diff options
| author | Alex Elder <elder@linaro.org> | 2018-06-25 20:58:52 -0400 |
|---|---|---|
| committer | Andy Gross <andy.gross@linaro.org> | 2018-09-13 17:57:04 -0400 |
| commit | 190b216c1535ca5af8db5c81e86d2192c4204b51 (patch) | |
| tree | 913a6dea89e0b239c9f6c3285456402a3adfff97 | |
| parent | ada79289735fea37e755bbefc4403c989e66f4b1 (diff) | |
soc: qcom: smem: verify partition header size
Add verification in qcom_smem_partition_header() that the size in a
partition's header structure matches the size in its partition table
entry.
Signed-off-by: Alex Elder <elder@linaro.org>
Signed-off-by: Andy Gross <andy.gross@linaro.org>
| -rw-r--r-- | drivers/soc/qcom/smem.c | 19 |
1 files changed, 8 insertions, 11 deletions
diff --git a/drivers/soc/qcom/smem.c b/drivers/soc/qcom/smem.c index eb530a6770c1..efaeec4a0395 100644 --- a/drivers/soc/qcom/smem.c +++ b/drivers/soc/qcom/smem.c | |||
| @@ -733,6 +733,7 @@ qcom_smem_partition_header(struct qcom_smem *smem, | |||
| 733 | struct smem_ptable_entry *entry) | 733 | struct smem_ptable_entry *entry) |
| 734 | { | 734 | { |
| 735 | struct smem_partition_header *header; | 735 | struct smem_partition_header *header; |
| 736 | u32 size; | ||
| 736 | 737 | ||
| 737 | header = smem->regions[0].virt_base + le32_to_cpu(entry->offset); | 738 | header = smem->regions[0].virt_base + le32_to_cpu(entry->offset); |
| 738 | 739 | ||
| @@ -743,6 +744,13 @@ qcom_smem_partition_header(struct qcom_smem *smem, | |||
| 743 | return NULL; | 744 | return NULL; |
| 744 | } | 745 | } |
| 745 | 746 | ||
| 747 | size = le32_to_cpu(header->size); | ||
| 748 | if (size != le32_to_cpu(entry->size)) { | ||
| 749 | dev_err(smem->dev, "bad partition size (%u != %u)\n", | ||
| 750 | size, le32_to_cpu(entry->size)); | ||
| 751 | return NULL; | ||
| 752 | } | ||
| 753 | |||
| 746 | return header; | 754 | return header; |
| 747 | } | 755 | } |
| 748 | 756 | ||
| @@ -796,11 +804,6 @@ static int qcom_smem_set_global_partition(struct qcom_smem *smem) | |||
| 796 | return -EINVAL; | 804 | return -EINVAL; |
| 797 | } | 805 | } |
| 798 | 806 | ||
| 799 | if (le32_to_cpu(header->size) != le32_to_cpu(entry->size)) { | ||
| 800 | dev_err(smem->dev, "Global partition has invalid size\n"); | ||
| 801 | return -EINVAL; | ||
| 802 | } | ||
| 803 | |||
| 804 | size = le32_to_cpu(header->offset_free_uncached); | 807 | size = le32_to_cpu(header->offset_free_uncached); |
| 805 | if (size > le32_to_cpu(header->size)) { | 808 | if (size > le32_to_cpu(header->size)) { |
| 806 | dev_err(smem->dev, | 809 | dev_err(smem->dev, |
| @@ -871,12 +874,6 @@ static int qcom_smem_enumerate_partitions(struct qcom_smem *smem, | |||
| 871 | return -EINVAL; | 874 | return -EINVAL; |
| 872 | } | 875 | } |
| 873 | 876 | ||
| 874 | if (le32_to_cpu(header->size) != le32_to_cpu(entry->size)) { | ||
| 875 | dev_err(smem->dev, | ||
| 876 | "Partition %d has invalid size\n", i); | ||
| 877 | return -EINVAL; | ||
| 878 | } | ||
| 879 | |||
| 880 | if (le32_to_cpu(header->offset_free_uncached) > le32_to_cpu(header->size)) { | 877 | if (le32_to_cpu(header->offset_free_uncached) > le32_to_cpu(header->size)) { |
| 881 | dev_err(smem->dev, | 878 | dev_err(smem->dev, |
| 882 | "Partition %d has invalid free pointer\n", i); | 879 | "Partition %d has invalid free pointer\n", i); |