Re: [PATCH v2] drivers/firmware/broadcom/bcm47xx_nvram.c: fix incorrect __ioread32_copy
From: Stephen Boyd <hidden>
Date: 2016-03-23 22:00:16
Also in:
lkml
On 03/23, Hauke Mehrtens wrote:
On 03/16/2016 12:06 AM, Aaro Koskinen wrote:quoted
Commit 1f330c327900 ("drivers/firmware/broadcom/bcm47xx_nvram.c: use __ioread32_copy() instead of open-coding") switched to use a generic copy function, but failed to notice that the header pointer is updated between the two copies, resulting in bogus data being copied in the latter one. Fix by keeping the old header pointer. The patch fixes totally broken networking on WRT54GL router (both LAN and WLAN interfaces fail to probe). Fixes: 1f330c327900 ("drivers/firmware/broadcom/bcm47xx_nvram.c: use __ioread32_copy() instead of open-coding") Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi> --- v2: Avoid using the device memory after the first copy when checking the nvram length, suggested by Stephen Boyd. v1: http://marc.info/?t=145807850800003&r=1&w=2 drivers/firmware/broadcom/bcm47xx_nvram.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-)diff --git a/drivers/firmware/broadcom/bcm47xx_nvram.c b/drivers/firmware/broadcom/bcm47xx_nvram.c index 0c2f0a6..0b631e5 100644 --- a/drivers/firmware/broadcom/bcm47xx_nvram.c +++ b/drivers/firmware/broadcom/bcm47xx_nvram.c@@ -94,15 +94,14 @@ static int nvram_find_and_copy(void __iomem *iobase, u32 lim) found: __ioread32_copy(nvram_buf, header, sizeof(*header) / 4); - header = (struct nvram_header *)nvram_buf; - nvram_len = header->len; + nvram_len = ((struct nvram_header *)(nvram_buf))->len;I do not understand why this change is needed? Doesn't the old code do exactly the same as the new one? The old code updated the header pointer and then accesses a member, the new one directly accesses this member without updating this pointer. I assume, I am missing something. ;-)
The goal is to access 'nvram_buf' which is a copy of 'header'. This is to avoid any problems with accessing device memory, i.e. 'header', without using the appropriate I/O accessors (readl, readw, readb). The bug that's being fixed though is to make sure 'header' doesn't get overwritten with the pointer to the in-memory copy that we just made. Further down in this function we copy the second 'header' that lives in device memory, and repointing 'header' to the in-memory copy breaks that. -- Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, a Linux Foundation Collaborative Project