From 9cc2323feebdde500f50f7abb855045dbde765cb Mon Sep 17 00:00:00 2001 From: Simon Goldschmidt Date: Sat, 26 Jan 2019 22:13:04 +0100 Subject: [PATCH] lmb: handle more than one DRAM BANK This fixes the automatic lmb initialization and reservation for boards with more than one DRAM bank. This fixes the CVE-2018-18439 and -18440 fixes that only allowed to load files into the firs DRAM bank from fs and via tftp. Found-by: Heinrich Schuchardt Signed-off-by: Simon Goldschmidt Tested-by: Heinrich Schuchardt Reviewed-by: Simon Glass --- common/bootm.c | 4 ++-- fs/fs.c | 3 +-- include/lmb.h | 7 +++++-- lib/lmb.c | 37 ++++++++++++++++++++++++++++++++----- net/tftp.c | 3 +-- 5 files changed, 41 insertions(+), 13 deletions(-) diff --git a/common/bootm.c b/common/bootm.c index a4618b6d2e..7c7505f092 100644 --- a/common/bootm.c +++ b/common/bootm.c @@ -59,8 +59,8 @@ static void boot_start_lmb(bootm_headers_t *images) mem_start = env_get_bootm_low(); mem_size = env_get_bootm_size(); - lmb_init_and_reserve(&images->lmb, (phys_addr_t)mem_start, mem_size, - NULL); + lmb_init_and_reserve_range(&images->lmb, (phys_addr_t)mem_start, + mem_size, NULL); } #else #define lmb_reserve(lmb, base, size) diff --git a/fs/fs.c b/fs/fs.c index c05e6c85ed..0e9c2f1062 100644 --- a/fs/fs.c +++ b/fs/fs.c @@ -454,8 +454,7 @@ static int fs_read_lmb_check(const char *filename, ulong addr, loff_t offset, if (len && len < read_len) read_len = len; - lmb_init_and_reserve(&lmb, gd->bd->bi_dram[0].start, - gd->bd->bi_dram[0].size, (void *)gd->fdt_blob); + lmb_init_and_reserve(&lmb, gd->bd, (void *)gd->fdt_blob); lmb_dump_all(&lmb); if (lmb_alloc_addr(&lmb, addr, read_len) == addr) diff --git a/include/lmb.h b/include/lmb.h index e87c0b0ada..3b338dfee0 100644 --- a/include/lmb.h +++ b/include/lmb.h @@ -4,6 +4,8 @@ #ifdef __KERNEL__ #include +#include + /* * Logical memory blocks. * @@ -29,8 +31,9 @@ struct lmb { }; extern void lmb_init(struct lmb *lmb); -extern void lmb_init_and_reserve(struct lmb *lmb, phys_addr_t base, - phys_size_t size, void *fdt_blob); +extern void lmb_init_and_reserve(struct lmb *lmb, bd_t *bd, void *fdt_blob); +extern void lmb_init_and_reserve_range(struct lmb *lmb, phys_addr_t base, + phys_size_t size, void *fdt_blob); extern long lmb_add(struct lmb *lmb, phys_addr_t base, phys_size_t size); extern long lmb_reserve(struct lmb *lmb, phys_addr_t base, phys_size_t size); extern phys_addr_t lmb_alloc(struct lmb *lmb, phys_size_t size, ulong align); diff --git a/lib/lmb.c b/lib/lmb.c index 7aff2c248f..b3b84e4d37 100644 --- a/lib/lmb.c +++ b/lib/lmb.c @@ -98,12 +98,8 @@ void lmb_init(struct lmb *lmb) lmb->reserved.size = 0; } -/* Initialize the struct, add memory and call arch/board reserve functions */ -void lmb_init_and_reserve(struct lmb *lmb, phys_addr_t base, phys_size_t size, - void *fdt_blob) +static void lmb_reserve_common(struct lmb *lmb, void *fdt_blob) { - lmb_init(lmb); - lmb_add(lmb, base, size); arch_lmb_reserve(lmb); board_lmb_reserve(lmb); @@ -111,6 +107,37 @@ void lmb_init_and_reserve(struct lmb *lmb, phys_addr_t base, phys_size_t size, boot_fdt_add_mem_rsv_regions(lmb, fdt_blob); } +/* Initialize the struct, add memory and call arch/board reserve functions */ +void lmb_init_and_reserve(struct lmb *lmb, bd_t *bd, void *fdt_blob) +{ +#ifdef CONFIG_NR_DRAM_BANKS + int i; +#endif + + lmb_init(lmb); +#ifdef CONFIG_NR_DRAM_BANKS + for (i = 0; i < CONFIG_NR_DRAM_BANKS; i++) { + if (bd->bi_dram[i].size) { + lmb_add(lmb, bd->bi_dram[i].start, + bd->bi_dram[i].size); + } + } +#else + if (bd->bi_memsize) + lmb_add(lmb, bd->bi_memstart, bd->bi_memsize); +#endif + lmb_reserve_common(lmb, fdt_blob); +} + +/* Initialize the struct, add memory and call arch/board reserve functions */ +void lmb_init_and_reserve_range(struct lmb *lmb, phys_addr_t base, + phys_size_t size, void *fdt_blob) +{ + lmb_init(lmb); + lmb_add(lmb, base, size); + lmb_reserve_common(lmb, fdt_blob); +} + /* This routine called with relocation disabled. */ static long lmb_add_region(struct lmb_region *rgn, phys_addr_t base, phys_size_t size) { diff --git a/net/tftp.c b/net/tftp.c index eca801aa19..34488b76c8 100644 --- a/net/tftp.c +++ b/net/tftp.c @@ -606,8 +606,7 @@ static int tftp_init_load_addr(void) struct lmb lmb; phys_size_t max_size; - lmb_init_and_reserve(&lmb, gd->bd->bi_dram[0].start, - gd->bd->bi_dram[0].size, (void *)gd->fdt_blob); + lmb_init_and_reserve(&lmb, gd->bd, (void *)gd->fdt_blob); max_size = lmb_get_free_size(&lmb, load_addr); if (!max_size) -- 2.30.2