4 年之前 · 68623da41c
--- a/drivers/platform/msm/ipa/ipa_v3/ipa_rt.c
+++ b/drivers/platform/msm/ipa/ipa_v3/ipa_rt.c
@@ -79,14 +79,16 @@ static int ipa_generate_rt_hw_rule(enum ipa_ip_type ip,
 
				 
			
 
				 	if (entry->hdr) {
			
 
				 		hdr_entry = ipa3_id_find(entry->rule.hdr_hdl);
			
 
				-		if (!hdr_entry || hdr_entry->cookie != IPA_HDR_COOKIE) {
			
 
				+		if (!hdr_entry || (hdr_entry->cookie != IPA_HDR_COOKIE) ||
			
 
				+			ipa3_check_idr_if_freed(entry->hdr)) {
			
 
				 			IPAERR_RL("Header entry already deleted\n");
			
 
				 			return -EPERM;
			
 
				 		}
			
 
				 	} else if (entry->proc_ctx) {
			
 
				 		hdr_proc_entry = ipa3_id_find(entry->rule.hdr_proc_ctx_hdl);
			
 
				 		if (!hdr_proc_entry ||
			
 
				-			hdr_proc_entry->cookie != IPA_PROC_HDR_COOKIE) {
			
 
				+			(hdr_proc_entry->cookie != IPA_PROC_HDR_COOKIE) ||
			
 
				+			ipa3_check_idr_if_freed(entry->proc_ctx)) {
			
 
				 			IPAERR_RL("Proc header entry already deleted\n");
			
 
				 			return -EPERM;
			
 
				 		}
			
@@ -1759,18 +1761,19 @@ int __ipa3_del_rt_rule(u32 rule_hdl)
 
				 		hdr_entry = ipa3_id_find(entry->rule.hdr_hdl);
			
 
				 		if (!hdr_entry || hdr_entry->cookie != IPA_HDR_COOKIE) {
			
 
				 			IPAERR_RL("Header entry already deleted\n");
			
 
				-			return -EINVAL;
			
 
				+			entry->hdr = NULL;
			
 
				 		}
			
 
				 	} else if (entry->proc_ctx) {
			
 
				 		hdr_proc_entry = ipa3_id_find(entry->rule.hdr_proc_ctx_hdl);
			
 
				 		if (!hdr_proc_entry ||
			
 
				 			hdr_proc_entry->cookie != IPA_PROC_HDR_COOKIE) {
			
 
				 			IPAERR_RL("Proc header entry already deleted\n");
			
 
				-			return -EINVAL;
			
 
				+			entry->proc_ctx = NULL;
			
 
				 		}
			
 
				 	}
			
 
				 
			
 
				-	if (entry->hdr)
			
 
				+	if (entry->hdr &&
			
 
				+		(!ipa3_check_idr_if_freed(entry->hdr)))
			
 
				 		__ipa3_release_hdr(entry->hdr->id);
			
 
				 	else if (entry->proc_ctx &&
			
 
				 		(!ipa3_check_idr_if_freed(entry->proc_ctx)))
			
@@ -1947,16 +1950,14 @@ int ipa3_reset_rt(enum ipa_ip_type ip, bool user_only)
 
				 
			
 
				 			if (!user_only ||
			
 
				 				rule->ipacm_installed) {
			
 
				-				list_del(&rule->link);
			
 
				 				if (rule->hdr) {
			
 
				 					hdr_entry = ipa3_id_find(
			
 
				 							rule->rule.hdr_hdl);
			
 
				 					if (!hdr_entry ||
			
 
				 					hdr_entry->cookie != IPA_HDR_COOKIE) {
			
 
				-						mutex_unlock(&ipa3_ctx->lock);
			
 
				 						IPAERR_RL(
			
 
				 						"Header already deleted\n");
			
 
				-						return -EINVAL;
			
 
				+						rule->hdr = NULL;
			
 
				 					}
			
 
				 				} else if (rule->proc_ctx) {
			
 
				 					hdr_proc_entry =
			
@@ -1965,15 +1966,16 @@ int ipa3_reset_rt(enum ipa_ip_type ip, bool user_only)
 
				 					if (!hdr_proc_entry ||
			
 
				 						hdr_proc_entry->cookie !=
			
 
				 							IPA_PROC_HDR_COOKIE) {
			
 
				-						mutex_unlock(&ipa3_ctx->lock);
			
