[PATCH 1/2] firmware: meson-sm: Check for buffer output size
Srinivas Kandagatla
srinivas.kandagatla at linaro.org
Wed Mar 22 09:28:20 PDT 2017
On 03/03/17 15:17, Carlo Caione wrote:
> From: Carlo Caione <carlo at endlessm.com>
>
> After the data is read by the secure monitor driver it is being copied
> in the output buffer checking only the size of the bounce buffer but not
> the size of the output buffer.
>
> Fix this in the secure monitor driver slightly changing the API. Fix
> also the efuse driver that it is the only driver using this API to not
> break bisectability.
>
> Signed-off-by: Carlo Caione <carlo at endlessm.com>
Sorry for the delay!!
For nvmem part,
Acked-by: Srinivas Kandagatla <srinivas.kandagatla at linaro.org>
> ---
> drivers/firmware/meson/meson_sm.c | 10 +++++++---
> drivers/nvmem/meson-efuse.c | 2 +-
> include/linux/firmware/meson/meson_sm.h | 4 ++--
> 3 files changed, 10 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/firmware/meson/meson_sm.c b/drivers/firmware/meson/meson_sm.c
> index b0d254930ed3..5f30a5774e57 100644
> --- a/drivers/firmware/meson/meson_sm.c
> +++ b/drivers/firmware/meson/meson_sm.c
> @@ -127,6 +127,7 @@ EXPORT_SYMBOL(meson_sm_call);
> * meson_sm_call_read - retrieve data from secure-monitor
> *
> * @buffer: Buffer to store the retrieved data
> + * @bsize: Size of the buffer
> * @cmd_index: Index of the SMC32 function ID
> * @arg0: SMC32 Argument 0
> * @arg1: SMC32 Argument 1
> @@ -136,8 +137,8 @@ EXPORT_SYMBOL(meson_sm_call);
> *
> * Return: size of read data on success, a negative value on error
> */
> -int meson_sm_call_read(void *buffer, unsigned int cmd_index, u32 arg0,
> - u32 arg1, u32 arg2, u32 arg3, u32 arg4)
> +int meson_sm_call_read(void *buffer, unsigned int bsize, unsigned int cmd_index,
> + u32 arg0, u32 arg1, u32 arg2, u32 arg3, u32 arg4)
> {
> u32 size;
>
> @@ -147,10 +148,13 @@ int meson_sm_call_read(void *buffer, unsigned int cmd_index, u32 arg0,
> if (!fw.chip->cmd_shmem_out_base)
> return -EINVAL;
>
> + if (bsize > fw.chip->shmem_size)
> + return -EINVAL;
> +
> if (meson_sm_call(cmd_index, &size, arg0, arg1, arg2, arg3, arg4) < 0)
> return -EINVAL;
>
> - if (!size || size > fw.chip->shmem_size)
> + if (!size || size > bsize)
> return -EINVAL;
>
> if (buffer)
> diff --git a/drivers/nvmem/meson-efuse.c b/drivers/nvmem/meson-efuse.c
> index f207c3b10482..70bfc9839bb2 100644
> --- a/drivers/nvmem/meson-efuse.c
> +++ b/drivers/nvmem/meson-efuse.c
> @@ -27,7 +27,7 @@ static int meson_efuse_read(void *context, unsigned int offset,
> u8 *buf = val;
> int ret;
>
> - ret = meson_sm_call_read(buf, SM_EFUSE_READ, offset,
> + ret = meson_sm_call_read(buf, bytes, SM_EFUSE_READ, offset,
> bytes, 0, 0, 0);
> if (ret < 0)
> return ret;
> diff --git a/include/linux/firmware/meson/meson_sm.h b/include/linux/firmware/meson/meson_sm.h
> index 8e953c6f394a..37a5eaea69dd 100644
> --- a/include/linux/firmware/meson/meson_sm.h
> +++ b/include/linux/firmware/meson/meson_sm.h
> @@ -25,7 +25,7 @@ int meson_sm_call(unsigned int cmd_index, u32 *ret, u32 arg0, u32 arg1,
> u32 arg2, u32 arg3, u32 arg4);
> int meson_sm_call_write(void *buffer, unsigned int b_size, unsigned int cmd_index,
> u32 arg0, u32 arg1, u32 arg2, u32 arg3, u32 arg4);
> -int meson_sm_call_read(void *buffer, unsigned int cmd_index, u32 arg0, u32 arg1,
> - u32 arg2, u32 arg3, u32 arg4);
> +int meson_sm_call_read(void *buffer, unsigned int bsize, unsigned int cmd_index,
> + u32 arg0, u32 arg1, u32 arg2, u32 arg3, u32 arg4);
>
> #endif /* _MESON_SM_FW_H_ */
>
More information about the linux-arm-kernel
mailing list