diff options
| author | Mohammed Javid <mjavid@codeaurora.org> | 2017-08-01 19:05:06 +0530 |
|---|---|---|
| committer | Mohammed Javid <mjavid@codeaurora.org> | 2017-08-30 12:10:39 +0530 |
| commit | 1d85aeac42c23851e5f7271df2bcb9ff77bccd0e (patch) | |
| tree | ff489882f44aabf890086a04d081972ad1e3eeae | |
| parent | 502914e130709bfaf33ab1411b712290ccef19ca (diff) | |
msm: ipa: Fix to use after free issue
Added code changes to avoid use after free
if header already table already freed
during ipa ioctl test.
Change-Id: I5e89c28448bd3b94714451432774457a170005bd
Acked-by: Ashok Vuyyuru <avuyyuru@qti.qualcomm.com>
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
| -rw-r--r-- | drivers/platform/msm/ipa/ipa_v2/ipa_rt.c | 13 | ||||
| -rw-r--r-- | drivers/platform/msm/ipa/ipa_v3/ipa_rt.c | 17 |
2 files changed, 22 insertions, 8 deletions
diff --git a/drivers/platform/msm/ipa/ipa_v2/ipa_rt.c b/drivers/platform/msm/ipa/ipa_v2/ipa_rt.c index 011ca300cc09..0a6f79356a77 100644 --- a/drivers/platform/msm/ipa/ipa_v2/ipa_rt.c +++ b/drivers/platform/msm/ipa/ipa_v2/ipa_rt.c @@ -53,7 +53,7 @@ int __ipa_generate_rt_hw_rule_v2(enum ipa_ip_type ip, int pipe_idx; if (buf == NULL) { - memset(tmp, 0, IPA_RT_FLT_HW_RULE_BUF_SIZE); + memset(tmp, 0, (IPA_RT_FLT_HW_RULE_BUF_SIZE/4)); buf = (u8 *)tmp; } @@ -75,8 +75,15 @@ int __ipa_generate_rt_hw_rule_v2(enum ipa_ip_type ip, rule_hdr->u.hdr.pipe_dest_idx = pipe_idx; rule_hdr->u.hdr.system = !ipa_ctx->hdr_tbl_lcl; if (entry->hdr) { - rule_hdr->u.hdr.hdr_offset = - entry->hdr->offset_entry->offset >> 2; + if (entry->hdr->cookie == IPA_HDR_COOKIE) { + rule_hdr->u.hdr.hdr_offset = + entry->hdr->offset_entry->offset >> 2; + } else { + IPAERR("Entry hdr deleted by user = %d cookie = %u\n", + entry->hdr->user_deleted, entry->hdr->cookie); + WARN_ON(1); + rule_hdr->u.hdr.hdr_offset = 0; + } } else { rule_hdr->u.hdr.hdr_offset = 0; } diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_rt.c b/drivers/platform/msm/ipa/ipa_v3/ipa_rt.c index bc7cc7060545..d6eeb3bc777e 100644 --- a/drivers/platform/msm/ipa/ipa_v3/ipa_rt.c +++ b/drivers/platform/msm/ipa/ipa_v3/ipa_rt.c @@ -72,11 +72,18 @@ static int ipa_generate_rt_hw_rule(enum ipa_ip_type ip, if (entry->proc_ctx || (entry->hdr && entry->hdr->is_hdr_proc_ctx)) { struct ipa3_hdr_proc_ctx_entry *proc_ctx; proc_ctx = (entry->proc_ctx) ? : entry->hdr->proc_ctx; - gen_params.hdr_lcl = ipa3_ctx->hdr_proc_ctx_tbl_lcl; - gen_params.hdr_type = IPAHAL_RT_RULE_HDR_PROC_CTX; - gen_params.hdr_ofst = proc_ctx->offset_entry->offset + - ipa3_ctx->hdr_proc_ctx_tbl.start_offset; - } else if (entry->hdr) { + if ((proc_ctx == NULL) || + (proc_ctx->cookie != IPA_PROC_HDR_COOKIE)) { + gen_params.hdr_type = IPAHAL_RT_RULE_HDR_NONE; + gen_params.hdr_ofst = 0; + } else { + gen_params.hdr_lcl = ipa3_ctx->hdr_proc_ctx_tbl_lcl; + gen_params.hdr_type = IPAHAL_RT_RULE_HDR_PROC_CTX; + gen_params.hdr_ofst = proc_ctx->offset_entry->offset + + ipa3_ctx->hdr_proc_ctx_tbl.start_offset; + } + } else if ((entry->hdr != NULL) && + (entry->hdr->cookie == IPA_HDR_COOKIE)) { gen_params.hdr_lcl = ipa3_ctx->hdr_tbl_lcl; gen_params.hdr_type = IPAHAL_RT_RULE_HDR_RAW; gen_params.hdr_ofst = entry->hdr->offset_entry->offset; |