From: Alan Mikhak <[email protected]>
Function dw_pcie_prog_outbound_atu_unroll() does not program the upper
32-bit ATU limit register. Since ATU programming functions limit the
size of the translated region to 4GB by using a u32 size parameter,
these issues may combine into undefined behavior for resource sizes
with non-zero upper 32-bits.
For example, a 128GB address space starting at physical CPU address of
0x2000000000 with size of 0x2000000000 needs the following values
programmed into the lower and upper 32-bit limit registers:
0x3fffffff in the upper 32-bit limit register
0xffffffff in the lower 32-bit limit register
Currently, only the lower 32-bit limit register is programmed with a
value of 0xffffffff but the upper 32-bit limit register is not being
programmed. As a result, the upper 32-bit limit register remains at its
default value after reset of 0x0.
These issues may combine to produce undefined behavior since the ATU
limit address may be lower than the ATU base address. Programming the
upper ATU limit address register prevents such undefined behavior despite
the region size getting truncated due to the 32-bit size limit.
Signed-off-by: Alan Mikhak <[email protected]>
---
drivers/pci/controller/dwc/pcie-designware.c | 7 +++++--
drivers/pci/controller/dwc/pcie-designware.h | 3 ++-
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/drivers/pci/controller/dwc/pcie-designware.c b/drivers/pci/controller/dwc/pcie-designware.c
index 681548c88282..c92496e36fd5 100644
--- a/drivers/pci/controller/dwc/pcie-designware.c
+++ b/drivers/pci/controller/dwc/pcie-designware.c
@@ -244,13 +244,16 @@ static void dw_pcie_prog_outbound_atu_unroll(struct dw_pcie *pci, int index,
u64 pci_addr, u32 size)
{
u32 retries, val;
+ u64 limit_addr = cpu_addr + size - 1;
dw_pcie_writel_ob_unroll(pci, index, PCIE_ATU_UNR_LOWER_BASE,
lower_32_bits(cpu_addr));
dw_pcie_writel_ob_unroll(pci, index, PCIE_ATU_UNR_UPPER_BASE,
upper_32_bits(cpu_addr));
- dw_pcie_writel_ob_unroll(pci, index, PCIE_ATU_UNR_LIMIT,
- lower_32_bits(cpu_addr + size - 1));
+ dw_pcie_writel_ob_unroll(pci, index, PCIE_ATU_UNR_LOWER_LIMIT,
+ lower_32_bits(limit_addr));
+ dw_pcie_writel_ob_unroll(pci, index, PCIE_ATU_UNR_UPPER_LIMIT,
+ upper_32_bits(limit_addr));
dw_pcie_writel_ob_unroll(pci, index, PCIE_ATU_UNR_LOWER_TARGET,
lower_32_bits(pci_addr));
dw_pcie_writel_ob_unroll(pci, index, PCIE_ATU_UNR_UPPER_TARGET,
diff --git a/drivers/pci/controller/dwc/pcie-designware.h b/drivers/pci/controller/dwc/pcie-designware.h
index a22ea5982817..5ce1aef706c5 100644
--- a/drivers/pci/controller/dwc/pcie-designware.h
+++ b/drivers/pci/controller/dwc/pcie-designware.h
@@ -112,9 +112,10 @@
#define PCIE_ATU_UNR_REGION_CTRL2 0x04
#define PCIE_ATU_UNR_LOWER_BASE 0x08
#define PCIE_ATU_UNR_UPPER_BASE 0x0C
-#define PCIE_ATU_UNR_LIMIT 0x10
+#define PCIE_ATU_UNR_LOWER_LIMIT 0x10
#define PCIE_ATU_UNR_LOWER_TARGET 0x14
#define PCIE_ATU_UNR_UPPER_TARGET 0x18
+#define PCIE_ATU_UNR_UPPER_LIMIT 0x20
/*
* The default address offset between dbi_base and atu_base. Root controller
--
2.7.4
On Wed, Apr 01, 2020 at 04:58:13PM -0700, Alan Mikhak wrote:
> From: Alan Mikhak <[email protected]>
>
> Function dw_pcie_prog_outbound_atu_unroll() does not program the upper
> 32-bit ATU limit register. Since ATU programming functions limit the
> size of the translated region to 4GB by using a u32 size parameter,
> these issues may combine into undefined behavior for resource sizes
> with non-zero upper 32-bits.
