
Commit 684f18e2 authored by Mohammed Nayeem Ur Rahman's avatar Mohammed Nayeem Ur Rahman Committed by Gerrit - the friendly Code Review server

msm: adsprpc: Fix array index underflow problem



Add a check to prevent array index underflow. This ensures
that an invalid index is not accessed.

Change-Id: Ib971033c5820ca4dab38ace3b106c7b1b42529e4
Acked-by: default avatarGururaj Chalger <gchalger@qti.qualcomm.com>
Signed-off-by: default avatarMohammed Nayeem Ur Rahman <mohara@codeaurora.org>
parent 8d4d3210
+49 −21
@@ -591,12 +591,23 @@ static void fastrpc_mmap_free(struct fastrpc_mmap *map)
{
	struct fastrpc_apps *me = &gfa;
	struct fastrpc_file *fl;
	int vmid;
	int vmid, cid = -1, err = 0;
	struct fastrpc_session_ctx *sess;

	if (!map)
		return;
	fl = map->fl;
	if (fl && !(map->flags == ADSP_MMAP_HEAP_ADDR ||
				map->flags == ADSP_MMAP_REMOTE_HEAP_ADDR)) {
		cid = fl->cid;
		VERIFY(err, cid >= ADSP_DOMAIN_ID && cid < NUM_CHANNELS);
		if (err) {
			err = -ECHRNG;
			pr_err("adsprpc: ERROR:%s, Invalid channel id: %d, err:%d",
				__func__, cid, err);
			return;
		}
	}
	if (map->flags == ADSP_MMAP_HEAP_ADDR ||
				map->flags == ADSP_MMAP_REMOTE_HEAP_ADDR) {
		spin_lock(&me->hlock);
@@ -673,20 +684,21 @@ static int fastrpc_mmap_create(struct fastrpc_file *fl, int fd, unsigned attr,
	struct fastrpc_apps *me = &gfa;
	struct fastrpc_session_ctx *sess;
	struct fastrpc_apps *apps = fl->apps;
	int cid = fl->cid;
	struct fastrpc_channel_ctx *chan = NULL;
	struct fastrpc_mmap *map = NULL;
	struct dma_attrs attrs;
	dma_addr_t region_start = 0;
	void *region_vaddr = NULL;
	unsigned long flags;
	int err = 0, vmid;
	int err = 0, vmid, cid = -1;

	VERIFY(err, cid >= 0 && cid < NUM_CHANNELS);
	if (err)
	cid = fl->cid;
	VERIFY(err, cid >= ADSP_DOMAIN_ID && cid < NUM_CHANNELS);
	if (err) {
		err = -ECHRNG;
		goto bail;
	}
	chan = &apps->channel[cid];

	if (!fastrpc_mmap_find(fl, fd, va, len, mflags, ppmap))
		return 0;
	map = kzalloc(sizeof(*map), GFP_KERNEL);
@@ -1591,12 +1603,22 @@ static int fastrpc_invoke_send(struct smq_invoke_ctx *ctx,
{
	struct smq_msg *msg = &ctx->msg;
	struct fastrpc_file *fl = ctx->fl;
	struct fastrpc_channel_ctx *channel_ctx = &fl->apps->channel[fl->cid];
	int err = 0, len;
	int err = 0, len, cid = -1;
	struct fastrpc_channel_ctx *channel_ctx = NULL;

	cid = fl->cid;
	VERIFY(err, cid >= ADSP_DOMAIN_ID && cid < NUM_CHANNELS);
	if (err) {
		err = -ECHRNG;
		goto bail;
	}
	channel_ctx = &fl->apps->channel[fl->cid];

	VERIFY(err, NULL != channel_ctx->chan);
	if (err)
	if (err) {
		err = -ECHRNG;
		goto bail;
	}
	msg->pid = current->tgid;
	msg->tid = current->pid;
	if (kernel)
@@ -1712,11 +1734,21 @@ static int fastrpc_internal_invoke(struct fastrpc_file *fl, uint32_t mode,
{
	struct smq_invoke_ctx *ctx = NULL;
	struct fastrpc_ioctl_invoke *invoke = &inv->inv;
	int cid = fl->cid;
	int interrupted = 0;
	int err = 0;
	int err = 0, cid = -1, interrupted = 0;
	struct timespec invoket = {0};

	cid = fl->cid;
	VERIFY(err, cid >= ADSP_DOMAIN_ID && cid < NUM_CHANNELS);
	if (err) {
		err = -ECHRNG;
		goto bail;
	}
	VERIFY(err, fl->sctx != NULL);
	if (err) {
		err = -EBADR;
		goto bail;
	}

	if (fl->profile)
		getnstimeofday(&invoket);

@@ -1729,12 +1761,6 @@ static int fastrpc_internal_invoke(struct fastrpc_file *fl, uint32_t mode,
		}
	}

	VERIFY(err, fl->sctx != NULL);
	if (err)
		goto bail;
	VERIFY(err, fl->cid >= 0 && fl->cid < NUM_CHANNELS);
	if (err)
		goto bail;
	if (!kernel) {
		VERIFY(err, 0 == context_restore_interrupted(fl, inv,
								&ctx));
@@ -2918,7 +2944,7 @@ static const struct file_operations debugfs_fops = {
static int fastrpc_channel_open(struct fastrpc_file *fl)
{
	struct fastrpc_apps *me = &gfa;
	int cid, err = 0;
	int cid = -1, err = 0;

	mutex_lock(&me->smd_mutex);

@@ -2926,9 +2952,11 @@ static int fastrpc_channel_open(struct fastrpc_file *fl)
	if (err)
		goto bail;
	cid = fl->cid;
	VERIFY(err, cid >= 0 && cid < NUM_CHANNELS);
	if (err)
	VERIFY(err, cid >= ADSP_DOMAIN_ID && cid < NUM_CHANNELS);
	if (err) {
		err = -ECHRNG;
		goto bail;
	}
	if (me->channel[cid].ssrcount !=
				 me->channel[cid].prevssrcount) {
		if (!me->channel[cid].issubsystemup) {
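Review bot: In fastrpc_invoke_send the new range check validates the local `cid`, but the lookup right after it still indexes with the field, `channel_ctx = &fl->apps->channel[fl->cid];`, so the value that was checked is not the value that is used. If `fl->cid` can be changed by another thread between the two reads (not visible in this hunk), the bound is not enforced; indexing with the validated local, `channel_ctx = &fl->apps->channel[cid];`, closes that gap and matches fastrpc_mmap_create and fastrpc_channel_open, which both index with `cid`. Separately, the new early `return` in fastrpc_mmap_free leaves the function before any of the visible teardown runs, so a map with an out-of-range channel id appears to be neither unlinked nor freed; a short comment stating whether that leak is intentional would help. Both function bodies continue outside their hunks.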