2016-03-15 23:06:38

by Aaro Koskinen

Subject: [PATCH v2] drivers/firmware/broadcom/bcm47xx_nvram.c: fix incorrect __ioread32_copy

Commit 1f330c327900 ("drivers/firmware/broadcom/bcm47xx_nvram.c: use
__ioread32_copy() instead of open-coding") switched to use a generic copy
function, but failed to notice that the header pointer is updated between
the two copies, resulting in bogus data being copied in the latter one.
Fix by keeping the old header pointer.

The patch fixes totally broken networking on WRT54GL router (both LAN
and WLAN interfaces fail to probe).

Fixes: 1f330c327900 ("drivers/firmware/broadcom/bcm47xx_nvram.c: use __ioread32_copy() instead of open-coding")
Signed-off-by: Aaro Koskinen <[email protected]>
---

v2: Avoid using the device memory after the first copy when
checking the nvram length, suggested by Stephen Boyd.

v1: http://marc.info/?t=145807850800003&r=1&w=2

drivers/firmware/broadcom/bcm47xx_nvram.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/drivers/firmware/broadcom/bcm47xx_nvram.c b/drivers/firmware/broadcom/bcm47xx_nvram.c
index 0c2f0a6..0b631e5 100644
--- a/drivers/firmware/broadcom/bcm47xx_nvram.c
+++ b/drivers/firmware/broadcom/bcm47xx_nvram.c
@@ -94,15 +94,14 @@ static int nvram_find_and_copy(void __iomem *iobase, u32 lim)

found:
__ioread32_copy(nvram_buf, header, sizeof(*header) / 4);
- header = (struct nvram_header *)nvram_buf;
- nvram_len = header->len;
+ nvram_len = ((struct nvram_header *)(nvram_buf))->len;
if (nvram_len > size) {
pr_err("The nvram size according to the header seems to be bigger than the partition on flash\n");
nvram_len = size;
}
if (nvram_len >= NVRAM_SPACE) {
pr_err("nvram on flash (%i bytes) is bigger than the reserved space in memory, will just copy the first %i bytes\n",
- header->len, NVRAM_SPACE - 1);
+ nvram_len, NVRAM_SPACE - 1);
nvram_len = NVRAM_SPACE - 1;
}
/* proceed reading data after header */
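
Review bot: In the second pr_err(), passing `nvram_len` in place of `header->len` changes what gets logged: by that point `nvram_len` may already have been clamped to `size` by the `if (nvram_len > size)` block just above, so "nvram on flash (%i bytes)" can report the partition size instead of the length stored in the header. If the header's own value is what should appear in the message, save it in a local right after the first `__ioread32_copy()` and print that local here.
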
--
2.7.2


2016-03-15 23:13:34

by Stephen Boyd

Subject: Re: [PATCH v2] drivers/firmware/broadcom/bcm47xx_nvram.c: fix incorrect __ioread32_copy

On 03/16, Aaro Koskinen wrote:
> Commit 1f330c327900 ("drivers/firmware/broadcom/bcm47xx_nvram.c: use
> __ioread32_copy() instead of open-coding") switched to use a generic copy
> function, but failed to notice that the header pointer is updated between
> the two copies, resulting in bogus data being copied in the latter one.
> Fix by keeping the old header pointer.
>
> The patch fixes totally broken networking on WRT54GL router (both LAN
> and WLAN interfaces fail to probe).
>
> Fixes: 1f330c327900 ("drivers/firmware/broadcom/bcm47xx_nvram.c: use __ioread32_copy() instead of open-coding")
> Signed-off-by: Aaro Koskinen <[email protected]>
> ---

Reviewed-by: Stephen Boyd <[email protected]>

--
Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum,
a Linux Foundation Collaborative Project

2016-03-23 21:44:08

by Hauke Mehrtens

Subject: Re: [PATCH v2] drivers/firmware/broadcom/bcm47xx_nvram.c: fix incorrect __ioread32_copy

On 03/16/2016 12:06 AM, Aaro Koskinen wrote:
> Commit 1f330c327900 ("drivers/firmware/broadcom/bcm47xx_nvram.c: use
> __ioread32_copy() instead of open-coding") switched to use a generic copy
> function, but failed to notice that the header pointer is updated between
> the two copies, resulting in bogus data being copied in the latter one.
> Fix by keeping the old header pointer.
>
> The patch fixes totally broken networking on WRT54GL router (both LAN
> and WLAN interfaces fail to probe).
>
> Fixes: 1f330c327900 ("drivers/firmware/broadcom/bcm47xx_nvram.c: use __ioread32_copy() instead of open-coding")
> Signed-off-by: Aaro Koskinen <[email protected]>
> ---
>
> v2: Avoid using the device memory after the first copy when
> checking the nvram length, suggested by Stephen Boyd.
>
> v1: http://marc.info/?t=145807850800003&r=1&w=2
>
> drivers/firmware/broadcom/bcm47xx_nvram.c | 5 ++---
> 1 file changed, 2 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/firmware/broadcom/bcm47xx_nvram.c b/drivers/firmware/broadcom/bcm47xx_nvram.c
> index 0c2f0a6..0b631e5 100644
> --- a/drivers/firmware/broadcom/bcm47xx_nvram.c
> +++ b/drivers/firmware/broadcom/bcm47xx_nvram.c
> @@ -94,15 +94,14 @@ static int nvram_find_and_copy(void __iomem *iobase, u32 lim)
>
> found:
> __ioread32_copy(nvram_buf, header, sizeof(*header) / 4);
> - header = (struct nvram_header *)nvram_buf;
> - nvram_len = header->len;
> + nvram_len = ((struct nvram_header *)(nvram_buf))->len;

I do not understand why this change is needed? Doesn't the old code do
exactly the same as the new one?

The old code updated the header pointer and then accessed a member; the
new one directly accesses this member without updating this pointer.

I assume I am missing something. ;-)

> if (nvram_len > size) {
> pr_err("The nvram size according to the header seems to be bigger than the partition on flash\n");
> nvram_len = size;
> }
> if (nvram_len >= NVRAM_SPACE) {
> pr_err("nvram on flash (%i bytes) is bigger than the reserved space in memory, will just copy the first %i bytes\n",
> - header->len, NVRAM_SPACE - 1);
> + nvram_len, NVRAM_SPACE - 1);
> nvram_len = NVRAM_SPACE - 1;
> }
> /* proceed reading data after header */
>
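
Review bot: The added `nvram_len = ((struct nvram_header *)(nvram_buf))->len;` line has no comment saying that `header` is deliberately left pointing at device memory, and the question raised in this reply shows the intent is not obvious from the code alone. A one-line comment above it, noting that `header` is still needed for the read after "proceed reading data after header", would guard against the pointer being reassigned again. The parentheses around `nvram_buf` inside the cast are also redundant.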

2016-03-23 22:00:16

by Stephen Boyd

Subject: Re: [PATCH v2] drivers/firmware/broadcom/bcm47xx_nvram.c: fix incorrect __ioread32_copy

On 03/23, Hauke Mehrtens wrote:
> On 03/16/2016 12:06 AM, Aaro Koskinen wrote:
> > Commit 1f330c327900 ("drivers/firmware/broadcom/bcm47xx_nvram.c: use
> > __ioread32_copy() instead of open-coding") switched to use a generic copy
> > function, but failed to notice that the header pointer is updated between
> > the two copies, resulting in bogus data being copied in the latter one.
> > Fix by keeping the old header pointer.
> >
> > The patch fixes totally broken networking on WRT54GL router (both LAN
> > and WLAN interfaces fail to probe).
> >
> > Fixes: 1f330c327900 ("drivers/firmware/broadcom/bcm47xx_nvram.c: use __ioread32_copy() instead of open-coding")
> > Signed-off-by: Aaro Koskinen <[email protected]>
> > ---
> >
> > v2: Avoid using the device memory after the first copy when
> > checking the nvram length, suggested by Stephen Boyd.
> >
> > v1: http://marc.info/?t=145807850800003&r=1&w=2
> >
> > drivers/firmware/broadcom/bcm47xx_nvram.c | 5 ++---
> > 1 file changed, 2 insertions(+), 3 deletions(-)
> >
> > diff --git a/drivers/firmware/broadcom/bcm47xx_nvram.c b/drivers/firmware/broadcom/bcm47xx_nvram.c
> > index 0c2f0a6..0b631e5 100644
> > --- a/drivers/firmware/broadcom/bcm47xx_nvram.c
> > +++ b/drivers/firmware/broadcom/bcm47xx_nvram.c
> > @@ -94,15 +94,14 @@ static int nvram_find_and_copy(void __iomem *iobase, u32 lim)
> >
> > found:
> > __ioread32_copy(nvram_buf, header, sizeof(*header) / 4);
> > - header = (struct nvram_header *)nvram_buf;
> > - nvram_len = header->len;
> > + nvram_len = ((struct nvram_header *)(nvram_buf))->len;
>
> I do not understand why this change is needed? Doesn't the old code do
> exactly the same as the new one?
>
> The old code updated the header pointer and then accessed a member; the
> new one directly accesses this member without updating this pointer.
>
> I assume I am missing something. ;-)

The goal is to access 'nvram_buf' which is a copy of 'header'.
This is to avoid any problems with accessing device memory, i.e.
'header', without using the appropriate I/O accessors (readl,
readw, readb).

The bug that's being fixed though is to make sure 'header'
doesn't get overwritten with the pointer to the in-memory copy
that we just made. Further down in this function we copy the
second 'header' that lives in device memory, and repointing
'header' to the in-memory copy breaks that.

--
Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum,
a Linux Foundation Collaborative Project
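
The repointing bug described in the reply above, reduced to a userspace C program (an added example, not code from the patch or the kernel). The two-field `struct nvram_header`, `copy32()` standing in for `__ioread32_copy()`, the constructed `flash` array and the shape of the second copy are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for the driver's header; only 'len' matters here. */
struct nvram_header {
	uint32_t magic;
	uint32_t len;		/* assumed: payload bytes after the header */
};
#define HDR_WORDS (sizeof(struct nvram_header) / 4)
#define BUF_WORDS 16

/* Constructed "flash" image: header followed by two payload words. */
static const uint32_t flash[] = { 0x48534c46, 8, 0x11111111, 0x22222222 };

/* Userspace stand-in for __ioread32_copy(): copy 'count' 32-bit words. */
static void copy32(uint32_t *to, const uint32_t *from, size_t count)
{
	while (count--)
		*to++ = *from++;
}

/* Returns 1 if the payload landed in RAM intact, 0 if it is bogus. */
static int payload_ok(int repoint_header)
{
	uint32_t nvram_buf[BUF_WORDS] = { 0 };
	const uint32_t *header = flash;	/* plays the __iomem pointer */
	uint32_t nvram_len;

	copy32(nvram_buf, header, HDR_WORDS);
	if (repoint_header)
		header = nvram_buf;	/* pre-fix: header now aliases the copy */
	nvram_len = ((struct nvram_header *)nvram_buf)->len;
	if (nvram_len > (BUF_WORDS - HDR_WORDS) * 4)
		nvram_len = (BUF_WORDS - HDR_WORDS) * 4;

	/* Second copy: data after the header, from wherever 'header' points. */
	copy32(nvram_buf + HDR_WORDS, header + HDR_WORDS, (nvram_len + 3) / 4);
	return memcmp(nvram_buf + HDR_WORDS, flash + HDR_WORDS, nvram_len) == 0;
}

int main(void)
{
	printf("header kept on flash: %s\n", payload_ok(0) ? "ok" : "bogus");
	printf("header repointed:     %s\n", payload_ok(1) ? "ok" : "bogus");
	return 0;
}
```

With the pointer repointed, the second copy reads from the destination buffer itself, so the payload area keeps whatever it held before (zeros here) and nothing from flash arrives.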