首页 发现 帮助
登录
samsung-sm8650
/
android_kernel_samsung_sm8650-modules
2
0
派生 0
文件 工单管理 0 合并请求 0 Wiki
浏览代码

msm: ipa3: Fix to NULL terminate the header pointer in proc header table

While resetting the header rules if it find invalid header ID it
will return before freeting proc header table it was leading to use
after free when accessing the header pointer from proc header table.
Adding changes to NULL terminating header pointer in proc header table
after header table deleted from the list.

Change-Id: If270d855d3907e61368336316161a250053e1e62
Signed-off-by: Ashok Vuyyuru <[email protected]>
Ashok Vuyyuru 3 年之前
父节点
177ccbe352
当前提交
2785d02d4b
共有 1 个文件被更改,包括 3 次插入0 次删除
分列视图 显示文件统计
  1. 3 0
      drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c

+ 3 - 0
drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c
查看文件 

@@ -1270,6 +1270,7 @@ int ipa3_reset_hdr(bool user_only)
 
 
 			if (ipa3_id_find(entry->id) == NULL) {
 
 				mutex_unlock(&ipa3_ctx->lock);
 
+				IPAERR_RL("Invalid header ID\n");
 
 				WARN_ON_RATELIMIT_IPA(1);
 
 				return -EFAULT;
 
 			}
 
@@ -1280,6 +1281,7 @@ int ipa3_reset_hdr(bool user_only)
 
 						entry->phys_base,
 
 						entry->hdr_len,
 
 						DMA_TO_DEVICE);
 
+					entry->proc_ctx->hdr = NULL;
 
 					entry->proc_ctx = NULL;
 
 				} else {
 
 					/* move the offset entry to free list */
 
@@ -1338,6 +1340,7 @@ int ipa3_reset_hdr(bool user_only)
 
 
 		if (ipa3_id_find(ctx_entry->id) == NULL) {
 
 			mutex_unlock(&ipa3_ctx->lock);
 
+			IPAERR_RL("Invalid proc header ID\n");
 
 			WARN_ON_RATELIMIT_IPA(1);
 
 			return -EFAULT;
 
 		}