[U-Boot] pci: fix address range check in __pci_hose_phys_to_bus()

The address range check may overflow if the memory region is located at
the top of the 32-bit address space. This can e.g. be seen on TK1 if
using the E1000 gigabit Ethernet driver where start and size are both
0x80000000 leading to the following messages:

Apalis TK1 # tftpboot $loadaddr test_file
Using e1000#0 device
TFTP from server 192.168.10.1; our IP address is 192.168.10.2
Filename 'test_file'.
Load address: 0x80408000
Loading: pci_hose_phys_to_bus: invalid physical address

This patch fixes this by changing the order of the addition vs.
subtraction in the range check just like already done in
__pci_hose_bus_to_phys().

Reported-by: Ivan Mercier <ivan.mercier@nexvision.fr>
Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
---

 drivers/pci/pci_common.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Well done Marcel!
I didn't have much more time to investigate on it.
OK with nvidia jetson TK1 with i210 AND RTL8169.


On 18/11/2015 15:19, Bin Meng wrote:
> On Wed, Nov 18, 2015 at 10:05 PM, Marcel Ziswiler
> <marcel.ziswiler@toradex.com> wrote:
>> The address range check may overflow if the memory region is located at
>> the top of the 32-bit address space. This can e.g. be seen on TK1 if
>> using the E1000 gigabit Ethernet driver where start and size are both
>> 0x80000000 leading to the following messages:
>>
>> Apalis TK1 # tftpboot $loadaddr test_file
>> Using e1000#0 device
>> TFTP from server 192.168.10.1; our IP address is 192.168.10.2
>> Filename 'test_file'.
>> Load address: 0x80408000
>> Loading: pci_hose_phys_to_bus: invalid physical address
>>
>> This patch fixes this by changing the order of the addition vs.
>> subtraction in the range check just like already done in
>> __pci_hose_bus_to_phys().
>>
>> Reported-by: Ivan Mercier <ivan.mercier@nexvision.fr>
>> Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
>> ---
>>
>>   drivers/pci/pci_common.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/pci/pci_common.c b/drivers/pci/pci_common.c
>> index a64792f..2a14902 100644
>> --- a/drivers/pci/pci_common.c
>> +++ b/drivers/pci/pci_common.c
>> @@ -268,7 +268,7 @@ int __pci_hose_phys_to_bus(struct pci_controller *hose,
>>                  bus_addr = phys_addr - res->phys_start + res->bus_start;
>>
>>                  if (bus_addr >= res->bus_start &&
>> -                   bus_addr < res->bus_start + res->size) {
>> +                   (bus_addr - res->bus_start) < res->size) {
>>                          *ba = bus_addr;
>>                          return 0;
>>                  }
>> --
> Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
>

On Wed, Nov 18, 2015 at 10:05 PM, Marcel Ziswiler
<marcel.ziswiler@toradex.com> wrote:
> The address range check may overflow if the memory region is located at
> the top of the 32-bit address space. This can e.g. be seen on TK1 if
> using the E1000 gigabit Ethernet driver where start and size are both
> 0x80000000 leading to the following messages:
>
> Apalis TK1 # tftpboot $loadaddr test_file
> Using e1000#0 device
> TFTP from server 192.168.10.1; our IP address is 192.168.10.2
> Filename 'test_file'.
> Load address: 0x80408000
> Loading: pci_hose_phys_to_bus: invalid physical address
>
> This patch fixes this by changing the order of the addition vs.
> subtraction in the range check just like already done in
> __pci_hose_bus_to_phys().
>
> Reported-by: Ivan Mercier <ivan.mercier@nexvision.fr>
> Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
> ---
>
>  drivers/pci/pci_common.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/pci/pci_common.c b/drivers/pci/pci_common.c
> index a64792f..2a14902 100644
> --- a/drivers/pci/pci_common.c
> +++ b/drivers/pci/pci_common.c
> @@ -268,7 +268,7 @@ int __pci_hose_phys_to_bus(struct pci_controller *hose,
>                 bus_addr = phys_addr - res->phys_start + res->bus_start;
>
>                 if (bus_addr >= res->bus_start &&
> -                   bus_addr < res->bus_start + res->size) {
> +                   (bus_addr - res->bus_start) < res->size) {
>                         *ba = bus_addr;
>                         return 0;
>                 }
> --

For some reason, this patch did not show up on patchwork for sometime
and it lost my 'Reviewed-by' tag. Here it is:

Reviewed-by: Bin Meng <bmeng.cn@gmail.com>

On 11/18/2015 07:05 AM, Marcel Ziswiler wrote:
> The address range check may overflow if the memory region is located at
> the top of the 32-bit address space. This can e.g. be seen on TK1 if
> using the E1000 gigabit Ethernet driver where start and size are both
> 0x80000000 leading to the following messages:
>
> Apalis TK1 # tftpboot $loadaddr test_file
> Using e1000#0 device
> TFTP from server 192.168.10.1; our IP address is 192.168.10.2
> Filename 'test_file'.
> Load address: 0x80408000
> Loading: pci_hose_phys_to_bus: invalid physical address
>
> This patch fixes this by changing the order of the addition vs.
> subtraction in the range check just like already done in
> __pci_hose_bus_to_phys().

Reviewed-by: Stephen Warren <swarren@nvidia.com>

On 19 November 2015 at 09:40, Stephen Warren <swarren@wwwdotorg.org> wrote:
> On 11/18/2015 07:05 AM, Marcel Ziswiler wrote:
>>
>> The address range check may overflow if the memory region is located at
>> the top of the 32-bit address space. This can e.g. be seen on TK1 if
>> using the E1000 gigabit Ethernet driver where start and size are both
>> 0x80000000 leading to the following messages:
>>
>> Apalis TK1 # tftpboot $loadaddr test_file
>> Using e1000#0 device
>> TFTP from server 192.168.10.1; our IP address is 192.168.10.2
>> Filename 'test_file'.
>> Load address: 0x80408000
>> Loading: pci_hose_phys_to_bus: invalid physical address
>>
>> This patch fixes this by changing the order of the addition vs.
>> subtraction in the range check just like already done in
>> __pci_hose_bus_to_phys().
>
>
> Reviewed-by: Stephen Warren <swarren@nvidia.com>

Acked-by: Simon Glass <sjg@chromium.org>

On Wed, Nov 18, 2015 at 03:05:06PM +0100, Marcel Ziswiler wrote:

> The address range check may overflow if the memory region is located at
> the top of the 32-bit address space. This can e.g. be seen on TK1 if
> using the E1000 gigabit Ethernet driver where start and size are both
> 0x80000000 leading to the following messages:
> 
> Apalis TK1 # tftpboot $loadaddr test_file
> Using e1000#0 device
> TFTP from server 192.168.10.1; our IP address is 192.168.10.2
> Filename 'test_file'.
> Load address: 0x80408000
> Loading: pci_hose_phys_to_bus: invalid physical address
> 
> This patch fixes this by changing the order of the addition vs.
> subtraction in the range check just like already done in
> __pci_hose_bus_to_phys().
> 
> Reported-by: Ivan Mercier <ivan.mercier@nexvision.fr>
> Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
> Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
> Reviewed-by: Stephen Warren <swarren@nvidia.com>
> Acked-by: Simon Glass <sjg@chromium.org>

Applied to u-boot/master, thanks!