Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
soc/tegra: cbb: Add checks for potential out of bound errors
Added checks to avoid potential out of bounds errors which can happen if
the 'slave map' and 'CBB errors' arrays are not correct or latest where
some entries are missing.
Fixes: fc2f151d2314 ("soc/tegra: cbb: Add driver for Tegra234 CBB 2.0")
Signed-off-by: Sumit Gupta <sumitg@nvidia.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
authored by
Sumit Gupta
and committed by
Thierry Reding
55084947
cd1d719b
+40
-2
+40
-2
drivers/soc/tegra/cbb/tegra234-cbb.c
+40
-2
drivers/soc/tegra/cbb/tegra234-cbb.c
···
95
95
const char * const *master_id;
96
96
unsigned int notifier_offset;
97
97
const struct tegra_cbb_error *errors;
98
+
const int max_errors;
98
99
const struct tegra234_slave_lookup *slave_map;
100
+
const int max_slaves;
99
101
};
100
102
101
103
struct tegra234_cbb {
···
272
270
tegra_cbb_print_err(file, "\t Multiple type of errors reported\n");
273
271
274
272
while (status) {
273
+
if (type >= cbb->fabric->max_errors) {
274
+
tegra_cbb_print_err(file, "\t Wrong type index:%u, status:%u\n",
275
+
type, status);
276
+
return;
277
+
}
278
+
275
279
if (status & 0x1)
276
280
tegra_cbb_print_err(file, "\t Error Code\t\t: %s\n",
277
281
cbb->fabric->errors[type].code);
···
289
281
type = 0;
290
282
291
283
while (overflow) {
284
+
if (type >= cbb->fabric->max_errors) {
285
+
tegra_cbb_print_err(file, "\t Wrong type index:%u, overflow:%u\n",
286
+
type, overflow);
287
+
return;
288
+
}
289
+
292
290
if (overflow & 0x1)
293
291
tegra_cbb_print_err(file, "\t Overflow\t\t: Multiple %s\n",
294
292
cbb->fabric->errors[type].code);
···
347
333
access_type = FIELD_GET(FAB_EM_EL_ACCESSTYPE, cbb->mn_attr0);
348
334
349
335
tegra_cbb_print_err(file, "\n");
350
-
tegra_cbb_print_err(file, "\t Error Code\t\t: %s\n",
351
-
cbb->fabric->errors[cbb->type].code);
336
+
if (cbb->type < cbb->fabric->max_errors)
337
+
tegra_cbb_print_err(file, "\t Error Code\t\t: %s\n",
338
+
cbb->fabric->errors[cbb->type].code);
339
+
else
340
+
tegra_cbb_print_err(file, "\t Wrong type index:%u\n", cbb->type);
352
341
353
342
tegra_cbb_print_err(file, "\t MASTER_ID\t\t: %s\n", cbb->fabric->master_id[mstr_id]);
354
343
tegra_cbb_print_err(file, "\t Address\t\t: %#llx\n", cbb->access);
···
389
372
390
373
if ((fab_id == PSC_FAB_ID) || (fab_id == FSI_FAB_ID))
391
374
return;
375
+
376
+
if (slave_id >= cbb->fabric->max_slaves) {
377
+
tegra_cbb_print_err(file, "\t Invalid slave_id:%d\n", slave_id);
378
+
return;
379
+
}
392
380
393
381
if (!strcmp(cbb->fabric->errors[cbb->type].code, "TIMEOUT_ERR")) {
394
382
tegra234_lookup_slave_timeout(file, cbb, slave_id, fab_id);
···
661
639
.name = "aon-fabric",
662
640
.master_id = tegra234_master_id,
663
641
.slave_map = tegra234_aon_slave_map,
642
+
.max_slaves = ARRAY_SIZE(tegra234_aon_slave_map),
664
643
.errors = tegra234_cbb_errors,
644
+
.max_errors = ARRAY_SIZE(tegra234_cbb_errors),
665
645
.notifier_offset = 0x17000,
666
646
};
667
647
···
679
655
.name = "bpmp-fabric",
680
656
.master_id = tegra234_master_id,
681
657
.slave_map = tegra234_bpmp_slave_map,
658
+
.max_slaves = ARRAY_SIZE(tegra234_bpmp_slave_map),
682
659
.errors = tegra234_cbb_errors,
660
+
.max_errors = ARRAY_SIZE(tegra234_cbb_errors),
683
661
.notifier_offset = 0x19000,
684
662
};
685
663
···
753
727
.name = "cbb-fabric",
754
728
.master_id = tegra234_master_id,
755
729
.slave_map = tegra234_cbb_slave_map,
730
+
.max_slaves = ARRAY_SIZE(tegra234_cbb_slave_map),
756
731
.errors = tegra234_cbb_errors,
732
+
.max_errors = ARRAY_SIZE(tegra234_cbb_errors),
757
733
.notifier_offset = 0x60000,
758
734
.off_mask_erd = 0x3a004
759
735
};
···
773
745
.name = "dce-fabric",
774
746
.master_id = tegra234_master_id,
775
747
.slave_map = tegra234_common_slave_map,
748
+
.max_slaves = ARRAY_SIZE(tegra234_common_slave_map),
776
749
.errors = tegra234_cbb_errors,
750
+
.max_errors = ARRAY_SIZE(tegra234_cbb_errors),
777
751
.notifier_offset = 0x19000,
778
752
};
779
753
···
783
753
.name = "rce-fabric",
784
754
.master_id = tegra234_master_id,
785
755
.slave_map = tegra234_common_slave_map,
756
+
.max_slaves = ARRAY_SIZE(tegra234_common_slave_map),
786
757
.errors = tegra234_cbb_errors,
758
+
.max_errors = ARRAY_SIZE(tegra234_cbb_errors),
787
759
.notifier_offset = 0x19000,
788
760
};
789
761
···
793
761
.name = "sce-fabric",
794
762
.master_id = tegra234_master_id,
795
763
.slave_map = tegra234_common_slave_map,
764
+
.max_slaves = ARRAY_SIZE(tegra234_common_slave_map),
796
765
.errors = tegra234_cbb_errors,
766
+
.max_errors = ARRAY_SIZE(tegra234_cbb_errors),
797
767
.notifier_offset = 0x19000,
798
768
};
799
769
···
974
940
.name = "cbb-fabric",
975
941
.master_id = tegra241_master_id,
976
942
.slave_map = tegra241_cbb_slave_map,
943
+
.max_slaves = ARRAY_SIZE(tegra241_cbb_slave_map),
977
944
.errors = tegra241_cbb_errors,
945
+
.max_errors = ARRAY_SIZE(tegra241_cbb_errors),
978
946
.notifier_offset = 0x60000,
979
947
.off_mask_erd = 0x40004,
980
948
};
···
996
960
.name = "bpmp-fabric",
997
961
.master_id = tegra241_master_id,
998
962
.slave_map = tegra241_bpmp_slave_map,
963
+
.max_slaves = ARRAY_SIZE(tegra241_bpmp_slave_map),
999
964
.errors = tegra241_cbb_errors,
965
+
.max_errors = ARRAY_SIZE(tegra241_cbb_errors),
1000
966
.notifier_offset = 0x19000,
1001
967
};
1002
968