Merge "msm: adsprpc: Fix array index underflow problem" (f9c9eaa4) · Commits · e / devices / android_kernel_fairphone_FP3

drivers/char/adsprpc.c

+51 −21

Original line number	Diff line number	Diff line
		@@ -720,12 +720,20 @@ static void fastrpc_mmap_free(struct fastrpc_mmap *map, uint32_t flags)
		{
		struct fastrpc_apps *me = &gfa;
		struct fastrpc_file *fl;
		int vmid;
		int vmid, cid = -1, err = 0;
		struct fastrpc_session_ctx *sess;

		if (!map)
		return;
		fl = map->fl;
		cid = fl->cid;
		VERIFY(err, cid >= ADSP_DOMAIN_ID && cid < NUM_CHANNELS);
		if (err) {
		err = -ECHRNG;
		pr_err("adsprpc: ERROR:%s, Invalid channel id: %d, err:%d",
		__func__, cid, err);
		return;
		}
		if (map->flags == ADSP_MMAP_HEAP_ADDR \|\|
		map->flags == ADSP_MMAP_REMOTE_HEAP_ADDR) {
		spin_lock(&me->hlock);
		@@ -805,15 +813,21 @@ static int fastrpc_mmap_create(struct fastrpc_file *fl, int fd,
		struct fastrpc_apps *me = &gfa;
		struct fastrpc_session_ctx *sess;
		struct fastrpc_apps *apps = fl->apps;
		int cid = fl->cid;
		struct fastrpc_channel_ctx *chan = &apps->channel[cid];
		struct fastrpc_mmap *map = NULL;
		struct fastrpc_channel_ctx *chan = NULL;
		unsigned long attrs;
		dma_addr_t region_phys = 0;
		void *region_vaddr = NULL;
		unsigned long flags;
		int err = 0, vmid;
		int err = 0, vmid, cid = -1;

		cid = fl->cid;
		VERIFY(err, cid >= ADSP_DOMAIN_ID && cid < NUM_CHANNELS);
		if (err) {
		err = -ECHRNG;
		goto bail;
		}
		chan = &apps->channel[cid];
		if (!fastrpc_mmap_find(fl, fd, va, len, mflags, 1, ppmap))
		return 0;
		map = kzalloc(sizeof(*map), GFP_KERNEL);
		@@ -1850,12 +1864,22 @@ static int fastrpc_invoke_send(struct smq_invoke_ctx *ctx,
		{
		struct smq_msg *msg = &ctx->msg;
		struct fastrpc_file *fl = ctx->fl;
		struct fastrpc_channel_ctx *channel_ctx = &fl->apps->channel[fl->cid];
		int err = 0, len;
		int err = 0, len, cid = -1;
		struct fastrpc_channel_ctx *channel_ctx = NULL;

		cid = fl->cid;
		VERIFY(err, cid >= ADSP_DOMAIN_ID && cid < NUM_CHANNELS);
		if (err) {
		err = -ECHRNG;
		goto bail;
		}
		channel_ctx = &fl->apps->channel[fl->cid];

		VERIFY(err, NULL != channel_ctx->chan);
		if (err)
		if (err) {
		err = -ECHRNG;
		goto bail;
		}
		msg->pid = fl->tgid;
		msg->tid = current->pid;
		if (fl->sessionid)
		@@ -1974,11 +1998,22 @@ static int fastrpc_internal_invoke(struct fastrpc_file *fl, uint32_t mode,
		{
		struct smq_invoke_ctx *ctx = NULL;
		struct fastrpc_ioctl_invoke *invoke = &inv->inv;
		int cid = fl->cid;
		int interrupted = 0;
		int err = 0;
		int err = 0, cid = -1, interrupted = 0;
		struct timespec invoket = {0};
		int64_t *perf_counter = getperfcounter(fl, PERF_COUNT);
		int64_t *perf_counter = NULL;

		cid = fl->cid;
		VERIFY(err, cid >= ADSP_DOMAIN_ID && cid < NUM_CHANNELS);
		if (err) {
		err = -ECHRNG;
		goto bail;
		}
		VERIFY(err, fl->sctx != NULL);
		if (err) {
		err = -EBADR;
		goto bail;
		}
		perf_counter = getperfcounter(fl, PERF_COUNT);

		if (fl->profile)
		getnstimeofday(&invoket);
		@@ -1992,13 +2027,6 @@ static int fastrpc_internal_invoke(struct fastrpc_file *fl, uint32_t mode,
		}
		}

		VERIFY(err, fl->sctx != NULL);
		if (err)
		goto bail;
		VERIFY(err, fl->cid >= 0 && fl->cid < NUM_CHANNELS);
		if (err)
		goto bail;

		if (!kernel) {
		VERIFY(err, 0 == context_restore_interrupted(fl, inv,
		&ctx));
		@@ -3408,7 +3436,7 @@ static const struct file_operations debugfs_fops = {
		static int fastrpc_channel_open(struct fastrpc_file *fl)
		{
		struct fastrpc_apps *me = &gfa;
		int cid, ii, err = 0;
		int cid = -1, ii, err = 0;

		mutex_lock(&me->smd_mutex);

		@@ -3416,9 +3444,11 @@ static int fastrpc_channel_open(struct fastrpc_file *fl)
		if (err)
		goto bail;
		cid = fl->cid;
		VERIFY(err, cid >= 0 && cid < NUM_CHANNELS);
		if (err)
		VERIFY(err, cid >= ADSP_DOMAIN_ID && cid < NUM_CHANNELS);
		if (err) {
		err = -ECHRNG;
		goto bail;
		}
		if (me->channel[cid].ssrcount !=
		me->channel[cid].prevssrcount) {
		if (!me->channel[cid].issubsystemup) {