On fre, dec 15, 2023 at 15:30, Andrew Lunn <andrew@xxxxxxx> wrote:
> On Thu, Dec 14, 2023 at 09:14:39PM +0100, Tobias Waldekranz wrote:
>> When probing, if a device is waiting for firmware to be loaded into
>> its RAM, ask userspace for the binary and load it over XMDIO.
>
> Does a device without firmware have valid ID registers? Is the driver
> going to probe via bus enumeration, or is it necessary to use a
> compatible with ID values?
>
>> + for (sect = fw->data; (sect + sizeof(hdr)) < (fw->data + fw->size);) {
>
> This validates that the firmware is big enough to hold the header...
>
>> + memcpy(&hdr, sect, sizeof(hdr));
>> + hdr.data.size = cpu_to_le32(hdr.data.size);
>> + hdr.data.addr = cpu_to_le32(hdr.data.addr);
>> + hdr.data.csum = cpu_to_le16(hdr.data.csum);
>> + hdr.next_hdr = cpu_to_le32(hdr.next_hdr);
>
> I'm surprised sparse is not complaining about this. You have the same
> source and destination, and sparse probably wants the destination to
> be marked as little endian.
>
>> + hdr.csum = cpu_to_le16(hdr.csum);
>> +
>> + for (i = 0, csum = 0; i < offsetof(struct mv3310_fw_hdr, csum); i++)
>> + csum += sect[i];
>> +
>> + if ((u16)~csum != hdr.csum) {
>> + dev_err(&phydev->mdio.dev, "Corrupt section header\n");
>> + err = -EINVAL;
>> + break;
>> + }
>> +
>> + err = mv3310_load_fw_sect(phydev, &hdr, sect + sizeof(hdr));
>
> What i don't see is any validation that the firmware left at sect +
> sizeof(hdr) big enough to contain hdr.data.size bytes.
>
Thanks Andrew and Russel, for the review!
You both make valid points, I'll try to be less clever about this whole
section in v2.