>
> For example, a 128GB address space starting at physical CPU address of
> 0x2000000000 with size of 0x2000000000 needs the following values
> programmed into the lower and upper 32-bit limit registers:
> 0x3fffffff in the upper 32-bit limit register
> 0xffffffff in the lower 32-bit limit register
>
> Currently, only the lower 32-bit limit register is programmed with a
> value of 0xffffffff but the upper 32-bit limit register is not being
> programmed. As a result, the upper 32-bit limit register remains at its
> default value after reset of 0x0.
>
> These issues may combine to produce undefined behavior since the ATU
> limit address may be lower than the ATU base address. Programming the
> upper ATU limit address register prevents such undefined behavior despite
> the region size getting truncated due to the 32-bit size limit.
>
> Signed-off-by: Alan Mikhak <[email protected]>
> ---
> drivers/pci/controller/dwc/pcie-designware.c | 7 +++++--
> drivers/pci/controller/dwc/pcie-designware.h | 3 ++-
> 2 files changed, 7 insertions(+), 3 deletions(-)
I would appreciate some feedback and possibly and ACK from DWC
maintainers. Should this go to stable kernels ? It seems so,
let me know if we want to add a stable tag.
I will merge it, along with:
https://patchwork.kernel.org/patch/11468465/
Lorenzo
>
> diff --git a/drivers/pci/controller/dwc/pcie-designware.c b/drivers/pci/controller/dwc/pcie-designware.c
> index 681548c88282..c92496e36fd5 100644
> --- a/drivers/pci/controller/dwc/pcie-designware.c
> +++ b/drivers/pci/controller/dwc/pcie-designware.c
> @@ -244,13 +244,16 @@ static void dw_pcie_prog_outbound_atu_unroll(struct dw_pcie *pci, int index,
> u64 pci_addr, u32 size)
> {
> u32 retries, val;
> + u64 limit_addr = cpu_addr + size - 1;
>
> dw_pcie_writel_ob_unroll(pci, index, PCIE_ATU_UNR_LOWER_BASE,
> lower_32_bits(cpu_addr));
> dw_pcie_writel_ob_unroll(pci, index, PCIE_ATU_UNR_UPPER_BASE,
> upper_32_bits(cpu_addr));
> - dw_pcie_writel_ob_unroll(pci, index, PCIE_ATU_UNR_LIMIT,
> - lower_32_bits(cpu_addr + size - 1));
> + dw_pcie_writel_ob_unroll(pci, index, PCIE_ATU_UNR_LOWER_LIMIT,
> + lower_32_bits(limit_addr));
> + dw_pcie_writel_ob_unroll(pci, index, PCIE_ATU_UNR_UPPER_LIMIT,
> + upper_32_bits(limit_addr));
> dw_pcie_writel_ob_unroll(pci, index, PCIE_ATU_UNR_LOWER_TARGET,
> lower_32_bits(pci_addr));
> dw_pcie_writel_ob_unroll(pci, index, PCIE_ATU_UNR_UPPER_TARGET,
> diff --git a/drivers/pci/controller/dwc/pcie-designware.h b/drivers/pci/controller/dwc/pcie-designware.h
> index a22ea5982817..5ce1aef706c5 100644
> --- a/drivers/pci/controller/dwc/pcie-designware.h
> +++ b/drivers/pci/controller/dwc/pcie-designware.h
> @@ -112,9 +112,10 @@
> #define PCIE_ATU_UNR_REGION_CTRL2 0x04
> #define PCIE_ATU_UNR_LOWER_BASE 0x08
> #define PCIE_ATU_UNR_UPPER_BASE 0x0C
> -#define PCIE_ATU_UNR_LIMIT 0x10
> +#define PCIE_ATU_UNR_LOWER_LIMIT 0x10
> #define PCIE_ATU_UNR_LOWER_TARGET 0x14
> #define PCIE_ATU_UNR_UPPER_TARGET 0x18
> +#define PCIE_ATU_UNR_UPPER_LIMIT 0x20
>
> /*
> * The default address offset between dbi_base and atu_base. Root controller
> --
> 2.7.4
>
On Thu, Apr 2, 2020 at 0:58:13, Alan Mikhak <[email protected]>
wrote:
> From: Alan Mikhak <[email protected]>
>
> Function dw_pcie_prog_outbound_atu_unroll() does not program the upper
> 32-bit ATU limit register. Since ATU programming functions limit the
> size of the translated region to 4GB by using a u32 size parameter,
> these issues may combine into undefined behavior for resource sizes
> with non-zero upper 32-bits.
