From patchwork Tue Apr 20 08:34:02 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Joe Burmeister X-Patchwork-Id: 12213559 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-14.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS, UNWANTED_LANGUAGE_BODY,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 085A7C433B4 for ; Tue, 20 Apr 2021 08:36:16 +0000 (UTC) Received: from desiato.infradead.org (desiato.infradead.org [90.155.92.199]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 62D6D61104 for ; Tue, 20 Apr 2021 08:36:15 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 62D6D61104 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=devtank.co.uk Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=desiato.20200630; h=Sender:Content-Transfer-Encoding :Content-Type:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:MIME-Version:Message-Id:Date:Subject:Cc:To:From: Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender :Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Owner; bh=omNg6kh5WJUV5wnRAmSlioTJpOazzMVxSXu2ba5pt6I=; b=QzAwMmP6eRll/aijrb7UxS1WZh cEd1AuoG8hNA49NdrqdsqzuhZtE6j8EmOC/GJbv0qV0cK2wMGn5OysIUyRMI0plSt5OQTwC4uEs6G fOpr8wGw6zKASnvuK9zqNeWoLFYPYyhyUeQZoNtzQctdXyjZfLVkiXgxscwaFZ/I5IvOq/Gwdv5pt WwqtoIpDerOmwhgv3Z7LpvnY5r5ca8HKD74WoIXJFmypPpS4I+Q7N20n3ckR3+uPQMSlqKA0qnCcM VlDDHabOMmAhU0+tJUwCIAK/xaN7uQKYGDz9NaYZ0RYAIN+uYtlJlf05ccR1+/wVAfOVuyz7Ge/QI j77nDvvg==; Received: from localhost ([::1] helo=desiato.infradead.org) by desiato.infradead.org with esmtp (Exim 4.94 #2 (Red Hat Linux)) id 1lYlpq-00BakM-EG; Tue, 20 Apr 2021 08:34:18 +0000 Received: from bombadil.infradead.org ([2607:7c80:54:e::133]) by desiato.infradead.org with esmtps (Exim 4.94 #2 (Red Hat Linux)) id 1lYlpn-00Bak5-NF for linux-arm-kernel@desiato.infradead.org; Tue, 20 Apr 2021 08:34:16 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=bombadil.20210309; h=Content-Transfer-Encoding: MIME-Version:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type: Content-ID:Content-Description:In-Reply-To:References; bh=fEyunwwdlfOesu6cu8znhTRdSvHiaQimv53Nkvu2/Ms=; b=KotbgKvXXPuBXz+rCqNEvHSE9r uY/+usmzW6+S53iLZ3pI7DDekzWmtEgHPuNRnQsmr3JTRLvYgJFuysVtBPwmenYrKEYzxjd/1UlYe Yzy5dXzX3kPfEQfJQpPct69nazO0lStdo520ZBQyUEe2tkuNKlANsuy6nVpO2vL5TDRPWHYRnlANr mpWnL8l35b4WviOePclonGyMFnuV74jt5UKSrNBzmJcPQ+uafWKWcUqJtsXwaZ3lhYCNs3s+j/NVO 8ImU29HnxBWe/V+MbMh+3vx5nVvKlJYbfpxPp/LLQNQulHiuFK13kITmO/7Nl1K2c4LCcFjJTkM// rFjPHGmw==; Received: from mail-ej1-x62f.google.com ([2a00:1450:4864:20::62f]) by bombadil.infradead.org with esmtps (Exim 4.94 #2 (Red Hat Linux)) id 1lYlpi-00BvVf-3F for linux-arm-kernel@lists.infradead.org; Tue, 20 Apr 2021 08:34:14 +0000 Received: by mail-ej1-x62f.google.com with SMTP id n2so56975732ejy.7 for ; Tue, 20 Apr 2021 01:34:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=devtank-co-uk.