rpmsg : glink: validate head and tail index before fifo read write (e80a8aa9) · Commits · e / devices / android_kernel_fairphone_FP4

drivers/rpmsg/qcom_glink_smem.c

+19 −4

Original line number	Diff line number	Diff line
		// SPDX-License-Identifier: GPL-2.0
		/*
		* Copyright (c) 2016, Linaro Ltd
		* Copyright (c) 2018, The Linux Foundation, All rights reserved.
		* Copyright (c) 2018-2019, The Linux Foundation, All rights reserved.
		*/

		#include <linux/io.h>
		@@ -72,9 +72,14 @@ static size_t glink_smem_rx_avail(struct qcom_glink_pipe *np)
		tail = le32_to_cpu(*pipe->tail);

		if (head < tail)
		return pipe->native.length - tail + head;
		len = pipe->native.length - tail + head;
		else
		return head - tail;
		len = head - tail;

		if (WARN_ON_ONCE(len > pipe->native.length))
		len = 0;

		return len;
		}

		static void glink_smem_rx_peak(struct qcom_glink_pipe *np,
		@@ -85,6 +90,10 @@ static void glink_smem_rx_peak(struct qcom_glink_pipe *np,
		u32 tail;

		tail = le32_to_cpu(*pipe->tail);

		if (WARN_ON_ONCE(tail > pipe->native.length))
		return;

		tail += offset;
		if (tail >= pipe->native.length)
		tail -= pipe->native.length;
		@@ -109,7 +118,7 @@ static void glink_smem_rx_advance(struct qcom_glink_pipe *np,

		tail += count;
		if (tail >= pipe->native.length)
		tail -= pipe->native.length;
		tail %= pipe->native.length;

		*pipe->tail = cpu_to_le32(tail);
		}
		@@ -134,6 +143,9 @@ static size_t glink_smem_tx_avail(struct qcom_glink_pipe *np)
		else
		avail -= FIFO_FULL_RESERVE + TX_BLOCKED_CMD_RESERVE;

		if (WARN_ON_ONCE(avail > pipe->native.length))
		avail = 0;

		return avail;
		}

		@@ -143,6 +155,9 @@ static unsigned int glink_smem_tx_write_one(struct glink_smem_pipe *pipe,
		{
		size_t len;

		if (WARN_ON_ONCE(head > pipe->native.length))
		return head;

		len = min_t(size_t, count, pipe->native.length - head);
		if (len)
		memcpy(pipe->fifo + head, data, len);