Merge "diag: Fix possible kernel addresses leak"

	uint8_t cmd_code = 0;

	if (!buf || len < 0) {

		pr_err("diag: Invalid input in %s, buf: %p, len: %d\n",

		pr_err("diag: Invalid input in %s, buf: %pK, len: %d\n",

			__func__, buf, len);

		return -EIO;

	}

{

	uint16_t rsp_count = 0, delayed_rsp_id = 0;

	if (!buf || len <= 0 || !entry) {

		pr_err("diag: In %s, invalid input buf: %p, len: %d, entry: %p\n",

		pr_err("diag: In %s, invalid input buf: %pK, len: %d, entry: %pK\n",

			__func__, buf, len, entry);

		return -EIO;

	}

	int peripheral_mask, status;

	if (!buf || (len < sizeof(struct diag_ctrl_dci_status))) {

		pr_err("diag: In %s, invalid buf %p or length: %d\n",

		pr_err("diag: In %s, invalid buf %pK or length: %d\n",

		       __func__, buf, len);

		return;

	}

			mutex_unlock(&driver->dci_mutex);

			return -ENOMEM;

		}

		pr_debug("diag: head of dci log mask %p\n", head_log_mask_ptr);

		pr_debug("diag: head of dci log mask %pK\n", head_log_mask_ptr);

		count = 0; /* iterator for extracting log codes */

		while (count < num_codes) {

			while (log_mask_ptr && (offset < DCI_LOG_MASK_SIZE)) {

				if (*log_mask_ptr == equip_id) {

					found = 1;

					pr_debug("diag: find equip id = %x at %p\n",

					pr_debug("diag: find equip id = %x at %pK\n",

						 equip_id, log_mask_ptr);

					break;

				} else {

			mutex_unlock(&driver->dci_mutex);

			return -ENOMEM;

		}

		pr_debug("diag: head of dci event mask %p\n", event_mask_ptr);

		pr_debug("diag: head of dci event mask %pK\n", event_mask_ptr);

		count = 0; /* iterator for extracting log codes */

		while (count < num_codes) {

			if (read_len >= USER_SPACE_DATA) {

	if (!buf || peripheral >= NUM_PERIPHERALS || len < 0 ||

	    !(driver->feature[PERIPHERAL_MODEM].rcvd_feature_mask)) {

		DIAG_LOG(DIAG_DEBUG_DCI,

			"buf: 0x%p, p: %d, len: %d, f_mask: %d\n",

			"buf: 0x%pK, p: %d, len: %d, f_mask: %d\n",

				buf, peripheral, len,

				driver->feature[peripheral].rcvd_feature_mask);

		return -EINVAL;

/* Copyright (c) 2011-2015, The Linux Foundation. All rights reserved.

/* Copyright (c) 2011-2016, The Linux Foundation. All rights reserved.

 *

 * This program is free software; you can redistribute it and/or modify

 * it under the terms of the GNU General Public License version 2 and

		bytes_written = scnprintf(buf+bytes_in_buffer, bytes_remaining,

			"id: %d\n"

			"name: %s\n"

			"hdl: %p\n"

			"hdl: %pK\n"

			"connected: %d\n"

			"diag state: %d\n"

			"enabled: %d\n"

			bytes_written = scnprintf(buf+bytes_in_buffer,

				bytes_remaining,

				"name\t\t:\t%s\n"

				"hdl\t\t:\t%p\n"

				"hdl\t\t:\t%pK\n"

				"inited\t\t:\t%d\n"

				"opened\t\t:\t%d\n"

				"diag_state\t:\t%d\n"

			bytes_written = scnprintf(buf+bytes_in_buffer,

				bytes_remaining,

				"name\t\t:\t%s\n"

				"hdl\t\t:\t%p\n"

				"hdl\t\t:\t%pK\n"

				"inited\t\t:\t%d\n"

				"opened\t\t:\t%d\n"

				"diag_state\t:\t%d\n"

			"bridge index: %s\n"

			"mempool: %s\n"

			"read ch opened: %d\n"

			"read ch hdl: %p\n"

			"read ch hdl: %pK\n"

			"write ch opened: %d\n"

			"write ch hdl: %p\n"

			"write ch hdl: %pK\n"

			"read work pending: %d\n"

			"read done work pending: %d\n"

			"open work pending: %d\n"

			"type: %d\n"

			"inited: %d\n"

			"ctxt: %d\n"

			"dev_ops: %p\n"

			"dci_read_buf: %p\n"

			"dci_read_ptr: %p\n"

			"dev_ops: %pK\n"

			"dci_read_buf: %pK\n"

			"dci_read_ptr: %pK\n"

			"dci_read_len: %d\n\n",

			info->id,

			info->name,

	if (!driver->diagfwd_cntl[peripheral] ||

		!driver->diagfwd_cntl[peripheral]->ch_open) {

		pr_err("diag: In %s, control channel is not open, p: %d, %p\n",

		pr_err("diag: In %s, control channel is not open, p: %d, %pK\n",

			__func__, peripheral, driver->diagfwd_cntl[peripheral]);

		return;

