On Thu, Feb 07, 2019 at 07:01:45PM +0300, Dmitry Osipenko wrote: > 07.02.2019 18:23, Sowjanya Komatineni пишет: > > > >> It became apparent to me that there is a problem here. The size of dma_buf is 4096 bytes and maximum message length is 4096 too, we have pushed 12 bytes packet_header to the buffer >and now there are 4084 bytes left for the message in the buffer. Hence transfer of 4KB will cause buffer overflow and either crash kernel or corrupt memory. One solution is to just always >push packet_header using PIO, other to reduce max_write_len or increase dma_buf size. > > > > Yes, This is known to me and I will add separate patch for this to update quirks to take care for t186 and t194 to exclude packet hdr lengths > > There was separate patch when quirks were added and it got merged already from 5.0-rc1 but don’t want to sneak that here. Will send separate patch to take care of this. > > Need to update quirk to exclude packet header > > > > No. This is a bug of this patch, it must be fixed in this patch as well. > > Please include this snippet into the next version of this patch. > > diff --git a/drivers/i2c/busses/i2c-tegra.c b/drivers/i2c/busses/i2c-tegra.c > index 7921d3e6237d..0ed8162a37e4 100644 > --- a/drivers/i2c/busses/i2c-tegra.c > +++ b/drivers/i2c/busses/i2c-tegra.c > @@ -1293,7 +1293,7 @@ static const struct i2c_algorithm tegra_i2c_algo = { > static const struct i2c_adapter_quirks tegra_i2c_quirks = { > .flags = I2C_AQ_NO_ZERO_LEN, > .max_read_len = 4096, > - .max_write_len = 4096, > + .max_write_len = 4096 - I2C_PACKET_HEADER_SIZE, > }; > > static const struct i2c_adapter_quirks tegra194_i2c_quirks = { > @@ -1545,7 +1545,7 @@ static int tegra_i2c_probe(struct platform_device *pdev) > i2c_dev->is_dvc = of_device_is_compatible(pdev->dev.of_node, > "nvidia,tegra20-i2c-dvc"); > i2c_dev->adapter.quirks = i2c_dev->hw->quirks; > - i2c_dev->dma_buf_size = i2c_dev->adapter.quirks->max_write_len; > + i2c_dev->dma_buf_size = i2c_dev->adapter.quirks->max_read_len; > init_completion(&i2c_dev->msg_complete); > init_completion(&i2c_dev->dma_complete); > spin_lock_init(&i2c_dev->xfer_lock); I'm not sure we actually need this. My understanding is that it's really the payload size that's 4 KiB and 64 KiB, respectively. I don't think that includes the header. Thierry
Attachment:
signature.asc
Description: PGP signature