Loading drivers/platform/msm/ipa/ipa_v3/ipa.c +93 −14 Original line number Diff line number Diff line Loading @@ -708,6 +708,7 @@ static int ipa3_ioctl_add_rt_rule_v2(unsigned long arg) u32 pyld_sz; u64 uptr = 0; u8 *param = NULL; u8 *param2 = NULL; u8 *kptr = NULL; if (copy_from_user(header, (const void __user *)arg, Loading Loading @@ -746,11 +747,20 @@ static int ipa3_ioctl_add_rt_rule_v2(unsigned long arg) retval = -EFAULT; goto free_param_kptr; } param2 = memdup_user((const void __user *)arg, sizeof(struct ipa_ioc_add_rt_rule_v2)); if (IS_ERR(param2)) { retval = -EFAULT; goto free_param_kptr; } /* add check in case user-space module compromised */ if (unlikely(((struct ipa_ioc_add_rt_rule_v2 *)param)->num_rules if (unlikely(((struct ipa_ioc_add_rt_rule_v2 *)param2)->num_rules != pre_entry)) { IPAERR_RL("current %d pre %d\n", ((struct ipa_ioc_add_rt_rule_v2 *)param)-> ((struct ipa_ioc_add_rt_rule_v2 *)param2)-> num_rules, pre_entry); retval = -EFAULT; goto free_param_kptr; Loading Loading @@ -794,6 +804,8 @@ static int ipa3_ioctl_add_rt_rule_v2(unsigned long arg) free_param_kptr: if (!IS_ERR(param)) kfree(param); if (!IS_ERR(param2)) kfree(param2); kfree(kptr); return retval; Loading @@ -809,6 +821,7 @@ static int ipa3_ioctl_add_rt_rule_ext_v2(unsigned long arg) u32 pyld_sz; u64 uptr = 0; u8 *param = NULL; u8 *param2 = NULL; u8 *kptr = NULL; if (copy_from_user(header, Loading Loading 
@@ -850,11 +863,20 @@ static int ipa3_ioctl_add_rt_rule_ext_v2(unsigned long arg) retval = -EFAULT; goto free_param_kptr; } param2 = memdup_user((const void __user *)arg, sizeof(struct ipa_ioc_add_rt_rule_ext_v2)); if (IS_ERR(param2)) { retval = -EFAULT; goto free_param_kptr; } /* add check in case user-space module compromised */ if (unlikely(((struct ipa_ioc_add_rt_rule_ext_v2 *)param)->num_rules if (unlikely(((struct ipa_ioc_add_rt_rule_ext_v2 *)param2)->num_rules != pre_entry)) { IPAERR_RL("current %d pre %d\n", ((struct ipa_ioc_add_rt_rule_ext_v2 *)param)-> ((struct ipa_ioc_add_rt_rule_ext_v2 *)param2)-> num_rules, pre_entry); retval = -EFAULT; goto free_param_kptr; Loading Loading @@ -900,6 +922,8 @@ static int ipa3_ioctl_add_rt_rule_ext_v2(unsigned long arg) free_param_kptr: if (!IS_ERR(param)) kfree(param); if (!IS_ERR(param2)) kfree(param2); kfree(kptr); return retval; Loading @@ -915,6 +939,7 @@ static int ipa3_ioctl_add_rt_rule_after_v2(unsigned long arg) u32 pyld_sz; u64 uptr = 0; u8 *param = NULL; u8 *param2 = NULL; u8 *kptr = NULL; if (copy_from_user(header, (const void __user *)arg, Loading Loading @@ -955,11 +980,19 @@ static int ipa3_ioctl_add_rt_rule_after_v2(unsigned long arg) retval = -EFAULT; goto free_param_kptr; } param2 = memdup_user((const void __user *)arg, sizeof(struct ipa_ioc_add_rt_rule_after_v2)); if (IS_ERR(param2)) { retval = -EFAULT; goto free_param_kptr; } /* add check in case user-space module compromised */ if (unlikely(((struct ipa_ioc_add_rt_rule_after_v2 *)param)->num_rules if (unlikely(((struct ipa_ioc_add_rt_rule_after_v2 *)param2)->num_rules != pre_entry)) { IPAERR_RL("current %d pre %d\n", ((struct ipa_ioc_add_rt_rule_after_v2 *)param)-> ((struct ipa_ioc_add_rt_rule_after_v2 *)param2)-> num_rules, pre_entry); retval = -EFAULT; goto free_param_kptr; Loading Loading 
@@ -1003,6 +1036,8 @@ static int ipa3_ioctl_add_rt_rule_after_v2(unsigned long arg) free_param_kptr: if (!IS_ERR(param)) kfree(param); if (!IS_ERR(param2)) kfree(param2); kfree(kptr); return retval; Loading @@ -1018,6 +1053,7 @@ static int ipa3_ioctl_mdfy_rt_rule_v2(unsigned long arg) u32 pyld_sz; u64 uptr = 0; u8 *param = NULL; u8 *param2 = NULL; u8 *kptr = NULL; if (copy_from_user(header, (const void __user *)arg, Loading Loading @@ -1058,11 +1094,19 @@ static int ipa3_ioctl_mdfy_rt_rule_v2(unsigned long arg) retval = -EFAULT; goto free_param_kptr; } param2 = memdup_user((const void __user *)arg, sizeof(struct ipa_ioc_mdfy_rt_rule_v2)); if (IS_ERR(param2)) { retval = -EFAULT; goto free_param_kptr; } /* add check in case user-space module compromised */ if (unlikely(((struct ipa_ioc_mdfy_rt_rule_v2 *)param)->num_rules if (unlikely(((struct ipa_ioc_mdfy_rt_rule_v2 *)param2)->num_rules != pre_entry)) { IPAERR_RL("current %d pre %d\n", ((struct ipa_ioc_mdfy_rt_rule_v2 *)param)-> ((struct ipa_ioc_mdfy_rt_rule_v2 *)param2)-> num_rules, pre_entry); retval = -EFAULT; goto free_param_kptr; Loading Loading @@ -1106,6 +1150,8 @@ static int ipa3_ioctl_mdfy_rt_rule_v2(unsigned long arg) free_param_kptr: if (!IS_ERR(param)) kfree(param); if (!IS_ERR(param2)) kfree(param2); kfree(kptr); return retval; Loading @@ -1121,6 +1167,7 @@ static int ipa3_ioctl_add_flt_rule_v2(unsigned long arg) u32 pyld_sz; u64 uptr = 0; u8 *param = NULL; u8 *param2 = NULL; u8 *kptr = NULL; if (copy_from_user(header, (const void __user *)arg, Loading Loading 
@@ -1160,11 +1207,19 @@ static int ipa3_ioctl_add_flt_rule_v2(unsigned long arg) retval = -EFAULT; goto free_param_kptr; } param2 = memdup_user((const void __user *)arg, sizeof(struct ipa_ioc_add_flt_rule_v2)); if (IS_ERR(param2)) { retval = -EFAULT; goto free_param_kptr; } /* add check in case user-space module compromised */ if (unlikely(((struct ipa_ioc_add_flt_rule_v2 *)param)->num_rules if (unlikely(((struct ipa_ioc_add_flt_rule_v2 *)param2)->num_rules != pre_entry)) { IPAERR_RL("current %d pre %d\n", ((struct ipa_ioc_add_flt_rule_v2 *)param)-> ((struct ipa_ioc_add_flt_rule_v2 *)param2)-> num_rules, pre_entry); retval = -EFAULT; goto free_param_kptr; Loading Loading @@ -1207,6 +1262,8 @@ static int ipa3_ioctl_add_flt_rule_v2(unsigned long arg) free_param_kptr: if (!IS_ERR(param)) kfree(param); if (!IS_ERR(param2)) kfree(param2); kfree(kptr); return retval; Loading @@ -1222,6 +1279,7 @@ static int ipa3_ioctl_add_flt_rule_after_v2(unsigned long arg) u32 pyld_sz; u64 uptr = 0; u8 *param = NULL; u8 *param2 = NULL; u8 *kptr = NULL; if (copy_from_user(header, (const void __user *)arg, Loading Loading @@ -1262,11 +1320,19 @@ static int ipa3_ioctl_add_flt_rule_after_v2(unsigned long arg) retval = -EFAULT; goto free_param_kptr; } param2 = memdup_user((const void __user *)arg, sizeof(struct ipa_ioc_add_flt_rule_after_v2)); if (IS_ERR(param2)) { retval = -EFAULT; goto free_param_kptr; } /* add check in case user-space module compromised */ if (unlikely(((struct ipa_ioc_add_flt_rule_after_v2 *)param)->num_rules if (unlikely(((struct ipa_ioc_add_flt_rule_after_v2 *)param2)->num_rules != pre_entry)) { IPAERR_RL("current %d pre %d\n", ((struct ipa_ioc_add_flt_rule_after_v2 *)param)-> ((struct ipa_ioc_add_flt_rule_after_v2 *)param2)-> num_rules, pre_entry); retval = -EFAULT; goto free_param_kptr; Loading Loading 
@@ -1310,6 +1376,8 @@ static int ipa3_ioctl_add_flt_rule_after_v2(unsigned long arg) free_param_kptr: if (!IS_ERR(param)) kfree(param); if (!IS_ERR(param2)) kfree(param2); kfree(kptr); return retval; Loading @@ -1325,6 +1393,7 @@ static int ipa3_ioctl_mdfy_flt_rule_v2(unsigned long arg) u32 pyld_sz; u64 uptr = 0; u8 *param = NULL; u8 *param2 = NULL; u8 *kptr = NULL; if (copy_from_user(header, (const void __user *)arg, Loading Loading @@ -1365,11 +1434,19 @@ static int ipa3_ioctl_mdfy_flt_rule_v2(unsigned long arg) retval = -EFAULT; goto free_param_kptr; } param2 = memdup_user((const void __user *)arg, sizeof(struct ipa_ioc_mdfy_flt_rule_v2)); if (IS_ERR(param2)) { retval = -EFAULT; goto free_param_kptr; } /* add check in case user-space module compromised */ if (unlikely(((struct ipa_ioc_mdfy_flt_rule_v2 *)param)->num_rules if (unlikely(((struct ipa_ioc_mdfy_flt_rule_v2 *)param2)->num_rules != pre_entry)) { IPAERR_RL("current %d pre %d\n", ((struct ipa_ioc_mdfy_flt_rule_v2 *)param)-> ((struct ipa_ioc_mdfy_flt_rule_v2 *)param2)-> num_rules, pre_entry); retval = -EFAULT; goto free_param_kptr; Loading Loading @@ -1413,6 +1490,8 @@ static int ipa3_ioctl_mdfy_flt_rule_v2(unsigned long arg) free_param_kptr: if (!IS_ERR(param)) kfree(param); if (!IS_ERR(param2)) kfree(param2); kfree(kptr); return retval; Loading Loading
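Review bot: In the `-746,11 +747,20` hunk of ipa3_ioctl_add_rt_rule_v2 the num_rules check now reads only the freshly fetched `param2` and no longer validates `param`, the earlier kernel copy that the code after the hunk presumably keeps using, so a mismatch captured in `param` is no longer detected. A further read of user memory only narrows the window for a concurrent change; it would be more robust to keep the comparison on `param` as well, or to pin the kernel copy with `((struct ipa_ioc_add_rt_rule_v2 *)param)->num_rules = pre_entry;` and size everything from `pre_entry`. The same pattern is repeated in the other six handlers in this section (add_rt_rule_ext_v2, add_rt_rule_after_v2, mdfy_rt_rule_v2, add_flt_rule_v2, add_flt_rule_after_v2, mdfy_flt_rule_v2). Separately, `retval = -EFAULT;` under `IS_ERR(param2)` hides an allocation failure from memdup_user, and `retval = PTR_ERR(param2);` would keep the real error. The function bodies start and end outside the hunks shown, so how `param` is consumed afterwards should be confirmed against the full file.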
drivers/platform/msm/ipa/ipa_v3/ipa.c +93 −14 Original line number Diff line number Diff line Loading @@ -708,6 +708,7 @@ static int ipa3_ioctl_add_rt_rule_v2(unsigned long arg) u32 pyld_sz; u64 uptr = 0; u8 *param = NULL; u8 *param2 = NULL; u8 *kptr = NULL; if (copy_from_user(header, (const void __user *)arg, Loading Loading @@ -746,11 +747,20 @@ static int ipa3_ioctl_add_rt_rule_v2(unsigned long arg) retval = -EFAULT; goto free_param_kptr; } param2 = memdup_user((const void __user *)arg, sizeof(struct ipa_ioc_add_rt_rule_v2)); if (IS_ERR(param2)) { retval = -EFAULT; goto free_param_kptr; } /* add check in case user-space module compromised */ if (unlikely(((struct ipa_ioc_add_rt_rule_v2 *)param)->num_rules if (unlikely(((struct ipa_ioc_add_rt_rule_v2 *)param2)->num_rules != pre_entry)) { IPAERR_RL("current %d pre %d\n", ((struct ipa_ioc_add_rt_rule_v2 *)param)-> ((struct ipa_ioc_add_rt_rule_v2 *)param2)-> num_rules, pre_entry); retval = -EFAULT; goto free_param_kptr; Loading Loading @@ -794,6 +804,8 @@ static int ipa3_ioctl_add_rt_rule_v2(unsigned long arg) free_param_kptr: if (!IS_ERR(param)) kfree(param); if (!IS_ERR(param2)) kfree(param2); kfree(kptr); return retval; Loading @@ -809,6 +821,7 @@ static int ipa3_ioctl_add_rt_rule_ext_v2(unsigned long arg) u32 pyld_sz; u64 uptr = 0; u8 *param = NULL; u8 *param2 = NULL; u8 *kptr = NULL; if (copy_from_user(header, Loading Loading 
@@ -850,11 +863,20 @@ static int ipa3_ioctl_add_rt_rule_ext_v2(unsigned long arg) retval = -EFAULT; goto free_param_kptr; } param2 = memdup_user((const void __user *)arg, sizeof(struct ipa_ioc_add_rt_rule_ext_v2)); if (IS_ERR(param2)) { retval = -EFAULT; goto free_param_kptr; } /* add check in case user-space module compromised */ if (unlikely(((struct ipa_ioc_add_rt_rule_ext_v2 *)param)->num_rules if (unlikely(((struct ipa_ioc_add_rt_rule_ext_v2 *)param2)->num_rules != pre_entry)) { IPAERR_RL("current %d pre %d\n", ((struct ipa_ioc_add_rt_rule_ext_v2 *)param)-> ((struct ipa_ioc_add_rt_rule_ext_v2 *)param2)-> num_rules, pre_entry); retval = -EFAULT; goto free_param_kptr; Loading Loading @@ -900,6 +922,8 @@ static int ipa3_ioctl_add_rt_rule_ext_v2(unsigned long arg) free_param_kptr: if (!IS_ERR(param)) kfree(param); if (!IS_ERR(param2)) kfree(param2); kfree(kptr); return retval; Loading @@ -915,6 +939,7 @@ static int ipa3_ioctl_add_rt_rule_after_v2(unsigned long arg) u32 pyld_sz; u64 uptr = 0; u8 *param = NULL; u8 *param2 = NULL; u8 *kptr = NULL; if (copy_from_user(header, (const void __user *)arg, Loading Loading @@ -955,11 +980,19 @@ static int ipa3_ioctl_add_rt_rule_after_v2(unsigned long arg) retval = -EFAULT; goto free_param_kptr; } param2 = memdup_user((const void __user *)arg, sizeof(struct ipa_ioc_add_rt_rule_after_v2)); if (IS_ERR(param2)) { retval = -EFAULT; goto free_param_kptr; } /* add check in case user-space module compromised */ if (unlikely(((struct ipa_ioc_add_rt_rule_after_v2 *)param)->num_rules if (unlikely(((struct ipa_ioc_add_rt_rule_after_v2 *)param2)->num_rules != pre_entry)) { IPAERR_RL("current %d pre %d\n", ((struct ipa_ioc_add_rt_rule_after_v2 *)param)-> ((struct ipa_ioc_add_rt_rule_after_v2 *)param2)-> num_rules, pre_entry); retval = -EFAULT; goto free_param_kptr; Loading Loading 
@@ -1003,6 +1036,8 @@ static int ipa3_ioctl_add_rt_rule_after_v2(unsigned long arg) free_param_kptr: if (!IS_ERR(param)) kfree(param); if (!IS_ERR(param2)) kfree(param2); kfree(kptr); return retval; Loading @@ -1018,6 +1053,7 @@ static int ipa3_ioctl_mdfy_rt_rule_v2(unsigned long arg) u32 pyld_sz; u64 uptr = 0; u8 *param = NULL; u8 *param2 = NULL; u8 *kptr = NULL; if (copy_from_user(header, (const void __user *)arg, Loading Loading @@ -1058,11 +1094,19 @@ static int ipa3_ioctl_mdfy_rt_rule_v2(unsigned long arg) retval = -EFAULT; goto free_param_kptr; } param2 = memdup_user((const void __user *)arg, sizeof(struct ipa_ioc_mdfy_rt_rule_v2)); if (IS_ERR(param2)) { retval = -EFAULT; goto free_param_kptr; } /* add check in case user-space module compromised */ if (unlikely(((struct ipa_ioc_mdfy_rt_rule_v2 *)param)->num_rules if (unlikely(((struct ipa_ioc_mdfy_rt_rule_v2 *)param2)->num_rules != pre_entry)) { IPAERR_RL("current %d pre %d\n", ((struct ipa_ioc_mdfy_rt_rule_v2 *)param)-> ((struct ipa_ioc_mdfy_rt_rule_v2 *)param2)-> num_rules, pre_entry); retval = -EFAULT; goto free_param_kptr; Loading Loading @@ -1106,6 +1150,8 @@ static int ipa3_ioctl_mdfy_rt_rule_v2(unsigned long arg) free_param_kptr: if (!IS_ERR(param)) kfree(param); if (!IS_ERR(param2)) kfree(param2); kfree(kptr); return retval; Loading @@ -1121,6 +1167,7 @@ static int ipa3_ioctl_add_flt_rule_v2(unsigned long arg) u32 pyld_sz; u64 uptr = 0; u8 *param = NULL; u8 *param2 = NULL; u8 *kptr = NULL; if (copy_from_user(header, (const void __user *)arg, Loading Loading 
@@ -1160,11 +1207,19 @@ static int ipa3_ioctl_add_flt_rule_v2(unsigned long arg) retval = -EFAULT; goto free_param_kptr; } param2 = memdup_user((const void __user *)arg, sizeof(struct ipa_ioc_add_flt_rule_v2)); if (IS_ERR(param2)) { retval = -EFAULT; goto free_param_kptr; } /* add check in case user-space module compromised */ if (unlikely(((struct ipa_ioc_add_flt_rule_v2 *)param)->num_rules if (unlikely(((struct ipa_ioc_add_flt_rule_v2 *)param2)->num_rules != pre_entry)) { IPAERR_RL("current %d pre %d\n", ((struct ipa_ioc_add_flt_rule_v2 *)param)-> ((struct ipa_ioc_add_flt_rule_v2 *)param2)-> num_rules, pre_entry); retval = -EFAULT; goto free_param_kptr; Loading Loading @@ -1207,6 +1262,8 @@ static int ipa3_ioctl_add_flt_rule_v2(unsigned long arg) free_param_kptr: if (!IS_ERR(param)) kfree(param); if (!IS_ERR(param2)) kfree(param2); kfree(kptr); return retval; Loading @@ -1222,6 +1279,7 @@ static int ipa3_ioctl_add_flt_rule_after_v2(unsigned long arg) u32 pyld_sz; u64 uptr = 0; u8 *param = NULL; u8 *param2 = NULL; u8 *kptr = NULL; if (copy_from_user(header, (const void __user *)arg, Loading Loading @@ -1262,11 +1320,19 @@ static int ipa3_ioctl_add_flt_rule_after_v2(unsigned long arg) retval = -EFAULT; goto free_param_kptr; } param2 = memdup_user((const void __user *)arg, sizeof(struct ipa_ioc_add_flt_rule_after_v2)); if (IS_ERR(param2)) { retval = -EFAULT; goto free_param_kptr; } /* add check in case user-space module compromised */ if (unlikely(((struct ipa_ioc_add_flt_rule_after_v2 *)param)->num_rules if (unlikely(((struct ipa_ioc_add_flt_rule_after_v2 *)param2)->num_rules != pre_entry)) { IPAERR_RL("current %d pre %d\n", ((struct ipa_ioc_add_flt_rule_after_v2 *)param)-> ((struct ipa_ioc_add_flt_rule_after_v2 *)param2)-> num_rules, pre_entry); retval = -EFAULT; goto free_param_kptr; Loading Loading 
@@ -1310,6 +1376,8 @@ static int ipa3_ioctl_add_flt_rule_after_v2(unsigned long arg) free_param_kptr: if (!IS_ERR(param)) kfree(param); if (!IS_ERR(param2)) kfree(param2); kfree(kptr); return retval; Loading @@ -1325,6 +1393,7 @@ static int ipa3_ioctl_mdfy_flt_rule_v2(unsigned long arg) u32 pyld_sz; u64 uptr = 0; u8 *param = NULL; u8 *param2 = NULL; u8 *kptr = NULL; if (copy_from_user(header, (const void __user *)arg, Loading Loading @@ -1365,11 +1434,19 @@ static int ipa3_ioctl_mdfy_flt_rule_v2(unsigned long arg) retval = -EFAULT; goto free_param_kptr; } param2 = memdup_user((const void __user *)arg, sizeof(struct ipa_ioc_mdfy_flt_rule_v2)); if (IS_ERR(param2)) { retval = -EFAULT; goto free_param_kptr; } /* add check in case user-space module compromised */ if (unlikely(((struct ipa_ioc_mdfy_flt_rule_v2 *)param)->num_rules if (unlikely(((struct ipa_ioc_mdfy_flt_rule_v2 *)param2)->num_rules != pre_entry)) { IPAERR_RL("current %d pre %d\n", ((struct ipa_ioc_mdfy_flt_rule_v2 *)param)-> ((struct ipa_ioc_mdfy_flt_rule_v2 *)param2)-> num_rules, pre_entry); retval = -EFAULT; goto free_param_kptr; Loading Loading @@ -1413,6 +1490,8 @@ static int ipa3_ioctl_mdfy_flt_rule_v2(unsigned long arg) free_param_kptr: if (!IS_ERR(param)) kfree(param); if (!IS_ERR(param2)) kfree(param2); kfree(kptr); return retval; Loading