summaryrefslogtreecommitdiff
path: root/drivers/soc
diff options
context:
space:
mode:
authorAlex Elder <elder@linaro.org>2018-04-27 09:08:17 -0500
committerAndy Gross <andy.gross@linaro.org>2018-05-25 15:53:58 -0500
commit7df5ff258bd27900d516fea88da10d05602bf8c7 (patch)
tree003dca0855f32fc21e4c7e059a910807e8fc089e /drivers/soc
parent488de0317bc50b0271de7baa03ecc91c3901d8ed (diff)
soc: qcom: qmi: fix a buffer sizing bug
In qmi_handle_init(), a buffer is allocated for to hold messages received through the handle's socket. Any "normal" messages (expected by the caller) will have a header prepended, so the buffer size is adjusted to accomodate that. The buffer must also be of sufficient size to receive control messages, so the size is increased if necessary to ensure these will fit. Unfortunately the calculation is done wrong, making it possible for the calculated buffer size to be too small to hold a "normal" message. Specifically, if: recv_buf_size > sizeof(struct qrtr_ctrl_pkt) - sizeof(struct qmi_header) AND recv_buf_size < sizeof(struct qrtr_ctrl_pkt) the current logic will use sizeof(struct qrtr_ctrl_pkt) as the receive buffer size, which is not enough to hold the maximum "normal" message plus its header. Currently this problem occurs for (13 < recv_buf_size < 20). This patch corrects this. Signed-off-by: Alex Elder <elder@linaro.org> Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org> Signed-off-by: Andy Gross <andy.gross@linaro.org>
Diffstat (limited to 'drivers/soc')
-rw-r--r--drivers/soc/qcom/qmi_interface.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/drivers/soc/qcom/qmi_interface.c b/drivers/soc/qcom/qmi_interface.c
index 321982277697..938ca41c56cd 100644
--- a/drivers/soc/qcom/qmi_interface.c
+++ b/drivers/soc/qcom/qmi_interface.c
@@ -639,10 +639,11 @@ int qmi_handle_init(struct qmi_handle *qmi, size_t recv_buf_size,
if (ops)
qmi->ops = *ops;
+ /* Make room for the header */
+ recv_buf_size += sizeof(struct qmi_header);
+ /* Must also be sufficient to hold a control packet */
if (recv_buf_size < sizeof(struct qrtr_ctrl_pkt))
recv_buf_size = sizeof(struct qrtr_ctrl_pkt);
- else
- recv_buf_size += sizeof(struct qmi_header);
qmi->recv_buf_size = recv_buf_size;
qmi->recv_buf = kzalloc(recv_buf_size, GFP_KERNEL);