From 3da0de69628d1341e38608067a9f5198a1e35954 Mon Sep 17 00:00:00 2001
From: Andrew Jeffery
Date: Fri, 23 Mar 2018 12:27:15 +1030
Subject: mboxd_windows: Shrink windows accessing the end of flash

The host may request a window over the end of the flash where the
window size combined with the requested offset exceeds the limit of the
flash.

This issue was introduced with the virtual PNOR, as copy_flash() now may
return a size less than requested. This leads to offset requests that
are still block aligned, but the windows may no longer be aligned with
respect to the flash size.

This issue triggers the read error reported from the Petitboot
environment in an earlier commit message:

    / # cat /dev/mtd0 > /dev/null
    [ 501.061616288,3] MBOX-FLASH: Bad response code from BMC 2
    [ 501.150405995,3] MBOX-FLASH: Error waiting for BMC
    cat: read error: Input/output error
    / # echo $?
    1
    / #

With the corresponding mboxd trace on the BMC:

    [ 1519966031.652036815] Received MBOX command: 4
    [ 1519966031.652272613] Host requested flash @ 0x03f1a000
    [ 1519966031.652411603] Tried to open read window past flash limit
    [ 1519966031.652500088] Couldn't create window mapping for offset 0x03f1a000
    [ 1519966031.652607966] Error handling mbox cmd: 4
    [ 1519966031.652661421] Writing MBOX response: 2
    [ 1519966031.652762229] Error handling MBOX event

Instead, shrink the request such that the resulting window exactly maps
the flash limit, and no further.

Change-Id: Id33ae3b14252eb40240ef1925311f22aceb103b4
Signed-off-by: Andrew Jeffery
---
 mboxd_windows.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

(limited to 'mboxd_windows.c')

diff --git a/mboxd_windows.c b/mboxd_windows.c index 275f38a..233bfdd 100644 --- a/mboxd_windows.c +++ b/mboxd_windows.c
@@ -592,7 +592,10 @@ int create_map_window(struct mbox_context *context, } #endif - if ((offset + cur->size) > context->flash_size) { + if (offset > context->flash_size) { + MSG_ERR("Tried to open read window past flash limit\n"); + return -MBOX_R_PARAM_ERROR; + } else if ((offset + cur->size) > context->flash_size) { /* * There is V1 skiboot implementations out there which don't * mask offset with window size, meaning when we have @@ -607,9 +610,11 @@ int create_map_window(struct mbox_context *context, cur->size = align_down(context->flash_size - offset, 1 << context->block_size_shift); } else { - /* Trying to read past the end of flash */ - MSG_ERR("Tried to open read window past flash limit\n"); - return -MBOX_R_PARAM_ERROR; + /* + * Allow requests to exceed the flash size, but limit + * the response to the size of the flash. + */ + cur->size = context->flash_size - offset; } } -- cgit v1.2.1
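
Review bot: In the first hunk (@@ -592,7 +592,10 @@), the new guard compares offset > context->flash_size, so an offset exactly equal to flash_size is accepted. It then falls into the else-if for any non-zero cur->size, and both sizing paths yield 0 (align_down(0, ...) in the V1 branch, context->flash_size - offset in the other), giving a zero-length window instead of -MBOX_R_PARAM_ERROR. Suggest offset >= context->flash_size. With that bound established, the second test could also be written as cur->size > context->flash_size - offset, so it no longer depends on offset + cur->size not wrapping.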
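
Review bot: In the second hunk (@@ -607,9 +610,11 @@), the new else branch sets cur->size = context->flash_size - offset without the align_down(..., 1 << context->block_size_shift) that the V1 branch directly above applies, so cur->size is no longer a multiple of the block size whenever flash_size - offset is not block-aligned. Please say in the comment that the unaligned size is intentional and that the users of cur->size cope with it, or align here as well. The comment text "Allow requests to exceed the flash size" also sits awkwardly next to the new rejection of offset > context->flash_size; wording such as "allow the window to extend past the end of flash, but limit the response to the size of the flash" would match what the code does.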