authorAlex Elder <elder@linaro.org>2018-06-26 02:58:53 +0200
committerAndy Gross <andy.gross@linaro.org>2018-09-13 23:57:06 +0200
commit380dc4af50a61eaa8b749fac2e7e40ebf92079aa (patch)
tree1f059f1d290f087b858eef9d27b812dbf0932519 /drivers/soc
parentsoc: qcom: smem: verify partition header size (diff)
soc: qcom: smem: verify partition offset_free_uncached
Add verification in qcom_smem_partition_header() that the offset_free_uncached field in a partition's header structure does not exceed the partition's size. Signed-off-by: Alex Elder <elder@linaro.org> Signed-off-by: Andy Gross <andy.gross@linaro.org>
Diffstat (limited to 'drivers/soc')
-rw-r--r--drivers/soc/qcom/smem.c21
1 files changed, 7 insertions, 14 deletions
diff --git a/drivers/soc/qcom/smem.c b/drivers/soc/qcom/smem.c
index efaeec4a0395..a94888c26e18 100644
--- a/drivers/soc/qcom/smem.c
+++ b/drivers/soc/qcom/smem.c
@@ -751,6 +751,12 @@ qcom_smem_partition_header(struct qcom_smem *smem,
return NULL;
}
+ if (le32_to_cpu(header->offset_free_uncached) > size) {
+ dev_err(smem->dev, "bad partition free uncached (%u > %u)\n",
+ le32_to_cpu(header->offset_free_uncached), size);
+ return NULL;
+ }
+
return header;
}
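Review bot: The added check bounds `offset_free_uncached` only from above, so a value smaller than the partition header itself would still be accepted. If uncached items are laid out after the header (not visible in this hunk), a lower bound belongs here too. The field is also converted twice, once for the comparison and once for the log; the header presumably sits in memory shared with remote processors, so the logged value could differ from the one tested. Reading it once covers both points: `u32 off = le32_to_cpu(header->offset_free_uncached);` followed by `if (off < sizeof(*header) || off > size) {`. The consolidated message also no longer identifies the failing partition, which the removed `"Partition %d has invalid free pointer\n"` in qcom_smem_enumerate_partitions() did. qcom_smem_partition_header() starts outside the hunk, so `size` and `header` are taken as set above.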
@@ -759,7 +765,7 @@ static int qcom_smem_set_global_partition(struct qcom_smem *smem)
struct smem_partition_header *header;
struct smem_ptable_entry *entry;
struct smem_ptable *ptable;
- u32 host0, host1, size;
+ u32 host0, host1;
bool found = false;
int i;
@@ -804,13 +810,6 @@ static int qcom_smem_set_global_partition(struct qcom_smem *smem)
return -EINVAL;
}
- size = le32_to_cpu(header->offset_free_uncached);
- if (size > le32_to_cpu(header->size)) {
- dev_err(smem->dev,
- "Global partition has invalid free pointer\n");
- return -EINVAL;
- }
-
smem->global_partition = header;
smem->global_cacheline = le32_to_cpu(entry->cacheline);
@@ -874,12 +873,6 @@ static int qcom_smem_enumerate_partitions(struct qcom_smem *smem,
return -EINVAL;
}
- if (le32_to_cpu(header->offset_free_uncached) > le32_to_cpu(header->size)) {
- dev_err(smem->dev,
- "Partition %d has invalid free pointer\n", i);
- return -EINVAL;
- }
-
smem->partitions[remote_host] = header;
smem->cacheline[remote_host] = le32_to_cpu(entry->cacheline);
}