On 15.10.2021 16:57, Michal Simek wrote:
> When a caller is not interested in the returned message, the ret_payload
> pointer is set to NULL in the u-boot-sources. In this case, under EL3, the
> memory from address 0x0 would be overwritten by ipi_req() with the returned
> IPI message, damaging the original data under this address. The patch, in
> case ret_payload is NULL, assigns the pointer to the array holding the IPI
> message being sent.
>
> Signed-off-by: Adrian Fiergolski <[email protected]>
> Signed-off-by: Michal Simek <[email protected]>

Reviewed-by: Adrian Fiergolski <[email protected]>
Thanks, Adrian > --- > > Based on origin series from Adrian. That's why also adding his SoB line. > https://lore.kernel.org/r/[email protected] > > Adrian: The patch is just suggestion how we could avoid that NULL pointer > writes but done in ipi_req() > > --- > drivers/firmware/firmware-zynqmp.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/drivers/firmware/firmware-zynqmp.c > b/drivers/firmware/firmware-zynqmp.c > index 1391aab0a160..7e498d8169e8 100644 > --- a/drivers/firmware/firmware-zynqmp.c > +++ b/drivers/firmware/firmware-zynqmp.c > @@ -30,6 +30,10 @@ static int ipi_req(const u32 *req, size_t req_len, u32 > *res, size_t res_maxlen) > { > struct zynqmp_ipi_msg msg; > int ret; > + u32 buffer[PAYLOAD_ARG_CNT]; > + > + if (!res) > + res = buffer; > > if (req_len > PMUFW_PAYLOAD_ARG_CNT || > res_maxlen > PMUFW_PAYLOAD_ARG_CNT)
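Review bot: The fallback array in ipi_req() is declared as `u32 buffer[PAYLOAD_ARG_CNT]`, but the length check directly below it bounds `res_maxlen` by `PMUFW_PAYLOAD_ARG_CNT`, a different constant. If `PMUFW_PAYLOAD_ARG_CNT` is the larger of the two, a call with `res == NULL` and `res_maxlen` above `PAYLOAD_ARG_CNT` passes the check, and anything that then writes up to `res_maxlen` words into `res` runs past the end of the stack buffer. Size the array with `PMUFW_PAYLOAD_ARG_CNT` so it matches the check, or reject `res_maxlen > PAYLOAD_ARG_CNT` when the fallback is in use. The commit message also says the pointer is assigned to the array holding the IPI message being sent, while the code introduces a separate scratch buffer, so the description should be updated to match.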

