Re: [PATCH 3/3] rpmsg: glink: smem: Use modulo for FIFO tail wrap-around in rx_advance
From: Dmitry Baryshkov
Date: Wed Jun 03 2026 - 08:19:58 EST
On Wed, Jun 03, 2026 at 06:14:30PM +0800, Chunkai Deng wrote:
> glink_smem_rx_advance() wraps the tail index with a single subtraction,
> which only corrects for one full wrap. The advance count is derived from
> remote-supplied packet fields (up to sizeof(glink_msg) + 0xffff bytes);
> if such a count reaches or exceeds pipe->native.length, the tail remains
Would not such a packet already cause issues as it will overflow the
FIFO?
> outside [0, length) after the subtraction and the next FIFO access uses
> an out-of-bounds offset.
>
> Use modulo so the tail is always normalised back into [0, length),
> keeping it consistent with the index bounds enforced by the WARN_ON_ONCE
> checks added to the FIFO helpers.
>
> Signed-off-by: Chunkai Deng <chunkai.deng@xxxxxxxxxxxxxxxx>
> ---
> drivers/rpmsg/qcom_glink_smem.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/rpmsg/qcom_glink_smem.c b/drivers/rpmsg/qcom_glink_smem.c
> index 42ad315d7910..4f143921b719 100644
> --- a/drivers/rpmsg/qcom_glink_smem.c
> +++ b/drivers/rpmsg/qcom_glink_smem.c
> @@ -129,7 +129,7 @@ static void glink_smem_rx_advance(struct qcom_glink_pipe *np,
>
> tail += count;
> if (tail >= pipe->native.length)
> - tail -= pipe->native.length;
> + tail %= pipe->native.length;
>
> *pipe->tail = cpu_to_le32(tail);
> }
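
Review bot: At `tail %= pipe->native.length;`, the modulo brings the index back into range but still accepts a `count` that, per the commit message, is derived from remote-supplied fields and can reach or exceed the FIFO length, so an oversized advance is silently wrapped rather than rejected. Consider bounding `count` against `pipe->native.length` (or the bytes actually available) before `tail += count;` and treating a larger value as a protocol error. Also, `%=` adds a division that the subtraction did not have; the visible lines do not show `pipe->native.length` being checked as non-zero, so that should be guaranteed or noted here.
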
>
> --
> 2.34.1
>
--
With best wishes
Dmitry