Merge "msm: ipa: Fix to handle NULL pointer dereference"

Linux Build Service Account 2018-03-10 21:18:50 -08:00 committed by Gerrit - the friendly Code Review server
commit 2c333d317c
2 changed files with 128 additions and 1 deletions


@ -51,6 +51,7 @@ int __ipa_generate_rt_hw_rule_v2(enum ipa_ip_type ip,
u32 tmp[IPA_RT_FLT_HW_RULE_BUF_SIZE/4]; u32 tmp[IPA_RT_FLT_HW_RULE_BUF_SIZE/4];
u8 *start; u8 *start;
int pipe_idx; int pipe_idx;
struct ipa_hdr_entry *hdr_entry;
if (buf == NULL) { if (buf == NULL) {
memset(tmp, 0, (IPA_RT_FLT_HW_RULE_BUF_SIZE/4)); memset(tmp, 0, (IPA_RT_FLT_HW_RULE_BUF_SIZE/4));
@ -74,6 +75,18 @@ int __ipa_generate_rt_hw_rule_v2(enum ipa_ip_type ip,
} }
rule_hdr->u.hdr.pipe_dest_idx = pipe_idx; rule_hdr->u.hdr.pipe_dest_idx = pipe_idx;
rule_hdr->u.hdr.system = !ipa_ctx->hdr_tbl_lcl; rule_hdr->u.hdr.system = !ipa_ctx->hdr_tbl_lcl;
/* Adding check to confirm still
* header entry present in header table or not
*/
if (entry->hdr) {
hdr_entry = ipa_id_find(entry->rule.hdr_hdl);
if (!hdr_entry || hdr_entry->cookie != IPA_HDR_COOKIE) {
IPAERR_RL("Header entry already deleted\n");
return -EPERM;
}
}
if (entry->hdr) { if (entry->hdr) {
if (entry->hdr->cookie == IPA_HDR_COOKIE) { if (entry->hdr->cookie == IPA_HDR_COOKIE) {
rule_hdr->u.hdr.hdr_offset = rule_hdr->u.hdr.hdr_offset =
@ -140,6 +153,8 @@ int __ipa_generate_rt_hw_rule_v2_5(enum ipa_ip_type ip,
u32 tmp[IPA_RT_FLT_HW_RULE_BUF_SIZE/4]; u32 tmp[IPA_RT_FLT_HW_RULE_BUF_SIZE/4];
u8 *start; u8 *start;
int pipe_idx; int pipe_idx;
struct ipa_hdr_entry *hdr_entry;
struct ipa_hdr_proc_ctx_entry *hdr_proc_entry;
if (buf == NULL) { if (buf == NULL) {
memset(tmp, 0, IPA_RT_FLT_HW_RULE_BUF_SIZE); memset(tmp, 0, IPA_RT_FLT_HW_RULE_BUF_SIZE);
@ -162,6 +177,24 @@ int __ipa_generate_rt_hw_rule_v2_5(enum ipa_ip_type ip,
return -EPERM; return -EPERM;
} }
rule_hdr->u.hdr_v2_5.pipe_dest_idx = pipe_idx; rule_hdr->u.hdr_v2_5.pipe_dest_idx = pipe_idx;
/* Adding check to confirm still
* header entry present in header table or not
*/
if (entry->hdr) {
hdr_entry = ipa_id_find(entry->rule.hdr_hdl);
if (!hdr_entry || hdr_entry->cookie != IPA_HDR_COOKIE) {
IPAERR_RL("Header entry already deleted\n");
return -EPERM;
}
} else if (entry->proc_ctx) {
hdr_proc_entry = ipa_id_find(entry->rule.hdr_proc_ctx_hdl);
if (!hdr_proc_entry ||
hdr_proc_entry->cookie != IPA_PROC_HDR_COOKIE) {
IPAERR_RL("Proc header entry already deleted\n");
return -EPERM;
}
}
if (entry->proc_ctx || (entry->hdr && entry->hdr->is_hdr_proc_ctx)) { if (entry->proc_ctx || (entry->hdr && entry->hdr->is_hdr_proc_ctx)) {
struct ipa_hdr_proc_ctx_entry *proc_ctx; struct ipa_hdr_proc_ctx_entry *proc_ctx;
@ -1130,6 +1163,8 @@ int __ipa_del_rt_rule(u32 rule_hdl)
{ {
struct ipa_rt_entry *entry; struct ipa_rt_entry *entry;
int id; int id;
struct ipa_hdr_entry *hdr_entry;
struct ipa_hdr_proc_ctx_entry *hdr_proc_entry;
entry = ipa_id_find(rule_hdl); entry = ipa_id_find(rule_hdl);
@ -1151,6 +1186,24 @@ int __ipa_del_rt_rule(u32 rule_hdl)
return -EINVAL; return -EINVAL;
} }
} }
/* Adding check to confirm still
* header entry present in header table or not
*/
if (entry->hdr) {
hdr_entry = ipa_id_find(entry->rule.hdr_hdl);
if (!hdr_entry || hdr_entry->cookie != IPA_HDR_COOKIE) {
IPAERR_RL("Header entry already deleted\n");
return -EINVAL;
}
} else if (entry->proc_ctx) {
hdr_proc_entry = ipa_id_find(entry->rule.hdr_proc_ctx_hdl);
if (!hdr_proc_entry ||
hdr_proc_entry->cookie != IPA_PROC_HDR_COOKIE) {
IPAERR_RL("Proc header entry already deleted\n");
return -EINVAL;
}
}
if (entry->hdr) if (entry->hdr)
__ipa_release_hdr(entry->hdr->id); __ipa_release_hdr(entry->hdr->id);
@ -1463,6 +1516,7 @@ static int __ipa_mdfy_rt_rule(struct ipa_rt_rule_mdfy *rtrule)
{ {
struct ipa_rt_entry *entry; struct ipa_rt_entry *entry;
struct ipa_hdr_entry *hdr = NULL; struct ipa_hdr_entry *hdr = NULL;
struct ipa_hdr_entry *hdr_entry;
if (rtrule->rule.hdr_hdl) { if (rtrule->rule.hdr_hdl) {
hdr = ipa_id_find(rtrule->rule.hdr_hdl); hdr = ipa_id_find(rtrule->rule.hdr_hdl);
@ -1483,6 +1537,17 @@ static int __ipa_mdfy_rt_rule(struct ipa_rt_rule_mdfy *rtrule)
goto error; goto error;
} }
/* Adding check to confirm still
* header entry present in header table or not
*/
if (entry->hdr) {
hdr_entry = ipa_id_find(entry->rule.hdr_hdl);
if (!hdr_entry || hdr_entry->cookie != IPA_HDR_COOKIE) {
IPAERR_RL("Header entry already deleted\n");
return -EPERM;
}
}
if (entry->hdr) if (entry->hdr)
entry->hdr->ref_cnt--; entry->hdr->ref_cnt--;
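Review bot: The new guard in `__ipa_generate_rt_hw_rule_v2` validates the object returned by `ipa_id_find(entry->rule.hdr_hdl)`, but the code after it still dereferences the cached pointer `entry->hdr` (`entry->hdr->cookie`, `entry->hdr->id`, `entry->hdr->ref_cnt--`), and nothing checks that the two are the same object. If a handle can be handed to a new header after the original was freed (not visible here; it depends on how ids are allocated), the lookup succeeds while `entry->hdr` is stale, and the stale-pointer dereference this change targets would remain. Comparing identities closes that gap: `if (!hdr_entry || hdr_entry != entry->hdr || hdr_entry->cookie != IPA_HDR_COOKIE) {`, and likewise `hdr_proc_entry != entry->proc_ctx` in the proc-ctx branch. The same pattern repeats in `__ipa_generate_rt_hw_rule_v2_5`, `__ipa_del_rt_rule`, `__ipa_mdfy_rt_rule` and in the ipa3 counterparts in the second file. All of these function bodies start and end outside the hunks, so any locking that already excludes the race is not visible here.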


@ -50,6 +50,8 @@ static int ipa_generate_rt_hw_rule(enum ipa_ip_type ip,
struct ipa3_rt_entry *entry, u8 *buf) struct ipa3_rt_entry *entry, u8 *buf)
{ {
struct ipahal_rt_rule_gen_params gen_params; struct ipahal_rt_rule_gen_params gen_params;
struct ipa3_hdr_entry *hdr_entry;
struct ipa3_hdr_proc_ctx_entry *hdr_proc_entry;
int res = 0; int res = 0;
memset(&gen_params, 0, sizeof(gen_params)); memset(&gen_params, 0, sizeof(gen_params));
@ -69,6 +71,25 @@ static int ipa_generate_rt_hw_rule(enum ipa_ip_type ip,
return -EPERM; return -EPERM;
} }
/* Adding check to confirm still
* header entry present in header table or not
*/
if (entry->hdr) {
hdr_entry = ipa3_id_find(entry->rule.hdr_hdl);
if (!hdr_entry || hdr_entry->cookie != IPA_HDR_COOKIE) {
IPAERR_RL("Header entry already deleted\n");
return -EPERM;
}
} else if (entry->proc_ctx) {
hdr_proc_entry = ipa3_id_find(entry->rule.hdr_proc_ctx_hdl);
if (!hdr_proc_entry ||
hdr_proc_entry->cookie != IPA_PROC_HDR_COOKIE) {
IPAERR_RL("Proc header entry already deleted\n");
return -EPERM;
}
}
if (entry->proc_ctx || (entry->hdr && entry->hdr->is_hdr_proc_ctx)) { if (entry->proc_ctx || (entry->hdr && entry->hdr->is_hdr_proc_ctx)) {
struct ipa3_hdr_proc_ctx_entry *proc_ctx; struct ipa3_hdr_proc_ctx_entry *proc_ctx;
proc_ctx = (entry->proc_ctx) ? : entry->hdr->proc_ctx; proc_ctx = (entry->proc_ctx) ? : entry->hdr->proc_ctx;
@ -1268,6 +1289,8 @@ int __ipa3_del_rt_rule(u32 rule_hdl)
{ {
struct ipa3_rt_entry *entry; struct ipa3_rt_entry *entry;
int id; int id;
struct ipa3_hdr_entry *hdr_entry;
struct ipa3_hdr_proc_ctx_entry *hdr_proc_entry;
entry = ipa3_id_find(rule_hdl); entry = ipa3_id_find(rule_hdl);
@ -1290,6 +1313,25 @@ int __ipa3_del_rt_rule(u32 rule_hdl)
} }
} }
/* Adding check to confirm still
* header entry present in header table or not
*/
if (entry->hdr) {
hdr_entry = ipa3_id_find(entry->rule.hdr_hdl);
if (!hdr_entry || hdr_entry->cookie != IPA_HDR_COOKIE) {
IPAERR_RL("Header entry already deleted\n");
return -EINVAL;
}
} else if (entry->proc_ctx) {
hdr_proc_entry = ipa3_id_find(entry->rule.hdr_proc_ctx_hdl);
if (!hdr_proc_entry ||
hdr_proc_entry->cookie != IPA_PROC_HDR_COOKIE) {
IPAERR_RL("Proc header entry already deleted\n");
return -EINVAL;
}
}
if (entry->hdr) if (entry->hdr)
__ipa3_release_hdr(entry->hdr->id); __ipa3_release_hdr(entry->hdr->id);
else if (entry->proc_ctx) else if (entry->proc_ctx)
@ -1609,7 +1651,8 @@ static int __ipa_mdfy_rt_rule(struct ipa_rt_rule_mdfy *rtrule)
struct ipa3_rt_entry *entry; struct ipa3_rt_entry *entry;
struct ipa3_hdr_entry *hdr = NULL; struct ipa3_hdr_entry *hdr = NULL;
struct ipa3_hdr_proc_ctx_entry *proc_ctx = NULL; struct ipa3_hdr_proc_ctx_entry *proc_ctx = NULL;
struct ipa3_hdr_entry *hdr_entry;
struct ipa3_hdr_proc_ctx_entry *hdr_proc_entry;
if (rtrule->rule.hdr_hdl) { if (rtrule->rule.hdr_hdl) {
hdr = ipa3_id_find(rtrule->rule.hdr_hdl); hdr = ipa3_id_find(rtrule->rule.hdr_hdl);
if ((hdr == NULL) || (hdr->cookie != IPA_HDR_COOKIE)) { if ((hdr == NULL) || (hdr->cookie != IPA_HDR_COOKIE)) {
@ -1636,6 +1679,25 @@ static int __ipa_mdfy_rt_rule(struct ipa_rt_rule_mdfy *rtrule)
goto error; goto error;
} }
/* Adding check to confirm still
* header entry present in header table or not
*/
if (entry->hdr) {
hdr_entry = ipa3_id_find(entry->rule.hdr_hdl);
if (!hdr_entry || hdr_entry->cookie != IPA_HDR_COOKIE) {
IPAERR_RL("Header entry already deleted\n");
return -EPERM;
}
} else if (entry->proc_ctx) {
hdr_proc_entry = ipa3_id_find(entry->rule.hdr_proc_ctx_hdl);
if (!hdr_proc_entry ||
hdr_proc_entry->cookie != IPA_PROC_HDR_COOKIE) {
IPAERR_RL("Proc header entry already deleted\n");
return -EPERM;
}
}
if (entry->hdr) if (entry->hdr)
entry->hdr->ref_cnt--; entry->hdr->ref_cnt--;
if (entry->proc_ctx) if (entry->proc_ctx)
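Review bot: In `__ipa3_del_rt_rule` the added check returns `-EINVAL` as soon as the referenced header or proc-ctx entry is gone, which appears to leave the routing rule in place with its stale `entry->hdr` / `entry->proc_ctx` pointer and no way for the caller to delete it. This is inferred from the early return sitting ahead of the `__ipa3_release_hdr(entry->hdr->id)` call; the rest of the function, where the rule would be unlinked, is outside the hunk. Consider skipping only the release step when the lookup fails and letting the deletion continue, or add a comment above the check explaining why such a rule must be kept. The v2 `__ipa_del_rt_rule` in the first file has the same early return. Separately, the new branches in `__ipa_mdfy_rt_rule` use `return -EPERM;` where the neighbouring failure paths use `goto error;`, so `goto error;` would keep them on the same exit path.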