From: Niklas Cassel
To: Andy Gross, Bjorn Andersson, Stephen Boyd, Avaneesh Kumar Dwivedi, Niklas Cassel
Cc: linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] firmware: qcom: scm: Fix crash in qcom_scm_call_atomic1()
Date: Mon, 9 Apr 2018 23:40:15 +0200
Message-Id: <20180409214016.21219-1-niklas.cassel@linaro.org>

qcom_scm_call_atomic1() can crash with a NULL pointer dereference at
qcom_scm_call_atomic1+0x30/0x48.

disassembly of qcom_scm_call_atomic1():
...
<0xc08d73b0 <+12>: ldr r3, [r12]
... (no instruction explicitly modifies r12)
0xc08d73cc <+40>: smc 0
... (no instruction explicitly modifies r12)
0xc08d73d4 <+48>: ldr r3, [r12] <- crashing instruction
...

Since the first ldr is successful, and since r12 isn't explicitly
modified by any instruction between the first and the second ldr,
it must have been modified by the smc call, which is ok,
since r12 is caller save according to the AAPCS.

Add r12 to the clobber list so that the compiler knows that the
callee potentially overwrites the value in r12.
Clobber descriptions may not in any way overlap with an input or
output operand.

Signed-off-by: Niklas Cassel --- drivers/firmware/qcom_scm-32.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) -- 2.14.3 -- To unsubscribe from this list: send the line "unsubscribe linux-arm-msm" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Reviewed-by: Bjorn Andersson Reviewed-by: Stephen Boyd diff --git a/drivers/firmware/qcom_scm-32.c b/drivers/firmware/qcom_scm-32.c index dfbd894d5bb7..4e24e591ae74 100644 --- a/drivers/firmware/qcom_scm-32.c +++ b/drivers/firmware/qcom_scm-32.c @@ -147,7 +147,7 @@ static u32 smc(u32 cmd_addr) "smc #0 @ switch to secure world\n" : "=r" (r0) : "r" (r0), "r" (r1), "r" (r2) - : "r3"); + : "r3", "r12"); } while (r0 == QCOM_SCM_INTERRUPTED); return r0; @@ -263,7 +263,7 @@ static s32 qcom_scm_call_atomic1(u32 svc, u32 cmd, u32 arg1) "smc #0 @ switch to secure world\n" : "=r" (r0) : "r" (r0), "r" (r1), "r" (r2) - : "r3"); + : "r3", "r12"); return r0; } @@ -298,7 +298,7 @@ static s32 qcom_scm_call_atomic2(u32 svc, u32 cmd, u32 arg1, u32 arg2) "smc #0 @ switch to secure world\n" : "=r" (r0) : "r" (r0), "r" (r1), "r" (r2), "r" (r3) - ); + : "r12"); return r0; } @@ -328,7 +328,7 @@ u32 qcom_scm_get_version(void) "smc #0 @ switch to secure world\n" : "=r" (r0), "=r" (r1) : "r" (r0), "r" (r1) - : "r2", "r3"); + : "r2", "r3", "r12"); } while (r0 == QCOM_SCM_INTERRUPTED); version = r1;
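Review bot: in the qcom_scm_call_atomic2() hunk (@@ -298), r3 is passed only as an input operand ("r" (r3)), so the compiler is still free to assume r3 holds its pre-call value after the smc, while the other three call sites list "r3" as clobbered. Because a clobber may not overlap an operand, consider tying r3 to an output operand here so it is treated as modified, and state in the commit message why this site gets only "r12".

Review bot: the clobber list now has to be kept in sync by hand at four smc sites (smc(), qcom_scm_call_atomic1(), qcom_scm_call_atomic2(), qcom_scm_get_version()), and nothing next to the lists says why "r12" is there. A short comment at each list, or one shared definition of the clobbers, would help a future smc call site avoid repeating the omission; the commit message also has no Fixes: tag for what it describes as a NULL pointer dereference.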