nv-tegra-mirror/linux-nv-oot
1
0
Fork 0
mirror of git://nv-tegra.nvidia.com/linux-nv-oot.git synced 2025-12-22 17:25:35 +03:00
Code Issues Packages Projects Releases Wiki Activity

nvadsp: Access MSGQ ptrs via pointer increment

Browse Source 
Accessing queue and payload fields of MSGQ via array index
causes out-of-bound warnings in new kernel version as they
are initialized as arrays of size 1:
  index 53 is out of range for type 'int32_t [1]'
  index 2045 is out of range for type 'int32_t [1]'

Addressing this by accessing the fields via pointer
increment instead of array index.

Bug 4420795

Change-Id: I873dbe08a894d1eea8866bb8a16018816d0e4db3
Signed-off-by: Viswanath L <viswanathl@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/c/linux-nv-oot/+/3199294
Reviewed-by: Asha T <atalambedu@nvidia.com>
GVS: buildbot_gerritrpt <buildbot_gerritrpt@nvidia.com>
Reviewed-by: Dara Ramesh <dramesh@nvidia.com>
Reviewed-by: svcacv <svcacv@nvidia.com>
This commit is contained in:
Viswanath L
2024-08-26 05:54:53 +00:00
committed by Jon Hunter
parent 056a1e6459
commit 83dded8dd6
1 changed files with 8 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
drivers/platform/tegra/nvadsp/msgq.c
View File

@@ -1,7 +1,5 @@
// SPDX-License-Identifier: GPL-2.0-only // SPDX-License-Identifier: GPL-2.0-only
/** // SPDX-FileCopyrightText: Copyright (c) 2014-2024 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
* Copyright (c) 2014-2023, NVIDIA CORPORATION. All rights reserved.
*/
#include <linux/tegra_nvadsp.h> #include <linux/tegra_nvadsp.h>
@@ -61,12 +59,12 @@ int32_t msgq_queue_message(msgq_t *msgq, const msgq_message_t *message)
int32_t wi = msgq->write_index; int32_t wi = msgq->write_index;
bool wrap = ri <= wi; bool wrap = ri <= wi;
int32_t *start = msgq->queue; int32_t *start = msgq->queue;
int32_t *end = &msgq->queue[msgq->size]; int32_t *end = msgq->queue + msgq->size;
int32_t *first = &msgq->queue[wi]; int32_t *first = msgq->queue + wi;
int32_t *last = &msgq->queue[ri]; int32_t *last = msgq->queue + ri;
int32_t qremainder = wrap ? end - first : last - first; int32_t qremainder = wrap ? end - first : last - first;
int32_t qsize = wrap ? qremainder + (last - start) : qremainder; int32_t qsize = wrap ? qremainder + (last - start) : qremainder;
int32_t msize = &message->payload[message->size] - int32_t msize = (message->payload + message->size) -
(int32_t *)message; (int32_t *)message;
if (qsize <= msize) { if (qsize <= msize) {
@@ -123,7 +121,7 @@ int32_t msgq_dequeue_message(msgq_t *msgq, msgq_message_t *message)
ri = msgq->read_index; ri = msgq->read_index;
wi = msgq->write_index; wi = msgq->write_index;
msg = (msgq_message_t *)&msgq->queue[msgq->read_index]; msg = (msgq_message_t *)(msgq->queue + msgq->read_index);
if (ri == wi) { if (ri == wi) {
/* empty queue */ /* empty queue */
@@ -145,8 +143,8 @@ int32_t msgq_dequeue_message(msgq_t *msgq, msgq_message_t *message)
} else { } else {
/* copy message to the output buffer */ /* copy message to the output buffer */
int32_t msize = MSGQ_MESSAGE_HEADER_WSIZE + msg->size; int32_t msize = MSGQ_MESSAGE_HEADER_WSIZE + msg->size;
int32_t *first = &msgq->queue[msgq->read_index]; int32_t *first = msgq->queue + msgq->read_index;
int32_t *end = &msgq->queue[msgq->size]; int32_t *end = msgq->queue + msgq->size;
int32_t qremainder = end - first; int32_t qremainder = end - first;
if (msize < qremainder) { if (msize < qremainder) {