From patchwork Wed Feb 20 10:30:47 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?b?UmFmYcWCIE1pxYJlY2tp?= X-Patchwork-Id: 10821803 X-Patchwork-Delegate: kvalo@adurom.com Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id B83B113BF for ; Wed, 20 Feb 2019 10:31:05 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A0BB22D7F4 for ; Wed, 20 Feb 2019 10:31:05 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 946182D7FE; Wed, 20 Feb 2019 10:31:05 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id BDE102D7FA for ; Wed, 20 Feb 2019 10:31:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727373AbfBTKbD (ORCPT ); Wed, 20 Feb 2019 05:31:03 -0500 Received: from mail-lj1-f195.google.com ([209.85.208.195]:42989 "EHLO mail-lj1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726209AbfBTKbD (ORCPT ); Wed, 20 Feb 2019 05:31:03 -0500 Received: by mail-lj1-f195.google.com with SMTP id d14so9160105ljl.9 for ; Wed, 20 Feb 2019 02:31:02 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=jTH4h8NYY/GPpagkmifVcrICWQ9e9yR4IZoOrfdP/7I=; b=gK28b5tne64+LsdvEkKr5B0gi50nPXkAsBGbsv4LaXkhOsAhghRjYXDXU8kbPRnbbo IDlx+/h4Jnr15Q50ADLZi2BhVfUtxpfx1RdR+/16n0nXKewOy03gDas0Fp+g7rX8m195 A70lCBCuvVUYxWpKzK6rCmet6nrSvAxoXEValDGFUB5dICyyAUme3yACxBLndpwCEc+P XV+jpAAgsKpRLJLa+Q4bW2JU41SbB43f5cI/o2nJtXqejwIfsHV5rD1UApxMa6RsT+6x PLDguXMaGhsC7wN5tDbyFlSHY8oqHCroihRorp18egqg6S4T/El/bYXMrLTv2Wigj+/4 luKg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=jTH4h8NYY/GPpagkmifVcrICWQ9e9yR4IZoOrfdP/7I=; b=dyQfrcttH1gC7WBYivNmuWU5YffnTiFJikHcRNKM7hKez+IKbO53qUj2FVtxvCaB+E FKZLrVMX7vxJYfgPGMLy1I7M5CG1D9Czq/N8RJhx+1W6pjokbD9zP5BszTMPEVBY+56F LylTFWDwLGvR5ZzJKgvLEphBpQiiZs0pX7FhY4uZpdiKaQ1TfxzgxS6Po2wlCKs8lw6L 58v7Dz5cVOtD0kvBiaa6T++DmXxZ2aZSFA4PtM5mAlzWrQ4rQcC5wS+Bja7aQuNyJzC3 hMJ6Cep1PlOmoaCTx9FNWEdXUE2C0nwiiuzpypLKnSuFeSxXPit6Ew7w4HNgzwhZMRsa dUzw== X-Gm-Message-State: AHQUAubJ2wXWrQ5QrPpe4viP7Si3eWI5ZQ8i4e668JUDeA8+fbOvrZtA 1YI6L6MHcd1UgfkltT91OtU= X-Google-Smtp-Source: AHgI3Ib7x1qb3AK5qo1X7qPu0O/zO6bmxmPWTacWuvKnmM1JxQK8IelJgfDRhFmHaDFDFZAlfOYDtg== X-Received: by 2002:a2e:9e93:: with SMTP id f19-v6mr20504814ljk.122.1550658661278; Wed, 20 Feb 2019 02:31:01 -0800 (PST) Received: from elitebook.lan (ip-194-187-74-233.konfederacka.maverick.com.pl. [194.187.74.233]) by smtp.gmail.com with ESMTPSA id p3sm4033664ljj.14.2019.02.20.02.31.00 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 20 Feb 2019 02:31:00 -0800 (PST) From: =?utf-8?b?UmFmYcWCIE1pxYJlY2tp?= To: Kalle Valo Cc: Arend van Spriel , linux-wireless@vger.kernel.org, brcm80211-dev-list.pdl@broadcom.com, brcm80211-dev-list@cypress.com, =?utf-8?b?UmFmYcWCIE1pxYJlY2tp?= Subject: [PATCH wireless-drivers-next] brcmfmac: add basic validation of shared RAM address Date: Wed, 20 Feb 2019 11:30:47 +0100 Message-Id: <20190220103047.8960-1-zajec5@gmail.com> X-Mailer: git-send-email 2.20.1 MIME-Version: 1.0 Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Rafał Miłecki While experimenting with firmware loading I ended up in a state of firmware reporting shared RAM address 0x04000001. It was causing: [ 94.448015] Unable to handle kernel paging request at virtual address cd680001 due to reading out of the mapped memory. This patch adds some basic validation to avoid kernel crashes due to the unexpected firmware behavior. Signed-off-by: Rafał Miłecki Acked-by: Arend van Spriel --- drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c index 257f919c52cc..58a6bc379358 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c @@ -1560,6 +1560,12 @@ static int brcmf_pcie_download_fw_nvram(struct brcmf_pciedev_info *devinfo, brcmf_err(bus, "FW failed to initialize\n"); return -ENODEV; } + if (sharedram_addr < devinfo->ci->rambase || + sharedram_addr >= devinfo->ci->rambase + devinfo->ci->ramsize) { + brcmf_err(bus, "Invalid shared RAM address 0x%08x\n", + sharedram_addr); + return -ENODEV; + } brcmf_dbg(PCIE, "Shared RAM addr: 0x%08x\n", sharedram_addr); return (brcmf_pcie_init_share_ram_info(devinfo, sharedram_addr));