Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 7bd2a476 authored by Sunil Paidimarri's avatar Sunil Paidimarri Committed by Gerrit - the friendly Code Review server
Browse files

msm: ipa: Allocate memory on send message 



On client pushing message, allocate memory for event
data and copy before pushing to clients. This is to
avoid crash if client goes away before freeing the
memory.

Change-Id: Icff40d68d9b60617e8e3eb006eb697194b4e61f6
CRs-Fixed: 1065499
Signed-off-by: default avatarSunil Paidimarri <hisunil@codeaurora.org>
parent d2afad6a

drivers/platform/msm/ipa/ipa_v2/ipa_intf.c

+20 −3
Original line number Diff line number Diff line 
/* Copyright (c) 2013-2015, The Linux Foundation. All rights reserved.

/* Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.

 *

 * This program is free software; you can redistribute it and/or modify

 * it under the terms of the GNU General Public License version 2 and
@@ -348,6 +348,11 @@ int ipa_query_intf_ext_props(struct ipa_ioc_query_intf_ext_props *ext) 
	return result;

}



static void ipa2_send_msg_free(void *buff, u32 len, u32 type)

{

	kfree(buff);

}



/**

 * ipa2_send_msg() - Send "message" from kernel client to IPA driver

 * @meta: [in] message meta-data
@@ -367,6 +372,7 @@ int ipa2_send_msg(struct ipa_msg_meta *meta, void *buff, 
		  ipa_msg_free_fn callback)

{

	struct ipa_push_msg *msg;

	void *data = NULL;



	if (unlikely(!ipa_ctx)) {

		IPAERR("IPA driver was not initialized\n");
@@ -392,8 +398,17 @@ int ipa2_send_msg(struct ipa_msg_meta *meta, void *buff, 
	}



	msg->meta = *meta;

	msg->buff = buff;

	msg->callback = callback;

	if (meta->msg_len > 0 && buff) {

		data = kmalloc(meta->msg_len, GFP_KERNEL);

		if (data == NULL) {

			IPAERR("fail to alloc data container\n");

			kfree(msg);

			return -ENOMEM;

		}

		memcpy(data, buff, meta->msg_len);

		msg->buff = data;

		msg->callback = ipa2_send_msg_free;

	}



	mutex_lock(&ipa_ctx->msg_lock);

	list_add_tail(&msg->link, &ipa_ctx->msg_list);
@@ -401,6 +416,8 @@ int ipa2_send_msg(struct ipa_msg_meta *meta, void *buff, 
	IPA_STATS_INC_CNT(ipa_ctx->stats.msg_w[meta->msg_type]);



	wake_up(&ipa_ctx->msg_waitq);

	if (buff)

		callback(buff, meta->msg_len, meta->msg_type);



	return 0;

}

drivers/platform/msm/ipa/ipa_v3/ipa_intf.c

+19 −2
Original line number Diff line number Diff line
@@ -358,6 +358,11 @@ int ipa3_query_intf_ext_props(struct ipa_ioc_query_intf_ext_props *ext) 
	return result;

}



static void ipa3_send_msg_free(void *buff, u32 len, u32 type)

{

	kfree(buff);

}



/**

 * ipa3_send_msg() - Send "message" from kernel client to IPA driver

 * @meta: [in] message meta-data
@@ -377,6 +382,7 @@ int ipa3_send_msg(struct ipa_msg_meta *meta, void *buff, 
		  ipa_msg_free_fn callback)

{

	struct ipa3_push_msg *msg;

	void *data = NULL;



	if (meta == NULL || (buff == NULL && callback != NULL) ||

	    (buff != NULL && callback == NULL)) {
@@ -397,8 +403,17 @@ int ipa3_send_msg(struct ipa_msg_meta *meta, void *buff, 
	}



	msg->meta = *meta;

	msg->buff = buff;

	msg->callback = callback;

	if (meta->msg_len > 0 && buff) {

		data = kmalloc(meta->msg_len, GFP_KERNEL);

		if (data == NULL) {

			IPAERR("fail to alloc data container\n");

			kfree(msg);

			return -ENOMEM;

		}

		memcpy(data, buff, meta->msg_len);

		msg->buff = data;

		msg->callback = ipa3_send_msg_free;

	}



	mutex_lock(&ipa3_ctx->msg_lock);

	list_add_tail(&msg->link, &ipa3_ctx->msg_list);
@@ -406,6 +421,8 @@ int ipa3_send_msg(struct ipa_msg_meta *meta, void *buff, 
	IPA_STATS_INC_CNT(ipa3_ctx->stats.msg_w[meta->msg_type]);



	wake_up(&ipa3_ctx->msg_waitq);

	if (buff)

		callback(buff, meta->msg_len, meta->msg_type);



	return 0;

}