platform: msm_shared: Do not return pointer allocated on stack
The RPM response is read into a local buffer that is allocated
on the stack and then returned to the caller. Using a pointer to a
stack buffer after the function has returned is undefined behaviour;
pass the response buffer in from the caller to avoid this problem.
Change-Id: Iac967725659166fb6100a02fbac68041ce8cb7af
diff --git a/platform/msm_shared/include/smd.h b/platform/msm_shared/include/smd.h
index 0daaace..b8f645f 100644
--- a/platform/msm_shared/include/smd.h
+++ b/platform/msm_shared/include/smd.h
@@ -118,7 +118,7 @@
int smd_init(smd_channel_info_t *ch, uint32_t ch_type);
void smd_uninit(smd_channel_info_t *ch);
-uint8_t* smd_read(smd_channel_info_t *ch, uint32_t *len, int ch_type);
+void smd_read(smd_channel_info_t *ch, uint32_t *len, int ch_type, uint32_t *response);
int smd_write(smd_channel_info_t *ch, void *data, uint32_t len, int type);
int smd_get_channel_info(smd_channel_info_t *ch, uint32_t ch_type);
void smd_get_channel_entry(smd_channel_info_t *ch, uint32_t ch_type);
diff --git a/platform/msm_shared/rpm-smd.c b/platform/msm_shared/rpm-smd.c
index d623542..0756bcd 100644
--- a/platform/msm_shared/rpm-smd.c
+++ b/platform/msm_shared/rpm-smd.c
@@ -133,8 +133,12 @@
rpm_ack_msg *resp;
msg_type type;
uint32_t ret = 0;
+ /* As per the current design rpm response does not exceed 20 bytes */
+ uint32_t response[5];
- resp = (rpm_ack_msg*)smd_read(&ch, len, SMD_APPS_RPM);
+ smd_read(&ch, len, SMD_APPS_RPM, response);
+
+ resp = (rpm_ack_msg *)response;
arch_invalidate_cache_range((addr_t)resp, sizeof(rpm_gen_hdr));
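Review bot: This caller can no longer tell that `smd_read` failed, because the function is now `void` and its DTR-off path in smd.c (`return;`) leaves `response` unwritten. The cast `resp = (rpm_ack_msg *)response` then interprets uninitialised stack contents as an RPM ack. Keep a status return, for example `int smd_read(...)` returning -1 on the DTR-off path and checked here before `resp` is used, or at minimum declare the buffer as `uint32_t response[5] = {0};`. The same silent-failure point applies to the `return -1;` to `return;` hunk in smd.c. The enclosing function starts and ends outside this hunk.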
diff --git a/platform/msm_shared/smd.c b/platform/msm_shared/smd.c
index 66b4b9f..3616e2b 100644
--- a/platform/msm_shared/smd.c
+++ b/platform/msm_shared/smd.c
@@ -209,12 +209,10 @@
ch_ptr->port_info->ch1.read_index = read_index;
}
-uint8_t* smd_read(smd_channel_info_t *ch, uint32_t *len, int ch_type)
+void smd_read(smd_channel_info_t *ch, uint32_t *len, int ch_type, uint32_t *response)
{
smd_pkt_hdr smd_hdr;
uint32_t size = 0;
- /* Response as per the current design does not exceed 20 bytes */
- uint32_t response[5];
/* Read the indices from smem */
ch->port_info = smem_get_alloc_entry(SMEM_SMD_BASE_ID + ch->alloc_entry.cid,
@@ -222,7 +220,7 @@
if(!ch->port_info->ch1.DTR_DSR)
{
dprintf(CRITICAL,"%s: DTR is off\n", __func__);
- return -1;
+ return;
}
/* Wait until the data updated in the smd buffer is equal to smd packet header*/
@@ -247,9 +245,9 @@
}
/* We are good to return the response now */
- memcpy_from_fifo(ch, response, sizeof(response));
+ memcpy_from_fifo(ch, response, smd_hdr.pkt_size);
- arch_invalidate_cache_range((addr_t)response, sizeof(response));
+ arch_invalidate_cache_range((addr_t)response, smd_hdr.pkt_size);
return response;
}
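Review bot: The copy length is now `smd_hdr.pkt_size`, taken from the packet header in shared memory, while the destination is the caller's fixed 20-byte `response[5]` in rpm-smd.c. No bound check is visible in this hunk, so a header advertising more than 20 bytes would make `memcpy_from_fifo` write past the caller's stack buffer; the old code capped the copy at `sizeof(response)`. Pass the buffer capacity in through the prototype in smd.h and reject oversized packets before the copy, e.g. `if (smd_hdr.pkt_size > response_size) return;`, where `response_size` is a placeholder name for the new parameter. The unchanged `return response;` on the last line also still returns a value from a function that is now `void` and should be removed. The body of `smd_read` between the hunks is not shown, so confirm that no earlier check already bounds `pkt_size`.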