From: Yousef Alhouseen
To: Derek Kiernan, Dragan Cvetic
Cc: Arnd Bergmann, Greg Kroah-Hartman, Michal Simek, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Yousef Alhouseen
Subject: [PATCH] misc: xilinx_sdfec: validate LDPC code register offsets
Date: Wed, 24 Jun 2026 21:08:12 +0200
Message-ID: <20260624190812.3075-1-alhouseenyousef@gmail.com>

The LDPC code register helpers check the target MMIO address after adding code_id * XSDFEC_LDPC_REG_JUMP to the register base. code_id is supplied through the ioctl path, so the multiplication and addition can wrap before the bounds check.

Validate the code_id against the register window size before computing the final address, then write using the checked address.

Signed-off-by: Yousef Alhouseen
---
 drivers/misc/xilinx_sdfec.c | 72 +++++++++++++++++-------------------
 1 file changed, 32 insertions(+), 40 deletions(-)

diff --git a/drivers/misc/xilinx_sdfec.c b/drivers/misc/xilinx_sdfec.c index 3135ba3a5..63f0eb2bd 100644 --- a/drivers/misc/xilinx_sdfec.c +++ b/drivers/misc/xilinx_sdfec.c 
@@ -456,10 +456,23 @@ static int xsdfec_get_turbo(struct xsdfec_dev *xsdfec, void __user *arg) return err; } +static int xsdfec_ldpc_reg_addr(struct xsdfec_dev *xsdfec, u32 base, u32 high, + u32 offset, u32 *addr) +{ + if (offset > (high - base) / XSDFEC_LDPC_REG_JUMP) { + dev_dbg(xsdfec->dev, "Writing outside of LDPC register space"); + return -EINVAL; + } + + *addr = base + offset * XSDFEC_LDPC_REG_JUMP; + return 0; +} + static int xsdfec_reg0_write(struct xsdfec_dev *xsdfec, u32 n, u32 k, u32 psize, u32 offset) { u32 wdata; + u32 addr; if (n < XSDFEC_REG0_N_MIN || n > XSDFEC_REG0_N_MAX || psize == 0 || (n > XSDFEC_REG0_N_MUL_P * psize) || n <= k || ((n % psize) != 0)) { @@ -476,17 +489,11 @@ static int xsdfec_reg0_write(struct xsdfec_dev *xsdfec, u32 n, u32 k, u32 psize, k = k << XSDFEC_REG0_K_LSB; wdata = k | n; - if (XSDFEC_LDPC_CODE_REG0_ADDR_BASE + (offset * XSDFEC_LDPC_REG_JUMP) > - XSDFEC_LDPC_CODE_REG0_ADDR_HIGH) { - dev_dbg(xsdfec->dev, "Writing outside of LDPC reg0 space 0x%x", - XSDFEC_LDPC_CODE_REG0_ADDR_BASE + - (offset * XSDFEC_LDPC_REG_JUMP)); + if (xsdfec_ldpc_reg_addr(xsdfec, XSDFEC_LDPC_CODE_REG0_ADDR_BASE, + XSDFEC_LDPC_CODE_REG0_ADDR_HIGH, offset, + &addr)) return -EINVAL; - } - xsdfec_regwrite(xsdfec, - XSDFEC_LDPC_CODE_REG0_ADDR_BASE + - (offset * XSDFEC_LDPC_REG_JUMP), - wdata); + xsdfec_regwrite(xsdfec, addr, wdata); return 0; } @@ -494,6 +501,7 @@ static int xsdfec_reg1_write(struct xsdfec_dev *xsdfec, u32 psize, u32 no_packing, u32 nm, u32 offset) { u32 wdata; + u32 addr; if (psize < XSDFEC_REG1_PSIZE_MIN || psize > XSDFEC_REG1_PSIZE_MAX) { dev_dbg(xsdfec->dev, "Psize is not in range"); 
@@ -510,17 +518,11 @@ static int xsdfec_reg1_write(struct xsdfec_dev *xsdfec, u32 psize, nm = (nm << XSDFEC_REG1_NM_LSB) & XSDFEC_REG1_NM_MASK; wdata = nm | no_packing | psize; - if (XSDFEC_LDPC_CODE_REG1_ADDR_BASE + (offset * XSDFEC_LDPC_REG_JUMP) > - XSDFEC_LDPC_CODE_REG1_ADDR_HIGH) { - dev_dbg(xsdfec->dev, "Writing outside of LDPC reg1 space 0x%x", - XSDFEC_LDPC_CODE_REG1_ADDR_BASE + - (offset * XSDFEC_LDPC_REG_JUMP)); + if (xsdfec_ldpc_reg_addr(xsdfec, XSDFEC_LDPC_CODE_REG1_ADDR_BASE, + XSDFEC_LDPC_CODE_REG1_ADDR_HIGH, offset, + &addr)) return -EINVAL; - } - xsdfec_regwrite(xsdfec, - XSDFEC_LDPC_CODE_REG1_ADDR_BASE + - (offset * XSDFEC_LDPC_REG_JUMP), - wdata); + xsdfec_regwrite(xsdfec, addr, wdata); return 0; } @@ -529,6 +531,7 @@ static int xsdfec_reg2_write(struct xsdfec_dev *xsdfec, u32 nlayers, u32 nmqc, u32 max_schedule, u32 offset) { u32 wdata; + u32 addr; if (nlayers < XSDFEC_REG2_NLAYERS_MIN || nlayers > XSDFEC_REG2_NLAYERS_MAX) { @@ -563,17 +566,11 @@ static int xsdfec_reg2_write(struct xsdfec_dev *xsdfec, u32 nlayers, u32 nmqc, wdata = (max_schedule | no_final_parity | special_qc | norm_type | nmqc | nlayers); - if (XSDFEC_LDPC_CODE_REG2_ADDR_BASE + (offset * XSDFEC_LDPC_REG_JUMP) > - XSDFEC_LDPC_CODE_REG2_ADDR_HIGH) { - dev_dbg(xsdfec->dev, "Writing outside of LDPC reg2 space 0x%x", - XSDFEC_LDPC_CODE_REG2_ADDR_BASE + - (offset * XSDFEC_LDPC_REG_JUMP)); + if (xsdfec_ldpc_reg_addr(xsdfec, XSDFEC_LDPC_CODE_REG2_ADDR_BASE, + XSDFEC_LDPC_CODE_REG2_ADDR_HIGH, offset, + &addr)) return -EINVAL; - } - xsdfec_regwrite(xsdfec, - XSDFEC_LDPC_CODE_REG2_ADDR_BASE + - (offset * XSDFEC_LDPC_REG_JUMP), - wdata); + xsdfec_regwrite(xsdfec, addr, wdata); return 0; } 
@@ -581,20 +578,15 @@ static int xsdfec_reg3_write(struct xsdfec_dev *xsdfec, u8 sc_off, u8 la_off, u16 qc_off, u32 offset) { u32 wdata; + u32 addr; wdata = ((qc_off << XSDFEC_REG3_QC_OFF_LSB) | (la_off << XSDFEC_REG3_LA_OFF_LSB) | sc_off); - if (XSDFEC_LDPC_CODE_REG3_ADDR_BASE + (offset * XSDFEC_LDPC_REG_JUMP) > - XSDFEC_LDPC_CODE_REG3_ADDR_HIGH) { - dev_dbg(xsdfec->dev, "Writing outside of LDPC reg3 space 0x%x", - XSDFEC_LDPC_CODE_REG3_ADDR_BASE + - (offset * XSDFEC_LDPC_REG_JUMP)); + if (xsdfec_ldpc_reg_addr(xsdfec, XSDFEC_LDPC_CODE_REG3_ADDR_BASE, + XSDFEC_LDPC_CODE_REG3_ADDR_HIGH, offset, + &addr)) return -EINVAL; - } - xsdfec_regwrite(xsdfec, - XSDFEC_LDPC_CODE_REG3_ADDR_BASE + - (offset * XSDFEC_LDPC_REG_JUMP), - wdata); + xsdfec_regwrite(xsdfec, addr, wdata); return 0; } -- 2.54.0
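
Review bot: in the first hunk (@@ -456,10 +456,23 @@), xsdfec_ldpc_reg_addr() divides (high - base) by XSDFEC_LDPC_REG_JUMP without stating that high >= base is required; if the two arguments were ever passed in the wrong order, the u32 subtraction would wrap and the limit would become large enough to defeat the check. All four callers in this patch pass the matching XSDFEC_LDPC_CODE_REGn_ADDR_BASE and _HIGH constants, so a one-line comment on the helper stating the precondition, or an early "if (high < base) return -EINVAL;", would be enough. The single dev_dbg() string also loses what the four removed messages carried (which register bank, and the offending address); consider printing base and offset, for example "LDPC code offset %u outside register space at 0x%x".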
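
Review bot: at the call site in xsdfec_reg0_write() (@@ -476,17 +489,11 @@), and at the identical call sites in the reg1, reg2 and reg3 hunks, the helper's return value is tested and then discarded in favour of a hard-coded -EINVAL. Propagating it keeps the error code defined in one place and survives a later change to the helper: "err = xsdfec_ldpc_reg_addr(...); if (err) return err;".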
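
The wrap described in the commit message, modelled in user space as an added example (not code from the patch or the driver). DEMO_BASE, DEMO_HIGH, DEMO_JUMP and the sample offsets are constructed values, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins, not the driver's values (the page does not show them). */
#define DEMO_BASE 0x4000u
#define DEMO_HIGH 0x4FE0u
#define DEMO_JUMP 0x20u

typedef int (*reg_check_fn)(uint32_t offset, uint32_t *addr);

/* Pre-patch shape: build the address in 32 bits, then compare it to HIGH. */
static int check_after_compute(uint32_t offset, uint32_t *addr)
{
	*addr = DEMO_BASE + offset * DEMO_JUMP;	/* wraps modulo 2^32 */
	return *addr > DEMO_HIGH ? -1 : 0;
}

/* Patched shape: bound the index first, so the arithmetic below cannot wrap. */
static int check_before_compute(uint32_t offset, uint32_t *addr)
{
	if (offset > (DEMO_HIGH - DEMO_BASE) / DEMO_JUMP)
		return -1;
	*addr = DEMO_BASE + offset * DEMO_JUMP;
	return 0;
}

/* 1 if the check accepts an offset whose unwrapped (64-bit) address is past HIGH. */
static int accepts_out_of_window(reg_check_fn check, uint32_t offset)
{
	uint64_t true_addr = (uint64_t)DEMO_BASE + (uint64_t)offset * DEMO_JUMP;
	uint32_t addr;

	return check(offset, &addr) == 0 && true_addr > DEMO_HIGH;
}

int main(void)
{
	/* Constructed inputs: last valid slot, first invalid slot, two wrapping values. */
	const uint32_t samples[] = { 127u, 128u, 0x07FFFE00u, 0x08000000u };

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("offset 0x%08x: old=%d new=%d\n", (unsigned)samples[i],
		       accepts_out_of_window(check_after_compute, samples[i]),
		       accepts_out_of_window(check_before_compute, samples[i]));
	return 0;
}
```

With these constants the first wrapping sample makes the pre-patch check return an address below DEMO_BASE, which is why comparing only against the upper bound after the arithmetic is not sufficient.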