firmware: zynqmp: fix write to an uninitialised pointer in ipi_req()
Author: Michal Simek <michal.simek@xilinx.com>
Date: Fri, 15 Oct 2021 14:57:39 +0000 (16:57 +0200)
Committer: Michal Simek <michal.simek@xilinx.com>
Date: Thu, 21 Oct 2021 06:54:50 +0000 (08:54 +0200)
When a caller is not interested in the returned message, the ret_payload
pointer is set to NULL in the u-boot-sources. In this case, under EL3, the
memory from address 0x0 would be overwritten by ipi_req() with the returned
IPI message, damaging the original data under this address. The patch, in
case ret_payload is NULL, assigns the pointer to the array holding the IPI
message being sent.

Signed-off-by: Adrian Fiergolski <adrian.fiergolski@fastree3d.com>
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Reviewed-by: Adrian Fiergolski <Adrian.Fiergolski@fastree3d.com>
Link: https://lore.kernel.org/r/3178ff7651948270b714daa4adad48b94eaca9ba.1634309856.git.michal.simek@xilinx.com
drivers/firmware/firmware-zynqmp.c

index 7e0acc5bc8a9da7827bfd8cc6dd89bdd952b434a..b44fede3079938708060511bc6a69c73e20fadb1 100644
@@ -29,6 +29,10 @@ static int ipi_req(const u32 *req, size_t req_len, u32 *res, size_t res_maxlen)
 {
        struct zynqmp_ipi_msg msg;
        int ret;
+       u32 buffer[PAYLOAD_ARG_CNT];
+
+       if (!res)
+               res = buffer;
 
        if (req_len > PMUFW_PAYLOAD_ARG_CNT ||
            res_maxlen > PMUFW_PAYLOAD_ARG_CNT)
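Review bot: the fallback `buffer` is declared with `PAYLOAD_ARG_CNT` elements, but the length check that follows only bounds `res_maxlen` against `PMUFW_PAYLOAD_ARG_CNT`; unless those two constants are guaranteed equal, a caller that passes a NULL `res` together with a `res_maxlen` larger than `PAYLOAD_ARG_CNT` could still have the response copied past the end of the stack array, which trades the write-to-address-0 bug for a stack overwrite under EL3. Suggest either sizing the array with the same constant the check uses, or clamping `res_maxlen` to the array size right where `res = buffer;` is assigned, so the substitution cannot be undone by the caller's length argument. The commit message also says the pointer is redirected to "the array holding the IPI message being sent", whereas the hunk introduces a separate scratch array; the message should describe the scratch buffer so readers do not assume the request payload is reused.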