From patchwork Fri Mar  3 15:17:58 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Carlo Caione <carlo@caione.org>
X-Patchwork-Id: 9603065
Return-Path: 
 <linux-amlogic-bounces+patchwork-linux-amlogic=patchwork.kernel.org@lists.infradead.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	9888A60414 for <patchwork-linux-amlogic@patchwork.kernel.org>;
	Fri,  3 Mar 2017 15:10:16 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8AAAC2863D
	for <patchwork-linux-amlogic@patchwork.kernel.org>;
	Fri,  3 Mar 2017 15:10:16 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 7FA0F28648; Fri,  3 Mar 2017 15:10:16 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID autolearn=unavailable version=3.3.1
Received: from bombadil.infradead.org (bombadil.infradead.org
	[65.50.211.133])
	(using TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id EBB172863D
	for <patchwork-linux-amlogic@patchwork.kernel.org>;
	Fri,  3 Mar 2017 15:10:15 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=bombadil.20170209; h=Sender:
	Content-Transfer-Encoding:Content-Type:MIME-Version:Cc:List-Subscribe:
	List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:References:
	In-Reply-To:Message-Id:Date:Subject:To:From:Reply-To:Content-ID:
	Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
	:Resent-Message-ID:List-Owner;
	bh=djdMmWxYPa3dt84Qakr0plJAWWUC4KFOsZ7Gm/KOSAE=;
	b=mceMUJmaHv6w4xoEGL9Fm+A+Iw
	sdMLukIIqExDMTM5OacaJ/IGHZkLhNG+OD9LDcHd7fwKzJlAJoeXVaIDvHEalJPkU4gQvMe35xwdq
	XOFP5BSFH1GivkbLjDhtdQz5ai4OBXBipw4V+2u6CVwNEtRGjJNQ8RbBdy+pZ3+zMb8dkEWA2zlB3
	y9wpRukzldHYV8DA4/s7XrnHFyZ0b2sKml3mLtKw1kvRdeHTWy/ANm2xSjcYHa0tz/fLQEpHFx11v
	5hHGH/XJpxZd8BwGym6GKXFUE8eCLeORvc0msUIgn2jO56fLzYaO857tcSvQId/AwWTiXg8MrGujW
	k2wNHulw==;
Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org)
	by bombadil.infradead.org with esmtp (Exim 4.87 #1 (Red Hat Linux))
	id 1cjoqO-00018x-GG; Fri, 03 Mar 2017 15:10:08 +0000
Received: from mail-wm0-x241.google.com ([2a00:1450:400c:c09::241])
	by bombadil.infradead.org with esmtps (Exim 4.87 #1 (Red Hat Linux))
	id 1cjoov-0007f2-Tn; Fri, 03 Mar 2017 15:08:40 +0000
Received: by mail-wm0-x241.google.com with SMTP id n11so3596122wma.0;
	Fri, 03 Mar 2017 07:08:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
	h=sender:from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=VIY96fXx4i9lNDc+tjPWMYKbZLeWTp/49US8na/mbM8=;
	b=p3KOPPvR9+c6qmVS+jU9E/Z4lmksahl0vKluj85vbRlF64HS5H1vclGt3wJ/vs734X
	+Gls3X5w+11vSrx+5PqSVKCyBHhGMYO2eX8yylhDpjVAR4Z0vJshIk37wfwmf9fTceA+
	GyFamsQ3Zmq+gsmLgF4huJAjaYB1d+jk2MLgcaY+ntbgcEywewe+YFDjK2gLvYUgaqCp
	MQtHit95CAlRWl6xYqe6v0ZYnjwMeCbdd3hAhI3Xzl+9uM28fOK7k9IRL84JOKI2yIJz
	Px+MA05RPina3vKopoaj3eViezHrcIKO4UjwNwIUKntT2d/KArQ+MMID7IGegyJnqwtE
	VkVw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:sender:from:to:cc:subject:date:message-id
	:in-reply-to:references;
	bh=VIY96fXx4i9lNDc+tjPWMYKbZLeWTp/49US8na/mbM8=;
	b=s7IyS0EjCvQ3Fmfoem+M2MW5YFaDglUp5pRPwwx9DgSIJde7nHQ4Ik5b2eqmIFWwSj
	lqDceNBAng52fGwf95oUV3K32xdUO1E8LKJzAD+AxJXyd/1sMzqREXYCPhRlsSFhpeh6
	dKMV3TpVuRF7/BR40gA0g/mKR70FgS0bX0LkIXts77IlvnvSC28Zy202N3Ky55cJbAd6
	zA39veD9Sjb1BQzhZ1szOlZRqZOt2Tk0RzMSQ78s1r5mPvsF6ncEtYIXAMsWQzRQT+me
	Oc+ZS/KYx7WjFvdejBa25XE+lotZ4LCFnIL/A+HW64wC7xMDblkuEr87Qr5dIBRSKQqQ
	rSXw==
X-Gm-Message-State: 
 AMke39l+yzr7mKr0CRqNnM729JIzQpyrsjK+/vtXynOdWAPOdsK3l+40xl1DJotCxGS9kA==
X-Received: by 10.28.166.133 with SMTP id p127mr3567649wme.62.1488553694383;
	Fri, 03 Mar 2017 07:08:14 -0800 (PST)
Received: from satan.homestation.setup ([151.45.79.45])
	by smtp.gmail.com with ESMTPSA id
	w17sm15587811wra.28.2017.03.03.07.08.13
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Fri, 03 Mar 2017 07:08:13 -0800 (PST)
From: Carlo Caione <carlo@caione.org>
To: linux-arm-kernel@lists.infradead.org, linux-amlogic@lists.infradead.org,
	linux@endlessm.com, mark.rutland@arm.com, srinivas.kandagatla@linaro.org
Subject: [PATCH 1/2] firmware: meson-sm: Check for buffer output size
Date: Fri,  3 Mar 2017 16:17:58 +0100
Message-Id: <20170303151759.8330-2-carlo@caione.org>
X-Mailer: git-send-email 2.12.0
In-Reply-To: <20170303151759.8330-1-carlo@caione.org>
References: <20170303151759.8330-1-carlo@caione.org>
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20170303_070838_120598_BC5F204D 
X-CRM114-Status: GOOD (  14.25  )
X-BeenThere: linux-amlogic@lists.infradead.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <linux-amlogic.lists.infradead.org>
List-Unsubscribe: <http://lists.infradead.org/mailman/options/linux-amlogic>,
	<mailto:linux-amlogic-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/linux-amlogic/>
List-Post: <mailto:linux-amlogic@lists.infradead.org>
List-Help: <mailto:linux-amlogic-request@lists.infradead.org?subject=help>
List-Subscribe: <http://lists.infradead.org/mailman/listinfo/linux-amlogic>,
	<mailto:linux-amlogic-request@lists.infradead.org?subject=subscribe>
Cc: Carlo Caione <carlo@endlessm.com>
MIME-Version: 1.0
Sender: "linux-amlogic" <linux-amlogic-bounces@lists.infradead.org>
Errors-To: 
 linux-amlogic-bounces+patchwork-linux-amlogic=patchwork.kernel.org@lists.infradead.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Carlo Caione <carlo@endlessm.com>

