soc: qcom: smem: verify partition offset_free_uncached

Add verification in qcom_smem_partition_header() that the
offset_free_uncached field in a partition's header structure does
not exceed the partition's size.

Signed-off-by: Alex Elder <elder@linaro.org>
Signed-off-by: Andy Gross <andy.gross@linaro.org>

diff --git a/drivers/soc/qcom/smem.c b/drivers/soc/qcom/smem.c
index efaeec4a0395a8500d7f88f0840a49f3bbdad4b4..a94888c26e18c161cc111d661d17fbd12120fa2e 100644 (file)
--- a/drivers/soc/qcom/smem.c
+++ b/drivers/soc/qcom/smem.c
@@ -751,6 +751,12 @@ qcom_smem_partition_header(struct qcom_smem *smem,
                return NULL;
        }
 
+       if (le32_to_cpu(header->offset_free_uncached) > size) {
+               dev_err(smem->dev, "bad partition free uncached (%u > %u)\n",
+                       le32_to_cpu(header->offset_free_uncached), size);
+               return NULL;
+       }
+
        return header;
 }
 
@@ -759,7 +765,7 @@ static int qcom_smem_set_global_partition(struct qcom_smem *smem)
        struct smem_partition_header *header;
        struct smem_ptable_entry *entry;
        struct smem_ptable *ptable;
-       u32 host0, host1, size;
+       u32 host0, host1;
        bool found = false;
        int i;
 
@@ -804,13 +810,6 @@ static int qcom_smem_set_global_partition(struct qcom_smem *smem)
                return -EINVAL;
        }
 
-       size = le32_to_cpu(header->offset_free_uncached);
-       if (size > le32_to_cpu(header->size)) {
-               dev_err(smem->dev,
-                       "Global partition has invalid free pointer\n");
-               return -EINVAL;
-       }
-
        smem->global_partition = header;
        smem->global_cacheline = le32_to_cpu(entry->cacheline);
 
@@ -874,12 +873,6 @@ static int qcom_smem_enumerate_partitions(struct qcom_smem *smem,
                        return -EINVAL;
                }
 
-               if (le32_to_cpu(header->offset_free_uncached) > le32_to_cpu(header->size)) {
-                       dev_err(smem->dev,
-                               "Partition %d has invalid free pointer\n", i);
-                       return -EINVAL;
-               }
-
                smem->partitions[remote_host] = header;
                smem->cacheline[remote_host] = le32_to_cpu(entry->cacheline);
        }