diff mbox

[v2,15/19] remoteproc: core: Add function to verify resource table consistency

Message ID 1472676622-32533-16-git-send-email-loic.pallardy@st.com
State Superseded
Headers show

Commit Message

Loic PALLARDY Aug. 31, 2016, 8:50 p.m. UTC
As resource table could be parsed several times, at different times,
to avoid sanity check duplication, let's introduce a new function
to verify the complete integrity of one resource table.

This new function is called before copying it in cache and
accessing it.

Signed-off-by: Loic Pallardy <loic.pallardy@st.com>
---
 drivers/remoteproc/remoteproc_core.c | 79 ++++++++++++++++++++++++++++++++++++
 1 file changed, 79 insertions(+)
diff mbox

Patch

diff --git a/drivers/remoteproc/remoteproc_core.c b/drivers/remoteproc/remoteproc_core.c
index 67b83d0..b43553f 100644
--- a/drivers/remoteproc/remoteproc_core.c
+++ b/drivers/remoteproc/remoteproc_core.c
@@ -791,6 +791,78 @@  static void rproc_resource_cleanup(struct rproc *rproc)
 		rproc_remove_virtio_dev(rvdev);
 }
 
+static int rproc_rsc_tbl_sanity_check(struct rproc *rproc,
+		struct resource_table *table_ptr, int len)
+{
+	struct device *dev = &rproc->dev;
+	int i;
+
+	if (len < sizeof(*table_ptr))
+		goto out;
+
+	for (i = 0; i < table_ptr->num; i++) {
+		int offset = table_ptr->offset[i];
+		struct fw_rsc_hdr *hdr = (void *)table_ptr + offset;
+		int avail = len - offset - sizeof(*hdr);
+		void *rsc = (void *)hdr + sizeof(*hdr);
+		struct fw_rsc_vdev *v;
+		struct fw_rsc_spare *s;
+
+		/* make sure table isn't truncated */
+		if (avail < 0)
+			goto out;
+
+		if (offset == FW_RSC_ADDR_ANY || offset == 0) {
+			dev_err(dev, "Entry %d: bad offset value %x\n", i, offset);
+			return -EINVAL;
+		}
+
+		dev_dbg(dev, "rsc: type %d\n", hdr->type);
+
+		switch (hdr->type) {
+		case RSC_CARVEOUT:
+			avail -= sizeof(struct fw_rsc_carveout);
+			break;
+		case RSC_DEVMEM:
+			avail -= sizeof(struct fw_rsc_devmem);
+			break;
+		case RSC_TRACE:
+			avail -= sizeof(struct fw_rsc_trace);
+			break;
+		case RSC_VDEV:
+			v = rsc;
+			avail -= sizeof(struct fw_rsc_vdev);
+			if (avail < 0)
+				goto out;
+
+			avail -= v->num_of_vrings * sizeof(struct fw_rsc_vdev_vring)
+				 + v->config_len;
+			break;
+		case RSC_SPARE:
+			avail -= sizeof(struct fw_rsc_spare);
+			if (avail < 0)
+				goto out;
+
+			s = rsc;
+			avail -= s->len;
+			break;
+		default:
+			dev_err(&rproc->dev, "Unsupported resource type: %d\n",
+				hdr->type);
+			return -EINVAL;
+		}
+		if (avail < 0)
+			goto out;
+	}
+
+	return 0;
+
+out:
+	dev_err(dev, "Invalid resource table format\n");
+	dump_stack();
+	return -EINVAL;
+}
+
 #if defined(DEBUG)
 static void rproc_dump_resource_table(struct rproc *rproc,
 				      struct resource_table *table, int size)
@@ -1267,6 +1339,13 @@  static int rproc_fw_boot(struct rproc *rproc, const struct firmware *fw)
 		goto clean_up;
 	}
 
+	/*  verify resource table consistency */
+	ret = rproc_rsc_tbl_sanity_check(rproc, table, tablesz);
+	if (ret) {
+		dev_err(dev, "Failed to get valid resource table,%d\n", ret);
+		goto clean_up;
+	}
+
 	/*
 	 * Create a copy of the resource table. When a virtio device starts
 	 * and calls vring_new_virtqueue() the address of the allocated vring