After the data is read by the secure monitor driver it is being copied
in the output buffer checking only the size of the bounce buffer but not
the size of the output buffer.

Fix this in the secure monitor driver slightly changing the API. Fix
also the efuse driver that it is the only driver using this API to not
break bisectability.

Signed-off-by: Carlo Caione <carlo@endlessm.com>
Acked-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
---
 drivers/firmware/meson/meson_sm.c       | 10 +++++++---
 drivers/nvmem/meson-efuse.c             |  2 +-
 include/linux/firmware/meson/meson_sm.h |  4 ++--
 3 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/drivers/firmware/meson/meson_sm.c b/drivers/firmware/meson/meson_sm.c
index b0d254930ed3..5f30a5774e57 100644
--- a/drivers/firmware/meson/meson_sm.c
+++ b/drivers/firmware/meson/meson_sm.c
@@ -127,6 +127,7 @@ EXPORT_SYMBOL(meson_sm_call);
  * meson_sm_call_read - retrieve data from secure-monitor
  *
  * @buffer:	Buffer to store the retrieved data
+ * @bsize:	Size of the buffer
  * @cmd_index:	Index of the SMC32 function ID
  * @arg0:	SMC32 Argument 0
  * @arg1:	SMC32 Argument 1
@@ -136,8 +137,8 @@ EXPORT_SYMBOL(meson_sm_call);
  *
  * Return:	size of read data on success, a negative value on error
  */
-int meson_sm_call_read(void *buffer, unsigned int cmd_index, u32 arg0,
-		       u32 arg1, u32 arg2, u32 arg3, u32 arg4)
+int meson_sm_call_read(void *buffer, unsigned int bsize, unsigned int cmd_index,
+		       u32 arg0, u32 arg1, u32 arg2, u32 arg3, u32 arg4)
 {
 	u32 size;
 
@@ -147,10 +148,13 @@ int meson_sm_call_read(void *buffer, unsigned int cmd_index, u32 arg0,
 	if (!fw.chip->cmd_shmem_out_base)
 		return -EINVAL;
 
+	if (bsize > fw.chip->shmem_size)
+		return -EINVAL;
+
 	if (meson_sm_call(cmd_index, &size, arg0, arg1, arg2, arg3, arg4) < 0)
 		return -EINVAL;
 
-	if (!size || size > fw.chip->shmem_size)
+	if (!size || size > bsize)
 		return -EINVAL;
 
 	if (buffer)
diff --git a/drivers/nvmem/meson-efuse.c b/drivers/nvmem/meson-efuse.c
index f207c3b10482..70bfc9839bb2 100644
--- a/drivers/nvmem/meson-efuse.c
+++ b/drivers/nvmem/meson-efuse.c
@@ -27,7 +27,7 @@ static int meson_efuse_read(void *context, unsigned int offset,
 	u8 *buf = val;
 	int ret;
 
-	ret = meson_sm_call_read(buf, SM_EFUSE_READ, offset,
+	ret = meson_sm_call_read(buf, bytes, SM_EFUSE_READ, offset,
 				 bytes, 0, 0, 0);
 	if (ret < 0)
 		return ret;
diff --git a/include/linux/firmware/meson/meson_sm.h b/include/linux/firmware/meson/meson_sm.h
index 8e953c6f394a..37a5eaea69dd 100644
--- a/include/linux/firmware/meson/meson_sm.h
+++ b/include/linux/firmware/meson/meson_sm.h
@@ -25,7 +25,7 @@ int meson_sm_call(unsigned int cmd_index, u32 *ret, u32 arg0, u32 arg1,
 		  u32 arg2, u32 arg3, u32 arg4);
 int meson_sm_call_write(void *buffer, unsigned int b_size, unsigned int cmd_index,
 			u32 arg0, u32 arg1, u32 arg2, u32 arg3, u32 arg4);
-int meson_sm_call_read(void *buffer, unsigned int cmd_index, u32 arg0, u32 arg1,
-		       u32 arg2, u32 arg3, u32 arg4);
+int meson_sm_call_read(void *buffer, unsigned int bsize, unsigned int cmd_index,
+		       u32 arg0, u32 arg1, u32 arg2, u32 arg3, u32 arg4);
 
 #endif /* _MESON_SM_FW_H_ */