
Commit 32782582 authored by Yajun Li's avatar Yajun Li

soc: hab: fix uninitialized variable and relocate vchan refcnt



Init hab msg pointer to avoid accessing an uninitialized
pointer.

The format specifier "%p" can leak kernel addresses. Use
"%pK" instead.

Check the status of the pfn_table, because a wrong page table can
unexpectedly come from the corresponding hab client.

Change-Id: Ic8c6ba0243d27007d014165f2869a5775a96c09d
Signed-off-by: default avatarYajun Li <yajunl@codeaurora.org>
parent cc0e9149
+2 −2
@@ -599,7 +599,7 @@ int hab_vchan_recv(struct uhab_context *ctx,

	vchan = hab_get_vchan_fromvcid(vcid, ctx);
	if (!vchan) {
		pr_err("vcid %X, vchan %p ctx %p\n", vcid, vchan, ctx);
		pr_err("vcid %X vchan 0x%pK ctx %pK\n", vcid, vchan, ctx);
		return -ENODEV;
	}

@@ -1134,7 +1134,7 @@ static long hab_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
	struct hab_recv *recv_param;
	struct hab_send *send_param;
	struct hab_info *info_param;
	struct hab_message *msg;
	struct hab_message *msg = NULL;
	void *send_data;
	unsigned char data[256] = { 0 };
	long ret = 0;
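Review bot: In the `!vchan` branch of hab_vchan_recv the rewritten `pr_err` still passes `vchan`, which is known to be NULL at that point, and prefixes it with `0x` while `ctx` gets no prefix. Dropping the argument keeps the message accurate and shorter: `pr_err("vcid %X not found, ctx %pK\n", vcid, ctx);`. Also note that `%pK` hides the address only according to the `kptr_restrict` setting, so whether the ctx pointer is masked depends on system configuration; if the value is not needed for debugging, leaving it out of the message is the more robust choice. Both hab_vchan_recv and hab_ioctl continue outside the hunks shown, so the paths that motivated `msg = NULL` cannot be checked from here.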
+2 −1
@@ -214,6 +214,7 @@ struct physical_channel {
	/* debug only */
	uint32_t sequence_tx;
	uint32_t sequence_rx;
	uint32_t status;

	/* vchans on this pchan */
	struct list_head vchannels;
@@ -255,8 +256,8 @@ struct hab_export_ack_recvd {
};

struct hab_message {
	size_t sizebytes;
	struct list_head node;
	size_t sizebytes;
	uint32_t data[];
};
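Review bot: The `status` member of struct physical_channel (apparently the added line in the first hunk) sits directly under the existing `/* debug only */` comment with no description of its own, and none of the hunks on this page read or write it. If it is not a debug counter like `sequence_tx`/`sequence_rx`, separate it with a blank line and give it a comment that states what it holds and which side updates it, for example `/* pchan state; writer: <who>, values: <list> */`. The struct starts and ends outside the hunk, so locking expectations for the field cannot be judged from here.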

+8 −1
@@ -53,6 +53,14 @@ static struct pages_list *pages_list_create(
	if (!pfn_table)
		return ERR_PTR(-EINVAL);

	pfn = pfn_table->first_pfn;
	if (pfn_valid(pfn) == 0 || page_is_ram(pfn) == 0) {
		pr_err("imp sanity failed pfn %lx valid %d ram %d pchan %s\n",
			pfn, pfn_valid(pfn),
			page_is_ram(pfn), exp->pchan->name);
		return ERR_PTR(-EINVAL);
	}

	size = exp->payload_count * sizeof(struct page *);
	pages = kmalloc(size, GFP_KERNEL);
	if (!pages)
@@ -64,7 +72,6 @@ static struct pages_list *pages_list_create(
		return ERR_PTR(-ENOMEM);
	}

	pfn = pfn_table->first_pfn;
	for (i = 0; i < pfn_table->nregions; i++) {
		for (j = 0; j < pfn_table->region[i].size; j++) {
			pages[k] = pfn_to_page(pfn+j);
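Review bot: The new sanity check in pages_list_create validates only `pfn_table->first_pfn`, while the loop below it converts `pfn+j` for every entry of every region and stores to `pages[k]` with no visible bound. `pages` is sized from `exp->payload_count`, but the loop is driven by `pfn_table->nregions` and `region[i].size`, which come from the same table the commit message describes as possibly wrong, so a table whose region sizes add up to more than `payload_count` would write past the allocation. Inside the inner loop, before the store, reject the table with a guard such as `if (k >= exp->payload_count || !pfn_valid(pfn + j))`, free both allocations and return `ERR_PTR(-EINVAL)`. It is also worth allocating with `kmalloc_array(exp->payload_count, sizeof(struct page *), GFP_KERNEL)` so that the size multiplication cannot wrap. The loop body continues outside the hunk, so an existing bound on `k` further down cannot be ruled out.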
+2 −2
@@ -277,8 +277,8 @@ int hab_mem_export(struct uhab_context *ctx,
			&pdata_size);
	}
	if (ret < 0) {
		pr_err("habmem_hyp_grant failed size=%d ret=%d\n",
			pdata_size, ret);
		pr_err("habmem_hyp_grant vc %x failed size=%d ret=%d\n",
			   param->vcid, pdata_size, ret);
		goto err;
	}

+2 −2
@@ -210,7 +210,7 @@ int hab_msg_recv(struct physical_channel *pchan,
		 */
		vchan = hab_vchan_get(pchan, header);
		if (!vchan) {
			pr_info("vchan is not found, payload type %d, vchan id %x, sizebytes %zx, session %d\n",
			pr_debug("vchan not found type %d vcid %x sz %zx sesn %d\n",
				payload_type, vchan_id, sizebytes, session_id);

			if (sizebytes) {
@@ -313,7 +313,7 @@ int hab_msg_recv(struct physical_channel *pchan,

	case HAB_PAYLOAD_TYPE_CLOSE:
		/* remote request close */
		pr_info("remote request close vcid %pK %X other id %X session %d refcnt %d\n",
		pr_debug("remote close vcid %pK %X other id %X session %d refcnt %d\n",
			vchan, vchan->id, vchan->otherend_id,
			session_id, get_refcnt(vchan->refcount));
		hab_vchan_stop(vchan);
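Review bot: Demoting the "vchan not found" message in hab_msg_recv from `pr_info` to `pr_debug` removes it from normal kernel logs, although a message arriving for a vchan that does not exist is exactly the event someone investigating a misbehaving remote end would look for. If the goal is to stop the remote side from flooding the log, a rate-limited variant keeps the signal while bounding the volume: `pr_warn_ratelimited("vchan not found type %d vcid %x sz %zx sesn %d\n", payload_type, vchan_id, sizebytes, session_id);`. The same applies to the remote-close message in the HAB_PAYLOAD_TYPE_CLOSE case, where `pr_info_ratelimited` would serve. Both hunks sit in the middle of hab_msg_recv, whose body starts and ends outside them.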