From patchwork Fri Apr 9 09:53:38 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 418164 Delivered-To: patch@linaro.org Received: by 2002:a02:8562:0:0:0:0:0 with SMTP id g89csp1425675jai; Fri, 9 Apr 2021 03:01:46 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzjNbHcDLMfgMPCeWT9U2y04wu+bBG/Xioz78F2S56L37l50Te2E/C11D7nmjiWKtNTbHmq X-Received: by 2002:a17:906:b191:: with SMTP id w17mr15563868ejy.200.1617962506612; Fri, 09 Apr 2021 03:01:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1617962506; cv=none; d=google.com; s=arc-20160816; b=y4klNBNyuj6tdRJa/cWTbvtN1YP32WOxSP6Yf1jeDDh37tJ9pEgWjyT9YezGHzb+K3 2aXjy851BV7wZ3Zc3X29XLzDwPxtJ0ZNPO5YCM1e03qgthRXh1DBfnC7H9qwxcID0TkV r5wU5YfDAUKHbWoHidcU/zQMCIQEaNSDkFhemkPbgSB1IyNinEn+RO3tI/vJx+HvIyz9 ayJz4PjwUOjNd7eqGijOvFBx47KDjNUhDEvaPTXZa4HI5FFO+AAJfRIZ2SKnvQoFJl13 2zMpgrnphSz1iEtJz8AnG95bBQUh8mbBnqvUt5E+4YUpjzZMFPGTVdlCqPDEl0fnVddV dFIw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=oKvHySirqZeHhx0r+d+9WNjeQn/XzV193ndXAgyOeKs=; b=Trt7PcDSVLZrs5Jk8J10yvmQNYJr41InS6DmKKhCSJmv0H+aTNYkN5GY/ep1dQbMOo F+IiurIxc7q9LmuyikymDe/egx2pMradSjCNV/Ual8Eh94QRHNQ7r/IznBGxIMOoCXNm 3SBmrNgKXZL0RJEQqeWyavO1Y+EuSgoAEEpXtmqtjugfQmiWnInhp+pezBVGi8uCN2PM BbIDcNdtehQZPW5E8iH8O4izEuxurSVNv0WiBONNsWr53nwB/CiTMpvEyUutREXAEqWA 2O6cahGpeZIISm6jVP1wKqkEn1GimybKhMRAWwgZgZqaS6AHjzZlkq7pGMgqZTdP1b8/ eMvA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=QCd1I6p3; spf=pass (google.com: domain of stable-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id e7si2188899edk.222.2021.04.09.03.01.46; Fri, 09 Apr 2021 03:01:46 -0700 (PDT) Received-SPF: pass (google.com: domain of stable-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=QCd1I6p3; spf=pass (google.com: domain of stable-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233060AbhDIKBo (ORCPT + 12 others); Fri, 9 Apr 2021 06:01:44 -0400 Received: from mail.kernel.org ([198.145.29.99]:45618 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233936AbhDIJ7a (ORCPT ); Fri, 9 Apr 2021 05:59:30 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id A9C506121F; Fri, 9 Apr 2021 09:58:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1617962326; bh=VxoJmc3w8Jg63Gj0JpCAQ8fEFiA7dFne0yZFtGuMaCg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=QCd1I6p347OPUlPxIdE7qG5wQrS0F3pmLdSnBQ0i9fuwahOFRZJXylj/qZVIJ+Uxi OAXg5aieK0Fmy2XLPP1Kz91HK2pEo4lcUqaPoKXfDAPxt/XWAeaSHu++caFDRjXJE/ vguM+tIZ9f20NO94bRiQFBgKprfHCk4relJHZZV4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Alex Elder , "David S. Miller" , Sasha Levin Subject: [PATCH 5.10 16/41] net: ipa: fix init header command validation Date: Fri, 9 Apr 2021 11:53:38 +0200 Message-Id: <20210409095305.361379304@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210409095304.818847860@linuxfoundation.org> References: <20210409095304.818847860@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Alex Elder [ Upstream commit b4afd4b90a7cfe54c7cd9db49e3c36d552325eac ] We use ipa_cmd_header_valid() to ensure certain values we will program into hardware are within range, well in advance of when we actually program them. This way we avoid having to check for errors when we actually program the hardware. Unfortunately the dev_err() call for a bad offset value does not supply the arguments to match the format specifiers properly. Fix this. There was also supposed to be a check to ensure the size to