samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge "msm: ipa4: Add checks to prevent use-after-free errors"

Browse Source
This commit is contained in:
qctecmdr
2020-07-15 23:22:58 -07:00
committed by Gerrit - the friendly Code Review server
parent 6adb226271 9fd0658d2d
commit aef65700cc
2 changed files with 8 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
drivers/platform/msm/ipa/ipa_v3/ipa_rt.c
View File

@@ -1741,7 +1741,8 @@ int __ipa3_del_rt_rule(u32 rule_hdl)
return -EINVAL; return -EINVAL;
} }
if (!strcmp(entry->tbl->name, IPA_DFLT_RT_TBL_NAME)) { if (!ipa3_check_idr_if_freed(entry) &&
!strcmp(entry->tbl->name, IPA_DFLT_RT_TBL_NAME)) {
IPADBG("Deleting rule from default rt table idx=%u\n", IPADBG("Deleting rule from default rt table idx=%u\n",
entry->tbl->idx); entry->tbl->idx);
if (entry->tbl->rule_cnt == 1) { if (entry->tbl->rule_cnt == 1) {
@@ -1971,7 +1972,8 @@ int ipa3_reset_rt(enum ipa_ip_type ip, bool user_only)
} }
} }
tbl->rule_cnt--; tbl->rule_cnt--;
if (rule->hdr) if (rule->hdr &&
(!ipa3_check_idr_if_freed(rule->hdr)))
__ipa3_release_hdr(rule->hdr->id); __ipa3_release_hdr(rule->hdr->id);
else if (rule->proc_ctx && else if (rule->proc_ctx &&
(!ipa3_check_idr_if_freed( (!ipa3_check_idr_if_freed(
@@ -2174,7 +2176,8 @@ static int __ipa_mdfy_rt_rule(struct ipa_rt_rule_mdfy_i *rtrule)
goto error; goto error;
} }
if (!strcmp(entry->tbl->name, IPA_DFLT_RT_TBL_NAME)) { if (!ipa3_check_idr_if_freed(entry) &&
!strcmp(entry->tbl->name, IPA_DFLT_RT_TBL_NAME)) {
IPAERR_RL("Default tbl rule cannot be modified\n"); IPAERR_RL("Default tbl rule cannot be modified\n");
return -EINVAL; return -EINVAL;
} }

4
drivers/platform/msm/ipa/ipa_v3/ipa_utils.c
View File

@@ -6537,7 +6537,7 @@ void ipa3_counter_remove_hdl(int hdl)
} }
/* remove counters belong to this hdl, set used back to 0 */ /* remove counters belong to this hdl, set used back to 0 */
offset = counter->hw_counter.start_id - 1; offset = counter->hw_counter.start_id - 1;
if (offset >= 0 && offset + counter->hw_counter.num_counters if (offset >= 0 && (offset + counter->hw_counter.num_counters)
< IPA_FLT_RT_HW_COUNTER) { < IPA_FLT_RT_HW_COUNTER) {
memset(&ipa3_ctx->flt_rt_counters.used_hw + offset, memset(&ipa3_ctx->flt_rt_counters.used_hw + offset,
0, counter->hw_counter.num_counters * sizeof(bool)); 0, counter->hw_counter.num_counters * sizeof(bool));
@@ -6546,7 +6546,7 @@ void ipa3_counter_remove_hdl(int hdl)
goto err; goto err;
} }
offset = counter->sw_counter.start_id - 1 - IPA_FLT_RT_HW_COUNTER; offset = counter->sw_counter.start_id - 1 - IPA_FLT_RT_HW_COUNTER;
if (offset >= 0 && offset + counter->sw_counter.num_counters if (offset >= 0 && (offset + counter->sw_counter.num_counters)
< IPA_FLT_RT_SW_COUNTER) { < IPA_FLT_RT_SW_COUNTER) {
memset(&ipa3_ctx->flt_rt_counters.used_sw + offset, memset(&ipa3_ctx->flt_rt_counters.used_sw + offset,
0, counter->sw_counter.num_counters * sizeof(bool)); 0, counter->sw_counter.num_counters * sizeof(bool));