>
> For example, a 128GB address space starting at physical CPU address of
> 0x2000000000 with size of 0x2000000000 needs the following values
> programmed into the lower and upper 32-bit limit registers:
> 0x3fffffff in the upper 32-bit limit register
> 0xffffffff in the lower 32-bit limit register
>
> Currently, only the lower 32-bit limit register is programmed with a
> value of 0xffffffff but the upper 32-bit limit register is not being
> programmed. As a result, the upper 32-bit limit register remains at its
> default value after reset of 0x0.
>
> These issues may combine to produce undefined behavior since the ATU
> limit address may be lower than the ATU base address. Programming the
> upper ATU limit address register prevents such undefined behavior despite
> the region size getting truncated due to the 32-bit size limit.
>
> Signed-off-by: Alan Mikhak <[email protected]>
> ---
> drivers/pci/controller/dwc/pcie-designware.c | 7 +++++--
> drivers/pci/controller/dwc/pcie-designware.h | 3 ++-
> 2 files changed, 7 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/pci/controller/dwc/pcie-designware.c b/drivers/pci/controller/dwc/pcie-designware.c
> index 681548c88282..c92496e36fd5 100644
> --- a/drivers/pci/controller/dwc/pcie-designware.c
> +++ b/drivers/pci/controller/dwc/pcie-designware.c
> @@ -244,13 +244,16 @@ static void dw_pcie_prog_outbound_atu_unroll(struct dw_pcie *pci, int index,
> u64 pci_addr, u32 size)
> {
> u32 retries, val;
> + u64 limit_addr = cpu_addr + size - 1;
>
> dw_pcie_writel_ob_unroll(pci, index, PCIE_ATU_UNR_LOWER_BASE,
> lower_32_bits(cpu_addr));
> dw_pcie_writel_ob_unroll(pci, index, PCIE_ATU_UNR_UPPER_BASE,
> upper_32_bits(cpu_addr));
> - dw_pcie_writel_ob_unroll(pci, index, PCIE_ATU_UNR_LIMIT,
> - lower_32_bits(cpu_addr + size - 1));
> + dw_pcie_writel_ob_unroll(pci, index, PCIE_ATU_UNR_LOWER_LIMIT,
> + lower_32_bits(limit_addr));
> + dw_pcie_writel_ob_unroll(pci, index, PCIE_ATU_UNR_UPPER_LIMIT,
> + upper_32_bits(limit_addr));
> dw_pcie_writel_ob_unroll(pci, index, PCIE_ATU_UNR_LOWER_TARGET,
> lower_32_bits(pci_addr));
> dw_pcie_writel_ob_unroll(pci, index, PCIE_ATU_UNR_UPPER_TARGET,
> diff --git a/drivers/pci/controller/dwc/pcie-designware.h b/drivers/pci/controller/dwc/pcie-designware.h
> index a22ea5982817..5ce1aef706c5 100644
> --- a/drivers/pci/controller/dwc/pcie-designware.h
> +++ b/drivers/pci/controller/dwc/pcie-designware.h
> @@ -112,9 +112,10 @@
> #define PCIE_ATU_UNR_REGION_CTRL2 0x04
> #define PCIE_ATU_UNR_LOWER_BASE 0x08
> #define PCIE_ATU_UNR_UPPER_BASE 0x0C
> -#define PCIE_ATU_UNR_LIMIT 0x10
> +#define PCIE_ATU_UNR_LOWER_LIMIT 0x10
> #define PCIE_ATU_UNR_LOWER_TARGET 0x14
> #define PCIE_ATU_UNR_UPPER_TARGET 0x18
> +#define PCIE_ATU_UNR_UPPER_LIMIT 0x20
