git.ipfire.org Git - thirdparty/u-boot.git/commit

author	Ian Roberts <ian.roberts@timesys.com>
	Tue, 26 Mar 2024 02:22:37 +0000 (22:22 -0400)
committer	Jaehoon Chung <jh80.chung@samsung.com>
	Fri, 26 Apr 2024 06:31:00 +0000 (15:31 +0900)
commit	5f0714496869b95e57a8b72192089e7df18c94cf
tree	0a8072fabf682c49393be7664258d6e5b2e4aad4	tree \| snapshot
parent	74755c1fed1b09526b0993c729fe3ae909752fbd	commit \| diff

mmc: sdhci: Fix potential ADMA descriptor table overflow

Change ADMA_TABLE_NO_ENTRIES to round the division up to fully
contain CONFIG_SYS_MMC_MAX_BLK_COUNT, fixing potential buffer overflow
of the ADMA descriptor table.

sdhci_prepare_adma_table() expecitily states it does _not_ check for
overflow as the descriptor table size is dependent on
CONFIG_SYS_MMC_MAX_BLK_COUNT. However, the ADMA_TABLE_NO_ENTRIES
calculation does not round up the divison, so with the current u-boot
defaults:
max_mmc_transfer = (CONFIG_SYS_MMC_MAX_BLK_COUNT * MMC_MAX_BLOCK_LEN) =
65535 * 512 = 33553920 bytes.
ADMA_TABLE_NO_ENTRIES = max_mmc_transfer / ADMA_MAX_LEN =
33553920 / 65532, which does not divide cleanly.
actual_max_transfer = ADMA_TABLE_NO_ENTRIES * ADMA_MAX_LEN = 512 *
65532 = 33552384, which is smaller than max_mmc_transfer.
This can cause sdhci_prepare_adma_table() to write one extra
descriptor, overflowing the table when a transaction larger than
actual_max_transfer is issued.

Co-developed-by: Nathan Barrett-Morrison <nathan.morrison@timesys.com>
Signed-off-by: Nathan Barrett-Morrison <nathan.morrison@timesys.com>
Signed-off-by: Greg Malysa <greg.malysa@timesys.com>
Signed-off-by: Ian Roberts <ian.roberts@timesys.com>
Reviewed-by: Jaehoon Chung <jh80.chung@samsung.com>