	}

	if (!driver->diagfwd_cntl[peripheral] ||

	    !driver->diagfwd_cntl[peripheral]->ch_open) {

		pr_err("diag: In %s, control channel is not open, p: %d, %p\n",

		pr_err("diag: In %s, control channel is not open, p: %d, %pK\n",

		       __func__, peripheral, driver->diagfwd_cntl[peripheral]);

		return;

	}

	mask_info = (!info) ? &msg_mask : info->msg_mask;

	if (!src_buf || !dest_buf || src_len <= 0 || dest_len <= 0 ||

	    !mask_info) {

		pr_err("diag: Invalid input in %s, src_buf: %p, src_len: %d, dest_buf: %p, dest_len: %d, mask_info: %p\n",

		pr_err("diag: Invalid input in %s, src_buf: %pK, src_len: %d, dest_buf: %pK, dest_len: %d, mask_info: %pK\n",

		       __func__, src_buf, src_len, dest_buf, dest_len,

		       mask_info);

		return -EINVAL;

	struct diag_msg_build_mask_t rsp;

	if (!src_buf || !dest_buf || src_len <= 0 || dest_len <= 0) {

		pr_err("diag: Invalid input in %s, src_buf: %p, src_len: %d, dest_buf: %p, dest_len: %d\n",

		pr_err("diag: Invalid input in %s, src_buf: %pK, src_len: %d, dest_buf: %pK, dest_len: %d\n",

		       __func__, src_buf, src_len, dest_buf, dest_len);

		return -EINVAL;

	}

	mask_info = (!info) ? &msg_mask : info->msg_mask;

	if (!src_buf || !dest_buf || src_len <= 0 || dest_len <= 0 ||

	    !mask_info) {

		pr_err("diag: Invalid input in %s, src_buf: %p, src_len: %d, dest_buf: %p, dest_len: %d, mask_info: %p\n",

		pr_err("diag: Invalid input in %s, src_buf: %pK, src_len: %d, dest_buf: %pK, dest_len: %d, mask_info: %pK\n",

		       __func__, src_buf, src_len, dest_buf, dest_len,

		       mask_info);

		return -EINVAL;

	mask_info = (!info) ? &msg_mask : info->msg_mask;

	if (!src_buf || !dest_buf || src_len <= 0 || dest_len <= 0 ||

	    !mask_info) {

		pr_err("diag: Invalid input in %s, src_buf: %p, src_len: %d, dest_buf: %p, dest_len: %d, mask_info: %p\n",

		pr_err("diag: Invalid input in %s, src_buf: %pK, src_len: %d, dest_buf: %pK, dest_len: %d, mask_info: %pK\n",

		       __func__, src_buf, src_len, dest_buf, dest_len,

		       mask_info);

		return -EINVAL;

	mask_info = (!info) ? &msg_mask : info->msg_mask;

	if (!src_buf || !dest_buf || src_len <= 0 || dest_len <= 0 ||

	    !mask_info) {

		pr_err("diag: Invalid input in %s, src_buf: %p, src_len: %d, dest_buf: %p, dest_len: %d, mask_info: %p\n",

		pr_err("diag: Invalid input in %s, src_buf: %pK, src_len: %d, dest_buf: %pK, dest_len: %d, mask_info: %pK\n",

		       __func__, src_buf, src_len, dest_buf, dest_len,

		       mask_info);

		return -EINVAL;

	struct diag_event_mask_config_t rsp;

	if (!src_buf || !dest_buf || src_len <= 0 || dest_len <= 0) {

		pr_err("diag: Invalid input in %s, src_buf: %p, src_len: %d, dest_buf: %p, dest_len: %d\n",

		pr_err("diag: Invalid input in %s, src_buf: %pK, src_len: %d, dest_buf: %pK, dest_len: %d\n",

		       __func__, src_buf, src_len, dest_buf, dest_len);

		return -EINVAL;

	}

	mask_info = (!info) ? &event_mask : info->event_mask;

	if (!src_buf || !dest_buf || src_len <= 0 || dest_len <= 0 ||

	    !mask_info) {

		pr_err("diag: Invalid input in %s, src_buf: %p, src_len: %d, dest_buf: %p, dest_len: %d, mask_info: %p\n",

		pr_err("diag: Invalid input in %s, src_buf: %pK, src_len: %d, dest_buf: %pK, dest_len: %d, mask_info: %pK\n",

		       __func__, src_buf, src_len, dest_buf, dest_len,

		       mask_info);

		return -EINVAL;

	mask_info = (!info) ? &event_mask : info->event_mask;

	if (!src_buf || !dest_buf || src_len <= 0 || dest_len <= 0 ||

	    !mask_info) {

		pr_err("diag: Invalid input in %s, src_buf: %p, src_len: %d, dest_buf: %p, dest_len: %d, mask_info: %p\n",

		pr_err("diag: Invalid input in %s, src_buf: %pK, src_len: %d, dest_buf: %pK, dest_len: %d, mask_info: %pK\n",

