From b49a0e69a7b1a68c8d3f64097d06dabb770fec96 Mon Sep 17 00:00:00 2001
From: Iwona Winiarska
Date: Wed, 4 Aug 2021 01:48:18 +0200
Subject: [PATCH 1/4] soc: aspeed: lpc-ctrl: Fix boundary check for mmap
The check mixes pages (vm_pgoff) with bytes (vm_start, vm_end) on one side of the comparison, and uses resource address (rather than just the resource size) on the other side of the comparison. This can allow malicious userspace to easily bypass the boundary check and map pages that are located outside memory-region reserved by the driver.
Fixes: 6c4e97678501 ("drivers/misc: Add Aspeed LPC control driver")
Cc: stable@vger.kernel.org
Signed-off-by: Iwona Winiarska
Reviewed-by: Andrew Jeffery
Tested-by: Andrew Jeffery
Reviewed-by: Joel Stanley
Signed-off-by: Joel Stanley
---
 drivers/soc/aspeed/aspeed-lpc-ctrl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/soc/aspeed/aspeed-lpc-ctrl.c b/drivers/soc/aspeed/aspeed-lpc-ctrl.c
index c557ffd0992c..55e46fa6cf42 100644
--- a/drivers/soc/aspeed/aspeed-lpc-ctrl.c
+++ b/drivers/soc/aspeed/aspeed-lpc-ctrl.c
@@ -51,7 +51,7 @@ static int aspeed_lpc_ctrl_mmap(struct file *file, struct vm_area_struct *vma)
 unsigned long vsize = vma->vm_end - vma->vm_start;
 pgprot_t prot = vma->vm_page_prot;
- if (vma->vm_pgoff + vsize > lpc_ctrl->mem_base + lpc_ctrl->mem_size)
+ if (vma->vm_pgoff + vma_pages(vma) > lpc_ctrl->mem_size >> PAGE_SHIFT)
 return -EINVAL;
 /* ast2400/2500 AHB accesses are not cache coherent */
From 8b07e990fb254fcbaa919616ac77f981cb48c73d Mon Sep 17 00:00:00 2001
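Review bot: The new bound in `aspeed_lpc_ctrl_mmap` compares page counts on both sides, but nothing at the check says so, and unit confusion is exactly what the old line got wrong; a comment such as `/* vm_pgoff and vma_pages() are in pages; compare against the region size in pages, never its address */` above the `if` would keep it from regressing. Parenthesising the right-hand side, `> (lpc_ctrl->mem_size >> PAGE_SHIFT)`, makes the precedence explicit to the next reader. The sum `vma->vm_pgoff + vma_pages(vma)` is not guarded against wrap-around in the visible lines; presumably the core mmap path rejects overflowing offsets before the driver is called, which is worth confirming and stating in that comment. The same points apply to the identical check in `aspeed_p2a_mmap` in patch 2/4. The function body continues outside the hunk.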
From: Iwona Winiarska
Date: Wed, 4 Aug 2021 01:48:19 +0200
Subject: [PATCH 2/4] soc: aspeed: p2a-ctrl: Fix boundary check for mmap
The check mixes pages (vm_pgoff) with bytes (vm_start, vm_end) on one side of the comparison, and uses resource address (rather than just the resource size) on the other side of the comparison. This can allow malicious userspace to easily bypass the boundary check and map pages that are located outside memory-region reserved by the driver.
Fixes: 01c60dcea9f7 ("drivers/misc: Add Aspeed P2A control driver")
Cc: stable@vger.kernel.org
Signed-off-by: Iwona Winiarska
Reviewed-by: Andrew Jeffery
Tested-by: Andrew Jeffery
Reviewed-by: Joel Stanley
Signed-off-by: Joel Stanley
---
 drivers/soc/aspeed/aspeed-p2a-ctrl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/soc/aspeed/aspeed-p2a-ctrl.c b/drivers/soc/aspeed/aspeed-p2a-ctrl.c
index b60fbeaffcbd..20b5fb2a207c 100644
--- a/drivers/soc/aspeed/aspeed-p2a-ctrl.c
+++ b/drivers/soc/aspeed/aspeed-p2a-ctrl.c
@@ -110,7 +110,7 @@ static int aspeed_p2a_mmap(struct file *file, struct vm_area_struct *vma)
 vsize = vma->vm_end - vma->vm_start;
 prot = vma->vm_page_prot;
- if (vma->vm_pgoff + vsize > ctrl->mem_base + ctrl->mem_size)
+ if (vma->vm_pgoff + vma_pages(vma) > ctrl->mem_size >> PAGE_SHIFT)
 return -EINVAL;
 /* ast2400/2500 AHB accesses are not cache coherent */
From 8812dff6459dd898ba27e49ccac646d12bbcea23 Mon Sep 17 00:00:00 2001
From: Joel Stanley
Date: Wed, 18 Aug 2021 10:35:34 +0930
Subject: [PATCH 3/4] soc: aspeed: socinfo: Add AST2625 variant
Add AST26XX series AST2625-A3 SOC ID, taken from the vendor u-boot SDK: arch/arm/mach-aspeed/ast2600/scu_info.c + SOC_ID("AST2625-A3", 0x0503040305030403),
Reviewed-by: Dylan Hung
Link: https://lore.kernel.org/r/20210818010534.2508122-1-joel@jms.id.au
Signed-off-by: Joel Stanley
---
 drivers/soc/aspeed/aspeed-socinfo.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/drivers/soc/aspeed/aspeed-socinfo.c b/drivers/soc/aspeed/aspeed-socinfo.c
index e3215f826d17..1ca140356a08 100644
--- a/drivers/soc/aspeed/aspeed-socinfo.c
+++ b/drivers/soc/aspeed/aspeed-socinfo.c
@@ -26,6 +26,7 @@ static struct {
 { "AST2600", 0x05000303 },
 { "AST2620", 0x05010203 },
 { "AST2605", 0x05030103 },
+ { "AST2625", 0x05030403 },
 };
 static const char *siliconid_to_name(u32 siliconid)
From 2f9b25fa668218f22a85ebe8c55d1d132fc0019d Mon Sep 17 00:00:00 2001
From: Joel Stanley
Date: Tue, 29 Jun 2021 17:05:19 +0930
Subject: [PATCH 4/4] soc: aspeed: Re-enable FWH2AHB on AST2600
Recent builds of the vendor u-boot tree disable features of the BMC that may allow unwanted access if not correctly configured. This includes the firmware hub to ahb bridge (FWH2AHB), which is used by this driver. The bit to "un-disable" it is in the SCU. Set it only when the ioctl is called and we are running on the ast2600, as to not open up the 'backdoor' unless there's userspace trying to use it.
Fixes: deb50313ba83 ("soc: aspeed-lpc-ctrl: LPC to AHB mapping on ast2600")
Link: https://lore.kernel.org/r/20210629073520.318514-2-joel@jms.id.au
Signed-off-by: Joel Stanley
---
 drivers/soc/aspeed/aspeed-lpc-ctrl.c | 29 ++++++++++++++++++++++------
 1 file changed, 23 insertions(+), 6 deletions(-)
diff --git a/drivers/soc/aspeed/aspeed-lpc-ctrl.c b/drivers/soc/aspeed/aspeed-lpc-ctrl.c
index 55e46fa6cf42..6893c5ec3259 100644
--- a/drivers/soc/aspeed/aspeed-lpc-ctrl.c
+++ b/drivers/soc/aspeed/aspeed-lpc-ctrl.c
@@ -37,6 +37,7 @@ struct aspeed_lpc_ctrl {
 u32 pnor_size;
 u32 pnor_base;
 bool fwh2ahb;
+ struct regmap *scu;
 };
 static struct aspeed_lpc_ctrl *file_aspeed_lpc_ctrl(struct file *file)
@@ -183,13 +184,22 @@ static long aspeed_lpc_ctrl_ioctl(struct file *file, unsigned int cmd,
 /*
 * Switch to FWH2AHB mode, AST2600 only.
- *
- * The other bits in this register are interrupt status bits
- * that are cleared by writing 1. As we don't want to clear
- * them, set only the bit of interest.
 */
- if (lpc_ctrl->fwh2ahb)
+ if (lpc_ctrl->fwh2ahb) {
+ /*
+ * Enable FWH2AHB in SCU debug control register 2. This
+ * does not turn it on, but makes it available for it
+ * to be configured in HICR6.
+ */
+ regmap_update_bits(lpc_ctrl->scu, 0x0D8, BIT(2), 0);
+ /*
+ * The other bits in this register are interrupt status bits
+ * that are cleared by writing 1. As we don't want to clear
+ * them, set only the bit of interest.
+ */
 regmap_write(lpc_ctrl->regmap, HICR6, SW_FWH2AHB);
+ }
 /*
 * Enable LPC FHW cycles. This is required for the host to
@@ -296,9 +306,16 @@ static int aspeed_lpc_ctrl_probe(struct platform_device *pdev)
 return rc;
 }
- if (of_device_is_compatible(dev->of_node, "aspeed,ast2600-lpc-ctrl"))
+ if (of_device_is_compatible(dev->of_node, "aspeed,ast2600-lpc-ctrl")) {
 lpc_ctrl->fwh2ahb = true;
+ lpc_ctrl->scu = syscon_regmap_lookup_by_compatible("aspeed,ast2600-scu");
+ if (IS_ERR(lpc_ctrl->scu)) {
+ dev_err(dev, "couldn't find scu\n");
+ return PTR_ERR(lpc_ctrl->scu);
+ }
+ }
 lpc_ctrl->miscdev.minor = MISC_DYNAMIC_MINOR;
 lpc_ctrl->miscdev.name = DEVICE_NAME;
 lpc_ctrl->miscdev.fops = &aspeed_lpc_ctrl_fops;
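Review bot: The result of `regmap_update_bits(lpc_ctrl->scu, 0x0D8, BIT(2), 0)` in `aspeed_lpc_ctrl_ioctl` is ignored, so a failed SCU write would leave the bridge disabled while the HICR6 write and the rest of the ioctl carry on as if it had succeeded; checking the result and returning the error before touching HICR6 would close that gap (the function's error-return convention lies outside the hunk). The raw `0x0D8` and `BIT(2)` would read better as named constants alongside `HICR6`, with a note that the bit is a disable bit, which is why it is cleared rather than set. Nothing in the visible hunks sets that bit again when the mapping is torn down or the device is closed, so after the first ioctl the bridge appears to stay available until reset. If that is intended, the comment should say so, since the commit message describes this path as a 'backdoor' that should open only on demand.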
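Review bot: The new early `return PTR_ERR(lpc_ctrl->scu);` in `aspeed_lpc_ctrl_probe` comes after an earlier step whose own failure path is visible just above it (`return rc; }`), and it unwinds nothing. If that earlier step acquired something that is not device-managed, for example an enabled clock, this return would leave it held; the preceding lines are outside the hunk, so this needs checking against the full function. Doing the SCU lookup before that step, or routing this failure through whatever unwind the later error paths use, would avoid the problem. A short comment on the `scu` field, such as `/* AST2600 only: SCU syscon, used to re-enable FWH2AHB */`, would also make clear that the pointer is unset on other SoCs.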