Merge "soc: qcom: scm: add check to avoid buffer overflow" (30d7dbe9) · Commits · e / devices / android_kernel_xiaomi_markw

drivers/soc/qcom/scm.c

+12 −6

Original line number	Diff line number	Diff line
		@@ -56,9 +56,16 @@ DEFINE_MUTEX(scm_lmh_lock);
		#define SMC_ATOMIC_MASK 0x80000000
		#define IS_CALL_AVAIL_CMD 1

		#define SCM_BUF_LEN(__cmd_size, __resp_size) \
		(sizeof(struct scm_command) + sizeof(struct scm_response) + \
		__cmd_size + __resp_size)
		#define SCM_BUF_LEN(__cmd_size, __resp_size) ({ \
		size_t x = __cmd_size + __resp_size; \
		size_t y = sizeof(struct scm_command) + sizeof(struct scm_response); \
		size_t result; \
		if (x < __cmd_size \|\| (x + y) < x) \
		result = 0; \
		else \
		result = x + y; \
		result; \
		})
		/**
		* struct scm_command - one SCM command buffer
		* @len: total available memory for command and response
		@@ -357,8 +364,7 @@ int scm_call_noalloc(u32 svc_id, u32 cmd_id, const void *cmd_buf,
		int ret;
		size_t len = SCM_BUF_LEN(cmd_len, resp_len);

		if (cmd_len > scm_buf_len \|\| resp_len > scm_buf_len \|\|
		len > scm_buf_len)
		if (len == 0)
		return -EINVAL;

		if (!IS_ALIGNED((unsigned long)scm_buf, PAGE_SIZE))
		@@ -783,7 +789,7 @@ int scm_call(u32 svc_id, u32 cmd_id, const void *cmd_buf, size_t cmd_len,
		int ret;
		size_t len = SCM_BUF_LEN(cmd_len, resp_len);

		if (cmd_len > len \|\| resp_len > len)
		if (len == 0 \|\| PAGE_ALIGN(len) < len)
		return -EINVAL;

		cmd = kzalloc(PAGE_ALIGN(len), GFP_KERNEL);