On Fri 27 Apr 07:08 PDT 2018, Alex Elder wrote: > In qmi_handle_init(), a buffer is allocated for to hold messages > received through the handle's socket. Any "normal" messages > (expected by the caller) will have a header prepended, so the > buffer size is adjusted to accomodate that. > > The buffer must also be of sufficient size to receive control > messages, so the size is increased if necessary to ensure these > will fit. > > Unfortunately the calculation is done wrong, making it possible > for the calculated buffer size to be too small to hold a "normal" > message. Specifically, if: > > recv_buf_size > sizeof(struct qrtr_ctrl_pkt) - sizeof(struct qmi_header) > AND > recv_buf_size < sizeof(struct qrtr_ctrl_pkt) > > the current logic will use sizeof(struct qrtr_ctrl_pkt) as the > receive buffer size, which is not enough to hold the maximum > "normal" message plus its header. Currently this problem occurs > for (13 < recv_buf_size < 20). > > This patch corrects this. > > Signed-off-by: Alex Elder <elder@xxxxxxxxxx> Good catch, thanks! Reviewed-by: Bjorn Andersson <bjorn.andersson@xxxxxxxxxx> Regards, Bjorn > --- > drivers/soc/qcom/qmi_interface.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/drivers/soc/qcom/qmi_interface.c b/drivers/soc/qcom/qmi_interface.c > index 321982277697..938ca41c56cd 100644 > --- a/drivers/soc/qcom/qmi_interface.c > +++ b/drivers/soc/qcom/qmi_interface.c > @@ -639,10 +639,11 @@ int qmi_handle_init(struct qmi_handle *qmi, size_t recv_buf_size, > if (ops) > qmi->ops = *ops; > > + /* Make room for the header */ > + recv_buf_size += sizeof(struct qmi_header); > + /* Must also be sufficient to hold a control packet */ > if (recv_buf_size < sizeof(struct qrtr_ctrl_pkt)) > recv_buf_size = sizeof(struct qrtr_ctrl_pkt); > - else > - recv_buf_size += sizeof(struct qmi_header); > > qmi->recv_buf_size = recv_buf_size; > qmi->recv_buf = kzalloc(recv_buf_size, GFP_KERNEL); > -- > 2.14.1 > -- To unsubscribe from this list: send the line "unsubscribe linux-arm-msm" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html