Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3c250821 authored by Jeff Hugo's avatar Jeff Hugo
Browse files

soc: qcom: smp2p: Copy the entry name out of smem for comparison 



Shared memory is configured as device memory, and thus has specific access
requirements.  Functions like strcmp() are not guaranteed to do the proper
accesses.  Searching for a SMP2P entry involves a strcmp() call with the
entry name stored in shared memory used as one of the parameters.

To ensure safe device memory accesses, use a safe memcpy function to copy
the entry name into local memory, and use that copy for the comparison.

Change-Id: I3edb236090ce21201330485acd54c6de18ece3b6
Signed-off-by: default avatarJeffrey Hugo <jhugo@codeaurora.org>
parent e589fedd

drivers/soc/qcom/smp2p.c

+4 −2
Original line number Diff line number Diff line
@@ -506,6 +506,7 @@ static void smp2p_find_entry_v1(struct smp2p_smem __iomem *item, 
{

	int i;

	struct smp2p_entry_v1 *pos;

	char entry_name[SMP2P_MAX_ENTRY_NAME];



	if (!item || !name || !entry_ptr) {

		SMP2P_ERR("%s: invalid arguments %p, %p, %p\n",
@@ -519,8 +520,9 @@ static void smp2p_find_entry_v1(struct smp2p_smem __iomem *item, 


	pos = (struct smp2p_entry_v1 *)(char *)(item + 1);

	for (i = 0; i < entries_total; i++, ++pos) {

		if (pos->name[0]) {

			if (!strncmp(pos->name, name, SMP2P_MAX_ENTRY_NAME)) {

		memcpy_fromio(entry_name, pos->name, SMP2P_MAX_ENTRY_NAME);

		if (entry_name[0]) {

			if (!strcmp(entry_name, name)) {

				*entry_ptr = &pos->entry;

				break;

			}

drivers/soc/qcom/smp2p_debug.c

+8 −2
Original line number Diff line number Diff line
@@ -14,6 +14,7 @@ 
#include <linux/ctype.h>

#include <linux/list.h>

#include <linux/debugfs.h>

#include <linux/io.h>

#include "smp2p_private.h"



#if defined(CONFIG_DEBUG_FS)
@@ -167,6 +168,7 @@ static void smp2p_item(struct seq_file *s, int remote_pid) 
	struct smp2p_entry_v1 *in_entries = NULL;

	int out_valid = 0;

	int in_valid = 0;

	char entry_name[SMP2P_MAX_ENTRY_NAME];



	int_cfg = smp2p_get_interrupt_config();

	if (!int_cfg)
@@ -239,9 +241,11 @@ static void smp2p_item(struct seq_file *s, int remote_pid) 


	for (entry = 0; out_entries || in_entries; ++entry) {

		if (out_entries && entry < out_valid) {

			memcpy_fromio(entry_name, out_entries->name,

							SMP2P_MAX_ENTRY_NAME);

			scnprintf(tmp_buff, sizeof(tmp_buff),

					"%-16s 0x%08x",

					out_entries->name,

					entry_name,

					out_entries->entry);

			++out_entries;

		} else {
@@ -251,9 +255,11 @@ static void smp2p_item(struct seq_file *s, int remote_pid) 
		seq_printf(s, "| %-37s", tmp_buff);



		if (in_entries && entry < in_valid) {

			memcpy_fromio(entry_name, in_entries->name,

							SMP2P_MAX_ENTRY_NAME);

			scnprintf(tmp_buff, sizeof(tmp_buff),

					"%-16s 0x%08x",

					in_entries->name,

					entry_name,

					in_entries->entry);

			++in_entries;

		} else {