On Wed 22 Jul 13:10 PDT 2020, Sibi Sankar wrote: > The following mem abort is observed when the mba firmware size exceeds > the allocated mba region. MBA firmware size is restricted to a maximum > size of 1M and remaining memory region is used by modem debug policy > firmware when available. Hence verify whether the MBA firmware size lies > within the allocated memory region and is not greater than 1M before > loading. > > Err Logs: > Unable to handle kernel paging request at virtual address > Mem abort info: > ... > Call trace: > __memcpy+0x110/0x180 > rproc_start+0x40/0x218 > rproc_boot+0x5b4/0x608 > state_store+0x54/0xf8 > dev_attr_store+0x44/0x60 > sysfs_kf_write+0x58/0x80 > kernfs_fop_write+0x140/0x230 > vfs_write+0xc4/0x208 > ksys_write+0x74/0xf8 > __arm64_sys_write+0x24/0x30 > ... > > Fixes: 051fb70fd4ea4 ("remoteproc: qcom: Driver for the self-authenticating Hexagon v5") > Cc: stable@xxxxxxxxxxxxxxx Reviewed-by: Bjorn Andersson <bjorn.andersson@xxxxxxxxxx> > Signed-off-by: Sibi Sankar <sibis@xxxxxxxxxxxxxx> > --- > drivers/remoteproc/qcom_q6v5_mss.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/drivers/remoteproc/qcom_q6v5_mss.c b/drivers/remoteproc/qcom_q6v5_mss.c > index 718acebae777f..4e72c9e30426c 100644 > --- a/drivers/remoteproc/qcom_q6v5_mss.c > +++ b/drivers/remoteproc/qcom_q6v5_mss.c > @@ -412,6 +412,12 @@ static int q6v5_load(struct rproc *rproc, const struct firmware *fw) > { > struct q6v5 *qproc = rproc->priv; > > + /* MBA is restricted to a maximum size of 1M */ > + if (fw->size > qproc->mba_size || fw->size > SZ_1M) { > + dev_err(qproc->dev, "MBA firmware load failed\n"); I'll change this to "MBA firmware exceeds size limit\n". Please let me know if you object. Regards, Bjorn > + return -EINVAL; > + } > + > memcpy(qproc->mba_region, fw->data, fw->size); > > return 0; > -- > The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum, > a Linux Foundation Collaborative Project >
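Review bot: In q6v5_load(), the dev_err() in the new size check does not report which bound was exceeded or the offending size. Printing fw->size next to the applicable limit (qproc->mba_size or SZ_1M) would let a rejected image be diagnosed from the log alone, whichever wording is chosen for the message. The comment above the check mentions only the 1M cap, while the condition also rejects images larger than qproc->mba_size. The comment should name both bounds, because the memcpy() into qproc->mba_region that follows is only safe when fw->size fits within qproc->mba_size.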