aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--target/linux/brcm2708/patches-4.19/951-0001-Add-missing-dma_unmap_sg-calls-to-free-relevant-swio.patch46
-rw-r--r--target/linux/brcm2708/patches-4.19/952-0002-Limit-max_req_size-under-arm64-or-any-other-platform.patch33
2 files changed, 79 insertions, 0 deletions
diff --git a/target/linux/brcm2708/patches-4.19/951-0001-Add-missing-dma_unmap_sg-calls-to-free-relevant-swio.patch b/target/linux/brcm2708/patches-4.19/951-0001-Add-missing-dma_unmap_sg-calls-to-free-relevant-swio.patch
new file mode 100644
index 0000000000..3c59d2d322
--- /dev/null
+++ b/target/linux/brcm2708/patches-4.19/951-0001-Add-missing-dma_unmap_sg-calls-to-free-relevant-swio.patch
@@ -0,0 +1,46 @@
+From 51487e55ceabd24572bdd12ed7fd45e20676f399 Mon Sep 17 00:00:00 2001
+From: Yaroslav Rosomakho <yaroslavros@gmail.com>
+Date: Fri, 23 Aug 2019 11:05:51 +0200
+Subject: [PATCH 1/2] Add missing dma_unmap_sg calls to free relevant swiotlb
+ bounce buffers. This prevents DMA leaks.
+
+Signed-off-by: Yaroslav Rosomakho <yaroslavros@gmail.com>
+---
+ drivers/mmc/host/bcm2835-mmc.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/drivers/mmc/host/bcm2835-mmc.c
++++ b/drivers/mmc/host/bcm2835-mmc.c
+@@ -344,16 +344,17 @@ static void bcm2835_mmc_dma_complete(voi
+
+ host->use_dma = false;
+
+- if (host->data && !(host->data->flags & MMC_DATA_WRITE)) {
+- /* otherwise handled in SDHCI IRQ */
++ if (host->data) {
+ dma_chan = host->dma_chan_rxtx;
+- dir_data = DMA_FROM_DEVICE;
+-
++ if (host->data->flags & MMC_DATA_WRITE)
++ dir_data = DMA_TO_DEVICE;
++ else
++ dir_data = DMA_FROM_DEVICE;
+ dma_unmap_sg(dma_chan->device->dev,
+ host->data->sg, host->data->sg_len,
+ dir_data);
+-
+- bcm2835_mmc_finish_data(host);
++ if (! (host->data->flags & MMC_DATA_WRITE))
++ bcm2835_mmc_finish_data(host);
+ } else if (host->wait_for_dma) {
+ host->wait_for_dma = false;
+ tasklet_schedule(&host->finish_tasklet);
+@@ -539,6 +540,8 @@ static void bcm2835_mmc_transfer_dma(str
+ spin_unlock_irqrestore(&host->lock, flags);
+ dmaengine_submit(desc);
+ dma_async_issue_pending(dma_chan);
++ } else {
++ dma_unmap_sg(dma_chan->device->dev, host->data->sg, len, dir_data);
+ }
+
+ }
diff --git a/target/linux/brcm2708/patches-4.19/952-0002-Limit-max_req_size-under-arm64-or-any-other-platform.patch b/target/linux/brcm2708/patches-4.19/952-0002-Limit-max_req_size-under-arm64-or-any-other-platform.patch
new file mode 100644
index 0000000000..7c5806d1a0
--- /dev/null
+++ b/target/linux/brcm2708/patches-4.19/952-0002-Limit-max_req_size-under-arm64-or-any-other-platform.patch
@@ -0,0 +1,33 @@
+From ea1ecb2257bef3cc0b23c08364436103141999c7 Mon Sep 17 00:00:00 2001
+From: Yaroslav Rosomakho <yaroslavros@gmail.com>
+Date: Fri, 23 Aug 2019 11:02:22 +0200
+Subject: [PATCH 2/2] Limit max_req_size under arm64 (or any other platform
+ that uses swiotlb) to prevent potential buffer overflow due to bouncing.
+
+Signed-off-by: Yaroslav Rosomakho <yaroslavros@gmail.com>
+---
+ drivers/mmc/host/bcm2835-mmc.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/bcm2835-mmc.c
++++ b/drivers/mmc/host/bcm2835-mmc.c
+@@ -38,6 +38,7 @@
+ #include <linux/dmaengine.h>
+ #include <linux/dma-mapping.h>
+ #include <linux/of_dma.h>
++#include <linux/swiotlb.h>
+
+ #include "sdhci.h"
+
+@@ -1377,7 +1378,10 @@ static int bcm2835_mmc_add_host(struct b
+ }
+ #endif
+ mmc->max_segs = 128;
+- mmc->max_req_size = 524288;
++ if (swiotlb_max_segment())
++ mmc->max_req_size = (1 << IO_TLB_SHIFT) * IO_TLB_SEGSIZE;
++ else
++ mmc->max_req_size = 524288;
+ mmc->max_seg_size = mmc->max_req_size;
+ mmc->max_blk_size = 512;
+ mmc->max_blk_count = 65535;