Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a7654c6b authored by Kyle Yan's avatar Kyle Yan Committed by Gerrit - the friendly Code Review server
Browse files

Merge "msm: ADSPRPC: Buffer length to be copied is truncated" into msm-4.8

parents 8c1402c0 d209c1ee

drivers/char/adsprpc.c

+12 −2
Original line number Diff line number Diff line
@@ -1023,6 +1023,7 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx) 
	/* calculate len requreed for copying */

	for (oix = 0; oix < inbufs + outbufs; ++oix) {

		int i = ctx->overps[oix]->raix;

		uintptr_t mstart, mend;

		ssize_t len = lpra[i].buf.len;



		if (!len)
@@ -1031,7 +1032,15 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx) 
			continue;

		if (ctx->overps[oix]->offset == 0)

			copylen = ALIGN(copylen, BALIGN);

		copylen += ctx->overps[oix]->mend - ctx->overps[oix]->mstart;

		mstart = ctx->overps[oix]->mstart;

		mend = ctx->overps[oix]->mend;

		VERIFY(err, (mend - mstart) <= LONG_MAX);

		if (err)

			goto bail;

		copylen += mend - mstart;

		VERIFY(err, copylen >= 0);

		if (err)

			goto bail;

	}

	ctx->used = copylen;
@@ -1111,7 +1120,7 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx) 
	for (oix = 0; oix < inbufs + outbufs; ++oix) {

		int i = ctx->overps[oix]->raix;

		struct fastrpc_mmap *map = ctx->maps[i];

		int mlen = ctx->overps[oix]->mend - ctx->overps[oix]->mstart;

		ssize_t mlen;

		uint64_t buf;

		ssize_t len = lpra[i].buf.len;
@@ -1123,6 +1132,7 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx) 
			rlen -= ALIGN(args, BALIGN) - args;

			args = ALIGN(args, BALIGN);

		}

		mlen = ctx->overps[oix]->mend - ctx->overps[oix]->mstart;

		VERIFY(err, rlen >= mlen);

		if (err)

			goto bail;