Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp3825415pxj; Tue, 11 May 2021 12:44:13 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzukAODtkB8AQvCj+CHTZ1yUMlAtk25EkB0nzYdiSDByTFUl5K8UitjrEqj4aupmKI1Vc6R X-Received: by 2002:a9d:491:: with SMTP id 17mr27551973otm.184.1620762252991; Tue, 11 May 2021 12:44:12 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620762252; cv=none; d=google.com; s=arc-20160816; b=U1GcWW8NHQGSQxOqqGF8aoUPvrG3LUPGN5OgErcKpjxQS9sLir3zO3pWso5yU4AM6b TzB5TjoWBI4k3EFtUX6HsRWRRG0SndjeJcTlAl3AKApnGK/gmnhonlgRRhEdjC7Mha5N aaXNFb6vMngqpVqX0PEF3b1PhX/KF9BQfz1MK8uGsvfjae8qFAkOXBtZpTbsc7pqtq1l wRN8JLgv8b6+jtEiHlBHJbDPZAWC6zUlYLm14zWsDQ8ypUSgA/Lov+cFmHWpvbYMkFXx d3m5V4V5uPL1XZyC5S3Jn4vMpibf7U/cFvsOcpqltguFpE1dLkQ4hUJc9+HQjumYgEaL d03g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=OUH0FdBeW1WnRtCtReTmgR1inU25bGMEwO/oVzk72IY=; b=Y5bzK9nMEUWIdAVWN3X6zo2Ai1pxc1ZFRC4PiVcVYE0HuPXXc6Y9g8nyogJoLZWELH gU2kudVNytf+tdWx2reqTIuziHRHJKUpSen8d+MdLdYpPbba0GJQd+4gMsfluf1GRdIa o1XEOHmKnlV+zYGUopyvDiDN1b6/rHWGUW+3EYesyOcJNAhKxhiRr+wgJWvDr82MzK/q zkd9++uBOQKhatu/OuY5DBQdJC1NBG9/npsbpZaAPUkNsxdbidneFEn7CzYy7mJabax2 VcIye+BfYXnYwiPR0FmO/qIDzyIX/JVYW8zYXZqYvHHIKoT/VTNzaByLUjkxczX2Sd2m qLFw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=RVHTN0z0; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id l184si19465391oif.200.2021.05.11.12.43.58; Tue, 11 May 2021 12:44:12 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=RVHTN0z0; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232093AbhEKTnQ (ORCPT + 99 others); Tue, 11 May 2021 15:43:16 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35550 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231808AbhEKTnP (ORCPT ); Tue, 11 May 2021 15:43:15 -0400 Received: from mail-il1-x12e.google.com (mail-il1-x12e.google.com [IPv6:2607:f8b0:4864:20::12e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 472F7C061574 for ; Tue, 11 May 2021 12:42:09 -0700 (PDT) Received: by mail-il1-x12e.google.com with SMTP id w13so6033368ilv.11 for ; Tue, 11 May 2021 12:42:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=OUH0FdBeW1WnRtCtReTmgR1inU25bGMEwO/oVzk72IY=; b=RVHTN0z0CTnwSws52IqIFciBCI4uG+vGpfhMwu96/YF+df0LqBgOSSMhSzkxXxiL/a MisbEK0ye3GOcwqozujkDgr4LFDPgSfqVPvhgFgRtDM+ZgUNs56dv9gBhPamQZbDkzSt 3MvlOWbL2P7hvcgMcpQEVK7U+n4bS+YmxpCYJc2eE1zDtsH3NW91cv15ID7sh6h1TME/ Ouhsdk6i4HcmmAhJAXPT68Hrpu9sq2BhRWZYHsOUL0wugcW+o466Tpz/lJEkFZNegAQ4 ibt7tmvAfGVmlqt8Nj50GLtdJUraz8W45UTTwNB2sLW/ga3G2eWphMoavkdlNa77udMW 4bYg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=OUH0FdBeW1WnRtCtReTmgR1inU25bGMEwO/oVzk72IY=; b=kBFbzbXE7dWVjiZQK65U4dmRMtBYZvRsaZDetw1xVFqnLGa/X5L/ddedHUphHkzDe8 KcDPp1sMSfhiYzw/PnMZ2ss7S7h+op7l0s82TRGBVUgIif35NfycLN+zBtrUts22AAKE hgpDGZv8Xp23clKx9oVV/GsnF36Is6HQUwxp01z6s8mafWz76e7XEqm7/g5RXHpybf+o xCzYdY3zr2fuoeaKhrRCuwh/urQ+bzUopsEvn5/9gICv3GAaqIqiotYJwO4w6o9DJerA SJLecbqQgYMJZEtmcIexyiSVpzH+MB+u4cUW1WaKVPGwRK+2hsfBkNB+Mnpol+YJKii6 bqiw== X-Gm-Message-State: AOAM530XhmK3sWwWDGIbaneGpfUmd4gDmm5KTcRp8LPHWXXdyN5XxaXj Z3lc8Us8+3tL5Tlpf13S43wojQ== X-Received: by 2002:a05:6e02:12aa:: with SMTP id f10mr27982600ilr.44.1620762128709; Tue, 11 May 2021 12:42:08 -0700 (PDT) Received: from presto.localdomain (c-73-185-129-58.hsd1.mn.comcast.net. [73.185.129.58]) by smtp.gmail.com with ESMTPSA id f13sm9973600ila.62.2021.05.11.12.42.07 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 11 May 2021 12:42:08 -0700 (PDT) From: Alex Elder To: davem@davemloft.net, kuba@kernel.org Cc: bjorn.andersson@linaro.org, evgreen@chromium.org, cpratapa@codeaurora.org, subashab@codeaurora.org, elder@kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH net] net: ipa: memory region array is variable size Date: Tue, 11 May 2021 14:42:04 -0500 Message-Id: <20210511194204.863605-1-elder@linaro.org> X-Mailer: git-send-email 2.27.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org IPA configuration data includes an array of memory region descriptors. That was a fixed-size array at one time, but at some point we started defining it such that it was only as big as required for a given platform. The actual number of entries in the array is recorded in the configuration data along with the array. A loop in ipa_mem_config() still assumes the array has entries for all defined memory region IDs. As a result, this loop can go past the end of the actual array and attempt to write "canary" values based on nonsensical data. Fix this, by stashing the number of entries in the array, and using that rather than IPA_MEM_COUNT in the initialization loop found in ipa_mem_config(). The only remaining use of IPA_MEM_COUNT is in a validation check to ensure configuration data doesn't have too many entries. That's fine for now. Fixes: 3128aae8c439a ("net: ipa: redefine struct ipa_mem_data") Signed-off-by: Alex Elder --- drivers/net/ipa/ipa.h | 2 ++ drivers/net/ipa/ipa_mem.c | 3 ++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/net/ipa/ipa.h b/drivers/net/ipa/ipa.h index e7ff376cb5b7d..744406832a774 100644 --- a/drivers/net/ipa/ipa.h +++ b/drivers/net/ipa/ipa.h @@ -58,6 +58,7 @@ enum ipa_flag { * @mem_virt: Virtual address of IPA-local memory space * @mem_offset: Offset from @mem_virt used for access to IPA memory * @mem_size: Total size (bytes) of memory at @mem_virt + * @mem_count: Number of entries in the mem array * @mem: Array of IPA-local memory region descriptors * @imem_iova: I/O virtual address of IPA region in IMEM * @imem_size: Size of IMEM region @@ -103,6 +104,7 @@ struct ipa { void *mem_virt; u32 mem_offset; u32 mem_size; + u32 mem_count; const struct ipa_mem *mem; unsigned long imem_iova; diff --git a/drivers/net/ipa/ipa_mem.c b/drivers/net/ipa/ipa_mem.c index c5c3b1b7e67d5..1624125e7459f 100644 --- a/drivers/net/ipa/ipa_mem.c +++ b/drivers/net/ipa/ipa_mem.c @@ -180,7 +180,7 @@ int ipa_mem_config(struct ipa *ipa) * for the region, write "canary" values in the space prior to * the region's base address. */ - for (mem_id = 0; mem_id < IPA_MEM_COUNT; mem_id++) { + for (mem_id = 0; mem_id < ipa->mem_count; mem_id++) { const struct ipa_mem *mem = &ipa->mem[mem_id]; u16 canary_count; __le32 *canary; @@ -487,6 +487,7 @@ int ipa_mem_init(struct ipa *ipa, const struct ipa_mem_data *mem_data) ipa->mem_size = resource_size(res); /* The ipa->mem[] array is indexed by enum ipa_mem_id values */ + ipa->mem_count = mem_data->local_count; ipa->mem = mem_data->local; ret = ipa_imem_init(ipa, mem_data->imem_addr, mem_data->imem_size); -- 2.27.0