Date:   Wed, 11 Dec 2019 16:03:45 +0100
From:   Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:     linux-kernel@...r.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        stable@...r.kernel.org,
        James Hughes <james.hughes@...pberrypi.org>,
        Eric Anholt <eric@...olt.net>,
        Stefan Wahren <stefan.wahren@...e.com>,
        Sasha Levin <sashal@...nel.org>
Subject: [PATCH 4.19 063/243] firmware: raspberrypi: Fix firmware calls with large buffers

From: James Hughes <james.hughes@...pberrypi.org>

[ Upstream commit 91c6ada69f396e663acb2b713e8acb8a9463557d ]

Commit a1547e0bca51 ("firmware: raspberrypi: Remove VLA usage")
moved away from VLAs to a fixed maximum size for mailbox data.
However, some mailbox calls use larger data buffers
than the maximum allowed in that change. This fix therefore
moves from using fixed buffers to kmalloc to ensure all sizes
are catered for.

There is some documentation, which is somewhat out of date,
on the mailbox calls here:
https://github.com/raspberrypi/firmware/wiki/Mailbox-property-interface

Fixes: a1547e0bca51 ("firmware: raspberrypi: Remove VLA usage")

Signed-off-by: James Hughes <james.hughes@...pberrypi.org>
Reviewed-by: Eric Anholt <eric@...olt.net>
Signed-off-by: Stefan Wahren <stefan.wahren@...e.com>
Signed-off-by: Sasha Levin <sashal@...nel.org>
---
 drivers/firmware/raspberrypi.c | 35 +++++++++++++++++-----------------
 1 file changed, 18 insertions(+), 17 deletions(-)

diff --git a/drivers/firmware/raspberrypi.c b/drivers/firmware/raspberrypi.c
index a200a21746119..44eb99807e337 100644
--- a/drivers/firmware/raspberrypi.c
+++ b/drivers/firmware/raspberrypi.c
@@ -14,6 +14,7 @@
 #include <linux/module.h>
 #include <linux/of_platform.h>
 #include <linux/platform_device.h>
+#include <linux/slab.h>
 #include <soc/bcm2835/raspberrypi-firmware.h>
 
 #define MBOX_MSG(chan, data28)		(((data28) & ~0xf) | ((chan) & 0xf))
@@ -21,8 +22,6 @@
 #define MBOX_DATA28(msg)		((msg) & ~0xf)
 #define MBOX_CHAN_PROPERTY		8
 
-#define MAX_RPI_FW_PROP_BUF_SIZE	32
-
 static struct platform_device *rpi_hwmon;
 
 struct rpi_firmware {
@@ -144,28 +143,30 @@ EXPORT_SYMBOL_GPL(rpi_firmware_property_list);
 int rpi_firmware_property(struct rpi_firmware *fw,
 			  u32 tag, void *tag_data, size_t buf_size)
 {
-	/* Single tags are very small (generally 8 bytes), so the
-	 * stack should be safe.
-	 */
-	u8 data[sizeof(struct rpi_firmware_property_tag_header) +
-		MAX_RPI_FW_PROP_BUF_SIZE];
-	struct rpi_firmware_property_tag_header *header =
-		(struct rpi_firmware_property_tag_header *)data;
+	struct rpi_firmware_property_tag_header *header;
 	int ret;
 
-	if (WARN_ON(buf_size > sizeof(data) - sizeof(*header)))
-		return -EINVAL;
+	/* Some mailboxes can use over 1k bytes. Rather than checking
+	 * size and using stack or kmalloc depending on requirements,
+	 * just use kmalloc. Mailboxes don't get called enough to worry
+	 * too much about the time taken in the allocation.
+	 */
+	void *data = kmalloc(sizeof(*header) + buf_size, GFP_KERNEL);
 
+	if (!data)
+		return -ENOMEM;
+
+	header = data;
 	header->tag = tag;
 	header->buf_size = buf_size;
 	header->req_resp_size = 0;
-	memcpy(data + sizeof(struct rpi_firmware_property_tag_header),
-	       tag_data, buf_size);
+	memcpy(data + sizeof(*header), tag_data, buf_size);
+
+	ret = rpi_firmware_property_list(fw, data, buf_size + sizeof(*header));
+
+	memcpy(tag_data, data + sizeof(*header), buf_size);
 
-	ret = rpi_firmware_property_list(fw, &data, buf_size + sizeof(*header));
-	memcpy(tag_data,
-	       data + sizeof(struct rpi_firmware_property_tag_header),
-	       buf_size);
+	kfree(data);
 
 	return ret;
 }
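Review bot: In rpi_firmware_property(), dropping the WARN_ON(buf_size > sizeof(data) - sizeof(*header)) check removes the only bound on buf_size, and the new kmalloc(sizeof(*header) + buf_size, GFP_KERNEL) computes its size with an unchecked size_t addition. If a caller ever passes a very large buf_size, the sum can wrap, the allocation comes back smaller than expected, and the following memcpy(data + sizeof(*header), tag_data, buf_size) writes past it. The new comment says some mailboxes use over 1k bytes, so a generous sanity limit that returns -EINVAL, or an explicit overflow check on the sum before allocating, would keep the protection the old check provided without reintroducing the 32-byte cap. A smaller point: memcpy(tag_data, data + sizeof(*header), buf_size) still runs regardless of ret, as it did before this change; copying back only when ret is 0 would make it clearer to callers that tag_data is valid only on success.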
-- 
2.20.1


