On 10/15/21 16:57, Michal Simek wrote:
When a caller is not interested in the returned message, the ret_payload
pointer is set to NULL in the u-boot-sources. In this case, under EL3, the
memory from address 0x0 would be overwritten by ipi_req() with the returned
IPI message, damaging the original data under this address. The patch, in
case ret_payload is NULL, assigns the pointer to the array holding the IPI
message being sent.

Signed-off-by: Adrian Fiergolski <[email protected]>
Signed-off-by: Michal Simek <[email protected]>
---

Based on the original series from Adrian. That's why I am also adding his SoB line.
https://lore.kernel.org/r/[email protected]

Adrian: The patch is just a suggestion of how we could avoid those NULL pointer
writes, but done in ipi_req()

---
  drivers/firmware/firmware-zynqmp.c | 4 ++++
  1 file changed, 4 insertions(+)

diff --git a/drivers/firmware/firmware-zynqmp.c 
b/drivers/firmware/firmware-zynqmp.c
index 1391aab0a160..7e498d8169e8 100644
--- a/drivers/firmware/firmware-zynqmp.c
+++ b/drivers/firmware/firmware-zynqmp.c
@@ -30,6 +30,10 @@ static int ipi_req(const u32 *req, size_t req_len, u32 *res, 
size_t res_maxlen)
  {
        struct zynqmp_ipi_msg msg;
        int ret;
+       u32 buffer[PAYLOAD_ARG_CNT];
+
+       if (!res)
+               res = buffer;
if (req_len > PMUFW_PAYLOAD_ARG_CNT ||
            res_maxlen > PMUFW_PAYLOAD_ARG_CNT)
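
Review bot: The fallback array is declared as `u32 buffer[PAYLOAD_ARG_CNT]`, but the check right below it bounds the caller-supplied `res_maxlen` against `PMUFW_PAYLOAD_ARG_CNT`, so when `res` is NULL the destination is sized by one constant and its permitted length by another. Declaring the array with `PMUFW_PAYLOAD_ARG_CNT`, or confirming that `PAYLOAD_ARG_CNT` is at least as large, would keep the two in step and rule out a stack overrun for a caller that passes NULL together with a non-zero `res_maxlen`. The commit message also says the pointer is assigned to the array holding the IPI message being sent, while the hunk adds a separate local array; the description or the code should be brought into line.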


Applied.
M

--
Michal Simek, Ing. (M.Eng), OpenPGP -> KeyID: FE3D1F91
w: www.monstr.eu p: +42-0-721842854
Maintainer of Linux kernel - Xilinx Microblaze
Maintainer of Linux kernel - Xilinx Zynq ARM and ZynqMP ARM64 SoCs
U-Boot custodian - Xilinx Microblaze/Zynq/ZynqMP/Versal SoCs
