From patchwork Mon May 31 13:14:20 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg Kroah-Hartman X-Patchwork-Id: 450503 Delivered-To: patch@linaro.org Received: by 2002:a02:c735:0:0:0:0:0 with SMTP id h21csp863603jao; Mon, 31 May 2021 07:09:28 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxbnW/bcNFR/NAcC6zwe8IluVFAbvsHSTLu60QIbVJqaT7d8UkzSiIqfKahW+h5AWiIt9Un X-Received: by 2002:a5d:9916:: with SMTP id x22mr17105106iol.160.1622470168286; Mon, 31 May 2021 07:09:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1622470168; cv=none; d=google.com; s=arc-20160816; b=kltk4kVxqw7RmphMlUJ/ltyLUr2FxVmf5UINKeAYGvbJR3BEI3GBEiU6NO9V6v/33Y OqNu5VdgtLeoxnELjllS21Ap/eocme3/lM8sTMjsfaNJDw+8hxIYvAFlDOlQ9r/0Nq4l aFIsWB4h/cEm5cfyMbGDKQup2XdnVD622qaIPttECjjudRb+vArOOhth83XlU8v+SPtU HM5NvH4hGBPYdq3nFn99uCSOVkSISCwqM+5VBNqlSSg9URNWjGmzM1dAEVsNEi2+wVV4 IHXkkkVuWrBG+56Xy97YoT+N3l1Vf7ntoVfiXUEx6yTzFKU36mnRhmeVE39ym1V7btqO s6CA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=1JDQzYcIpnZZ0qhNIqU6I4Bb7R/jJ/pWqScayU4He0s=; b=AxgjB8la5RS9fVk+TMlj73L4NdfW7caCr41N/FXwscYOhah63GY16Ih1BIv0gR1qoi IAU2oG0kWPGIpeSYh13j7f4F6xXHN7WPHY94596DTu7V0FOqGtHXOKZuzVXNm2NJQP6s ja9sWDssPnyjf+rti3UW1h92ltO2BcrS+scmk0OzxWkjhVn3No2rX1JN9pRNfj8Vh5yR pvm2R8bsVEC0tou/9fRDBT0TYbhuixIRbAmJApHg7U8i+Wcn63WcmokpYPy1/ohw3OqR T7T465YPh12c9w0IawUEHGrX8Q98nJwp7APFhv0lcrU5j/38XNJkwYsCQVCeCfFd6wTR xetA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=kpkHWWam; spf=pass (google.com: domain of stable-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id l11si15474819jaj.50.2021.05.31.07.09.28; Mon, 31 May 2021 07:09:28 -0700 (PDT) Received-SPF: pass (google.com: domain of stable-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=kpkHWWam; spf=pass (google.com: domain of stable-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233040AbhEaOLE (ORCPT + 12 others); Mon, 31 May 2021 10:11:04 -0400 Received: from mail.kernel.org ([198.145.29.99]:41002 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233097AbhEaOJD (ORCPT ); Mon, 31 May 2021 10:09:03 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 1E9BB61977; Mon, 31 May 2021 13:40:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1622468405; bh=3sQMk0epr6E0X7al4cR/3xUgG5Bj/7N9ASpnMkjs0QI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=kpkHWWam73BPi1YfZ+Cv3+h+T7nGbHgBlwTJp+m+LHW8ZCpbSfsvd9jxQl4VJ8lJC NgoOW4W19/NysKwTdOSUU59+pmkLvPT4rZL3bIFFU+9bIb9OCTWekV/qAJONJtgTIL rNpTjyPkfWgFGJzhme9yf9tGOeDplPmRFauN0fFg= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Alex Elder , "David S. Miller" , Sasha Levin Subject: [PATCH 5.10 195/252] net: ipa: memory region array is variable size Date: Mon, 31 May 2021 15:14:20 +0200 Message-Id: <20210531130704.636600929@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210531130657.971257589@linuxfoundation.org> References: <20210531130657.971257589@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Alex Elder [ Upstream commit 440c3247cba3d9433ac435d371dd7927d68772a7 ] IPA configuration data includes an array of memory region descriptors. That was a fixed-size array at one time, but at some point we started defining it such that it was only as big as required for a given platform. The actual number of entries in the array is recorded in the configuration data along with the array. A loop in ipa_mem_config() still assumes the array has entries for all defined memory region IDs. As a result, this loop can go past the end of the actual array and attempt to write "canary" values based on nonsensical data. Fix this, by stashing the number of entries in the array, and using that rather than IPA_MEM_COUNT in the initialization loop found in ipa_mem_config(). The only remaining use of IPA_MEM_COUNT is in a validation check to ensure configuration data doesn't have too many entries. That's fine for now. Fixes: 3128aae8c439a ("net: ipa: redefine struct ipa_mem_data") Signed-off-by: Alex Elder Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- drivers/net/ipa/ipa.h | 2 ++ drivers/net/ipa/ipa_mem.c | 3 ++- 2 files changed, 4 insertions(+), 1 deletion(-) -- 2.30.2 diff --git a/drivers/net/ipa/ipa.h b/drivers/net/ipa/ipa.h index 6c2371084c55..da862db09d7b 100644 --- a/drivers/net/ipa/ipa.h +++ b/drivers/net/ipa/ipa.h @@ -56,6 +56,7 @@ enum ipa_flag { * @mem_virt: Virtual address of IPA-local memory space * @mem_offset: Offset from @mem_virt used for access to IPA memory * @mem_size: Total size (bytes) of memory at @mem_virt + * @mem_count: Number of entries in the mem array * @mem: Array of IPA-local memory region descriptors * @imem_iova: I/O virtual address of IPA region in IMEM * @imem_size; Size of IMEM region @@ -102,6 +103,7 @@ struct ipa { void *mem_virt; u32 mem_offset; u32 mem_size; + u32 mem_count; const struct ipa_mem *mem; unsigned long imem_iova; diff --git a/drivers/net/ipa/ipa_mem.c b/drivers/net/ipa/ipa_mem.c index 2d45c444a67f..a78d66051a17 100644 --- a/drivers/net/ipa/ipa_mem.c +++ b/drivers/net/ipa/ipa_mem.c @@ -181,7 +181,7 @@ int ipa_mem_config(struct ipa *ipa) * for the region, write "canary" values in the space prior to * the region's base address. */ - for (mem_id = 0; mem_id < IPA_MEM_COUNT; mem_id++) { + for (mem_id = 0; mem_id < ipa->mem_count; mem_id++) { const struct ipa_mem *mem = &ipa->mem[mem_id]; u16 canary_count; __le32 *canary; @@ -488,6 +488,7 @@ int ipa_mem_init(struct ipa *ipa, const struct ipa_mem_data *mem_data) ipa->mem_size = resource_size(res); /* The ipa->mem[] array is indexed by enum ipa_mem_id values */ + ipa->mem_count = mem_data->local_count; ipa->mem = mem_data->local; ret = ipa_imem_init(ipa, mem_data->imem_addr, mem_data->imem_size);