From patchwork Thu Apr 26 11:55:34 2018
X-Patchwork-Submitter: Niklas Cassel
X-Patchwork-Id: 10365839
From: Niklas Cassel
To: andy.gross@linaro.org, david.brown@linaro.org
Cc: bjorn.andersson@linaro.org, sboyd@kernel.org, linux-arm-msm@vger.kernel.org, linux-soc@vger.kernel.org, linux-kernel@vger.kernel.org, Niklas Cassel
Subject: [PATCH RESEND] firmware: qcom: scm: Fix crash in qcom_scm_call_atomic1()
Date: Thu, 26 Apr 2018 13:55:34 +0200
Message-Id: <20180426115534.20971-1-niklas.cassel@linaro.org>
X-Mailer: git-send-email 2.14.3

qcom_scm_call_atomic1() can crash with a NULL pointer dereference at
qcom_scm_call_atomic1+0x30/0x48.

disassembly of qcom_scm_call_atomic1():
...
<0xc08d73b0 <+12>: ldr r3, [r12]
...
(no instruction explicitly modifies r12)
0xc08d73cc <+40>: smc 0
...
(no instruction explicitly modifies r12)
0xc08d73d4 <+48>: ldr r3, [r12] <- crashing instruction
...

Since the first ldr is successful, and since r12 isn't explicitly modified
by any instruction between the first and the second ldr, it must have been
modified by the smc call, which is ok, since r12 is caller save according
to the AAPCS.

Add r12 to the clobber list so that the compiler knows that the callee
potentially overwrites the value in r12.

Clobber descriptions may not in any way overlap with an input or output
operand.

Reviewed-by: Bjorn Andersson
Reviewed-by: Stephen Boyd
Signed-off-by: Niklas Cassel
---
 drivers/firmware/qcom_scm-32.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/firmware/qcom_scm-32.c b/drivers/firmware/qcom_scm-32.c index dfbd894d5bb7..4e24e591ae74 100644 --- a/drivers/firmware/qcom_scm-32.c +++ b/drivers/firmware/qcom_scm-32.c @@ -147,7 +147,7 @@ static u32 smc(u32 cmd_addr) "smc #0 @ switch to secure world\n" : "=r" (r0) : "r" (r0), "r" (r1), "r" (r2) - : "r3"); + : "r3", "r12"); } while (r0 == QCOM_SCM_INTERRUPTED); return r0; 
@@ -263,7 +263,7 @@ static s32 qcom_scm_call_atomic1(u32 svc, u32 cmd, u32 arg1) "smc #0 @ switch to secure world\n" : "=r" (r0) : "r" (r0), "r" (r1), "r" (r2) - : "r3"); + : "r3", "r12"); return r0; } @@ -298,7 +298,7 @@ static s32 qcom_scm_call_atomic2(u32 svc, u32 cmd, u32 arg1, u32 arg2) "smc #0 @ switch to secure world\n" : "=r" (r0) : "r" (r0), "r" (r1), "r" (r2), "r" (r3) - ); + : "r12"); return r0; } @@ -328,7 +328,7 @@ u32 qcom_scm_get_version(void) "smc #0 @ switch to secure world\n" : "=r" (r0), "=r" (r1) : "r" (r0), "r" (r1) - : "r2", "r3"); + : "r2", "r3", "r12"); } while (r0 == QCOM_SCM_INTERRUPTED); version = r1;
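Review bot: in the smc() hunk (@@ -147,7 +147,7 @@) nothing in the code records why "r12" now appears in the clobber list; the reasoning lives only in the commit message (the secure world overwrites r12, which is caller-save under the AAPCS). Add a one-line comment next to the asm statement, e.g. `/* r12 is caller-save and is clobbered by the secure monitor */`, so a later cleanup does not mistake it for a stray clobber and drop it, reintroducing the NULL dereference.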
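Review bot: the qcom_scm_call_atomic1() hunk (@@ -263,7 +263,7 @@) fixes the reported crash site, but the same reasoning raises a question about the input operands: r1 and r2 are passed as plain `"r" (r1), "r" (r2)` inputs, which tells the compiler they still hold their values after the `smc #0`. Since the secure world is shown to overwrite r12, it is worth confirming in the patch description that it leaves r1 and r2 (and r3 in qcom_scm_call_atomic2()) untouched; if it does not, those registers must be declared as outputs the way qcom_scm_get_version() declares `"=r" (r1)`, because, as the commit message notes, a register used as an input operand cannot also be listed as a clobber.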