Home Explore Help
Sign In
samsung-sm8650
/
android_kernel_samsung_sm8650-modules
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

msm: ipa3: Fix to NULL terminate the header pointer in proc header table

While resetting the header rules if it find invalid header ID it
will return before freeting proc header table it was leading to use
after free when accessing the header pointer from proc header table.
Adding changes to NULL terminating header pointer in proc header table
after header table deleted from the list.

Change-Id: If270d855d3907e61368336316161a250053e1e62
Signed-off-by: Ashok Vuyyuru <[email protected]>
Ashok Vuyyuru 3 years ago
parent
177ccbe352
commit
2785d02d4b
1 changed files with 3 additions and 0 deletions
Split View Show Diff Stats
  1. 3 0
      drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c

+ 3 - 0
drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c
View File 

@@ -1270,6 +1270,7 @@ int ipa3_reset_hdr(bool user_only)
 
 
 			if (ipa3_id_find(entry->id) == NULL) {
 
 				mutex_unlock(&ipa3_ctx->lock);
 
+				IPAERR_RL("Invalid header ID\n");
 
 				WARN_ON_RATELIMIT_IPA(1);
 
 				return -EFAULT;
 
 			}
 
@@ -1280,6 +1281,7 @@ int ipa3_reset_hdr(bool user_only)
 
 						entry->phys_base,
 
 						entry->hdr_len,
 
 						DMA_TO_DEVICE);
 
+					entry->proc_ctx->hdr = NULL;
 
 					entry->proc_ctx = NULL;
 
 				} else {
 
 					/* move the offset entry to free list */
 
@@ -1338,6 +1340,7 @@ int ipa3_reset_hdr(bool user_only)
 
 
 		if (ipa3_id_find(ctx_entry->id) == NULL) {
 
 			mutex_unlock(&ipa3_ctx->lock);
 
+			IPAERR_RL("Invalid proc header ID\n");
 
 			WARN_ON_RATELIMIT_IPA(1);
 
 			return -EFAULT;
 
 		}