From patchwork Fri Apr 27 14:08:17 2018
X-Patchwork-Submitter: Alex Elder
X-Patchwork-Id: 134625
From: Alex Elder
To: andy.gross@linaro.org, david.brown@linaro.org
Cc: linux-arm-msm@vger.kernel.org, linux-soc@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] soc: qcom: qmi: fix a buffer sizing bug
Date: Fri, 27 Apr 2018 09:08:17 -0500
Message-Id: <20180427140817.10871-1-elder@linaro.org>

In qmi_handle_init(), a buffer is allocated to hold messages
received through the handle's socket. Any "normal" messages
(expected by the caller) will have a header prepended, so the
buffer size is adjusted to accommodate that. The buffer must also
be of sufficient size to receive control messages, so the size is
increased if necessary to ensure these will fit.

Unfortunately the calculation is done wrong, making it possible
for the calculated buffer size to be too small to hold a "normal"
message. Specifically, if:

    recv_buf_size > sizeof(struct qrtr_ctrl_pkt) - sizeof(struct qmi_header)
        AND
    recv_buf_size < sizeof(struct qrtr_ctrl_pkt)

the current logic will use sizeof(struct qrtr_ctrl_pkt) as the
receive buffer size, which is not enough to hold the maximum
"normal" message plus its header. Currently this problem occurs
for (13 < recv_buf_size < 20).

This patch corrects this.

Signed-off-by: Alex Elder --- drivers/soc/qcom/qmi_interface.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) -- 2.14.1 diff --git a/drivers/soc/qcom/qmi_interface.c b/drivers/soc/qcom/qmi_interface.c index 321982277697..938ca41c56cd 100644 --- a/drivers/soc/qcom/qmi_interface.c +++ b/drivers/soc/qcom/qmi_interface.c @@ -639,10 +639,11 @@ int qmi_handle_init(struct qmi_handle *qmi, size_t recv_buf_size, if (ops) qmi->ops = *ops; + /* Make room for the header */ + recv_buf_size += sizeof(struct qmi_header); + /* Must also be sufficient to hold a control packet */ if (recv_buf_size < sizeof(struct qrtr_ctrl_pkt)) recv_buf_size = sizeof(struct qrtr_ctrl_pkt); - else - recv_buf_size += sizeof(struct qmi_header); qmi->recv_buf_size = recv_buf_size; qmi->recv_buf = kzalloc(recv_buf_size, GFP_KERNEL);
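
Review bot: the added "recv_buf_size += sizeof(struct qmi_header);" at the top of the sizing block adds to a caller-supplied size_t with no upper bound, so a value within sizeof(struct qmi_header) of SIZE_MAX wraps to a small number, is then raised to sizeof(struct qrtr_ctrl_pkt) by the following check, and kzalloc() succeeds with a buffer far smaller than the caller requested. The removed else branch had the same unchecked addition, so this is not a regression, but since the patch is fixing the sizing it would be worth rejecting the call with -EINVAL before the addition when recv_buf_size > SIZE_MAX - sizeof(struct qmi_header), or bounding it by a maximum message size. Separately, the commit message describes an undersized receive buffer for 13 < recv_buf_size < 20 but carries no Fixes: tag; adding one would let stable maintainers pick the change up.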