Merge "diag: Validate memory device client's process descriptor"
This commit is contained in:
Linux Build Service Account
Gerrit - the friendly Code Review server
commit
932034e5a1
1 changed files with 41 additions and 16 deletions
|
|
@ -252,6 +252,7 @@ int diag_md_copy_to_user(char __user *buf, int *pret, size_t buf_size,
|
|||
uint8_t drain_again = 0;
|
||||
uint8_t peripheral = 0;
|
||||
struct diag_md_session_t *session_info = NULL;
|
||||
struct pid *pid_struct = NULL;
|
||||
|
||||
mutex_lock(&driver->diagfwd_untag_mutex);
|
||||
|
||||
|
|
@ -278,6 +279,14 @@ int diag_md_copy_to_user(char __user *buf, int *pret, size_t buf_size,
|
|||
if ((info && (info->peripheral_mask &
|
||||
MD_PERIPHERAL_MASK(peripheral)) == 0))
|
||||
goto drop_data;
|
||||
pid_struct = find_get_pid(session_info->pid);
|
||||
if (!pid_struct) {
|
||||
err = -ESRCH;
|
||||
DIAG_LOG(DIAG_DEBUG_PERIPHERALS,
|
||||
"diag: No such md_session_map[%d] with pid = %d err=%d exists..\n",
|
||||
peripheral, session_info->pid, err);
|
||||
goto drop_data;
|
||||
}
|
||||
/*
|
||||
* If the data is from remote processor, copy the remote
|
||||
* token first
|
||||
|
|
@ -297,27 +306,35 @@ int diag_md_copy_to_user(char __user *buf, int *pret, size_t buf_size,
|
|||
}
|
||||
if (i > 0) {
|
||||
remote_token = diag_get_remote(i);
|
||||
err = copy_to_user(buf + ret, &remote_token,
|
||||
sizeof(int));
|
||||
if (get_pid_task(pid_struct, PIDTYPE_PID)) {
|
||||
err = copy_to_user(buf + ret,
|
||||
&remote_token,
|
||||
sizeof(int));
|
||||
if (err)
|
||||
goto drop_data;
|
||||
ret += sizeof(int);
|
||||
}
|
||||
}
|
||||
|
||||
/* Copy the length of data being passed */
|
||||
if (get_pid_task(pid_struct, PIDTYPE_PID)) {
|
||||
err = copy_to_user(buf + ret,
|
||||
(void *)&(entry->len),
|
||||
sizeof(int));
|
||||
if (err)
|
||||
goto drop_data;
|
||||
ret += sizeof(int);
|
||||
}
|
||||
|
||||
/* Copy the length of data being passed */
|
||||
err = copy_to_user(buf + ret, (void *)&(entry->len),
|
||||
sizeof(int));
|
||||
if (err)
|
||||
goto drop_data;
|
||||
ret += sizeof(int);
|
||||
|
||||
/* Copy the actual data being passed */
|
||||
err = copy_to_user(buf + ret, (void *)entry->buf,
|
||||
entry->len);
|
||||
if (err)
|
||||
goto drop_data;
|
||||
ret += entry->len;
|
||||
|
||||
if (get_pid_task(pid_struct, PIDTYPE_PID)) {
|
||||
err = copy_to_user(buf + ret,
|
||||
(void *)entry->buf,
|
||||
entry->len);
|
||||
if (err)
|
||||
goto drop_data;
|
||||
ret += entry->len;
|
||||
}
|
||||
/*
|
||||
* The data is now copied to the user space client,
|
||||
* Notify that the write is complete and delete its
|
||||
|
|
@ -339,7 +356,15 @@ drop_data:
|
|||
}
|
||||
|
||||
*pret = ret;
|
||||
err = copy_to_user(buf + sizeof(int), (void *)&num_data, sizeof(int));
|
||||
if (pid_struct && get_pid_task(pid_struct, PIDTYPE_PID)) {
|
||||
err = copy_to_user(buf + sizeof(int),
|
||||
(void *)&num_data,
|
||||
sizeof(int));
|
||||
} else {
|
||||
DIAG_LOG(DIAG_DEBUG_PERIPHERALS,
|
||||
"diag: md_session_map[%d] with pid = %d Exited..\n",
|
||||
peripheral, driver->md_session_map[peripheral]->pid);
|
||||
}
|
||||
diag_ws_on_copy_complete(DIAG_WS_MUX);
|
||||
if (drain_again)
|
||||
chk_logging_wakeup();
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue