Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp1102170pxf;
        Thu, 18 Mar 2021 21:31:03 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyi184ZDuH34bfh3tQO9ICSrLg709hCiczLys32WbI1Xqe1RZc7JB6RKnlqO4ITKMReJ7Yp
X-Received: by 2002:a17:906:ada:: with SMTP id z26mr2182180ejf.438.1616128263109;
        Thu, 18 Mar 2021 21:31:03 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1616128263; cv=none;
        d=google.com; s=arc-20160816;
        b=lCnSVpk4Vepg0IqdhaTFwdTX8t860W3+ibt0J6bXZjyf/a1NZorZ/iT0hdh0tqG7Ra
         V/iAB5OZoBbMgJZhdSksJQcuFqRJksABFzeqIuLvAQepHifDGnSo/JQ4j6/n6ml6jHNH
         JH67NNFVfn333OxHe9gJhia/UeCUcWJJkXld7TpJ1NTIb2XxPKFSjv47YP7jg7TXSeNU
         KPhyaZA3/s/Dsx7ESmRIz25cyza4OnFfuKNga8K8sqW6GJr4IkL0ylF9W/Pv698g6Rxd
         YMszQcLVkxCBcdOKDknit4WvGKQzRCFMtVRT4E2TGVSx37oIyk+BjsDIJNgRitbIY5d5
         cSUg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=Y0jgz//zVEbNql9HK61bKjTuk8XcYuXVt9tdgPActZw=;
        b=J95Xzqdfy8htGldLL2ZOdQVj66O/Vn2ItPj9tw33A5/ldRo2mATYc8ZCqTP9k1FFiB
         BFX59Jy0IV8QV4rgHlbER/+6L5MebtiyTUG4oixp+W4xybis83N6bHNDpeuxyJoJ1Pis
         CvSC7rWyaOYEHBtAbaIwGktZYA7oApjWByybo4WdAZVWPhmsKW9NMm+yMOfDbY/pwizo
         YuCDDeWXh0gOZirGGIUCg8kU01sj6HL2Qqpt84FbWzqpEZRCMtrDV7+WZJzC6MGDkoU9
         zSfiFbyK8FBo9qViVaeagGVSulbxpudvRxe2Kt9Fem70b9Q4AgMkDKb6o377KcaItIM/
         rK6g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linaro.org header.s=google header.b=BOWuRozL;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id d12si3322371edr.552.2021.03.18.21.30.37;
        Thu, 18 Mar 2021 21:31:03 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linaro.org header.s=google header.b=BOWuRozL;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S233774AbhCSE3q (ORCPT <rfc822;macmurkernel@gmail.com>
        + 99 others); Fri, 19 Mar 2021 00:29:46 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39032 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S233736AbhCSE32 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 19 Mar 2021 00:29:28 -0400
Received: from mail-io1-xd33.google.com (mail-io1-xd33.google.com [IPv6:2607:f8b0:4864:20::d33])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9C8C6C06175F
        for <linux-kernel@vger.kernel.org>; Thu, 18 Mar 2021 21:29:28 -0700 (PDT)
Received: by mail-io1-xd33.google.com with SMTP id v26so4737212iox.11
