From patchwork Tue May 30 12:38:49 2017
X-Patchwork-Submitter: Kiran Gunda
X-Patchwork-Id: 9754503
From: Kiran Gunda
To: Kiran Gunda, Abhijeet Dharmapurikar, Christophe JAILLET, Subbaraman Narayanamurthy, David Collins, linux-kernel@vger.kernel.org
Cc: linux-arm-msm@vger.kernel.org, adharmap@quicinc.com, aghayal@qti.qualcomm.com, sboyd@codeaurora.org
Subject: [PATCH V1 01/15] spmi: pmic_arb: block access of invalid read and writes
Date: Tue, 30 May 2017 18:08:49 +0530
Message-Id: <1496147943-25822-2-git-send-email-kgunda@codeaurora.org>
In-Reply-To: <1496147943-25822-1-git-send-email-kgunda@codeaurora.org>
References: <1496147943-25822-1-git-send-email-kgunda@codeaurora.org>

From: Abhijeet Dharmapurikar

The system crashes due to bad access when reading from a non-configured peripheral and when writing to a peripheral which is not owned by the current ee. This patch verifies ownership to avoid crashing on write.

For reads, since the forward mapping table, data_channel->ppid, is towards the end of the block, we use the core size to figure the max number of ppids supported. The table starts at an offset of 0x800 within the block, so size - 0x800 will give us the area used by the table. Since each table is 4 bytes long (core_size - 0x800) / 4 will give us the number of data_channel supported.

This new protection is functional on hw v2.

Signed-off-by: Abhijeet Dharmapurikar
Signed-off-by: Kiran Gunda

--- drivers/spmi/spmi-pmic-arb.c | 84 +++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 83 insertions(+), 1 deletion(-) diff --git a/drivers/spmi/spmi-pmic-arb.c b/drivers/spmi/spmi-pmic-arb.c index 5ec3a59..df463d4 100644 --- a/drivers/spmi/spmi-pmic-arb.c +++ b/drivers/spmi/spmi-pmic-arb.c @@ -111,6 +111,7 @@ enum pmic_arb_cmd_op_code { * @ee: the current Execution Environment * @min_apid: minimum APID (used for bounding IRQ search) * @max_apid: maximum APID + * @max_periph: maximum number of PMIC peripherals supported by HW. * @mapping_table: in-memory copy of PPID -> APID mapping table. * @domain: irq domain object for PMIC IRQ domain * @spmic: SPMI controller object @@ -132,6 +133,7 @@ struct spmi_pmic_arb_dev { u8 ee; u16 min_apid; u16 max_apid; + u16 max_periph; u32 *mapping_table; DECLARE_BITMAP(mapping_table_valid, PMIC_ARB_MAX_PERIPHS); struct irq_domain *domain; 
@@ -140,11 +142,13 @@ struct spmi_pmic_arb_dev { const struct pmic_arb_ver_ops *ver_ops; u16 *ppid_to_chan; u16 last_channel; + u8 *chan_to_owner; }; /** * pmic_arb_ver: version dependent functionality. * + * @mode: access rights to specified pmic peripheral. * @non_data_cmd: on v1 issues an spmi non-data command. * on v2 no HW support, returns -EOPNOTSUPP. * @offset: on v1 offset of per-ee channel. @@ -160,6 +164,8 @@ struct spmi_pmic_arb_dev { * on v2 offset of SPMI_PIC_IRQ_CLEARn. */ struct pmic_arb_ver_ops { + int (*mode)(struct spmi_pmic_arb_dev *dev, u8 sid, u16 addr, + mode_t *mode); /* spmi commands (read_cmd, write_cmd, cmd) functionality */ int (*offset)(struct spmi_pmic_arb_dev *dev, u8 sid, u16 addr, u32 *offset); @@ -313,11 +319,23 @@ static int pmic_arb_read_cmd(struct spmi_controller *ctrl, u8 opc, u8 sid, u32 cmd; int rc; u32 offset; + mode_t mode; rc = pmic_arb->ver_ops->offset(pmic_arb, sid, addr, &offset); if (rc) return rc; + rc = pmic_arb->ver_ops->mode(pmic_arb, sid, addr, &mode); + if (rc) + return rc; + + if (!(mode & S_IRUSR)) { + dev_err(&pmic_arb->spmic->dev, + "error: impermissible read from peripheral sid:%d addr:0x%x\n", + sid, addr); + return -EPERM; + } + if (bc >= PMIC_ARB_MAX_TRANS_BYTES) { dev_err(&ctrl->dev, "pmic-arb supports 1..%d bytes per trans, but:%zu requested", @@ -364,11 +382,23 @@ static int pmic_arb_write_cmd(struct spmi_controller *ctrl, u8 opc, u8 sid, u32 cmd; int rc; u32 offset; + mode_t mode; rc = pmic_arb->ver_ops->offset(pmic_arb, sid, addr, &offset); if (rc) return rc; + rc = pmic_arb->ver_ops->mode(pmic_arb, sid, addr, &mode); + if (rc) + return rc; + + if (!(mode & S_IWUSR)) { + dev_err(&pmic_arb->spmic->dev, + "error: impermissible write to peripheral sid:%d addr:0x%x\n", + sid, addr); + return -EPERM; + } + if (bc >= PMIC_ARB_MAX_TRANS_BYTES) { dev_err(&ctrl->dev, "pmic-arb supports 1..%d bytes per trans, but:%zu requested", 
@@ -727,6 +757,13 @@ static int qpnpint_irq_domain_map(struct irq_domain *d, return 0; } +static int +pmic_arb_mode_v1(struct spmi_pmic_arb_dev *pa, u8 sid, u16 addr, mode_t *mode) +{ + *mode = S_IRUSR | S_IWUSR; + return 0; +} + /* v1 offset per ee */ static int pmic_arb_offset_v1(struct spmi_pmic_arb_dev *pa, u8 sid, u16 addr, u32 *offset) @@ -745,7 +782,11 @@ static u16 pmic_arb_find_chan(struct spmi_pmic_arb_dev *pa, u16 ppid) * PMIC_ARB_REG_CHNL is a table in HW mapping channel to ppid. * ppid_to_chan is an in-memory invert of that table. */ - for (chan = pa->last_channel; ; chan++) { + for (chan = pa->last_channel; chan < pa->max_periph; chan++) { + regval = readl_relaxed(pa->cnfg + + SPMI_OWNERSHIP_TABLE_REG(chan)); + pa->chan_to_owner[chan] = SPMI_OWNERSHIP_PERIPH2OWNER(regval); + offset = PMIC_ARB_REG_CHNL(chan); if (offset >= pa->core_size) break; @@ -767,6 +808,27 @@ static u16 pmic_arb_find_chan(struct spmi_pmic_arb_dev *pa, u16 ppid) } +static int +pmic_arb_mode_v2(struct spmi_pmic_arb_dev *pa, u8 sid, u16 addr, mode_t *mode) +{ + u16 ppid = (sid << 8) | (addr >> 8); + u16 chan; + u8 owner; + + chan = pa->ppid_to_chan[ppid]; + if (!(chan & PMIC_ARB_CHAN_VALID)) + return -ENODEV; + + *mode = 0; + *mode |= S_IRUSR; + + chan &= ~PMIC_ARB_CHAN_VALID; + owner = pa->chan_to_owner[chan]; + if (owner == pa->ee) + *mode |= S_IWUSR; + return 0; +} + /* v2 offset per ppid (chan) and per ee */ static int pmic_arb_offset_v2(struct spmi_pmic_arb_dev *pa, u8 sid, u16 addr, u32 *offset) @@ -836,6 +898,7 @@ static u32 pmic_arb_irq_clear_v2(u8 n) } static const struct pmic_arb_ver_ops pmic_arb_v1 = { + .mode = pmic_arb_mode_v1, .non_data_cmd = pmic_arb_non_data_cmd_v1, .offset = pmic_arb_offset_v1, .fmt_cmd = pmic_arb_fmt_cmd_v1, 
@@ -846,6 +909,7 @@ static u32 pmic_arb_irq_clear_v2(u8 n) }; static const struct pmic_arb_ver_ops pmic_arb_v2 = { + .mode = pmic_arb_mode_v2, .non_data_cmd = pmic_arb_non_data_cmd_v2, .offset = pmic_arb_offset_v2, .fmt_cmd = pmic_arb_fmt_cmd_v2, @@ -879,6 +943,12 @@ static int spmi_pmic_arb_probe(struct platform_device *pdev) res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "core"); pa->core_size = resource_size(res); + if (pa->core_size <= 0x800) { + dev_err(&pdev->dev, "core_size is smaller than 0x800. Failing Probe\n"); + err = -EINVAL; + goto err_put_ctrl; + } + core = devm_ioremap_resource(&ctrl->dev, res); if (IS_ERR(core)) { err = PTR_ERR(core); @@ -899,6 +969,9 @@ static int spmi_pmic_arb_probe(struct platform_device *pdev) pa->core = core; pa->ver_ops = &pmic_arb_v2; + /* the apid to ppid table starts at PMIC_ARB_REG_CHNL(0) */ + pa->max_periph = (pa->core_size - PMIC_ARB_REG_CHNL(0)) / 4; + res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "obsrvr"); pa->rd_base = devm_ioremap_resource(&ctrl->dev, res); @@ -923,6 +996,15 @@ static int spmi_pmic_arb_probe(struct platform_device *pdev) err = -ENOMEM; goto err_put_ctrl; } + + pa->chan_to_owner = devm_kcalloc(&ctrl->dev, + pa->max_periph, + sizeof(*pa->chan_to_owner), + GFP_KERNEL); + if (!pa->chan_to_owner) { + err = -ENOMEM; + goto err_put_ctrl; + } } res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "intr");
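
Review bot: in the pmic_arb_read_cmd() and pmic_arb_write_cmd() hunks, the access decision is expressed with mode_t and the file-permission bits S_IRUSR/S_IWUSR, which are filesystem concepts and obscure what is really a "channel valid" / "owned by this EE" test on a bus transaction. A driver-local flag pair (or two bools returned by the op) would state the intent directly. The new dev_err() calls also log through &pmic_arb->spmic->dev while the existing length check immediately below logs through &ctrl->dev, so the two messages for the same transfer carry different device prefixes; pick one. Since a misbehaving client can trigger the denial on every transfer, dev_err_ratelimited() would keep a repeated offender from flooding the log.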
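
Review bot: in the pmic_arb_find_chan() hunk, the added readl_relaxed(pa->cnfg + SPMI_OWNERSHIP_TABLE_REG(chan)) is bounded only by pa->max_periph, and that bound is derived in probe from the size of the "core" resource, not from the region behind pa->cnfg. Nothing in the visible lines checks that the ownership table for chan lies inside the cnfg mapping, so the patch that is meant to block bad accesses can itself read outside a mapped region if the two resources are sized differently. The read is also issued before the existing `offset >= pa->core_size` test, so it happens even for the iteration that is about to break out. Moving the ownership read after that test and validating the index against the cnfg resource size would close both gaps.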
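
Review bot: pmic_arb_mode_v2() has an undocumented ordering dependency: it reads pa->ppid_to_chan[ppid] and pa->chan_to_owner[chan] directly, but chan_to_owner is only filled inside the pmic_arb_find_chan() loop, so the result is meaningful only because both callers invoke ver_ops->offset() before ver_ops->mode(). A later caller that asks for the mode first would get -ENODEV or a stale owner. Either state the requirement in the kernel-doc for @mode or have the op perform the channel lookup itself. Minor: `*mode = 0; *mode |= S_IRUSR;` can be a single assignment, and a one-line comment saying that any valid channel is readable while only the owning EE may write would document the policy this function encodes.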
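
Review bot: in the spmi_pmic_arb_probe() hunks, the size check uses the literal 0x800 while the max_periph computation a few lines later uses PMIC_ARB_REG_CHNL(0) for the same table offset; use the macro in both places so the check cannot drift from the arithmetic it protects. The check also runs for every hardware version, whereas max_periph and chan_to_owner are only set up on the path that selects pmic_arb_v2 and the commit message limits the protection to hw v2, so a device on the other path would now fail probe for a constraint it does not use. Finally, max_periph is declared u16 and is assigned `(pa->core_size - PMIC_ARB_REG_CHNL(0)) / 4` with no clamp: a large core resource truncates silently, and the value is not limited to PMIC_ARB_MAX_PERIPHS even though other per-peripheral state in the struct is sized by that constant. Clamping with min() against PMIC_ARB_MAX_PERIPHS would make the bound explicit.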