Re: [PATCH] i2c: cpm: Fix i2c_ram structure
From: Christophe Leroy <hidden>
Date: 2020-09-22 12:41:46
Also in:
linux-i2c
Le 22/09/2020 à 11:04, nico.vince@gmail.com a écrit :
quoted hunk ↗ jump to hunk
From: Nicolas VINCENT <redacted> the i2c_ram structure is missing the sdmatmp field mentionned in datasheet for MPC8272 at paragraph 36.5. With this field missing, the hardware would write past the allocated memory done through cpm_muram_alloc for the i2c_ram structure and land in memory allocated for the buffers descriptors corrupting the cbd_bufaddr field. Since this field is only set during setup(), the first i2c transaction would work and the following would send data read from an arbitrary memory location. Signed-off-by: Nicolas VINCENT <redacted> --- drivers/i2c/busses/i2c-cpm.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)diff --git a/drivers/i2c/busses/i2c-cpm.c b/drivers/i2c/busses/i2c-cpm.c index 1213e1932ccb..c5700addbf65 100644 --- a/drivers/i2c/busses/i2c-cpm.c +++ b/drivers/i2c/busses/i2c-cpm.c@@ -64,7 +64,8 @@ struct i2c_ram { uint txtmp; /* Internal */ char res1[4]; /* Reserved */ ushort rpbase; /* Relocation pointer */ - char res2[2]; /* Reserved */ + char res2[6]; /* Reserved */ + uint sdmatmp; /* Internal */
On CPM1, I2C param RAM has size 0x30 (offset 0x1c80-0x1caf) Your change overlaps the miscellaneous area that contains CP Microcode Revision Number, ref MPC885 Reference Manual §18.7.3
}; #define I2COM_START 0x80
Christophe