spmi: pmic_arb: block access of invalid read and writes
The system crashes due to bad access when reading from an non configured
peripheral and when writing to peripheral which is not owned by current
ee. This patch verifies ownership to avoid crashing on
write.
For reads, since the forward mapping table, data_channel->ppid, is
towards the end of the block, we use the core size to figure the
max number of ppids supported. The table starts at an offset of 0x800
within the block, so size - 0x800 will give us the area used by the
table. Since each table is 4 bytes long (core_size - 0x800) / 4 will
gives us the number of data_channel supported.
This new protection is functional on hw v2.
Change-Id: I74e3452963a7dda9a8c8aaef76de3117cabc454b
Signed-off-by: Abhijeet Dharmapurikar <adharmap@codeaurora.org>
[collinsd: fix minor merge conflict and checkpatch warning]
Signed-off-by: David Collins <collinsd@codeaurora.org>
diff --git a/drivers/spmi/spmi-pmic-arb.c b/drivers/spmi/spmi-pmic-arb.c
index a157af7..869e00c 100644
--- a/drivers/spmi/spmi-pmic-arb.c
+++ b/drivers/spmi/spmi-pmic-arb.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -111,6 +111,7 @@
* @ee: the current Execution Environment
* @min_apid: minimum APID (used for bounding IRQ search)
* @max_apid: maximum APID
+ * @max_periph: maximum number of PMIC peripherals supported by HW.
* @mapping_table: in-memory copy of PPID -> APID mapping table.
* @domain: irq domain object for PMIC IRQ domain
* @spmic: SPMI controller object
@@ -132,6 +133,7 @@
u8 ee;
u16 min_apid;
u16 max_apid;
+ u16 max_periph;
u32 *mapping_table;
DECLARE_BITMAP(mapping_table_valid, PMIC_ARB_MAX_PERIPHS);
struct irq_domain *domain;
@@ -140,11 +142,13 @@
const struct pmic_arb_ver_ops *ver_ops;
u16 *ppid_to_chan;
u16 last_channel;
+ u8 *chan_to_owner;
};
/**
* pmic_arb_ver: version dependent functionality.
*
+ * @mode: access rights to specified pmic peripheral.
* @non_data_cmd: on v1 issues an spmi non-data command.
* on v2 no HW support, returns -EOPNOTSUPP.
* @offset: on v1 offset of per-ee channel.
@@ -160,6 +164,8 @@
* on v2 offset of SPMI_PIC_IRQ_CLEARn.
*/
struct pmic_arb_ver_ops {
+ int (*mode)(struct spmi_pmic_arb_dev *dev, u8 sid, u16 addr,
+ mode_t *mode);
/* spmi commands (read_cmd, write_cmd, cmd) functionality */
int (*offset)(struct spmi_pmic_arb_dev *dev, u8 sid, u16 addr,
u32 *offset);
@@ -313,11 +319,23 @@
u32 cmd;
int rc;
u32 offset;
+ mode_t mode;
rc = pmic_arb->ver_ops->offset(pmic_arb, sid, addr, &offset);
if (rc)
return rc;
+ rc = pmic_arb->ver_ops->mode(pmic_arb, sid, addr, &mode);
+ if (rc)
+ return rc;
+
+ if (!(mode & 0400)) {
+ dev_err(&pmic_arb->spmic->dev,
+ "error: impermissible read from peripheral sid:%d addr:0x%x\n",
+ sid, addr);
+ return -ENODEV;
+ }
+
if (bc >= PMIC_ARB_MAX_TRANS_BYTES) {
dev_err(&ctrl->dev,
"pmic-arb supports 1..%d bytes per trans, but:%zu requested",
@@ -364,11 +382,23 @@
u32 cmd;
int rc;
u32 offset;
+ mode_t mode;
rc = pmic_arb->ver_ops->offset(pmic_arb, sid, addr, &offset);
if (rc)
return rc;
+ rc = pmic_arb->ver_ops->mode(pmic_arb, sid, addr, &mode);
+ if (rc)
+ return rc;
+
+ if (!(mode & 0200)) {
+ dev_err(&pmic_arb->spmic->dev,
+ "error: impermissible write to peripheral sid:%d addr:0x%x\n",
+ sid, addr);
+ return -ENODEV;
+ }
+
if (bc >= PMIC_ARB_MAX_TRANS_BYTES) {
dev_err(&ctrl->dev,
"pmic-arb supports 1..%d bytes per trans, but:%zu requested",
@@ -727,6 +757,13 @@
return 0;
}
+static int
+pmic_arb_mode_v1(struct spmi_pmic_arb_dev *pa, u8 sid, u16 addr, mode_t *mode)
+{
+ *mode = 0600;
+ return 0;
+}
+
/* v1 offset per ee */
static int
pmic_arb_offset_v1(struct spmi_pmic_arb_dev *pa, u8 sid, u16 addr, u32 *offset)
@@ -745,7 +782,11 @@
* PMIC_ARB_REG_CHNL is a table in HW mapping channel to ppid.
