Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 574dd005 authored by Karthikeyan Ramasubramanian's avatar Karthikeyan Ramasubramanian
Browse files

slimbus: Fix the type usage of transaction id 



Transaction ID with a type of 'u8' will always have the range 0 to 255.
Checking it against the condition <= 255 and then incrementing it will
always return true and lead to an overflow.

Fix this behavior by updating the type of transaction ID to unsigned int
and use a preprocessor macro instead of magic number to check for the
upper threshold.

Change-Id: I43ec1d3dd2cda280292d416d422c298d9f8ebf6a
Signed-off-by: default avatarKarthikeyan Ramasubramanian <kramasub@codeaurora.org>
parent cd348a49

drivers/slimbus/slim-msm-ngd.c

+5 −4
Original line number Diff line number Diff line
@@ -392,18 +392,19 @@ static int ngd_get_tid(struct slim_controller *ctrl, struct slim_msg_txn *txn, 
	unsigned long flags;



	spin_lock_irqsave(&ctrl->txn_lock, flags);

	if (ctrl->last_tid <= 255) {

	if (ctrl->last_tid < SLIM_MAX_TXNS) {

		dev->msg_cnt = ctrl->last_tid;

		ctrl->last_tid++;

	} else {

		int i;



		for (i = 0; i < 256; i++) {

			dev->msg_cnt = ((dev->msg_cnt + 1) & 0xFF);

		for (i = 0; i < SLIM_MAX_TXNS; i++) {

			dev->msg_cnt =

				((dev->msg_cnt + 1) & (SLIM_MAX_TXNS - 1));

			if (ctrl->txnt[dev->msg_cnt] == NULL)

				break;

		}

		if (i >= 256) {

		if (i >= SLIM_MAX_TXNS) {

			dev_err(&ctrl->dev, "out of TID");

			spin_unlock_irqrestore(&ctrl->txn_lock, flags);

			return -ENOMEM;

drivers/slimbus/slimbus.c

+2 −2
Original line number Diff line number Diff line
@@ -744,7 +744,7 @@ EXPORT_SYMBOL(slim_msg_response); 
static int slim_processtxn(struct slim_controller *ctrl,

				struct slim_msg_txn *txn, bool need_tid)

{

	u8 i = 0;

	unsigned int i = 0;

	int ret = 0;

	unsigned long flags;
@@ -755,7 +755,7 @@ static int slim_processtxn(struct slim_controller *ctrl, 
				break;

		}

		if (i >= ctrl->last_tid) {

			if (ctrl->last_tid == 255) {

			if (ctrl->last_tid == SLIM_MAX_TXNS) {

				spin_unlock_irqrestore(&ctrl->txn_lock, flags);

				return -ENOMEM;

			}

include/linux/slimbus/slimbus.h

+2 −2
Original line number Diff line number Diff line
@@ -514,7 +514,7 @@ enum slim_clk_state { 
 * @devs: List of devices on this controller

 * @wq: Workqueue per controller used to notify devices when they report present

 * @txnt: Table of transactions having transaction ID

 * @last_tid: size of the table txnt (can't grow beyond 256 since TID is 8-bits)

 * @last_tid: size of the table txnt (can't grow beyond 256)

 * @ports: Ports associated with this controller

 * @nports: Number of ports supported by the controller

 * @chans: Channels associated with this controller
@@ -576,7 +576,7 @@ struct slim_controller { 
	struct list_head	devs;

	struct workqueue_struct *wq;

	struct slim_msg_txn	*txnt[SLIM_MAX_TXNS];

	u8			last_tid;

	unsigned int		last_tid;

	spinlock_t		txn_lock;

	struct slim_port	*ports;

	int			nports;