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=fEyunwwdlfOesu6cu8znhTRdSvHiaQimv53Nkvu2/Ms=; b=A5tGY/62El4/U8UQgU4S13zEeq4lQO4yo6U+yMUh7uIXXxkUeGk3dMPiNXhRr60ozY mWoGrqx8xCoGS15Gx3RknYSGLXLRC/nLW3LWNa+pWUKT/2W6nL6mbF21FfxAJZlNFhBv 8CPyW7TfBxL9sk9c8uK5NM84wPYZ8ULCz0Y6FZSCIRC22h5KFgmAw3dMSa3iYvKM+SyM IjtN/LwR+vZyUHStTnNE8adY3GSa3jEe2PygF71NQnoDptvxibLI7bi3kuOjW1j0y83h izsXaBaIYH6pL7o9BbzwbObOZPQZk7p1R6uY/AuREo5+GsSaWYnQEiCvuDzk8uNQB/xG +3UA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=fEyunwwdlfOesu6cu8znhTRdSvHiaQimv53Nkvu2/Ms=; b=pHJZaQdct5dBCJk1Hl9bwdYPj4uXibs6WvYKP1QFl0LR9lEKuZ3gEZPcc/Nva0gZeP GrIgT4TyBnBn0+fntYhjzBJUd4DdaeE7bSNTmnGUvasNTW7Mer5TOOgU7ngRbxcyq01F /tswV4NTqJjXge/mDgvf6GcYqB3r8khywPKgUzkZ672v3KxgdZyuHqXjn98Yi+3jiNvD gWeZpyeFoy2Fyo/TPQq3286TYYVTbOsE/gx8gmRG5LDzcxHTdJz7+t3vdYLTE5KtSl6e 8MzFL9TEKkeomQeb0QUGzzPew+tjvAfM1J5fscVHl48jS5IM4Y3PClsBxPC+VJinKDNa E6RQ== X-Gm-Message-State: AOAM533s6o8r6+Lcm0KU2zGB2IFvIK9J67aa62E9BRvOf0dpU3wMp9gm WCkVEKf8/f/2ouT05na0BAXCxA== X-Google-Smtp-Source: ABdhPJz7aM7Bwl/dR2pKbxiKX0S4UODEQmGieslAoRD1LKebcp9kK5wHO4fSQbWLdOvboV32vbl3sQ== X-Received: by 2002:a17:906:5490:: with SMTP id r16mr27211264ejo.352.1618907647259; Tue, 20 Apr 2021 01:34:07 -0700 (PDT) Received: from jabjoe-desktop.lan ([2a02:8010:673b:0:27d5:da8f:c244:7b8a]) by smtp.googlemail.com with ESMTPSA id g11sm15483620edt.35.2021.04.20.01.34.06 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 20 Apr 2021 01:34:06 -0700 (PDT) From: Joe Burmeister To: Mark Brown , Florian Fainelli , Ray Jui , Scott Branden , bcm-kernel-feedback-list@broadcom.com, Nicolas Saenz Julienne , linux-spi@vger.kernel.org, linux-rpi-kernel@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org Cc: joe.burmeister@devtank.co.uk Subject: [PATCH] spi: bcm2835: Fix buffer overflow with CS able to go beyond limit. Date: Tue, 20 Apr 2021 09:34:02 +0100 Message-Id: <20210420083402.6950-1-joe.burmeister@devtank.co.uk> X-Mailer: git-send-email 2.30.2 MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20210420_013410_211116_4CD2ADA3 X-CRM114-Status: GOOD ( 22.69 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org It was previoulsy possible to have a device tree with more chips than the driver supports and go off the end of CS arrays. This patches inforces CS limit but sets that limit to the max of the default limit and what is in the device tree when driver is loaded. Signed-off-by: Joe Burmeister --- drivers/spi/spi-bcm2835.c | 77 +++++++++++++++++++++++++++++---------- 1 file changed, 58 insertions(+), 19 deletions(-) diff --git a/drivers/spi/spi-bcm2835.c b/drivers/spi/spi-bcm2835.c index aab6c7e5c114..cee761bfffe4 100644 --- a/drivers/spi/spi-bcm2835.c +++ b/drivers/spi/spi-bcm2835.c @@ -28,6 +28,7 @@ #include #include /* FIXME: using chip internals */ #include /* FIXME: using chip internals */ +#include #include #include @@ -134,7 +135,7 @@ struct bcm2835_spi { int tx_prologue; int rx_prologue; unsigned int tx_spillover; - u32 prepare_cs[BCM2835_SPI_NUM_CS]; + u32 *prepare_cs; struct dentry *debugfs_dir; u64 count_transfer_polling; @@ -147,9 +148,9 @@ struct bcm2835_spi { unsigned int rx_dma_active; struct dma_async_tx_descriptor *fill_tx_desc; dma_addr_t fill_tx_addr; - struct dma_async_tx_descriptor *clear_rx_desc[BCM2835_SPI_NUM_CS]; + struct dma_async_tx_descriptor **clear_rx_desc; dma_addr_t clear_rx_addr; - u32 clear_rx_cs[BCM2835_SPI_NUM_CS] ____cacheline_aligned; + u32 *clear_rx_cs; }; #if defined(CONFIG_DEBUG_FS) @@ -875,14 +876,14 @@ static void bcm2835_dma_release(struct spi_controller *ctlr, if (ctlr->dma_rx) { dmaengine_terminate_sync(ctlr->dma_rx); - for (i = 0; i < BCM2835_SPI_NUM_CS; i++) + for (i = 0; i < ctlr->num_chipselect; i++) if (bs->clear_rx_desc[i]) dmaengine_desc_free(bs->clear_rx_desc[i]); if (bs->clear_rx_addr) dma_unmap_single(ctlr->dma_rx->device->dev, bs->clear_rx_addr, - sizeof(bs->clear_rx_cs), + sizeof(u32) * ctlr->num_chipselect, DMA_TO_DEVICE); dma_release_channel(ctlr->dma_rx); @@ -978,7 +979,7 @@ static int bcm2835_dma_init(struct spi_controller *ctlr, struct device *dev, bs->clear_rx_addr = dma_map_single(ctlr->dma_rx->device->dev, bs->clear_rx_cs, - sizeof(bs->clear_rx_cs), + sizeof(u32) * ctlr->num_chipselect, DMA_TO_DEVICE); if (dma_mapping_error(ctlr->dma_rx->device->dev, bs->clear_rx_addr)) { dev_err(dev, "cannot map clear_rx_cs - not using DMA mode\n"); @@ -987,7 +988,7 @@ static int bcm2835_dma_init(struct spi_controller *ctlr, struct device *dev, goto err_release; } - for (i = 0; i < BCM2835_SPI_NUM_CS; i++) { + for (i = 0; i < ctlr->num_chipselect; i++) { bs->clear_rx_desc[i] = dmaengine_prep_dma_cyclic(ctlr->dma_rx, bs->clear_rx_addr + i * sizeof(u32), sizeof(u32), 0, @@ -1209,6 +1210,12 @@ static int bcm2835_spi_setup(struct spi_device *spi) struct gpio_chip *chip; u32 cs; + if (spi->chip_select >= ctlr->num_chipselect) { + dev_err(&spi->dev, "cs%d >= max %d\n", spi->chip_select, + ctlr->num_chipselect); + return -EINVAL; + } + /* * Precalculate SPI slave's CS register value for ->prepare_message(): * The driver always uses software-controlled GPIO chip select, hence @@ -1233,7 +1240,7 @@ static int bcm2835_spi_setup(struct spi_device *spi) BCM2835_SPI_CS_CLEAR_RX; dma_sync_single_for_device(ctlr->dma_rx->device->dev, bs->clear_rx_addr, - sizeof(bs->clear_rx_cs), + sizeof(u32) * ctlr->num_chipselect, DMA_TO_DEVICE); } @@ -1286,39 +1293,71 @@ static int bcm2835_spi_setup(struct spi_device *spi) return 0; } + +#ifdef CONFIG_OF +static int bcm2835_spi_get_num_chipselect(struct platform_device *pdev) +{ + return max_t(int, of_gpio_named_count(pdev->dev.of_node, "cs-gpios"), + BCM2835_SPI_NUM_CS); +} +#else +static int bcm2835_spi_get_num_chipselect(struct