Re: [PATCH] tty: serial: qcom-geni-serial: fix slab-out-of-bounds on RX FIFO buffer

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 20. 12. 22, 17:15, Krzysztof Kozlowski wrote:
Driver's probe allocates memory for RX FIFO (port->rx_fifo) based on
default RX FIFO depth, e.g. 16.  Later during serial startup the
qcom_geni_serial_port_setup() updates the RX FIFO depth
(port->rx_fifo_depth) to match real device capabilities, e.g. to 32.
...
If the RX FIFO depth changes after probe, be sure to resize the buffer.

Fixes: f9d690b6ece7 ("tty: serial: qcom_geni_serial: Allocate port->rx_fifo buffer in probe")
Cc: <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@xxxxxxxxxx>

Reviewed-by: Jiri Slaby <jirislaby@xxxxxxxxxx>

This patch LGTM, I only wonder:

--- a/drivers/tty/serial/qcom_geni_serial.c
+++ b/drivers/tty/serial/qcom_geni_serial.c
@@ -864,9 +864,10 @@ static irqreturn_t qcom_geni_serial_isr(int isr, void *dev)
  	return IRQ_HANDLED;
  }
-static void get_tx_fifo_size(struct qcom_geni_serial_port *port)
+static int get_tx_fifo_size(struct qcom_geni_serial_port *port)

... why is this function dubbed get_tx_fifo_size(), provided it handles rx fifo too? And it does not "get" the tx fifo size. In fact, the function sets that :).

  {
  	struct uart_port *uport;
+	u32 old_rx_fifo_depth = port->rx_fifo_depth;
uport = &port->uport;
  	port->tx_fifo_depth = geni_se_get_tx_fifo_depth(&port->se);
@@ -874,6 +875,16 @@ static void get_tx_fifo_size(struct qcom_geni_serial_port *port)
  	port->rx_fifo_depth = geni_se_get_rx_fifo_depth(&port->se);
  	uport->fifosize =
  		(port->tx_fifo_depth * port->tx_fifo_width) / BITS_PER_BYTE;
+
+	if (port->rx_fifo && (old_rx_fifo_depth != port->rx_fifo_depth) && port->rx_fifo_depth) {
+		port->rx_fifo = devm_krealloc(uport->dev, port->rx_fifo,
+					      port->rx_fifo_depth * sizeof(u32),
+					      GFP_KERNEL);

And now it even allocates memory.

So more appropriate name should be setup_fifos() or similar.

+		if (!port->rx_fifo)
+			return -ENOMEM;
+	}
+
+	return 0;


--
js
suse labs




[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [Linux for Sparc]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux