summaryrefslogtreecommitdiff
path: root/drivers/soundwire/qcom.c
diff options
context:
space:
mode:
authorKrzysztof Kozlowski <krzysztof.kozlowski@linaro.org>2023-02-22 15:44:12 +0100
committerVinod Koul <vkoul@kernel.org>2023-04-12 15:30:35 +0530
commit2367e0ecb498764e95cfda691ff0828f7d25f9a4 (patch)
tree57e3c0fa3120a5763c10300deb5575375cdbf65e /drivers/soundwire/qcom.c
parent208a03ee9db815f28059d3399ee31577aeba0dd7 (diff)
downloadlwn-2367e0ecb498764e95cfda691ff0828f7d25f9a4.tar.gz
lwn-2367e0ecb498764e95cfda691ff0828f7d25f9a4.zip
soundwire: qcom: gracefully handle too many ports in DT
There are two issues related to the number of ports coming from Devicetree when exceeding in total QCOM_SDW_MAX_PORTS. Both lead to incorrect memory accesses: 1. With DTS having too big value of input or output ports, the driver, when copying port parameters from local/stack arrays into 'pconfig' array in 'struct qcom_swrm_ctrl', will iterate over their sizes. 2. If DTS also has too many parameters for these ports (e.g. qcom,ports-sinterval-low), the driver will overflow buffers on the stack when reading these properties from DTS. Add a sanity check so incorrect DTS will not cause kernel memory corruption. Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org> Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org> Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org> Link: https://lore.kernel.org/r/20230222144412.237832-2-krzysztof.kozlowski@linaro.org Signed-off-by: Vinod Koul <vkoul@kernel.org>
Diffstat (limited to 'drivers/soundwire/qcom.c')
-rw-r--r--drivers/soundwire/qcom.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/soundwire/qcom.c b/drivers/soundwire/qcom.c
index 79bebcecde6d..c296e0bf897b 100644
--- a/drivers/soundwire/qcom.c
+++ b/drivers/soundwire/qcom.c
@@ -1218,6 +1218,9 @@ static int qcom_swrm_get_port_config(struct qcom_swrm_ctrl *ctrl)
ctrl->num_dout_ports = val;
nports = ctrl->num_dout_ports + ctrl->num_din_ports;
+ if (nports > QCOM_SDW_MAX_PORTS)
+ return -EINVAL;
+
/* Valid port numbers are from 1-14, so mask out port 0 explicitly */
set_bit(0, &ctrl->dout_port_mask);
set_bit(0, &ctrl->din_port_mask);