
[v2,2/2] firmware: qcom: qcom_tzmem: Implement sanity checks

Message ID 20241014111527.2272428-3-quic_kuldsing@quicinc.com (mailing list archive)
State New
Series qcom_tzmem: Enhance Error Handling for shmbridge

Commit Message

Kuldeep Singh Oct. 14, 2024, 11:15 a.m. UTC
The qcom_tzmem driver currently has exposed APIs that lack validations
on required input parameters. This oversight can lead to unexpected null
pointer dereference crashes.

To address this issue, add sanity for required input parameters.

Signed-off-by: Kuldeep Singh <quic_kuldsing@quicinc.com>
---
 drivers/firmware/qcom/qcom_tzmem.c | 6 ++++++
 1 file changed, 6 insertions(+)

Comments

Bartosz Golaszewski Oct. 14, 2024, 1:08 p.m. UTC | #1
On Mon, Oct 14, 2024 at 1:19 PM Kuldeep Singh <quic_kuldsing@quicinc.com> wrote:
>
> The qcom_tzmem driver currently has exposed APIs that lack validations
> on required input parameters. This oversight can lead to unexpected null
> pointer dereference crashes.
>

The commit message is not true. None of the things you changed below
can lead to a NULL-pointer dereference.

> To address this issue, add sanity for required input parameters.
>
> Signed-off-by: Kuldeep Singh <quic_kuldsing@quicinc.com>
> ---
>  drivers/firmware/qcom/qcom_tzmem.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/drivers/firmware/qcom/qcom_tzmem.c b/drivers/firmware/qcom/qcom_tzmem.c
> index 92b365178235..977e48fec32f 100644
> --- a/drivers/firmware/qcom/qcom_tzmem.c
> +++ b/drivers/firmware/qcom/qcom_tzmem.c
> @@ -203,6 +203,9 @@ qcom_tzmem_pool_new(const struct qcom_tzmem_pool_config *config)
>
>         might_sleep();
>
> +       if (!config->policy)
> +               return ERR_PTR(-EINVAL);

This is already handled by the default case of the switch.

> +
>         switch (config->policy) {
>         case QCOM_TZMEM_POLICY_STATIC:
>                 if (!config->initial_size)
> @@ -412,6 +415,9 @@ void qcom_tzmem_free(void *vaddr)
>  {
>         struct qcom_tzmem_chunk *chunk;
>
> +       if (!vaddr)
> +               return;
> +
>         scoped_guard(spinlock_irqsave, &qcom_tzmem_chunks_lock)
>                 chunk = radix_tree_delete_item(&qcom_tzmem_chunks,
>                                                (unsigned long)vaddr, NULL);

This would lead to a WARN() as the lookup would inevitably fail. We
can possibly keep this bit but please change the commit message.

Bart

> --
> 2.34.1
>
>
Kuldeep Singh Oct. 16, 2024, 9:01 a.m. UTC | #2
On 10/14/2024 6:38 PM, Bartosz Golaszewski wrote:
> On Mon, Oct 14, 2024 at 1:19 PM Kuldeep Singh <quic_kuldsing@quicinc.com> wrote:
>>
>> The qcom_tzmem driver currently has exposed APIs that lack validations
>> on required input parameters. This oversight can lead to unexpected null
>> pointer dereference crashes.
>>
> 
> The commit message is not true. None of the things you changed below
> can lead to a NULL-pointer dereference.
>
>> To address this issue, add sanity for required input parameters.
>>
>> Signed-off-by: Kuldeep Singh <quic_kuldsing@quicinc.com>
>> ---
>>  drivers/firmware/qcom/qcom_tzmem.c | 6 ++++++
>>  1 file changed, 6 insertions(+)
>>
>> diff --git a/drivers/firmware/qcom/qcom_tzmem.c b/drivers/firmware/qcom/qcom_tzmem.c
>> index 92b365178235..977e48fec32f 100644
>> --- a/drivers/firmware/qcom/qcom_tzmem.c
>> +++ b/drivers/firmware/qcom/qcom_tzmem.c
>> @@ -203,6 +203,9 @@ qcom_tzmem_pool_new(const struct qcom_tzmem_pool_config *config)
>>
>>         might_sleep();
>>
>> +       if (!config->policy)
>> +               return ERR_PTR(-EINVAL);
> 
> This is already handled by the default case of the switch.

Ack. Need to drop.
https://elixir.bootlin.com/linux/v6.12-rc3/source/drivers/firmware/qcom/qcom_tzmem.c#L218

While examining qcom_tzmem_pool_free under the same principle, it
appears the following check is unnecessary.
https://elixir.bootlin.com/linux/v6.12-rc3/source/drivers/firmware/qcom/qcom_tzmem.c#L268

> 
>> +
>>         switch (config->policy) {
>>         case QCOM_TZMEM_POLICY_STATIC:
>>                 if (!config->initial_size)
>> @@ -412,6 +415,9 @@ void qcom_tzmem_free(void *vaddr)
>>  {
>>         struct qcom_tzmem_chunk *chunk;
>>
>> +       if (!vaddr)
>> +               return;
>> +
>>         scoped_guard(spinlock_irqsave, &qcom_tzmem_chunks_lock)
>>                 chunk = radix_tree_delete_item(&qcom_tzmem_chunks,
>>                                                (unsigned long)vaddr, NULL);
> 
> This would lead to a WARN() as the lookup would inevitably fail. We
> can possibly keep this bit but please change the commit message.

Sure, will reword commit message.
Kuldeep Singh Oct. 22, 2024, 5:43 a.m. UTC | #3
On 10/16/2024 2:31 PM, Kuldeep Singh wrote:
> 
> On 10/14/2024 6:38 PM, Bartosz Golaszewski wrote:
>> On Mon, Oct 14, 2024 at 1:19 PM Kuldeep Singh <quic_kuldsing@quicinc.com> wrote:
>>>
>>> The qcom_tzmem driver currently has exposed APIs that lack validations
>>> on required input parameters. This oversight can lead to unexpected null
>>> pointer dereference crashes.
>>>
>>
>> The commit message is not true. None of the things you changed below
>> can lead to a NULL-pointer dereference.
>>
>>> To address this issue, add sanity for required input parameters.
>>>
>>> Signed-off-by: Kuldeep Singh <quic_kuldsing@quicinc.com>
>>> ---
>>>  drivers/firmware/qcom/qcom_tzmem.c | 6 ++++++
>>>  1 file changed, 6 insertions(+)
>>>
>>> diff --git a/drivers/firmware/qcom/qcom_tzmem.c b/drivers/firmware/qcom/qcom_tzmem.c
>>> index 92b365178235..977e48fec32f 100644
>>> --- a/drivers/firmware/qcom/qcom_tzmem.c
>>> +++ b/drivers/firmware/qcom/qcom_tzmem.c
>>> @@ -203,6 +203,9 @@ qcom_tzmem_pool_new(const struct qcom_tzmem_pool_config *config)
>>>
>>>         might_sleep();
>>>
>>> +       if (!config->policy)
>>> +               return ERR_PTR(-EINVAL);
>>
>> This is already handled by the default case of the switch.
> 
> Ack. Need to drop.
> https://elixir.bootlin.com/linux/v6.12-rc3/source/drivers/firmware/qcom/qcom_tzmem.c#L218
> 
> While examining qcom_tzmem_pool_free under the same principle, it
> appears the following check is unnecessary.
> https://elixir.bootlin.com/linux/v6.12-rc3/source/drivers/firmware/qcom/qcom_tzmem.c#L268
> 

Bartosz,
I am thinking of removing the check below in the next rev, as mentioned above.
https://elixir.bootlin.com/linux/v6.12-rc3/source/drivers/firmware/qcom/qcom_tzmem.c#L268

Do you have any other opinion here?
Please let me know.
Bartosz Golaszewski Oct. 22, 2024, 6:57 a.m. UTC | #4
On Tue, 22 Oct 2024 at 07:43, Kuldeep Singh <quic_kuldsing@quicinc.com> wrote:
>
>
>
> On 10/16/2024 2:31 PM, Kuldeep Singh wrote:
> >
> > On 10/14/2024 6:38 PM, Bartosz Golaszewski wrote:
> >> On Mon, Oct 14, 2024 at 1:19 PM Kuldeep Singh <quic_kuldsing@quicinc.com> wrote:
> >>>
> >>> The qcom_tzmem driver currently has exposed APIs that lack validations
> >>> on required input parameters. This oversight can lead to unexpected null
> >>> pointer dereference crashes.
> >>>
> >>
> >> The commit message is not true. None of the things you changed below
> >> can lead to a NULL-pointer dereference.
> >>
> >>> To address this issue, add sanity for required input parameters.
> >>>
> >>> Signed-off-by: Kuldeep Singh <quic_kuldsing@quicinc.com>
> >>> ---
> >>>  drivers/firmware/qcom/qcom_tzmem.c | 6 ++++++
> >>>  1 file changed, 6 insertions(+)
> >>>
> >>> diff --git a/drivers/firmware/qcom/qcom_tzmem.c b/drivers/firmware/qcom/qcom_tzmem.c
> >>> index 92b365178235..977e48fec32f 100644
> >>> --- a/drivers/firmware/qcom/qcom_tzmem.c
> >>> +++ b/drivers/firmware/qcom/qcom_tzmem.c
> >>> @@ -203,6 +203,9 @@ qcom_tzmem_pool_new(const struct qcom_tzmem_pool_config *config)
> >>>
> >>>         might_sleep();
> >>>
> >>> +       if (!config->policy)
> >>> +               return ERR_PTR(-EINVAL);
> >>
> >> This is already handled by the default case of the switch.
> >
> > Ack. Need to drop.
> > https://elixir.bootlin.com/linux/v6.12-rc3/source/drivers/firmware/qcom/qcom_tzmem.c#L218
> >
> > While examining qcom_tzmem_pool_free under the same principle, it
> > appears the following check is unnecessary.
> > https://elixir.bootlin.com/linux/v6.12-rc3/source/drivers/firmware/qcom/qcom_tzmem.c#L268
> >
>
> Bartosz,
> I am thinking of removing the check below in the next rev, as mentioned above.
> https://elixir.bootlin.com/linux/v6.12-rc3/source/drivers/firmware/qcom/qcom_tzmem.c#L268
>
> Do you have any other opinion here?
> Please let me know.
>

No, let's keep the NULL-pointer check and add it to qcom_tzmem_free();
I'm not against it. I was just saying that in the latter case it will
already be handled by the radix tree lookup.

Bart
Kuldeep Singh Oct. 22, 2024, 6:33 p.m. UTC | #5
On 10/22/2024 12:27 PM, Bartosz Golaszewski wrote:
> On Tue, 22 Oct 2024 at 07:43, Kuldeep Singh <quic_kuldsing@quicinc.com> wrote:
>>
>>
>>
>> On 10/16/2024 2:31 PM, Kuldeep Singh wrote:
>>>
>>> On 10/14/2024 6:38 PM, Bartosz Golaszewski wrote:
>>>> On Mon, Oct 14, 2024 at 1:19 PM Kuldeep Singh <quic_kuldsing@quicinc.com> wrote:
>>>>>
>>>>> The qcom_tzmem driver currently has exposed APIs that lack validations
>>>>> on required input parameters. This oversight can lead to unexpected null
>>>>> pointer dereference crashes.
>>>>>
>>>>
>>>> The commit message is not true. None of the things you changed below
>>>> can lead to a NULL-pointer dereference.
>>>>
>>>>> To address this issue, add sanity for required input parameters.
>>>>>
>>>>> Signed-off-by: Kuldeep Singh <quic_kuldsing@quicinc.com>
>>>>> ---
>>>>>  drivers/firmware/qcom/qcom_tzmem.c | 6 ++++++
>>>>>  1 file changed, 6 insertions(+)
>>>>>
>>>>> diff --git a/drivers/firmware/qcom/qcom_tzmem.c b/drivers/firmware/qcom/qcom_tzmem.c
>>>>> index 92b365178235..977e48fec32f 100644
>>>>> --- a/drivers/firmware/qcom/qcom_tzmem.c
>>>>> +++ b/drivers/firmware/qcom/qcom_tzmem.c
>>>>> @@ -203,6 +203,9 @@ qcom_tzmem_pool_new(const struct qcom_tzmem_pool_config *config)
>>>>>
>>>>>         might_sleep();
>>>>>
>>>>> +       if (!config->policy)
>>>>> +               return ERR_PTR(-EINVAL);
>>>>
>>>> This is already handled by the default case of the switch.
>>>
>>> Ack. Need to drop.
>>> https://elixir.bootlin.com/linux/v6.12-rc3/source/drivers/firmware/qcom/qcom_tzmem.c#L218
>>>
>>> While examining qcom_tzmem_pool_free under the same principle, it
>>> appears the following check is unnecessary.
>>> https://elixir.bootlin.com/linux/v6.12-rc3/source/drivers/firmware/qcom/qcom_tzmem.c#L268
>>>
>>
>> Bartosz,
>> I am thinking of removing the check below in the next rev, as mentioned above.
>> https://elixir.bootlin.com/linux/v6.12-rc3/source/drivers/firmware/qcom/qcom_tzmem.c#L268
>>
>> Do you have any other opinion here?
>> Please let me know.
>>
> 
> No, let's keep the NULL-pointer check and add it to qcom_tzmem_free();
> I'm not against it. I was just saying that in the latter case it will
> already be handled by the radix tree lookup.

Hey, I think you misread my comment. Let me explain more.
As agreed, will drop the (!config->policy) check from qcom_tzmem_pool_new
because it's already present.
https://elixir.bootlin.com/linux/v6.12-rc3/source/drivers/firmware/qcom/qcom_tzmem.c#L218

Keep (!vaddr) check in qcom_tzmem_free as discussed above.
https://elixir.bootlin.com/linux/v6.12-rc3/source/drivers/firmware/qcom/qcom_tzmem.c#L411

And one last thing: just as we don't check (!pool) in qcom_tzmem_alloc as it
cannot be null, I believe (!pool) is likewise unnecessary in
qcom_tzmem_pool_free, as qcom_tzmem_pool_new should return a valid pool and,
if not, that should be handled by the calling driver.
https://elixir.bootlin.com/linux/v6.12-rc3/source/drivers/firmware/qcom/qcom_tzmem.c#L369
https://elixir.bootlin.com/linux/v6.12-rc3/source/drivers/firmware/qcom/qcom_tzmem.c#L268
Bartosz Golaszewski Oct. 23, 2024, 7:31 a.m. UTC | #6
On Tue, Oct 22, 2024 at 8:34 PM Kuldeep Singh <quic_kuldsing@quicinc.com> wrote:
>
>
>
> On 10/22/2024 12:27 PM, Bartosz Golaszewski wrote:
> > On Tue, 22 Oct 2024 at 07:43, Kuldeep Singh <quic_kuldsing@quicinc.com> wrote:
> >>
> >>
> >>
> >> On 10/16/2024 2:31 PM, Kuldeep Singh wrote:
> >>>
> >>> On 10/14/2024 6:38 PM, Bartosz Golaszewski wrote:
> >>>> On Mon, Oct 14, 2024 at 1:19 PM Kuldeep Singh <quic_kuldsing@quicinc.com> wrote:
> >>>>>
> >>>>> The qcom_tzmem driver currently has exposed APIs that lack validations
> >>>>> on required input parameters. This oversight can lead to unexpected null
> >>>>> pointer dereference crashes.
> >>>>>
> >>>>
> >>>> The commit message is not true. None of the things you changed below
> >>>> can lead to a NULL-pointer dereference.
> >>>>
> >>>>> To address this issue, add sanity for required input parameters.
> >>>>>
> >>>>> Signed-off-by: Kuldeep Singh <quic_kuldsing@quicinc.com>
> >>>>> ---
> >>>>>  drivers/firmware/qcom/qcom_tzmem.c | 6 ++++++
> >>>>>  1 file changed, 6 insertions(+)
> >>>>>
> >>>>> diff --git a/drivers/firmware/qcom/qcom_tzmem.c b/drivers/firmware/qcom/qcom_tzmem.c
> >>>>> index 92b365178235..977e48fec32f 100644
> >>>>> --- a/drivers/firmware/qcom/qcom_tzmem.c
> >>>>> +++ b/drivers/firmware/qcom/qcom_tzmem.c
> >>>>> @@ -203,6 +203,9 @@ qcom_tzmem_pool_new(const struct qcom_tzmem_pool_config *config)
> >>>>>
> >>>>>         might_sleep();
> >>>>>
> >>>>> +       if (!config->policy)
> >>>>> +               return ERR_PTR(-EINVAL);
> >>>>
> >>>> This is already handled by the default case of the switch.
> >>>
> >>> Ack. Need to drop.
> >>> https://elixir.bootlin.com/linux/v6.12-rc3/source/drivers/firmware/qcom/qcom_tzmem.c#L218
> >>>
> >>> While examining qcom_tzmem_pool_free under the same principle, it
> >>> appears the following check is unnecessary.
> >>> https://elixir.bootlin.com/linux/v6.12-rc3/source/drivers/firmware/qcom/qcom_tzmem.c#L268
> >>>
> >>
> >> Bartosz,
> >> I am thinking of removing the check below in the next rev, as mentioned above.
> >> https://elixir.bootlin.com/linux/v6.12-rc3/source/drivers/firmware/qcom/qcom_tzmem.c#L268
> >>
> >> Do you have any other opinion here?
> >> Please let me know.
> >>
> >
> > No, let's keep the NULL-pointer check and add it to qcom_tzmem_free();
> > I'm not against it. I was just saying that in the latter case it will
> > already be handled by the radix tree lookup.
>
> Hey, I think you misread my comment. Let me explain more.
> As agreed, will drop the (!config->policy) check from qcom_tzmem_pool_new
> because it's already present.
> https://elixir.bootlin.com/linux/v6.12-rc3/source/drivers/firmware/qcom/qcom_tzmem.c#L218
>
> Keep (!vaddr) check in qcom_tzmem_free as discussed above.
> https://elixir.bootlin.com/linux/v6.12-rc3/source/drivers/firmware/qcom/qcom_tzmem.c#L411
>
> And one last thing: just as we don't check (!pool) in qcom_tzmem_alloc as it
> cannot be null, I believe (!pool) is likewise unnecessary in
> qcom_tzmem_pool_free, as qcom_tzmem_pool_new should return a valid pool and,
> if not, that should be handled by the calling driver.
> https://elixir.bootlin.com/linux/v6.12-rc3/source/drivers/firmware/qcom/qcom_tzmem.c#L369
> https://elixir.bootlin.com/linux/v6.12-rc3/source/drivers/firmware/qcom/qcom_tzmem.c#L268
>

Well, I would say this is just churn if it's already there, but yeah, it
cannot be NULL so I won't object.

Bart

Patch

diff --git a/drivers/firmware/qcom/qcom_tzmem.c b/drivers/firmware/qcom/qcom_tzmem.c
index 92b365178235..977e48fec32f 100644
--- a/drivers/firmware/qcom/qcom_tzmem.c
+++ b/drivers/firmware/qcom/qcom_tzmem.c
@@ -203,6 +203,9 @@  qcom_tzmem_pool_new(const struct qcom_tzmem_pool_config *config)
 
 	might_sleep();
 
+	if (!config->policy)
+		return ERR_PTR(-EINVAL);
+
 	switch (config->policy) {
 	case QCOM_TZMEM_POLICY_STATIC:
 		if (!config->initial_size)
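Review bot: the new `if (!config->policy) return ERR_PTR(-EINVAL);` is redundant with the `switch (config->policy)` that immediately follows it: a zero policy matches none of the enumerated cases and falls through to the switch's default path, which, as the thread points out, already returns an error. It is also not a NULL-pointer check, since `policy` is an integer field, so the commit message's claim about preventing NULL-pointer dereferences does not describe this hunk. Drop the check, or if it stays, say in the commit message what it adds over the existing default case.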
@@ -412,6 +415,9 @@  void qcom_tzmem_free(void *vaddr)
 {
 	struct qcom_tzmem_chunk *chunk;
 
+	if (!vaddr)
+		return;
+
 	scoped_guard(spinlock_irqsave, &qcom_tzmem_chunks_lock)
 		chunk = radix_tree_delete_item(&qcom_tzmem_chunks,
 					       (unsigned long)vaddr, NULL);
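Review bot: accepting a NULL `vaddr` and returning early follows the kfree()-style convention for free routines and is fine to keep, but the commit message should not present it as a NULL-pointer-dereference fix: `radix_tree_delete_item(&qcom_tzmem_chunks, (unsigned long)vaddr, NULL)` with `vaddr == NULL` looks up key 0 and simply finds no chunk, and the thread notes that this miss ends in a WARN() rather than a crash. Reword to say the check lets callers pass NULL without tripping the lookup-miss warning.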