From patchwork Fri Apr 9 09:53:45 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 418167 Delivered-To: patch@linaro.org Received: by 2002:a02:8562:0:0:0:0:0 with SMTP id g89csp1430239jai; Fri, 9 Apr 2021 03:07:10 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzb/9p6/87ZR3FihaaPTDKsnCXNJPTSq57zNHSaeSDIbMNUfJiSmuXljxDQ0QazPbqqJqZQ X-Received: by 2002:a50:f29a:: with SMTP id f26mr16722160edm.13.1617962830645; Fri, 09 Apr 2021 03:07:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1617962830; cv=none; d=google.com; s=arc-20160816; b=INU+ejcL8eylgMU+5WF3W4Xf5G1Eh8GL/ElGgCmkeoV6c9SeaIVqwvXwUQH2bjeHGL Em1SXCmIyiBCE7xLTTQoj92ZrGeVXcbtL/CRkC2CRCylLyyBjaYZ3ioVH4zaqxeibQoG pTqjbglYOc/UyXDrlX55KDCRtY0JTJcukbuySSsF+Em6P5jK5k5GHPRvJkxCYMfAX6OY CXOFLMqmrWuXceM1bkQoiNpBzhBWk+XKg1oRh9UM4u1cOdnv11hU9uBO7uK48X9YNFrV FMLBZhrZ/RykKOSLDVvgDVY+hh935oKSZqi1Q6SLCk0ZZvVWi69E5Q7GmL/NwG9W+J2r PNAw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=ZAokJk+Gch6NpClv5JyNtrvNjx2vK4c0wmpEezcHtIQ=; b=p7qj0dtU20j5FX6EPllIeLwG5Ig1M45iEVYeJ615oGSGRJVbYEpwYT5ZMUKyaL32zO 4K3UgEFvuk0x37Jj7nI20o/gQm3tlMBmbheJfQgj3Wu5dGbQGRdJqtORWj6cgk+/Prrn jsbJ21YS6SMAmSI1vGHO1caCtPqruMnjNZt3xbgHixNXe2OCeSs7AYGRM5BYa9irdgmm PjJRPKgvFeGjSUSgSK5uJCK+//uhChUVc1ZEpPEcPdpoLM/T20WEEd5ZkoHgIf1RKkK+ lSdBsGwRY3iX1kedtc38k3YcEwsrIbvnQhYyxSGhqZcyLB8gj2+ODNo4h4kaxeXLJDAI kjow== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Aefpq1jj; spf=pass (google.com: domain of stable-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id gf19si1636716ejb.462.2021.04.09.03.07.10; Fri, 09 Apr 2021 03:07:10 -0700 (PDT) Received-SPF: pass (google.com: domain of stable-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=Aefpq1jj; spf=pass (google.com: domain of stable-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234028AbhDIKHJ (ORCPT + 12 others); Fri, 9 Apr 2021 06:07:09 -0400 Received: from mail.kernel.org ([198.145.29.99]:50622 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233659AbhDIKDr (ORCPT ); Fri, 9 Apr 2021 06:03:47 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 040F561206; Fri, 9 Apr 2021 10:00:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1617962446; bh=tdHLtEtCX3b5BlIKrG9poLwWODMhHlHkQGLXh4IbXlk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Aefpq1jjpi4wm7D/+71oNcxvWvKZsFBS9njC9/GfMJStQohBBt5pJ3nirVOzSF286 A9/4eHHWaCt8Pwx6kOLbRlY9skD3Dpu9mBPvjI6LxutBK1zXYclHW1srRGadHVSSUA KsCcWhwI6MWMjkuo1m0Sf3XBJh3AbtEWc+adOGa4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Alex Elder , "David S. Miller" , Sasha Levin Subject: [PATCH 5.11 19/45] net: ipa: fix init header command validation Date: Fri, 9 Apr 2021 11:53:45 +0200 Message-Id: <20210409095306.028565280@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210409095305.397149021@linuxfoundation.org> References: <20210409095305.397149021@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Alex Elder [ Upstream commit b4afd4b90a7cfe54c7cd9db49e3c36d552325eac ] We use ipa_cmd_header_valid() to ensure certain values we will program into hardware are within range, well in advance of when we actually program them. This way we avoid having to check for errors when we actually program the hardware. Unfortunately the dev_err() call for a bad offset value does not supply the arguments to match the format specifiers properly. Fix this. There was also supposed to be a check to ensure the size to be