buf,
+			sd_ctrl_read32_rep(host, CTL_SD_DATA_PORT, buf32,
 					   count >> 2);
 		else
-			sd_ctrl_write32_rep(host, CTL_SD_DATA_PORT, (u32 *)buf,
+			sd_ctrl_write32_rep(host, CTL_SD_DATA_PORT, buf32,
 					    count >> 2);
 
 		/* if count was multiple of 4 */
 		if (!(count & 0x3))
 			return;
 
-		buf8 = (u8 *)(buf + (count >> 2));
+		buf32 += count >> 2;
 		count %= 4;
 
 		if (is_read) {
-			sd_ctrl_read32_rep(host, CTL_SD_DATA_PORT,
-					   (u32 *)data, 1);
-			memcpy(buf8, data, count);
+			sd_ctrl_read32_rep(host, CTL_SD_DATA_PORT, &data, 1);
+			memcpy(buf32, &data, count);
 		} else {
-			memcpy(data, buf8, count);
-			sd_ctrl_write32_rep(host, CTL_SD_DATA_PORT,
-					    (u32 *)data, 1);
+			memcpy(&data, buf32, count);
+			sd_ctrl_write32_rep(host, CTL_SD_DATA_PORT, &data, 1);
 		}
 
 		return;

[4.4.y-cip,74/83] mmc: tmio-mmc: fix bad pointer math

Commit Message

Comments

Patch