samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
複製 0
程式碼 問題管理 合併請求 Actions Packages Projects 版本發佈 Wiki Activity

qcacmn: Fix crash due to corruption in ce_mark_datapath

瀏覽代碼 
Use length of service_to_pipe array to loop through services instead of
array size.

Change-Id: I107203861501ed5ac348979868ac981b5a6cd1ae
CRs-Fixed: 2033254
This commit is contained in:
Kiran Venkatappa
2017-04-13 16:45:03 +05:30
committed by Sandeep Puligilla
父節點 6cb0fa1c4f
當前提交 c068709444
共有 1 個文件被更改,包括 3 次插入2 次删除
Download Patch File Download Diff File Expand all files Collapse all files

5
hif/src/ce/ce_main.c
查看文件

@@ -597,7 +597,7 @@ static void hif_select_service_to_pipe_map(struct hif_softc *scn,
static bool ce_mark_datapath(struct CE_state *ce_state) static bool ce_mark_datapath(struct CE_state *ce_state)
{ {
struct service_to_pipe *svc_map; struct service_to_pipe *svc_map;
uint32_t map_sz; uint32_t map_sz, map_len;
int i; int i;
bool rc = false; bool rc = false;
@@ -605,7 +605,8 @@ static bool ce_mark_datapath(struct CE_state *ce_state)
hif_select_service_to_pipe_map(ce_state->scn, &svc_map, hif_select_service_to_pipe_map(ce_state->scn, &svc_map,
&map_sz); &map_sz);
for (i = 0; i < map_sz; i++) { map_len = map_sz / sizeof(struct service_to_pipe);
for (i = 0; i < map_len; i++) {
if ((svc_map[i].pipenum == ce_state->id) && if ((svc_map[i].pipenum == ce_state->id) &&
((svc_map[i].service_id == HTT_DATA_MSG_SVC) || ((svc_map[i].service_id == HTT_DATA_MSG_SVC) ||
(svc_map[i].service_id == HTT_DATA2_MSG_SVC) || (svc_map[i].service_id == HTT_DATA2_MSG_SVC) ||