[PATCH 1/2] ASoC: SOF: ipc-msg-injector: Propagate write errors correctly
This code is supposed to propagate errors from simple_write_to_buffer() or return -EFAULT if "size != count". However "size" needs to be signed for the code to work correctly and the case where "size == 0" is not handled correctly.
Fixes: 066c67624d8c ("ASoC: SOF: ipc-msg-injector: Add support for IPC4 messages") Fixes: 2f0b1b013bbc ("ASoC: SOF: debug: Add support for IPC message injection") Signed-off-by: Dan Carpenter dan.carpenter@oracle.com --- sound/soc/sof/sof-client-ipc-msg-injector.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/sound/soc/sof/sof-client-ipc-msg-injector.c b/sound/soc/sof/sof-client-ipc-msg-injector.c index 03490a4d4ae7..030cb97d7713 100644 --- a/sound/soc/sof/sof-client-ipc-msg-injector.c +++ b/sound/soc/sof/sof-client-ipc-msg-injector.c @@ -150,7 +150,7 @@ static ssize_t sof_msg_inject_dfs_write(struct file *file, const char __user *bu { struct sof_client_dev *cdev = file->private_data; struct sof_msg_inject_priv *priv = cdev->data; - size_t size; + ssize_t size; int ret;
if (*ppos) @@ -158,8 +158,10 @@ static ssize_t sof_msg_inject_dfs_write(struct file *file, const char __user *bu
size = simple_write_to_buffer(priv->tx_buffer, priv->max_msg_size, ppos, buffer, count); + if (size < 0) + return size; if (size != count) - return size > 0 ? -EFAULT : size; + return -EFAULT;
memset(priv->rx_buffer, 0, priv->max_msg_size);
@@ -179,7 +181,7 @@ static ssize_t sof_msg_inject_ipc4_dfs_write(struct file *file, struct sof_client_dev *cdev = file->private_data; struct sof_msg_inject_priv *priv = cdev->data; struct sof_ipc4_msg *ipc4_msg = priv->tx_buffer; - size_t size; + ssize_t size; int ret;
if (*ppos) @@ -192,8 +194,10 @@ static ssize_t sof_msg_inject_ipc4_dfs_write(struct file *file, size = simple_write_to_buffer(&ipc4_msg->header_u64, sizeof(ipc4_msg->header_u64), ppos, buffer, count); + if (size < 0) + return size; if (size != sizeof(ipc4_msg->header_u64)) - return size > 0 ? -EFAULT : size; + return -EFAULT;
count -= size; if (!count) { @@ -201,8 +205,10 @@ static ssize_t sof_msg_inject_ipc4_dfs_write(struct file *file, size = simple_write_to_buffer(ipc4_msg->data_ptr, priv->max_msg_size, ppos, buffer, count); + if (size < 0) + return size; if (size != count) - return size > 0 ? -EFAULT : size; + return -EFAULT; }
ipc4_msg->data_size = count;
This if statement is reversed. In fact, the condition can just be deleted because writing zero bytes is a no-op.
Fixes: 066c67624d8c ("ASoC: SOF: ipc-msg-injector: Add support for IPC4 messages") Signed-off-by: Dan Carpenter dan.carpenter@oracle.com --- sound/soc/sof/sof-client-ipc-msg-injector.c | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/sound/soc/sof/sof-client-ipc-msg-injector.c b/sound/soc/sof/sof-client-ipc-msg-injector.c index 030cb97d7713..6bdfa527b7f7 100644 --- a/sound/soc/sof/sof-client-ipc-msg-injector.c +++ b/sound/soc/sof/sof-client-ipc-msg-injector.c @@ -200,16 +200,14 @@ static ssize_t sof_msg_inject_ipc4_dfs_write(struct file *file, return -EFAULT;
count -= size; - if (!count) { - /* Copy the payload */ - size = simple_write_to_buffer(ipc4_msg->data_ptr, - priv->max_msg_size, ppos, buffer, - count); - if (size < 0) - return size; - if (size != count) - return -EFAULT; - } + /* Copy the payload */ + size = simple_write_to_buffer(ipc4_msg->data_ptr, + priv->max_msg_size, ppos, buffer, + count); + if (size < 0) + return size; + if (size != count) + return -EFAULT;
ipc4_msg->data_size = count;
On 02/06/2022 12:09, Dan Carpenter wrote:
This if statement is reversed. In fact, the condition can just be deleted because writing zero bytes is a no-op.
Wow, you are right. I only tested with a message w/o additional payload.
