summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorCarlo Caione <carlo@endlessm.com>2017-03-03 16:17:58 +0100
committerKevin Hilman <khilman@baylibre.com>2017-03-23 12:22:32 -0700
commit83e007a0c6a3f4bfdf8f3f8d0fc266cda189b3d6 (patch)
tree7f5abab493f662317dc23ae0bf857e750c2917ff
parentc1ae3cfa0e89fa1a7ecc4c99031f5e9ae99d9201 (diff)
downloadlinux-stable-83e007a0c6a3f4bfdf8f3f8d0fc266cda189b3d6.tar.gz
linux-stable-83e007a0c6a3f4bfdf8f3f8d0fc266cda189b3d6.tar.bz2
linux-stable-83e007a0c6a3f4bfdf8f3f8d0fc266cda189b3d6.zip
firmware: meson-sm: Check for buffer output size
After the data is read by the secure monitor driver it is being copied in the output buffer checking only the size of the bounce buffer but not the size of the output buffer. Fix this in the secure monitor driver slightly changing the API. Fix also the efuse driver that it is the only driver using this API to not break bisectability. Signed-off-by: Carlo Caione <carlo@endlessm.com> Acked-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org> # for nvmem Acked-by: Mark Rutland <mark.rutland@arm.com> Signed-off-by: Kevin Hilman <khilman@baylibre.com>
-rw-r--r--drivers/firmware/meson/meson_sm.c10
-rw-r--r--drivers/nvmem/meson-efuse.c2
-rw-r--r--include/linux/firmware/meson/meson_sm.h4
3 files changed, 10 insertions, 6 deletions
diff --git a/drivers/firmware/meson/meson_sm.c b/drivers/firmware/meson/meson_sm.c
index b0d254930ed3..5f30a5774e57 100644
--- a/drivers/firmware/meson/meson_sm.c
+++ b/drivers/firmware/meson/meson_sm.c
@@ -127,6 +127,7 @@ EXPORT_SYMBOL(meson_sm_call);
* meson_sm_call_read - retrieve data from secure-monitor
*
* @buffer: Buffer to store the retrieved data
+ * @bsize: Size of the buffer
* @cmd_index: Index of the SMC32 function ID
* @arg0: SMC32 Argument 0
* @arg1: SMC32 Argument 1
@@ -136,8 +137,8 @@ EXPORT_SYMBOL(meson_sm_call);
*
* Return: size of read data on success, a negative value on error
*/
-int meson_sm_call_read(void *buffer, unsigned int cmd_index, u32 arg0,
- u32 arg1, u32 arg2, u32 arg3, u32 arg4)
+int meson_sm_call_read(void *buffer, unsigned int bsize, unsigned int cmd_index,
+ u32 arg0, u32 arg1, u32 arg2, u32 arg3, u32 arg4)
{
u32 size;
@@ -147,10 +148,13 @@ int meson_sm_call_read(void *buffer, unsigned int cmd_index, u32 arg0,
if (!fw.chip->cmd_shmem_out_base)
return -EINVAL;
+ if (bsize > fw.chip->shmem_size)
+ return -EINVAL;
+
if (meson_sm_call(cmd_index, &size, arg0, arg1, arg2, arg3, arg4) < 0)
return -EINVAL;
- if (!size || size > fw.chip->shmem_size)
+ if (!size || size > bsize)
return -EINVAL;
if (buffer)
diff --git a/drivers/nvmem/meson-efuse.c b/drivers/nvmem/meson-efuse.c
index f207c3b10482..70bfc9839bb2 100644
--- a/drivers/nvmem/meson-efuse.c
+++ b/drivers/nvmem/meson-efuse.c
@@ -27,7 +27,7 @@ static int meson_efuse_read(void *context, unsigned int offset,
u8 *buf = val;
int ret;
- ret = meson_sm_call_read(buf, SM_EFUSE_READ, offset,
+ ret = meson_sm_call_read(buf, bytes, SM_EFUSE_READ, offset,
bytes, 0, 0, 0);
if (ret < 0)
return ret;
diff --git a/include/linux/firmware/meson/meson_sm.h b/include/linux/firmware/meson/meson_sm.h
index 8e953c6f394a..37a5eaea69dd 100644
--- a/include/linux/firmware/meson/meson_sm.h
+++ b/include/linux/firmware/meson/meson_sm.h
@@ -25,7 +25,7 @@ int meson_sm_call(unsigned int cmd_index, u32 *ret, u32 arg0, u32 arg1,
u32 arg2, u32 arg3, u32 arg4);
int meson_sm_call_write(void *buffer, unsigned int b_size, unsigned int cmd_index,
u32 arg0, u32 arg1, u32 arg2, u32 arg3, u32 arg4);
-int meson_sm_call_read(void *buffer, unsigned int cmd_index, u32 arg0, u32 arg1,
- u32 arg2, u32 arg3, u32 arg4);
+int meson_sm_call_read(void *buffer, unsigned int bsize, unsigned int cmd_index,
+ u32 arg0, u32 arg1, u32 arg2, u32 arg3, u32 arg4);
#endif /* _MESON_SM_FW_H_ */