Re: [PATCH] tty: serial: qcom-geni-serial: fix slab-out-of-bounds on RX FIFO buffer
From: Jiri Slaby
Date: Wed Dec 21 2022 - 01:43:13 EST
On 20. 12. 22, 17:15, Krzysztof Kozlowski wrote:
Driver's probe allocates memory for RX FIFO (port->rx_fifo) based on
default RX FIFO depth, e.g. 16. Later during serial startup the
qcom_geni_serial_port_setup() updates the RX FIFO depth
(port->rx_fifo_depth) to match real device capabilities, e.g. to 32.
...
If the RX FIFO depth changes after probe, be sure to resize the buffer.
Fixes: f9d690b6ece7 ("tty: serial: qcom_geni_serial: Allocate port->rx_fifo buffer in probe")
Cc: <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@xxxxxxxxxx>
Reviewed-by: Jiri Slaby <jirislaby@xxxxxxxxxx>
This patch LGTM, I only wonder:
--- a/drivers/tty/serial/qcom_geni_serial.c
+++ b/drivers/tty/serial/qcom_geni_serial.c
@@ -864,9 +864,10 @@ static irqreturn_t qcom_geni_serial_isr(int isr, void *dev)
return IRQ_HANDLED;
}
-static void get_tx_fifo_size(struct qcom_geni_serial_port *port)
+static int get_tx_fifo_size(struct qcom_geni_serial_port *port)
... why is this function dubbed get_tx_fifo_size(), provided it handles
rx fifo too? And it does not "get" the tx fifo size. In fact, the
function sets that :).
{
struct uart_port *uport;
+ u32 old_rx_fifo_depth = port->rx_fifo_depth;
uport = &port->uport;
port->tx_fifo_depth = geni_se_get_tx_fifo_depth(&port->se);
@@ -874,6 +875,16 @@ static void get_tx_fifo_size(struct qcom_geni_serial_port *port)
port->rx_fifo_depth = geni_se_get_rx_fifo_depth(&port->se);
uport->fifosize =
(port->tx_fifo_depth * port->tx_fifo_width) / BITS_PER_BYTE;
+
+ if (port->rx_fifo && (old_rx_fifo_depth != port->rx_fifo_depth) && port->rx_fifo_depth) {
+ port->rx_fifo = devm_krealloc(uport->dev, port->rx_fifo,
+ port->rx_fifo_depth * sizeof(u32),
+ GFP_KERNEL);
And now it even allocates memory.
So more appropriate name should be setup_fifos() or similar.
+ if (!port->rx_fifo)
+ return -ENOMEM;
+ }
+
+ return 0;
--
js
suse labs