
Commit 2a17a395 authored by Mohammed Javid Committed by Gerrit - the friendly Code Review server

msm:ipa: Fix to slab out of bounds access



Accessing an incorrect structure pointer was causing a
slab-out-of-bounds access; fix the issue by accessing
the correct structure pointer.

Change-Id: I23d3c9afbbabba88be92ef5cae83c4708a211e88
Acked-by: Ashok Vuyyuru <avuyyuru@qti.qualcomm.com>
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
parent 5bc16c75
+8 −6
@@ -811,10 +811,11 @@ static ssize_t ipa_read_flt(struct file *file, char __user *ubuf, size_t count,
			eq = true;
		} else {
			rt_tbl = ipa_id_find(entry->rule.rt_tbl_hdl);
			if (rt_tbl)
				rt_tbl_idx = rt_tbl->idx;
			else
			if (rt_tbl == NULL ||
				rt_tbl->cookie != IPA_RT_TBL_COOKIE)
				rt_tbl_idx =  ~0;
			else
				rt_tbl_idx = rt_tbl->idx;
			bitmap = entry->rule.attrib.attrib_mask;
			eq = false;
		}
@@ -841,10 +842,11 @@ static ssize_t ipa_read_flt(struct file *file, char __user *ubuf, size_t count,
				eq = true;
			} else {
				rt_tbl = ipa_id_find(entry->rule.rt_tbl_hdl);
				if (rt_tbl)
					rt_tbl_idx = rt_tbl->idx;
				else
				if (rt_tbl == NULL ||
					rt_tbl->cookie != IPA_RT_TBL_COOKIE)
					rt_tbl_idx = ~0;
				else
					rt_tbl_idx = rt_tbl->idx;
				bitmap = entry->rule.attrib.attrib_mask;
				eq = false;
			}
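Review bot: The new guard in both ipa_read_flt hunks reads `rt_tbl->cookie` from whatever object `ipa_id_find()` returned, so it is a safe type check only if `cookie` sits at the same offset in every structure that can be registered under a handle, and that offset lies inside the smallest of them. The structure definitions are not on this page, so this needs confirming; if the layouts differ, the cookie read itself can fall outside the slab object the commit is trying to protect. The same assumption underlies the ipa3_read_flt hunk and the `entry->cookie` checks added in ipa3_add_flt_rule_after and ipa3_add_rt_rule_after. A compile-time check would pin it, e.g. `BUILD_BUG_ON(offsetof(struct <rt_tbl type>, cookie) != offsetof(struct <other handle type>, cookie));` with the real type names filled in. ipa_read_flt's body continues outside both hunks.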
+4 −3
@@ -842,10 +842,11 @@ static ssize_t ipa3_read_flt(struct file *file, char __user *ubuf, size_t count,
				eq = true;
			} else {
				rt_tbl = ipa3_id_find(entry->rule.rt_tbl_hdl);
				if (rt_tbl)
					rt_tbl_idx = rt_tbl->idx;
				else
				if (rt_tbl == NULL ||
					rt_tbl->cookie != IPA_RT_TBL_COOKIE)
					rt_tbl_idx =  ~0;
				else
					rt_tbl_idx = rt_tbl->idx;
				bitmap = entry->rule.attrib.attrib_mask;
				eq = false;
			}
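Review bot: Nothing at the `rt_tbl->cookie != IPA_RT_TBL_COOKIE` test says why a non-NULL lookup result is still distrusted, so a later cleanup could fold it back into a plain NULL check. A one-line comment above the `if` would keep the intent, for example `/* rt_tbl_hdl may resolve to an object that is not a routing table; only read idx after the cookie matches */`. The stray double space in `rt_tbl_idx =  ~0;` can be dropped at the same time. ipa3_read_flt's body continues outside the hunk.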
+7 −0
@@ -1501,6 +1501,13 @@ int ipa3_add_flt_rule_after(struct ipa_ioc_add_flt_rule_after *rules)
		goto bail;
	}

	if (entry->cookie != IPA_FLT_COOKIE) {
		IPAERR_RL("Invalid cookie value =  %u flt hdl id = %d\n",
			entry->cookie, rules->add_after_hdl);
		result = -EINVAL;
		goto bail;
	}

	if (entry->tbl != tbl) {
		IPAERR_RL("given entry does not match the table\n");
		result = -EINVAL;
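Review bot: The added `IPAERR_RL` prints `entry->cookie` on exactly the path where `entry` has just been found not to be a filter entry, so the value written to the kernel log is whatever four bytes sit at that offset in an unrelated or stale object. `rules->add_after_hdl` appears to be supplied by the requester of the `ipa_ioc_add_flt_rule_after` operation, so the logged bytes are influenced by that input. Logging only the handle is enough for diagnosis: `IPAERR_RL("Invalid cookie, flt hdl id = %d\n", rules->add_after_hdl);`. The `%d` should also be checked against the declared type of `add_after_hdl`, which is not visible here. The same applies to the message added in ipa3_add_rt_rule_after; both function bodies extend beyond their hunks.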
+7 −0
@@ -1373,6 +1373,13 @@ int ipa3_add_rt_rule_after(struct ipa_ioc_add_rt_rule_after *rules)
		goto bail;
	}

	if (entry->cookie != IPA_RT_RULE_COOKIE) {
		IPAERR_RL("Invalid cookie value =  %u rule %d in rt tbls\n",
			entry->cookie, rules->add_after_hdl);
		ret = -EINVAL;
		goto bail;
	}

	if (entry->tbl != tbl) {
		IPAERR_RL("given rt rule does not match the table\n");
		ret = -EINVAL;