be programmed fits in the field that holds it. Add this missing check. Rearrange the way we ensure the header table fits in overall IPA memory range. Finally, update ipa_cmd_table_valid() so the format of messages printed for errors matches what's done in ipa_cmd_header_valid(). Signed-off-by: Alex Elder Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- drivers/net/ipa/ipa_cmd.c | 50 ++++++++++++++++++++++++++------------- 1 file changed, 33 insertions(+), 17 deletions(-) -- 2.30.2 diff --git a/drivers/net/ipa/ipa_cmd.c b/drivers/net/ipa/ipa_cmd.c index 46d8b7336d8f..a47378b7d9b2 100644 --- a/drivers/net/ipa/ipa_cmd.c +++ b/drivers/net/ipa/ipa_cmd.c @@ -175,21 +175,23 @@ bool ipa_cmd_table_valid(struct ipa *ipa, const struct ipa_mem *mem, : field_max(IP_FLTRT_FLAGS_NHASH_ADDR_FMASK); if (mem->offset > offset_max || ipa->mem_offset > offset_max - mem->offset) { - dev_err(dev, "IPv%c %s%s table region offset too large " - "(0x%04x + 0x%04x > 0x%04x)\n", - ipv6 ? '6' : '4', hashed ? "hashed " : "", - route ? "route" : "filter", - ipa->mem_offset, mem->offset, offset_max); + dev_err(dev, "IPv%c %s%s table region offset too large\n", + ipv6 ? '6' : '4', hashed ? "hashed " : "", + route ? "route" : "filter"); + dev_err(dev, " (0x%04x + 0x%04x > 0x%04x)\n", + ipa->mem_offset, mem->offset, offset_max); + return false; } if (mem->offset > ipa->mem_size || mem->size > ipa->mem_size - mem->offset) { - dev_err(dev, "IPv%c %s%s table region out of range " - "(0x%04x + 0x%04x > 0x%04x)\n", - ipv6 ? '6' : '4', hashed ? "hashed " : "", - route ? "route" : "filter", - mem->offset, mem->size, ipa->mem_size); + dev_err(dev, "IPv%c %s%s table region out of range\n", + ipv6 ? '6' : '4', hashed ? "hashed " : "", + route ? "route" : "filter"); + dev_err(dev, " (0x%04x + 0x%04x > 0x%04x)\n", + mem->offset, mem->size, ipa->mem_size); + return false; } @@ -205,22 +207,36 @@ static bool ipa_cmd_header_valid(struct ipa *ipa) u32 size_max; u32 size; + /* In ipa_cmd_hdr_init_local_add() we record the offset and size + * of the header table memory area. Make sure the offset and size + * fit in the fields that need to hold them, and that the entire + * range is within the overall IPA memory range. + */ offset_max = field_max(HDR_INIT_LOCAL_FLAGS_HDR_ADDR_FMASK); if (mem->offset > offset_max || ipa->mem_offset > offset_max - mem->offset) { - dev_err(dev, "header table region offset too large " - "(0x%04x + 0x%04x > 0x%04x)\n", - ipa->mem_offset + mem->offset, offset_max); + dev_err(dev, "header table region offset too large\n"); + dev_err(dev, " (0x%04x + 0x%04x > 0x%04x)\n", + ipa->mem_offset, mem->offset, offset_max); + return false; } size_max = field_max(HDR_INIT_LOCAL_FLAGS_TABLE_SIZE_FMASK); size = ipa->mem[IPA_MEM_MODEM_HEADER].size; size += ipa->mem[IPA_MEM_AP_HEADER].size; - if (mem->offset > ipa->mem_size || size > ipa->mem_size - mem->offset) { - dev_err(dev, "header table region out of range " - "(0x%04x + 0x%04x > 0x%04x)\n", - mem->offset, size, ipa->mem_size); + + if (size > size_max) { + dev_err(dev, "header table region size too large\n"); + dev_err(dev, " (0x%04x > 0x%08x)\n", size, size_max); + + return false; + } + if (size > ipa->mem_size || mem->offset > ipa->mem_size - size) { + dev_err(dev, "header table region out of range\n"); + dev_err(dev, " (0x%04x + 0x%04x > 0x%04x)\n", + mem->offset, size, ipa->mem_size); + return false; }