| Message ID | 20210915122116.18317-5-peter.ujfalusi@linux.intel.com (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | 10d93a98190aec2c3ff98d9472ab1bf0543aa02c |
| Headers | show |
| Series | ASoC: SOF: Abstract away the 'bar' usage (mostly) | expand |
On Wed, Sep 15, 2021 at 03:21:08PM +0300, Peter Ujfalusi wrote: > i.MX8 only uses SOF_FW_BLK_TYPE_IRAM (1) and SOF_FW_BLK_TYPE_SRAM (3) > bars, everything else is left as 0 in sdev->bar[] array. > > If a broken or purposefully crafted firmware image is loaded with other > types of FW_BLK_TYPE then a kernel crash can be triggered. This is a fix which should have been at the start of the series.
On 15/09/2021 16:00, Mark Brown wrote: > On Wed, Sep 15, 2021 at 03:21:08PM +0300, Peter Ujfalusi wrote: >> i.MX8 only uses SOF_FW_BLK_TYPE_IRAM (1) and SOF_FW_BLK_TYPE_SRAM (3) >> bars, everything else is left as 0 in sdev->bar[] array. >> >> If a broken or purposefully crafted firmware image is loaded with other >> types of FW_BLK_TYPE then a kernel crash can be triggered. > > This is a fix which should have been at the start of the series. The same is true for the next patch for imx8m, I'll move it ahead in the v2.
diff --git a/sound/soc/sof/imx/imx8.c b/sound/soc/sof/imx/imx8.c index 326aa65166c2..150f1bc3fb95 100644 --- a/sound/soc/sof/imx/imx8.c +++ b/sound/soc/sof/imx/imx8.c @@ -365,7 +365,14 @@ static int imx8_remove(struct snd_sof_dev *sdev) /* on i.MX8 there is 1 to 1 match between type and BAR idx */ static int imx8_get_bar_index(struct snd_sof_dev *sdev, u32 type) { - return type; + /* Only IRAM and SRAM bars are valid */ + switch (type) { + case SOF_FW_BLK_TYPE_IRAM: + case SOF_FW_BLK_TYPE_SRAM: + return type; + default: + return -EINVAL; + } } static void imx8_ipc_msg_data(struct snd_sof_dev *sdev,
i.MX8 only uses SOF_FW_BLK_TYPE_IRAM (1) and SOF_FW_BLK_TYPE_SRAM (3) bars, everything else is left as 0 in sdev->bar[] array. If a broken or purposefully crafted firmware image is loaded with other types of FW_BLK_TYPE then a kernel crash can be triggered. Make sure that only IRAM/SRAM type is converted to bar index. Fixes: 202acc565a1f0 ("ASoC: SOF: imx: Add i.MX8 HW support") Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com> Reviewed-by: Daniel Baluta <daniel.baluta@gmail.com> Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com> Reviewed-by: Guennadi Liakhovetski <guennadi.liakhovetski@linux.intel.com> --- sound/soc/sof/imx/imx8.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-)