Главная Обзор Помощь
Вход
samsung-sm8650
/
android_kernel_samsung_sm8650-modules
2
0
Ответвить 0
Файлы Задачи 0 Запросы на слияние 0 Вики
Просмотр исходного кода

Merge "msm: ipa4: Add checks to prevent use-after-free errors"

qctecmdr 4 лет назад
Родитель
6adb226271 9fd0658d2d
Сommit
aef65700cc
2 измененных файлов с 8 добавлено и 5 удалено
Единый вид Показать статистику Diff
  1. 6 3
      drivers/platform/msm/ipa/ipa_v3/ipa_rt.c
  2. 2 2
      drivers/platform/msm/ipa/ipa_v3/ipa_utils.c

+ 6 - 3
drivers/platform/msm/ipa/ipa_v3/ipa_rt.c
Просмотреть файл 

@@ -1741,7 +1741,8 @@ int __ipa3_del_rt_rule(u32 rule_hdl)
 
 		return -EINVAL;
 
 		return -EINVAL;
 
 	}
 
 	}
 
 
 
-	if (!strcmp(entry->tbl->name, IPA_DFLT_RT_TBL_NAME)) {
 
+	if (!ipa3_check_idr_if_freed(entry) &&
 
+		!strcmp(entry->tbl->name, IPA_DFLT_RT_TBL_NAME)) {
 
 		IPADBG("Deleting rule from default rt table idx=%u\n",
 
 		IPADBG("Deleting rule from default rt table idx=%u\n",
 
 			entry->tbl->idx);
 
 			entry->tbl->idx);
 
 		if (entry->tbl->rule_cnt == 1) {
 
 		if (entry->tbl->rule_cnt == 1) {
 
@@ -1971,7 +1972,8 @@ int ipa3_reset_rt(enum ipa_ip_type ip, bool user_only)
 
 					}
 
 					}
 
 				}
 
 				}
 
 				tbl->rule_cnt--;
 
 				tbl->rule_cnt--;
 
-				if (rule->hdr)
 
+				if (rule->hdr &&
 
+					(!ipa3_check_idr_if_freed(rule->hdr)))
 
 					__ipa3_release_hdr(rule->hdr->id);
 
 					__ipa3_release_hdr(rule->hdr->id);
 
 				else if (rule->proc_ctx &&
 
 				else if (rule->proc_ctx &&
 
 					(!ipa3_check_idr_if_freed(
 
 					(!ipa3_check_idr_if_freed(
 
@@ -2174,7 +2176,8 @@ static int __ipa_mdfy_rt_rule(struct ipa_rt_rule_mdfy_i *rtrule)
 
 		goto error;
 
 		goto error;
 
 	}
 
 	}
 
 
 
-	if (!strcmp(entry->tbl->name, IPA_DFLT_RT_TBL_NAME)) {
 
+	if (!ipa3_check_idr_if_freed(entry) &&
 
+		!strcmp(entry->tbl->name, IPA_DFLT_RT_TBL_NAME)) {
 
 		IPAERR_RL("Default tbl rule cannot be modified\n");
 
 		IPAERR_RL("Default tbl rule cannot be modified\n");
 
 		return -EINVAL;
 
 		return -EINVAL;
 
 	}
 
 	}

+ 2 - 2
drivers/platform/msm/ipa/ipa_v3/ipa_utils.c
Просмотреть файл 

@@ -6537,7 +6537,7 @@ void ipa3_counter_remove_hdl(int hdl)
 
 	}
 
 	}
 
 	/* remove counters belong to this hdl, set used back to 0 */
 
 	/* remove counters belong to this hdl, set used back to 0 */
 
 	offset = counter->hw_counter.start_id - 1;
 
 	offset = counter->hw_counter.start_id - 1;
 
-	if (offset >= 0 && offset + counter->hw_counter.num_counters
 
+	if (offset >= 0 && (offset + counter->hw_counter.num_counters)
 
 		< IPA_FLT_RT_HW_COUNTER) {
 
 		< IPA_FLT_RT_HW_COUNTER) {
 
 		memset(&ipa3_ctx->flt_rt_counters.used_hw + offset,
 
 		memset(&ipa3_ctx->flt_rt_counters.used_hw + offset,
 
 			   0, counter->hw_counter.num_counters * sizeof(bool));
 
 			   0, counter->hw_counter.num_counters * sizeof(bool));
 
@@ -6546,7 +6546,7 @@ void ipa3_counter_remove_hdl(int hdl)
 
 		goto err;
 
 		goto err;
 
 	}
 
 	}
 
 	offset = counter->sw_counter.start_id - 1 - IPA_FLT_RT_HW_COUNTER;
 
 	offset = counter->sw_counter.start_id - 1 - IPA_FLT_RT_HW_COUNTER;
 
-	if (offset >= 0 && offset + counter->sw_counter.num_counters
 
+	if (offset >= 0 && (offset + counter->sw_counter.num_counters)
 
 		< IPA_FLT_RT_SW_COUNTER) {
 
 		< IPA_FLT_RT_SW_COUNTER) {
 
 		memset(&ipa3_ctx->flt_rt_counters.used_sw + offset,
 
 		memset(&ipa3_ctx->flt_rt_counters.used_sw + offset,
 
 		   0, counter->sw_counter.num_counters * sizeof(bool));
 
 		   0, counter->sw_counter.num_counters * sizeof(bool));