forked from marfrit/kernel-agent
claude-noether
b04c8cd501
PR #33's per-series mirrors were generated against the bes2600-dkms cleanups branch (rooted at fe73571) without rebasing onto the v7.0-danctnix1 kernel baseline. Result: per-commit diffs carried stale baseline context (e.g. from_timer rather than the new timer_container_of API), so the cumulative no longer applied cleanly to ohm's actual base. pkgrel=6 build #1 failed with 'Hunk #3 FAILED' in Patch D's sta.c. Fix: in marfrit/bes2600-dkms, create danctnix-sync branch (fe73571 + drop-in replace bes2600/ with v7.0-danctnix1's drivers/staging/bes2600/), rebase cleanups onto it as cleanups-rebased-on-danctnix, manually resolve the resulting conflicts keeping each commit's intent + the new baseline context, rebase Patch H accordingly. Format-patch and re-route to the same series-dir names as PR #33. Conflict resolution notes: - 'remove userspace /dev/bes2600 character device interface' commit: the chardev wrapper was removed but two utility funcs that danctnix's bes2600_btuart.c depends on (bes2600_chrdev_is_bus_error, bes2600_chrdev_switch_subsys_glb) were re-added with EXPORT_SYMBOL_GPL. bes2600_switch_bt re-added as static (file-local, called only from bes2600_chrdev_switch_subsys_glb). - Patch D (atomicize ba_lock): re-resolved bes2600_ba_timer's timer_container_of() vs from_timer() to keep the new API. - SCS Makefile @@ hunk counts corrected from -9,6 +9,10 to -9,6 +9,11 (the original was actually wrong; build-via-fuzz was masking it). Cumulative b2sum: ka-promote ohm now emits eb179c03f35a4dbaec2e40036f0033ef04985bb6b14ab22419d68e5caaa5874f... (279 554 bytes, 32 patches resolved). pkgrel=6 built from this manifest + installed on ohm 2026-05-19 ~23:39. Functional verification: bes2600 + bes2600_btuart both load, Pattern A 0 over fresh boot, wlan0 associates to newton. srcversion 1A919EED0E6DC2478559B17 differs from pkgrel=5's BEB625FA... — the reconstruction is functionally equivalent (5 GHz working, no firmware/driver race conditions) but NOT byte-equivalent (the chardev utility re-add chose different formatting than the original danctnix code). Byte-equivalence is not a goal; per-series traceability and working hardware are. Closes (proper this time): #29. Refs: #28, #30, #33 (the half-working attempt), #31, #32.
124 lines
4.4 KiB
Diff
124 lines
4.4 KiB
Diff
From 2f9b4c719faf9563895c064439a7da25f35c8fc7 Mon Sep 17 00:00:00 2001
|
|
From: Markus Fritsche <fritsche.markus@gmail.com>
|
|
Date: Thu, 23 Apr 2026 11:58:31 +0200
|
|
Subject: [PATCH 07/29] bes2600: bounce SDIO TX buffers to avoid DMA OOB read
|
|
|
|
The SDIO TX path rounds the DMA transfer length up to the host's
|
|
current block size and hands that length to dma_map_sg() via
|
|
sg_set_buf(&sg[scatters], tx_buffer->buf, align) in sdio_tx_work().
|
|
tx_buffer->buf typically aliases into an skb linear head whose
|
|
allocated size matches tx_buffer->len, not the block-aligned
|
|
align. The DMA engine (swiotlb / dw_mci IDMAC) therefore reads up
|
|
to one block past the end of the skb. On a PineTab2 with KFENCE
|
|
enabled this fires as:
|
|
|
|
BUG: KFENCE: out-of-bounds read in __pi_memcpy_generic
|
|
Out-of-bounds read at ... (704B right of kfence-#...):
|
|
__pi_memcpy_generic
|
|
swiotlb_tbl_map_single
|
|
swiotlb_map
|
|
dma_direct_map_sg
|
|
__dma_map_sg_attrs
|
|
dma_map_sg_attrs
|
|
dw_mci_pre_dma_transfer
|
|
__dw_mci_start_request
|
|
...
|
|
bes_sdio_memcpy_to_io_helper+0x18c/0x288 [bes2600]
|
|
sdio_tx_work+0x2b4/0x4a0 [bes2600]
|
|
|
|
allocated by ... pskb_expand_head / validate_xmit_skb / tcp_*
|
|
|
|
In addition to being undefined behavior, the padding bytes (which
|
|
come from whatever memory follows the skb) are transmitted to the
|
|
peer, leaking kernel memory on the air.
|
|
|
|
Allocate a driver-owned DMA-page bounce buffer sized to
|
|
MAX_SDIO_TRANSFER_LEN and use it as the scatter-gather backing for
|
|
sdio_tx_work. Each TX buffer is copied into its bounce slot and the
|
|
tail (align - tx_buffer->len bytes) is zeroed. This mirrors the
|
|
existing bounce pattern already used by bes2600_sdio_memcpy_toio()
|
|
via single_gathered_buffer; a separate allocation is used for the
|
|
TX path because single_gathered_buffer is only serialised via
|
|
sdio_claim_host and sdio_tx_work accumulates scatter entries before
|
|
claiming the bus.
|
|
|
|
Signed-off-by: Markus Fritsche <fritsche.markus@gmail.com>
|
|
---
|
|
bes2600/bes2600_sdio.c | 39 ++++++++++++++++++++++++++++++++++++++-
|
|
1 file changed, 38 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/drivers/staging/bes2600/bes2600_sdio.c b/drivers/staging/bes2600/bes2600_sdio.c
|
|
index f172d53..b9d836f 100644
|
|
--- a/drivers/staging/bes2600/bes2600_sdio.c
|
|
+++ b/drivers/staging/bes2600/bes2600_sdio.c
|
|
@@ -95,6 +95,7 @@ struct sbus_priv {
|
|
struct work_struct tx_work;
|
|
struct scatterlist tx_sg[BES_SDIO_TX_MULTIPLE_NUM + 1];
|
|
struct scatterlist tx_sg_nosignal[BES_SDIO_TX_MULTIPLE_NUM_NOSIGNAL + 1];
|
|
+ u8 *tx_bounce;
|
|
u32 tx_data_cnt;
|
|
u32 tx_xfer_cnt;
|
|
u32 tx_proc_cnt;
|
|
@@ -1136,7 +1137,26 @@ static void sdio_tx_work(struct work_struct *work)
|
|
}
|
|
}
|
|
|
|
- sg_set_buf(&sg[scatters], tx_buffer->buf, align);
|
|
+ /*
|
|
+ * The transfer length is rounded up to the SDIO block
|
|
+ * size, but tx_buffer->buf is only tx_buffer->len bytes
|
|
+ * long (it usually aliases into an skb linear head).
|
|
+ * Copy into a driver-owned bounce buffer and zero-pad
|
|
+ * to the aligned size; otherwise DMA reads past the
|
|
+ * skb and leaks adjacent kernel memory on the wire --
|
|
+ * observed as KFENCE OOB reads from
|
|
+ * bes_sdio_memcpy_to_io_helper via dma_map_sg.
|
|
+ */
|
|
+ if (WARN_ON_ONCE(total_len + align > MAX_SDIO_TRANSFER_LEN))
|
|
+ goto flush_previous;
|
|
+ memcpy(self->tx_bounce + total_len,
|
|
+ tx_buffer->buf, tx_buffer->len);
|
|
+ if (align > tx_buffer->len)
|
|
+ memset(self->tx_bounce + total_len +
|
|
+ tx_buffer->len, 0,
|
|
+ align - tx_buffer->len);
|
|
+ sg_set_buf(&sg[scatters],
|
|
+ self->tx_bounce + total_len, align);
|
|
total_len += align;
|
|
++scatters;
|
|
/*del_node:*/
|
|
@@ -1857,6 +1877,17 @@ static int bes2600_sdio_probe(struct sdio_func *func,
|
|
if (!self->single_gathered_buffer)
|
|
return -ENOMEM;
|
|
#endif
|
|
+#ifdef BES_SDIO_TX_MULTIPLE_ENABLE
|
|
+ self->tx_bounce = (u8 *)__get_dma_pages(GFP_KERNEL,
|
|
+ get_order(MAX_SDIO_TRANSFER_LEN));
|
|
+ if (!self->tx_bounce) {
|
|
+#ifndef SDIO_HOST_ADMA_SUPPORT
|
|
+ free_pages((unsigned long)self->single_gathered_buffer,
|
|
+ get_order(MAX_SDIO_TRANSFER_LEN));
|
|
+#endif
|
|
+ return -ENOMEM;
|
|
+ }
|
|
+#endif
|
|
#ifdef BES_SDIO_RXTX_TOGGLE
|
|
self->fw_started = false;
|
|
#endif
|
|
@@ -1984,6 +2015,12 @@ static void bes2600_sdio_remove(struct sdio_func *func)
|
|
if (self->single_gathered_buffer) {
|
|
free_pages((unsigned long)self->single_gathered_buffer, get_order(MAX_SDIO_TRANSFER_LEN));
|
|
}
|
|
+#endif
|
|
+#ifdef BES_SDIO_TX_MULTIPLE_ENABLE
|
|
+ if (self->tx_bounce) {
|
|
+ free_pages((unsigned long)self->tx_bounce,
|
|
+ get_order(MAX_SDIO_TRANSFER_LEN));
|
|
+ }
|
|
#endif
|
|
kfree(self);
|
|
}
|
|
--
|
|
2.54.0
|
|
|