programmed fits in the field that holds it. Add this missing check. Rearrange the way we ensure the header table fits in overall IPA memory range. Finally, update ipa_cmd_table_valid() so the format of messages printed for errors matches what's done in ipa_cmd_header_valid(). Signed-off-by: Alex Elder Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- drivers/net/ipa/ipa_cmd.c | 50 ++++++++++++++++++++++++++------------- 1 file changed, 33 insertions(+), 17 deletions(-) -- 2.30.2 diff --git a/drivers/net/ipa/ipa_cmd.c b/drivers/net/ipa/ipa_cmd.c index eb65a11e33ea..1ce013a2d6ed 100644 --- a/drivers/net/ipa/ipa_cmd.c +++ b/drivers/net/ipa/ipa_cmd.c @@ -175,21 +175,23 @@ bool ipa_cmd_table_valid(struct ipa *ipa, const struct ipa_mem *mem, : field_max(IP_FLTRT_FLAGS_NHASH_ADDR_FMASK); if (mem->offset > offset_max || ipa->mem_offset > offset_max - mem->offset) { - dev_err(dev, "IPv%c %s%s table region offset too large " - "(0x%04x + 0x%04x > 0x%04x)\n", - ipv6 ? '6' : '4', hashed ? "hashed " : "", - route ? "route" : "filter", - ipa->mem_offset, mem->offset, offset_max); + dev_err(dev, "IPv%c %s%s table region offset too large\n", + ipv6 ? '6' : '4', hashed ? "hashed " : "", + route ? "route" : "filter"); + dev_err(dev, " (0x%04x + 0x%04x > 0x%04x)\n", + ipa->mem_offset, mem->offset, offset_max); + return false; } if (mem->offset > ipa->mem_size || mem->size > ipa->mem_size - mem->offset) { - dev_err(dev, "IPv%c %s%s table region out of range " - "(0x%04x + 0x%04x > 0x%04x)\n", - ipv6 ? '6' : '4', hashed ? "hashed " : "", - route ? "route" : "filter", - mem->offset, mem->size, ipa->mem_size); + dev_err(dev, "IPv%c %s%s table region out of range\n", + ipv6 ? '6' : '4', hashed ? "hashed " : "", + route ? "route" : "filter"); + dev_err(dev, " (0x%04x + 0x%04x > 0x%04x)\n", + mem->offset, mem->size, ipa->mem_size); + return false; } @@ -205,22 +207,36 @@ static bool ipa_cmd_header_valid(struct ipa *ipa) u32 size_max; u32 size; + /* In ipa_cmd_hdr_init_local_add() we record the offset and size + * of the header table memory area. Make sure the offset and size + * fit in the fields that need to hold them, and that the entire + * range is within the overall IPA memory range. + */ offset_max = field_max(HDR_INIT_LOCAL_FLAGS_HDR_ADDR_FMASK); if (mem->offset > offset_max || ipa->mem_offset > offset_max - mem->offset) { - dev_err(dev, "header table region offset too large " - "(0x%04x + 0x%04x > 0x%04x)\n", - ipa->mem_offset + mem->offset, offset_max); + dev_err(dev, "header table region offset too large\n"); + dev_err(dev, " (0x%04x + 0x%04x > 0x%04x)\n", + ipa->mem_offset, mem->offset, offset_max); + return false; } size_max = field_max(HDR_INIT_LOCAL_FLAGS_TABLE_SIZE_FMASK); size = ipa->mem[IPA_MEM_MODEM_HEADER].size; size += ipa->mem[IPA_MEM_AP_HEADER].size; - if (mem->offset > ipa->mem_size || size > ipa->mem_size - mem->offset) { - dev_err(dev, "header table region out of range " - "(0x%04x + 0x%04x > 0x%04x)\n", - mem->offset, size, ipa->mem_size); + + if (size > size_max) { + dev_err(dev, "header table region size too large\n"); + dev_err(dev, " (0x%04x > 0x%08x)\n", size, size_max); + + return false; + } + if (size > ipa->mem_size || mem->offset > ipa->mem_size - size) { + dev_err(dev, "header table region out of range\n"); + dev_err(dev, " (0x%04x + 0x%04x > 0x%04x)\n", + mem->offset, size, ipa->mem_size); + return false; }