Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 22bd494f authored by Jagadeesh Ponduru's avatar Jagadeesh Ponduru
Browse files

msm: ipa3: Pointer Check and Fix overflow in Header Deletion 



During header deletion, if there is a HPC referencing to a header,
and the header is deleted, the later commit will cause
writing garbage values to the HW during commit.

Change-Id: Ib8bb490e38c57d975c21e5848850cd79263c95fe
Signed-off-by: default avatarJagadeesh Ponduru <jponduru@codeaurora.org>
parent 0a09ea53

drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c

+8 −2
Original line number Diff line number Diff line 
// SPDX-License-Identifier: GPL-2.0-only

/*

 * Copyright (c) 2012-2020, The Linux Foundation. All rights reserved.

 * Copyright (c) 2012-2021, The Linux Foundation. All rights reserved.

 */



#include "ipa_i.h"
@@ -90,6 +90,12 @@ static int ipa3_hdr_proc_ctx_to_hw_format(struct ipa_mem_buffer *mem, 
					0 : 1;

			}

		}

		/* Check the pointer and header length to avoid dangerous overflow in HW */

		if (unlikely(!entry->hdr || !entry->hdr->offset_entry ||

				!entry->offset_entry ||

				entry->hdr->hdr_len == 0 ||

				entry->hdr->hdr_len > ipa_hdr_bin_sz[IPA_HDR_BIN_MAX - 1]))

			return -EINVAL;



		ret = ipahal_cp_proc_ctx_to_hw_buff(entry->type, mem->base,

				entry->offset_entry->offset,
@@ -747,7 +753,7 @@ int __ipa3_del_hdr(u32 hdr_hdl, bool by_user) 
		return 0;

	}



	if (entry->is_hdr_proc_ctx) {

	if (entry->is_hdr_proc_ctx || entry->proc_ctx) {

		dma_unmap_single(ipa3_ctx->pdev,

			entry->phys_base,

			entry->hdr_len,