From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-19.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER,INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 68184C4345A for ; Mon, 29 Mar 2021 08:54:51 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 46C2861879 for ; Mon, 29 Mar 2021 08:54:51 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236449AbhC2Ixh (ORCPT ); Mon, 29 Mar 2021 04:53:37 -0400 Received: from mail.kernel.org ([198.145.29.99]:55736 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233270AbhC2Iel (ORCPT ); Mon, 29 Mar 2021 04:34:41 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id C7EFA619AB; Mon, 29 Mar 2021 08:34:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1617006881; bh=WTJcMEegiKcxEk43R4BYWCA/O9UUUJxOtBYag4De+vc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=hUsvNtkONWX5jAI5ggUkN2r07vSzRVwPxinrpEHM4ZHpsW+qLBEMb0/KsBl/ZTn/b AEWrcnhbw5c8wpK2jiRogpMYdQRZsO2QimZ8KTyhZddyOs5lQuM3dDRniX+URIwXbt nUjVEizhhOQpT0huWKhWzqUZD+lgrGnLhpkUelI0= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Sujit Kautkar , Alex Elder , Bjorn Andersson , "David S. Miller" , Sasha Levin Subject: [PATCH 5.11 137/254] net: ipa: terminate message handler arrays Date: Mon, 29 Mar 2021 09:57:33 +0200 Message-Id: <20210329075637.725042865@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210329075633.135869143@linuxfoundation.org> References: <20210329075633.135869143@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Alex Elder [ Upstream commit 3a9ef3e11c5d33e5cb355b4aad1a4caad2407541 ] When a QMI handle is initialized, an array of message handler structures is provided, defining how any received message should be handled based on its type and message ID. The QMI core code traverses this array when a message arrives and calls the function associated with the (type, msg_id) found in the array. The array is supposed to be terminated with an empty (all zero) entry though. Without it, an unsupported message will cause the QMI core code to go past the end of the array. Fix this bug, by properly terminating the message handler arrays provided when QMI handles are set up by the IPA driver. Fixes: 530f9216a9537 ("soc: qcom: ipa: AP/modem communications") Reported-by: Sujit Kautkar Signed-off-by: Alex Elder Reviewed-by: Bjorn Andersson Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- drivers/net/ipa/ipa_qmi.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/ipa/ipa_qmi.c b/drivers/net/ipa/ipa_qmi.c index 2fc64483f275..e594bf3b600f 100644 --- a/drivers/net/ipa/ipa_qmi.c +++ b/drivers/net/ipa/ipa_qmi.c @@ -249,6 +249,7 @@ static const struct qmi_msg_handler ipa_server_msg_handlers[] = { .decoded_size = IPA_QMI_DRIVER_INIT_COMPLETE_REQ_SZ, .fn = ipa_server_driver_init_complete, }, + { }, }; /* Handle an INIT_DRIVER response message from the modem. */ @@ -269,6 +270,7 @@ static const struct qmi_msg_handler ipa_client_msg_handlers[] = { .decoded_size = IPA_QMI_INIT_DRIVER_RSP_SZ, .fn = ipa_client_init_driver, }, + { }, }; /* Return a pointer to an init modem driver request structure, which contains -- 2.30.1