msm: ipa3: fix dereferencing of offset_entry without check (f209db03) · Commits · e / devices / android_kernel_xiaomi_markw

drivers/platform/msm/ipa/ipa_common_i.h

+13 −0

Original line number	Diff line number	Diff line
		@@ -16,6 +16,7 @@
		#ifndef _IPA_COMMON_I_H_
		#define _IPA_COMMON_I_H_
		#include <linux/ipc_logging.h>
		#include <linux/ipa.h>

		#define __FILENAME__ \
		(strrchr(__FILE__, '/') ? strrchr(__FILE__, '/') + 1 : __FILE__)
		@@ -267,6 +268,18 @@ struct ipa_mhi_connect_params_internal {
		struct start_mhi_channel start;
		};

		/**
		* struct ipa_hdr_offset_entry - IPA header offset entry
		* @link: entry's link in global header offset entries list
		* @offset: the offset
		* @bin: bin
		*/
		struct ipa_hdr_offset_entry {
		struct list_head link;
		u32 offset;
		u32 bin;
		};

		extern const char *ipa_clients_strings[];

		#define IPA_IPC_LOGGING(buf, fmt, args...) \

+0 −12

Original line number	Diff line number	Diff line
		@@ -268,18 +268,6 @@ struct ipa_hdr_entry {
		u16 eth2_ofst;
		};

		/**
		* struct ipa_hdr_offset_entry - IPA header offset entry
		* @link: entry's link in global header offset entries list
		* @offset: the offset
		* @bin: bin
		*/
		struct ipa_hdr_offset_entry {
		struct list_head link;
		u32 offset;
		u32 bin;
		};

		/**
		* struct ipa_hdr_tbl - IPA header table
		* @head_hdr_entry_list: header entries list

+1 −1

Original line number	Diff line number	Diff line
		@@ -4197,7 +4197,7 @@ static int ipa3_pre_init(const struct ipa3_plat_drv_res *resource_p,
		}
		ipa3_ctx->hdr_offset_cache =
		kmem_cache_create("IPA_HDR_OFFSET",
		sizeof(struct ipa3_hdr_offset_entry), 0, 0, NULL);
		sizeof(struct ipa_hdr_offset_entry), 0, 0, NULL);
		if (!ipa3_ctx->hdr_offset_cache) {
		IPAERR(":ipa hdr off cache create failed\n");
		result = -ENOMEM;

+5 −5

Original line number	Diff line number	Diff line
		@@ -77,7 +77,7 @@ static void ipa3_hdr_proc_ctx_to_hw_format(struct ipa_mem_buffer *mem,
		entry->hdr->is_hdr_proc_ctx,
		entry->hdr->phys_base,
		hdr_base_addr,
		entry->hdr->offset_entry->offset);
		entry->hdr->offset_entry);
		}
		}

		@@ -416,7 +416,7 @@ bad_len:
		static int __ipa_add_hdr(struct ipa_hdr_add *hdr)
		{
		struct ipa3_hdr_entry *entry;
		struct ipa3_hdr_offset_entry *offset;
		struct ipa_hdr_offset_entry *offset;
		u32 bin;
		struct ipa3_hdr_tbl *htbl = &ipa3_ctx->hdr_tbl;
		int id;
		@@ -497,7 +497,7 @@ static int __ipa_add_hdr(struct ipa_hdr_add *hdr)
		/* get the first free slot */
		offset =
		list_first_entry(&htbl->head_free_offset_list[bin],
		struct ipa3_hdr_offset_entry, link);
		struct ipa_hdr_offset_entry, link);
		list_move(&offset->link, &htbl->head_offset_list[bin]);
		}

		@@ -860,8 +860,8 @@ int ipa3_reset_hdr(void)
		struct ipa3_hdr_entry *next;
		struct ipa3_hdr_proc_ctx_entry *ctx_entry;
		struct ipa3_hdr_proc_ctx_entry *ctx_next;
		struct ipa3_hdr_offset_entry *off_entry;
		struct ipa3_hdr_offset_entry *off_next;
		struct ipa_hdr_offset_entry *off_entry;
		struct ipa_hdr_offset_entry *off_next;
		struct ipa3_hdr_proc_ctx_offset_entry *ctx_off_entry;
		struct ipa3_hdr_proc_ctx_offset_entry *ctx_off_next;
		int i;

+1 −13

Original line number	Diff line number	Diff line
		@@ -326,7 +326,7 @@ struct ipa3_hdr_entry {
		bool is_hdr_proc_ctx;
		dma_addr_t phys_base;
		struct ipa3_hdr_proc_ctx_entry *proc_ctx;
		struct ipa3_hdr_offset_entry *offset_entry;
		struct ipa_hdr_offset_entry *offset_entry;
		u32 cookie;
		u32 ref_cnt;
		int id;
		@@ -334,18 +334,6 @@ struct ipa3_hdr_entry {
		u16 eth2_ofst;
		};

		/**
		* struct ipa3_hdr_offset_entry - IPA header offset entry
		* @link: entry's link in global header offset entries list
		* @offset: the offset
		* @bin: bin
		*/
		struct ipa3_hdr_offset_entry {
		struct list_head link;
		u32 offset;
		u32 bin;
		};

		/**
		* struct ipa3_hdr_tbl - IPA header table
		* @head_hdr_entry_list: header entries list