* ppid_to_chan is an in-memory invert of that table.
*/
- for (chan = pa->last_channel; ; chan++) {
+ for (chan = pa->last_channel; chan < pa->max_periph; chan++) {
+ regval = readl_relaxed(pa->cnfg +
+ SPMI_OWNERSHIP_TABLE_REG(chan));
+ pa->chan_to_owner[chan] = SPMI_OWNERSHIP_PERIPH2OWNER(regval);
+
offset = PMIC_ARB_REG_CHNL(chan);
if (offset >= pa->core_size)
break;
@@ -766,6 +807,26 @@
return chan;
}
+static int
+pmic_arb_mode_v2(struct spmi_pmic_arb_dev *pa, u8 sid, u16 addr, mode_t *mode)
+{
+ u16 ppid = (sid << 8) | (addr >> 8);
+ u16 chan;
+ u8 owner;
+
+ chan = pa->ppid_to_chan[ppid];
+ if (!(chan & PMIC_ARB_CHAN_VALID))
+ return -ENODEV;
+
+ *mode = 0;
+ *mode |= 0400;
+
+ chan &= ~PMIC_ARB_CHAN_VALID;
+ owner = pa->chan_to_owner[chan];
+ if (owner == pa->ee)
+ *mode |= 0200;
+ return 0;
+}
/* v2 offset per ppid (chan) and per ee */
static int
@@ -836,6 +897,7 @@
}
static const struct pmic_arb_ver_ops pmic_arb_v1 = {
+ .mode = pmic_arb_mode_v1,
.non_data_cmd = pmic_arb_non_data_cmd_v1,
.offset = pmic_arb_offset_v1,
.fmt_cmd = pmic_arb_fmt_cmd_v1,
@@ -846,6 +908,7 @@
};
static const struct pmic_arb_ver_ops pmic_arb_v2 = {
+ .mode = pmic_arb_mode_v2,
.non_data_cmd = pmic_arb_non_data_cmd_v2,
.offset = pmic_arb_offset_v2,
.fmt_cmd = pmic_arb_fmt_cmd_v2,
@@ -879,6 +942,12 @@
res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "core");
pa->core_size = resource_size(res);
+ if (pa->core_size <= 0x800) {
+ dev_err(&pdev->dev, "core_size is smaller than 0x800. Failing Probe\n");
+ err = -EINVAL;
+ goto err_put_ctrl;
+ }
+
core = devm_ioremap_resource(&ctrl->dev, res);
if (IS_ERR(core)) {
err = PTR_ERR(core);
@@ -899,6 +968,9 @@
pa->core = core;
pa->ver_ops = &pmic_arb_v2;
+ /* the apid to ppid table starts at PMIC_ARB_REG_CHNL(0) */
+ pa->max_periph = (pa->core_size - PMIC_ARB_REG_CHNL(0)) / 4;
+
res = platform_get_resource_byname(pdev, IORESOURCE_MEM,
"obsrvr");
pa->rd_base = devm_ioremap_resource(&ctrl->dev, res);
@@ -923,6 +995,15 @@
err = -ENOMEM;
goto err_put_ctrl;
}
+
+ pa->chan_to_owner = devm_kcalloc(&ctrl->dev,
+ pa->max_periph,
+ sizeof(*pa->chan_to_owner),
+ GFP_KERNEL);
+ if (!pa->chan_to_owner) {
+ err = -ENOMEM;
+ goto err_put_ctrl;
+ }
}
res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "intr");