 
				 						IPAERR_RL(
			
 
				 						"Proc entry already deleted\n");
			
 
				-						return -EINVAL;
			
 
				+						rule->proc_ctx = NULL;
			
 
				 					}
			
 
				 				}
			
 
				 				tbl->rule_cnt--;
			
 
				+				list_del(&rule->link);
			
 
				 				if (rule->hdr &&
			
 
				-					(!ipa3_check_idr_if_freed(rule->hdr)))
			
 
				+					(!ipa3_check_idr_if_freed(
			
 
				+						rule->hdr)))
			
 
				 					__ipa3_release_hdr(rule->hdr->id);
			
 
				 				else if (rule->proc_ctx &&
			
 
				 					(!ipa3_check_idr_if_freed(
			
@@ -2150,20 +2152,8 @@ static int __ipa_mdfy_rt_rule(struct ipa_rt_rule_mdfy_i *rtrule)
 
				 	struct ipa3_hdr_entry *hdr_entry;
			
 
				 	struct ipa3_hdr_proc_ctx_entry *hdr_proc_entry;
			
 
				 
			
 
				-	if (rtrule->rule.hdr_hdl) {
			
 
				-		hdr = ipa3_id_find(rtrule->rule.hdr_hdl);
			
 
				-		if ((hdr == NULL) || (hdr->cookie != IPA_HDR_COOKIE)) {
			
 
				-			IPAERR_RL("rt rule does not point to valid hdr\n");
			
 
				-			goto error;
			
 
				-		}
			
 
				-	} else if (rtrule->rule.hdr_proc_ctx_hdl) {
			
 
				-		proc_ctx = ipa3_id_find(rtrule->rule.hdr_proc_ctx_hdl);
			
 
				-		if ((proc_ctx == NULL) ||
			
 
				-			(proc_ctx->cookie != IPA_PROC_HDR_COOKIE)) {
			
 
				-			IPAERR_RL("rt rule does not point to valid proc ctx\n");
			
 
				-			goto error;
			
 
				-		}
			
 
				-	}
			
 
				+	if (__ipa_rt_validate_hndls(&rtrule->rule, &hdr, &proc_ctx))
			
 
				+		goto error;
			
 
				 
			
 
				 	entry = ipa3_id_find(rtrule->rt_rule_hdl);
			
 
				 	if (entry == NULL) {
			
@@ -2187,14 +2177,16 @@ static int __ipa_mdfy_rt_rule(struct ipa_rt_rule_mdfy_i *rtrule)
 
				 
			
 
				 	if (entry->hdr) {
			
 
				 		hdr_entry = ipa3_id_find(entry->rule.hdr_hdl);
			
 
				-		if (!hdr_entry || hdr_entry->cookie != IPA_HDR_COOKIE) {
			
 
				+		if (!hdr_entry || (hdr_entry->cookie != IPA_HDR_COOKIE) ||
			
 
				+			ipa3_check_idr_if_freed(entry->hdr)) {
			
 
				 			IPAERR_RL("Header entry already deleted\n");
			
 
				 			return -EPERM;
			
 
				 		}
			
 
				 	} else if (entry->proc_ctx) {
			
 
				 		hdr_proc_entry = ipa3_id_find(entry->rule.hdr_proc_ctx_hdl);
			
 
				 		if (!hdr_proc_entry ||
			
 
				-			hdr_proc_entry->cookie != IPA_PROC_HDR_COOKIE) {
			
 
				+			(hdr_proc_entry->cookie != IPA_PROC_HDR_COOKIE) ||
			
 
				+			ipa3_check_idr_if_freed(entry->proc_ctx)) {
			
 
				 			IPAERR_RL("Proc header entry already deleted\n");
			
 
				 			return -EPERM;
			
 
				 		}
			
@@ -2202,7 +2194,7 @@ static int __ipa_mdfy_rt_rule(struct ipa_rt_rule_mdfy_i *rtrule)
 
				 
			
 
				 	if (entry->hdr)
			
 
				 		entry->hdr->ref_cnt--;
			
 
				-	if (entry->proc_ctx)
			
 
				+	else if (entry->proc_ctx)
			
 
				 		entry->proc_ctx->ref_cnt--;
			
 
				 
			
 
				 	entry->rule = rtrule->rule;