		       __func__, src_buf, src_len, dest_buf, dest_len,

		       mask_info);

		return -EINVAL;

	mask_info = (!info) ? &log_mask : info->log_mask;

	if (!src_buf || !dest_buf || src_len <= 0 || dest_len <= 0 ||

	    !mask_info) {

		pr_err("diag: Invalid input in %s, src_buf: %p, src_len: %d, dest_buf: %p, dest_len: %d, mask_info: %p\n",

		pr_err("diag: Invalid input in %s, src_buf: %pK, src_len: %d, dest_buf: %pK, dest_len: %d, mask_info: %pK\n",

		       __func__, src_buf, src_len, dest_buf, dest_len,

		       mask_info);

		return -EINVAL;

	mask_info = (!info) ? &log_mask : info->log_mask;

	if (!src_buf || !dest_buf || src_len <= 0 || dest_len <= 0 ||

	    !mask_info) {

		pr_err("diag: Invalid input in %s, src_buf: %p, src_len: %d, dest_buf: %p, dest_len: %d, mask_info: %p\n",

		pr_err("diag: Invalid input in %s, src_buf: %pK, src_len: %d, dest_buf: %pK, dest_len: %d, mask_info: %pK\n",

		       __func__, src_buf, src_len, dest_buf, dest_len,

		       mask_info);

		return -EINVAL;

	mask_info = (!info) ? &log_mask : info->log_mask;

	if (!src_buf || !dest_buf || src_len <= 0 || dest_len <= 0 ||

	    !mask_info) {

		pr_err("diag: Invalid input in %s, src_buf: %p, src_len: %d, dest_buf: %p, dest_len: %d, mask_info: %p\n",

		pr_err("diag: Invalid input in %s, src_buf: %pK, src_len: %d, dest_buf: %pK, dest_len: %d, mask_info: %pK\n",

		       __func__, src_buf, src_len, dest_buf, dest_len,

		       mask_info);

		return -EINVAL;

	mask_info = (!info) ? &log_mask : info->log_mask;

	if (!src_buf || !dest_buf || src_len <= 0 || dest_len <= 0 ||

	    !mask_info) {

		pr_err("diag: Invalid input in %s, src_buf: %p, src_len: %d, dest_buf: %p, dest_len: %d, mask_info: %p\n",

		pr_err("diag: Invalid input in %s, src_buf: %pK, src_len: %d, dest_buf: %pK, dest_len: %d, mask_info: %pK\n",

		       __func__, src_buf, src_len, dest_buf, dest_len,

		       mask_info);

		return -EINVAL;

		if (ch->tbl[i].buf != buf)

			continue;

		found = 1;

		pr_err_ratelimited("diag: trying to write the same buffer buf: %p, ctxt: %d len: %d at i: %d back to the table, proc: %d, mode: %d\n",

		pr_err_ratelimited("diag: trying to write the same buffer buf: %pK, ctxt: %d len: %d at i: %d back to the table, proc: %d, mode: %d\n",

				   buf, ctx, ch->tbl[i].len,

				   i, id, driver->logging_mode);

	}

	list_for_each_safe(start, temp, &usb_info->buf_tbl) {

		entry = list_entry(start, struct diag_usb_buf_tbl_t, track);

		if (entry->buf == buf) {

			DIAG_LOG(DIAG_DEBUG_MUX, "ref_count-- for %p\n", buf);

			DIAG_LOG(DIAG_DEBUG_MUX, "ref_count-- for %pK\n", buf);

			atomic_dec(&entry->ref_count);

			/*

			 * Remove reference from the table if it is the

	list_for_each_safe(start, temp, &usb_info->buf_tbl) {

		entry = list_entry(start, struct diag_usb_buf_tbl_t, track);

		if (entry->buf == buf) {

			DIAG_LOG(DIAG_DEBUG_MUX, "ref_count-- for %p\n", buf);

			DIAG_LOG(DIAG_DEBUG_MUX, "ref_count-- for %pK\n", buf);

			atomic_dec(&entry->ref_count);

			return entry;

		}

	ch->write_cnt++;

	entry = diag_usb_buf_tbl_get(ch, req->context);

	if (!entry) {

		pr_err_ratelimited("diag: In %s, unable to find entry %p in the table\n",

		pr_err_ratelimited("diag: In %s, unable to find entry %pK in the table\n",

				   __func__, req->context);

		return;

	}

	struct diag_request *req = NULL;

	if (!usb_info || !buf || len <= 0) {

		pr_err_ratelimited("diag: In %s, usb_info: %p buf: %p, len: %d\n",

		pr_err_ratelimited("diag: In %s, usb_info: %pK buf: %pK, len: %d\n",

				   __func__, usb_info, buf, len);

		return -EINVAL;

	}

	spin_lock_irqsave(&usb_info->write_lock, flags);

	if (diag_usb_buf_tbl_add(usb_info, buf, len, ctxt)) {

		DIAG_LOG(DIAG_DEBUG_MUX, "ERR! unable to add buf %p to table\n",

		DIAG_LOG(DIAG_DEBUG_MUX,

					"ERR! unable to add buf %pK to table\n",

			 buf);

		diagmem_free(driver, req, usb_info->mempool);

		spin_unlock_irqrestore(&usb_info->write_lock, flags);