firmware: meson-sm: Check for buffer output size

After the data is read by the secure monitor driver it is being copied
in the output buffer checking only the size of the bounce buffer but not
the size of the output buffer.

Fix this in the secure monitor driver slightly changing the API. Fix
also the efuse driver that it is the only driver using this API to not
break bisectability.

Signed-off-by: Carlo Caione <carlo@endlessm.com>
Acked-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org> # for nvmem
Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Kevin Hilman <khilman@baylibre.com>

diff --git a/drivers/firmware/meson/meson_sm.c b/drivers/firmware/meson/meson_sm.c
index b0d254930ed35cd86efa782d631582bcabda22b4..5f30a5774e57ed5575f2c0ea8b34a74edbfc017d 100644 (file)
--- a/drivers/firmware/meson/meson_sm.c
+++ b/drivers/firmware/meson/meson_sm.c
@@ -127,6 +127,7 @@ EXPORT_SYMBOL(meson_sm_call);
  * meson_sm_call_read - retrieve data from secure-monitor
  *
  * @buffer:    Buffer to store the retrieved data
+ * @bsize:     Size of the buffer
  * @cmd_index: Index of the SMC32 function ID
  * @arg0:      SMC32 Argument 0
  * @arg1:      SMC32 Argument 1
@@ -136,8 +137,8 @@ EXPORT_SYMBOL(meson_sm_call);
  *
  * Return:     size of read data on success, a negative value on error
  */
-int meson_sm_call_read(void *buffer, unsigned int cmd_index, u32 arg0,
-                      u32 arg1, u32 arg2, u32 arg3, u32 arg4)
+int meson_sm_call_read(void *buffer, unsigned int bsize, unsigned int cmd_index,
+                      u32 arg0, u32 arg1, u32 arg2, u32 arg3, u32 arg4)
 {
        u32 size;
 
@@ -147,10 +148,13 @@ int meson_sm_call_read(void *buffer, unsigned int cmd_index, u32 arg0,
        if (!fw.chip->cmd_shmem_out_base)
                return -EINVAL;
 
+       if (bsize > fw.chip->shmem_size)
+               return -EINVAL;
+
        if (meson_sm_call(cmd_index, &size, arg0, arg1, arg2, arg3, arg4) < 0)
                return -EINVAL;
 
-       if (!size || size > fw.chip->shmem_size)
+       if (!size || size > bsize)
                return -EINVAL;
 
        if (buffer)

diff --git a/drivers/nvmem/meson-efuse.c b/drivers/nvmem/meson-efuse.c
index f207c3b1048200d6a37586de7acaf5071a9bf2c0..70bfc9839bb2fede6ec424f23d933805ba3f4812 100644 (file)
--- a/drivers/nvmem/meson-efuse.c
+++ b/drivers/nvmem/meson-efuse.c
@@ -27,7 +27,7 @@ static int meson_efuse_read(void *context, unsigned int offset,
        u8 *buf = val;
        int ret;
 
-       ret = meson_sm_call_read(buf, SM_EFUSE_READ, offset,
+       ret = meson_sm_call_read(buf, bytes, SM_EFUSE_READ, offset,
                                 bytes, 0, 0, 0);
        if (ret < 0)
                return ret;

diff --git a/include/linux/firmware/meson/meson_sm.h b/include/linux/firmware/meson/meson_sm.h
index 8e953c6f394ae58ef5902c2ae4fd44fd5f3c1173..37a5eaea69dde299a18855ffc99b1227513b25da 100644 (file)
--- a/include/linux/firmware/meson/meson_sm.h
+++ b/include/linux/firmware/meson/meson_sm.h
@@ -25,7 +25,7 @@ int meson_sm_call(unsigned int cmd_index, u32 *ret, u32 arg0, u32 arg1,
                  u32 arg2, u32 arg3, u32 arg4);
 int meson_sm_call_write(void *buffer, unsigned int b_size, unsigned int cmd_index,
                        u32 arg0, u32 arg1, u32 arg2, u32 arg3, u32 arg4);
-int meson_sm_call_read(void *buffer, unsigned int cmd_index, u32 arg0, u32 arg1,
-                      u32 arg2, u32 arg3, u32 arg4);
+int meson_sm_call_read(void *buffer, unsigned int bsize, unsigned int cmd_index,
+                      u32 arg0, u32 arg1, u32 arg2, u32 arg3, u32 arg4);
 
 #endif /* _MESON_SM_FW_H_ */