author Michal Simek <michal.simek@xilinx.com> 2021-10-15 17:57:39 +0300
committer Michal Simek <michal.simek@xilinx.com> 2021-10-21 09:54:50 +0300
commit 53f5d1688e33f4c9c1e68ba132d50f8aca06fc3b
tree 197a13e30a238db7ad9439d2d1154e04a8467917 /drivers/firmware
parent b05cc389bac1151aa6b14e2d6a66d06329d7e3fe
firmware: zynqmp: fix write to an uninitialised pointer in ipi_req()

When a caller is not interested in the returned message, the ret_payload pointer is set to NULL in the u-boot-sources. In this case, under EL3, the memory from address 0x0 would be overwritten by ipi_req() with the returned IPI message, damaging the original data under this address. The patch, in case ret_payload is NULL, assigns the pointer to the array holding the IPI message being sent.

Signed-off-by: Adrian Fiergolski <adrian.fiergolski@fastree3d.com>
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Reviewed-by: Adrian Fiergolski <Adrian.Fiergolski@fastree3d.com>
Link: https://lore.kernel.org/r/3178ff7651948270b714daa4adad48b94eaca9ba.1634309856.git.michal.simek@xilinx.com

Diffstat (limited to 'drivers/firmware')
-rw-r--r-- drivers/firmware/firmware-zynqmp.c 4
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/firmware/firmware-zynqmp.c b/drivers/firmware/firmware-zynqmp.c
index 7e0acc5bc8..b44fede307 100644
--- a/drivers/firmware/firmware-zynqmp.c
+++ b/drivers/firmware/firmware-zynqmp.c
@@ -29,6 +29,10 @@ static int ipi_req(const u32 *req, size_t req_len, u32 *res, size_t res_maxlen)
{
struct zynqmp_ipi_msg msg;
int ret;
+ u32 buffer[PAYLOAD_ARG_CNT];
+
+ if (!res)
+ res = buffer;
if (req_len > PMUFW_PAYLOAD_ARG_CNT ||
res_maxlen > PMUFW_PAYLOAD_ARG_CNT)
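Review bot: the fallback array is sized with a different constant from the one the bounds check directly below it uses: `u32 buffer[PAYLOAD_ARG_CNT];` versus `res_maxlen > PMUFW_PAYLOAD_ARG_CNT`. If PAYLOAD_ARG_CNT is smaller than PMUFW_PAYLOAD_ARG_CNT, a caller that passes res == NULL together with a res_maxlen between the two values passes the check, and whatever is later written through res (up to res_maxlen words) can run past the end of the stack buffer. Suggest declaring it as `u32 buffer[PMUFW_PAYLOAD_ARG_CNT];`, or clamping res_maxlen to the size of buffer at the point where `res = buffer;` is taken. Separately, the commit message says the pointer is assigned to the array holding the IPI message being sent, while the code introduces a new local array; a one-line comment above `if (!res)` stating that the response is deliberately discarded into a scratch buffer would make the intent clear.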