        for <linux-kernel@vger.kernel.org>; Thu, 18 Mar 2021 21:29:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google;
        h=from:to:cc:subject:date:message-id:in-reply-to:references
         :mime-version:content-transfer-encoding;
        bh=Y0jgz//zVEbNql9HK61bKjTuk8XcYuXVt9tdgPActZw=;
        b=BOWuRozLgqzrcjQClsoI5cN9tLYe2V9Zs90rup1kKI4tRLIN8S2j4AVpgIWlpCK/p8
         tPTTyQGQMshP+KNH5lEbUvETtHeqaTS5ptHrfxY4FuAXSHLA2tIUj/9MxNdmv+VQkFeI
         qqULh1NeITSaTzb2dtUa66bbSaTv+EdIivhV6KlNlmEvgvVSnppGW70jCxuspiV/jnkf
         nM6v0GKM1xNE0qc9UFHgKiF3C9zxEl+kw9KbAEhHlcSVe7MK484LmztO6XXPGTenPS+c
         Klkt4VNqCaV4VzVwWg+D3fXIpqGpKRQGnUryVIb5m1JmaReL1Q6S37ogP4e+O0Z2E59d
         Duow==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
         :references:mime-version:content-transfer-encoding;
        bh=Y0jgz//zVEbNql9HK61bKjTuk8XcYuXVt9tdgPActZw=;
        b=GhqhZQy75bzQKE79+sRxiYigMTx3IoqqcDhMLaSSNvojDEgiimNKcgaRkodAWOqQT1
         meFsLF/fQnSZWbVQAdrayLXXiVRi0zWAb38WMIGrTPsKABtSoNW9Kz12dUJzdgfvC8nU
         QcVHuD0sbB8fpx6wXKGuFNm+62Ps/Y6VA4tbHoIXeOnxLBmWdb51vs8rWaboN0yQUeM8
         HfCYIJKFMr+vWszhQQWq104GntBlUMnSUE2eTr/58Z6aN6hhR3pFsr035sty9163Gs0e
         wxXz+qCG68yDNjdQvKpvBv2gR7MJB0PbX548mtq33jox4ojZDW10YzAgyKtQ+b3t5rhf
         HpZA==
X-Gm-Message-State: AOAM531pd9E7nn2Xa/ZKTtlPwZoHACuXgGeOfvf3wMvHf/XieItXOJgs
        InXfrHCA8Ie8B4oOXMsPxK7vhQ==
X-Received: by 2002:a5d:9610:: with SMTP id w16mr1433166iol.167.1616128167997;
        Thu, 18 Mar 2021 21:29:27 -0700 (PDT)
Received: from localhost.localdomain (c-73-185-129-58.hsd1.mn.comcast.net. [73.185.129.58])
        by smtp.gmail.com with ESMTPSA id k3sm1985940ioj.35.2021.03.18.21.29.27
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 18 Mar 2021 21:29:27 -0700 (PDT)
From:   Alex Elder <elder@linaro.org>
To:     davem@davemloft.net, kuba@kernel.org
Cc:     bjorn.andersson@linaro.org, evgreen@chromium.org,
        cpratapa@codeaurora.org, elder@kernel.org, netdev@vger.kernel.org,
        linux-kernel@vger.kernel.org
Subject: [PATCH net-next 1/4] net: ipa: fix init header command validation
Date:   Thu, 18 Mar 2021 23:29:20 -0500
Message-Id: <20210319042923.1584593-2-elder@linaro.org>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20210319042923.1584593-1-elder@linaro.org>
References: <20210319042923.1584593-1-elder@linaro.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

We use ipa_cmd_header_valid() to ensure certain values we will
program into hardware are within range, well in advance of when we
actually program them.  This way we avoid having to check for errors
when we actually program the hardware.

Unfortunately the dev_err() call for a bad offset value does not
supply the arguments to match the format specifiers properly.
Fix this.

There was also supposed to be a check to ensure the size to be
programmed fits in the field that holds it.  Add this missing check.

Rearrange the way we ensure the header table fits in overall IPA
memory range.

Signed-off-by: Alex Elder <elder@linaro.org>
---
 drivers/net/ipa/ipa_cmd.c | 49 +++++++++++++++++++++++++--------------
 1 file changed, 32 insertions(+), 17 deletions(-)

diff --git a/drivers/net/ipa/ipa_cmd.c b/drivers/net/ipa/ipa_cmd.c
index 35e35852c25c5..b40f031a905a7 100644
--- a/drivers/net/ipa/ipa_cmd.c
+++ b/drivers/net/ipa/ipa_cmd.c
@@ -175,21 +175,23 @@ bool ipa_cmd_table_valid(struct ipa *ipa, const struct ipa_mem *mem,
 			    : field_max(IP_FLTRT_FLAGS_NHASH_ADDR_FMASK);
 	if (mem->offset > offset_max ||
 	    ipa->mem_offset > offset_max - mem->offset) {
-		dev_err(dev, "IPv%c %s%s table region offset too large "
-			      "(0x%04x + 0x%04x > 0x%04x)\n",
-			      ipv6 ? '6' : '4', hashed ? "hashed " : "",
-			      route ? "route" : "filter",
-			      ipa->mem_offset, mem->offset, offset_max);
+		dev_err(dev, "IPv%c %s%s table region offset too large\n",
+			ipv6 ? '6' : '4', hashed ? "hashed " : "",
+			route ? "route" : "filter");
+		dev_err(dev, "    (0x%04x + 0x%04x > 0x%04x)\n",
+			ipa->mem_offset, mem->offset, offset_max);
+
 		return false;
 	}
 
 	if (mem->offset > ipa->mem_size ||
 	    mem->size > ipa->mem_size - mem->offset) {
-		dev_err(dev, "IPv%c %s%s table region out of range "
-			      "(0x%04x + 0x%04x > 0x%04x)\n",
-			      ipv6 ? '6' : '4', hashed ? "hashed " : "",
-			      route ? "route" : "filter",
-			      mem->offset, mem->size, ipa->mem_size);
+		dev_err(dev, "IPv%c %s%s table region out of range\n",
+			ipv6 ? '6' : '4', hashed ? "hashed " : "",
+			route ? "route" : "filter");
+		dev_err(dev, "    (0x%04x + 0x%04x > 0x%04x)\n",
+			mem->offset, mem->size, ipa->mem_size);
+
 		return false;
 	}
 
@@ -205,22 +207,35 @@ static bool ipa_cmd_header_valid(struct ipa *ipa)
 	u32 size_max;
 	u32 size;
 
+	/* In ipa_cmd_hdr_init_local_add() we record the offset and size
+	 * of the header table memory area.  Make sure the offset and size
+	 * fit in the fields that need to hold them, and that the entire
+	 * range is within the overall IPA memory range.
+	 */
 	offset_max = field_max(HDR_INIT_LOCAL_FLAGS_HDR_ADDR_FMASK);
 	if (mem->offset > offset_max ||
 	    ipa->mem_offset > offset_max - mem->offset) {
-		dev_err(dev, "header table region offset too large "
-			      "(0x%04x + 0x%04x > 0x%04x)\n",
-			      ipa->mem_offset + mem->offset, offset_max);
+		dev_err(dev, "header table region offset too large\n");
+		dev_err(dev, "    (0x%04x + 0x%04x > 0x%04x)\n",
+			ipa->mem_offset, mem->offset, offset_max);
+
 		return false;
 	}
 
 	size_max = field_max(HDR_INIT_LOCAL_FLAGS_TABLE_SIZE_FMASK);
 	size = ipa->mem[IPA_MEM_MODEM_HEADER].size;
 	size += ipa->mem[IPA_MEM_AP_HEADER].size;
-	if (mem->offset > ipa->mem_size || size > ipa->mem_size - mem->offset) {
-		dev_err(dev, "header table region out of range "
-			      "(0x%04x + 0x%04x > 0x%04x)\n",
-			      mem->offset, size, ipa->mem_size);
+	if (size > size_max) {
+		dev_err(dev, "header table region too large\n");
+		dev_err(dev, "    (0x%04x > 0x%04x)\n", size, size_max);
+
+		return false;
+	}
+	if (size > ipa->mem_size || mem->offset > ipa->mem_size - size) {
+		dev_err(dev, "header table region out of range\n");
+		dev_err(dev, "    (0x%04x + 0x%04x > 0x%04x)\n",
+			mem->offset, size, ipa->mem_size);
+
 		return false;
 	}
 
-- 
2.27.0