author | Deepak Kumar Singh <deesin@codeaurora.org> | 2019-05-21 20:28:14 +0530 |
---|---|---|
committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2019-06-28 23:59:13 -0700 |
commit | 18ccdd369a3d2e3af4c29c740664ba333edc1bd4 (patch) | |
tree | 72f8f3e1d93414409219f81c68a8b87faba50b5d | |
parent | 5ba85eb4eff2294bb60f8290da048e86bdeb570c (diff) |
soc: qcom: smem: Validate heap size against smem area sizeLE.UM.2.3.1.c1-06200-8x09.0
Partition size is not available for heap, hence validating
it against smem area size instead of partition size.
CRs-Fixed: 2456912
Change-Id: I20e07c87e00c600fc1adbd9913083b7691dc901c
Signed-off-by: Deepak Kumar Singh <deesin@codeaurora.org>
-rw-r--r-- | drivers/soc/qcom/msm_smem.c | 20 |
1 files changed, 8 insertions, 12 deletions
diff --git a/drivers/soc/qcom/msm_smem.c b/drivers/soc/qcom/msm_smem.c
index 72c799f62827..f2d050651444 100644
--- a/drivers/soc/qcom/msm_smem.c
+++ b/drivers/soc/qcom/msm_smem.c
@@ -621,18 +621,12 @@ static void *alloc_item_nonsecure(unsigned int id, unsigned int size_in)
 struct smem_shared *shared = smem_base;
 struct smem_heap_entry *toc = shared->heap_toc;
 uint32_t free_offset, heap_remaining;
- struct smem_toc __iomem *p_toc;
 void *ret = NULL;
- uint32_t p_size;
-
- p_toc = smem_get_toc();
- p_size =
- readl_relaxed(&p_toc->entry[comm_partition.partition_num].size);
 heap_remaining = shared->heap_info.heap_remaining;
 free_offset = shared->heap_info.free_offset;
- if (WARN_ON(heap_remaining > p_size
- || free_offset > p_size))
+ if (WARN_ON(heap_remaining > smem_ram_size
+ || free_offset > smem_ram_size))
 return NULL;
 if (heap_remaining >= size_in) {
@@ -972,13 +966,13 @@ unsigned int smem_get_free_space(unsigned int to_proc)
 uint32_t offset_free_cached;
 uint32_t heap_remaining;
 uint32_t p_size;
+ uint32_t p_num;
 if (to_proc >= NUM_SMEM_SUBSYSTEMS) {
 pr_err("%s: invalid to_proc:%d\n", __func__, to_proc);
 return UINT_MAX;
 }
- toc = smem_get_toc();
 if (partitions[to_proc].offset) {
 if (unlikely(OVERFLOW_ADD_UNSIGNED(uintptr_t,
 (uintptr_t)smem_areas[0].virt_addr,
@@ -989,7 +983,10 @@ unsigned int smem_get_free_space(unsigned int to_proc)
 hdr = smem_areas[0].virt_addr + partitions[to_proc].offset;
 offset_free_cached = hdr->offset_free_cached;
 offset_free_uncached = hdr->offset_free_uncached;
- p_size = readl_relaxed(&toc->entry[to_proc].size);
+
+ toc = smem_get_toc();
+ p_num = partitions[to_proc].partition_num;
+ p_size = readl_relaxed(&toc->entry[p_num].size);
 if (WARN_ON(offset_free_uncached > offset_free_cached || offset_free_cached > p_size))
 return -EINVAL;
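Review bot: In alloc_item_nonsecure the new check bounds `heap_remaining` and `free_offset` against `smem_ram_size` one at a time, so a pair whose sum runs past the end of the area still passes and the `heap_remaining >= size_in` branch below can hand out an item that lies outside SMEM. Both fields come from the shared heap header, which other subsystems can presumably write, so the two should be validated together, e.g. `if (WARN_ON(free_offset > smem_ram_size || heap_remaining > smem_ram_size - free_offset))`. The lines that turn `free_offset` into a pointer are outside this hunk, so confirm there is no later bound before relying on this one. It is also worth confirming that `smem_base`, used here, and `smem_ram_base`, used in smem_get_free_space, describe the region that `smem_ram_size` measures.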
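Review bot: `p_num` indexes `toc->entry[]` in the @@ -989 hunk without a range check, and the pointer from `smem_get_toc()` is used without a NULL check, which matters if that helper can fail. `partitions[to_proc].partition_num` is filled in outside this diff; if it is taken from the TOC in shared memory without validation, `readl_relaxed(&toc->entry[p_num].size)` can read past the table and the `offset_free_cached > p_size` test is then made against an unrelated value. Bound it before the read, for example `if (WARN_ON(p_num >= <TOC entry count>)) return UINT_MAX;`, using whatever field or constant the driver keeps for that count. The body of smem_get_free_space starts and ends outside the hunk.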
@@ -998,8 +995,7 @@ unsigned int smem_get_free_space(unsigned int to_proc)
 }
 shared = smem_ram_base;
 heap_remaining = shared->heap_info.heap_remaining;
- p_size = readl_relaxed(&toc->entry[comm_partition.partition_num].size);
- if (WARN_ON(heap_remaining > p_size))
+ if (WARN_ON(heap_remaining > smem_ram_size))
 return -EINVAL;
 return heap_remaining; |
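Review bot: smem_get_free_space returns `unsigned int`, so `return -EINVAL;` after the new `heap_remaining > smem_ram_size` check reaches the caller as a very large free-space value rather than an error; the same return follows the partition check in the @@ -989 hunk. The argument check at the top of the function already uses `return UINT_MAX;` as the failure value, so a caller that tests for `UINT_MAX` would treat the corrupted-header case as success. Returning `UINT_MAX` on both validation failures keeps the error convention consistent. The callers are outside this diff, so check which value they expect before changing it.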