diff options
author | Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org> | 2023-02-22 15:44:12 +0100 |
---|---|---|
committer | Vinod Koul <vkoul@kernel.org> | 2023-04-12 15:30:35 +0530 |
commit | 2367e0ecb498764e95cfda691ff0828f7d25f9a4 (patch) | |
tree | 57e3c0fa3120a5763c10300deb5575375cdbf65e /drivers/soundwire/qcom.c | |
parent | 208a03ee9db815f28059d3399ee31577aeba0dd7 (diff) | |
download | lwn-2367e0ecb498764e95cfda691ff0828f7d25f9a4.tar.gz lwn-2367e0ecb498764e95cfda691ff0828f7d25f9a4.zip |
soundwire: qcom: gracefully handle too many ports in DT
There are two issues related to the number of ports coming from
Devicetree when exceeding in total QCOM_SDW_MAX_PORTS. Both lead to
incorrect memory accesses:
1. With DTS having too big value of input or output ports, the driver,
when copying port parameters from local/stack arrays into 'pconfig'
array in 'struct qcom_swrm_ctrl', will iterate over their sizes.
2. If DTS also has too many parameters for these ports (e.g.
qcom,ports-sinterval-low), the driver will overflow buffers on the
stack when reading these properties from DTS.
Add a sanity check so incorrect DTS will not cause kernel memory
corruption.
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
Link: https://lore.kernel.org/r/20230222144412.237832-2-krzysztof.kozlowski@linaro.org
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Diffstat (limited to 'drivers/soundwire/qcom.c')
-rw-r--r-- | drivers/soundwire/qcom.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/soundwire/qcom.c b/drivers/soundwire/qcom.c index 79bebcecde6d..c296e0bf897b 100644 --- a/drivers/soundwire/qcom.c +++ b/drivers/soundwire/qcom.c @@ -1218,6 +1218,9 @@ static int qcom_swrm_get_port_config(struct qcom_swrm_ctrl *ctrl) ctrl->num_dout_ports = val; nports = ctrl->num_dout_ports + ctrl->num_din_ports; + if (nports > QCOM_SDW_MAX_PORTS) + return -EINVAL; + /* Valid port numbers are from 1-14, so mask out port 0 explicitly */ set_bit(0, &ctrl->dout_port_mask); set_bit(0, &ctrl->din_port_mask); |