diff options
| author | Govind Singh <govinds@codeaurora.org> | 2019-07-31 17:12:20 +0530 |
|---|---|---|
| committer | Kalle Valo <kvalo@codeaurora.org> | 2019-09-17 17:10:28 +0300 |
| commit | c41305993ff5a399775da54232b30ff2d6c9576e (patch) | |
| tree | 92e09887d336bec9abc364a94cbb69c05be7ccae /drivers/net/wireless/ath/ath10k | |
| parent | 9c44bf4c12550f1c3c1be0671e559477e70ab350 (diff) | |
| download | blackbird-op-linux-c41305993ff5a399775da54232b30ff2d6c9576e.tar.gz blackbird-op-linux-c41305993ff5a399775da54232b30ff2d6c9576e.zip | |
ath10k: revalidate the msa region coming from firmware
driver sends QMI_WLFW_MSA_INFO_REQ_V01 QMI request to firmware
and in response expects range of addresses and size to be mapped.
Add condition to check whether addresses in response falls
under valid range otherwise return failure.
Testing: Tested on WCN3990 HW
Tested FW: WLAN.HL.3.1-01040-QCAHLSWMTPLZ-1
Signed-off-by: Govind Singh <govinds@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Diffstat (limited to 'drivers/net/wireless/ath/ath10k')
| -rw-r--r-- | drivers/net/wireless/ath/ath10k/qmi.c | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/drivers/net/wireless/ath/ath10k/qmi.c b/drivers/net/wireless/ath/ath10k/qmi.c index 545ac1f06997..44ad009f8e2e 100644 --- a/drivers/net/wireless/ath/ath10k/qmi.c +++ b/drivers/net/wireless/ath/ath10k/qmi.c @@ -111,6 +111,7 @@ static int ath10k_qmi_msa_mem_info_send_sync_msg(struct ath10k_qmi *qmi) struct wlfw_msa_info_resp_msg_v01 resp = {}; struct wlfw_msa_info_req_msg_v01 req = {}; struct ath10k *ar = qmi->ar; + phys_addr_t max_mapped_addr; struct qmi_txn txn; int ret; int i; @@ -150,8 +151,20 @@ static int ath10k_qmi_msa_mem_info_send_sync_msg(struct ath10k_qmi *qmi) goto out; } + max_mapped_addr = qmi->msa_pa + qmi->msa_mem_size; qmi->nr_mem_region = resp.mem_region_info_len; for (i = 0; i < resp.mem_region_info_len; i++) { + if (resp.mem_region_info[i].size > qmi->msa_mem_size || + resp.mem_region_info[i].region_addr > max_mapped_addr || + resp.mem_region_info[i].region_addr < qmi->msa_pa || + resp.mem_region_info[i].size + + resp.mem_region_info[i].region_addr > max_mapped_addr) { + ath10k_err(ar, "received out of range memory region address 0x%llx with size 0x%x, aborting\n", + resp.mem_region_info[i].region_addr, + resp.mem_region_info[i].size); + ret = -EINVAL; + goto fail_unwind; + } qmi->mem_region[i].addr = resp.mem_region_info[i].region_addr; qmi->mem_region[i].size = resp.mem_region_info[i].size; qmi->mem_region[i].secure = resp.mem_region_info[i].secure_flag; @@ -165,6 +178,8 @@ static int ath10k_qmi_msa_mem_info_send_sync_msg(struct ath10k_qmi *qmi) ath10k_dbg(ar, ATH10K_DBG_QMI, "qmi msa mem info request completed\n"); return 0; +fail_unwind: + memset(&qmi->mem_region[0], 0, sizeof(qmi->mem_region[0]) * i); out: return ret; } |