Acked-by: Peter Ujfalusi peter.ujfalusi@linux.intel.com
Fixes: 066c67624d8c ("ASoC: SOF: ipc-msg-injector: Add support for IPC4 messages") Signed-off-by: Dan Carpenter dan.carpenter@oracle.com
sound/soc/sof/sof-client-ipc-msg-injector.c | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/sound/soc/sof/sof-client-ipc-msg-injector.c b/sound/soc/sof/sof-client-ipc-msg-injector.c index 030cb97d7713..6bdfa527b7f7 100644 --- a/sound/soc/sof/sof-client-ipc-msg-injector.c +++ b/sound/soc/sof/sof-client-ipc-msg-injector.c @@ -200,16 +200,14 @@ static ssize_t sof_msg_inject_ipc4_dfs_write(struct file *file, return -EFAULT;
count -= size;
- if (!count) {
/* Copy the payload */size = simple_write_to_buffer(ipc4_msg->data_ptr,priv->max_msg_size, ppos, buffer,count);if (size < 0)return size;if (size != count)return -EFAULT;- }
/* Copy the payload */
size = simple_write_to_buffer(ipc4_msg->data_ptr,
priv->max_msg_size, ppos, buffer,count);if (size < 0)
return size;if (size != count)
return -EFAULT;ipc4_msg->data_size = count;
On 02/06/2022 12:08, Dan Carpenter wrote:
This code is supposed to propagate errors from simple_write_to_buffer() or return -EFAULT if "size != count". However "size" needs to be signed for the code to work correctly and the case where "size == 0" is not handled correctly.
Thanks Dan!
Acked-by: Peter Ujfalusi peter.ujfalusi@linux.intel.com
Fixes: 066c67624d8c ("ASoC: SOF: ipc-msg-injector: Add support for IPC4 messages") Fixes: 2f0b1b013bbc ("ASoC: SOF: debug: Add support for IPC message injection") Signed-off-by: Dan Carpenter dan.carpenter@oracle.com
sound/soc/sof/sof-client-ipc-msg-injector.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/sound/soc/sof/sof-client-ipc-msg-injector.c b/sound/soc/sof/sof-client-ipc-msg-injector.c index 03490a4d4ae7..030cb97d7713 100644 --- a/sound/soc/sof/sof-client-ipc-msg-injector.c +++ b/sound/soc/sof/sof-client-ipc-msg-injector.c @@ -150,7 +150,7 @@ static ssize_t sof_msg_inject_dfs_write(struct file *file, const char __user *bu { struct sof_client_dev *cdev = file->private_data; struct sof_msg_inject_priv *priv = cdev->data;
- size_t size;
ssize_t size; int ret;
if (*ppos)
@@ -158,8 +158,10 @@ static ssize_t sof_msg_inject_dfs_write(struct file *file, const char __user *bu
size = simple_write_to_buffer(priv->tx_buffer, priv->max_msg_size, ppos, buffer, count);
- if (size < 0)
return size;
return size > 0 ? -EFAULT : size;
return -EFAULT;memset(priv->rx_buffer, 0, priv->max_msg_size);
@@ -179,7 +181,7 @@ static ssize_t sof_msg_inject_ipc4_dfs_write(struct file *file, struct sof_client_dev *cdev = file->private_data; struct sof_msg_inject_priv *priv = cdev->data; struct sof_ipc4_msg *ipc4_msg = priv->tx_buffer;
- size_t size;
ssize_t size; int ret;
if (*ppos)
@@ -192,8 +194,10 @@ static ssize_t sof_msg_inject_ipc4_dfs_write(struct file *file, size = simple_write_to_buffer(&ipc4_msg->header_u64, sizeof(ipc4_msg->header_u64), ppos, buffer, count);
- if (size < 0)
return size;
return size > 0 ? -EFAULT : size;
return -EFAULT;count -= size; if (!count) {
@@ -201,8 +205,10 @@ static ssize_t sof_msg_inject_ipc4_dfs_write(struct file *file, size = simple_write_to_buffer(ipc4_msg->data_ptr, priv->max_msg_size, ppos, buffer, count);
if (size < 0)return size;
return size > 0 ? -EFAULT : size;
return -EFAULT;}
ipc4_msg->data_size = count;
On Thu, 2 Jun 2022 12:08:25 +0300, Dan Carpenter wrote:
This code is supposed to propagate errors from simple_write_to_buffer() or return -EFAULT if "size != count". However "size" needs to be signed for the code to work correctly and the case where "size == 0" is not handled correctly.
Applied to
https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-next
Thanks!
[1/2] ASoC: SOF: ipc-msg-injector: Propagate write errors correctly commit: d9a251a029f23e79c1ac394bc551ed5d536bc740 [2/2] ASoC: SOF: ipc-msg-injector: Fix reversed if statement commit: bedc357217e6e09623f6209c891fa8d57a737ac1
All being well this means that it will be integrated into the linux-next tree (usually sometime in the next 24 hours) and sent to Linus during the next merge window (or sooner if it is a bug fix), however if problems are discovered then the patch may be dropped or reverted.
You may get further e-mails resulting from automated or manual testing and review of the tree, please engage with people reporting problems and send followup patches addressing any issues that are reported if needed.
If any updates are required or you are submitting further changes they should be sent as incremental updates against current git, existing patches will not be replaced.
Please add any relevant lists and maintainers to the CCs when replying to this mail.
Thanks, Mark
participants (3)
-
Dan Carpenter -
Mark Brown -
Péter Ujfalusi