platform_device *pdev) +{ + return BCM2835_SPI_NUM_CS; +} +#endif + + static int bcm2835_spi_probe(struct platform_device *pdev) { + struct device *dev = &pdev->dev; struct spi_controller *ctlr; struct bcm2835_spi *bs; + int num_chipselect; int err; - ctlr = devm_spi_alloc_master(&pdev->dev, ALIGN(sizeof(*bs), + ctlr = devm_spi_alloc_master(dev, ALIGN(sizeof(*bs), dma_get_cache_alignment())); if (!ctlr) return -ENOMEM; + num_chipselect = bcm2835_spi_get_num_chipselect(pdev); + platform_set_drvdata(pdev, ctlr); ctlr->use_gpio_descriptors = true; ctlr->mode_bits = BCM2835_SPI_MODE_BITS; ctlr->bits_per_word_mask = SPI_BPW_MASK(8); - ctlr->num_chipselect = BCM2835_SPI_NUM_CS; + ctlr->num_chipselect = num_chipselect; ctlr->setup = bcm2835_spi_setup; ctlr->transfer_one = bcm2835_spi_transfer_one; ctlr->handle_err = bcm2835_spi_handle_err; ctlr->prepare_message = bcm2835_spi_prepare_message; - ctlr->dev.of_node = pdev->dev.of_node; + ctlr->dev.of_node = dev->of_node; bs = spi_controller_get_devdata(ctlr); bs->ctlr = ctlr; + bs->prepare_cs = devm_kmalloc(dev, num_chipselect * sizeof(u32), GFP_KERNEL); + if (!bs->prepare_cs) + return -ENOMEM; + + bs->clear_rx_desc = devm_kmalloc(dev, num_chipselect * + sizeof(struct dma_async_tx_descriptor *), GFP_KERNEL); + if (!bs->clear_rx_desc) + return -ENOMEM; + + bs->clear_rx_cs = devm_kmalloc(dev, num_chipselect * sizeof(u32), GFP_DMA); + if (!bs->clear_rx_cs) + return -ENOMEM; + bs->regs = devm_platform_ioremap_resource(pdev, 0); if (IS_ERR(bs->regs)) return PTR_ERR(bs->regs); - bs->clk = devm_clk_get(&pdev->dev, NULL); + bs->clk = devm_clk_get(dev, NULL); if (IS_ERR(bs->clk)) - return dev_err_probe(&pdev->dev, PTR_ERR(bs->clk), + return dev_err_probe(dev, PTR_ERR(bs->clk), "could not get clk\n"); bs->irq = platform_get_irq(pdev, 0); @@ -1327,7 +1366,7 @@ static int bcm2835_spi_probe(struct platform_device *pdev) clk_prepare_enable(bs->clk); - err = bcm2835_dma_init(ctlr, &pdev->dev, bs); + err = bcm2835_dma_init(ctlr, dev, bs); if (err) goto out_clk_disable; @@ -1335,22 +1374,22 @@ static int bcm2835_spi_probe(struct platform_device *pdev) bcm2835_wr(bs, BCM2835_SPI_CS, BCM2835_SPI_CS_CLEAR_RX | BCM2835_SPI_CS_CLEAR_TX); - err = devm_request_irq(&pdev->dev, bs->irq, bcm2835_spi_interrupt, + err = devm_request_irq(dev, bs->irq, bcm2835_spi_interrupt, IRQF_SHARED, - dev_name(&pdev->dev), bs); + dev_name(dev), bs); if (err) { - dev_err(&pdev->dev, "could not request IRQ: %d\n", err); + dev_err(dev, "could not request IRQ: %d\n", err); goto out_dma_release; } err = spi_register_controller(ctlr); if (err) { - dev_err(&pdev->dev, "could not register SPI controller: %d\n", + dev_err(dev, "could not register SPI controller: %d\n", err); goto out_dma_release; } - bcm2835_debugfs_create(bs, dev_name(&pdev->dev)); + bcm2835_debugfs_create(bs, dev_name(dev)); return 0;