>
> /*
> * The default address offset between dbi_base and atu_base. Root controller
> --
> 2.7.4
Acked-by: Gustavo Pimentel <[email protected]>
Hi Lorenzo,
On Tue, May 5, 2020 at 11:29:33, Lorenzo Pieralisi
<[email protected]> wrote:
> On Wed, Apr 01, 2020 at 04:58:13PM -0700, Alan Mikhak wrote:
> > From: Alan Mikhak <[email protected]>
> >
> > Function dw_pcie_prog_outbound_atu_unroll() does not program the upper
> > 32-bit ATU limit register. Since ATU programming functions limit the
> > size of the translated region to 4GB by using a u32 size parameter,
> > these issues may combine into undefined behavior for resource sizes
> > with non-zero upper 32-bits.
> >
> > For example, a 128GB address space starting at physical CPU address of
> > 0x2000000000 with size of 0x2000000000 needs the following values
> > programmed into the lower and upper 32-bit limit registers:
> > 0x3fffffff in the upper 32-bit limit register
> > 0xffffffff in the lower 32-bit limit register
> >
> > Currently, only the lower 32-bit limit register is programmed with a
> > value of 0xffffffff but the upper 32-bit limit register is not being
> > programmed. As a result, the upper 32-bit limit register remains at its
> > default value after reset of 0x0.
> >
> > These issues may combine to produce undefined behavior since the ATU
> > limit address may be lower than the ATU base address. Programming the
> > upper ATU limit address register prevents such undefined behavior despite
> > the region size getting truncated due to the 32-bit size limit.
> >
> > Signed-off-by: Alan Mikhak <[email protected]>
> > ---
> > drivers/pci/controller/dwc/pcie-designware.c | 7 +++++--
> > drivers/pci/controller/dwc/pcie-designware.h | 3 ++-
> > 2 files changed, 7 insertions(+), 3 deletions(-)
>
> I would appreciate some feedback and possibly and ACK from DWC
> maintainers. Should this go to stable kernels ? It seems so,
> let me know if we want to add a stable tag.
>
> I will merge it, along with:
>
> https://urldefense.com/v3/__https://patchwork.kernel.org/patch/11468465/__;!!A4F2R9G_pg!NoymSJCWmOx51jB7LdQQAbXFin14nfuVIQNQxROnskLmmGkzFeNOrf8nFWX_-KgsgO87N9M$
>
> Lorenzo
Sorry for the delay. I just gave the ACK to that patch. For me, it makes
sense to me to send it along with the patch that you just referred to the
stable kernels.
-Gustavo
On Wed, Apr 01, 2020 at 04:58:13PM -0700, Alan Mikhak wrote:
> From: Alan Mikhak <[email protected]>
>
> Function dw_pcie_prog_outbound_atu_unroll() does not program the upper
> 32-bit ATU limit register. Since ATU programming functions limit the
> size of the translated region to 4GB by using a u32 size parameter,
> these issues may combine into undefined behavior for resource sizes
> with non-zero upper 32-bits.
