evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge "msm: ipa: Fix use after free issue"

Browse source
This commit is contained in:
Linux Build Service Account 2017-10-18 02:00:38 -07:00 committed by Gerrit - the friendly Code Review server
commit 1682bdfd75
2 changed files with 10 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
drivers/platform/msm/ipa/ipa_v2/ipa.c
View file

@ -536,6 +536,7 @@ static int ipa_send_wan_msg(unsigned long usr_param, uint8_t msg_type, bool is_c
int retval; int retval;
struct ipa_wan_msg *wan_msg; struct ipa_wan_msg *wan_msg;
struct ipa_msg_meta msg_meta; struct ipa_msg_meta msg_meta;
struct ipa_wan_msg cache_wan_msg;
wan_msg = kzalloc(sizeof(struct ipa_wan_msg), GFP_KERNEL); wan_msg = kzalloc(sizeof(struct ipa_wan_msg), GFP_KERNEL);
if (!wan_msg) { if (!wan_msg) {
@ -549,6 +550,8 @@ static int ipa_send_wan_msg(unsigned long usr_param, uint8_t msg_type, bool is_c
return -EFAULT; return -EFAULT;
} }
memcpy(&cache_wan_msg, wan_msg, sizeof(cache_wan_msg));
memset(&msg_meta, 0, sizeof(struct ipa_msg_meta)); memset(&msg_meta, 0, sizeof(struct ipa_msg_meta));
msg_meta.msg_type = msg_type; msg_meta.msg_type = msg_type;
msg_meta.msg_len = sizeof(struct ipa_wan_msg); msg_meta.msg_len = sizeof(struct ipa_wan_msg);
@ -565,8 +568,8 @@ static int ipa_send_wan_msg(unsigned long usr_param, uint8_t msg_type, bool is_c
/* cache the cne event */ /* cache the cne event */
memcpy(&ipa_ctx->ipa_cne_evt_req_cache[ memcpy(&ipa_ctx->ipa_cne_evt_req_cache[
ipa_ctx->num_ipa_cne_evt_req].wan_msg, ipa_ctx->num_ipa_cne_evt_req].wan_msg,
wan_msg, &cache_wan_msg,
sizeof(struct ipa_wan_msg)); sizeof(cache_wan_msg));
memcpy(&ipa_ctx->ipa_cne_evt_req_cache[ memcpy(&ipa_ctx->ipa_cne_evt_req_cache[
ipa_ctx->num_ipa_cne_evt_req].msg_meta, ipa_ctx->num_ipa_cne_evt_req].msg_meta,

7
drivers/platform/msm/ipa/ipa_v3/ipa.c
View file

@ -603,6 +603,7 @@ static int ipa3_send_wan_msg(unsigned long usr_param, uint8_t msg_type, bool is_
int retval; int retval;
struct ipa_wan_msg *wan_msg; struct ipa_wan_msg *wan_msg;
struct ipa_msg_meta msg_meta; struct ipa_msg_meta msg_meta;
struct ipa_wan_msg cache_wan_msg;
wan_msg = kzalloc(sizeof(struct ipa_wan_msg), GFP_KERNEL); wan_msg = kzalloc(sizeof(struct ipa_wan_msg), GFP_KERNEL);
if (!wan_msg) { if (!wan_msg) {
@ -616,6 +617,8 @@ static int ipa3_send_wan_msg(unsigned long usr_param, uint8_t msg_type, bool is_
return -EFAULT; return -EFAULT;
} }
memcpy(&cache_wan_msg, wan_msg, sizeof(cache_wan_msg));
memset(&msg_meta, 0, sizeof(struct ipa_msg_meta)); memset(&msg_meta, 0, sizeof(struct ipa_msg_meta));
msg_meta.msg_type = msg_type; msg_meta.msg_type = msg_type;
msg_meta.msg_len = sizeof(struct ipa_wan_msg); msg_meta.msg_len = sizeof(struct ipa_wan_msg);
@ -632,8 +635,8 @@ static int ipa3_send_wan_msg(unsigned long usr_param, uint8_t msg_type, bool is_
/* cache the cne event */ /* cache the cne event */
memcpy(&ipa3_ctx->ipa_cne_evt_req_cache[ memcpy(&ipa3_ctx->ipa_cne_evt_req_cache[
ipa3_ctx->num_ipa_cne_evt_req].wan_msg, ipa3_ctx->num_ipa_cne_evt_req].wan_msg,
wan_msg, &cache_wan_msg,
sizeof(struct ipa_wan_msg)); sizeof(cache_wan_msg));
memcpy(&ipa3_ctx->ipa_cne_evt_req_cache[ memcpy(&ipa3_ctx->ipa_cne_evt_req_cache[
ipa3_ctx->num_ipa_cne_evt_req].msg_meta, ipa3_ctx->num_ipa_cne_evt_req].msg_meta,