Loading drivers/platform/msm/ipa/ipa_v3/ipa.c +142 −0 Original line number Diff line number Diff line Loading @@ -1005,6 +1005,7 @@ static int ipa3_ioctl_add_rt_rule_v2(unsigned long arg) u32 pyld_sz; u64 uptr = 0; u8 *param = NULL; u8 *param2 = NULL; u8 *kptr = NULL; if (copy_from_user(header, (const void __user *)arg, Loading Loading @@ -1043,6 +1044,24 @@ static int ipa3_ioctl_add_rt_rule_v2(unsigned long arg) retval = -EFAULT; goto free_param_kptr; } param2 = memdup_user((const void __user *)arg, sizeof(struct ipa_ioc_add_rt_rule_v2)); if (IS_ERR(param2)) { retval = -EFAULT; goto free_param_kptr; } /* add check in case user-space module compromised */ if (unlikely(((struct ipa_ioc_add_rt_rule_v2 *)param2)->num_rules != pre_entry)) { IPAERR_RL("current %d pre %d\n", ((struct ipa_ioc_add_rt_rule_v2 *)param2)-> num_rules, pre_entry); retval = -EFAULT; goto free_param_kptr; } /* alloc kernel pointer with actual payload size */ kptr = kzalloc(pyld_sz, GFP_KERNEL); if (!kptr) { Loading Loading @@ -1082,6 +1101,8 @@ static int ipa3_ioctl_add_rt_rule_v2(unsigned long arg) free_param_kptr: if (!IS_ERR(param)) kfree(param); if (!IS_ERR(param2)) kfree(param2); kfree(kptr); return retval; Loading @@ -1097,6 +1118,7 @@ static int ipa3_ioctl_add_rt_rule_ext_v2(unsigned long arg) u32 pyld_sz; u64 uptr = 0; u8 *param = NULL; u8 *param2 = NULL; u8 *kptr = NULL; if (copy_from_user(header, Loading Loading 
@@ -1138,6 +1160,24 @@ static int ipa3_ioctl_add_rt_rule_ext_v2(unsigned long arg) retval = -EFAULT; goto free_param_kptr; } param2 = memdup_user((const void __user *)arg, sizeof(struct ipa_ioc_add_rt_rule_ext_v2)); if (IS_ERR(param2)) { retval = -EFAULT; goto free_param_kptr; } /* add check in case user-space module compromised */ if (unlikely(((struct ipa_ioc_add_rt_rule_ext_v2 *)param2)->num_rules != pre_entry)) { IPAERR_RL("current %d pre %d\n", ((struct ipa_ioc_add_rt_rule_ext_v2 *)param2)-> num_rules, pre_entry); retval = -EFAULT; goto free_param_kptr; } /* alloc kernel pointer with actual payload size */ kptr = kzalloc(pyld_sz, GFP_KERNEL); if (!kptr) { Loading Loading @@ -1179,6 +1219,8 @@ static int ipa3_ioctl_add_rt_rule_ext_v2(unsigned long arg) free_param_kptr: if (!IS_ERR(param)) kfree(param); if (!IS_ERR(param2)) kfree(param2); kfree(kptr); return retval; Loading @@ -1194,6 +1236,7 @@ static int ipa3_ioctl_add_rt_rule_after_v2(unsigned long arg) u32 pyld_sz; u64 uptr = 0; u8 *param = NULL; u8 *param2 = NULL; u8 *kptr = NULL; if (copy_from_user(header, (const void __user *)arg, Loading Loading @@ -1234,6 +1277,23 @@ static int ipa3_ioctl_add_rt_rule_after_v2(unsigned long arg) retval = -EFAULT; goto free_param_kptr; } param2 = memdup_user((const void __user *)arg, sizeof(struct ipa_ioc_add_rt_rule_after_v2)); if (IS_ERR(param2)) { retval = -EFAULT; goto free_param_kptr; } /* add check in case user-space module compromised */ if (unlikely(((struct ipa_ioc_add_rt_rule_after_v2 *)param2)->num_rules != pre_entry)) { IPAERR_RL("current %d pre %d\n", ((struct ipa_ioc_add_rt_rule_after_v2 *)param2)-> num_rules, pre_entry); retval = -EFAULT; goto free_param_kptr; } /* alloc kernel pointer with actual payload size */ kptr = kzalloc(pyld_sz, GFP_KERNEL); if (!kptr) { Loading Loading 
@@ -1273,6 +1333,8 @@ static int ipa3_ioctl_add_rt_rule_after_v2(unsigned long arg) free_param_kptr: if (!IS_ERR(param)) kfree(param); if (!IS_ERR(param2)) kfree(param2); kfree(kptr); return retval; Loading @@ -1288,6 +1350,7 @@ static int ipa3_ioctl_mdfy_rt_rule_v2(unsigned long arg) u32 pyld_sz; u64 uptr = 0; u8 *param = NULL; u8 *param2 = NULL; u8 *kptr = NULL; if (copy_from_user(header, (const void __user *)arg, Loading Loading @@ -1328,6 +1391,23 @@ static int ipa3_ioctl_mdfy_rt_rule_v2(unsigned long arg) retval = -EFAULT; goto free_param_kptr; } param2 = memdup_user((const void __user *)arg, sizeof(struct ipa_ioc_mdfy_rt_rule_v2)); if (IS_ERR(param2)) { retval = -EFAULT; goto free_param_kptr; } /* add check in case user-space module compromised */ if (unlikely(((struct ipa_ioc_mdfy_rt_rule_v2 *)param2)->num_rules != pre_entry)) { IPAERR_RL("current %d pre %d\n", ((struct ipa_ioc_mdfy_rt_rule_v2 *)param2)-> num_rules, pre_entry); retval = -EFAULT; goto free_param_kptr; } /* alloc kernel pointer with actual payload size */ kptr = kzalloc(pyld_sz, GFP_KERNEL); if (!kptr) { Loading Loading @@ -1367,6 +1447,8 @@ static int ipa3_ioctl_mdfy_rt_rule_v2(unsigned long arg) free_param_kptr: if (!IS_ERR(param)) kfree(param); if (!IS_ERR(param2)) kfree(param2); kfree(kptr); return retval; Loading @@ -1382,6 +1464,7 @@ static int ipa3_ioctl_add_flt_rule_v2(unsigned long arg) u32 pyld_sz; u64 uptr = 0; u8 *param = NULL; u8 *param2 = NULL; u8 *kptr = NULL; if (copy_from_user(header, (const void __user *)arg, Loading Loading 
@@ -1421,6 +1504,23 @@ static int ipa3_ioctl_add_flt_rule_v2(unsigned long arg) retval = -EFAULT; goto free_param_kptr; } param2 = memdup_user((const void __user *)arg, sizeof(struct ipa_ioc_add_flt_rule_v2)); if (IS_ERR(param2)) { retval = -EFAULT; goto free_param_kptr; } /* add check in case user-space module compromised */ if (unlikely(((struct ipa_ioc_add_flt_rule_v2 *)param2)->num_rules != pre_entry)) { IPAERR_RL("current %d pre %d\n", ((struct ipa_ioc_add_flt_rule_v2 *)param2)-> num_rules, pre_entry); retval = -EFAULT; goto free_param_kptr; } /* alloc kernel pointer with actual payload size */ kptr = kzalloc(pyld_sz, GFP_KERNEL); if (!kptr) { Loading Loading @@ -1459,6 +1559,8 @@ static int ipa3_ioctl_add_flt_rule_v2(unsigned long arg) free_param_kptr: if (!IS_ERR(param)) kfree(param); if (!IS_ERR(param2)) kfree(param2); kfree(kptr); return retval; Loading @@ -1474,6 +1576,7 @@ static int ipa3_ioctl_add_flt_rule_after_v2(unsigned long arg) u32 pyld_sz; u64 uptr = 0; u8 *param = NULL; u8 *param2 = NULL; u8 *kptr = NULL; if (copy_from_user(header, (const void __user *)arg, Loading Loading @@ -1514,6 +1617,23 @@ static int ipa3_ioctl_add_flt_rule_after_v2(unsigned long arg) retval = -EFAULT; goto free_param_kptr; } param2 = memdup_user((const void __user *)arg, sizeof(struct ipa_ioc_add_flt_rule_after_v2)); if (IS_ERR(param2)) { retval = -EFAULT; goto free_param_kptr; } /* add check in case user-space module compromised */ if (unlikely(((struct ipa_ioc_add_flt_rule_after_v2 *)param2)->num_rules != pre_entry)) { IPAERR_RL("current %d pre %d\n", ((struct ipa_ioc_add_flt_rule_after_v2 *)param2)-> num_rules, pre_entry); retval = -EFAULT; goto free_param_kptr; } /* alloc kernel pointer with actual payload size */ kptr = kzalloc(pyld_sz, GFP_KERNEL); if (!kptr) { Loading Loading 
@@ -1553,6 +1673,8 @@ static int ipa3_ioctl_add_flt_rule_after_v2(unsigned long arg) free_param_kptr: if (!IS_ERR(param)) kfree(param); if (!IS_ERR(param2)) kfree(param2); kfree(kptr); return retval; Loading @@ -1568,6 +1690,7 @@ static int ipa3_ioctl_mdfy_flt_rule_v2(unsigned long arg) u32 pyld_sz; u64 uptr = 0; u8 *param = NULL; u8 *param2 = NULL; u8 *kptr = NULL; if (copy_from_user(header, (const void __user *)arg, Loading Loading @@ -1608,6 +1731,23 @@ static int ipa3_ioctl_mdfy_flt_rule_v2(unsigned long arg) retval = -EFAULT; goto free_param_kptr; } param2 = memdup_user((const void __user *)arg, sizeof(struct ipa_ioc_mdfy_flt_rule_v2)); if (IS_ERR(param2)) { retval = -EFAULT; goto free_param_kptr; } /* add check in case user-space module compromised */ if (unlikely(((struct ipa_ioc_mdfy_flt_rule_v2 *)param2)->num_rules != pre_entry)) { IPAERR_RL("current %d pre %d\n", ((struct ipa_ioc_mdfy_flt_rule_v2 *)param2)-> num_rules, pre_entry); retval = -EFAULT; goto free_param_kptr; } /* alloc kernel pointer with actual payload size */ kptr = kzalloc(pyld_sz, GFP_KERNEL); if (!kptr) { Loading Loading @@ -1647,6 +1787,8 @@ static int ipa3_ioctl_mdfy_flt_rule_v2(unsigned long arg) free_param_kptr: if (!IS_ERR(param)) kfree(param); if (!IS_ERR(param2)) kfree(param2); kfree(kptr); return retval; Loading Loading
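Review bot: The added `param2 = memdup_user((const void __user *)arg, ...)` in ipa3_ioctl_add_rt_rule_v2 compares a second read of the user struct against `pre_entry`, but user space can rewrite that memory again right after the comparison, so the check detects a change rather than closing the double fetch. The same block is repeated in the other six *_v2 handlers in this section. The protection depends on everything after the check using only the kernel copy in `header` and the values derived from it (`pre_entry`, `pyld_sz`). Those lines are outside the visible hunks, so this should be confirmed and the comment reworded to say so, e.g. `/* num_rules re-read only to detect tampering; header/pre_entry stay authoritative */`. Separately, the `IS_ERR(param2)` branch reports every failure as `-EFAULT`, which hides an allocation failure in memdup_user; `retval = PTR_ERR(param2);` keeps the real error code.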
drivers/platform/msm/ipa/ipa_v3/ipa.c +142 −0 Original line number Diff line number Diff line Loading @@ -1005,6 +1005,7 @@ static int ipa3_ioctl_add_rt_rule_v2(unsigned long arg) u32 pyld_sz; u64 uptr = 0; u8 *param = NULL; u8 *param2 = NULL; u8 *kptr = NULL; if (copy_from_user(header, (const void __user *)arg, Loading Loading @@ -1043,6 +1044,24 @@ static int ipa3_ioctl_add_rt_rule_v2(unsigned long arg) retval = -EFAULT; goto free_param_kptr; } param2 = memdup_user((const void __user *)arg, sizeof(struct ipa_ioc_add_rt_rule_v2)); if (IS_ERR(param2)) { retval = -EFAULT; goto free_param_kptr; } /* add check in case user-space module compromised */ if (unlikely(((struct ipa_ioc_add_rt_rule_v2 *)param2)->num_rules != pre_entry)) { IPAERR_RL("current %d pre %d\n", ((struct ipa_ioc_add_rt_rule_v2 *)param2)-> num_rules, pre_entry); retval = -EFAULT; goto free_param_kptr; } /* alloc kernel pointer with actual payload size */ kptr = kzalloc(pyld_sz, GFP_KERNEL); if (!kptr) { Loading Loading @@ -1082,6 +1101,8 @@ static int ipa3_ioctl_add_rt_rule_v2(unsigned long arg) free_param_kptr: if (!IS_ERR(param)) kfree(param); if (!IS_ERR(param2)) kfree(param2); kfree(kptr); return retval; Loading @@ -1097,6 +1118,7 @@ static int ipa3_ioctl_add_rt_rule_ext_v2(unsigned long arg) u32 pyld_sz; u64 uptr = 0; u8 *param = NULL; u8 *param2 = NULL; u8 *kptr = NULL; if (copy_from_user(header, Loading Loading 
@@ -1138,6 +1160,24 @@ static int ipa3_ioctl_add_rt_rule_ext_v2(unsigned long arg) retval = -EFAULT; goto free_param_kptr; } param2 = memdup_user((const void __user *)arg, sizeof(struct ipa_ioc_add_rt_rule_ext_v2)); if (IS_ERR(param2)) { retval = -EFAULT; goto free_param_kptr; } /* add check in case user-space module compromised */ if (unlikely(((struct ipa_ioc_add_rt_rule_ext_v2 *)param2)->num_rules != pre_entry)) { IPAERR_RL("current %d pre %d\n", ((struct ipa_ioc_add_rt_rule_ext_v2 *)param2)-> num_rules, pre_entry); retval = -EFAULT; goto free_param_kptr; } /* alloc kernel pointer with actual payload size */ kptr = kzalloc(pyld_sz, GFP_KERNEL); if (!kptr) { Loading Loading @@ -1179,6 +1219,8 @@ static int ipa3_ioctl_add_rt_rule_ext_v2(unsigned long arg) free_param_kptr: if (!IS_ERR(param)) kfree(param); if (!IS_ERR(param2)) kfree(param2); kfree(kptr); return retval; Loading @@ -1194,6 +1236,7 @@ static int ipa3_ioctl_add_rt_rule_after_v2(unsigned long arg) u32 pyld_sz; u64 uptr = 0; u8 *param = NULL; u8 *param2 = NULL; u8 *kptr = NULL; if (copy_from_user(header, (const void __user *)arg, Loading Loading @@ -1234,6 +1277,23 @@ static int ipa3_ioctl_add_rt_rule_after_v2(unsigned long arg) retval = -EFAULT; goto free_param_kptr; } param2 = memdup_user((const void __user *)arg, sizeof(struct ipa_ioc_add_rt_rule_after_v2)); if (IS_ERR(param2)) { retval = -EFAULT; goto free_param_kptr; } /* add check in case user-space module compromised */ if (unlikely(((struct ipa_ioc_add_rt_rule_after_v2 *)param2)->num_rules != pre_entry)) { IPAERR_RL("current %d pre %d\n", ((struct ipa_ioc_add_rt_rule_after_v2 *)param2)-> num_rules, pre_entry); retval = -EFAULT; goto free_param_kptr; } /* alloc kernel pointer with actual payload size */ kptr = kzalloc(pyld_sz, GFP_KERNEL); if (!kptr) { Loading Loading 
@@ -1273,6 +1333,8 @@ static int ipa3_ioctl_add_rt_rule_after_v2(unsigned long arg) free_param_kptr: if (!IS_ERR(param)) kfree(param); if (!IS_ERR(param2)) kfree(param2); kfree(kptr); return retval; Loading @@ -1288,6 +1350,7 @@ static int ipa3_ioctl_mdfy_rt_rule_v2(unsigned long arg) u32 pyld_sz; u64 uptr = 0; u8 *param = NULL; u8 *param2 = NULL; u8 *kptr = NULL; if (copy_from_user(header, (const void __user *)arg, Loading Loading @@ -1328,6 +1391,23 @@ static int ipa3_ioctl_mdfy_rt_rule_v2(unsigned long arg) retval = -EFAULT; goto free_param_kptr; } param2 = memdup_user((const void __user *)arg, sizeof(struct ipa_ioc_mdfy_rt_rule_v2)); if (IS_ERR(param2)) { retval = -EFAULT; goto free_param_kptr; } /* add check in case user-space module compromised */ if (unlikely(((struct ipa_ioc_mdfy_rt_rule_v2 *)param2)->num_rules != pre_entry)) { IPAERR_RL("current %d pre %d\n", ((struct ipa_ioc_mdfy_rt_rule_v2 *)param2)-> num_rules, pre_entry); retval = -EFAULT; goto free_param_kptr; } /* alloc kernel pointer with actual payload size */ kptr = kzalloc(pyld_sz, GFP_KERNEL); if (!kptr) { Loading Loading @@ -1367,6 +1447,8 @@ static int ipa3_ioctl_mdfy_rt_rule_v2(unsigned long arg) free_param_kptr: if (!IS_ERR(param)) kfree(param); if (!IS_ERR(param2)) kfree(param2); kfree(kptr); return retval; Loading @@ -1382,6 +1464,7 @@ static int ipa3_ioctl_add_flt_rule_v2(unsigned long arg) u32 pyld_sz; u64 uptr = 0; u8 *param = NULL; u8 *param2 = NULL; u8 *kptr = NULL; if (copy_from_user(header, (const void __user *)arg, Loading Loading 
@@ -1421,6 +1504,23 @@ static int ipa3_ioctl_add_flt_rule_v2(unsigned long arg) retval = -EFAULT; goto free_param_kptr; } param2 = memdup_user((const void __user *)arg, sizeof(struct ipa_ioc_add_flt_rule_v2)); if (IS_ERR(param2)) { retval = -EFAULT; goto free_param_kptr; } /* add check in case user-space module compromised */ if (unlikely(((struct ipa_ioc_add_flt_rule_v2 *)param2)->num_rules != pre_entry)) { IPAERR_RL("current %d pre %d\n", ((struct ipa_ioc_add_flt_rule_v2 *)param2)-> num_rules, pre_entry); retval = -EFAULT; goto free_param_kptr; } /* alloc kernel pointer with actual payload size */ kptr = kzalloc(pyld_sz, GFP_KERNEL); if (!kptr) { Loading Loading @@ -1459,6 +1559,8 @@ static int ipa3_ioctl_add_flt_rule_v2(unsigned long arg) free_param_kptr: if (!IS_ERR(param)) kfree(param); if (!IS_ERR(param2)) kfree(param2); kfree(kptr); return retval; Loading @@ -1474,6 +1576,7 @@ static int ipa3_ioctl_add_flt_rule_after_v2(unsigned long arg) u32 pyld_sz; u64 uptr = 0; u8 *param = NULL; u8 *param2 = NULL; u8 *kptr = NULL; if (copy_from_user(header, (const void __user *)arg, Loading Loading @@ -1514,6 +1617,23 @@ static int ipa3_ioctl_add_flt_rule_after_v2(unsigned long arg) retval = -EFAULT; goto free_param_kptr; } param2 = memdup_user((const void __user *)arg, sizeof(struct ipa_ioc_add_flt_rule_after_v2)); if (IS_ERR(param2)) { retval = -EFAULT; goto free_param_kptr; } /* add check in case user-space module compromised */ if (unlikely(((struct ipa_ioc_add_flt_rule_after_v2 *)param2)->num_rules != pre_entry)) { IPAERR_RL("current %d pre %d\n", ((struct ipa_ioc_add_flt_rule_after_v2 *)param2)-> num_rules, pre_entry); retval = -EFAULT; goto free_param_kptr; } /* alloc kernel pointer with actual payload size */ kptr = kzalloc(pyld_sz, GFP_KERNEL); if (!kptr) { Loading Loading 
@@ -1553,6 +1673,8 @@ static int ipa3_ioctl_add_flt_rule_after_v2(unsigned long arg) free_param_kptr: if (!IS_ERR(param)) kfree(param); if (!IS_ERR(param2)) kfree(param2); kfree(kptr); return retval; Loading @@ -1568,6 +1690,7 @@ static int ipa3_ioctl_mdfy_flt_rule_v2(unsigned long arg) u32 pyld_sz; u64 uptr = 0; u8 *param = NULL; u8 *param2 = NULL; u8 *kptr = NULL; if (copy_from_user(header, (const void __user *)arg, Loading Loading @@ -1608,6 +1731,23 @@ static int ipa3_ioctl_mdfy_flt_rule_v2(unsigned long arg) retval = -EFAULT; goto free_param_kptr; } param2 = memdup_user((const void __user *)arg, sizeof(struct ipa_ioc_mdfy_flt_rule_v2)); if (IS_ERR(param2)) { retval = -EFAULT; goto free_param_kptr; } /* add check in case user-space module compromised */ if (unlikely(((struct ipa_ioc_mdfy_flt_rule_v2 *)param2)->num_rules != pre_entry)) { IPAERR_RL("current %d pre %d\n", ((struct ipa_ioc_mdfy_flt_rule_v2 *)param2)-> num_rules, pre_entry); retval = -EFAULT; goto free_param_kptr; } /* alloc kernel pointer with actual payload size */ kptr = kzalloc(pyld_sz, GFP_KERNEL); if (!kptr) { Loading Loading @@ -1647,6 +1787,8 @@ static int ipa3_ioctl_mdfy_flt_rule_v2(unsigned long arg) free_param_kptr: if (!IS_ERR(param)) kfree(param); if (!IS_ERR(param2)) kfree(param2); kfree(kptr); return retval; Loading