firmware: exynos-acpm: Count acpm_xfer buffers with __counted_by_ptr

Use __counted_by_ptr() attribute on the acpm_xfer buffers so UBSAN will
validate runtime that we do not pass over the buffer size, thus making
code safer.

Usage of __counted_by_ptr() (or actually __counted_by()) requires that
counter is initialized before counted array.

Tested-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Reviewed-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Link: https://patch.msgid.link/20260219-firmare-acpm-counted-v2-3-e1f7389237d3@oss.qualcomm.com
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>

diff --git a/drivers/firmware/samsung/exynos-acpm-dvfs.c b/drivers/firmware/samsung/exynos-acpm-dvfs.c
index 485fc77ad4b1a3092c1c7c7e0ee22533874f6d00..17e7be7757b3940c85f945c845f43a1373130958 100644 (file)
--- a/drivers/firmware/samsung/exynos-acpm-dvfs.c
+++ b/drivers/firmware/samsung/exynos-acpm-dvfs.c
@@ -25,12 +25,12 @@ static void acpm_dvfs_set_xfer(struct acpm_xfer *xfer, u32 *cmd, size_t cmdlen,
                               unsigned int acpm_chan_id, bool response)
 {
        xfer->acpm_chan_id = acpm_chan_id;
-       xfer->txd = cmd;
        xfer->txcnt = cmdlen;
+       xfer->txd = cmd;
 
        if (response) {
-               xfer->rxd = cmd;
                xfer->rxcnt = cmdlen;
+               xfer->rxd = cmd;
        }
 }
 

diff --git a/drivers/firmware/samsung/exynos-acpm.h b/drivers/firmware/samsung/exynos-acpm.h
index 422fbcac728423a39d9f95031871294ec38edc61..8392fcb91f459f1a043e7f8217f4ce7fa727861a 100644 (file)
--- a/drivers/firmware/samsung/exynos-acpm.h
+++ b/drivers/firmware/samsung/exynos-acpm.h
@@ -8,8 +8,8 @@
 #define __EXYNOS_ACPM_H__
 
 struct acpm_xfer {
-       const u32 *txd;
-       u32 *rxd;
+       const u32 *txd __counted_by_ptr(txcnt);
+       u32 *rxd __counted_by_ptr(rxcnt);
        size_t txcnt;
        size_t rxcnt;
        unsigned int acpm_chan_id;