On 3/29/19 8:32 PM, Geert Uytterhoeven wrote:
> Hi Marek,
>
> On Mon, Mar 25, 2019 at 12:41 PM <marek.vasut@xxxxxxxxx> wrote:
>> From: Marek Vasut <marek.vasut+renesas@xxxxxxxxx>
>>
>> The MSI message address in the RC address space can be 64 bit. The
>> R-Car PCIe RC supports such a 64bit MSI message address as well.
>> The code currently uses virt_to_phys(__get_free_pages()) to obtain
>> a reserved page for the MSI message address, and the return value
>> of which can be a 64 bit physical address on 64 bit system.
>>
>> However, the driver only programs PCIEMSIALR register with the bottom
>> 32 bits of the virt_to_phys(__get_free_pages()) return value and does
>> not program the top 32 bits into PCIEMSIAUR, but rather programs the
>> PCIEMSIAUR register with 0x0. This worked fine on older 32 bit R-Car
>> SoCs, however may fail on new 64 bit R-Car SoCs.
>>
>> Since from a PCIe controller perspective, an inbound MSI is a memory
>> write to a special address (in case of this controller, defined by
>> the value in PCIEMSIAUR:PCIEMSIALR), which triggers an interrupt, but
>> never hits the DRAM _and_ because allocation of an MSI by a PCIe card
>> driver obtains the MSI message address by reading PCIEMSIAUR:PCIEMSIALR
>> in rcar_msi_setup_irqs(), incorrectly programmed PCIEMSIAUR cannot
>> cause memory corruption or other issues.
>>
>> There is however the possibility that if virt_to_phys(__get_free_pages())
>> returned address above the 32bit boundary _and_ PCIEMSIAUR was programmed
>> to 0x0 _and_ if the system had physical RAM at the address matching the
>> value of PCIEMSIALR, a PCIe card driver could allocate a buffer with a
>> physical address matching the value of PCIEMSIALR and a remote write to
>> such a buffer by a PCIe card would trigger a spurious MSI.
>>
>> Signed-off-by: Marek Vasut <marek.vasut+renesas@xxxxxxxxx>
>> Cc: Geert Uytterhoeven <geert+renesas@xxxxxxxxx>
>> Cc: Phil Edworthy <phil.edworthy@xxxxxxxxxxx>
>> Cc: Simon Horman <horms+renesas@xxxxxxxxxxxx>
>> Cc: Wolfram Sang <wsa@xxxxxxxxxxxxx>
>> Cc: linux-renesas-soc@xxxxxxxxxxxxxxx
>> To: linux-pci@xxxxxxxxxxxxxxx
>> Reviewed-by: Geert Uytterhoeven <geert+renesas@xxxxxxxxx>
>> ---
>> V2: - s/it's/its/ in commit message
>> - Add R-B from Geert
>> V3: - Reworded commit message and thus dropped Geerts R-B
>> V4: - Add Geert's R-B again
>> ---
>> drivers/pci/controller/pcie-rcar.c | 4 ++--
>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/pci/controller/pcie-rcar.c b/drivers/pci/controller/pcie-rcar.c
>> index c6013f95bdb2..62d2de9fbf1c 100644
>> --- a/drivers/pci/controller/pcie-rcar.c
>> +++ b/drivers/pci/controller/pcie-rcar.c
>> @@ -890,7 +890,7 @@ static int rcar_pcie_enable_msi(struct rcar_pcie *pcie)
>> {
>> struct device *dev = pcie->dev;
>> struct rcar_msi *msi = &pcie->msi;
>> - unsigned long base;
>> + phys_addr_t base;
>> int err, i;
>>
>> mutex_init(&msi->lock);
>> @@ -932,7 +932,7 @@ static int rcar_pcie_enable_msi(struct rcar_pcie *pcie)
>> base = virt_to_phys((void *)msi->pages);
>>
>> rcar_pci_write_reg(pcie, base | MSIFE, PCIEMSIALR);
>> - rcar_pci_write_reg(pcie, 0, PCIEMSIAUR);
>> + rcar_pci_write_reg(pcie, base >> 32, PCIEMSIAUR);
>
> As reported by 0day, this causes a warning on arm32 without LPAE:
>
> drivers/pci/controller/pcie-rcar.c:935:32: warning: right shift
> count >= width of type
>
> Using upper_32_bits() instead of an explicit shift should fix that.
I saw the report too.
Lorenzo, do you want a separate patch to squash with this or V5 ?
--
Best regards,
Marek Vasut
