Commit ce05a9f3 authored by Alex Elder's avatar Alex Elder Committed by David S. Miller
Browse files

net: ipa: clean up header memory validation 



Do some general cleanup in ipa_cmd_header_valid():
  - Delay assigning the mem variable until just before it's used.
  - Assign the maximum offset and size values together.
  - Improve comments explaining the single range of memory being
    made up of a modem portion and an AP portion.
  - Record the offset of the combined range in a local variable.
  - Do the initial size assignment right after assigning the offset.

Signed-off-by: default avatarAlex Elder <elder@linaro.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 8cc7ebbf

drivers/net/ipa/ipa_cmd.c

+24 −12
Original line number Diff line number Diff line
@@ -200,41 +200,53 @@ bool ipa_cmd_table_valid(struct ipa *ipa, const struct ipa_mem *mem, 
/* Validate the memory region that holds headers */

static bool ipa_cmd_header_valid(struct ipa *ipa)

{

	const struct ipa_mem *mem = &ipa->mem[IPA_MEM_MODEM_HEADER];

	struct device *dev = &ipa->pdev->dev;

	const struct ipa_mem *mem;

	u32 offset_max;

	u32 size_max;

	u32 offset;

	u32 size;



	/* In ipa_cmd_hdr_init_local_add() we record the offset and size

	 * of the header table memory area.  Make sure the offset and size

	 * fit in the fields that need to hold them, and that the entire

	 * range is within the overall IPA memory range.

	/* In ipa_cmd_hdr_init_local_add() we record the offset and size of

	 * the header table memory area in an immediate command.  Make sure

	 * the offset and size fit in the fields that need to hold them, and

	 * that the entire range is within the overall IPA memory range.

	 */

	offset_max = field_max(HDR_INIT_LOCAL_FLAGS_HDR_ADDR_FMASK);

	if (mem->offset > offset_max ||

	    ipa->mem_offset > offset_max - mem->offset) {

	size_max = field_max(HDR_INIT_LOCAL_FLAGS_TABLE_SIZE_FMASK);



	/* The header memory area contains both the modem and AP header

	 * regions.  The modem portion defines the address of the region.

	 */

	mem = &ipa->mem[IPA_MEM_MODEM_HEADER];

	offset = mem->offset;

	size = mem->size;



	/* Make sure the offset fits in the IPA command */

	if (offset > offset_max || ipa->mem_offset > offset_max - offset) {

		dev_err(dev, "header table region offset too large\n");

		dev_err(dev, "    (0x%04x + 0x%04x > 0x%04x)\n",

			ipa->mem_offset, mem->offset, offset_max);

			ipa->mem_offset, offset, offset_max);



		return false;

	}



	size_max = field_max(HDR_INIT_LOCAL_FLAGS_TABLE_SIZE_FMASK);

	size = ipa->mem[IPA_MEM_MODEM_HEADER].size;

	/* Add the size of the AP portion to the combined size */

	size += ipa->mem[IPA_MEM_AP_HEADER].size;



	/* Make sure the combined size fits in the IPA command */

	if (size > size_max) {

		dev_err(dev, "header table region size too large\n");

		dev_err(dev, "    (0x%04x > 0x%08x)\n", size, size_max);



		return false;

	}

	if (size > ipa->mem_size || mem->offset > ipa->mem_size - size) {



	/* Make sure the entire combined area fits in IPA memory */

	if (size > ipa->mem_size || offset > ipa->mem_size - size) {

		dev_err(dev, "header table region out of range\n");

		dev_err(dev, "    (0x%04x + 0x%04x > 0x%04x)\n",

			mem->offset, size, ipa->mem_size);

			offset, size, ipa->mem_size);



		return false;

	}