glink_smem_rx_advance() wraps the tail index with a single subtraction, which only corrects for one full wrap. The advance count is derived from remote-supplied packet fields (up to sizeof(glink_msg) + 0xffff bytes); if such a count reaches or exceeds pipe->native.length, the tail remains outside [0, length) after the subtraction and the next FIFO access uses an out-of-bounds offset.
Use modulo so the tail is always normalised back into [0, length), keeping it consistent with the index bounds enforced by the WARN_ON_ONCE checks added to the FIFO helpers. Signed-off-by: Chunkai Deng <[email protected]> --- drivers/rpmsg/qcom_glink_smem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/rpmsg/qcom_glink_smem.c b/drivers/rpmsg/qcom_glink_smem.c index 42ad315d7910..4f143921b719 100644 --- a/drivers/rpmsg/qcom_glink_smem.c +++ b/drivers/rpmsg/qcom_glink_smem.c @@ -129,7 +129,7 @@ static void glink_smem_rx_advance(struct qcom_glink_pipe *np, tail += count; if (tail >= pipe->native.length) - tail -= pipe->native.length; + tail %= pipe->native.length; *pipe->tail = cpu_to_le32(tail); } -- 2.34.1
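Review bot: The `%=` in the hunk normalises the tail but still silently accepts a remote-supplied `count` that is larger than the FIFO itself, which no well-formed packet can produce since the ring can never hold more than `pipe->native.length` bytes of unread data; consider treating `count >= pipe->native.length` as a malformed message (warn and drop, or clamp) rather than wrapping the tail past data the local side has not consumed, since a wrapped tail desynchronises the reader from the remote head silently. The commit message also relies on "the WARN_ON_ONCE checks added to the FIFO helpers", which are not part of this diff, so either name the patch that adds them or order the series so that this change applies after it. Minor: with `%=` the surrounding `if (tail >= pipe->native.length)` is only an optimisation to skip the division in the common case, which is fine, but a short comment saying so would stop the next reader from removing the branch or the modulo.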

