From f7a341555d1addb49a8b7084977ce7b44b4aa019 Mon Sep 17 00:00:00 2001
From: Aidan MacDonald
Date: Wed, 16 Mar 2022 22:22:01 +0000
Subject: fiiom3k: trim OF kernel arguments to fix boot hangs

The M3K's kernel has an incredibly stupid function that mangles the kernel args and copies them to a 100-byte buffer without any kind of bounds checking. So, if the kernel arguments are more than 99 chars the stack may be corrupted, sometimes crashing the kernel.

Fortunately, most of the arguments the OF uses are useless, and the truly necessary arguments fit within the absurd 99-char limit.

Change-Id: I01ef4513298f79d3c08538239802c21e88509631
---
 bootloader/x1000/x1000bootloader.h | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/bootloader/x1000/x1000bootloader.h b/bootloader/x1000/x1000bootloader.h
index 10f6c6e730..b0d8d378f4 100644
--- a/bootloader/x1000/x1000bootloader.h
+++ b/bootloader/x1000/x1000bootloader.h
@@ -44,13 +44,19 @@ struct uimage_header;
 # define OF_PLAYER_NAME "FiiO player"
 # define OF_PLAYER_ADDR 0x20000
 # define OF_PLAYER_LENGTH (4 * 1024 * 1024)
+/* WARNING: The length of kernel arguments cannot exceed 99 bytes on the M3K
+ * due to an Ingenic kernel bug: plat_mem_setup() calls ddr_param_change() and
+ * that function tries to copy the command line to an 100-char buffer without
+ * any bounds checking. Overflowing the buffer typically leads to disaster.
+ * It seems ddr_param_change() is not present on all Ingenic kernels and the
+ * bug may not affect the Q1. */
 # define OF_PLAYER_ARGS OF_RECOVERY_ARGS \
- " init=/linuxrc ubi.mtd=3 root=ubi0:rootfs ubi.mtd=4 rootfstype=ubifs rw loglevel=8"
+ " init=/linuxrc ubi.mtd=3 root=ubi0:rootfs ubi.mtd=4 rootfstype=ubifs rw"
 # define OF_RECOVERY_NAME "FiiO recovery"
 # define OF_RECOVERY_ADDR 0x420000
 # define OF_RECOVERY_LENGTH (5 * 1024 * 1024)
 # define OF_RECOVERY_ARGS \
- "mem=64M@0x0 no_console_suspend console=ttyS2,115200n8 lpj=5009408 ip=off"
+ "mem=64M console=ttyS2"
 #elif defined(SHANLING_Q1)
 # define BL_RECOVERY BUTTON_NEXT
 # define BL_UP BUTTON_PREV
-- 
cgit v1.2.3
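Review bot: The 99-byte limit that the new OF_PLAYER_ARGS and OF_RECOVERY_ARGS strings are trimmed to fit lives only in the added comment; nothing stops a later edit from pushing the concatenated string back over it and silently reintroducing the kernel stack corruption the commit message describes. Both macros are string-literal concatenations, so the bound can be enforced at compile time right after the definitions, e.g. `_Static_assert(sizeof(OF_PLAYER_ARGS) <= 100, "OF kernel args exceed the 99-byte ddr_param_change() limit");` (sizeof counts the terminating NUL, and OF_RECOVERY_ARGS is a prefix of OF_PLAYER_ARGS so one assert covers both), provided the MIPS toolchain's configured C mode accepts `_Static_assert`. The check only covers what this header defines; if the bootloader appends anything to the command line at runtime, that path presumably needs the same bound and the comment should say so. The `#if` branch these definitions sit in starts outside the hunk.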