>
> For example, a 128GB address space starting at physical CPU address of
> 0x2000000000 with size of 0x2000000000 needs the following values
> programmed into the lower and upper 32-bit limit registers:
> 0x3fffffff in the upper 32-bit limit register
> 0xffffffff in the lower 32-bit limit register
>
> Currently, only the lower 32-bit limit register is programmed with a
> value of 0xffffffff but the upper 32-bit limit register is not being
> programmed. As a result, the upper 32-bit limit register remains at its
> default value after reset of 0x0.
>
> These issues may combine to produce undefined behavior since the ATU
> limit address may be lower than the ATU base address. Programming the
> upper ATU limit address register prevents such undefined behavior despite
> the region size getting truncated due to the 32-bit size limit.
>
> Signed-off-by: Alan Mikhak <[email protected]>
> ---
> drivers/pci/controller/dwc/pcie-designware.c | 7 +++++--
> drivers/pci/controller/dwc/pcie-designware.h | 3 ++-
> 2 files changed, 7 insertions(+), 3 deletions(-)
Applied to pci/dwc, thanks.
Lorenzo
> diff --git a/drivers/pci/controller/dwc/pcie-designware.c b/drivers/pci/controller/dwc/pcie-designware.c
> index 681548c88282..c92496e36fd5 100644
> --- a/drivers/pci/controller/dwc/pcie-designware.c
> +++ b/drivers/pci/controller/dwc/pcie-designware.c
> @@ -244,13 +244,16 @@ static void dw_pcie_prog_outbound_atu_unroll(struct dw_pcie *pci, int index,
> u64 pci_addr, u32 size)
> {
> u32 retries, val;
> + u64 limit_addr = cpu_addr + size - 1;
>
> dw_pcie_writel_ob_unroll(pci, index, PCIE_ATU_UNR_LOWER_BASE,
> lower_32_bits(cpu_addr));
> dw_pcie_writel_ob_unroll(pci, index, PCIE_ATU_UNR_UPPER_BASE,
> upper_32_bits(cpu_addr));
> - dw_pcie_writel_ob_unroll(pci, index, PCIE_ATU_UNR_LIMIT,
> - lower_32_bits(cpu_addr + size - 1));
> + dw_pcie_writel_ob_unroll(pci, index, PCIE_ATU_UNR_LOWER_LIMIT,
> + lower_32_bits(limit_addr));
> + dw_pcie_writel_ob_unroll(pci, index, PCIE_ATU_UNR_UPPER_LIMIT,
> + upper_32_bits(limit_addr));
> dw_pcie_writel_ob_unroll(pci, index, PCIE_ATU_UNR_LOWER_TARGET,
> lower_32_bits(pci_addr));
> dw_pcie_writel_ob_unroll(pci, index, PCIE_ATU_UNR_UPPER_TARGET,
> diff --git a/drivers/pci/controller/dwc/pcie-designware.h b/drivers/pci/controller/dwc/pcie-designware.h
> index a22ea5982817..5ce1aef706c5 100644
> --- a/drivers/pci/controller/dwc/pcie-designware.h
> +++ b/drivers/pci/controller/dwc/pcie-designware.h
> @@ -112,9 +112,10 @@
> #define PCIE_ATU_UNR_REGION_CTRL2 0x04
> #define PCIE_ATU_UNR_LOWER_BASE 0x08
> #define PCIE_ATU_UNR_UPPER_BASE 0x0C
> -#define PCIE_ATU_UNR_LIMIT 0x10
> +#define PCIE_ATU_UNR_LOWER_LIMIT 0x10
> #define PCIE_ATU_UNR_LOWER_TARGET 0x14
> #define PCIE_ATU_UNR_UPPER_TARGET 0x18
> +#define PCIE_ATU_UNR_UPPER_LIMIT 0x20
>
> /*
> * The default address offset between dbi_base and atu_base. Root controller
> --
> 2.7.4
>