From 708d96ef1bc028e36cb6cfc51dad1b1384629637 Mon Sep 17 00:00:00 2001
From: Anurag Chouhan <achouhan@codeaurora.org>
Date: Wed, 19 Sep 2018 13:15:13 +0530
Subject: [PATCH] wcnss: Fix buffer overflow in wcnss_prealloc_get

There is potential integer truncation in the wcnss_prealloc_get api.
size_t is 8 byte on x64 platform and "unsigned int" is 4 byte.
To avoid this integer truncation, pass size as size_t instead
of unsigned int.

CRs-Fixed: 2269610
Change-Id: I14b274dd7cad98b55fdce1aaa27783272231afde
Signed-off-by: Anurag Chouhan <achouhan@codeaurora.org>
---
 drivers/net/wireless/cnss_prealloc/cnss_prealloc.c | 13 +++++++------
 include/linux/wcnss_wlan.h                         |  2 +-
 include/net/cnss_prealloc.h                        |  4 ++--
 3 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/drivers/net/wireless/cnss_prealloc/cnss_prealloc.c b/drivers/net/wireless/cnss_prealloc/cnss_prealloc.c
index af64b3dc4da8..9eaa694570ac 100644
--- a/drivers/net/wireless/cnss_prealloc/cnss_prealloc.c
+++ b/drivers/net/wireless/cnss_prealloc/cnss_prealloc.c
@@ -17,6 +17,7 @@
 #include <linux/wcnss_wlan.h>
 #include <linux/spinlock.h>
 #include <linux/debugfs.h>
+#include <net/cnss_prealloc.h>
 #ifdef	CONFIG_WCNSS_SKB_PRE_ALLOC
 #include <linux/skbuff.h>
 #endif
@@ -34,7 +35,7 @@ static struct dentry *debug_base;
 
 struct wcnss_prealloc {
 	int occupied;
-	unsigned int size;
+	size_t size;
 	void *ptr;
 #ifdef CONFIG_SLUB_DEBUG
 	unsigned long stack_trace[WCNSS_MAX_STACK_TRACE];
@@ -159,7 +160,7 @@ static inline void wcnss_prealloc_save_stack_trace(struct wcnss_prealloc *entry)
 }
 #endif
 
-void *wcnss_prealloc_get(unsigned int size)
+void *wcnss_prealloc_get(size_t size)
 {
 	int i = 0;
 	unsigned long flags;
@@ -179,8 +180,8 @@ void *wcnss_prealloc_get(unsigned int size)
 	}
 	spin_unlock_irqrestore(&alloc_lock, flags);
 
-	pr_err("wcnss: %s: prealloc not available for size: %d\n",
-			__func__, size);
+	pr_err("wcnss: %s: prealloc not available for size: %zu\n",
+	       __func__, size);
 
 	return NULL;
 }
@@ -219,8 +220,8 @@ void wcnss_prealloc_check_memory_leak(void)
 			j++;
 		}
 
-		pr_err("Size: %u, addr: %pK, backtrace:\n",
-				wcnss_allocs[i].size, wcnss_allocs[i].ptr);
+		pr_err("Size: %zu, addr: %pK, backtrace:\n",
+		       wcnss_allocs[i].size, wcnss_allocs[i].ptr);
 		print_stack_trace(&wcnss_allocs[i].trace, 1);
 	}
 
diff --git a/include/linux/wcnss_wlan.h b/include/linux/wcnss_wlan.h
index 7389fff7da51..06c652cfb6af 100644
--- a/include/linux/wcnss_wlan.h
+++ b/include/linux/wcnss_wlan.h
@@ -119,7 +119,7 @@ int wcnss_get_wlan_mac_address(char mac_addr[WLAN_MAC_ADDR_SIZE]);
 void wcnss_allow_suspend(void);
 void wcnss_prevent_suspend(void);
 int wcnss_hardware_type(void);
-void *wcnss_prealloc_get(unsigned int size);
+void *wcnss_prealloc_get(size_t size);
 int wcnss_prealloc_put(void *ptr);
 void wcnss_reset_fiq(bool clk_chk_en);
 void wcnss_suspend_notify(void);
diff --git a/include/net/cnss_prealloc.h b/include/net/cnss_prealloc.h
index 734b4b69ecbb..39d080a8b184 100644
--- a/include/net/cnss_prealloc.h
+++ b/include/net/cnss_prealloc.h
@@ -1,4 +1,4 @@
-/* Copyright (c) 2015, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2015-2018, The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -15,7 +15,7 @@
 
 #define WCNSS_PRE_ALLOC_GET_THRESHOLD (4*1024)
 
-extern void *wcnss_prealloc_get(unsigned int size);
+extern void *wcnss_prealloc_get(size_t size);
 extern int wcnss_prealloc_put(void *ptr);
 extern int wcnss_pre_alloc_reset(void);
 void wcnss_prealloc_check_memory_leak(void);