On Thu, Dec 14, 2023 at 09:14:39PM +0100, Tobias Waldekranz wrote:
> When probing, if a device is waiting for firmware to be loaded into
> its RAM, ask userspace for the binary and load it over XMDIO.
Does a device without firmware have valid ID registers? Is the driver
going to probe via bus enumeration, or is it necessary to use a
compatible with ID values?
> + for (sect = fw->data; (sect + sizeof(hdr)) < (fw->data + fw->size);) {
This validates that the firmware is big enough to hold the header...
> + memcpy(&hdr, sect, sizeof(hdr));
> + hdr.data.size = cpu_to_le32(hdr.data.size);
> + hdr.data.addr = cpu_to_le32(hdr.data.addr);
> + hdr.data.csum = cpu_to_le16(hdr.data.csum);
> + hdr.next_hdr = cpu_to_le32(hdr.next_hdr);
I'm surprised sparse is not complaining about this. You have the same
source and destination, and sparse probably wants the destination to
be marked as little endian.
> + hdr.csum = cpu_to_le16(hdr.csum);
> +
> + for (i = 0, csum = 0; i < offsetof(struct mv3310_fw_hdr, csum); i++)
> + csum += sect[i];
> +
> + if ((u16)~csum != hdr.csum) {
> + dev_err(&phydev->mdio.dev, "Corrupt section header\n");
> + err = -EINVAL;
> + break;
> + }
> +
> + err = mv3310_load_fw_sect(phydev, &hdr, sect + sizeof(hdr));
What i don't see is any validation that the firmware left at sect +
sizeof(hdr) big enough to contain hdr.data.size bytes.
Andrew
