* [PATCH] crypto: qat - validate slices count returned by FW
@ 2024-04-16 10:33 Lucas Segarra Fernandez
2024-04-26 9:30 ` Herbert Xu
0 siblings, 1 reply; 2+ messages in thread
From: Lucas Segarra Fernandez @ 2024-04-16 10:33 UTC (permalink / raw
To: herbert
Cc: linux-crypto, qat-linux, Lucas Segarra Fernandez,
Damian Muszynski, Giovanni Cabiddu
The function adf_send_admin_tl_start() enables the telemetry (TL)
feature on a QAT device by sending the ICP_QAT_FW_TL_START message to
the firmware. This triggers the FW to start writing TL data to a DMA
buffer in memory and returns an array containing the number of
accelerators of each type (slices) supported by this HW.
The pointer to this array is stored in the adf_tl_hw_data data
structure called slice_cnt.
The array slice_cnt is then used in the function tl_print_dev_data()
to report in debugfs only statistics about the supported accelerators.
An incorrect value of the elements in slice_cnt might lead to an out
of bounds memory read.
At the moment, there isn't an implementation of FW that returns a wrong
value, but for robustness validate the slice count array returned by FW.
Fixes: 69e7649f7cc2 ("crypto: qat - add support for device telemetry")
Signed-off-by: Lucas Segarra Fernandez <lucas.segarra.fernandez@intel.com>
Reviewed-by: Damian Muszynski <damian.muszynski@intel.com>
Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
---
.../crypto/intel/qat/qat_common/adf_gen4_tl.c | 1 +
.../intel/qat/qat_common/adf_telemetry.c | 21 +++++++++++++++++++
.../intel/qat/qat_common/adf_telemetry.h | 1 +
3 files changed, 23 insertions(+)
diff --git a/drivers/crypto/intel/qat/qat_common/adf_gen4_tl.c b/drivers/crypto/intel/qat/qat_common/adf_gen4_tl.c
index 7fc7a77f6aed..c7ad8cf07863 100644
--- a/drivers/crypto/intel/qat/qat_common/adf_gen4_tl.c
+++ b/drivers/crypto/intel/qat/qat_common/adf_gen4_tl.c
@@ -149,5 +149,6 @@ void adf_gen4_init_tl_data(struct adf_tl_hw_data *tl_data)
tl_data->sl_exec_counters = sl_exec_counters;
tl_data->rp_counters = rp_counters;
tl_data->num_rp_counters = ARRAY_SIZE(rp_counters);
+ tl_data->max_sl_cnt = ADF_GEN4_TL_MAX_SLICES_PER_TYPE;
}
EXPORT_SYMBOL_GPL(adf_gen4_init_tl_data);
diff --git a/drivers/crypto/intel/qat/qat_common/adf_telemetry.c b/drivers/crypto/intel/qat/qat_common/adf_telemetry.c
index 2ff714d11bd2..74fb0c2ed241 100644
--- a/drivers/crypto/intel/qat/qat_common/adf_telemetry.c
+++ b/drivers/crypto/intel/qat/qat_common/adf_telemetry.c
@@ -41,6 +41,20 @@ static int validate_tl_data(struct adf_tl_hw_data *tl_data)
return 0;
}
+static int validate_tl_slice_counters(struct icp_qat_fw_init_admin_slice_cnt *slice_count,
+ u8 max_slices_per_type)
+{
+ u8 *sl_counter = (u8 *)slice_count;
+ int i;
+
+ for (i = 0; i < ADF_TL_SL_CNT_COUNT; i++) {
+ if (sl_counter[i] > max_slices_per_type)
+ return -EINVAL;
+ }
+
+ return 0;
+}
+
static int adf_tl_alloc_mem(struct adf_accel_dev *accel_dev)
{
struct adf_tl_hw_data *tl_data = &GET_TL_DATA(accel_dev);
@@ -214,6 +228,13 @@ int adf_tl_run(struct adf_accel_dev *accel_dev, int state)
return ret;
}
+ ret = validate_tl_slice_counters(&telemetry->slice_cnt, tl_data->max_sl_cnt);
+ if (ret) {
+ dev_err(dev, "invalid value returned by FW\n");
+ adf_send_admin_tl_stop(accel_dev);
+ return ret;
+ }
+
telemetry->hbuffs = state;
atomic_set(&telemetry->state, state);
diff --git a/drivers/crypto/intel/qat/qat_common/adf_telemetry.h b/drivers/crypto/intel/qat/qat_common/adf_telemetry.h
index 9be81cd3b886..e54a406cc1b4 100644
--- a/drivers/crypto/intel/qat/qat_common/adf_telemetry.h
+++ b/drivers/crypto/intel/qat/qat_common/adf_telemetry.h
@@ -40,6 +40,7 @@ struct adf_tl_hw_data {
u8 num_dev_counters;
u8 num_rp_counters;
u8 max_rp;
+ u8 max_sl_cnt;
};
struct adf_telemetry {
base-commit: a64466233e2ff45c846ea79c6ca4f2d50ef1244b
--
2.43.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] crypto: qat - validate slices count returned by FW
2024-04-16 10:33 [PATCH] crypto: qat - validate slices count returned by FW Lucas Segarra Fernandez
@ 2024-04-26 9:30 ` Herbert Xu
0 siblings, 0 replies; 2+ messages in thread
From: Herbert Xu @ 2024-04-26 9:30 UTC (permalink / raw
To: Lucas Segarra Fernandez
Cc: linux-crypto, qat-linux, Damian Muszynski, Giovanni Cabiddu
On Tue, Apr 16, 2024 at 12:33:37PM +0200, Lucas Segarra Fernandez wrote:
> The function adf_send_admin_tl_start() enables the telemetry (TL)
> feature on a QAT device by sending the ICP_QAT_FW_TL_START message to
> the firmware. This triggers the FW to start writing TL data to a DMA
> buffer in memory and returns an array containing the number of
> accelerators of each type (slices) supported by this HW.
> The pointer to this array is stored in the adf_tl_hw_data data
> structure called slice_cnt.
>
> The array slice_cnt is then used in the function tl_print_dev_data()
> to report in debugfs only statistics about the supported accelerators.
> An incorrect value of the elements in slice_cnt might lead to an out
> of bounds memory read.
> At the moment, there isn't an implementation of FW that returns a wrong
> value, but for robustness validate the slice count array returned by FW.
>
> Fixes: 69e7649f7cc2 ("crypto: qat - add support for device telemetry")
> Signed-off-by: Lucas Segarra Fernandez <lucas.segarra.fernandez@intel.com>
> Reviewed-by: Damian Muszynski <damian.muszynski@intel.com>
> Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
> ---
> .../crypto/intel/qat/qat_common/adf_gen4_tl.c | 1 +
> .../intel/qat/qat_common/adf_telemetry.c | 21 +++++++++++++++++++
> .../intel/qat/qat_common/adf_telemetry.h | 1 +
> 3 files changed, 23 insertions(+)
Patch applied. Thanks.
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2024-04-26 9:30 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-04-16 10:33 [PATCH] crypto: qat - validate slices count returned by FW Lucas Segarra Fernandez
2024-04-26 9:30 ` Herbert Xu
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).