Commit a05b0c8c authored by David S. Miller's avatar David S. Miller

Merge branch 'pa-fox-validation'

Alex Elder says:

====================
ipa: fix validation

There is sanity checking code in the IPA driver that's meant to be
enabled only during development.  This allows the driver to make
certain assumptions, but not have to verify those assumptions are
true at (operational) runtime.  This code is built conditional on
IPA_VALIDATION, set (if desired) inside the IPA makefile.

Unfortunately, this validation code has some errors.  First, there
are some mismatched arguments supplied to some dev_err() calls in
ipa_cmd_table_valid() and ipa_cmd_header_valid(), and these are
exposed if validation is enabled.  Second, the tag that enables
this conditional code isn't used consistently (it's IPA_VALIDATE
in some spots and IPA_VALIDATION in others).

This series fixes those two problems with the conditional validation
code.

Version 2 removes the two patches that introduced ipa_assert().  It
also modifies the description in the first patch so that it mentions
the changes made to ipa_cmd_table_valid().
====================
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents e56c53d1 b4afd4b9
...@@ -175,21 +175,23 @@ bool ipa_cmd_table_valid(struct ipa *ipa, const struct ipa_mem *mem, ...@@ -175,21 +175,23 @@ bool ipa_cmd_table_valid(struct ipa *ipa, const struct ipa_mem *mem,
: field_max(IP_FLTRT_FLAGS_NHASH_ADDR_FMASK); : field_max(IP_FLTRT_FLAGS_NHASH_ADDR_FMASK);
if (mem->offset > offset_max || if (mem->offset > offset_max ||
ipa->mem_offset > offset_max - mem->offset) { ipa->mem_offset > offset_max - mem->offset) {
dev_err(dev, "IPv%c %s%s table region offset too large " dev_err(dev, "IPv%c %s%s table region offset too large\n",
"(0x%04x + 0x%04x > 0x%04x)\n",
ipv6 ? '6' : '4', hashed ? "hashed " : "", ipv6 ? '6' : '4', hashed ? "hashed " : "",
route ? "route" : "filter", route ? "route" : "filter");
dev_err(dev, " (0x%04x + 0x%04x > 0x%04x)\n",
ipa->mem_offset, mem->offset, offset_max); ipa->mem_offset, mem->offset, offset_max);
return false; return false;
} }
if (mem->offset > ipa->mem_size || if (mem->offset > ipa->mem_size ||
mem->size > ipa->mem_size - mem->offset) { mem->size > ipa->mem_size - mem->offset) {
dev_err(dev, "IPv%c %s%s table region out of range " dev_err(dev, "IPv%c %s%s table region out of range\n",
"(0x%04x + 0x%04x > 0x%04x)\n",
ipv6 ? '6' : '4', hashed ? "hashed " : "", ipv6 ? '6' : '4', hashed ? "hashed " : "",
route ? "route" : "filter", route ? "route" : "filter");
dev_err(dev, " (0x%04x + 0x%04x > 0x%04x)\n",
mem->offset, mem->size, ipa->mem_size); mem->offset, mem->size, ipa->mem_size);
return false; return false;
} }
...@@ -205,22 +207,36 @@ static bool ipa_cmd_header_valid(struct ipa *ipa) ...@@ -205,22 +207,36 @@ static bool ipa_cmd_header_valid(struct ipa *ipa)
u32 size_max; u32 size_max;
u32 size; u32 size;
/* In ipa_cmd_hdr_init_local_add() we record the offset and size
* of the header table memory area. Make sure the offset and size
* fit in the fields that need to hold them, and that the entire
* range is within the overall IPA memory range.
*/
offset_max = field_max(HDR_INIT_LOCAL_FLAGS_HDR_ADDR_FMASK); offset_max = field_max(HDR_INIT_LOCAL_FLAGS_HDR_ADDR_FMASK);
if (mem->offset > offset_max || if (mem->offset > offset_max ||
ipa->mem_offset > offset_max - mem->offset) { ipa->mem_offset > offset_max - mem->offset) {
dev_err(dev, "header table region offset too large " dev_err(dev, "header table region offset too large\n");
"(0x%04x + 0x%04x > 0x%04x)\n", dev_err(dev, " (0x%04x + 0x%04x > 0x%04x)\n",
ipa->mem_offset + mem->offset, offset_max); ipa->mem_offset, mem->offset, offset_max);
return false; return false;
} }
size_max = field_max(HDR_INIT_LOCAL_FLAGS_TABLE_SIZE_FMASK); size_max = field_max(HDR_INIT_LOCAL_FLAGS_TABLE_SIZE_FMASK);
size = ipa->mem[IPA_MEM_MODEM_HEADER].size; size = ipa->mem[IPA_MEM_MODEM_HEADER].size;
size += ipa->mem[IPA_MEM_AP_HEADER].size; size += ipa->mem[IPA_MEM_AP_HEADER].size;
if (mem->offset > ipa->mem_size || size > ipa->mem_size - mem->offset) {
dev_err(dev, "header table region out of range " if (size > size_max) {
"(0x%04x + 0x%04x > 0x%04x)\n", dev_err(dev, "header table region size too large\n");
dev_err(dev, " (0x%04x > 0x%08x)\n", size, size_max);
return false;
}
if (size > ipa->mem_size || mem->offset > ipa->mem_size - size) {
dev_err(dev, "header table region out of range\n");
dev_err(dev, " (0x%04x + 0x%04x > 0x%04x)\n",
mem->offset, size, ipa->mem_size); mem->offset, size, ipa->mem_size);
return false; return false;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment