Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 9881e48f authored by qctecmdr's avatar qctecmdr Committed by Gerrit - the friendly Code Review server
Browse files

Merge "msm: adsprpc: Validate channel ID before dereferencing"

parents b8658fe7 d01faa36

drivers/char/adsprpc.c

+6 −1
Original line number Original line Diff line number Diff line
@@ -796,7 +796,7 @@ static int fastrpc_mmap_create(struct fastrpc_file *fl, int fd, 
	struct fastrpc_session_ctx *sess;

	struct fastrpc_session_ctx *sess;

	struct fastrpc_apps *apps = fl->apps;

	struct fastrpc_apps *apps = fl->apps;

	int cid = fl->cid;

	int cid = fl->cid;

	struct fastrpc_channel_ctx *chan = &apps->channel[cid];

	struct fastrpc_channel_ctx *chan = NULL;

	struct fastrpc_mmap *map = NULL;

	struct fastrpc_mmap *map = NULL;

	dma_addr_t region_phys = 0;

	dma_addr_t region_phys = 0;

	void *region_vaddr = NULL;

	void *region_vaddr = NULL;
@@ -804,6 +804,11 @@ static int fastrpc_mmap_create(struct fastrpc_file *fl, int fd, 
	int err = 0, vmid, sgl_index = 0;

	int err = 0, vmid, sgl_index = 0;

	struct scatterlist *sgl = NULL;

	struct scatterlist *sgl = NULL;





	VERIFY(err, cid >= 0 && cid < NUM_CHANNELS);

	if (err)

		goto bail;

	chan = &apps->channel[cid];



	if (!fastrpc_mmap_find(fl, fd, va, len, mflags, 1, ppmap))

	if (!fastrpc_mmap_find(fl, fd, va, len, mflags, 1, ppmap))

		return 0;

		return 0;

	map = kzalloc(sizeof(*map), GFP_KERNEL);

	map = kzalloc(sizeof(*map), GFP_KERNEL);