evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

msm: ipa: Fix to use after free issue

Browse source 
Added code changes to avoid use after free
if header already table already freed
during ipa ioctl test.

Change-Id: I5e89c28448bd3b94714451432774457a170005bd
Acked-by: Ashok Vuyyuru <avuyyuru@qti.qualcomm.com>
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
This commit is contained in:
Mohammed Javid 2017-08-01 19:05:06 +05:30
parent 502914e130
commit 1d85aeac42
2 changed files with 22 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
drivers/platform/msm/ipa/ipa_v2/ipa_rt.c
View file

@ -53,7 +53,7 @@ int __ipa_generate_rt_hw_rule_v2(enum ipa_ip_type ip,
int pipe_idx;
if (buf == NULL) {
memset(tmp, 0, IPA_RT_FLT_HW_RULE_BUF_SIZE);
memset(tmp, 0, (IPA_RT_FLT_HW_RULE_BUF_SIZE/4));
buf = (u8 *)tmp;
}
@ -75,8 +75,15 @@ int __ipa_generate_rt_hw_rule_v2(enum ipa_ip_type ip,
rule_hdr->u.hdr.pipe_dest_idx = pipe_idx;
rule_hdr->u.hdr.system = !ipa_ctx->hdr_tbl_lcl;
if (entry->hdr) {
rule_hdr->u.hdr.hdr_offset =
entry->hdr->offset_entry->offset >> 2;
if (entry->hdr->cookie == IPA_HDR_COOKIE) {
rule_hdr->u.hdr.hdr_offset =
entry->hdr->offset_entry->offset >> 2;
} else {
IPAERR("Entry hdr deleted by user = %d cookie = %u\n",
entry->hdr->user_deleted, entry->hdr->cookie);
WARN_ON(1);
rule_hdr->u.hdr.hdr_offset = 0;
}
} else {
rule_hdr->u.hdr.hdr_offset = 0;
}

17
drivers/platform/msm/ipa/ipa_v3/ipa_rt.c
View file

@ -72,11 +72,18 @@ static int ipa_generate_rt_hw_rule(enum ipa_ip_type ip,
if (entry->proc_ctx || (entry->hdr && entry->hdr->is_hdr_proc_ctx)) {
struct ipa3_hdr_proc_ctx_entry *proc_ctx;
proc_ctx = (entry->proc_ctx) ? : entry->hdr->proc_ctx;
gen_params.hdr_lcl = ipa3_ctx->hdr_proc_ctx_tbl_lcl;
gen_params.hdr_type = IPAHAL_RT_RULE_HDR_PROC_CTX;
gen_params.hdr_ofst = proc_ctx->offset_entry->offset +
ipa3_ctx->hdr_proc_ctx_tbl.start_offset;
} else if (entry->hdr) {
if ((proc_ctx == NULL) ||
(proc_ctx->cookie != IPA_PROC_HDR_COOKIE)) {
gen_params.hdr_type = IPAHAL_RT_RULE_HDR_NONE;
gen_params.hdr_ofst = 0;
} else {
gen_params.hdr_lcl = ipa3_ctx->hdr_proc_ctx_tbl_lcl;
gen_params.hdr_type = IPAHAL_RT_RULE_HDR_PROC_CTX;
gen_params.hdr_ofst = proc_ctx->offset_entry->offset +
ipa3_ctx->hdr_proc_ctx_tbl.start_offset;
}
} else if ((entry->hdr != NULL) &&
(entry->hdr->cookie == IPA_HDR_COOKIE)) {
gen_params.hdr_lcl = ipa3_ctx->hdr_tbl_lcl;
gen_params.hdr_type = IPAHAL_RT_RULE_HDR_RAW;
gen_params.hdr_ofst = entry->hdr->offset_entry->offset;