On Wed 22 Jul 13:10 PDT 2020, Sibi Sankar wrote:
> The following mem abort is observed when one of the modem blob firmware
> size exceeds the allocated mpss region. Fix this by restricting the copy
> size to segment size using request_firmware_into_buf before load.
>
> Err Logs:
> Unable to handle kernel paging request at virtual address
> Mem abort info:
> ...
> Call trace:
> __memcpy+0x110/0x180
> rproc_start+0xd0/0x190
> rproc_boot+0x404/0x550
> state_store+0x54/0xf8
> dev_attr_store+0x44/0x60
> sysfs_kf_write+0x58/0x80
> kernfs_fop_write+0x140/0x230
> vfs_write+0xc4/0x208
> ksys_write+0x74/0xf8
> ...
>
> Fixes: 051fb70fd4ea4 ("remoteproc: qcom: Driver for the self-authenticating Hexagon v5")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Sibi Sankar <sibis@xxxxxxxxxxxxxx>
Reviewed-by: Bjorn Andersson <bjorn.andersson@xxxxxxxxxx>
> ---
> drivers/remoteproc/qcom_q6v5_mss.c | 5 ++---
> 1 file changed, 2 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/remoteproc/qcom_q6v5_mss.c b/drivers/remoteproc/qcom_q6v5_mss.c
> index 4e72c9e30426c..f4aa61ba220dc 100644
> --- a/drivers/remoteproc/qcom_q6v5_mss.c
> +++ b/drivers/remoteproc/qcom_q6v5_mss.c
> @@ -1174,15 +1174,14 @@ static int q6v5_mpss_load(struct q6v5 *qproc)
> } else if (phdr->p_filesz) {
> /* Replace "xxx.xxx" with "xxx.bxx" */
> sprintf(fw_name + fw_name_len - 3, "b%02d", i);
> - ret = request_firmware(&seg_fw, fw_name, qproc->dev);
> + ret = request_firmware_into_buf(&seg_fw, fw_name, qproc->dev,
> + ptr, phdr->p_filesz);
> if (ret) {
> dev_err(qproc->dev, "failed to load %s\n", fw_name);
> iounmap(ptr);
> goto release_firmware;
> }
>
> - memcpy(ptr, seg_fw->data, seg_fw->size);
> -
> release_firmware(seg_fw);
> }
>
> --
> The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
> a Linux Foundation Collaborative Project
>
