From: Rafał Miłecki <rafal@xxxxxxxxxx>
While experimenting with firmware loading I ended up in a state of
firmware reporting shared RAM address 0x04000001. It was causing:
[ 94.448015] Unable to handle kernel paging request at virtual address cd680001
due to reading out of the mapped memory.
This patch adds some basic validation to avoid kernel crashes due to the
unexpected firmware behavior.
Signed-off-by: Rafał Miłecki <rafal@xxxxxxxxxx>
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
index 257f919c52cc..58a6bc379358 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
@@ -1560,6 +1560,12 @@ static int brcmf_pcie_download_fw_nvram(struct brcmf_pciedev_info *devinfo,
brcmf_err(bus, "FW failed to initialize\n");
return -ENODEV;
}
+ if (sharedram_addr < devinfo->ci->rambase ||
+ sharedram_addr >= devinfo->ci->rambase + devinfo->ci->ramsize) {
+ brcmf_err(bus, "Invalid shared RAM address 0x%08x\n",
+ sharedram_addr);
+ return -ENODEV;
+ }
brcmf_dbg(PCIE, "Shared RAM addr: 0x%08x\n", sharedram_addr);
return (brcmf_pcie_init_share_ram_info(devinfo, sharedram_addr));
--
2.20.1
