Merge "msm: ipa: Fix to slab out of bounds issue" (4acdb380) · Commits · e / devices / android_kernel_oneplus_sm8150

drivers/platform/msm/ipa/ipa_v3/ipa_debugfs.c

+61 −9

Original line number	Diff line number	Diff line
		@@ -372,6 +372,8 @@ static ssize_t ipa3_read_hdr(struct file file, char __user ubuf, size_t count,

		list_for_each_entry(entry, &ipa3_ctx->hdr_tbl.head_hdr_entry_list,
		link) {
		if (entry->cookie != IPA_HDR_COOKIE)
		continue;
		nbytes = scnprintf(
		dbg_buff,
		IPA_MAX_MSG_LEN,
		@@ -552,6 +554,12 @@ static int ipa3_attrib_dump_eq(struct ipa_ipfltri_rule_eq *attrib)
		if (attrib->tc_eq_present)
		pr_err("tc:%d ", attrib->tc_eq);

		if (attrib->num_offset_meq_128 > IPA_IPFLTR_NUM_MEQ_128_EQNS) {
		IPAERR_RL("num_offset_meq_128 Max %d passed value %d\n",
		IPA_IPFLTR_NUM_MEQ_128_EQNS, attrib->num_offset_meq_128);
		return -EPERM;
		}

		for (i = 0; i < attrib->num_offset_meq_128; i++) {
		for (j = 0; j < 16; j++) {
		addr[j] = attrib->offset_meq_128[i].value[j];
		@@ -563,6 +571,12 @@ static int ipa3_attrib_dump_eq(struct ipa_ipfltri_rule_eq *attrib)
		mask, addr);
		}

		if (attrib->num_offset_meq_32 > IPA_IPFLTR_NUM_MEQ_32_EQNS) {
		IPAERR_RL("num_offset_meq_32 Max %d passed value %d\n",
		IPA_IPFLTR_NUM_MEQ_32_EQNS, attrib->num_offset_meq_32);
		return -EPERM;
		}

		for (i = 0; i < attrib->num_offset_meq_32; i++)
		pr_err(
		"(ofst_meq32: ofst:%u mask:0x%x val:0x%x) ",
		@@ -570,6 +584,12 @@ static int ipa3_attrib_dump_eq(struct ipa_ipfltri_rule_eq *attrib)
		attrib->offset_meq_32[i].mask,
		attrib->offset_meq_32[i].value);

		if (attrib->num_ihl_offset_meq_32 > IPA_IPFLTR_NUM_IHL_MEQ_32_EQNS) {
		IPAERR_RL("num_ihl_offset_meq_32 Max %d passed value %d\n",
		IPA_IPFLTR_NUM_IHL_MEQ_32_EQNS, attrib->num_ihl_offset_meq_32);
		return -EPERM;
		}

		for (i = 0; i < attrib->num_ihl_offset_meq_32; i++)
		pr_err(
		"(ihl_ofst_meq32: ofts:%d mask:0x%x val:0x%x) ",
		@@ -584,6 +604,14 @@ static int ipa3_attrib_dump_eq(struct ipa_ipfltri_rule_eq *attrib)
		attrib->metadata_meq32.mask,
		attrib->metadata_meq32.value);

		if (attrib->num_ihl_offset_range_16 >
		IPA_IPFLTR_NUM_IHL_RANGE_16_EQNS) {
		IPAERR_RL("num_ihl_offset_range_16 Max %d passed value %d\n",
		IPA_IPFLTR_NUM_IHL_RANGE_16_EQNS,
		attrib->num_ihl_offset_range_16);
		return -EPERM;
		}

		for (i = 0; i < attrib->num_ihl_offset_range_16; i++)
		pr_err(
		"(ihl_ofst_range16: ofst:%u lo:%u hi:%u) ",
		@@ -776,7 +804,11 @@ static ssize_t ipa3_read_rt_hw(struct file file, char __user ubuf,
		pr_err("rule_id:%u prio:%u retain_hdr:%u ",
		rules[rl].id, rules[rl].priority,
		rules[rl].retain_hdr);
		ipa3_attrib_dump_eq(&rules[rl].eq_attrib);
		res = ipa3_attrib_dump_eq(&rules[rl].eq_attrib);
		if (res) {
		IPAERR_RL("failed read attrib eq\n");
		goto bail;
		}
		}

		pr_err("=== Routing Table %d = Non-Hashable Rules ===\n", tbl);
		@@ -807,7 +839,11 @@ static ssize_t ipa3_read_rt_hw(struct file file, char __user ubuf,
		pr_err("rule_id:%u prio:%u retain_hdr:%u\n",
		rules[rl].id, rules[rl].priority,
		rules[rl].retain_hdr);
		ipa3_attrib_dump_eq(&rules[rl].eq_attrib);
		res = ipa3_attrib_dump_eq(&rules[rl].eq_attrib);
		if (res) {
		IPAERR_RL("failed read attrib eq\n");
		goto bail;
		}
		}
		pr_err("\n");
		}
		@@ -881,6 +917,7 @@ static ssize_t ipa3_read_flt(struct file file, char __user ubuf, size_t count,
		u32 rt_tbl_idx;
		u32 bitmap;
		bool eq;
		int res = 0;

		mutex_lock(&ipa3_ctx->lock);

		@@ -890,6 +927,8 @@ static ssize_t ipa3_read_flt(struct file file, char __user ubuf, size_t count,
		tbl = &ipa3_ctx->flt_tbl[j][ip];
		i = 0;
		list_for_each_entry(entry, &tbl->head_flt_rule_list, link) {
		if (entry->cookie != IPA_FLT_COOKIE)
		continue;
		if (entry->rule.eq_attrib_type) {
		rt_tbl_idx = entry->rule.rt_tbl_idx;
		bitmap = entry->rule.eq_attrib.rule_eq_bitmap;
		@@ -915,18 +954,23 @@ static ssize_t ipa3_read_flt(struct file file, char __user ubuf, size_t count,
		pr_err("pdn index %d, set metadata %d ",
		entry->rule.pdn_idx,
		entry->rule.set_metadata);
		if (eq)
		ipa3_attrib_dump_eq(
		if (eq) {
		res = ipa3_attrib_dump_eq(
		&entry->rule.eq_attrib);
		else
		if (res) {
		IPAERR_RL("failed read attrib eq\n");
		goto bail;
		}
		} else
		ipa3_attrib_dump(
		&entry->rule.attrib, ip);
		i++;
		}
		}
		bail:
		mutex_unlock(&ipa3_ctx->lock);

		return 0;
		return res;
		}

		static ssize_t ipa3_read_flt_hw(struct file file, char __user ubuf,
		@@ -979,7 +1023,11 @@ static ssize_t ipa3_read_flt_hw(struct file file, char __user ubuf,
		pr_err("pdn: %u, set_metadata: %u ",
		rules[rl].rule.pdn_idx,
		rules[rl].rule.set_metadata);
		ipa3_attrib_dump_eq(&rules[rl].rule.eq_attrib);
		res = ipa3_attrib_dump_eq(&rules[rl].rule.eq_attrib);
		if (res) {
		IPAERR_RL("failed read attrib eq\n");
		goto bail;
		}
		}

		pr_err("=== Filtering Table ep:%d = Non-Hashable Rules ===\n",
		@@ -1006,7 +1054,11 @@ static ssize_t ipa3_read_flt_hw(struct file file, char __user ubuf,
		pr_err("pdn: %u, set_metadata: %u ",
		rules[rl].rule.pdn_idx,
		rules[rl].rule.set_metadata);
		ipa3_attrib_dump_eq(&rules[rl].rule.eq_attrib);
		res = ipa3_attrib_dump_eq(&rules[rl].rule.eq_attrib);
		if (res) {
		IPAERR_RL("failed read attrib eq\n");
		goto bail;
		}
		}
		pr_err("\n");
		}

drivers/platform/msm/ipa/ipa_v3/ipa_flt.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -61,8 +61,10 @@ static int ipa3_generate_flt_hw_rule(enum ipa_ip_type ip,
		gen_params.rule = (const struct ipa_flt_rule *)&entry->rule;

		res = ipahal_flt_generate_hw_rule(&gen_params, &entry->hw_len, buf);
		if (res)
		if (res) {
		IPAERR_RL("failed to generate flt h/w rule\n");
		return res;
		}

		return 0;
		}