evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge "msm:ipa: Fix to slab out of bounds access"

Browse source
This commit is contained in:
Linux Build Service Account 2017-10-05 16:09:51 -07:00 committed by Gerrit - the friendly Code Review server
commit 75d9384cc4
4 changed files with 26 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
drivers/platform/msm/ipa/ipa_v2/ipa_debugfs.c
View file

@ -812,10 +812,11 @@ static ssize_t ipa_read_flt(struct file *file, char __user *ubuf, size_t count,
eq = true;
} else {
rt_tbl = ipa_id_find(entry->rule.rt_tbl_hdl);
if (rt_tbl)
rt_tbl_idx = rt_tbl->idx;
if (rt_tbl == NULL ||
rt_tbl->cookie != IPA_RT_TBL_COOKIE)
rt_tbl_idx = ~0;
else
rt_tbl_idx = ~0;
rt_tbl_idx = rt_tbl->idx;
bitmap = entry->rule.attrib.attrib_mask;
eq = false;
}
@ -842,10 +843,11 @@ static ssize_t ipa_read_flt(struct file *file, char __user *ubuf, size_t count,
eq = true;
} else {
rt_tbl = ipa_id_find(entry->rule.rt_tbl_hdl);
if (rt_tbl)
rt_tbl_idx = rt_tbl->idx;
else
if (rt_tbl == NULL ||
rt_tbl->cookie != IPA_RT_TBL_COOKIE)
rt_tbl_idx = ~0;
else
rt_tbl_idx = rt_tbl->idx;
bitmap = entry->rule.attrib.attrib_mask;
eq = false;
}

7
drivers/platform/msm/ipa/ipa_v3/ipa_debugfs.c
View file

@ -867,10 +867,11 @@ static ssize_t ipa3_read_flt(struct file *file, char __user *ubuf, size_t count,
eq = true;
} else {
rt_tbl = ipa3_id_find(entry->rule.rt_tbl_hdl);
if (rt_tbl)
rt_tbl_idx = rt_tbl->idx;
if (rt_tbl == NULL ||
rt_tbl->cookie != IPA_RT_TBL_COOKIE)
rt_tbl_idx = ~0;
else
rt_tbl_idx = ~0;
rt_tbl_idx = rt_tbl->idx;
bitmap = entry->rule.attrib.attrib_mask;
eq = false;
}

7
drivers/platform/msm/ipa/ipa_v3/ipa_flt.c
View file

@ -1157,6 +1157,13 @@ int ipa3_add_flt_rule_after(struct ipa_ioc_add_flt_rule_after *rules)
goto bail;
}
if (entry->cookie != IPA_FLT_COOKIE) {
IPAERR_RL("Invalid cookie value = %u flt hdl id = %d\n",
entry->cookie, rules->add_after_hdl);
result = -EINVAL;
goto bail;
}
if (entry->tbl != tbl) {
IPAERR_RL("given entry does not match the table\n");
result = -EINVAL;

7
drivers/platform/msm/ipa/ipa_v3/ipa_rt.c
View file

@ -1152,6 +1152,13 @@ int ipa3_add_rt_rule_after(struct ipa_ioc_add_rt_rule_after *rules)
goto bail;
}
if (entry->cookie != IPA_RT_RULE_COOKIE) {
IPAERR_RL("Invalid cookie value = %u rule %d in rt tbls\n",
entry->cookie, rules->add_after_hdl);
ret = -EINVAL;
goto bail;
}
if (entry->tbl != tbl) {
IPAERR_RL("given rt rule does not match the table\n");
ret = -EINVAL;