
Commit c2eb1f7f authored by Amir Samuelov Committed by Gerrit - the friendly Code Review server

spcom: avoid implicit casting from size_t to uint32 for file ops



spcom exposes a "pseudo file" char-device to user space.
The file operation callback function definitions use size_t for the user
buffer size.
The spcom API uses uint32 as the spcom communication buffers are about
300 bytes, and the user space file operations read()/write() are limited to
PAGE_SIZE which is about 4KB.
Use explicit casting rather than implicit casting when fops callbacks
call spcom internal functions.

CRs-Fixed: 2025174
Change-Id: I5d6bf71ab77f97ea350178bb8b3473fd4cefddfd
Signed-off-by: Amir Samuelov <amirs@codeaurora.org>
parent cd538dbf
+16 −6
@@ -2024,6 +2024,7 @@ static int spcom_handle_get_req_size(struct spcom_channel *ch,
				      void *buf,
				      void *buf,
				      uint32_t size)
				      uint32_t size)
{
{
	int ret = -1;
	uint32_t next_req_size = 0;
	uint32_t next_req_size = 0;


	if (size < sizeof(next_req_size)) {
	if (size < sizeof(next_req_size)) {
@@ -2031,7 +2032,10 @@ static int spcom_handle_get_req_size(struct spcom_channel *ch,
		return -EINVAL;
		return -EINVAL;
	}
	}


	next_req_size = spcom_get_next_request_size(ch);
	ret = spcom_get_next_request_size(ch);
	if (ret < 0)
		return ret;
	next_req_size = (uint32_t) ret;


	memcpy(buf, &next_req_size, sizeof(next_req_size));
	memcpy(buf, &next_req_size, sizeof(next_req_size));
	pr_debug("next_req_size [%d].\n", next_req_size);
	pr_debug("next_req_size [%d].\n", next_req_size);
@@ -2136,18 +2140,20 @@ static int spcom_handle_read(struct spcom_channel *ch,
			      void *buf,
			      void *buf,
			      uint32_t size)
			      uint32_t size)
{
{
	int ret = -1;

	if (size == SPCOM_GET_NEXT_REQUEST_SIZE) {
	if (size == SPCOM_GET_NEXT_REQUEST_SIZE) {
		pr_debug("get next request size, ch [%s].\n", ch->name);
		pr_debug("get next request size, ch [%s].\n", ch->name);
		ch->is_server = true;
		ch->is_server = true;
		size = spcom_handle_get_req_size(ch, buf, size);
		ret = spcom_handle_get_req_size(ch, buf, size);
	} else {
	} else {
		pr_debug("get request/response, ch [%s].\n", ch->name);
		pr_debug("get request/response, ch [%s].\n", ch->name);
		size = spcom_handle_read_req_resp(ch, buf, size);
		ret = spcom_handle_read_req_resp(ch, buf, size);
	}
	}


	pr_debug("ch [%s] , size = %d.\n", ch->name, size);
	pr_debug("ch [%s] , size = %d.\n", ch->name, size);


	return size;
	return ret;
}
}


/*======================================================================*/
/*======================================================================*/
@@ -2299,6 +2305,7 @@ static ssize_t spcom_device_write(struct file *filp,
	char *buf;
	char *buf;
	struct spcom_channel *ch;
	struct spcom_channel *ch;
	const char *name = file_to_filename(filp);
	const char *name = file_to_filename(filp);
	int buf_size = 0;


	pr_debug("Write file [%s] size [%d] pos [%d].\n",
	pr_debug("Write file [%s] size [%d] pos [%d].\n",
		 name, (int) size, (int) *f_pos);
		 name, (int) size, (int) *f_pos);
@@ -2325,6 +2332,7 @@ static ssize_t spcom_device_write(struct file *filp,
			   (int) size, (int) SPCOM_MAX_COMMAND_SIZE);
			   (int) size, (int) SPCOM_MAX_COMMAND_SIZE);
		return -EINVAL;
		return -EINVAL;
	}
	}
	buf_size = size; /* explicit casting size_t to int */


	if (*f_pos != 0) {
	if (*f_pos != 0) {
		pr_err("offset should be zero, no sparse buffer.\n");
		pr_err("offset should be zero, no sparse buffer.\n");
@@ -2342,7 +2350,7 @@ static ssize_t spcom_device_write(struct file *filp,
		return -EFAULT;
		return -EFAULT;
	}
	}


	ret = spcom_handle_write(ch, buf, size);
	ret = spcom_handle_write(ch, buf, buf_size);
	if (ret) {
	if (ret) {
		pr_err("handle command error [%d].\n", ret);
		pr_err("handle command error [%d].\n", ret);
		kfree(buf);
		kfree(buf);
@@ -2370,6 +2378,7 @@ static ssize_t spcom_device_read(struct file *filp, char __user *user_buff,
	char *buf;
	char *buf;
	struct spcom_channel *ch;
	struct spcom_channel *ch;
	const char *name = file_to_filename(filp);
	const char *name = file_to_filename(filp);
	uint32_t buf_size = 0;


	pr_debug("Read file [%s], size = %d bytes.\n", name, (int) size);
	pr_debug("Read file [%s], size = %d bytes.\n", name, (int) size);


@@ -2378,6 +2387,7 @@ static ssize_t spcom_device_read(struct file *filp, char __user *user_buff,
		pr_err("invalid parameters.\n");
		pr_err("invalid parameters.\n");
		return -EINVAL;
		return -EINVAL;
	}
	}
	buf_size = size; /* explicit casting size_t to uint32_t */


	ch = filp->private_data;
	ch = filp->private_data;


@@ -2395,7 +2405,7 @@ static ssize_t spcom_device_read(struct file *filp, char __user *user_buff,
	if (buf == NULL)
	if (buf == NULL)
		return -ENOMEM;
		return -ENOMEM;


	ret = spcom_handle_read(ch, buf, size);
	ret = spcom_handle_read(ch, buf, buf_size);
	if (ret < 0) {
	if (ret < 0) {
		pr_err("read error [%d].\n", ret);
		pr_err("read error [%d].\n", ret);
		kfree(buf);
		kfree(buf);
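Review bot: The two conversions added in spcom_device_write and spcom_device_read, `buf_size = size; /* explicit casting size_t to int */` and `buf_size = size; /* explicit casting size_t to uint32_t */`, are still implicit conversions because no cast is written, so the comments describe something the code does not do. In the write path the assignment follows the visible SPCOM_MAX_COMMAND_SIZE rejection, so the value is bounded; in the read path the only preceding check shown is the "invalid parameters" one, whose condition lies outside the hunk, so whether a size_t above U32_MAX can reach the narrowing on a 64-bit kernel cannot be confirmed from here. If it can, the truncated value is what spcom_handle_read compares with SPCOM_GET_NEXT_REQUEST_SIZE and passes on as the buffer length, so I would make the bound explicit before converting, e.g. `if (size > U32_MAX) return -EINVAL;` followed by `buf_size = (uint32_t) size;`. Separately, spcom_handle_read no longer updates `size`, so its final `pr_debug("ch [%s] , size = %d.\n", ch->name, size);` now logs the requested size rather than the result; logging `ret` there would keep the trace useful.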