From: Adrian Fiergolski <adrian.fiergolski@fastree3d.com>
To: u-boot@lists.denx.de
Cc: michal.simek@xilinx.com,
Adrian Fiergolski <adrian.fiergolski@fastree3d.com>
Subject: [PATCH v5 1/2] firmware: zynqmp: fix write to an uninitialised pointer in xilinx_pm_request
Date: Thu, 14 Oct 2021 14:43:49 +0200 [thread overview]
Message-ID: <20211014124349.1429696-1-adrian.fiergolski@fastree3d.com> (raw)
When a caller is not interested in the returned message, the ret_payload pointer
is set to NULL in the u-boot-sources. In this case, under EL3, the memory from
address 0x0 would be overwritten by xilinx_pm_request with the returned IPI
message, damaging the original data under this address. The patch, in case
ret_payload is NULL, assigns the pointer to the array holding the IPI message
being sent.
Signed-off-by: Adrian Fiergolski <adrian.fiergolski@fastree3d.com>
---
Fix casting of ret (ingore v4).
drivers/firmware/firmware-zynqmp.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/drivers/firmware/firmware-zynqmp.c b/drivers/firmware/firmware-zynqmp.c
index d4dc856baf..8273437dd9 100644
--- a/drivers/firmware/firmware-zynqmp.c
+++ b/drivers/firmware/firmware-zynqmp.c
@@ -154,6 +154,8 @@ U_BOOT_DRIVER(zynqmp_power) = {
int __maybe_unused xilinx_pm_request(u32 api_id, u32 arg0, u32 arg1, u32 arg2,
u32 arg3, u32 *ret_payload)
{
+ int ret;
+
debug("%s at EL%d, API ID: 0x%0x\n", __func__, current_el(), api_id);
if (IS_ENABLED(CONFIG_SPL_BUILD) || current_el() == 3) {
@@ -165,6 +167,12 @@ int __maybe_unused xilinx_pm_request(u32 api_id, u32 arg0, u32 arg1, u32 arg2,
*/
u32 regs[] = {api_id, arg0, arg1, arg2, arg3};
+ /*
+ * Use regs array in case ret_payload is NULL
+ */
+ if (ret_payload == NULL)
+ ret_payload = regs;
+
if (api_id == PM_FPGA_LOAD) {
/* Swap addr_hi/low because of incompatibility */
u32 temp = regs[1];
@@ -174,6 +182,8 @@ int __maybe_unused xilinx_pm_request(u32 api_id, u32 arg0, u32 arg1, u32 arg2,
}
ipi_req(regs, PAYLOAD_ARG_CNT, ret_payload, PAYLOAD_ARG_CNT);
+
+ ret = (int)ret_payload[0];
#else
return -EPERM;
#endif
@@ -198,8 +208,9 @@ int __maybe_unused xilinx_pm_request(u32 api_id, u32 arg0, u32 arg1, u32 arg2,
ret_payload[4] = (u32)regs.regs[2];
}
+ ret = (ret_payload) ? ret_payload[0] : 0;
}
- return (ret_payload) ? ret_payload[0] : 0;
+ return ret;
}
static const struct udevice_id zynqmp_firmware_ids[] = {
--
2.33.0
next reply other threads:[~2021-10-14 12:44 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-14 12:43 Adrian Fiergolski [this message]
2021-10-14 12:43 ` [PATCH v5 2/2] firmware: zynqmp: return status in EL2 from xilinx_pm_request Adrian Fiergolski
2021-10-15 14:58 ` Michal Simek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211014124349.1429696-1-adrian.fiergolski@fastree3d.com \
--to=adrian.fiergolski@fastree3d.com \
--cc=michal.simek@xilinx.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.