firmware: tegra: Add return code checks and increase debugfs size

Add checking of the BPMP-FW return code values for MRQ_DEBUGFS calls.

Also, development versions of the firmware may have debugfs with a
directory structure larger than 256 KiB. Hence increase the size of the
memory buffer to accommodate those firmware revisions.

And finally, ensure that no access outside of allocated memory buffer
happens in case BPMP-FW returns an invalid response size (nbytes) from
mrq_debugfs_dumpdir() call.

Signed-off-by: Timo Alho <talho@nvidia.com>
Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>

diff --git a/drivers/firmware/tegra/bpmp-debugfs.c b/drivers/firmware/tegra/bpmp-debugfs.c
index 636b40d4364dff076dd6234d7dea1656b27db671..5a6a01b1687244b97b5651117996583248550567 100644 (file)
--- a/drivers/firmware/tegra/bpmp-debugfs.c
+++ b/drivers/firmware/tegra/bpmp-debugfs.c
@@ -127,6 +127,8 @@ static int mrq_debugfs_read(struct tegra_bpmp *bpmp,
        err = tegra_bpmp_transfer(bpmp, &msg);
        if (err < 0)
                return err;
+       else if (msg.rx.ret < 0)
+               return -EINVAL;
 
        *nbytes = (size_t)resp.fop.nbytes;
 
@@ -184,6 +186,8 @@ static int mrq_debugfs_dumpdir(struct tegra_bpmp *bpmp, dma_addr_t addr,
        err = tegra_bpmp_transfer(bpmp, &msg);
        if (err < 0)
                return err;
+       else if (msg.rx.ret < 0)
+               return -EINVAL;
 
        *nbytes = (size_t)resp.dumpdir.nbytes;
 
@@ -374,7 +378,7 @@ int tegra_bpmp_init_debugfs(struct tegra_bpmp *bpmp)
 {
        dma_addr_t phys;
        void *virt;
-       const size_t sz = SZ_256K;
+       const size_t sz = SZ_512K;
        size_t nbytes;
        int ret;
        struct dentry *root;
@@ -394,8 +398,12 @@ int tegra_bpmp_init_debugfs(struct tegra_bpmp *bpmp)
        }
 
        ret = mrq_debugfs_dumpdir(bpmp, phys, sz, &nbytes);
-       if (ret < 0)
+       if (ret < 0) {
+               goto free;
+       } else if (nbytes > sz) {
+               ret = -EINVAL;
                goto free;
+       }
 
        ret = create_debugfs_mirror(bpmp, virt, nbytes, root);
 free: